SiteLock Fails To Do Basic Security Check

When it comes to the security of websites, what we see is a situation where basic security measures, like keeping software up to date, are not being taken, and security companies, most of whom appear to have little interest in actually improving security, are selling security services that are really not needed. A good example of this is SiteLock, which sells a security service that doesn’t provide any of the security measures that need to be taken to protect your website from hackers. Worse than that, we recently found that it is really poor at doing one of the things that it is supposed to do, leaving the people running websites and their customers with a false sense of security.

We recently were hired to do an upgrade of a website running Magento 1.4.1.1, a rather out of date version (the next version, 1.4.2.0, was released in December of 2010). When we took a look at the website we were rather surprised to see a security seal from SiteLock claiming the website was secure (we have blacked out the domain name in the image):

SiteLock Secure Seal

Version 1.4.1.1 of Magento is old enough that security patches for major issues are no longer released for it and anyone concerned about security would be running at least the most recent major release, 1.9.0.0, as it includes a number of security enhancements:

  • Addressed a potential cross-site scripting (XSS) vulnerability while creating configurable product variants.
  • Addressed a potential security issue that could result in displaying information about a different order to a customer.
  • Users can no longer change the currency if the payment method PayPal Website Payments Standard is used.
  • Removed an .swf file from the Magento distribution because of security issues.
  • Improved file system security.
  • Enhanced the security of action URLs, such as billing agreements.
  • Addressed a potential session fixation vulnerability during checkout.
  • Improved the security of the Magento randomness function.

We don’t really think that a website should be labeled as secure in that instance, but we assumed that SiteLock had at least provided a private warning that the website was in need of an update. But according to our client they never heard anything from SiteLock about the issue. This is surprising considering it is something the service is supposed to be providing. On the homepage of their website they start the description of their services with “We scan your website to find and fix existing malware and vulnerabilities”. On the page about the service they further expand on that:

Our scanners identify applications you have installed and which version you have. We compare that to industry and proprietary lists to determine the security of your installation. SiteLock’s comprehensive scanning eliminates reports of “false positives” that are not truly dangerous to your business. If we discover a vulnerability in our testing, we report it to you immediately and can help you upgrade your application version and secure your site.

How did SiteLock miss that the website is running such outdated software? It is not because it is difficult to detect. If you have access to the website’s underlying files, which it appears SiteLock would have, then you can easily get the Magento version number from the file /app/Mage.php in Magento. Without access to the underlying files you can still get the version number of Magento in use. One way to do that is with our Magento Version Check extension for Chrome, which had no problem detecting the version in use on the website:

Magento Version Check
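A defender-side version of the check described above, as an added example that is not code from the original post, from SiteLock or from the Magento Version Check extension: it pulls the version out of the text of app/Mage.php and compares it against the 1.9.0.0 baseline mentioned earlier. The two embedded samples are constructed to mimic the shapes getVersion() and getVersionInfo() have taken across Magento 1.x; treat those shapes as an assumption and verify them against your own install.

```python
import re
from typing import Optional, Tuple

# Constructed samples of the version-bearing part of app/Mage.php (assumed
# shapes; check them against your own install). Older 1.x releases return a
# literal string from getVersion(); later ones build it from getVersionInfo().
MAGE_PHP_LITERAL = """
    public static function getVersion()
    {
        return '1.4.1.1';
    }
"""
MAGE_PHP_ARRAY = """
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '0',
            'patch'     => '0',
            'stability' => '',
            'number'    => '',
        );
    }
"""

_LITERAL_RE = re.compile(r"function\s+getVersion\s*\(\)\s*\{\s*return\s*'([\d.]+)'")
_ARRAY_RE = re.compile(r"'(major|minor|revision|patch)'\s*=>\s*'(\d+)'")


def extract_version(mage_php: str) -> Optional[str]:
    """Return the Magento 1 version declared in the text of app/Mage.php, or None."""
    m = _LITERAL_RE.search(mage_php)
    if m:
        return m.group(1)
    parts = dict(_ARRAY_RE.findall(mage_php))
    if {"major", "minor", "revision", "patch"}.issubset(parts):
        return ".".join(parts[k] for k in ("major", "minor", "revision", "patch"))
    return None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric tuple so that 1.4.1.1 sorts before 1.9.0.0 (a string compare would not)."""
    return tuple(int(x) for x in version.split("."))


def is_outdated(version: str, minimum: str = "1.9.0.0") -> bool:
    """True when the detected release is older than the minimum acceptable one."""
    return version_tuple(version) < version_tuple(minimum)
```

On a real install, feed the file contents in with `extract_version(open("app/Mage.php").read())` and raise the `minimum` argument as new releases ship.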

For anyone looking for a tool that will actually alert you when your websites are using outdated software our Up to Date? app for Chrome provides just that:

Up to Date? app showing Magento versions

As for the SiteLock service, you would be better off spending the money you would spend on their service on the things that will actually keep your website secure.

CelebGate: a Long, Dangerous List of Celebrities

During the past few days, the media has been abuzz with the massive celebrity photo leak nicknamed The Fappening or Celebgate 2014. The story started on August 31 when the first nude pictures appeared on a 4chan board. An impressive list of victims has been posted.
Fake or true, today almost 450 pictures and videos are circulating on 4chan, Reddit, or Imgur in connection with this story. A Google search for “The Fappening 2014” returns more than 1.4 million URLs. While some netsurfers work at posting them, website administrators work at deleting them.

The forums are inflamed, and dedicated websites are popping up to expose these photos.
Archives are offered to download.
And of course, malicious software is never far from such stories. Searching for these real or fake pictures is a dangerous sport. Most of the URLs you can discover via Google or dedicated forums lead somewhere dangerous: your chance of landing on a page that tests positive for spam, adware, spyware, viruses, or other malware is almost a sure thing.

My first two attempts infected my test computer.
After I disabled my antivirus for 10 minutes to easily browse, I was (not) surprised to detect 10 or more new infections (in the following case several Trojans).
In 2013, McAfee published a list of the 10 most dangerous celebrities. Today we appear to have a Top 100!

You should always be extra cautious when searching hot topics, which often lead to unwanted programs offered by unscrupulous companies or to malicious sites created by cybercriminals.

The post CelebGate: a Long, Dangerous List of Celebrities appeared first on McAfee.

BurpSentinel – Vulnerability Scanning Plugin For Burp Proxy

BurpSentinel is a plugin for Burp Intercepting Proxy to aid and ease the identification of vulnerabilities in web applications. Searching for vulnerabilities in web applications can be a tedious task: most of the time is spent inserting magic chars into parameters and looking for suspicious output. Sentinel tries to automate parts of this...

Read the full post at darknet.org.uk