ESET found what’s known as a UEFI rootkit, which is a way to gain persistent access to a computer that’s hard to detect and even harder to clean up, on an unidentified victim’s machine. The technique isn’t unheard of; researchers have explored proofs of concept in the past and leaked files have indicated that both the CIA and the independent exploit-focused company Hacking Team have had the capability. But evidence that it has happened, in the form of malware called LoJax, represents a significant escalation in the Fancy Bear—which ESET calls Sednit—toolkit.
In a Flash
If “LoJax” sounds vaguely familiar, it’s because you might recall LoJack—formerly known as Computrace—security software that lets you track your laptop in the event of theft. LoJack turns out to be potent stuff. It sits in a computer’s firmware, making regular calls back to a server to announce its location. Crucially, that also means you can’t get rid of it by reinstalling your operating system or swapping in a new hard drive.
That’s an intentional security feature: If someone steals your computer, you want to make it as hard as possible for them to evade detection. But it also presents a unique opportunity to bad actors, as outlined in a 2016 presentation at a security conference called Zero Nights, and again in more detail this May by researchers at security firm Arbor Networks. Essentially, Fancy Bear figured out how to manipulate code from a decade-old version of LoJack to get it to call back not to the intended server, but one manned instead by Russian spies. That’s LoJax. And it’s a devil to get rid of.
“Whenever a computer infected with a UEFI malware boots, it will place the LoJax agent on the Windows file system, so that when Windows boots, it’s already infected with the LoJax agent. Even if you clean LoJax from Windows, as soon as you reboot, the UEFI implant will reinfect Windows,” says Alexis Dorais-Joncas, ESET’s security intelligence team lead.
It is possible to remove LoJax from your system entirely, but doing so requires serious technical skills. “You can’t just restart. You can’t just reinstall your hard drive. You can’t replace your hard drive. You actually have to flash your firmware,” says Richard Hummel, manager of threat intelligence for Arbor Networks. “Most people don’t know how to do that. The fact that it gets into that spot where it’s really difficult to use makes it really insidious.”
Most antivirus scanners and other security products also don’t look for UEFI issues, making it even harder to detect whether malicious code is there. And if it is, you’re in trouble.
“Decade-old software and hardware vulnerabilities are easily exploited by modern attackers, so companies must use good endpoint hygiene best practices including ensuring endpoints and firmware are up-to-date, leveraging anti-malware, and confirming other endpoint protection agents are always present and healthy,” says Dean Ćoza, executive vice president of products at LoJack developer Absolute. “We take the security of our platform extremely seriously, and are working to confirm these issues do not impact our customers or partners.”
The malware ESET observed does not itself actively steal data from an infected device. Think of it not as a robber, but as a door into your house that’s so hidden, you can’t see it even if you pore over every wall. LoJax gives Fancy Bear constant, remote access to a device, and the ability to install additional malware on it at any time.
“In effect, it allows the attacker to take over the machine and download whatever they want,” says Hummel. “They can also use the original intent of the malware, which is to track the location of the infected machines, possibly to specific owners that may be of interest to the attackers.”
Several details about the Fancy Bear UEFI attack remain either vague or unknown. ESET’s Dorais-Joncas confirmed that the device they spotted it on was “infected by several pieces of malware,” and that the hacking group targeted government entities in Europe. They don’t know exactly how Fancy Bear hackers gained access to the victim’s device in the first place, but Dorais-Joncas suggests that they likely followed their typical strategy of a spearphishing attack to gain an initial foothold, followed by movement through a network to locate more high-value targets.
The security firm has more specificity, though, in terms of how exactly Fancy Bear operated once it got that initial control. First, the hackers used a widely available tool to read the UEFI firmware memory, to better understand what specific device they were attacking. Once in possession of that image, they modified it to add the malicious code and then rewrote the infected image back to the firmware memory. The process was not automated, says Dorais-Joncas; a human behind a keyboard went through every step.
Those details offer some hope for future potential victims. Namely, the attackers were only able to write onto the target computer’s firmware in the first place because it was an older device; Intel and others have baked in better protections against that behavior, especially after the Hacking Team and CIA revelations. Using the Windows Secure Boot feature, too, would prevent this type of attack, since it checks to make sure that the firmware image on your computer matches up with the one the manufacturer put there.
“On the other hand,” says Dorais-Joncas, “probably more attacks will take place,” given that Fancy Bear has figured out how to do it successfully. And now that it’s widely known that Fancy Bear did it, copycats may not be far behind.
“Whenever we see these new tactics, it does not take long for other hackers to figure out how they did it and to mimic it,” says Hummel.
Russia’s hackers already have an elaborate hacking toolkit. But the introduction of a UEFI rootkit—stealthy, complex, pernicious—affirms just how advanced their capabilities have become. And more importantly, how hard they are to defend against.
When the attackers gain access to a site, they plant a backdoor for future access and make modifications to the site’s code.
Malwarebytes security researcher Jérôme Segura said this malicious code filters users visiting the compromised sites and redirects some to tech support scams.
Segura also said that some of the tech support scams that users are landing on use the “evil cursor” Chrome bug to prevent users from closing the malicious site’s tab, a trick that the researcher first spotted last week.
This WordPress site hijacking campaign appears to have started this month, according to Sucuri, and has intensified in recent days, according to Segura.
Last week, ZDNet revealed that attackers had been scanning the Internet in an attempt to exploit a recent vulnerability in a popular WordPress plugin.
While Sucuri did not find confirmation that this vulnerability was now being used in this recent wave of site hacks, the company did confirm our initial report, based on WordFence’s telemetry.
We offer special incentives for new clients who want to move to a new, secure host, update and harden their WordPress websites and create new WordPress websites. Call 954-202-8004 or use the Contact Us form.
You may have heard the dark web is a place for drug dealers and hitmen. That’s correct, but there’s more to it than that. In this article, find out what the dark web is, how to access it, and what you might find there.
The dark web is a part of the Internet that requires special software to access and is not indexed by search engines. It offers much greater privacy than the widely accessible parts of the World Wide Web.
That privacy also makes the dark web a setting for illegal activity, scams, and offensive content. The high-profile rise and fall of the Silk Road marketplace for illicit drugs is the best-known example of this. But despite the sensational media coverage, few people really understand what the dark web is or how it works. For instance, it might surprise some people to learn that The New York Times and Facebook both maintain websites on the dark web.
The dark web isn’t “dark” because it’s bad; it’s dark because it’s the only place on the Internet that offers a bit of privacy. In this article, we’ll explain how that works, what actually happens on the dark web, and how you can check it out for yourself.
What is the dark web?
Think of the Internet as divided into three parts: the clearweb, the deep web, and the dark web.
The clearweb is the Internet most of us are familiar with. Its pages are searchable in Google, but it makes up just a small percentage of all the content on the Internet. The deep web comprises the majority of the Internet, but it is not indexed by search engines, it is often password-protected, and therefore it’s not generally accessible. The deep web includes things like financial databases, web archives, and password-protected pages.
The dark web is a small portion of the deep web. It runs on top of existing Internet infrastructure, but it is a parallel web that cannot be accessed without special tools. For this reason the dark web is sometimes referred to as the hidden web.
Websites on the dark web have domains ending in “.onion” and are sometimes known as onion sites. They’re called onion sites because of the kind of encryption technology they use to hide the IP address of the servers that host them. Websites on the dark web mask their data behind multiple layers of encryption (like the layers of an onion), and can only be accessed through the Tor network, which is a network of computers around the world maintained by volunteers. Because the routing is random and the data is encrypted, it’s extremely difficult for anyone to trace any piece of traffic back to its source.
How to access the dark web
Tor is the most popular dark web interface, with millions of users. There are a number of ways to access the Tor network, including via the Tor Browser, the operating system Tails, or by installing Tor on your computer. ProtonVPN also provides one-click Tor access through the Tor over VPN feature. From there, you can browse the web normally as well as gain access to highly private and secure onion sites.
Unlike the regular web, however, even after you have connected to the dark web, it isn’t so easy to find websites. Dark web sites use randomly generated domains that aren’t easy to remember. The dark web is also difficult to index, meaning search engines are ineffective. There are a number of link directories, such as The Hidden Wiki, that attempt to catalogue the dark web. But because dark web sites change their domain frequently, you’ll find a lot of dead links. A typical onion site URL looks something like this:
Some special onion sites, though, have easy to remember domain names and also SSL encryption (URLs that start with “https” instead of “http”). For example, ProtonMail’s Tor encrypted email site is at https://protonirockerxow.onion while Facebook’s onion site is at https://facebookcorewwwi.onion. You can learn more about these special onion sites here.
What’s on the dark web?
The illicit uses of the dark web are well documented: assassination services, ecommerce sites for buying guns and drugs, and so on. It’s best to steer clear of anything that seems suspect while browsing there. However, there are plenty of 100% legal things you can do on the dark web. You can read ProPublica or The New York Times, check your email in ProtonMail, or browse your Facebook wall. All of these mainstream websites offer dark web access because of the benefits to privacy and freedom of information.
One of the biggest advantages of the dark web is the difficulty of blocking it. Common forms of censorship, which block traffic to websites at specific choke points along the Internet hierarchy, do not work with encrypted overlay networks. (As a result, some dictators have, for example, tried to block Tor itself.)
For similar reasons, the dark web is more resistant to surveillance by governments and corporations (such as Internet service providers). Whistleblowers, journalists, and other professionals at risk of targeted surveillance use the dark web to communicate sensitive information. And organizations including Human Rights Watch and the Electronic Frontier Foundation support the use of and access to the dark web.
One of the only drawbacks of the dark web is its speed. For instance, because Tor bounces your traffic through multiple servers around the world, it necessarily slows your connection. But when you need it, the dark web can be vitally important: When Turkey temporarily blocked ProtonMail for some users, our onion site was one of the only ways people could gain access to email.
This is a concise, simple explanation of GDPR brought to you by Syed Balkhi and his Editorial Staff of WordPress experts.
Are you confused by GDPR, and how it will impact your WordPress site? GDPR, short for General Data Protection Regulation, is a European Union law that you have likely heard about. We have received dozens of emails from users asking us to explain GDPR in plain English and share tips on how to make your WordPress site GDPR compliant. In this article, we will explain everything you need to know about GDPR and WordPress (without the complex legal stuff).
Disclaimer: We are not lawyers. Nothing on this website should be considered legal advice.
To help you easily navigate through our ultimate guide to WordPress and GDPR compliance, we have created a table of contents below:
The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.
Basically, after May 25th, 2018, businesses that are not in compliance with GDPR’s requirements can face large fines of up to 4% of a company’s annual global revenue OR €20 million (whichever is greater). This is enough reason to cause widespread panic among businesses around the world.
This brings us to the big question that you might be thinking about:
Does GDPR apply to my WordPress site?
The answer is YES. It applies to every business, large and small, around the world (not just in the European Union).
If your website has visitors from European Union countries, then this law applies to you.
But don’t panic, this isn’t the end of the world.
While GDPR has the potential to escalate to that high level of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.
The EU isn’t some evil government that is out to get you. Their goal is to protect consumers, average people like you and me from reckless handling of data / breaches because it’s getting out of control.
The maximum fine part, in our opinion, is largely to get the attention of large companies like Facebook and Google, so this regulation is NOT ignored. Furthermore, this encourages companies to actually put more emphasis on protecting the rights of people.
Once you understand what is required by GDPR and the spirit of the law, then you will realize that none of this is too crazy. We will also share tools / tips to make your WordPress site GDPR compliant.
What is required under GDPR?
The goal of GDPR is to protect users’ personally identifiable information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.
The personal data includes: name, emails, physical address, IP address, health information, income, etc.
While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:
Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form because they DID NOT opt-in for your marketing newsletter (that’s called SPAM by the way, and you shouldn’t be doing that anyways).
For it to be considered explicit consent, you must require a positive opt-in (i.e. no pre-ticked checkbox), use clear wording (no legalese), and keep it separate from other terms & conditions.
Rights to Data – you must inform individuals where, why, and how their data is processed / stored. An individual has the right to download their personal data and an individual also has the right to be forgotten meaning they can ask for their data to be deleted.
This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that (hmm, go figure). I’m looking at you Zenefits, still waiting for my account to be deleted for 2 years and hoping that you stop sending me spam emails just because I made the mistake of trying out your service.
Breach Notification – organizations must report certain types of data breaches to relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individual data. However if a breach is high-risk, then the company MUST also inform individuals who’re impacted right away.
This will hopefully prevent cover-ups like Yahoo’s, which was not revealed until the acquisition.
Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. Again this is not required for small businesses. Consult an attorney if you’re in doubt.
To put it in plain English, GDPR makes sure that businesses can’t go around spamming people by sending emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent (good luck getting this consent). Businesses have to delete users’ accounts and unsubscribe them from email lists if the user asks them to. Businesses have to report data breaches and overall be better about data protection.
Sounds pretty good, in theory at least.
Ok, so now you are probably wondering what you need to do to make sure that your WordPress site is GDPR compliant.
Well, that really depends on your specific website (more on this later).
Let us start by answering the biggest question that we’ve gotten from users:
Is WordPress GDPR Compliant?
Yes, as of WordPress 4.9.6, the WordPress core software is GDPR compliant. The WordPress core team has added several GDPR enhancements to make sure that WordPress is GDPR compliant. It’s important to note that when we talk about WordPress, we’re talking about self-hosted WordPress.org (see the difference: WordPress.com vs WordPress.org).
Having said that, due to the dynamic nature of websites, no single platform, plugin or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.
Ok, so you might be thinking what does this mean in plain English?
Well, by default WordPress 4.9.6 now comes with the following GDPR enhancement tools:
By default, WordPress used to store the commenter’s name, email and website as a cookie in the user’s browser. This made it easier for users to leave comments on their favorite blogs because those fields were pre-populated.
Due to GDPR’s consent requirement, WordPress has added the comment consent checkbox. The user can leave a comment without checking this box. All it would mean is that they would have to manually enter their name, email, and website every time they leave a comment.
Data Export and Erase Feature
WordPress offers site owners the ability to comply with GDPR’s data handling requirements and honor users’ requests to export or erase their personal data.
The data handling features can be found under the Tools menu inside WordPress admin.
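The export and erase tools only cover data that something has registered with them. A plugin that keeps personal data in its own table has to hook into the same Tools menu, otherwise a data request will miss that table. The following is an added example, not WordPress core or WPBeginner code: it registers an exporter and an eraser for a hypothetical newsletter signup table (the `demo_signups` table name, its columns, and the `demo` text domain are assumptions).

```php
<?php
/**
 * Added example (not WordPress core or WPBeginner code): register a plugin's
 * own table with the WordPress 4.9.6 privacy tools so that Tools > Export
 * Personal Data and Tools > Erase Personal Data cover it too.
 * The table name and its columns (email, consent_given_at, signup_ip) are
 * hypothetical.
 */

// Hypothetical table holding the plugin's own signups.
function demo_signups_table() {
    global $wpdb;
    return $wpdb->prefix . 'demo_signups';
}

// Exporter callback: return the items WordPress should put in the export ZIP.
function demo_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = demo_signups_table();
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, consent_given_at, signup_ip FROM {$table} WHERE email = %s",
            $email_address
        ),
        ARRAY_A
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'demo_signups',
            'group_label' => __( 'Newsletter signups', 'demo' ),
            'item_id'     => 'demo-signup-' . $row['id'],
            'data'        => array(
                array( 'name' => __( 'Email', 'demo' ),         'value' => $row['email'] ),
                array( 'name' => __( 'Consent given', 'demo' ), 'value' => $row['consent_given_at'] ),
                array( 'name' => __( 'Signup IP', 'demo' ),     'value' => $row['signup_ip'] ),
            ),
        );
    }

    // Everything fits in one page, so tell WordPress there is nothing more to fetch.
    return array( 'data' => $export_items, 'done' => true );
}

// Eraser callback: delete the rows and report what happened.
function demo_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = demo_signups_table();
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['demo-signups'] = array(
        'exporter_friendly_name' => __( 'Newsletter signups', 'demo' ),
        'callback'               => 'demo_signups_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['demo-signups'] = array(
        'eraser_friendly_name' => __( 'Newsletter signups', 'demo' ),
        'callback'             => 'demo_signups_eraser',
    );
    return $erasers;
} );
```

Once this is active, a request confirmed under Tools > Export Personal Data or Tools > Erase Personal Data for that email address runs these callbacks alongside the core ones for comments and user profiles. If a plugin must keep some rows (for example an invoice it is legally required to retain), the eraser should set `items_retained` to true and explain why in `messages` rather than silently deleting nothing.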
These three things are enough to make a default WordPress blog GDPR compliant. However, it is very likely that your website has additional features that will also need to be in compliance.
Depending on which WordPress plugins you are using on your website, you would need to act accordingly to make sure that your website is GDPR compliant.
A lot of the best WordPress plugins have already gone ahead and added GDPR enhancement features. Let’s take a look at some of the common areas that you would need to address:
Like most website owners, you’re likely using Google Analytics to get website stats. This means that it is possible that you’re collecting or tracking personal data like IP addresses, user IDs, cookies and other data for behavior profiling. To be GDPR compliant, you need to do one of the following:
Anonymize the data before storage and processing begins
Add an overlay to the site that gives notice of cookies and ask users for consent prior to tracking
Both of these are fairly difficult to do if you’re just pasting Google Analytics code manually on your site. However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re in luck.
They have released an EU compliance addon that helps automate the above process. MonsterInsights also has a very good blog post about all you need to know about GDPR and Google Analytics (this is a must read if you’re using Google Analytics on your site).
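For a site that pastes the Google Analytics snippet by hand, both steps above can still be done in a theme's functions.php. The following is an added example, not MonsterInsights or WPBeginner code: it loads the tracking script only after a visitor has actively opted in (no pre-ticked box, a cookie is set only on a submitted form) and asks Google to truncate the IP address with `anonymize_ip`. The cookie name `ga_consent`, the `demo_` function names, and the property ID placeholder are assumptions.

```php
<?php
/**
 * Added example (not MonsterInsights or WPBeginner code): consent-gated Google
 * Analytics with IP anonymisation for a hand-pasted snippet.
 * 'ga_consent' and the property ID placeholder are assumptions.
 */

define( 'DEMO_GA_PROPERTY_ID', 'UA-XXXXXXXX-X' ); // placeholder, replace with your own ID
define( 'DEMO_GA_CONSENT_COOKIE', 'ga_consent' );

// Did the visitor opt in? Only the exact value "1" counts; anything else is no consent.
function demo_ga_has_consent() {
    return isset( $_COOKIE[ DEMO_GA_CONSENT_COOKIE ] ) && '1' === $_COOKIE[ DEMO_GA_CONSENT_COOKIE ];
}

// Enqueue gtag.js only when consent exists; without it nothing is sent to Google.
function demo_ga_enqueue() {
    if ( ! demo_ga_has_consent() ) {
        return;
    }
    wp_enqueue_script(
        'demo-gtag',
        'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( DEMO_GA_PROPERTY_ID ),
        array(),
        null,
        false
    );
    $inline = sprintf(
        "window.dataLayer = window.dataLayer || [];\n" .
        "function gtag(){dataLayer.push(arguments);}\n" .
        "gtag('js', new Date());\n" .
        "gtag('config', '%s', { 'anonymize_ip': true });", // IP truncated before storage
        esc_js( DEMO_GA_PROPERTY_ID )
    );
    wp_add_inline_script( 'demo-gtag', $inline, 'after' );
}
add_action( 'wp_enqueue_scripts', 'demo_ga_enqueue' );

// Minimal notice: a form the visitor has to submit. There is no pre-ticked box.
function demo_ga_consent_banner() {
    if ( demo_ga_has_consent() ) {
        return;
    }
    ?>
    <form method="post" class="demo-consent-banner">
        <?php wp_nonce_field( 'demo_ga_consent', 'demo_ga_consent_nonce' ); ?>
        <p>We use Google Analytics (with IP anonymisation) to understand how this site is used.</p>
        <button type="submit" name="demo_ga_consent" value="1">Allow analytics</button>
    </form>
    <?php
}
add_action( 'wp_footer', 'demo_ga_consent_banner' );

// Record the opt-in before any output is sent, then reload so the script gets enqueued.
function demo_ga_record_consent() {
    if ( ! isset( $_POST['demo_ga_consent'] ) ) {
        return;
    }
    if ( ! isset( $_POST['demo_ga_consent_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_ga_consent_nonce'], 'demo_ga_consent' ) ) {
        return;
    }
    setcookie( DEMO_GA_CONSENT_COOKIE, '1', time() + YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    wp_safe_redirect( esc_url_raw( $_SERVER['REQUEST_URI'] ) );
    exit;
}
add_action( 'init', 'demo_ga_record_consent' );
```

The important property is that a visitor who never submits the form never has gtag.js loaded at all, so no `_ga` cookies are set and no hits leave the browser. Withdrawing consent would mean clearing the `ga_consent` cookie, which this minimal example leaves to the reader.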
If you are using a contact form in WordPress, then you may have to add extra transparency measures, especially if you’re storing the form entries or using the data for marketing purposes.
Below are the things you might want to consider for making your WordPress forms GDPR compliant:
Get explicit consent from users to store their information.
Get explicit consent from users if you are planning to use their data for marketing purposes (i.e. adding them to your email list).
Disable cookies, user-agent, and IP tracking for forms.
Make sure you have a data-processing agreement with your form providers if you are using a SaaS form solution.
Comply with data-deletion requests.
Disable storing all form entries (a bit extreme and not required by GDPR). You probably shouldn’t do this unless you know exactly what you’re doing.
The good part is that if you’re using WordPress plugins like WPForms, Gravity Forms, Ninja Forms, Contact Form 7, etc., then you don’t need a Data Processing Agreement because these plugins DO NOT store your form entries on their site. Your form entries are stored in your WordPress database.
Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant.
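For readers who run a hand-written form rather than one of the plugins above, the following is an added example, not WPForms or WPBeginner code, of the consent checkbox and the "no IP or user-agent" points from the list: the handler refuses a submission unless the box was ticked, stores only what the visitor typed plus the time consent was given, and deliberately never touches `REMOTE_ADDR` or `HTTP_USER_AGENT`. The `demo_contact` post type, the `demo_` function names and the field names are assumptions.

```php
<?php
/**
 * Added example (not WPForms or WPBeginner code): a minimal contact form whose
 * handler requires a positive consent tick and stores no IP or user agent.
 * The 'demo_contact' post type and field names are assumptions.
 */

// Private post type to hold entries inside the site's own database.
add_action( 'init', function () {
    register_post_type( 'demo_contact', array(
        'public'   => false,
        'show_ui'  => true,
        'label'    => 'Contact entries',
        'supports' => array( 'title', 'editor', 'custom-fields' ),
    ) );
} );

// The form: one required consent box, unchecked by default, worded plainly.
function demo_contact_form_html() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_contact">
        <?php wp_nonce_field( 'demo_contact', 'demo_contact_nonce' ); ?>
        <p><label>Name <input type="text" name="name" required></label></p>
        <p><label>Email <input type="email" name="email" required></label></p>
        <p><label>Message <textarea name="message" required></textarea></label></p>
        <p><label><input type="checkbox" name="consent" value="yes">
           I agree that this site stores my name, email and message so that my enquiry can be answered.</label></p>
        <button type="submit">Send</button>
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'demo_contact_form', 'demo_contact_form_html' );

// Validate a submission: returns the clean fields, or a WP_Error on any problem.
function demo_contact_validate( array $post ) {
    if ( empty( $post['consent'] ) || 'yes' !== $post['consent'] ) {
        return new WP_Error( 'no_consent', 'Consent is required before the message can be stored.' );
    }
    $email = sanitize_email( $post['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'A valid email address is required.' );
    }
    return array(
        'name'    => sanitize_text_field( $post['name'] ?? '' ),
        'email'   => $email,
        'message' => sanitize_textarea_field( $post['message'] ?? '' ),
    );
}

function demo_contact_handle() {
    if ( ! isset( $_POST['demo_contact_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_contact_nonce'], 'demo_contact' ) ) {
        wp_die( 'Invalid form submission.', 'Error', array( 'response' => 403 ) );
    }
    $fields = demo_contact_validate( $_POST );
    if ( is_wp_error( $fields ) ) {
        wp_die( esc_html( $fields->get_error_message() ), 'Error', array( 'response' => 400 ) );
    }
    // Store only what the visitor typed plus the consent timestamp; deliberately
    // nothing from $_SERVER (no REMOTE_ADDR, no HTTP_USER_AGENT).
    wp_insert_post( array(
        'post_type'    => 'demo_contact',
        'post_status'  => 'private',
        'post_title'   => $fields['name'],
        'post_content' => $fields['message'],
        'meta_input'   => array(
            'email'            => $fields['email'],
            'consent_given_at' => current_time( 'mysql', true ),
        ),
    ) );
    wp_safe_redirect( add_query_arg( 'sent', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_nopriv_demo_contact', 'demo_contact_handle' );
add_action( 'admin_post_demo_contact', 'demo_contact_handle' );
```

Because the entries live in a custom post type, they also need to be reachable from the Tools > Export Personal Data and Erase Personal Data screens; that is the separate exporter/eraser registration, not repeated here.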
WPForms, the contact form plugin we use on WPBeginner, has added several GDPR enhancements to make it easy for you to add a GDPR consent field, disable user cookies, disable user IP collection, and disable entries with a single click.
Email Marketing Opt-in Forms
Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.
This can be done with either:
Adding a checkbox that the user has to tick before opting in
Simply requiring double-opt-in to your email list
Top lead-generation solutions like OptinMonster have added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. You can read more about the GDPR strategies for marketers on the OptinMonster blog.
OptinMonster – advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant.
Shared Counts – instead of loading the default share buttons, which add tracking cookies, this plugin loads static share buttons while still displaying share counts.
We will continue to monitor the plugin ecosystem to see if any other WordPress plugin stands out and offers substantial GDPR compliance features.
Whether you’re ready or not, GDPR will go into effect on May 25, 2018. If your website is not compliant before then, don’t panic. Just continue to work towards compliance and get it done asap.
The likelihood of you getting a fine the day after this rule goes into effect is pretty close to zero, because the European Union’s website states that first you’ll get a warning, then a reprimand, and fines are the last step if you fail to comply and knowingly ignore the law.
The EU is not out to get you. They’re doing this to protect users’ data and restore people’s trust in online businesses. As the world goes digital, we need these standards. With the recent data breaches at large companies, it’s important that these standards are adopted globally.
It will be good for all involved. These new rules will help boost consumer confidence and in turn help grow your business.
We hope this article helped you learn about WordPress and GDPR compliance. We will do our best to keep it updated as more information or tools get released.
We are not lawyers. Nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.