Panama Papers – Why You Should Update Regularly

The Panama Papers have been headline news for some time now. The recent data leak from Mossack Fonseca totalled 11.5 million documents and has rocked governments worldwide including setting the events in motion for the resignation of the Prime minister of Iceland.

Panama Papers

While the overwhelming focus of the media and public attention has been on the possible tax avoidance schemes exposed, there is also some conversation about the security and data protection precautions taken by Mossack Fonseca, or to be more precise, the lack of them.

Software Updates

Sometimes people forget to update their software or they think they are happy with the current version and don’t want to add new features, or that the new version may have bugs that need to be patched. Often they don’t consider the security aspect of the updates. Panama Papers reveal just how devastating a security breach can be.

It seems there were a number of security issues with Mossack Fonseca’s technology that may have contributed to their being hacked, including using a version of WordPress that was 3 months out of date. As reported recently in an article for Wired Magazine,

Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.

After the Panama Papers were released, WordFence compiled a thorough analysis of the Mossack Fonseca Website, here is a useful brief analysis of their findings from Cavendo,

  • The Mossack Fonseca WordPress site was built using the Slider Revolution plugin (you know those sliders that everyone wants on their website).
  • The plugin wasn’t updated since 2013.
  • The plugin had code that wasn’t secure and allows someone with very technical skills to “exploit” the vulnerability.
  • Within a couple of minutes, someone could gain “superuser” access to the web server their website is hosted on. If this server is on a network with other computers in their office all of those computers could be accessed through this hack.

Security

Your website is constantly under attack, a large proportion of website traffic is caused by ‘bots’ looking to find a weakness in your security. These automated hacking bots can have devastating consequences for your website, stealing your sensitive data or planting viruses

The scale of the data breach at Mossack Fonseca is truly staggering and should lead us all to consider our security,

The leak includes emails, contracts, scanned documents and transcripts. Broken down by file type, the leak comprises 4.8 million emails, three million database files, 2.1 million PDFs, 1.1 million images, 320,166 text files and 2,242 files in other formats. All the files came organised in folders for the individual shell firms they related to. A full list of companies and people linked to the offshore entities will be published in May 2016.

Here at Seal Island Media our software is updated constantly. A firewall, regular scans for malware and other enhanced security features, reduce the likelihood of your site being hacked. But if it is hacked we will clean it up and restore the site to the last backup.

Avoid the fate of Mossack Fonseca

While it is not certain yet which security lapse allowed Mossack Fonseca to be hacked, the importance of security and updating regularly should be noted.

If you want to reduce your chances of your WordPress site being hacked:

  • Use secure passwords
  • Update your site regularly
  • Install a WordPress firewall
  • Only use plugins and themes from trusted sources
  • Backup your site regularly in case you are hacked

We hope this blog has been useful. If you would like to talk to us about security for your website you can contact us here or call us on 0800 612 1098

Vulnerability in the WordPress Plug-in WP eCommerce

WP eCommerceThere is a serious vulnerability in the WordPress plugin “WP eCommerce“. The authors have released a fix. The fixed version is 3.8.14.4.

The vulnerability allows an attacker to export user names, addresses, and other private information. It also allows an attacker to modify orders.

Always make sure you have the latest version of WordPress themes and plugins installed.

Take action now to protect your site.

WordPress Security Increased

The Machines WinWordPress security is a major concern for Seal Island Media. Many of the sites we build and host are based on WordPress.

In July 2014 WordPress was used by 22.6% of the sites on the internet according to Web Technology Surveys. This has a great many benefits, but also one major drawback – it makes WordPress based sites prime targets for hackers.

Recently we have seen a large increase in the number of brute force attempts to hack WordPress sites. This is where a hacker, or more accurately a program set up by a hacker, attempts to guess the site administrator’s user name and password, usually ‘admin’ and ‘admin.

To counter this and other security concerns we have decide to move all our WordPress websites behind a firewall. The new software will also check all sites for the HeartBleed vulnerability.

What you need to do

Some sites will need to be moved between servers. If your site is likely to be affected you will shortly receive an email setting out a timetable for the move. Don’t worry, there will be very little impact on your service, but you will receive a new password your site.

For everyone else you will not need to do anything,

The HeartBleed Bug

We have been asked about the HeartBleed bug or HeartBleed Vulnerability.

The HeartBleed bug is a vulnerability in secure communications software that MAY have allowed a hacker to access your passwords or other secure data on a vulnerable server. You may have  received emails suggesting you change passwords on a vulnerable account.

We have been on to our hosting provider and have been assured that:

Our server are fully patched against this vulnerability, no action is needed from your end. It is safe to report that there is no problems nor issues to worry about to your clients.

So there you have it.

CNet has provided a hit list of services that require a password change.

If you want to know more there is an official HeartBleed page covering the bug detail or check out this primer from Mashable.

 

Pin It on Pinterest