123 Reg’s Partnership With SiteLock is Already Producing the Expected Bad Results

As we have continued to dig deeper into how the web security company SiteLock takes advantage of people, one central element of it is their partnerships with web hosting companies. From their main website you can’t even sign up for their services, only request a quote, and if people were looking around for a security provider they would likely come across many horror stories involving SiteLock while doing so. Instead, it looks like the services get sold on the trust implied by their web hosting partners marketing them, and on the fact that, to varying degrees, the web hosts push people to use them if their website is hacked (or in some cases when SiteLock or the web host is falsely claiming it is hacked). The reality of the partnerships is that they are not based on the web hosts believing in SiteLock; they are based on the web hosts getting paid a significant amount of money (one major web hosting company disclosed that it gets 55 percent of the revenue from SiteLock services sold through its partnership with SiteLock).

Neither SiteLock nor the web hosts are upfront about the real reason for their partnerships. Take for example how 123 Reg announced their partnership with SiteLock last month: there is no mention of that financial arrangement. Instead they make a number of claims that don’t match what we have seen of SiteLock’s services in the real world, including:

By partnering with SiteLock, small business customers now have access to best-of-breed security solutions that deliver proactive and reliable protection from internet threats and vulnerabilities.

And:

Our partnership will ensure that websites run safely and smoothly, and will further secure the infrastructure in the UK. Through our combined efforts and commitment, we can make it easy for customers to seamlessly integrate security into their sites and prevent future attacks.

That things are not as they claim is hinted at by the paragraph that follows, though:

SiteLock can detect known malware the minute it hits. After identifying malicious content, it automatically neutralizes and removes the threats. SiteLock then provides businesses with complete reports on scans, threats detected and items removed.

On the one hand 123 Reg is claiming that they “can make it easy for customers to” “prevent future attacks”, but then they are claiming that SiteLock is going to detect malware the minute it hits, which indicates they can’t prevent future attacks (otherwise there wouldn’t be malware to detect). No evidence is provided that SiteLock can actually detect malware the minute it hits, and we have seen rather bad results in their attempts to detect malicious code: in one situation we found SiteLock claiming a website was secure while it contained malicious JavaScript code that compromised credit card details entered on the website.

Our experience is that SiteLock does a quite poor job of cleaning up hacked websites. For example, everything we have seen indicates that they fail to do two of the three basic steps for cleaning up a hacked website: 1) making sure the website has been secured (which usually means getting the software up to date) and 2) determining, to the extent possible, how the website was hacked. In one recent instance their failure to do those not only left hackers with two forms of access to the website, but also meant that a security problem at one of their partner web hosts remained unfixed, which would allow even more websites to be hacked (that vulnerability remaining unfixed would also provide them with more people to potentially take advantage of).

Not surprisingly, then, we have already run into an example of the partnership with 123 Reg producing the bad results you would expect:

It’s not been awful, but it’s been repetitive. A few links stuck in the index page as far as I can see. They’ve tried to put in malware which Sitelock has found and got rid of. But they’re still getting in. We’ve changed passwords, sitelock has changed dns settings (after this I don’t understand much), any coding on the site is from the latest version of xara web designer and xara say they’re safe. 123reg (who sold me Sitelock) said they can’t keep everything out, which beggars the question – what’s the point? PC that the site was uploaded from is free from viruses and malware. Hosting service are saying it shouldn’t happen again but are advising me to move anyway (!).

If SiteLock was doing things properly they would have done the work to determine how the website was getting hacked and fixed that, but since their idea of protection is to detect that a website is hacked instead of actually protecting it, that doesn’t happen, leading to situations like the one described there.

If your web host is a partner with SiteLock, your best move is probably to move to another web host, since through that partnership they are showing that they don’t really care about their customers. If you are at the point where you are being contacted by your web host or SiteLock about your website being infected with malware or otherwise hacked, we recommend you read one of our previous posts, which takes you through some of the important information to understand about the situation before you make any decisions on dealing with it.

Bluehost Had Different Response to a Hacked Website When the Press Questioned Their Pushing SiteLock

When it comes to SiteLock and their taking advantage of people, a critical component of that successfully happening is their partnerships with various web hosting providers. These partnerships do not seem to be based on the web hosting companies thinking that SiteLock is a really great company to help people with security issues (from everything we have seen over several years they don’t even understand the basics of what they are supposed to be doing); instead the web host gets a significant amount of money when SiteLock sells services through the partnership. In the case of the parent company of Bluehost, the Endurance International Group, they disclosed to investors that they receive 55% of the revenue (they seem unwilling to disclose that to the broader public, as one of the company’s other web hosting brands won’t even acknowledge that they are getting paid). In the case of Bluehost and the other web hosting brands owned by the Endurance International Group there is another likely reason for the partnership: the majority owners of SiteLock are also the CEO and a board member of the Endurance International Group.

In theory this would likely lead to a bad situation for customers: the web hosts have an incentive to treat a security issue in the way that makes them the most money, and SiteLock would necessarily be overcharging people, since over half the fee for the service doesn’t go to them. In the real world things look a lot like that. Take for instance what is described in an article from NBC’s San Francisco Bay Area station, when their problem solvers looked into Bluehost’s handling of a hacked website:

But recently, Rose’s website was taken down. A message on the site read “temporarily unavailable.” She didn’t know how or why it happened, but she did know it would hurt business.

“It means we don’t get sales, so I don’t make money,” Rose said.

Scrambling to get her site back up, Rose called Bluehost, her hosting site, and was connected to SiteLock, a website security company.

Rose said SiteLock referenced an email it had sent her – that it detected malware on her site. Rose recalled the email, but had dismissed it as spam. After all, she didn’t do business with SiteLock; she’d never even heard of the company.

Still, Rose said SiteLock told her she had to pay upwards of $120 a month to fix the malware and get her site up and running again.

Over a year that $120 a month plan would work out to $1,440, which is much more than you would normally pay to have a website cleaned and purchase a security service (the $648 of that which SiteLock would keep, at a 45 percent share, would be more in the realm of reasonable).

When Bluehost was contacted by NBC they had a very different response:

Bluehost explained that SiteLock is a security partner, and it did in fact find malware on Rose’s site. So it took down the site so the malware wouldn’t spread to other websites hosted by Bluehost.

Bluehost acknowledged that the SiteLock email could be perceived as spam, so it’s working to evolve its email communications.

And eager to help out Rose, Bluehost jumped in and fixed her site for free. Boo Boo’s Best is back in business.

That’s right, Bluehost has the capability to clean up hacked websites themselves, and it didn’t cost the customer anything. It’s telling how different Bluehost’s response was once some light was shone on what they are doing. We have to wonder if they were concerned that if they didn’t get this cleared up quickly, then more digging might have been done and the reality of their partnership might have gotten more exposure.

The takeaway seems to be that if you run into this situation you should make a public scene about it, or better yet, before that can ever happen, move to a web host that isn’t partnered with SiteLock so you don’t risk running into this (properly securing your website would also limit the chance of this, but not entirely, as SiteLock is known to sometimes falsely claim websites have been hacked).

A Case Study in SiteLock Leaving a Website Insecure While Labeling It as Being Secure

When it comes to the security of websites we frequently see that while security basics are often not being done, security companies are pushing more advanced security products and services. Sometimes those two things come together: last month we looked at one cyber security company that claims to have “clients in the intelligence community, DoD and nearly every cabinet agency” and isn’t bothering to keep the software running the various parts of their website up to date, while telling the public they need to take advanced measures to protect their websites. As we mentioned in a post the other day, by comparison the web security company SiteLock does keep the software on their own websites up to date, while leaving the software out of date on the customer websites they are supposed to be securing. We ran across another example of that while looking at one of their case studies that is supposed to show how great their services are.

The case study is missing basic details that would be needed to understand what was actually going on and whether SiteLock had done anything to actually secure the website. The post claims the website in the case study was targeted by cybercriminals, but they don’t even mention what type of attack there was:

When cybercriminals began to target Airspeed-Wireless.com last year, he became alarmed. Spiridigliozzi took an investigative approach and soon determined the attacks were coming from an IP address in Iran. His host-provided security options were limited so instead he blocked the malicious IP, hoping it would solve the problem. Unfortunately it did not and the hacking attempts continued.

Most hacks are not targeted, so it is entirely possible that what was actually happening was that the website was being hit as part of mass hacking attempts that weren’t even trying to exploit vulnerabilities relevant to the website, and that there wasn’t a real threat.

Blocking IP addresses is not an effective security measure, because if there actually is a vulnerability then a hacker could easily get around the block by simply using another IP address. It is important to note that the web host, the one that SiteLock says has limited security options, is Bluehost, which is not only a SiteLock partner, but its parent company, Endurance International Group, is run by the owners of SiteLock. SiteLock’s partners get paid handsomely for pushing SiteLock services, so providing poor security options would likely be financially advantageous for them (that might be a good reason to avoid web hosts that have partnered with SiteLock).

The case study then moves on to another website:

During the process Spiridigliozzi was attacked again, this time on a website he was developing. The new attack came from an IP address in Morocco. The hacker injected malware into the newly developed site and taunted Spiridigliozzi by engaging him in online chat.

There is no explanation as to how the website was hacked, which would be important information for people to know to protect their own websites, and to determine whether SiteLock could have actually prevented it and whether there might be a more effective way to do that.

In the next section they tout their TrueShield Web Application Firewall:

SiteLock also wanted to provide Spiridigliozzi with a preventative solution. They installed the SiteLock® TrueShield™ Enterprise Web Application Firewall (WAF) on Airspeed-Wireless.com. This top tier WAF blocks bad bots, the Open Web Application Security Project (OWASP) Top 10 threats, backdoor connections and meets PCI standards.

First it is worth noting that contrary to how they promote the service, this isn’t actually their service, instead they just slap their branding on Incapsula’s WAF.

Next, just the other day we discussed an instance where one of their customers using the WAF was hacked again and was told that they don’t cover backdoor access:

Now, after we’ve been hacked yet again, I find out that is not true. SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point. They don’t cover that. Bluehost doesn’t cover that. I’m screwed.

That obviously doesn’t match up with their claim in the case study that the WAF blocks backdoor connections.

Then they claim that numerous threats were blocked:

Since it was installed, TrueShield has blocked 9,478 malicious threats, five SQLi attempts, and 27 visitors from blacklisted IP addresses.

What stands out is the fact that most of the threats that were supposedly blocked are vaguely “malicious threats”, but a few SQL injection attempts are broken out, even though those would also be malicious threats. That vagueness is important, since the reality is that probably only a small fraction of one percent of hacking attempts have any possibility of being successful (many hacking attempts involve trying to exploit vulnerabilities in software not being used on the website, for example). A useful measure would be how many of the blocked attempts would actually have led to the website being exploited if it were not running through the WAF; SiteLock probably doesn’t have any clue about that sort of thing, since they don’t actually provide the service.

The next section points to SiteLock’s odd idea of how to protect a website:

Spiridigliozzi is grateful for the upgraded security, “The SiteLock suite of security tools now allows me to be more proactive in preventing unwanted visitors and bots from accessing my website, the dashboard gives me an immediate indication of any problems and I also receive email alerts if there are any issues.”

If there is a vulnerability on a website, the best way to protect against it is to fix it; trying to stop the people who might exploit it is harder to do, and SiteLock doesn’t provide evidence of its effectiveness at that.

It turns out that the website is actually insecure now, in a way that is easy to check for. It is running an outdated version of Magento with known security vulnerabilities:

[Screenshot: sitelock-case-study-outdated-magento-version]

Magento does provide security patches for older versions, so an outdated version might still be secure, but in this case MageReport.com reports that the security patch (SUPEE-8788) that provides the same fixes as Magento 1.9.3 is not installed (both the security patch and Magento 1.9.3 were released on October 11):

[Screenshot: sitelock-case-study-security-patch-8788-not-applied]

SiteLock seems to be unaware of this as they are currently labeling the website as secure:

[Screenshot: sitelock-case-study-insecure-website-labeled-secure]

The Previous Case Study Is Running An Outdated Version of Joomla

In the case study preceding the one we just discussed, SiteLock promoted its scanning service:

The SiteLock 360-degree Security Scan was placed on bluedgebiz.com. As the name suggests, the scan provides a comprehensive scan of Wilson’s entire site. This includes a complete malware, network, spam, SQL Injection, and Cross-Site Scripting scan. With this scan, Wilson is alerted immediately if suspicious code or vulnerabilities are found.

In the past we discussed that we couldn’t find evidence that SiteLock was actually able to find vulnerabilities, and a past commenter who had gotten their scanning service ended up with their website hacked four months later. Neither of those points to this service being that great, but the other issue is that even if you are alerted to vulnerabilities, you still need to take action on them.

Clearly something hasn’t worked in the case of this website, as it is currently running an outdated version of Joomla, 3.6.3:

[Screenshot: sitelock-case-study-outdated-joomla-version]

Version 3.6.4 was released on October 25. That version fixed “three critical security vulnerabilities”, and by critical Joomla really meant it in this instance, as websites still running older versions (the vulnerabilities existed back to version 3.4.4) were quickly being exploited (it should be noted that Joomla gave everyone a heads up four days before that version was released).

What You Need To Know When SiteLock Contacts You Claiming Your Website Has Malware or Is Otherwise Hacked

When it comes to companies providing security services for websites, most of them are quite bad from what we have seen over the years. The company SiteLock stands out from the pack though, as it isn’t just a situation where they don’t seem to know or care much about security, as is true of so many companies; they seem to have taken it to another level, by doing things that seem to be accurately described as scamming.

As we have recently been taking a closer look into their practices, we have noticed that one of the common starting points of problems involving them is them contacting the owners of websites hosted with their web hosting partners, claiming that the websites are hacked and that they can resolve the issue. We thought it would be helpful to present in one post some of the important information you should know when you are in that situation. Some of this they have been fairly successful in hiding from the public up until now.

Your Web Host Has a Financial Relationship With SiteLock

While web hosts will always refer to SiteLock as a partner of theirs (HostGator refers to them as a “trusted partner”), what they don’t mention is what exactly that means. It isn’t a situation where they thought SiteLock was a really great security company and thought it would be helpful to connect their customers to them (everything we have seen over several years is that SiteLock is quite bad at handling even the basics of security); instead the web host is getting a cut of any SiteLock services that get sold through the partnership.

We wonder if they don’t mention that in part because customers probably would not be too happy to find that their web host is profiting off of their website being hacked.

That connection obviously raises some serious questions about how the web hosts handle clients with possibly hacked websites and about their interest in keeping their clients secure, since that could cut into their profits. For one of their partners, GoDaddy, we have found multiple instances where the web host has put their customers at risk through negligence, and SiteLock continued to partner with them despite that.

The payments also mean that a web host’s recommendation to use SiteLock is far from unbiased.

In the case of the many web hosts owned by the Endurance International Group (which include A Small Orange, Bluehost, FatCow, HostGator, HostMonster, iPage, IPOWER, and others) there is another connection. The majority owners of SiteLock also happen to be the CEO and a board member of Endurance International Group. What is interesting about that is that the only reason we know that to be the case is that the Endurance International Group is legally required to disclose it to their investors in financial filings; neither company discloses it in a public fashion. In fact one of the web hosts, HostGator, recently would not even acknowledge that this was true when presented with the information coming directly from their parent company. That seems to us to be a pretty good indication that the companies don’t think that what they are doing is above board.

Don’t Ignore The Message…

We often hear that people have ignored messages from SiteLock or their web host that the website contains malware or is otherwise hacked. That is a very bad idea, because if the website is hacked then the situation can get worse if you ignore it. For example, additional hackers might exploit the same vulnerability, and they might do more damage to the website than the earlier hackers did. That being said, one of the issues we have found with SiteLock is that they will claim that websites have been hacked when they haven’t actually been, which is why we recommend you get a second opinion after being contacted.

…But Get a Second Opinion

You should get any information that SiteLock and/or your web host will provide on the hack and then get in touch with a reputable hack cleanup company to discuss the situation, since SiteLock is known to incorrectly claim websites are hacked in some instances. We are always happy to provide a free consultation on dealing with a hacked website, and we always make sure a website is actually hacked before taking on a cleanup, as we have found that other issues are often confused with hacks.

Make Sure Your Hack Cleanup is Done Properly

We are often brought in to re-clean hacked websites after someone else previously did that and then the website got hacked again. While that isn’t always the fault of the company doing the previous cleanup, we often find that the previous company had not done basic pieces of the cleanup, which increases the likelihood that the website gets hacked again. Making sure that the company is doing things correctly reduces the chance that you will have the website hacked multiple times and possibly have to pay multiple companies in the end (the lower priced providers often don’t end up being the value they seemed at first).

The company doing the cleanup should tell you they are doing the following three basic elements of a proper cleanup:

  • Clean up the malicious content. (This is the obvious one.)
  • Secure the website. (This usually consists mainly of making sure the software on the website is up to date. If the company doesn’t have the expertise to do that, then they likely don’t have the expertise to properly clean up a website using that software either.)
  • Determine, to the extent possible, how the website was hacked. (Websites don’t just get hacked and if you don’t fix the vulnerability that obviously leaves open the possibility it could be hacked again. Without determining how it was hacked you won’t know what the vulnerability that needs to be fixed actually is.)

You Will Likely Be Overpaying SiteLock For Their Services

We had long suspected that web hosts get a cut of the fees from SiteLock’s services, but when we found out how much it was, it surprised us. According to prepared remarks for an earnings call, in fiscal year 2014 the Endurance International Group reported receiving 55 percent of the revenue from their partnership with SiteLock. In practical terms that means the company actually providing the service is getting less than half the revenue from it, or to put it another way, you are only getting about half the level of service you are paying for. So you are probably better off finding someone else to provide any services you are being offered by SiteLock.

SiteLock Provides A Service That Indicates They Don’t Do Proper Hack Cleanups

One of the upsells that SiteLock tries to get people to buy is an ongoing service that includes repeated manual hack cleanups, with prices in the thousands of dollars a year. If a website has been properly cleaned up, the only way it should get hacked again is if some other vulnerability is discovered that could be exploited. The fact that they offer a service that involves them repeatedly doing hack cleanups indicates that they are not properly securing websites, so you end up paying a lot more than you should for a cleanup and your website is still left insecure. A recent situation where we were brought in to clean up the mess SiteLock left behind seems to confirm that they don’t do proper cleanups.

SiteLock Lies About Who Provides Some of Their Services

As we have recently been looking closely at SiteLock, we keep finding more troubling aspects of the company. One that we recently discovered is that they claim to directly provide some of their services that are really provided by another company. In that case it involves sending all of a website’s traffic through another company’s systems, which is a pretty big concern. There is also the aspect that they are not being honest, which is fairly important when dealing with a security company, especially one that can claim your website is hacked and get your web host to take action against it.

Beware of SiteLock’s Protection Plans

Another thing that has come up repeatedly is that SiteLock sells plans that are supposed to protect websites but don’t actually protect them. Take one comment we received on a previous post on SiteLock:

Listen to this: Bluehost persuaded me to get Sitelock security for my website and I stupidly paid $500 for a year. This was in January. Yesterday, Sitelock alerted me to malware on my site that could result in terrible consequences. They would remove the malware for a one-time fee of $300! I contacted them to say, “WHAT WAS THE $500 for??” and a hostile character calling himself “sean” told me it was for “scanning.” This company needs to be stopped from continuing their predatory practices.

Not surprisingly, SiteLock doesn’t present any evidence, much less independent third-party evidence, that their protection services provide any protection over and above taking basic security measures.

In another instance we looked at recently, a website with a protection plan was hacked again, and at that point SiteLock informed the person running the website that since the protection was correctly set up, the hack must have been caused by something they were not responsible for.

While what we have seen is that these protection services, from any company, have a limited ability at best to protect and we don’t recommend them, before signing up for one you should at least get evidence as to its efficacy.

More Evidence That SiteLock’s TrueShield Web Application Firewall Is Really Incapsula’s WAF

Last week we looked at the evidence we had found that a couple of services SiteLock was claiming to provide directly were actually provided by Incapsula. That would be an issue both because you have a security company pretty blatantly lying, and because websites using the services would have their traffic going through a company they are not aware has access to it and with which they have no relationship.

For one of the services, SiteLock’s TrueSpeed CDN, the evidence was beyond a reasonable doubt to us that the service is really provided by Incapsula. For their TrueShield Web Application Firewall (WAF) it seemed likely that was also the case, due in part to the fact that it would be easier to use Incapsula’s WAF when they were already using Incapsula’s CDN, but the evidence wasn’t as strong. We have now run into another piece of evidence that makes it pretty conclusive that the WAF service is also actually provided by Incapsula.

While requesting a page be saved on archive.org, so that we could link to it if it got removed from the website it was on, this was saved instead:

[Screenshot: sitelock-trueshield-web-application-firewall-captcha-page]

That page claims that the website is “protected and accelerated by SiteLock” and that there is a “SiteLock security network”:

The web site you are visiting is protected and accelerated by SiteLock. Your computer might have been infected by some kind of malware and flagged by SiteLock security network. This page is presented by SiteLock to verify that a human is behind the traffic to this site and malicious software.

Here is one of a number of screenshots we found of the exact same page when served by Incapsula:

[Screenshot: incapsula-waf-captcha-page]

The only difference is the branding. There really isn’t any way that could be coincidental.

That doesn’t match SiteLock’s description on the page for the service though. For example, they claim that SiteLock is analyzing the request, when in fact it is Incapsula:

[Screenshot: sitelock-trueshield-web-application-firewall-diagram]
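The comparison made above, the challenge page being the Incapsula page with only the brand name swapped, can be turned into a repeatable check. The following is an added example written for this page; it is not code from SiteLock, Incapsula or the original post. It parses a raw HTTP response, extracts the brand named on the challenge page, tests whether the rest of the wording is the vendor template quoted above, and separately looks for Incapsula-specific response headers and cookies. Those header and cookie names (X-Iinfo, X-CDN, visid_incap_* and incap_ses_*) come from public WAF fingerprinting signatures, not from the post, and are an assumption here; the sample response is constructed and does not claim to reproduce what the TrueShield service actually sends.

```python
"""Identify the network behind a branded WAF/CDN challenge page.

Added example, not SiteLock's, Incapsula's or the post author's code.
Header/cookie indicators are from public WAF fingerprinting knowledge
(assumption); the sample HTTP response below is constructed.
"""
import re

# Incapsula-specific response markers (assumption: public fingerprint signatures).
INCAPSULA_HEADERS = ("x-iinfo", "x-cdn")
INCAPSULA_COOKIE_PREFIXES = ("visid_incap_", "incap_ses_")

# Wording of the Incapsula challenge page (quoted in the post above), with the
# brand name replaced by a placeholder so a rebranded copy still matches.
CHALLENGE_TEMPLATE = (
    "the web site you are visiting is protected and accelerated by {brand}. "
    "your computer might have been infected by some kind of malware and flagged "
    "by {brand} security network. this page is presented by {brand} to verify "
    "that a human is behind the traffic to this site and malicious software."
)

def _text(html):
    """Strip tags and collapse whitespace so page wording can be compared."""
    text = re.sub(r"<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip()

def advertised_brand(html):
    """Brand named on the page ('protected and accelerated by X'), or None."""
    m = re.search(r"protected and accelerated by (\w+)", _text(html), re.I)
    return m.group(1) if m else None

def body_matches_template(html):
    """True if the page is the Incapsula template with only the brand swapped."""
    brand = advertised_brand(html)
    if not brand:
        return False
    expected = CHALLENGE_TEMPLATE.format(brand=brand.lower())
    return expected in _text(html).lower()

def parse_response(raw):
    """Split a raw HTTP/1.1 response into [(header_name, value)] and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def header_evidence(headers):
    """Incapsula headers / cookie prefixes present, in response order."""
    found = []
    for name, value in headers:
        if name in INCAPSULA_HEADERS:
            found.append(name)
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            for prefix in INCAPSULA_COOKIE_PREFIXES:
                if cookie_name.startswith(prefix):
                    found.append(prefix)
    return found

def fingerprint(raw):
    """Combine the body and header checks into one result dictionary."""
    headers, body = parse_response(raw)
    return {
        "advertised_brand": advertised_brand(body),
        "body_matches_incapsula_template": body_matches_template(body),
        "header_evidence": header_evidence(headers),
    }

# Constructed sample: a SiteLock-branded copy of the challenge page wording.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Iinfo: 1-2-3\r\n"
    "Set-Cookie: incap_ses_1_2=abc; path=/\r\n"
    "\r\n"
    "<html><body><h1>SiteLock</h1><p>The web site you are visiting is protected "
    "and accelerated by SiteLock. Your computer might have been infected by some "
    "kind of malware and flagged by SiteLock security network. This page is "
    "presented by SiteLock to verify that a human is behind the traffic to this "
    "site and malicious software.</p></body></html>"
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
```

The body check is the part that reproduces the post's argument: if the advertised brand is stripped out and the remaining sentences are identical to the vendor's page, the challenge is being served from that vendor's network regardless of the logo. The header check is independent supporting evidence; a reseller may or may not leave those headers in place, so a missing header does not disprove anything, while a present one is hard to explain otherwise.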

Looking At How SiteLock Sells Their Services Versus the Reality Behind Them

We have recently been taking a close look at the practices of the web security company SiteLock after finding that not only were they providing poor quality services (as is par for the course for web security companies), but a lot of what they appear to be doing falls closer to outright scamming. We thought it would be useful to show how some of what we have found comes into play in their interactions with a customer. To do that, let’s look at a recent complaint from one of SiteLock’s customers that hits on a number of issues with what SiteLock is doing.

After their website had been hacked in February of last year SiteLock sold them on one of their services:

[L]ast February we purchased “SiteLock Premium” for $500/year. I was told this was the best security product available. With it, I would have a firewall that would prevent any further attacks. And since it runs “in the cloud” it would actually make our site faster. We were assured that SiteLock has never been hacked and even if we are hacked, our site would be cleaned.

There are a number of issues we see with that.

We are not sure how SiteLock’s own website never having been hacked (if that were even true) would mean that their customer’s website wouldn’t be hacked; that would seem to require the same practices being followed on both, which isn’t the case, as we will get to later in the post.

Then there is the issue that, as best we can tell, SiteLock’s web application firewall (WAF) isn’t actually their own; instead they are reselling Incapsula’s WAF service. That raises several issues. One is that SiteLock promotes the service as if they are providing it; if they would lie about that, you can reasonably wonder what else they are not being honest about. Since the service involves sending the website’s traffic through the CDN, all of that traffic is flowing through a company SiteLock’s customers are not even aware of, much less have a relationship with. Finally, you have to wonder if SiteLock is even aware of how good or bad the WAF is at protecting against attacks, since it isn’t actually something they run.

Another serious issue is that SiteLock failed to do a basic part of a proper hack cleanup, making sure that the software is brought up to date. In this case the website is still using Joomla 2.5:

A Website That Is Supposed to be Secured by SiteLock is Still Running Joomla 2.5.28

That version of Joomla reached end of life on December 31, 2014, and therefore was not receiving further security updates. So any cleanup in 2015 should have included upgrading to a supported version of Joomla. (It is important to note that SiteLock is certainly not alone in skipping this important part of a hack cleanup; many providers cut corners like this.)

By comparison, SiteLock does keep their own website up to date. Both their blog and their WordPress focused sub-domain, wpdistrict.sitelock.com, are using the latest version of WordPress:

[Screenshot: The SiteLock Blog is Running WordPress Version 4.6.1]

[Screenshot: SiteLock's The District Website is Running WordPress Version 4.6.1]

Keeping the software running your website up to date is going to provide real protection, whereas other security services may not (we haven’t seen SiteLock present any evidence that their services provide better protection than doing the security basics). It’s telling that SiteLock does that for their own website, but doesn’t for their customers.

More Money

One of the things we frequently see brought up with SiteLock is that after a customer purchases one security service that was supposed to protect the website and then doesn’t, they want to sell that customer more expensive services (that was even mentioned by someone who was praising their service (and then deleted their post for some reason)). Remember that this person was sold a $500 a year plan that they say SiteLock claimed was the “best security product available”; then the website got hacked again and SiteLock is pushing a $720 a year plan:

We were recently informed by SiteLock that our site had sustained a Pharma attack that had inserted links directly into our code. This attack could not be automatically cleaned; their software could not remove the malware systematically without risking bringing down our site. The SiteLock technician suggested that we purchase their “Infinity Scan” product for $60 /month. That product includes manual cleaning of our site.

Again there are multiple issues raised here.

You can start with the fact that SiteLock makes a big deal about their automated malware removal in their marketing material, but never mentions that it can have the serious problem of taking down a website. It also seems to us that in an instance where it isn’t up to the task they shouldn’t be charging extra to deal with the situation, as it is unable to do what it is promoted to do (and considering their track record you would also have to wonder if they sometimes claim it couldn’t, to get more money from people).

The other troubling aspect of this is that they have a service that provides manual hack cleaning on a repeated basis. If a website is properly cleaned then it shouldn’t get re-hacked, so unless you are not taking basic security measures, or get unlucky and get hacked through multiple zero-day vulnerabilities in a year, you shouldn’t need multiple cleanups in one year. The fact that they provide this would be a red flag on its own that they don’t do proper hack cleanups, but we already knew that SiteLock doesn’t properly clean up hacked websites, so you don’t have to wonder about that.

What seems to have happened here is another example of that. So how did SiteLock explain the website being hacked again after they were brought in?

Now, after we’ve been hacked yet again, I find out that is not true. SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point. They don’t cover that. Bluehost doesn’t cover that. I’m screwed.

The backdoor access must have either existed when SiteLock was first brought in to deal with the website, in which case it should have been handled during the cleanup, or was gained after they were supposed to be protecting the website. In either case we don’t understand how that wouldn’t be on them. The explanation seems to be that since things were set up correctly it couldn’t be their fault, which doesn’t make any sense to us.

Also worth noting here is that their web host, Bluehost, which pushes SiteLock services as one of their “partners”, is ultimately run by the owners of SiteLock and looks to be getting a majority of the money from services sold through the partnership (which explains the high price of SiteLock’s services and the low quality for the amount paid). That isn’t something they publicly disclose, and one of the other web hosts owned by the same company, HostGator, wouldn’t even acknowledge it after it was pointed out that those facts came from their parent company.

Is SiteLock Lying About Patent-Pending Technology and the True Source of Some of Their Services?

In looking into some things for recent posts about SiteLock, their web application firewall (WAF) had come up a number of times, and that made us recall that previously it seemed that the service was actually provided by the company Incapsula. Looking at the page for the service there was no mention of that or anything that might indicate that SiteLock was not providing the service themselves. The only mention of Incapsula on SiteLock’s website according to Google is them being cited in a couple of blog posts. The same holds true for mentions of SiteLock on Incapsula’s website.

So were we confused in thinking that there was a connection between the two companies, or have they just hidden it away from the public (like how one of their hosting partners wouldn’t admit to the ownership connection between SiteLock and them)? A little more looking showed the connection actually exists.

The True Provider of TrueSpeed CDN

Doing a traceroute for www.sitelock.com showed their IP address to be 199.83.134.143, for which the canonical name is 199.83.134.143.ip.incapdns.net. Incapdns.net, as in Incapsula, which you wouldn’t expect, since SiteLock would presumably be using their own TrueSpeed content delivery network (CDN) to serve their website. Next we did a traceroute on their WordPress focused sub-domain wpdistrict.sitelock.com, which showed a canonical name of iasx4.sitelockcdn.net and an IP address of 192.230.66.155, which in turn has a canonical name of 192.230.66.155.ip.incapdns.net. We then looked at several of their customers’ websites listed in case studies on wpdistrict.sitelock.com and found they were running through Incapsula as well.
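The check described above can be scripted, so that a site owner can verify for themselves whose network their traffic actually passes through. The following is an added example, not code from the original post: it follows a hostname’s CNAME chain, resolves the final address, reverse-resolves it, and matches the names against a provider-suffix table. The function names, the `live_*` resolver helpers and the suffix table are our own assumptions; only the `incapdns.net` suffix and the sample records come from the lookups described in the post.

```python
# Added example (not the original post's code): identify which CDN fronts a
# hostname from its CNAME chain and the reverse-DNS name of its address.
# Resolvers are injected so the sample run works offline on constructed records.
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]
# Only the Incapsula suffix comes from the post; other entries are assumptions.
PROVIDER_SUFFIXES: Dict[str, str] = {"incapdns.net": "Incapsula"}

def identify_provider(name: str) -> Optional[str]:
    """Map a DNS name to a provider by its trailing labels, or None."""
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return provider
    return None

def follow_cname(host: str, cname_of: Resolver, max_hops: int = 8) -> List[str]:
    """CNAME chain starting at host; stops at an A record, a loop or max_hops."""
    chain, seen = [host], {host}
    while len(chain) <= max_hops:
        target = cname_of(chain[-1])
        if target is None or target in seen:
            break
        chain.append(target)
        seen.add(target)
    return chain

def trace_fronting(host: str, cname_of: Resolver, address_of: Resolver,
                   ptr_of: Resolver) -> Dict[str, object]:
    """Report chain, final IP, PTR name and the provider implied by an
    intermediate CNAME or by the PTR name (the post's two kinds of evidence)."""
    chain = follow_cname(host, cname_of)
    ip = address_of(chain[-1])
    ptr = ptr_of(ip) if ip else None
    provider = None
    for name in chain[1:] + ([ptr] if ptr else []):
        provider = identify_provider(name)
        if provider:
            break
    return {"chain": chain, "ip": ip, "ptr": ptr, "provider": provider}

# Constructed sample records mirroring the lookups described in the post.
SAMPLE_CNAME = {"wpdistrict.sitelock.com": "iasx4.sitelockcdn.net"}
SAMPLE_A = {"www.sitelock.com": "199.83.134.143", "iasx4.sitelockcdn.net": "192.230.66.155"}
SAMPLE_PTR = {"199.83.134.143": "199.83.134.143.ip.incapdns.net",
              "192.230.66.155": "192.230.66.155.ip.incapdns.net"}

# Live resolvers for real use. socket.gethostbyname_ex collapses the CNAME
# chain to its final canonical name, so a live chain has at most two entries.
def live_cname(host: str) -> Optional[str]:
    try:
        canonical = socket.gethostbyname_ex(host)[0]
    except socket.gaierror:
        return None
    return canonical if canonical != host else None

def live_address(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname_ex(host)[2][0]
    except (socket.gaierror, IndexError):
        return None

def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

if __name__ == "__main__":
    for h in ("www.sitelock.com", "wpdistrict.sitelock.com"):
        print(trace_fronting(h, SAMPLE_CNAME.get, SAMPLE_A.get, SAMPLE_PTR.get))
```

For a live check of your own site, call `trace_fronting(host, live_cname, live_address, live_ptr)`; a `provider` of `None` only means the names matched no entry in the table, not that no third party is involved.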

From all that it is clear that the TrueSpeed CDN is actually being provided by Incapsula, which you wouldn’t have any clue about from how SiteLock describes the service. One part of the description that stood out for us was this:

Dynamic Content Caching

SiteLock patent-pending technology continuously profiles website resources, gathering information on how content is displayed. Static content can be safely cached. Some dynamic content might change continuously, while other content might rarely change or change only for specific users. This information enables truly optimized caching, and ensures content that is rendered is accurate—a premium feature you won’t get with most content delivery networks.

To claim you have a patent pending certainly makes it sound like you provide the service yourself. But a quick search pulled up a PDF datasheet for Incapsula’s Content Delivery Network, which pretty clearly is the source of the material on SiteLock’s page, with some rewriting of the text having been done. Here is the relevant section from Incapsula’s document:

Dynamic Content Caching

Patent-pending advanced learning algorithms continuously profile website resources, gathering intelligence on each resource. Some of these resources, which may be dynamically generated, rarely change over time and for different users. This intelligence allows for optimized caching and ensures resource accuracy.

SiteLock’s lack of truthfulness to their customers about this is pretty troubling, as all of the customer’s website traffic is going to be running through a company that they don’t have a relationship with and are not even likely to know is involved. Even if there is no concern about Incapsula, SiteLock could always switch without notice to some other provider that isn’t as trustworthy, and their customer could find that out too late.

This definitely is something that should make people avoid SiteLock, as trust is so important when it comes to security companies.

What About TrueShield Web Application Firewall?

Our looking into a connection between Incapsula and SiteLock started with looking for a connection with SiteLock’s web application firewall (WAF), so is that also provided by Incapsula? The circumstantial evidence points in that direction, but we have not found a smoking gun so far.

From a practical standpoint, if you are already running the website’s traffic through Incapsula it would seem to be easier to use the existing WAF in their systems than to create your own and then integrate that into their systems, if they would even allow it. SiteLock’s CDN and WAF were introduced at the same time, so that would certainly fall in line with the possibility of them having the same source.

Here is the screenshot of a report from SiteLock’s WAF from the service’s page on SiteLock’s website:

[Screenshot: SiteLock TrueShield web application firewall dashboard]

And here is a screenshot of a report from Incapsula, also related to “Bot Access Control”:

[Screenshot: Incapsula events log]

The data presentation is quite similar between the two of those, which we have a hard time believing could be coincidental.

Know Something More About The Connection Between The Companies?

If you are aware of additional details related to the connection between SiteLock and Incapsula please leave a comment.

SiteLock Provides A Good Example of How Security Companies Are Working Against Improving Cybersecurity

Looking at the news recently you wouldn’t have to look hard to see that cyber security isn’t in good shape, and that isn’t a new problem. A big part of the problem is the security companies: the organizations that are supposed to be improving things are in a lot of cases making things worse instead. For example, on the one hand we have a situation where many people are not doing the basics, while security companies are pushing more advanced security products and services for which they don’t provide evidence of any value over doing the basics (or even evidence that they provide protection to the same degree as doing the basics). What makes this issue stand out so much is that even the companies themselves are often failing to do the basics; we recently looked at one cybersecurity company that claims to have “clients in the intelligence community, DoD and nearly every cabinet agency” and isn’t bothering to keep the software running the various parts of their website up to date, while telling the public they need to take advanced measures to protect their websites.

October is National Cyber Security Awareness month, which unfortunately isn’t a time when these companies consider that they are not having a positive impact, but instead yet another chance to hawk their wares. Case in point is SiteLock: over at their WordPress focused blog, The District, they have a post, National Cyber Security Awareness Month – What it Really Means for WordPress Users. In that post they include a list of simple security steps. Since the post is WordPress focused you would expect that making sure WordPress and its plugins are up to date would be one of them, but it isn’t. Here is what they listed:

Simple Security Steps to Implement Today

Some of these may sound simple, but if not implemented can put you at risk.

  • Never write down your username and passwords. Use a password manager tool like LastPass, 1password or others.
  • Use anti-virus software on your computer.
  • Always use a Virtual Private Network when connecting to public wifi. Learn more about VPNs here.
  • Install a Web Application Firewall on your website.

Instead of updating the software they suggested using a web application firewall and they linked to their service that includes that. If you go to the page with the details of their WAF you will find that they don’t provide any evidence, much less independent third-party evidence, that this provides any protection at all (not even from rigged testing, like they recently did for another part of their service).

Actually updating your WordPress plugins would make you more secure, as vulnerabilities are frequently fixed in new versions, but telling you that wouldn’t make them money.

SiteLock Promotes The Idea That Protecting Websites Involves Leaving Them Vulnerable to Being Hacked

When it comes to cyber security, it has been clear to us for some time that most of the companies in the field don’t really care about security. Just yesterday we discussed a cyber security company that doesn’t even bother to keep the software running their websites up to date, despite that being a really basic security measure (and that is far from the first time we have spotted that type of situation). One of the areas where this lack of care about security shows is that security companies’ services and products are often focused not on things that would actually prevent systems from being hacked in the first place, but on detecting that the system has been hacked after the fact.

That brings us to a recent post on the web security company SiteLock’s blog. The post uses the results of a test they recently had done by the Tolly Group to argue that their product is better at protecting against threats to websites than another product of a different type. As we discussed last week, the test was, at best, quite poor, but might be accurately described as rigged. The test involved checking if their product and another product could detect malicious code on a website, and SiteLock not only had access to the samples being tested, but provided the sample code that was tested. Not surprisingly they were able to detect 100 percent of it (the developer of the other product wasn’t provided the sample code). To make things even more ridiculous they then promoted the testing as having been independent, despite the fact that they provided the samples to be tested.

First off, the post really could have used some editing, as it has some quite bad statements such as one in this paragraph:

In recent years, though, informal blogging environments, such as WordPress, have blossomed into full-blown web application platforms. Commercial and community developers contribute blocks of codes, known as “plugins” to enable just about any type of functionality that you can imagine. (A Google search on “WordPress Plugins” shows over 11 million hits.)

If you want to measure how many WordPress plugins there are, you could look at the homepage of the official Plugin Directory, where most WordPress plugins are made available, as that provides a count of plugins available through that, currently 47,146. If SiteLock was as familiar with WordPress as they promote themselves, they should have known that.

Explaining the basis of the test you can see what is so wrong with the view that SiteLock appears to agree with:

The basis of the test was the assertion that traditional endpoint security solutions are not designed to detect web application threats and, therefore, would have a low detection rate when scanning for such threats.

The actual threats against web applications would be vulnerabilities in the software, not the malicious code that can be added by exploiting those. But the testing instead looked at the end results of those threats being exploited:

A corpus of nearly 3,000 web-based malware samples, defined by SiteLock, was run through a prominent “traditional” endpoint security solution to illustrate SiteLock’s point.

The conclusion on the post is:

The point, really, is not the absolute percentage of malware detected. The point is to illustrate that there is an entirely new set of threats “out there” that traditional endpoint solutions have not been designed to detect. And, those new threats clearly require an additional, “next-gen” endpoint security solution in place to provide protection.

The reality, from our dealing with many hacked websites, is that many of those hacks could have been prevented by taking basic security measures, and many others could have been prevented if other security practices were improved. From what we have seen of automated methods for trying to detect and clean malicious code, they produce poor results. Also, websites don’t just get hacked to place malicious code on them, so leaving a website vulnerable and trying to detect malicious code added to it would, among other things, allow for the possibility of sensitive data being extracted from it on a repeated basis.

While the post was written by the founder of the Tolly Group, it isn’t just a situation where SiteLock posted someone else’s words with this very wrong view on security; our past experience has shown that SiteLock’s view is in line with this. For example, we have found that they label websites as being secure when they are using outdated software with known vulnerabilities, and they don’t make sure that the software on a website is upgraded when they are cleaning up after a hack.

HostGator Is Actively Hiding the True Nature of Their Partnership With SiteLock

When it comes to the really bad practices of the web security company SiteLock, they often involve their partnerships with various web hosts. Considering that long ago we had seen that SiteLock didn’t seem to be very good at handling security, whether it be not properly cleaning up hacked websites or not doing a basic security check before declaring a website secure, we had long assumed that these partnerships were not based on the web hosts believing that SiteLock was the best company to help their customers, but instead on the web hosts being paid to push their services. Those payments, it turns out, are happening, but they tell only part of the story of the partnerships with some of the web hosts.

Last month, while looking for some other information about SiteLock, we came across the fact that the company’s majority owners are also the CEO and a board member of the web hosting company Endurance International Group. That company does business under the brand names A Small Orange, Bluehost, FatCow, HostGator, HostMonster, iPage, IPOWER, and many more.

Through that we also found that in the case of Endurance International Group, not only were they getting paid for the sales of SiteLock services through the partnership, but they were receiving a majority of the fees as of fiscal year 2014.

Both of those facts were disclosed to investors: the ownership is disclosed in financial statements and the fee breakdown was disclosed in prepared remarks for an earnings conference call. To the public those things have not been disclosed in the normal course of business. And a recent interaction we had with HostGator support on Twitter shows that it isn’t just that they don’t go out of their way to disclose them, but that they are actively trying to hide those facts.

The interaction starts with this tweet from HostGator Support to a customer of theirs, which doesn’t mention either of those items as the reason why they are partnered with or “suggest” SiteLock:

It’s worth noting that when it comes to cleaning up a hacked website, you would do things the same way no matter the web host, so working well with their service is an explanation that doesn’t make much sense for hack cleanups. It is also worth noting, as we did before, that HostGator doesn’t make it easy to properly clean up a hacked website, since log files are not stored for a sufficient amount of time by default. If this was a real partnership and SiteLock actually properly cleaned up hacked websites, we would expect that issue to have been resolved a long time ago.

We sent a reply to their customer mentioning the CEO connection:

In turn HostGator starts to obfuscate (due to the limits of tweet length our tweet had not made the distinction that the CEO in question was of Endurance International Group, but it is clear in the linked post):

We then sent a reply clarifying that and they replied:

At that point we said that we hope they would start to disclose the true nature of their partnership:

Which in turn led to them stating they could not confirm that, despite those being facts that their parent company has already confirmed (otherwise we wouldn’t know them):

At this point, they claim they can’t confirm they are getting paid:

It is one thing for them not to mention what is going on in the normal course of business, but to actually be unwilling to tell the truth is pretty telling as to what is going on.

The conversation ended after we pointed out that we were not asking them to confirm anything, just disclose what we both already know to be true:

What To Do If You Get Contacted by HostGator or SiteLock About a Hacked Website

One of the bad practices we have seen from SiteLock is to claim that websites are hacked when they are not, so if you get contacted by either of them with a claim that your website is hacked you should get a second opinion. We are always happy to provide a free consultation on how to best deal with a hacked website, which includes double checking whether the reason the website is believed to be hacked does in fact make sense (oftentimes other issues are confused with actual hacking issues, and that can usually be easily recognized by someone who deals with hacked websites on a regular basis).

Considering how bad of a job SiteLock has been doing with cleaning hacked websites in just the last month, and their bad practices, you would probably be best off avoiding them when you are dealing with a hacked website. You also might want to consider moving to a web host that doesn’t partner with SiteLock, as that partnership seems like a pretty clear warning of how they treat their customers and of a lack of concern for security.