Security Boulevard: “Dig into a law firm, and you’ll find secrets. Sometimes these secrets are mundane, like who’s getting divorced, or who’s getting cut out of the will. Sometimes, however, these secrets can shake nations and economies. Huge companies are merging and getting acquired, national leaders are hiding graft in numbered accounts, and you might find all those secrets within the server at a nondescript law firm – which might possibly be the most unsafe place to hide it. Law firms may be extremely discreet when protecting their clients’ identities from judges, the media, and other lawyers, but their track record is less than stellar when it comes to the digital realm. Those who’ve heard of the firm Mossack Fonseca or the Panama Papers (a 2TB data leak that exposed how the wealthy avoid paying taxes) may know that the firm in question was:
- Running a version of WordPress that was 2 years out of date.
- Running a version of Drupal that was three years out of date.
- Running its web server on the same network as its mail server.
- Running its web server without a firewall.
- Running an out-of-date plugin known as “Revolution Slider,” which contained a file upload vulnerability that had been documented since 2014.
This multitude of sins collectively led to a scandal that, among other things, brought down the Icelandic Prime Minister. What’s more troubling, however, is that Mossack Fonseca wasn’t a standout among law firms. Many if not most law firms have an equally bad security posture…”
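Three of the five findings above are the same failure: software left years behind its current release. The audit below is an added example, not code from the Security Boulevard article or from any of the firms it mentions. It reads the version strings WordPress itself keeps on disk (the `$wp_version` assignment in `wp-includes/version.php` and the `Version:` line in each plugin's header comment, both standard WordPress conventions) and compares them with a caller-supplied release history. The sample install tree and the release dates in `SAMPLE_RELEASES` are constructed for the demonstration and are not the real WordPress or Revolution Slider timelines; a real audit would feed it the current release tables.

```python
"""Flag stale WordPress core and plugin versions from an on-disk install.

Added example (not from the quoted article). The sample tree and release
history below are constructed; only the two on-disk locations it parses
are real WordPress conventions.
"""
import re
import tempfile
from datetime import date
from pathlib import Path

# WordPress records its core version in wp-includes/version.php as
#   $wp_version = '4.1';
# and each plugin declares its own in the header comment of its main
# PHP file as "Version: x.y.z".
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
PLUGIN_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(v):
    """'4.1.4' -> (4, 1, 4); non-numeric suffixes are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def read_core_version(root):
    f = Path(root) / "wp-includes" / "version.php"
    if not f.is_file():
        return None
    m = CORE_RE.search(f.read_text())
    return m.group(1) if m else None


def read_plugin_versions(root):
    """Map plugin directory name -> declared version, taken from the first
    PHP file in each plugin directory that carries a Version: header."""
    found = {}
    plugins = Path(root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return found
    for d in sorted(plugins.iterdir()):
        if not d.is_dir():
            continue
        for php in sorted(d.glob("*.php")):
            m = PLUGIN_RE.search(php.read_text()[:8192])
            if m:
                found[d.name] = m.group(1)
                break
    return found


def find_stale(installed, releases, today, max_age_days=365):
    """installed: {name: version}. releases: {name: {version: release_date}}.
    Returns (name, installed, newest, age_days) for every component whose
    installed version is older than the newest known release and was
    released more than max_age_days before today. Components or versions
    absent from the release table are reported with newest='unknown'."""
    findings = []
    for name, ver in installed.items():
        history = releases.get(name)
        if not history or ver not in history:
            findings.append((name, ver, "unknown", None))
            continue
        newest = max(history, key=parse_version)
        if parse_version(ver) < parse_version(newest):
            age = (today - history[ver]).days
            if age > max_age_days:
                findings.append((name, ver, newest, age))
    return findings


def audit(root, releases, today, max_age_days=365):
    installed = {}
    core = read_core_version(root)
    if core:
        installed["wordpress"] = core
    installed.update(read_plugin_versions(root))
    return find_stale(installed, releases, today, max_age_days)


def build_sample_tree(root):
    """Constructed sample install: stale core, a stale slider plugin and
    one current plugin. Not real data from any site."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.1';\n")
    rs = root / "wp-content" / "plugins" / "revslider"
    rs.mkdir(parents=True)
    (rs / "revslider.php").write_text("<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n")
    ok = root / "wp-content" / "plugins" / "akismet"
    ok.mkdir(parents=True)
    (ok / "akismet.php").write_text("<?php\n/**\n * Plugin Name: Akismet\n * Version: 3.1.7\n */\n")


# Constructed release history with illustrative dates (not the real timelines).
SAMPLE_RELEASES = {
    "wordpress": {"4.1": date(2014, 12, 1), "4.4.2": date(2016, 2, 1)},
    "revslider": {"4.1.4": date(2014, 2, 1), "5.2.5": date(2016, 3, 1)},
    "akismet": {"3.1.7": date(2016, 1, 1)},
}


def run_sample(today=date(2016, 4, 3)):
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp, SAMPLE_RELEASES, today)


if __name__ == "__main__":
    for name, have, newest, age in run_sample():
        print(f"{name}: installed {have}, newest {newest}, installed release is {age} days old")
```

The check is deliberately read-only and offline: it never contacts the site, so it can be run from a filesystem snapshot or a backup, and the same `find_stale` logic works for any component once you have a version string and a release table for it. A version that is missing from the table is reported rather than silently passed, since an unrecognised plugin is exactly the kind of thing an audit should surface.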