06 Nov

Comodo and the Insecurity of the Web Security Industry

If you follow our blog you might have noticed we don’t have a great view of most of the web security industry. The reason for that is that the industry is really bad (as is the security industry in general). The most recent example we ran across of that, which we discussed in more detail over at our main blog, was what we found after Comodo had contacted us about some partnership with their cWatch web security service. There were a number of issues we raised with what that company is up to in that post, but what relates rather closely to this service is that they are not even keeping the software on their WordPress installations up to date.

What we found was their main blog and their CEO’s corporate blog are both still running WordPress 4.7.2:

The next version, 4.7.3, was released on March 6. That version was a security update, as were the subsequent 4.7.5, 4.7.6, and 4.7.7. Normally the automatic background updates would have applied those updates shortly after they were released. So either that feature has been disabled or there is some incompatibility between the feature and the hosting environment of the websites. If it was the latter, that would be something that Comodo could work with WordPress to fix for everyone.

Whatever the reason for the updates not happening automatically, Comodo hasn’t even bothered to update the websites manually in eight months (they would normally be shown a notice about the need to update in the admin area).

As we noted in the other post, not only do they claim that their cWatch service does daily vulnerability scans (which should have picked this up), but the only post on the service’s blog, which is an ad for their service under the guise of telling people how to clean up hacked Joomla websites, states that:

Prevention is better than cure.

And a few lines before it states that:

  • Update the Joomla! software and all its components including core files and extensions.

So they don’t even bother to take their own advice about keeping software up to date.

This is far from the first security company we have found in this exact situation with their WordPress install. Earlier this year a Trend Micro website got hacked due to this and even after getting hacked they still didn’t update WordPress for at least four days after cleaning it up.

The other thing we noticed, just from looking at the source code of the CEO’s corporate blog, is that it is running version 4.2.8 of the plugin Captcha:

That version of the plugin contains a reflected cross-site scripting (XSS) vulnerability that we discovered and disclosed back in April (the vulnerability was also discovered by DefenseCode and another unidentified party). A reflected XSS vulnerability is unlikely to be exploited on the average website, but on a high profile website an attempt seems more likely (especially when the company behind it doesn’t handle security well). If Comodo was using our service they would have been notified of the issue back then and could have avoided remaining insecure for so long.

They also could have avoided that by keeping the plugin up to date (it also hasn’t been updated for eight months); plugins can be updated automatically, like WordPress itself, by using our Automatic Plugin Updates plugin.
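Both situations above (core lagging behind its security releases while background updates silently don’t run, and a plugin version readable straight from the page source) can be checked on your own site with a short script. The following is an added example, not code from the post or from any of the companies mentioned; it assumes the standard WordPress behaviour of printing a `generator` meta tag and appending `?ver=` to plugin assets, and the sample HTML and the version boundaries are constructed from the versions the post names.

```python
import re
from typing import Dict, List, Tuple

# Constructed page source resembling the kind of markup the post describes.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 4.7.2" />
<link rel='stylesheet' href='https://example.invalid/wp-content/plugins/captcha/css/front_end_style.css?ver=4.2.8' />
<script src='https://example.invalid/wp-content/plugins/akismet/_inc/form.js?ver=3.3.4'></script>
</head><body></body></html>
"""

# Highest version still missing a fix, taken from the post: core 4.7.3, 4.7.5, 4.7.6 and 4.7.7
# were security releases, so anything below 4.7.7 lacks at least one; Captcha 4.2.8 carries
# the reflected XSS (the post does not name the fixed release, so 4.2.8 is the boundary).
AFFECTED_UP_TO = {"wordpress": (4, 7, 6), "captcha": (4, 2, 8)}

def parse_version(text: str) -> Tuple[int, ...]:
    """'4.7.2' -> (4, 7, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())

def extract_versions(html: str) -> Dict[str, str]:
    """Core version from the generator tag, plugin versions from ?ver= on their assets."""
    found: Dict[str, str] = {}
    core = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', html)
    if core:
        found["wordpress"] = core.group(1)
    for slug, ver in re.findall(r"/wp-content/plugins/([^/'\"]+)/[^'\"]*\?ver=([\d.]+)", html):
        found.setdefault(slug, ver)  # first asset seen for a plugin wins
    return found

def outdated(found: Dict[str, str], affected=AFFECTED_UP_TO) -> List[Tuple[str, str]]:
    """Components whose exposed version is at or below the affected boundary."""
    return [(name, ver) for name, ver in found.items()
            if name in affected and parse_version(ver) <= affected[name]]

def auto_updates_disabled(wp_config: str) -> List[str]:
    """wp-config.php constants that switch background updates off (one cause the post suggests)."""
    reasons = []
    if re.search(r"define\(\s*['\"]AUTOMATIC_UPDATER_DISABLED['\"]\s*,\s*true\s*\)", wp_config):
        reasons.append("AUTOMATIC_UPDATER_DISABLED is true: all background updates are off")
    if re.search(r"define\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]\s*,\s*false\s*\)", wp_config):
        reasons.append("WP_AUTO_UPDATE_CORE is false: core background updates are off")
    return reasons

if __name__ == "__main__":
    print(outdated(extract_versions(SAMPLE_HTML)))
    print(auto_updates_disabled("define( 'AUTOMATIC_UPDATER_DISABLED', true );"))
```

Run it against your own site’s rendered HTML and wp-config.php; a hit in `outdated` or `auto_updates_disabled` is exactly the condition the post describes going unnoticed for eight months.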

Be Wary of the Security Industry

We don’t know how much of the security industry’s terrible handling of their own security is due to incompetence and how much is due to them not caring, but in either case it is a good indication that most of them should be avoided: if they can’t handle the basics on their own website, it is unlikely they are going to be able to even understand how to protect other websites, much less implement functionality that could do that.

When it comes to services like Comodo’s cWatch, which claim to protect your website, what we recommend is avoiding any service that doesn’t present evidence from independent testing that it is effective at protecting websites. That is something that we have yet to see despite looking at the marketing materials of quite a few of those services. We haven’t even seen evidence presented that they are effective based on a company’s own data, which is a good indication they have no idea or don’t care. The closest we have come to that are claims that a service has blocked some amount of hacking attempts, which is rather meaningless as the success rate of hacking attempts is incredibly small (probably a tiny fraction of one percent), so the blocked attempts could have been entirely unsuccessful even without the service.

We have had plenty of people come to us after using such a service and having had their website get hacked despite using the service. In an indication that the security industry isn’t the only problem here, those people have come to us looking for another solution like the one that failed them, and when we have said that we are not aware of any evidence that any of them are effective and suggested they focus on security basics that will provide real protection instead, they have not been interested in hearing that.

We are obviously biased, but we would suggest looking for companies that, like us, are actually doing things that improve security for everyone. The work we do not only makes our customers’ websites more secure, but also helps to make WordPress plugins more secure for everyone (we could do more if the leadership of WordPress stopped believing, or trying to get others to believe, that the very real problems with the security of WordPress plugins are instead hypothetical).