Checkmarx Fails the Wikipedia Test

When looking at the poor state of the security industry one of the things we have noticed is that far too often you can get better information from the Wikipedia than you can from many in the security industry.

One re-occuring issue we see is people in the security industry referring to dictionary attacks, which involves trying to log in using common passwords, as being brute force attacks, which involve trying to log in using every possible password. The Wikipedia by comparison manages to accurately describe both dictionary attacks and brute force attack. They even mention the contrast between them:

In contrast to a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are deemed most likely to succeed.

While looking for some information on the website of security company Checkmarx recently we ran across them not understanding the difference between hashing and encryption.

The last sentence of an article looking at a hack of website is as follows:

Included in the leaked information of the VerticalScope forum and website users were their usernames, user IDs, email addresses and encrypted passwords.

For people that know about password security the use of encrypted passwords would seem rather odd and would indicate things were not being done securely.

Further down the article it goes in to more details.

Finally, a vast majority of the passwords were encrypted using methods that were very easy to break using MD5 with salting and less than a couple million of the 45 million passwords were sufficiently encrypted.

That brings us to the first sentence of the second paragraph of the Wikipedia article on MD5:

Like most hash functions, MD5 is neither encryption nor encoding.

To understand why that matters, it helps to think of hashing as one way encryption. When using that on a password the actual password is converted in to some other text, but unlike encryption you cannot decrypt it. That way even if someone gets a hold of the stored versions of the password, say on a website, they can’t get the original password.

If you wondering how the system then know how if the correct password is being entered in the future, the answer is that the password entered then is run through the hashing algorithm and the result is checked to see if it matches the stored version.

The misuse of the term encryption continues in the article, even being used to promote one of Checkmark’s services:

The Importance of Proper Encryption

VerticalScope attempted to hash their passwords using MD5 with salting which security minded developers agree is an “emphatically poor choice” when it comes to securing passwords. First designed in 1992, the MD5 algorithm is a hash function which produces a 128-bit hash value. As early as 1996, flaws were determined in the design of MD5 and in 2005 it became apparent that MD5 was not collision resistant, a key component for a secure encryption algorithm.

How to Ensure Proper Encryption

In addition to avoiding MD5 hashing as your method of choice, it’s important to also avoid SHA-0 since it has been conclusively broken, SHA-1 as well as DES as it can be broken by the average desktop computer’s GPU.

 

When choosing your encryption method, be sure to focus on using a symmetric algorithm key size that is at least 168 bit and if you’re dealing with financial transactions, use at least 256 bits. Ensuring that your application protects all cryptographic keys within the file system will also help ensure that your encrypted data is not exploited.

Additionally, using a static code analysis solution to ensure that your application has sufficient encryption is also recommended as your developers will be able to mitigate any encryption issues at the earliest stages of the SDLC. Checkmarx’s CxSAST scans and for and identifies encryption security issues in multiple languages including Java, CPP, JavaScript, Objective C, C++ and Perl.

Checkmarx Running Outdated and Insecure Version of WordPress

Back in November over at the blog for our Plugin Vulnerabilities service we discussed the fact that the security company Checkmarx was making a claim that a number of WordPress eCommerce plugins had severe vulnerabilities without providing any evidence, even what the name of the plugins was, to support that. That didn’t stop security journalists from covering the claim at the time. The details were supposed to be released later, but when went looking for them several weeks ago we couldn’t find them and when we contact Checkmarx to inquire about them, we received no response. At this point we think it is reasonable to wonder if the vulnerabilities ever existed.

It turns out though that this company that doesn’t seem to have a problem with making what appear to be baseless claims about the security surrounding WordPress, uses WordPress on its own website at the same time.

What should be surprising, but is an all too common occurrence, it also turns out that they are running an out of date and insecure version of WordPress on their website as can be seen in the source code of the website’s pages:

The Checkmarx Website is Running WordPress Version 4.6.1

There have been four releases of 4.6.x with security fixed since then: 4.6.2, 4.6.3, 4.6.4, and 4.6.6 (they also have updated to the latest major release of WordPress, 4.7). The oldest of those was released over four months ago.

The plugin listing its version number below the line for WordPress is not surprisingly also out of date.

What makes their lack of updating stick out is that WordPress would have normally automatically updated without any action required by Checkmarx, due to the automatic background updates feature. So either Checkmarx’s server environment has some incompatibility with that (which they could help WordPress to get fixed) or they intentionally disabled them. In either case you should expect that a security company would be concerned enough about security enough to manually apply those updates.

With all of that, it doesn’t seem like it should be all that surprising that security is in such bad shape these days.