Several days after the Panama Papers leak had echoed in global media as the greatest international tax scandal in history, security analysts confirmed that the heart of the problem lies in security flaws. As revealed by a detailed examination, the compromised law firm Mossack Fonseca used content management and emailing systems, which had dozens of vulnerabilities that facilitated the breach. Its client portal was found to run on an unpatched version of Drupal, while the main site was managed with an outdated version of WordPress. Coupled with the use of Outlook Web Access mail system that hasn’t been updated since 2009, these faults offered enough loopholes for hackers to exploit. “They [Mossack Fonseca] seem to have been caught in a time warp,” a computer security expert Alan Woodward told Wired after the results of the analysis came in. His words summarize the absurdity of our age in which an alarming portion of companies still sticks to outdated technology, while cyber-attacks become conspicuously more frequent and more aggressive.
Websites increasingly vulnerable to cyber attacks
With company websites playing a critical role in business communications, the consequences of inadequate security practices can be devastating. This was tragically exemplified with the Panama Papers leak, calling for webmasters to rethink their cyber security practices. With WordPress’ well-known history of breaches and an overall instability of outsourced CMS platforms, website owners stand on a shaky ground if they don’t employ strong security. In fact, only a week prior to the Panama Papers leak, Avast warned website owners against a new threat for Joomla and WordPress sites. Using a popular name of jQuery library to inject a piece of code through malware, hackers have managed to infect 4.5 million users within a single day. “The number of hacked domains is abnormally high, which is why this kind of attack was and still is very popular on a daily basis. From November 2015 we registered over 4.5 million users who encountered this infection. Malicious code was found in almost 70 million unique files on hacked websites,” reports Alexej Savcin in an associated announcement. This is one of the most sophisticated WordPress attacks we have seen thus far, but is far from being the only one of this scale. In addition to this, the attack demonstrates the extent to which the strength of attacks targeting WordPress grew over the last couple of years. It thus become yet another wake-up call for the web community that still does quite poorly in terms of adopting cybersecurity standards.
Webmasters still fail to implement security best practices
One of the most important steps to raise awareness of these issues among webmasters was taken by Google two years ago when the company announced that the use of SSL certificates will start making a difference in ranking positions. The idea behind the step was to encourage more website owners to implement secure protocols on their websites and start creating a safer web from there. In the meantime, Google made SSL even more important for SEO earlier in 2015, but this doesn’t seem to have had the desired effect. Namely, Google’s recent transparency report shows that there is still a large number of non-Google sites that do not use encryption whatsoever. The company reports that the volumes of encrypted traffic vary by country, with the variations resulting from a number of factors, such as the availability of software that can support modern TLS and types of devices most commonly used in that country.
Shoulder to shoulder to reports on the massive use of weak passwords, these revelations indicate that most websites are still vulnerable due to inappropriate cybersecurity practices applied. Despite the efforts of the global tech giants and various other organizations to promote online safety, the web world apparently fails to develop secure practices when it comes to website management. This is why we are constantly faced with new reports on massive data breaches which increasingly affect everyday consumer. Panama papers leak is probably one of the most alarming events of the kind and definitely raises important questions on our future abilities to handle increasingly sophisticated cyber-attacks. Although SSL or strong passwords alone cannot stop breaches from happening, they definitely represent important steps towards securing a safer web. Combined with keeping web databases up to date and using only trusted software, these practices could help in saving an important database or two in future. Yet webmasters need to be aware of this today before their respective sites or web properties become a target.
About the Author: Sarah Green (@sarahh_green) is a tech journalist and blogger writing about cyber security, tech startups and digital business. She also tweets about related topics and likes to share her thoughts with industry experts. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
