So this might seem a little esoteric, but bear with me. I think you’re going to find it interesting. Maybe even useful. Possibly even job-saving.
You may have heard about the Panama Papers. If not, here’s a brief recap: A Panamanian law firm, Mossack Fonseca, recently had more than 11 million documents leaked to the public. The documents reveal the identities of shareholders and directors of some 214,000 offshore companies, including financial dealings and privileged attorney-client information.
After more than a year of analysis, the first news stories based on the documents were published on April 3, 2016, along with about 150 of the documents themselves. Many of the documents simply reveal privileged information, while others either hint at or depict illegal (or certainly immoral) behavior.
The people identified in the document read as a veritable Who’s Who of the international governing class: heads of state from Argentina, Iceland, Saudi Arabia, Ukraine, and the United Arab Emirates, as well as government officials, close relatives, and close associates of various heads of government of more than 40 other countries. It’s like someone shined a huge spotlight on all of the dank, dark places rich and powerful people are using to store the levers and dials they use to abuse the systems they’ve created to give themselves the unfair advantages they enjoy. What that spotlight reveals is pretty ugly (though maybe not a surprise to anyone.)
You may already know all of that or could have read it in any number of journalistic reports. But here’s what you might not have heard that you need to know: It’s how this leak happened in the first place.
Over the last few years, the world of web development has been increasingly using off-the-shelf solutions. Products like WordPress and Drupal are often used as the foundational building blocks for websites that require some basic content management. The costs are low and the number of people with some ability to use them are high, which makes them an attractive option.
In addition to these foundational blocks, the capabilities of these platforms have been extended by other programmers writing things called ‘plug-ins’. Plug-ins are developed to do any number of things, and are good options for adding necessary functions to your site without having to write the code yourself. For example, you may have decided you want to use a carousel on your homepage to show three or four images on a timer (something lots of people do, even though there’s no data that suggests it’s effective.) There are some potential problems with these plug-ins, however. First, unless you understand the programming code they’re written in, you may have little idea what’s happening under the hood. They might also require periodic updates as the codebase changes or vulnerabilities are found.
That’s exactly what happened in the case of Mossack Fonseca. Data security experts discovered that the company seemed to have been running a three-year-old version of Drupal with several known vulnerabilities. Additionally, other parts of their site appear to have been running an outdated version of WordPress with a vulnerable version of a plug-in called Revolution Slider. In other words, the 11.5 million documents — making up the largest security breach in the history of mankind, exposing the dirty deeds of members of the highest level of governments around the world — were exposed because someone hadn’t updated the carousel plug-in on the website.
Certainly, bugs can exist in all kinds of software and mistakes can happen. And it definitely takes an unwarranted level of diligence to stay ahead of a hacker that is actively targeting you. But in this case, it appears the hackers got in through an outdated plug-in, accessed the private, client-only section of the site through a different vulnerability, and then penetrated the email server based on a third known exploit.
All of which suggests it could have been avoided – or at the very least mitigated – by even a slight amount of vigilance.
What does this have to do with you? Maybe nothing. Unless your company has a website. Especially a website built on WordPress that requires periodic updates and might also be using one of any number of extensible plug-ins. Or if you may have selected an inexpensive option to have it built to begin with and — as far as you know — don’t have anyone spending the time and effort to keep it up to date.
If any of that’s the case, it may have a whole helluva lot to do with you.