One of the most basic principles of IT and web application security is to always run the latest version of the software that you use on your web server, websites and everything else that has some sort of software executed on it.
Yet sometimes the most basic principles are the ones that get ignored, and the ones most commonly exploited in successful hack attacks. Case in point: Mossack Fonseca.
A lot has been said in the news about how the Panama Papers leak could have happened. Some news outlets said that the attackers gained access by exploiting a SQL injection in a vulnerable version of WordPress or one of its plugins. Others, including security software vendors, said that the attackers exploited an SSL vulnerability such as Heartbleed, POODLE or DROWN.
One thing is for sure: Mossack Fonseca were running their websites and customer portals on very old versions of WordPress, Drupal, Apache, SSL, PHP and several other components, all of which had known vulnerabilities. Had Mossack Fonseca kept its software up to date, none of this would have happened and the prime minister of Iceland would not have resigned.
Mossack Fonseca got all the media’s attention because many world leaders and businessmen are involved in this leak, but this is not the first time that old software has been the cause of a successful hack attack.
Just last year a security researcher identified a vulnerability in a popular WordPress plugin called RevSlider. As usual, the developer released a fix, yet thousands of WordPress websites were still hacked through this vulnerability months later. In fact, to this day WordPress websites are still being hacked through it.
There are two reasons why so many WordPress websites are still being hacked through this vulnerability after all this time:
Had the Panama Papers leak not happened, there would not be a global turmoil about taxes, politicians and businessmen. I am in no way justifying any of the actions such people have taken. I am just highlighting the ramifications of not keeping all your software up to date: from a simple mistake of not updating WordPress or an SSL library, to a prime minister’s resignation and a political crisis. And this is just the beginning.