It has taken us a long time to fully grasp the level of dishonesty in the security industry, since it is so rampant that is hard to believe how bad things truly are, even seeing examples every day. That there is almost any dishonesty should be surprising since trust is so important when it comes to security, especially when you consider the almost total lack of evidence that security companies put forward to back incredible claims they make about their products and services. As an example of how bad things are take the company Sucuri, which claims that trust is one of four of their claimed values:
The security space is filled with snake-oil and unnecessary FUD (fear, uncertainty, and doubt). We are committed to building services in the best interest of website owners.
That is pretty clearly contradicted by everything about we know about them. Take a post from just a couple of days ago, which is titled “Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins”. So how massive is it? Not massive at all:
At the moment of writing, we see 1700+ sites with the cdn.eeduelements[.]com script and 500+ sites with the cdn.allyouwant[.]online script.
The post indicates that these websites were running WordPress, one estimate out there from December of 2016 was that there were 75 million websites running WordPress. If that were accurate then by Sucuri’s measurement a massive campaign could involve only 0.00002933333 percent of WordPress website, which is nonsense.
That would seem to be an example of textbook FUD, but looking at the rest of the post things seem even worse when it comes to them than just a misleading blog post.
Sucuri Doesn’t Know of Issues Before They Become a Problem
On Sucuri’s homepage a testimonial is prominently displayed that ends with the following claim:
Another thing we like is that Sucuri knows about security issues before they become a problem – in advance.
From everything we have seen over the years that isn’t true and in fact them seen in the past they seem to become aware well after we have written public blog post about issues. That is problem when they promote their service as being used instead of handling security properly and when their service possibly being an effective alternative would require them to at least be staying up with new threats.
In this case, one of the two vulnerabilities they mention as being part of this campaign is a vulnerability in Ultimate Member that we discussed on this blog back on August 8th, which was before the vulnerability was fixed. At the same time we had started warning our customers of our service and anyone using the free companion plugin to the service if they were at risk. Sucuri though wasn’t even aware of the vulnerability until an unstated amount of time after it had been fixed (as they don’t indicate when they did that analysis):
In the logs we analyzed, we see the first successful attempts to exploit that security hole on August 11th, just two days after the release of version 2.0.22 where the issue was initially addressed. Around that time, we registered an increased number of infections covered in this article. This proves once again that website owners have a very short window between the disclosure of a vulnerability and first massive attempts to exploit it –especially for popular themes and plugins.
When we discussed it here it was in the context of it being exploited already and we are not aware of any disclosure of the vulnerability prior to the exploitation starting. From what we have seen it was being exploited at least as far back as July 27.
Sucuri’s Mess of a Conclusion
The final portion of Sucuri’s post seems to be written by someone that really has no idea what they are talking about. The first two paragraphs contradict each other:
This massive infection clearly demonstrates how zero-day attacks occur and exponentially grow during the vulnerability window.
When vulnerabilities are disclosed, the volume of opportunistic attacks often immediately increases. Hackers are vigilant and monitor closely for changes of popular themes and plugins. If a bad actor sees that a security issue has been fixed, they will try to create exploits for older versions to target vulnerable sites who haven’t yet patched to the latest available version.
A zero-day vulnerability is one that is being exploited before the developer is aware of it, the number of days refers to the number of days that since the developer became aware of the vulnerability until it is exploited. So it doesn’t make sense that hackers would start exploiting one of those based on seeing that it has been fixed, since it won’t have been fixed when it starts being exploited, otherwise it wouldn’t be a zero-day vulnerability. It also doesn’t make sense that hackers would be looking to see if vulnerabilities have been fixed to find out there has been disclosure, instead they would look for disclosures directly since they are usually indexed on a number of public websites. In this case of the vulnerability in Ultimate Member, it was being exploited despite not being disclosed first.
The third and final paragraph is where you get to an ad for Sucuri (we removed the link to their service in this):
Timely updates of all site components are very important to minimize the risk of infection. If you are concerned that you are unable to maintain updates to your themes, CMS, and plugins, your best option is a website firewall that can block the majority of new attacks.
In this case the vulnerability was being exploited before being fixed, so keeping things up to date wouldn’t have protected you. That is where a security service that actually provides you something over keeping your software up to date can provide additional value, which should be where a service like Sucuri’s should be useful. That is exactly what our service offers, in terms of warning about unfixed vulnerabilities and trying to catch exploitable vulnerabilities as they are introduced and before they get exploited. Considering from what we have seen, to provide protection with a service like Sucuri claims to offer requires being aware of vulnerabilities, they would have been late in providing protection and they would have somehow have had better information if they followed our blog then what their own systems provide. Considering that we are a much smaller entity, their lack of capability is a good reminder of how poor so much of the industry is at providing security, especially companies that many will claim to be better than others.