fbpx

RUSSIA’S ELITE HACKERS HAVE A CLEVER NEW TRICK THAT’S VERY HARD TO FIX

old-style-computer

RUSSIA’S ELITE HACKERS HAVE A CLEVER NEW TRICK THAT’S VERY HARD TO FIX

ALYSSA FOOTE/GETTY IMAGES

By 

THE FANCY BEAR hacking group has plenty of tools at its disposal, as evidenced by its attacks against the Democratic National Committee, the Pyeongchang Olympics, and plenty more. But cybersecurity firm ESET appears to have caught the elite Russian team using a technique so advanced, it hadn’t ever been seen in the wild until now.

ESET found what’s known as a UEFI rootkit, which is a way to gain persistent access to a computer that’s hard to detect and even harder to clean up, on an unidentified victim’s machine. The technique isn’t unheard of; researchers have explored proofs of concept in the past and leaked files have indicated that both the CIA and the independent exploit-focused company Hacking Team have had the capability. But evidence that it has happened, in the form of malware called LoJax, represents a significant escalation in the Fancy Bear—which ESET calls Sednit—toolkit.

In a Flash

If “LoJax” sounds vaguely familiar, it’s because you might recall LoJack—formerly known as Computrace—security software that lets you track your laptop in the event of theft. LoJack turns out to be potent stuff. It sits in a computer’s firmware, making regular calls back to a server to announce its location. Crucially, that also means you can’t get rid of it by reinstalling your operating system or swapping in a new hard drive.


“It allows the attacker to take over the machine and download whatever they want.”

RICHARD HUMMEL, ARBOR NETWORKS


That’s an intentional security feature: If someone steals your computer, you want to make it as hard as possible for them to evade detection. But it also presents a unique opportunity to bad actors, as outlined in a 2016 presentation at a security conference called Zero Nights, and again in more detail this May by researchers at security firm Arbor Networks. Essentially, Fancy Bear figured out how to manipulate code from a decade-old version of LoJack to get it to call back not to the intended server, but one manned instead by Russian spies. That’s LoJax. And it’s a devil to get rid of.

“Whenever a computer infected with a UEFI malware boots, it will place the LoJax agent on the Windows file system, so that when Windows boots, it’s already infected with the LoJax agent. Even if you clean LoJax from Windows, as soon as you reboot, the UEFI implant will reinfect Windows,” says Alexis Dorais-Joncas, ESET’s security intelligence team lead.

It is possible to remove LoJax from your system entirely, but doing so requires serious technical skills. “You can’t just restart. You can’t just reinstall your hard drive. You can’t replace your hard drive. You actually have to flash your firmware,” says Richard Hummel, manager of threat intelligence for Arbor Networks. “Most people don’t know how to do that. The fact that it gets into that spot where it’s really difficult to use makes it really insidious.”

Most antivirus scanners and other security products also don’t look for UEFI issues, making it even harder to detect whether malicious code is there. And if it is, you’re in trouble.

“Decade-old software and hardware vulnerabilities are easily exploited by modern attackers, so companies must use good endpoint hygiene best practices including ensuring endpoints and firmware are up-to-date, leveraging anti-malware, and confirming other endpoint protection agents are always present and healthy,” says Dean Ćoza,  executive vice president of products at LoJack developer Absolute. “We take the security of our platform extremely seriously, and are working to confirm these issues do not impact our customers or partners.”

Takeover

The malware ESET observed does not itself actively steal data from an infected device. Think of it not as a robber, but as a door into your house that’s so hidden, you can’t see it even if you pore over every wall. LoJax gives Fancy Bear constant, remote access to a device, and the ability to install additional malware on it at any time.

“In effect, it allows the attacker to take over the machine and download whatever they want,” says Hummel. “They can also use the original intent of the malware, which is to track the location of the infected machines, possibly to specific owners that may be of interest to the attackers.”


“Probably more attacks will take place.”

ALEXIS DORAIS-JONCAS, ESET


Several details about the Fancy Bear UEFI attack remain either vague or unknown. ESET’s Dorais-Joncas confirmed that the device they spotted it on was “infected by several pieces of malware,” and that the hacking group targeted government entities in Europe. They don’t know exactly how Fancy Bear hackers gained access to the victim’s device in the first place, but Dorais-Joncas suggests that they likely followed their typical strategy of a spearphishing attack to gain an initial foothold, followed by movement through a network to locate more high-value targets.

The security firm has more specificity, though, in terms of how exactly Fancy Bear operated once it got that initial control. First, the hackers used a widely available tool to read the UEFI firmware memory, to better understand what specific device they were attacking. Once in possession of that image, they modified it to add the malicious code and then rewrote the infected image back to the firmware memory. The process was not automated, says Dorais-Joncas; a human behind a keyboard went through every step.

Those details offer some hope for future potential victims. Namely, the attackers were only able to write onto the target computer’s firmware in the first place because it was an older device; Intel and others have baked in better protections against that behavior, especially after the Hacking Team and CIA revelations. Using the Windows Secure Boot feature, too, would prevent this type of attack, since it checks to make sure that the firmware image on your computer matches up with the one the manufacturer put there.

“On the other hand,” says Dorais-Joncas, “probably more attacks will take place,” given that Fancy Bear has figured out how to do it successfully. And now that it’s widely known that Fancy Bear did it, copycats may not be far behind.

“Whenever we see these new tactics, it does not take long for other hackers to figure out how they did it and to mimic it,” says Hummel.

Russia’s hackers already have an elaborate hacking toolkit. But the introduction of a UEFI rootkit—stealthy, complex, pernicious—affirms just how advanced their capabilities have become. And more importantly, how hard they are to defend against.

The Best Reason to use a Professional WordPress Developer

wordpress-locked

Thousands of WordPress sites backdoored with malicious code

Malicious code redirects users to tech support scams, some of which use new “evil cursor” Chrome bug.

 


Thousands of WordPress sites have been hacked and compromised with malicious code this month, according to security researchers at Sucuri and Malwarebytes.

All compromises seem to follow a similar pattern –to load malicious code from a known threat actor– although the entry vector for all these incidents appears to be different.

Researchers believe intruders are gaining access to these sites not by exploiting flaws in the WordPress CMS itself, but vulnerabilities in outdated themes and plugins.

Also: Access to over 3,000 backdoored sites sold on Russian hacking forum

When they gain access to a site, they plant a backdoor for future access and make modifications to the site’s code.

In most cases, they modify PHP or JavaScript files to load malicious code, although some users have reported seeing modifications made to database tables as well.

Malwarebytes security researcher Jérôme Segura said this malicious code filters users visiting the compromised sites and redirects some to tech support scams.

CNET: How to avoid tech support scams

He says some of the traffic patterns seen during the redirection process match the patterns of a well-known traffic distribution system used by several malware distribution campaigns.

Segura also said that some of tech support scams that users are landing on are using the “evil cursor” Chrome bug to prevent users from closing the malicious site’s tab, a trick that the researcher first spotted last week.

TechRepublic: Why that email from your boss could be a scam waiting to happen

This WordPress site hijacking campaign appears to have started this month, according to Sucuri, and has intensified in recent days, according to Segura.

Googling just one of the pieces of the malicious JavaScript code added to the hacked WordPress sites reveals just a small portion of the total number of hacked sites. In this case, this string search yielded over 2,500 results, including a corporate site belonging to Expedia Group, the parent company behind the Expedia portal.

wp-spam-campaign.png

Last week, ZDNet revealed that attackers had been scanning the Internet in an attempt to exploit a recent vulnerability in a popular WordPress plugin.

While Sucuri did not find confirmation that this vulnerability was now being used in this recent wave of site hacks, the company did confirm our initial report, based on WordFence’s telemetry.

Contact Spearhead Multimedia today and get your free WordPress Website security evaluation.

We offer special incentives for new clients who want to move to a new, secure host, update and harden their WordPress websites and create new WordPress websites.  Call 954-202-8004 or use the Contact Us form.

What is the dark web? The good and bad of the Internet’s most private corner

ProtonMail-What-is-the-dark-web-diagram-2

What is the dark web? The good and bad of the Internet’s most private corner

You may have heard the dark web is a place for drug dealers and hitmen. That’s correct, but there’s more to it than that. In this article, find out what is the dark web, how to access it, and what you might find there.

The dark web is a part of the Internet that requires special software to access and is not indexed by search engines. It offers much greater privacy than the widely accessible parts of the World Wide Web.

That privacy also makes the dark web a setting for illegal activity, scams, and offensive content. The high-profile rise and fall of the Silk Road marketplace for illicit drugs is the best-known example of this. But despite the sensational media coverage, few people really understand what the dark web is or how it works. For instance, it might surprise some people to learn that The New York Timesand Facebook both maintain websites on the dark web.

The dark web isn’t “dark” because it’s bad; it’s dark because it’s the only place on the Internet that offers a bit of privacy. In this article, we’ll explain how that works, what actually happens on the dark web, and how you can check it out for yourself.

What is the dark web?

Think of the Internet as divided into three parts: the clearweb, the deep web, and the dark web.

The clearweb is the Internet most of us are familiar with. Its pages are searchable in Google, but it makes up just a small percentage of all the content on the Internet. The deep web comprises the majority of the Internet, but it is not indexed by search engines, it is often password-protected, and therefore it’s not generally accessible. The deep web includes things like financial databases, web archives, and password-protected pages.

The dark web is a small portion of the deep web. It runs on top of existing Internet infrastructure, but it is a parallel web that cannot be accessed without special tools. For this reason the dark web is sometimes referred to as the hidden web.

Websites on the dark web have domains ending in “.onion” and are sometimes known as onion sites. They’re called onion sites because of the kind of encryption technology they use to hide the IP address of the servers that host them. Websites on the dark web mask their data behind multiple layers of encryption (like the layers of an onion), and can only be accessed through the Tor network, which is a network of computers around the world maintained by volunteers. Because the routing is random and the data is encrypted, it’s extremely difficult for anyone to trace any piece of traffic back to its source.

How to access the dark web

Tor is the most popular dark web interface, with millions of users. There are a number of ways to access the Tor network, including via the Tor browser , the operating system Tails, or by installing Tor on your computer. ProtonVPN also provides one-click Tor access through the Tor over VPN feature. From there, you can browse the web normally as well as gain access to highly private and secure onion sites.

Unlike the regular web, however, even after you have connected to the dark web, it isn’t so easy to find websites. Dark web sites use randomly generated domains that aren’t easy to remember. The dark web is also difficult to index, meaning search engines are ineffective. There are a number of link directories, such as The Hidden Wiki, that attempt to catalogue the dark web. But because dark web sites change their domain frequently, you’ll find a lot of dead links. A typical onion site url looks something like this:

http://3g2upl4pq6kufc4m.onion/

Some special onion sites, though, have easy to remember domain names and also SSL encryption (URLs that start with “https” instead of “http”). For example, ProtonMail’s Tor encrypted email site is at https://protonirockerxow.onion while Facebook’s onion site is at https://facebookcorewwwi.onion. You can learn more about these special onion sites here.

What’s on the dark web?

The illicit uses of the dark web are well documented: assassination services, ecommerce sites for buying guns and drugs, and so on. It’s best to stay clear of anything that seems suspect while browsing there. However, there are plenty of 100% legal things you can do on the dark web. You can read ProPublica or The New York Timescheck your email in ProtonMail, or browse your Facebook wall. All of these mainstream websites offer dark web access because of the benefits to privacy and freedom of information.

One of the biggest advantages of the dark web is the difficulty of blocking it. Common forms of censorship, which block traffic to websites at specific choke points along the Internet hierarchy, do not work with encrypted overlay networks. (As a result, some dictators have, for example, tried to block Tor itself.)

For similar reasons, the dark web is more resistant to surveillance by governments and corporations (such as Internet service providers). Whistleblowers, journalists, and other professionals at risk of targeted surveillance use the dark web to communicate sensitive information. And organizations including Human Rights Watch and the Electronic Frontier Foundation support the use of and access to the dark web.

One of the only drawbacks of the dark web is its speed. For instance, because Tor bounces your traffic through multiple servers around the world, it necessarily slows your connection. But when you need it, the dark web can be vitally important: When Turkey temporarily blocked ProtonMail for some users, our onion site was one of the only ways people could gain access to email.

So, there’s no reason to be afraid of the dark web. On the contrary, the dark web is an essential privacy tool. As governments work to weaken encryption with backdoors and corporations gain greater access to everything we do, privacy and security technologies like the dark web must be vigorously defended. And that starts with understanding them beyond sensational headlines.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!

The Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know

GDPR-general-data-protection-regulation. Internet-business-safety.

This is a concise, simple explanation of GDPR brought to you by Syed Balkhi and his Editorial Staff of WordPress experts.

 

Are you confused by GDPR, and how it will impact your WordPress site? GDPR, short for General Data Protection Regulation, is a European Union law that you have likely heard about. We have received dozens of emails from users asking us to explain GDPR in plain English and share tips on how to make your WordPress site GDPR compliant. In this article, we will explain everything you need to know about GDPR and WordPress (without the complex legal stuff).

 

Disclaimer: We are not lawyers. Nothing on this website should be considered legal advice.

To help you easily navigate through our ultimate guide to WordPress and GDPR Compliance, we have created a table of content below:

Table of Content

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.

What is GDPR?

You’ve likely gotten dozens of emails from companies like Google and others regarding GDPR, their new privacy policy, and bunch of other legal stuff. That’s because the EU has put in hefty penalties for those who are not in compliance.

Fines

Basically after May 25th, 2018, businesses that are not in compliance with GDPR’s requirement can face large fines up to 4% of a company’s annual global revenue OR €20 million (whichever is greater). This is enough reason to cause wide-spread panic among businesses around the world.

This brings us to the big question that you might be thinking about:

Does GDPR apply to my WordPress site?

The answer is YES. It applies to every business, large and small, around the world (not just in the European Union).

If your website has visitors from European Union countries, then this law applies to you.

But don’t panic, this isn’t the end of the world.

While GDPR has the potential to escalate to those high level of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.

GDPR Fines and Penalties

The EU isn’t some evil government that is out to get you. Their goal is to protect consumers, average people like you and me from reckless handling of data / breaches because it’s getting out of control.

The maximum fine part in our opinion is largely to get the attention of large companies like Facebook and Google, so this regulation is NOT ignored. Furthermore, this encourage companies to actually put more emphasis on protecting the rights of people.

Once you understand what is required by GDPR and the spirit of the law, then you will realize that none of this is too crazy. We will also share tools / tips to make your WordPress site GDPR compliant.

What is required under GDPR?

The goal of GDPR is to protect user’s personally identifying information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.

The personal data includes: name, emails, physical address, IP address, health information, income, etc.

GDPR Personal Data

While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:

Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form because they DID NOT opt-in for your marketing newsletter (that’s called SPAM by the way, and you shouldn’t be doing that anyways).

For it to be considered explicit consent, you must require a positive opt-in (i.e no pre-ticked checkbox), contain clear wording (no legalese), and be separate from other terms & conditions.

Rights to Data – you must inform individuals where, why, and how their data is processed / stored. An individual has the right to download their personal data and an individual also has the right to be forgotten meaning they can ask for their data to be deleted.

This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that (hmm, go figure). I’m looking at you Zenefits, still waiting for my account to be deleted for 2 years and hoping that you stop sending me spam emails just because I made the mistake of trying out your service.

Breach Notification – organizations must report certain types of data breaches to relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individual data. However if a breach is high-risk, then the company MUST also inform individuals who’re impacted right away.

This will hopefully prevent cover-ups like Yahoo that was not revealed until the acquisition.

Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. Again this is not required for small businesses. Consult an attorney if you’re in doubt.

GDPR Data Protection Officer

To put it in plain English, GDPR makes sure that businesses can’t go around spamming people by sending emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent (good luck getting this consent). Businesses have to delete user’s account and unsubscribe them from email lists if the user asks you to do that. Businesses have to report data breaches and overall be better about data protection.

Sounds pretty good, in theory at least.

Ok so now you are probably wondering what do you need to do to make sure that your WordPress site is GDPR compliant.

Well, that really depends on your specific website (more on this later).

Let us start by answering the biggest question that we’ve gotten from users:

Is WordPress GDPR Compliant?

Yes, as of WordPress 4.9.6, the WordPress core software is GDPR compliant. WordPress core team has added several GDPR enhancements to make sure that WordPress is GDPR compliant. It’s important to note that when we talk about WordPress, we’re talking about self-hosted WordPress.org (see the difference: WordPress.com vs WordPress.org).

Having said that, due to the dynamic nature of websites, no single platform, plugin or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.

Ok, so you might be thinking what does this mean in plain English?

Well, by default WordPress 4.9.6 now comes with the following GDPR enhancement tools:

Comments Consent

WordPress Comments Opt-in for GDPR

By default, WordPress used to store the commenters name, email and website as a cookie on the user’s browser. This made it easier for users to leave comments on their favorite blogs because those fields were pre-populated.

Due to GDPR’s consent requirement, WordPress has added the comment consent checkbox. The user can leave a comment without checking this box. All it would mean is that they would have to manually enter their name, email, and website every time they leave a comment.

Data Export and Erase Feature

WordPress Data Handling - GDPR

WordPress offers site owners the ability to comply with GDPR’s data handling requirements and honor user’s request for exporting personal data as well as removal of user’s personal data.

The data handling features can be found under the Tools menu inside WordPress admin.

Privacy Policy Generator

WordPress Privacy Policy Generator for GDPR

WordPress now comes with a built-in privacy policy generator. It offers a pre-made privacy policy template and offers you guidance in terms of what else to add, so you can be more transparent with users in terms of what data you store and how you handle their data.

These three things are enough to make a default WordPress blog GDPR compliant. However, it is very likely that your website has additional features that will also need to be in compliance.

Areas on Your Website that are Impacted by GDPR

As a website owner, you might be using various WordPress plugins that store or process data like contact formsanalyticsemail marketingonline storemembership sites, etc.

Depending on which WordPress plugins you are using on your website, you would need to act accordingly to make sure that your website is GDPR compliant.

A lot of the best WordPress plugins have already gone ahead and added GDPR enhancement features. Let’s take a look at some of the common areas that you would need to address:

Google Analytics

Like most website owners, you’re likely using Google Analytics to get website stats. This means that it is possible that you’re collecting or tracking personal data like IP addresses, user IDs, cookies and other data for behavior profiling. To be GDPR compliant, you need to do one of the following:

  1. Anonymize the data before storage and processing begins
  2. Add an overlay to the site that gives notice of cookies and ask users for consent prior to tracking

Both of these are fairly difficult to do if you’re just pasting Google Analytics code manually on your site. However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re in luck.

They have released an EU compliance addon that helps automate the above process. MonsterInsights also has a very good blog post about all you need to know about GDPR and Google Analytics (this is a must read if you’re using Google Analytics on your site).

MonsterInsights EU Compliance Addon

Contact Forms

If you are using a contact form in WordPress, then you may have to add extra transparency measures especially if you’re storing the form entries or using the data for marketing purposes.

Below are the things you might want to consider for making your WordPress forms GDPR compliant:

  • Get explicit consent from users to store their information.
  • Get explicit consent from users if you are planning to use their data for marketing purposes (i.e adding them to your email list).
  • Disable cookies, user-agent, and IP tracking for forms.
  • Make sure you have a data-processing agreement with your form providers if you are using a SaaS form solution.
  • Comply with data-deletion requests.
  • Disable storing all form entries (a bit extreme and not required by GDPR). You probably shouldn’t do this unless you know exactly what you’re doing.

The good part is that if you’re using WordPress plugins like WPFormsGravity FormsNinja Forms, Contact Form 7, etc, then you don’t need a Data Processing Agreement because these plugins DO NOT store your form entries on their site. Your form entries are stored in your WordPress database.

Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant.

WPForms, the contact form plugin we use on WPBeginner, has added several GDPR enhancements to make it easy for you to add a GDPR consent field, disable user cookies, disable user IP collection, and disable entries with a single click.

GDPR Form Fields in WPForms

Email Marketing Opt-in Forms

Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.

This can be done with either:

  1. Adding a checkbox that user has to click before opt-in
  2. Simply requiring double-opt-in to your email list

Top lead-generation solutions like OptinMonster has added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. You can read more about the GDPR strategies for marketers on the OptinMonster blog.

WooCommerce / Ecommerce

If you’re using WooCommerce, the most popular eCommerce plugin for WordPress, then you need to make sure your website is in compliance with GDPR.

The WooCommerce team has prepared a comprehensive guide for store owners to help them be GDPR compliant.

Retargeting Ads

If your website is running retargeting pixels or retargeting ads, then you will need to get user’s consent. You can do this by using a plugin like Cooke Notices.

Best WordPress Plugins for GDPR Compliance

There are several WordPress plugins that can help automate some aspects of GDPR compliance for you. However, no plugin can offer 100% compliance due to the dynamic nature of websites.

Beware of any WordPress plugin that claims to offer 100% GDPR compliance. They likely don’t know what they’re talking about, and it’s best for you to avoid them completely.

Below is our list of recommended plugins for facilitating GDPR compliance:

  • MonsterInsights – if you’re using Google Analytics, then you should use their EU compliance addon.
  • WPForms – by far the most user-friendly WordPress contact form plugin. They offer GDPR fields and other features.
  • Cookies Notice – popular free plugin to add an EU cookie notice. Integrates well with top plugins like MonsterInsights and others.
  • Delete Me – a free plugin that allows users to automatically delete their profile on your site.
  • OptinMonster – advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant.
  • Shared Counts – instead of loading the default share buttons which add tracking cookies, this plugin load static share buttons while displaying share counts.

We will continue to monitor the plugin ecosystem to see if any other WordPress plugin stands out and offer substantial GDPR compliance features.

Final Thoughts

Whether you’re ready or not, GDPR will go in effect on May 25, 2018. If your website is not compliant before then, don’t panic. Just continue to work towards compliance and get it done asap.

The likelihood of you getting a fine the day after this rule goes in effect are pretty close to zero because the European Union’s website states that first, you’ll get a warning, then a reprimand and fines are the last step if you fail to comply and knowingly ignore the law.

The EU is not out to get you. They’re doing this to protect user’s data and restore people’s trust in online businesses. As the world goes digital, we need these standards. With the recent data breaches of large companies, it’s important that these standards are adopted globally.

It will be good for all involved. These new rules will help boost consumer confidence and in turn help grow your business.

We hope this article helped you learn about WordPress and GDPR compliance. We will do our best to keep it updated as more information or tools get released.

If you liked this article, then please subscribe to our YouTube Channel. You can also find us on Twitter and Facebook.

Additional Resources

Legal Disclaimer / Disclosure

We are not lawyers. Nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.

WPBeginner founder, Syed Balkhi, is also the co-founder of OptinMonsterWPForms, and MonsterInsights.

Font Resize