Monthly Archives: April 2016

Panama Papers breach

The Panama Papers data leak has already snared many rich and powerful folks who have been using questionable means to hide wealth beyond taxation and scrutiny. However, that’s not what I want to write about here. I certainly find the abuse of wealth and power to be an issue, and much ink is being spilled on this. I want to focus instead on information security, and in particular, the vectors likely used to extract the data from the law firm Mossack Fonseca. What happened here was not some sort of uber-secret hacking, but was a simple process of exploiting well-known vulnerabilities in WordPress plugins and in a particular version of Drupal core that was found to have severe vulnerabilities in October 2014.

WordPress and Drupal are both extremely popular content management systems (CMS). Your correspondent runs several websites using both these systems, and this blog runs on WordPress. Both systems are robust, reliable, and have huge ecosystems of “plugins” or “modules” that can be used to extend basic functionality of the system in a myriad of ways. These extensions provide visual appeal (image sliders and other tools), spam control, and even database functions for storing information about the user community. If you can imagine it, someone out there has probably written a WordPress Plugin or Drupal Module that can help you bring that functionality to your site. However, with great power comes great responsibility 🙂.

One of the banes of any technology system is maintenance and patching. This can be to fix bugs, to add functionality, or, increasingly, to patch the seemingly never-ending list of security holes. WordPress and Drupal are no exception, and in fact, both are big targets. Of the two, WordPress is far more prevalent, with over 75 million sites and growing rapidly. Drupal runs one million sites. From a security exposure perspective, WordPress is in my opinion a bigger problem. WordPress is extremely easy to install, and takes much less study to create interesting sites than does Drupal, and as such, many sites are set up by individuals and groups who don’t appreciate the rigor of site maintenance.  I’m not writing this post to favor WordPress or Drupal.  I like both, and both have strengths and weaknesses. This brings us back full circle to what happened with Mossack Fonseca.

In a word, the problem was maintenance. The likely vector that led the Panama Papers hackers to Mossack Fonseca’s email servers was through unpatched and well-known vulnerabilities in WordPress plugins. The Drupal exposure likely led to client documents, and could have been a bit more forgivable from an IT perspective, as the exposure was from the core weakness in Drupal versions prior to 7.31, a part of the “Drupalgeddon” exposure of huge numbers of Drupal sites…except that Mossack Fonseca is still (at the time of this writing) running Drupal 7.23 from August 2013!

Wordfence, an organization that provides security plugins and services for WordPress, has done an excellent writeup of how the Panama Papers hacks unfolded, and it’s well worth a read, especially if you are responsible for either doing website maintenance or if you are concerned about the security of the sites you or your organization run.

The sad fact is that it’s just so easy to do maintenance on both WordPress and Drupal that not maintaining sites is highly unprofessional. Wordfence provides an excellent plugin that notifies you when a monitored site needs a core update or plugin update. Many updates can be configured to run automatically. Running manually is a simple matter of logging in and then doing a couple of clicks! Drupal is just about as easy, though a Drupal core update is a bit more involved than a WordPress core update, currently needing a separate program (Drush) to handle the core update.
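As an added example (not code from this post or from Wordfence), here is a small audit that flags the two maintenance gaps discussed above: a Drupal 7 core below the 7.31 threshold cited earlier, and WordPress plugins with pending updates. It assumes the plugin inventory comes from WP-CLI's `wp plugin list --format=json`; the plugin names and versions in the sample are constructed.

```python
import json

# Threshold taken from the post ("Drupal versions prior to 7.31").
DRUPAL7_MIN_CORE = "7.31"

def parse_version(text):
    """'7.23' -> (7, 23); numeric tuples avoid the string trap where '7.9' > '7.23'."""
    return tuple(int(part) for part in text.strip().split("."))

def core_status(installed, minimum=DRUPAL7_MIN_CORE):
    """Return 'outdated', 'ok' or 'unknown'; unparseable versions are never passed silently."""
    try:
        have, need = parse_version(installed), parse_version(minimum)
    except ValueError:
        return "unknown"
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return "outdated" if have < need else "ok"

def plugins_needing_update(wp_cli_json):
    """Read WP-CLI JSON; inactive plugins are reported too, since they still need patching."""
    return [
        (row["name"], row["version"], row.get("update_version", "?"))
        for row in json.loads(wp_cli_json)
        if row.get("update") == "available"
    ]

# Constructed sample data: plugin names and versions are made up for illustration.
SAMPLE_WP_PLUGINS = json.dumps([
    {"name": "example-slider", "status": "active", "version": "2.1.0", "update": "available", "update_version": "4.0.3"},
    {"name": "example-mailer", "status": "inactive", "version": "1.0.1", "update": "available", "update_version": "1.2.0"},
    {"name": "example-forms", "status": "active", "version": "3.3.0", "update": "none"},
])

def audit(drupal_core, wp_cli_json):
    """Collect one finding per component that needs attention."""
    findings = []
    status = core_status(drupal_core)
    if status != "ok":
        findings.append(f"drupal core {drupal_core}: {status} (minimum {DRUPAL7_MIN_CORE})")
    for name, have, want in plugins_needing_update(wp_cli_json):
        findings.append(f"wordpress plugin {name}: {have} -> {want}")
    return findings

if __name__ == "__main__":
    for line in audit("7.23", SAMPLE_WP_PLUGINS):
        print(line)
```

Run from cron with the real inventory in place of the sample, any non-empty result is a reminder that a site has fallen behind.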

Maintenance of websites is a necessary job, just as is maintenance of any other technology asset. Think of it as changing the oil and checking the tire pressure in your car. If you know how, do it yourself. If you need to hire someone else to do it, then do so…but ensure that it is done, or you and your company may wind up in the news one day…

HF Ham!

I’ve neglected my blog for the past couple of months, with no posting since January. We had a great time on our cruise to the eastern Caribbean in February, so my excuse is that I was having so much fun I had no time for blogging 😉.

However, I did want to chronicle my success with moving to the world of 6M and HF Ham radio. I posted here in January that I’d upgraded my antennae for my 2M/70CM radio, and I’ve been doing a lot of communication on the 2M band, including becoming a regular participating member of the Possum Trot Net, Possum number 3571! I wanted to add the capability to use high frequency (long distance) bands to communicate to more and different communities. I added a Yaesu FT-450D radio with a 7-band Buckmaster OCF dipole antenna to my “shack.” I plugged it in Monday of last week and tried to communicate with the local 10M net, but did not have any success in transmitting though I could hear the net traffic. Don’t know if there was just a pileup, or something with local conditions. I reached out to a local Ham to give me some assistance and coaching. KM4MDR came over today and spent a couple hours with me, validating the SWR of my antenna with his MFJ analyzer (it did very well on the supported bands, ranging from 1.2 to 1.8), and showing me a few tuning tricks. I’m very appreciative of John’s help! We participated in the 40M 7.772 Ragchew and talked to Net Control in Maryland, and talked to the 20M 14.300 Mobile Maritime Net (you don’t have to be a boat to participate!) Net Control near Houston TX. Signal reports were good. So, great success, and now I can operate with the confidence that I can hear and be heard.