Sucuri Security Doesn’t Like the Truth To Be Exposed

When it comes to bad security companies Sucuri Security is certainly up their for a variety things we have seen them do over the years. In just a few of those cases we have written up blog post about those. The company clearly don’t like that we exposed some of their bad practices, as something we just ran across today shows. Someone had posted a review for one of their WordPress plugins, which linked to several of our posts. The review has now been edited, but from the Google cached version you can see what was there and response from Sucuri’s CEO:

sucuri-security-innacurate-claims

The part relevant to our previous posts was (our emphasis added):

Those articles have absolutely nothing to do with the issue you experienced or this ability of this plugin, they are inflammatory and now you’re crossing into the line of social harassment unnecessarily. It’s a shame, seeing your social presence that you’d stoop so low. They are also inaccurate and completely out of context.

So what were these articles they claim are inaccurate and inflammatory.

The third article linked to discussed the poor state of Sucuri’s scanner several years ago, which was accurate then and based on what we have seen more recently the scanner still seems to be quite poor.

The second article discussed an attempt by Sucuri to astroturf a comment on that third article, which they admitted to in the comments of the second article. That comment came from the same person now claiming that the articles are inaccurate, but in his attempt at astroturfing he didn’t actually point out any real inaccuracy in the third article (if any of are articles actually contained inaccuracies we would want to correct them as soon as possible).

The first article discussed how Sucuri uses bad data to try scare people into using their service, so that would make them, not us, the inaccurate ones and probably inflammatory as well.

Sucuri Security Uses Bad Data to Try to Scare People into Using Their Service

When it comes to security companies most of what we see is quite bad. Most of them don’t have a good understanding of security, sell products and services that can’t do what they claim they can, or are some combination of both of those things. Sucuri Security is one of the worst companies we have seen and would fall in to that last category. We have been hired on quite a few occasions to re-clean websites they previously hired to clean, for which they failed to basic parts of the cleanup – like determining how the website was hacked – that if done, should have prevented the website from being re-hacked in the first place. Among things we have seen, there was the recent situation we came across where we found that they were helping to put WordPress websites at greater risk of being hacked.

That isn’t just our perspective, last week someone contacted us wanted to know if we knew a good alternative to Sucuri due to this litany problems they had with them:

I’ve been using Sucuri for about 5-6 months and it’s been the worst experience I’ve had with a service provider that I can remember. CloudProxy throws false positives all the time, and I explicitly asked them to remove it from one of our 5 sites multiple times and support ignored the request. The support has been bad from day one–beyond belief bad–not just in this instance but with nearly all the tickets I’ve opened.

Three years ago we discussed their SiteCheck security scanner’s poor quality and something we ran across the other day shows that it hasn’t gotten better, but in the meantime they have turned up the fear factor to try to scare people into using their service.

While we were looking too see if anyone else had discussed a false report of a vulnerability in WordPress 4.2.2, we can across a mention that a security company was running a vulnerable version of the Apache HTTP server on their website. That would be interesting if it was true. Following the link on that post brought us to this page on Sucuri’s SiteCheck:

sucuri-sitecheck-bad-warnings

A quick check showed that Sucuri was providing misleading information, we’ll explain that in second, but first let’s look at their rather scary warnings that came along with that bad information. First they warn “Outdated Software detected. Immediate Action is Recommended.”:

sucuri-sitecheck-bad-warnings-small-1

Then they warn of a “High” severity issue due to the website being outdated. and recommend to “PATCH AND PROTECT With Sucuri Firewall”:

sucuri-sitecheck-bad-warnings-small-2

Then they warn that an “Outdated Web Server Apache Found”:

sucuri-sitecheck-bad-warnings-small-3

They are a couple of major problems with this, first if the Apache HTTP Server version was actually outdated the solution would be to update it, not buy some security service they provide. Only in small text at the bottom do they suggest that “You can contact your host about it and ask them to update for you”:

sucuri-sitecheck-bad-warnings-disclaimer

Their claim that their CloudProxy service can automatically update the software is simply untrue.

The bigger problem is that Sucuri has no idea if the Apache HTTP server is in fact outdated in this instance and therefore if the “High” severity issue actually exists. To explain this let’s start by taking a look at a second screenshot, this time of our Server Details extension for Chrome on the same website:

fortiguard-server-details-screenshot

You can see it also identifies the website as using version 2.2.3 of the Apache HTTP Server, but it doesn’t label it as being outdated (despite that being a capability of the extension). The reason it doesn’t label it as being outdated is due to the second piece of information, that the server is running CentOS 5. The CentOS operating system is based on Red Hat Enterprise Linux (RHEL), which means that instead of introducing new versions of included software when a security fix is released they backport the security fix to the existing version. That means that while that server is using an outdated version of the Apache HTTP Server, it isn’t necessarily outdated in a security sense. If Sucuri Security did in fact have the security expertise they claim to have, they would know about this and properly handled this situation.

Now you might be wondering how hard it would have been for them to check for this type of situation before showing such dire warnings. They way we get the information for our extension and how Sucuri probably get their data is to look at the Server HTTP header. For this website it is this:

Apache/2.2.3 (CentOS)

CentOS is one of three words in it, so it isn’t hard to detect. (We are able to say the website is running version 5 of CentOS based on the Apache HTTP Server version identified in that.)

WPScan and Sucuri Put WordPress Websites at Risk

Yesterday we discussed a situation where the WPScan project didn’t bother to notify the developer of a WordPress plugin or the wordpress.org Plugin Directory about a vulnerability that they knew about. Some might excuse WPScan’s responsibility to alert them based on the fact that the vulnerability was discovered by someone else and already publicly disclosed. After running in to that situation we took a closer look at the WPScan project and found something more troubling. Back in March they started discussing a backup plugin that wasn’t properly securing backup files made by it. The issue was quite serious since some of the backup files, which can contain sensitive information, made by the plugin could be easily found with just a simple Google search. In the thread no one even brings up the idea of notifying the developer of the plugin or the Plugin Directory about the issue, which would be the way to get it fixed. Instead there is some discussion in thread on how to further exploit the poor security of the plugin in the WPScan vulnerability scanner.

We are quite sure that no one ever bothered to contact the Plugin Directory about the issue because within hours of us notifying them last week the plugin was pulled from the directory pending the security being improved. Within a few days of that, security improvements were introduced to the plugin. Based on the plugin developer’s comment at the end of the thread it doesn’t sound like WPScan had informed them either.

What makes this particular troubling is that at the same time they are at least knowingly leaving websites insecure they are selling WordPress security services.

They are not the only ones selling security services involved in this. Prominently displayed on the WPScan homepage is a banner letting you know the project is sponsored by Sucuri:

WPScan is Sponsored by Sucuri

We would ask why a security company would sponsor a project that seems more interested in exploiting security issues than fixing them, but we already know that Sucuri doesn’t have much interested in websites actually being secure. We have often been hired to re-clean websites that had previously cleaned by Sucuri. What we have found in those cases is that Sucuri didn’t do basic parts of a proper cleanup, including making sure the software on the website was up to date and determining how the website was hacked, which if done would have made it less likely that the website would be hacked again.

Sucuri Security: How Not to Astroturf

A couple of months ago we wrote a post about someone who came to us after several tools had claimed their website was infected with malware. We found that not only were those tools wrong, but that the false positives highlighted major flaws in these tools. One of them was Sucuri SiteCheck, which we found was not bothering to actual scan a file labeled as malicious before falsely labeling the website as being infected. Since then there was an obvious attempt to get people to comment on the post, not on the substance of the post but with praise for Sucuri. We are happy to receive comments that further the discussion of a post, especially if they disagree with us. We are not interested in our blog being filled with off-topic comments and won’t approve them and you won’t see them. One of the comments we received during this was unlike any of the others, it was a long bizarre rant that had all the hallmarks of an attempted astroturfing by a Sucuri employee. It was later confirmed that this was an astroturfing attempt by Sucuri when the COO of Sucuri visited our website and contacted us using the same computer two weeks later. In our reply to them we mentioned the astroturfing, which they didn’t deny. We don’t know if this is a one-off attempt or if this is a common thing for Sucuri, but you should be on the lookout if you are reading something about them. You also have to wonder what other unethical actions Sucuri might also find acceptance to do.

The comment, which can be found in full at the bottom of the post, is a good lesson on what not to do if you are going to attempt to astroturf. To start with the name you use shouldn’t be something that seems so obviously contrived like the name used in this instance, Intriqued Citizen. Then you would probably want to keep your comment short and to the point. Instead the comment was nearly three times longer than the section on Sucuri in the post itself. Would anyone spend that much time with something that they were not deeply involved in? Their comment also seemed quite obsessed with us competing with Sucuri, which doesn’t fit with what we were discussing in the post (nor does it fit with what we actually do). You also don’t want to use a computer that can be determined is from your organization. Most importantly, making a bizarre rant isn’t going to be the way to help you to win over people to your point of view, which is the point of astroturfing.

We are not going to put you through the misery of us analyzing the whole thing, but there were several things that stood out for us and are worth highlighting.

A good of example of the bizarre nature of the whole thing comes in their response to us stating the basic fact that JavaScript files should be scanned for malware when scanning a web page for malware:

And this is based on what? Your extensive experience building malware scanners? Or wait, is it design? Oh no, maybe its Drupal? Oh, no, it must be publicly attacking every company that you disagree with. At least that what someone gets from reading your other nonsense posts.

In the middle of not addressing at all the substance of what they are commenting on is a mention of Drupal, which comes completely out of left field. The blog post makes no mention of Drupal and the website discussed in the post was running WordPress (which can be surmised due to the first part of the post discussing a WordPress plugin). The rest of their comment doesn’t make any mention of Drupal either. We do run Drupal on parts of our website and provide services for Drupal (as we do for a variety of software), so maybe this is some sort of weird anti-Drupal bias? You might expect something like that from a kid, not from a self proclaimed C-level executive.

Another section claims that we use their service:

Why don’t you post all your other findings of when you used it to clean your own clients sites. Come on, don’t lie, you know you use it.

We have never used Sucuri to clean up a hacked website, as we actually do our own work. We have seen the shoddy work they do, so it would also be unethical for us to have ever outsourced the work to them. On a fairly regular basis we have people come to us to clean up a website that Sucuri had previously been hired to clean up, but had been reinfected after their initial cleanup (and in some instances after they did multiple cleanups). There are certainly reasons for that which would not be Sucuri’s fault, but in all of the instances we have dealt with basic parts of a proper cleanup had not been done by Sucuri. This included not doing the most important, but also the most time consuming and difficult, part of a cleanup. We don’t know if this is due to them offering to cleanup websites without knowing how to properly clean them up or if they are choosing to cut corners (they could probably get away with that in many instances), but would you really want to deal with a company that does either one? This is something we will expand on in a follow up post, as Sucuri certainly isn’t alone in not properly cleaning up hacked websites.

Full Comment From Intriqued Citizen (aka Sucuri’s COO):

Wow, so you have obviously put in a lot of effort to get this word out to every one you can as I am seeing this on a number of search engines and Facebook. Either you love them, you are genuinely trying to get the word out, or you’re simply trying to tarnish their reputation by putting out a post that really says nothing. Which is it?

So let’s look at your post:

What appears to have happened is that Sucuri automatically flagged the code based on their signature without actually scanning the JavaScript file for malicious code, which, if their scanner was reliable, would have determined that it was not malicious.

Is this in fact what happened? Did you contact them? Did you ask the question or are you simply talking out of your rear? Did you try to understand how it works or simply look to benefit off their name?

Interesting comment here:

That should be a basic part of scanning the page for malware even if it wasn’t in that odd location or part of a signature.

And this is based on what? Your extensive experience building malware scanners? Or wait, is it design? Oh no, maybe its Drupal? Oh, no, it must be publicly attacking every company that you disagree with. At least that what someone gets from reading your other nonsense posts.

Then there is this:

When you don’t actually scan things for malware before falsely identifying them as malware, you really shouldn’t be calling what you do website malware scanning.

So instead, your recommendation is that they sign up with you? So it appears you’re a competitor or at least trying to play with the big dogs, no? Why would I choose to go with you over Sucuri has a stellar reputation and you have a… umm.. who are you again? Oh that’s right, the guy that bashes everyone and spends money on … umm.. ???

Oh, here is a juicy one:

The more troubling aspect of this for their customers is the fact Sucuri’s idea of protecting websites is detecting that they already have been hacked and then cleaning them up.

Really? That’s their idea? Odd, didn’t see that. Where did you see this? Or, again, are you talking out of your rear?

holy run on sentence batman:

Putting aside the fact for the moment that properly secured websites are highly unlikely to be hacked and that allowing websites to be hacked has consequences even after they are clean again, with a scanner this poor it is unlikely that it will actually do a good job of detecting when website are infected.

So, I’m confused, this sounds like opinion based around what? Your test of one site? Honest question, you think that’s a good objective test from a competitor? Why don’t you post all your other findings of when you used it to clean your own clients sites. Come on, don’t lie, you know you use it.

Alright, let’s look at all your even more ridiculous comments:

Your response to Buck:

At that point it isn’t even actually a malware scanner.

And this is again based on what? Your one test? Not very trustworthy assessment in my opinion, but what do I know.

There is a big difference between perfection and not bothering to actually scan for malware with something claiming to be a malware scanner.

Another empty statement with no facts.

We actually know about security. Not the kind the kind that involves throwing around catchy phrases like “defense in depth” and “security is a process, not a state”, but the kind that deals with the real world.

You do? Based on what? Your ability to detect software is out of date? Good job there turbo.

If people do the things in the article that we linked to at the beginning of the post, then that will prevent the kinds of hacks that are actually causing the average website to be hacked.

Are you serious? The crap in this post: http://www.whitefirdesign.com/resources/secure-your-website-from-hackers.html? You mean the same shit every other security company offers? Oh my you said sanitize all inputs to avoid SQL injections.. you rockstar you.. again, where was the real value in this post? I get more from reading http://sucuri.net/learn then I do from that post. But maybe I missed the sheer genius that was going to keep me safe in all that high-level non sense.

(There is more that security community can do to improve security beyond that, but unfortunately many of them are instead focused on pushing products and services that don’t fix the real problems.)

Oh, like this post and every other one that references your services section? Like that you mean?

The solution to this isn’t for people to spend money on an unreliable malware scanner or even a malware scanner that works perfectly. At best a malware scanner would tell you that the website is infected after it already has been infected.

Got it, so if I understand correctly, what you’re saying is, you don’t need a car alarm or a house alarm. As long as you don’t forget to lock the doors, get a blot lock, use a bolt lock on your steering wheel? Is that about right? Just want to make sure I understand this statement.

At that point you need to clean up the infection and secure the website to make sure the infection doesn’t reoccur. We think it is better to secure the website before it can be infected.

Oh but wait, based on what you said, there is no need to clean them up. They should be hardened to prevent this, so suck it up. No?

Your responses to Shaza:

The rest of your comment actually shows that Sucuri is reactionary and not preventative. They only fixed the TimThumb vulnerability on your websiteafter you were hacked.

Awkward, sounds like they only signed up after they were infected. If that’s the case, how would they have cleared the TimThumb issue? Is that what they did? Do you know, or are you talking out of your rear, again?

If you want to pay someone to keep your website secure (and we never suggested you should or shouldn’t do that), then you should find someone who actually does the things that keep websites secure instead of hiring a company that uses a faulty malware scanner to attempt to detect that websites are already infected with malware as you are with Sucuri.

Are you serious here? Did you really just say in your last comment not to go with people that push service or product but then push your own? Come on, that’s just retarded bud

If Sucuri was actually interested in keeping WordPress based websites secure, instead of profiting off them remaining vulnerable, you have to wonder why they haven’t had an effort to get the issues with unresolved plugin security vulnerabilities fixed.

Do you work for them? How do you know they haven’t or aren’t? That’s odd.. : /

Now, let’s see how big your balls are and if you’re really serious about bringing this issue to people’s attention. Go ahead and approve this and respond and let’s have an honest conversation. Not doing so will simply show how much of a slime ball you are putting out false information with no real facts or anything of real value that any one should pay attention to.

False Positives Highlight Deeply Flawed Website Malware Scanners

We often get asked by clients about whether they should be using some sort of malware scanner on their website and our answer has always been no. Two major reasons for this are that with proper security websites can be protected from being infected in the first place and that these website malware scanners are not very good at identify malware. What we haven’t considered before was the issue with these scanners producing false positives. We know that when people are told that their websites are infected with malware it is stressful and it can lead to them taking drastic, including deleting the websites. Deleting a website won’t always solve the underlying that caused the infection when a website is infected, but with a website that is not infected it is just a waste. This is why it is critical for those developing malware scanners to be very careful in making sure their scanners work properly and properly detailing what they are detecting. This is something that has been disregarded by the developers of the AntiVirus WordPress plugin and the Sucuri SiteCheck website malware scanner, as we recently discovered when we were contacted by someone unfortunate enough to have run into these two tools.

We were contacted, as we often are, by someone who wasn’t sure it there website was infected. (We are always happy to do a quick free check to confirm whether a website is infected or in some other way hacked. For potential clients that contact about dealing with a hacking issue we always do this first, as we find on a regular basis that the issue they are experiencing are not related to a hack or have actually already been resolved.) They and their web host couldn’t find anything wrong their website, but they were getting warning from two website malware scanning tools. As with any check we do, it involves discussing what leads them to suspect the website is hacked and us doing some of a variety of manual checks. Automated scanners are not reliable way for detecting issues for a number of reasons. In this instance the two scanners were falsely identifying two different items as being malware. We were able to determine this after a quick review of what they were reporting.

By looking at the false positives a malware scanner produces you can get a good sense of how good or bad it is.

AntiVirus

On the page for the AntiVirus plugin on the WordPress.org Plugin Directory the plugin is described as a “useful plugin that will scan your theme templates for malicious injections” and “a easy and safe tool to protect your blog install against exploits, malware and spam injections”.

On the website we were contacted about the plugin was displaying a warning in the Admin Bar that a virus was suspected:

"Virus Suspected" Warning Shown in Admin Bar

What was being identified is shown in the screenshot below:

False Positive Shown for Theme

As shown in the screenshot the suspected virus was the use of the statement require_once. The require_once statement causes a file to be included, with the further requirements that it only be included once and that an error occur if the inclusion fails. This isn’t a malicious statement and it isn’t something that should on its own be used to claim that malware is suspected. It is possible that something malicious could be included with this statement, but as it was with this website, there are perfectly legitimate uses of it.

After seeing this result we wondered why the use of this statement was being identified as a suspected virus, did the developer of plugin believe that this particular statement was only used with malware? What about the similar include, include_once, and require statements? When went to start testing this, we saw a startling result. As can been seen in the screenshot below, the default theme in WordPress 3.4 was being identified as suspected of containing a virus, for simply using the require statement:

AntiVirus Result for Twenty Eleven Theme

A theme using any of the statements used for including files is identified as being suspected of infected, despite that clearly not being at a reliable indicator of a virus. It is quite troubling that something that is so clearly inaccurate is allowed to be in the Plugin Directory. At the very least it should have a very visible warning explaining what the scanner actually identifies. Looking at the support forum for the plugin you can see there are numerous threads involving these false positives. (There is also a topic where the self proclaimed “Hack Repair Guy” says that he recommends “this to my clients for basic security”, which is affirmation for our warning about that guy last year.)

Sucuri SiteCheck

In their marketing material Sucuri describes their SiteCheck website malware scanner as being “highly sophisticated” and that it “leverages internal definitions that are refined daily, external sources, and intelligence to identify both potentially harmful signatures and anomalies that may not be known”. They also claim to be the “de facto standard in website malware monitoring”.

As can been seen in the screenshot below Sucuri’s scanner claimed “Site infected with malware” and that it contained known JavaScript malware:

Sucuri Sitecheck Results

We looked at the code that they identified as malicious and found it to be legitimate and non-malicious. We also found that it was on a legitimate website and we could find no indication that website in question was recently infected, so why was Sucuri flagging it? To try to figure that out we looked at the malware entry that they were flagging the code for. The description given is “A suspicious remote javascript include was identified. It was set in an non-standard place (before the <html> tag) and was used to distribute malware to someone visiting the infected web site.” It is true that sometimes malware is placed at locations were you wouldn’t usually find legitimate code and it would make sense for a malware scanner to flag that for additional scrutiny, beyond a regular scan of the code for malware.

What appears to have happened is that Sucuri automatically flagged the code based on their signature without actually scanning the JavaScript file for malicious code, which, if their scanner was reliable, would have determined that it was not malicious. That should be a basic part of scanning the page for malware even if it wasn’t in that odd location or part of a signature. When you don’t actually scan things for malware before falsely identifying them as malware, you really shouldn’t be calling what you do website malware scanning.

If you are to believe their marketing claims about how great their website malware scanner is, you have to wonder how much worse the other scanners are. The more troubling aspect of this for their customers is the fact Sucuri’s idea of protecting websites is detecting that they already have been hacked and then cleaning them up. Putting aside the fact for the moment that properly secured websites are highly unlikely to be hacked and that allowing websites to be hacked has consequences even after they are clean again, with a scanner this poor it is unlikely that it will actually do a good job of detecting when website are infected. You really are much better off spending your time and money on actually keeping the website secure in the first place, instead hoping that when the website does get hacked it can be detected and cleaned properly.