{"id":2797,"date":"2016-08-24T13:47:46","date_gmt":"2016-08-24T19:47:46","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2797"},"modified":"2016-08-24T13:47:46","modified_gmt":"2016-08-24T19:47:46","slug":"its-scary-how-little-wordfence-knows-about-security","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2016\/08\/24\/its-scary-how-little-wordfence-knows-about-security\/","title":{"rendered":"It&#8217;s Scary How Little Wordfence Knows About Security"},"content":{"rendered":"<p>If you follow the news, what seems pretty clear is that cybersecurity is not in good shape these days. Whether it&#8217;s major credit card breaches at retailers or hacks of high profile organizations, clearly something is very wrong. It seems unlikely that this is due to a lack of spending on security products and services; estimates of yearly spending on cybersecurity are in the tens of billions of dollars and expected to continue to rise. Instead, part of the explanation is that much of that money is being spent on products and services from companies that know or care little about security.<\/p>\n<p>To give one example, anti-virus products from the well known companies <a href=\"https:\/\/www.wired.com\/2016\/06\/symantecs-woes-expose-antivirus-software-security-gaps\/\">Kaspersky Lab, Norton, McAfee, Sophos, and Trend Micro<\/a> were all found by Google researcher Tavis Ormandy to have had exploitable vulnerabilities in them. When you have to be concerned that security products are increasing your security risk, that indicates something is quite wrong. But what is more striking about those vulnerabilities is how easy some of them were to exploit and that they were due in part to the companies doing dumb things. 
For example, in the case of Norton, quite a few of their products, including enterprise products, were subject to a <a href=\"https:\/\/googleprojectzero.blogspot.com\/2016\/06\/how-to-compromise-enterprise-endpoint.html\">remote code execution vulnerability that could be exploited by sending an email<\/a> (it wouldn&#8217;t have had to be opened), which was due in part to running code at a higher privilege level than was needed.<\/p>\n<p>As we have ramped up our <a href=\"https:\/\/www.pluginvulnerabilities.com\/\">Plugin Vulnerabilities service for keeping track of vulnerabilities in WordPress plugins<\/a>, we have run across more of what WordPress security companies are up to, and what we have seen is that they are not the exception when it comes to the poor state of security companies. One such example is Wordfence; we have frequently seen things that showed they either didn&#8217;t know or didn&#8217;t care much about security.<\/p>\n<p>What we have wondered for some time, though, is whether it is more that they don&#8217;t know about security or that they just don&#8217;t care about it. To see why, take their involvement in the widespread claim that <a href=\"http:\/\/www.whitefirdesign.com\/blog\/2016\/08\/02\/no-one-is-trying-to-brute-force-your-wordpress-admin-password\/\">brute force attacks against WordPress admin passwords are occurring, despite the fact that the evidence from Wordfence and other security companies actually shows that they are not<\/a>. Did Wordfence have no clue what they were talking about, or did they know they were telling people a falsehood to help push their product and service? Those wouldn&#8217;t be needed if people knew that the malicious login attempts falsely being labeled as part of brute force attacks were most likely part of dictionary attacks, which can be protected against by simply using a strong password. 
We really were not sure.<\/p>\n<p>In another example, Wordfence made a bold claim about being able to protect against stored XSS attacks, which we <a href=\"https:\/\/www.pluginvulnerabilities.com\/2016\/06\/30\/wordfences-firewall-doesnt-protect-against-a-real-world-stored-xss-vulnerability\/\">found to be false<\/a> with <a href=\"https:\/\/www.pluginvulnerabilities.com\/2016\/07\/18\/wordfences-firewall-doesnt-protect-against-a-real-world-unauthenticated-stored-xss-vulnerability\/\">some simple testing<\/a>. In that case it could either have been that they were saying something they knew wasn&#8217;t true, or it could have been that they understand so little about this type of vulnerability that they didn&#8217;t realize what an incredible claim they were making and that they needed to be very careful about making it without being sure of it.<\/p>\n<p>We think the latest false information put forward by them makes it pretty likely that they lack a basic understanding of security, which is frightening since so much of the WordPress community is relying on them for information and protection.<\/p>\n<p>In a <a href=\"https:\/\/www.wordfence.com\/blog\/2016\/08\/top-50-attacked-wordpress-plugins-week\/\">post<\/a> about what they say are the most attacked plugin vulnerabilities (worth mentioning here is that <a href=\"https:\/\/www.pluginvulnerabilities.com\/2016\/06\/24\/wordfences-real-time-threat-defense-feed-seems-to-be-missing-many-plugin-vulnerabilities\/\">we recently found that Wordfence seems to be oblivious to vulnerabilities in plugins that are actually the biggest threat<\/a>), they made a claim that we, and they, found surprising: that many of the vulnerabilities being targeted were local file inclusion (LFI) vulnerabilities:<\/p>\n<blockquote><p>The large number of local file inclusion vulnerabilities that are being exploited is surprising. 
I should also note that many of these LFI\u2019s were discovered by <a href=\"https:\/\/twitter.com\/_larry0\">Larry Cashdollar<\/a>, who I had the pleasure of seeing speak at Defcon in Las Vegas 2 weeks ago. So I suspect that many of these are being used in an attack script of some kind, which may explain their prevalence in the attacks we\u2019re seeing.<\/p>\n<p>The clustering of LFI\u2019s together and Shell exploits together in the list order is odd, but I don\u2019t have a theory to explain that and there is no error in the data that accounts for that. It appears to be coincidence.<\/p><\/blockquote>\n<p>Considering that everything we know from monitoring plugin vulnerabilities and dealing with lots of hacked websites indicates that this type of vulnerability is rarely targeted, this seemed odd. But a quick look at the data they presented showed a simple explanation: local file inclusion vulnerabilities were not actually being targeted. Instead, what was being targeted were what we refer to as arbitrary file viewing vulnerabilities (they are also often referred to as arbitrary file download or directory traversal vulnerabilities), which are very different.<\/p>\n<p>Before we get into what each of those types of vulnerabilities is, it is worth mentioning that Wordfence really had to go out of their way to get this wrong, as can easily be seen by the fact that the first five vulnerabilities they listed as being local file inclusion vulnerabilities are actually listed in the linked advisories as being the following types of vulnerabilities:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.exploit-db.com\/exploits\/37752\/\">Arbitrary File Download<\/a><\/li>\n<li><a href=\"https:\/\/www.exploit-db.com\/exploits\/35460\/\">File Disclosure Download<\/a><\/li>\n<li><a href=\"https:\/\/www.exploit-db.com\/exploits\/35378\/\">Arbitrary File Download<\/a><\/li>\n<li><a href=\"https:\/\/www.exploit-db.com\/exploits\/37751\/\">Arbitrary File Download<\/a><\/li>\n<li><a href=\"https:\/\/www.exploit-db.com\/exploits\/37530\/\">Arbitrary File Download<\/a><\/li>\n<\/ul>\n<p>Not one of those is listed as a local file inclusion vulnerability, so Wordfence must have thought they were all wrong.<\/p>\n<p>A local file inclusion (LFI) vulnerability allows an attacker to <a href=\"http:\/\/php.net\/manual\/en\/function.include.php\">include<\/a> a file that exists on the file system of the server the website is on (a remote file inclusion (RFI) vulnerability allows the same with a file that exists somewhere else). For this type of vulnerability to be useful to a hacker, they either need to be able to place a file on the website or there needs to be an existing file whose inclusion in this way causes a security issue. Since those do not appear to be readily available in most cases, it follows that this type of vulnerability is not often exploited.<\/p>\n<p>An arbitrary file viewing vulnerability allows viewing the contents of a file that exists on the website. With WordPress websites we frequently see attempts to exploit this type of vulnerability to view the contents of the wp-config.php file. If successful, that would provide the attacker with the database credentials associated with the website. For that to be useful the attacker would need to be able to connect to the database, and their ability to do that varies greatly depending on the hosting setup. 
While we see many attempts to exploit this type of vulnerability, we see it being the cause of a website being hacked much less often than arbitrary file upload vulnerabilities, against which we also see many exploit attempts.<\/p>\n<p>While Wordfence&#8217;s lack of understanding of what each of these vulnerabilities is would likely have some impact on protecting against them, it would have an even bigger impact on their properly doing hack cleanups (which they also offer), since understanding what security vulnerabilities have existed on the website greatly helps in determining the source of the hack and the impact the exploitation of a vulnerability could have had.<\/p>\n<p>If you care about security, we would recommend you help us get the truth about Wordfence out to a wider audience so that together we can lessen the damage they are doing to the security of so many websites.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you follow the news, what seems pretty clear is that cybersecurity is not in good shape these days. Whether it&#8217;s major credit card breaches at retailers or hacks of high profile organizations, clearly something is very wrong. 
It seems unlikely that this is due to a lack of spending on security products and services, consider &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/08\/24\/its-scary-how-little-wordfence-knows-about-security\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;It&#8217;s Scary How Little Wordfence Knows About Security&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[40],"class_list":["post-2797","post","type-post","status-publish","format-standard","hentry","category-bad-security","tag-wordfence"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2797","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2797"}],"version-history":[{"count":4,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2797\/revisions"}],"predecessor-version":[{"id":2801,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2797\/revisions\/2801"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2797"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}