Panama Papers: How Two Open Source Platforms Could Be Major Contributors To The Breach
The hacking of Mossack Fonseca’s client portal leaked over 11.5 million documents, 4.8 million emails and 2.6TB of data - the largest leak in history. Prime ministers have resigned, business people are being scrutinized and over 30 countries have launched investigations against individuals and companies.
The information was assumed to have come from unencrypted emails through an outdated (2009) version of Microsoft’s Outlook for Web portal.
There is, however, a well-founded belief that the hackers found their way into the law firm's system through unpatched and outdated versions of the WordPress and Drupal CMS.
“Mossack Fonseca's client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site's changelog. Exposing the website to the Drupalgeddon vulnerability, also known as SA-CORE-2014-005 affected millions of websites back in 2014.”
Full details can be found at Wikipedia Panama Papers including what each of the countries is doing.
This recent incident again highlights some of the gaps in the argument that “the technology doesn’t matter”.
For many years, there have been ongoing debates between open source proponents and commercial software companies. The debate has been passionate, each side has devout beliefs.
The open source argument centers on ownership of source code and benefiting from a community of contributors. In ‘selling’ the benefits of open source, providers refer to the portability of the source code if things don’t work out? The real world reality is that web developers each have their own trusted tools and methods, their own idiosyncrasies and changing providers is really the start of the redevelopment process.
You left that other provider for a reason right? So when your new provider tells you that the quality of the code is poor, that there is a better library or framework and that updates need to be performed then it validates your beliefs.
What has eventuated however is very different;
With the ownership of the source code comes with tremendous responsibility to maintain it.
The argument relating to freedom of ownership is a misguided perception which we would say is purported by those who profit from providing the extensive range of services required to maintain an open source solution.
The problem is formed when the site is launched and with each patch or version update of the open source platform, the issue grows silently in the background.
The owner of the website is focused on growing their business, they are not equipped to properly maintain their platforms - most companies don’t have the first clue of what it requires to protect software and databases from malicious online attacks.
The folks at Mossack Fonseca probably never gave the technology a second thought once the site was deployed. Most likely the provider who built the site used a library of plugins, each of which requires its own maintenance.
Meanwhile, Mossack Fonseca are tracking along thinking “If it broke, we'll call the developers to fix it”.
There are a burgeoning array of providers like Acquia and Automattic, along with hosting companies like Hostway, Pantheon, and Omega8 that have seen the problem and are providing potential solutions to some of these maintenance issues.
But how they can protect sites from poor coding and outdated components?
Clearly, the leadership of Mossack Fonseca is at fault for not managing the risks associated with the maintenance of their CMS platform.
But should this maintenance be something that needs leadership focus? What are the options for companies who can’t afford a full development and networking team?
[Option 1] Outsource to a hosting provider who has a managed services
Companies who will support the full stack including the software. These teams will perform ongoing weekly maintenance and security testing to find holes & components that have failed.
[Option 2] Implement a SaaS solution
Coredna, for example, takes care of the full stack, and for a fixed fee each month will deliver a scalable, managed platform that continuously evolves with new features and updates.
[Option 3] Engage a commercial software provider
And make the maintenance and network security part of the ongoing contract.
No longer can we look at the internet as something that happens "over there". After more than 20 years, the Internet has become far more complicated, intertwined and embedded in our lives.
Here are some other past articles we’ve written related to these topics: