I’m sure you’re all aware of the Panama Papers: a leak of epic proportions that exposed the offshore dealings of the rich and famous. Panamanian law firm Mossack Fonseca was breached, and well over a terabyte of data was handed over to journalists, who are going through it with a fine-tooth comb. The leak has given rise to headlines and embarrassments from Washington to Reykjavik. It’s not known exactly how the data was leaked, but we do know that Mossack Fonseca is surprisingly bad at online security. As Forbes and WP Tavern have reported, the Mossack Fonseca site ran an outdated version of WordPress, and their client portal ran on a very outdated version of Joomla!
I’m not going to delve into the ethical and financial details of the leak, but I do want to have a look at one thing businesses can do to limit the risk that their company’s data will find its way onto the web. It’s quite simple: update your content management system!
As we’ve discussed many times before, an out-of-date content management system is an open invitation to hackers, but businesses don’t realize the potential risk. I’ve seen many argue that an old WordPress site is a risk for the site itself, but it isn’t a danger to a business’s internal networks. The argument runs like this: many businesses don’t keep private data on the same server as their web hosting account, so the web hosting server may well be hacked, but data in the company’s internal network will be safe.
It’s almost never true that there is a complete separation between a business’s internal networks and their site. Business sites are often deeply integrated with the rest of an organization’s operations, and an island-hopping attack that takes the content management system as a staging post for an attack on the rest of the business’s network is fairly standard practice for hackers.
Let’s take a simple example. An attacker targets your business. He looks for security weaknesses, and finds that your website is running an old version of WordPress with known vulnerabilities. He targets the site, compromises it, and embeds scripts in the site’s admin area and public pages that cause any visitors to be redirected to malware sites. Next, he sends out emails to all the site’s administrators within the company (gleaned by comparing admin usernames to company employees discovered on social media). The emails cause admin users to go to the site, log in, and become infected with the attacker’s malware. If the attacker is lucky, he now has malware installed on your company’s internal network, and from there it’s a short hop to a data leak.
An attacker could do more or less the same thing with any compromised site, but using the business’s own site increases the chances of success, and increases the likelihood that someone of importance will have malware placed on their machine.
Many critics of the WordPress breach hypothesis point out that it’s far more likely that the attacker started with a phishing attack or some other form of social engineering. Perhaps they did; I have no evidence one way or another. The important point is that failing to update your WordPress site gives attackers a potent tool that — perhaps combined with a social engineering attack — can be used to breach internal networks.
The moral of the story: keep your WordPress and Joomla! sites — and any other web application your business uses — updated. It doesn’t take much of your time to make life much more difficult for online criminals.