Keep your website up to date, security is key! #PanamaPapers

And every time there is a new security update you ask yourself: should I take the time to install it, or can I just hope it will not hit me, because who would hack me?

At Amazee there’s only one answer: update and fix as fast as possible!

There’s a good (well…) example of what can happen if you don’t take your security job seriously these days. The #PanamaPapers are all over the media across the globe, and there’s a high chance that this data leak has a tech aspect too: there are strong indicators that the security of the site wasn’t maintained and that it has several vulnerabilities.

The details of how exactly the 2.4 TB of data leaked are not public yet, but it is likely that the data was hacked from one of the company’s websites: https://portal.mossfon.com.

Let’s take a quick look at the source code of this site; we can see that it was built with Drupal 7.

[Screenshot: page source of https://portal.mossfon.com, showing Drupal 7 markup]

What we can also see is that CSS and JavaScript files are not aggregated (which is bad performance practice, by the way).

A deeper look into other files reveals more dangerous things.

[Screenshot: the site’s CHANGELOG.txt]

The changelog shows that the Drupal version is still 7.23. That release is more than 2 years old and has a very serious security hole known as “Drupalgeddon”, which allows anybody to inject PHP code into the website.

It’s possible that the site itself has been patched for this security hole while CHANGELOG.txt still reports Drupal 7.23, but given the general (bad) state of the site we assume that this is not the case.
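The two observations above (the version CHANGELOG.txt discloses, and whether CSS/JS aggregation is switched on) can be turned into a self-audit for your own Drupal 7 site. The script below is an added example and is not part of the original post, of Amazee Labs’ tooling or of Drop Guard. It assumes the `Drupal X.Y, YYYY-MM-DD` entry format that Drupal 7 uses in CHANGELOG.txt and the `files/css/css_<hash>.css` / `files/js/js_<hash>.js` paths Drupal 7 writes when aggregation is enabled; the changelog excerpt, the HTML snippets, the reference date and the minimum version passed in are all constructed sample data (the real minimum you require must be taken from the relevant Drupal security advisory).

```python
"""Offline self-audit helpers for a Drupal 7 site (added example, not the post's own code)."""
import re
from datetime import date

# Constructed, abridged sample in the entry format Drupal 7 uses for CHANGELOG.txt
# (newest release first). Dates here are sample data.
SAMPLE_CHANGELOG = """\
Drupal 7.23, 2013-08-07
-----------------------
- Fixed a bug in the example changelog.

Drupal 7.22, 2013-04-03
-----------------------
- Fixed another bug in the example changelog.
"""

# Constructed sample of a page head served with aggregation switched off:
# every module and core asset is referenced individually.
SAMPLE_HTML_UNAGGREGATED = """\
<link type="text/css" rel="stylesheet" href="/modules/system/system.base.css?mpx1ab" media="all" />
<link type="text/css" rel="stylesheet" href="/modules/system/system.theme.css?mpx1ab" media="all" />
<script type="text/javascript" src="/misc/jquery.js?v=1.4.4"></script>
<script type="text/javascript" src="/misc/drupal.js?mpx1ab"></script>
"""

# Constructed sample with aggregation on: one combined CSS and one combined JS file.
SAMPLE_HTML_AGGREGATED = """\
<link type="text/css" rel="stylesheet" href="/sites/default/files/css/css_abc123.css" media="all" />
<script type="text/javascript" src="/sites/default/files/js/js_def456.js"></script>
"""

# "Drupal 7.23, 2013-08-07" -> version and release date of one changelog entry.
VERSION_LINE = re.compile(r"^Drupal (\d+\.\d+(?:-\S+)?), (\d{4})-(\d{2})-(\d{2})\s*$", re.M)
# Aggregated asset paths as Drupal 7 writes them under the public files directory.
AGGREGATED_PATH = re.compile(r"/files/(?:css/css_|js/js_)[0-9A-Za-z_-]+\.(?:css|js)$")


def disclosed_version(changelog_text):
    """Return (version, release_date) of the newest entry, i.e. the core version the file discloses."""
    m = VERSION_LINE.search(changelog_text)  # first match is the newest entry
    if not m:
        return None
    version, y, mo, d = m.groups()
    return version, date(int(y), int(mo), int(d))


def version_tuple(version):
    """'7.23' -> (7, 23) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)", version).groups())


def core_is_older_than(version, minimum):
    """True if the installed core predates the minimum the operator requires."""
    return version_tuple(version) < version_tuple(minimum)


def age_in_days(release, today):
    """Age of the disclosed release on the given reference date."""
    return (today - release).days


def aggregation_enabled(html):
    """True if every stylesheet/script points at an aggregated file, False if not, None if no assets."""
    css = re.findall(r'<link[^>]+rel="stylesheet"[^>]+href="([^"?]+)', html)
    js = re.findall(r'<script[^>]+src="([^"?]+)', html)
    if not css and not js:
        return None
    return all(AGGREGATED_PATH.search(path) for path in css + js)


def audit(changelog_text, html, today, minimum_version):
    """Collect human-readable findings for the checks described in the post."""
    findings = []
    found = disclosed_version(changelog_text)
    if found:
        version, released = found
        findings.append(f"CHANGELOG.txt discloses Drupal {version} (released {released})")
        age = age_in_days(released, today)
        if age > 730:
            findings.append(f"core release is {age} days old (more than 2 years)")
        if core_is_older_than(version, minimum_version):
            findings.append(f"core {version} is below the required minimum {minimum_version}")
    if aggregation_enabled(html) is False:
        findings.append("CSS/JS aggregation is off (performance setting, and a sign of an unmaintained site)")
    return findings


if __name__ == "__main__":
    # Reference date and minimum version are constructed sample values.
    for line in audit(SAMPLE_CHANGELOG, SAMPLE_HTML_UNAGGREGATED, date(2016, 4, 5), "7.30"):
        print("-", line)
```

Run it against a copy of your own site’s CHANGELOG.txt and front page HTML (fetched however your deployment allows) and replace the sample minimum with the version named in the advisory you are checking against; a disclosed version that is both below that minimum and years old is exactly the situation the post describes.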

It’s also possible that hackers were able to steal website login data via the DROWN attack. A DROWN test site shows that the site was vulnerable when DROWN was released in February 2016.

We might never know exactly how the data leaked, but it certainly did! Our key learning on the tech side is that security is very important and that laziness can have very bad consequences.

That’s why we at Amazee Labs use automated update tools like Drop Guard for Drupal and have weekly maintenance windows for all our servers and services.

Find the German version of this post here.

Stay safe!
