17 Sep 2018

Sucuri Doesn’t Understand the Recently Disclosed Vulnerability Created by Duplicator (or Security in General)

The reputation of security companies is often very different from the reality. One company that seems to have a good reputation is Sucuri. That is despite everything we have seen over many years indicating they lack even a basic understanding of security (we wish that were a gross exaggeration). We were once again reminded of that by something that popped up in the monitoring we do to keep track of vulnerabilities in WordPress plugins, which involved a repost of a recent Sucuri blog post.

The Sucuri blog post is titled “Outdated Duplicator Plugin RCE Abused”. [Read more]

24 Aug 2018

Sucuri’s Post With FUD Claim of Massive Infection Really Shows That They Are Failing Their Customers

It has taken us a long time to fully grasp the level of dishonesty in the security industry, since it is so rampant that it is hard to believe how bad things truly are, even seeing examples every day. That there is almost any dishonesty should be surprising, since trust is so important when it comes to security, especially when you consider the almost total lack of evidence that security companies put forward to back the incredible claims they make about their products and services. As an example of how bad things are, take the company Sucuri, which claims that trust is one of its four stated values:

The security space is filled with snake-oil and unnecessary FUD (fear, uncertainty, and doubt). We are committed to building services in the best interest of website owners. [Read more]

29 Nov 2017

Sucuri Only Became Aware of Exploitation of WordPress Plugins Weeks After Public Disclosure of That Exploitation

One of the problems we find in being part of the web security industry is that the public often believes that companies that don’t seem to know or care much about security are actually leading on things. As an example of the difference between reality and that belief, let’s look at something recent from Sucuri, which is one of the best known companies (though also one that has trouble doing the basics of what they offer and is engaged in rather shady practices).

Currently on their homepage you will find a testimonial that reads in part: [Read more]

6 Jul 2017

Sucuri and Others in Security Community Vastly Overstate Threat of WordPress Plugin Vulnerability

When it comes to dealing with web security, one of the big problems we see is that people don’t have a good understanding of what the risk of various threats is, and often that seems to be due to security companies and others in the community. At its worst, security companies peddle false threats, but even with real threats they often seem more interested in driving up fear instead of providing accurate information. A good example comes from a vulnerability the web security company Sucuri recently found, which in reality is almost no threat to the average website. But Sucuri and others would lead you to believe otherwise.

It Is an Authenticated Vulnerability

The problems start with the title of Sucuri’s post, “SQL Injection Vulnerability in WP Statistics”, which isn’t accurate, as the vulnerability is in fact an authenticated SQL injection vulnerability. That makes a big difference, since the vast majority of WordPress websites don’t give untrusted individuals access to accounts, so only a small portion of those using the plugin could have been vulnerable. [Read more]