Security Journalists Should Be Focused on Sucuri Failing to Properly Clean up Hacked Websites Instead of Non-Notable Malicious Code

When it comes to the poor state of web security, what is badly needed is security journalism that exposes what the many unscrupulous security companies are up to and how they take advantage of their customers. Instead, what we have found is that the journalists act more as a marketing department for those companies.

One security company this applies to is Sucuri. We are frequently brought in to re-clean hacked websites after Sucuri has not even attempted to clean them properly. One thing we have often found they have not done is try to determine how the website was hacked. That is a problem for the cleanup itself: you need to know how the website was hacked to be sure the vulnerability has been fixed, and we have often found that Sucuri has missed parts of the hack code that would have been spotted had they done the work needed to determine how the website was hacked. The larger issue with them not doing that is that their main service is supposed to protect websites from being hacked in the first place, which is likely to be difficult if you don't know how they are being hacked.

Sucuri's own marketing speaks to their not seeming focused on actually protecting websites: on their home page they tout a number of stats about the service, and not one of them relates to how effective it is at protecting websites:

The number of cleanups might even be an indication of their failure to do that, if many of those are cleanups of existing customers' websites (assuming the stats are even true).

You don't have to take our word that Sucuri doesn't try to determine how websites are hacked. A recent article on the security news website Threatpost, Stealthy Malware Disguises Itself as a WordPress License Key, mentions that in passing, when it should have been the focus of the story. Instead, the focus of the story is not itself newsworthy: it reports on Sucuri describing a dime-a-dozen situation in which malicious code has been added to the functions.php file of a WordPress theme. What might be newsworthy is how that code got there, but Sucuri didn't even attempt to determine that:

“We had no access to their logs to determine the root cause, but it’s generally caused by compromised admin accounts or downloading and using themes/plugins from untrusted sources,” Moe Obaid, security analyst at Sucuri, told Threatpost.

Getting access to the logs would have been a basic part of the work of a proper cleanup, and it shouldn't be difficult.

How this person would know how this type of hack generally happens, if they are not doing the work to determine that, seems like an obvious question to ask, but it appears Threatpost wasn't interested in digging deeper into an employee of this company admitting to cutting corners in the work they are doing. (You also have to wonder why someone is called a "security analyst" if they don't actually do security analysis.) One explanation for the lack of critical coverage of the security industry by Threatpost, in this instance and in general, is that Threatpost itself appears to be owned by a security company.

Kaspersky Lab’s News Website Threatpost Spreads Unfounded Claims About Security Threats

The Russian security company Kaspersky Lab has been in the news a lot recently over questions about its relationship with the Russian government, but what also deserves some focus is how its news website, Threatpost, helps spread unfounded claims about security threats coming from others in the security industry.

Back in November, over at the blog for our Plugin Vulnerabilities service, we looked at a situation in which Threatpost had covered a claim by the security company Checkmarx that it had found "severe" vulnerabilities in several WordPress eCommerce plugins. At the time Checkmarx presented no evidence to back up the claim and stated that it would be "available in the future". What they did present indicated that the vulnerabilities, if they existed, might be less than severe. In May we went looking to see whether any additional information had ever been released, but we couldn't find any update, and we received no response from Checkmarx when we contacted them asking where we could find it.

Today we ran into another example of Threatpost spreading an unfounded claim about a security threat. This time the threat revolves around placing the WordPress files on a website and then not running the installer, which leaves the setup script reachable by anyone, so an attacker can complete the installation themselves. The following line in the article stood out:

WordPress experts claim the attack method isn’t exactly new, but that it clearly hasn’t limited its effectiveness.

Neither the article nor the cited source for the article provides any measure of the effectiveness of the attack. The only cited figure is a rather underwhelming argument for even covering this: "biggest increase in scans – roughly 7,500 a day". Considering that there are apparently at least hundreds of millions of websites, that isn't a significant number (attacks do appear to occur a lot more often than that, but not more than many other threats that don't receive any coverage).
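The two posts above both come back to the same point: the access logs are where you find out how a site was actually compromised. As an added example (not code from the original posts, Sucuri, Wordfence, or Threatpost), here is a small Python scan over constructed Apache-style access log lines showing the kind of root-cause work a log review supports. It flags requests to the WordPress setup scripts (the unfinished-install attack discussed here), and it flags theme files being written through the wp-admin theme editor (one way malicious code ends up in a theme's functions.php), tying each write back to the preceding login from the same IP, which is the compromised-admin-account route Sucuri's analyst mentioned. The log lines, IP addresses, and the indicator list are constructed for the example; the "302 on POST /wp-login.php means a successful login" rule is a heuristic, not a WordPress guarantee.

```python
import re

# Apache/nginx "combined" access log format; the named groups are the fields used below.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Root-cause indicators: (label, required HTTP method or None for any, request paths).
# This list is an assumption for the example, not an exhaustive catalogue.
INDICATORS = (
    # WordPress setup scripts: on a site whose install was never finished these serve
    # the installer to anyone, so a 200 here is the alarming case; a 404 is a probe.
    ("unfinished-install probe", None,
     ("/wp-admin/setup-config.php", "/wp-admin/install.php")),
    # A POST to the theme editor writes a theme file (e.g. functions.php) from wp-admin.
    ("theme file edited through wp-admin", "POST",
     ("/wp-admin/theme-editor.php",)),
    # A POST to update.php is how plugins/themes are uploaded through wp-admin.
    ("plugin/theme uploaded through wp-admin", "POST",
     ("/wp-admin/update.php",)),
)


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def classify(rec):
    """Return the indicator label for a parsed request, or None if it is uninteresting."""
    for label, method, paths in INDICATORS:
        if rec["path"] in paths and (method is None or rec["method"] == method):
            return label
    return None


def find_indicators(lines):
    """Scan log lines in order and return root-cause indicators with login context."""
    last_login = {}  # ip -> time of the most recent POST /wp-login.php that redirected (heuristic: success)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == "/wp-login.php" and rec["method"] == "POST" and rec["status"] == 302:
            last_login[rec["ip"]] = rec["time"]
        label = classify(rec)
        if label:
            findings.append({
                "kind": label,
                "ip": rec["ip"],
                "time": rec["time"],
                "path": rec["path"],
                "status": rec["status"],
                "prior_login": last_login.get(rec["ip"]),  # None if this IP never logged in
            })
    return findings


# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2017:08:01:12 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jul/2017:09:15:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jul/2017:09:16:40 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "https://example.com/wp-admin/theme-editor.php" "Mozilla/5.0"',
    '192.0.2.50 - - [10/Jul/2017:10:00:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind']} ({f['path']} -> {f['status']}); "
              f"prior login from this IP: {f['prior_login'] or 'none'}")
```

Run against a real log, the second finding is the one a cleanup needs: a theme-editor write shortly after a login from the same address says the theme was modified with valid credentials, so the fix is a credential reset and a look at how the password was obtained, not just removing the code from functions.php. The setup-script hits are what the 7,500-a-day figure is counting; on an installed site they are noise, and on a site with an unfinished install they are the whole problem.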

We left the following comment on the post, pointing to the lack of backing for the claim as to the effectiveness of the attack:

Your article implies the attack is effective, "WordPress experts claim the attack method isn't exactly new, but that it clearly hasn't limited its effectiveness.", but you and Wordfence don't present any evidence as to the effectiveness of these attacks. We have seen hackers do large scale attacks that had no chance of being successful because they didn't understand what they were trying to exploit, so 7,500 attempts in a day isn't in any way an indication that this is effective.

Originally it was held for moderation:

But shortly after that it was removed. So they were clearly aware of the issue, but instead of addressing it they would rather not let people know that they are making unfounded claims.

It is also worth noting that the first part of the sentence, "WordPress experts claim the attack method isn't exactly new", isn't all that accurate. It isn't just a claim that the attack method isn't new; it is factually true that it isn't new. For example, the issue was brought up five and a half years ago and we discussed it at the time.