Stagefright Bug Takes Center Stage On 950 Million Android Devices

A series of bugs and security loopholes in the Android operating system could allow hackers to take control of up to 95% of Android smartphones simply by sending an MMS message with malware attached.

What is the Stagefright bug?

Stagefright is the name of the Android operating system’s media library, which the bug is named after. It affects all Android devices running version 2.2 and up and there is currently no patch. The recipient doesn’t even have to open the message. By default the Android operating system downloads unread messages, triggering the malware. An attacker could send the MMS with malware attached, take control of the phone and delete it before the user is any wiser.

When will the bug be resolved?

The mobile security company Zimperium Labs discovered the flaw and alerted Google in April. Google is working on a patch for its Nexus devices, but it won’t be available until next week. For other device manufacturers, it could take a lot longer.

Very few manufacturers run vanilla Android on their devices. Most devices have customized software that will require testing. Google will provide the software fix to the manufacturer, which then must test the update on their devices. The manufacturer will apply the update to the base version of their OS, then test each individual product line. After the manufacturer is finished, they send the update to the wireless carrier. Sometimes carriers do their own testing before pushing the update out to users. It could be weeks or months before non-Nexus devices see an update. The cost of testing means some older devices may never get it.

What can you do to protect your device now?

The key to protecting your smartphone is preventing the device from automatically downloading MMS messages from the server. Open your default messaging app and press the Menu button. Select Settings and look for an “Auto-retrieve” checkbox. Some devices may have the option under “Advanced settings.” Unchecking this box will stop the device from downloading the messages, allowing you to delete messages from any numbers you don’t recognize before you open them. If you can’t find the setting, contact your wireless carrier or device manufacturer for assistance.

Is Stagefright the only vulnerable part of the Android OS?

There are no confirmed cases of hackers using it, but the sheer number of vulnerable devices makes this a major security flaw. Zimperium Labs indicated in a blog post that others had previously uncovered bugs in Stagefright, and that it is possible the bug could be in use.

 

About the author:

Scott N. Schober is a CEO, author and cyber security and wireless tech expert who regularly appears on popular TV news networks, radio programs and tech industry speaking engagements. He appears regularly on Bloomberg TV, CCTV-America, CTV News, ABC and more as a cyber security expert. His new book entitled Hacked Again will be available in the fall. Scott is also the host of a weekly cyber security video podcast called 2 Minute CyberSecurity Briefing on iTunes and YouTube.

Chrysler Recalls 1.4 Million Hackable Cars But Is It Enough?

Car companies have a history of large-scale recalls for their products. After all, the safety of their customers falls directly on the shoulders of automakers, so why take a chance? But what about computer glitches or even hacks? When is proactive too proactive and when is it not even enough?

Some of today’s cars come equipped with the option to connect to the Internet, but are they safe from hackers? Connected cars can access wireless broadband networks via built-in cellular modems. They allow passengers to stream audio and video, access traffic information and navigate using a touchscreen on the dash. Cyber security experts worry that these connected cars lack adequate digital security and are vulnerable to malicious hackers.

Last week two white hat hackers demonstrated to a Wired Magazine reporter the ability to take control of critical functions on a 2014 Jeep Cherokee. Hackers Charlie Miller and Chris Valasek were able to disable the transmission, spray the windshield with wiper fluid and even engage and disable the brakes. The pair will be presenting details on how they accomplished the hack at next month’s Black Hat cyber security conference in Las Vegas.

The pair said the hack seems to work on any Chrysler vehicle equipped with the Uconnect entertainment system. The Uconnect uses Sprint’s network, and an attacker can scan the carrier’s network for vulnerable targets using a Sprint phone as a WiFi hotspot. Once an attacker has the vehicle’s network information, they can wirelessly overwrite the firmware in the device and take control of the vehicle’s functions from virtually anywhere. Even more alarming, a skilled hacker could program the compromised Uconnect to scan, locate and attack other vehicles through Sprint’s network like a computer worm.

Several years ago Miller and Valasek demonstrated hacking different vehicles through the diagnostic port used by mechanics. Some in the automotive industry scoffed at the potential threat because the hacker would need physical access to the vehicle and the port. Now the prospect of remote hacking has the industry spooked.

Miller and Valasek have been working with Chrysler since they discovered the vulnerability, and the automaker has issued a patch that closes the security loophole. However, the pair plan to release parts of their code at the Black Hat conference for peer review. The released code will allow potential digital carjackers to access some of the less dangerous attacks.

Chrysler has issued a recall notice for over 1.4 million vehicles urging owners to install the software update. The patch requires the vehicle’s owner to take it to the dealer or download it onto a USB thumb drive, so many vehicles will probably remain vulnerable at the time of the conference. If you own one of these vehicles and aren’t sure if it needs the patch, you can check by entering your vehicle’s VIN number into this website here.

There is no doubt that connected cars are traveling on a highway where old tech thinking and new tech thinking must eventually merge. On the one hand, obscure security holes detected in your PC’s OS usually result in immediate and unconsented updates to your computer. This is for your own good. Malware and viruses are hardly life threatening on any PC but the same cannot be said about a connected car. The dangers have been clearly demonstrated by many car hackers past and present even if they are not an immediate threat to your ’98 Corolla.

So why hasn’t the auto industry defined and implemented procedures to auto update or, at the very least, allow consumers to update their connected vehicles easily and securely?

On the other hand, Chrysler recalls 1.4 million vehicles based on the possible threat of a hack to those cars. No one has been injured and the hacking threat is still largely unproven but Chrysler is being very proactive here. Let’s just hope that the connected car industry doesn’t shut down the entire auto industry before we can experience all the safety and conveniences that connected vehicles offer.

About The Author

Scott N. Schober is a cyber security and wireless technology expert, CEO of Berkeley Varitronics Systems, Inc. and author of Hacked Again. He has appeared on hundreds of television, radio and published news pieces as a cyber security expert and a presenter and panelist at many tech conferences.

37 Million Adulterers Potentially Exposed In Ashley Madison Hack

Most everyone has heard of Ashley Madison, an online dating website that helps married people cheat on their spouses. If you are happily married like myself, you wonder who in the world would actually use this website, let alone provide your private and credit card info to them. The CTO of ALM or Avid Life Media that runs Ashley Madison has been quoted in the past as saying “I would hate to see our systems hacked and/or the leak of personal information” but it looks like he’s being quoted again today by the hackers who apparently breached Ashley Madison potentially exposing its 37 million users’ data. This blows my mind as the majority of their customer base claim to be in the United States which has a population of around 320 million people. That would make roughly 10% of all Americans customers of Ashley Madison.

Late Sunday night on July 19th, AshleyMadison.com was apparently hacked by a group calling themselves The Impact Team. These hackers claimed not just names and credit card numbers, but also addresses, users’ fantasies, nude pictures, conversations and more. The hackers are not demanding any kind of money ransom so what do they want? In a posted manifesto claiming ALM lied about a $19 fee allowing customers to completely erase their profile information, The Impact Team has vowed to release all of that supposedly erased customer data unless ALM shutters all operations on Ashley Madison and EM or Established Men.

Ashley Madison offers several levels of customer protection; customers can also pay a charge of $19 to fully delete every email, photo and association to the site. Every month there are anywhere from 8,000 to 18,000 people that have opted for this $19 full erasure protection which translates to about $1 million of revenue a year for Ashley Madison. To their credit this is a unique feature as typical dating sites do not provide any way to delete your digital footprint.

One could easily imagine if The Impact Team posted the compromised data how a scandalous mess would start to unfold. I think it is fairly safe to say any politician or celebrity that has used Ashley Madison’s service is probably sweating bullets right now over the potential media frenzy. This has the makings of another iCloud celebrity nude photo scandal.

Ashley Madison’s slogan is “Life is short. Have an affair.” Back in the days of ancient Israel adultery was punishable by death and it’s looking more and more like AshleyMadison.com’s days are numbered too. Perhaps instead of providing free credit monitoring services it would be more appropriate for AshleyMadison.com to provide free divorce certificates. I think for the time being they will have to postpone their announced IPO for $200 million until they can clean this cyberbreach mess up.

Subscribe to my weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or YouTube. Visit www.CyberSecurityDictionary.com for more terms and definitions.

Are Metal Detectors Effective at Finding Cell Phones?

From schools to board rooms to prisons, many organizations have an interest in controlling access to cell phones or keeping them out entirely. Many of them rely on traditional metal detectors to locate contraband phones, but how effective are they? Metal detectors work fine for detecting metal objects like knives and guns, but their drawbacks limit their usefulness in detecting cell phones.

False Alarms: Metal detectors cannot differentiate between cell phones and other metallic objects. They can be set off by keys, belt buckles, studs in clothing, jewelry and even internal medical devices like pacemakers and metal plates.

Composition: Metal detectors require a minimum metal content, and many phones have very little metal in them. They are mainly made up of glass and plastic, which do not trip metal detectors. When smuggling phones into prisons, smugglers further reduce the risk of detection by disassembling phones and smuggling the parts independently. Smugglers also wrap phones or their parts in electrical tape or dense material to make them more difficult to detect.

Phone Size: While the fad for small phones is over in the general population thanks to smartphones, they are still in demand in prisons. Some cell phones are the size of a key fob or wristwatch. Their small size makes them easier to hide inside the subject’s body, and their low metal content makes it difficult for metal detectors to pick them up.

Coverage: Stand-alone metal detectors may not offer head-to-toe coverage, allowing people to hide cell phones in their shoes. Metal detector wands can detect phones anywhere on the body, but their range is limited to a few inches, so a thorough search requires passing the wand over the subject’s entire body.

Time: An employee using a metal detector wand can only scan one subject at a time and a thorough scan is relatively time-consuming. Some people also consider them invasive. This makes them unsuitable for locations with high traffic volume.

Cost: Stand-alone metal detectors are expensive and not portable. Both types require an active attendant, which makes them costly to operate.

If your organization needs to prohibit or control cell phone use, it’s best to use a detector made specifically for finding cellular devices. BVS offers mounted, walkthrough and handheld cell phone detectors that can find phones even when the devices are powered off. These devices are cost-effective and can detect a phone anywhere on the subject. Contact us today for more information.

About BVS:

Berkeley Varitronics Systems (BVS) designs and manufactures innovative RF analysis and wireless threat detection tools for businesses and government organizations to manage secure facilities and maintain wireless networks.

Before You Deploy A Wireless Base Station, Read This.

With CTIA Super Mobility 2015 fast approaching, I thought it would be timely to review a checklist of must-have features for anyone in the drive test or wireless network deployment industries.

When setting up or testing a tower or wireless base station in an area where coverage is high and the network is operational, finding a test signal isn’t usually a problem. But site selection in remote areas, installation and testing of wireless equipment in locations where there is no signal from the network presents special challenges.

During the site selection process, choosing the wrong location can result in sub-optimal signal performance and penetration. Features such as landscape topography and existing radio transmitters can cause interference, so drive testing the area with a wireless receiver is essential.

Remote areas may not have a strong enough signal to test newly installed or malfunctioning equipment due to distance or radio interference. Large-scale natural disasters such as hurricanes, wildfires, long-term power outages and major earthquakes can knock out the network even in populated areas.

All of these situations have the same solution. Technicians need a portable transmitter system that can broadcast test signals. The transmitter ideally should have the following features:

  • Be capable of transmitting on all frequencies, channels and modulation the tower or base station has or will have. Cell towers and WiFi base stations can transmit on several frequencies simultaneously.
  • Multiple bands to speed up testing times. A dual or multi-band transmitter can cut drive test times in half.
  • Remote control capability. This means the operator does not need to be present to control the device. It allows a technician or aid to give commands to the transmitter and change settings while drive testing or away from the unit.
  • Battery backup so the transmitter retains its settings in case of a power loss.
  • Water-resistant and ruggedized for dependable operation in the field.
  • Adjustable power output.

Berkeley Varitronics Systems (BVS) designs and manufactures innovative RF analysis and wireless threat detection tools for businesses and government. BVS equipment helps organizations manage secure facilities and maintain wireless communication systems.

We will be exhibiting many new test transmitters and receivers including the new Squid-4G M2M Tester in the “M2M zone” booth 5050 at the CTIA Super Mobility Conference and Expo Sept. 9-11 in Las Vegas. Click here for a free pass courtesy of BVS. See you at the show!

Is Drone Skyjacking The New Hijacking?

Right now most civilian drones are owned by hobbyists for recreational use, but many companies are exploring commercial uses. Drones have already been used for shooting nature documentaries and commercials, aerial surveys on remote properties, checking on crops for farmers and even delivering pizza. They have the potential to revolutionize many aspects of our daily lives. But drones haven’t escaped the notice of cyber criminals.

Why Are Hackers Targeting Drones?

Drones can carry small payloads, which often include a camera for transmitting wireless video back to the operator. Cyber criminals might tap into the video signal and gain access to valuable surveillance information, or simply hijack the drone to steal it and its cargo or perform other illegal activities.

It seems certain that at some point drones will be required to carry identification information. When that happens, a cyber criminal might hijack a drone to avoid identification much like a street criminal would steal a car to perform a robbery.

Even with legal drones one of the biggest security concerns is their current lack of traceability. Here in the United States, a civilian drone entered the restricted area around the White House during the early morning hours of January 27th and crashed on the lawn. Officials had no way of identifying who it belonged to or what their intentions were. The crash turned out to be an accident and the operator turned himself in the next morning, but it was a wake-up call for security experts. Other operators aren’t so benign. In the United Kingdom police have already confirmed high-tech burglars are using drones to identify houses vulnerable to break-ins.

Why Are Drones Vulnerable to Hacking Attempts?

Unlike simple remote-controlled helicopters, drones have their own computing power. Think of them as flying smartphones without the screen. They have GPS capabilities and can fly along pre-programmed paths, or the operator can manually control them from afar using WiFi signals. If a drone loses control signals from the operator it can return to a designated location on its own.

On the same day the drone crashed on the White House lawn, a cyber security expert uncovered a flaw in Parrot® drones that allowed malware to kill their engines and make them fall from the sky. If the drone is high enough, the malware can restart the engines and take control of the drone.

This isn’t the first time Parrot drones have been used in a drone hack. Two years ago, a legal hacker released instructions on how to build a Parrot drone capable of tracking down other drones and hijacking them using wireless signals. Dubbed SkyJack, the hijacker drone monitors wireless signals and targets MAC addresses registered to Parrot drones. It can force the targeted drone to disconnect from the device controlling it and connect to the hijacker’s signal.

The problem is lack of stringent security measures built into drone operating systems. Many drone models have no security or rely entirely on weak WiFi security measures. As drones become more popular and widely used, drone manufacturers must take the threat of potential drone skyjackers more seriously.


How Do You Set Up A “No Phone Zone”?

Cell phones are a modern marvel, but they can also be a tremendous problem for any organization trying to enforce security or safeguard confidential information. The effects of contraband cell phones can be tremendous. Cell phones have been used to intimidate witnesses in criminal courtrooms, break prisoners out of jail and steal classified information.

The private sector isn’t immune to the risks of smuggled cell phones. Attendees use them to record concerts. Students use them to cheat on tests. They’re also unwelcome guests in call centers, secure facilities and confidential meetings. The infamous “47 percent” quote that may have cost Republican candidate Mitt Romney the 2012 Presidential election was secretly recorded on a cell phone at a private fundraiser where phones were prohibited.

Ineffective Detection Tools

The major challenge in keeping cell phones out is they are easily concealed inside clothing and handbags. The recent mobile trend is toward larger smartphones, but feature phones are still readily available and some models are smaller than a credit card. These old-school devices are primitive compared to modern smartphones, but they are capable of sending and receiving texts, recording audio and taking pictures and video.

Conventional metal detectors can find many phones, but walkthrough units are bulky and not portable. Handheld wands are portable, but their range is limited to a few inches so an operator must sweep the detector over the subject’s entire body. Both types will alert to other metal objects.

Most cell phone detectors rely on radio frequency signals to locate devices, but they are ineffective if the phone is powered off or has the wireless antenna disabled. Fortunately, there are tools available to specifically uncover hidden cellular devices, even if they’re not transmitting.

Effective Detection Tools

The BVS SentryHound is a portable cell phone detection system that scans subjects as they walk between two posts. It’s very similar to the anti-theft scanners retailers use to prevent shoplifting, but instead of security tags it detects ferromagnetic compounds inside the phone. The posts have a single row of LED lights running their entire length. When the SentryHound finds a device, it sounds an audible alert and illuminates the section of lights closest to the phone. It can also trigger an external device such as a security camera or remote alarm.

The Manta Ray is a handheld cell phone detector that also detects ferromagnetic compounds. Operators can use it to scan handbags, luggage and small parcels without opening them. Buckles and studs will not trigger false alarms.

The SentryHound and Manta Ray are ideal for temporary and permanent “no phone zones.” They allow operators to scan subjects and their possessions quickly and effectively, without labor-intensive searches or compromising the subject’s privacy and dignity.

 


LastPass Hacked And Why I Have Never Used It

I have always felt the concept of LastPass as well as other password managers makes sense for users that would otherwise create simple ‘easy to remember’ passwords as opposed to long, strong, complex passwords with a password manager. Surely, having numerous passwords in the cloud encrypted is better than jotted down on a sticky note that resides under your keyboard, right? The reason I personally do not use password managers like LastPass is the distant fear of a major hack. What if my password manager gets hacked and a hacker gets my master password? This would be tantamount to giving a thief the keys to my front door when I am heading off to vacation.

It seems my fears, as well as many other security experts’ fears have come to fruition with the announcement that LastPass was a victim of a targeted attack in which user information was compromised. On Monday, June 15th, LastPass announced through a blog post that hackers had breached their databases and compromised email addresses and password reminders as well as encrypted master passwords. Apparently, they discovered the breach after detecting rather suspicious activity on their network.

What can hackers do with the compromised information?

Unfortunately, there is a percentage of LastPass users that will undoubtedly be the victims of targeted email phishing attacks as a result of this breach. Phishing is an effective, focused attack where the cyber thugs send victims emails with an embedded link that fools users into revealing more data. LastPass users have been informed by LastPass about this breach and they recommend that users update their LastPass master password. Cyber thieves have already keyed in on this and are no doubt readying focused email phishing attacks that might carry a message such as: UPDATE your LastPass master password immediately. An unsuspecting LastPass user may click on the link and be redirected to a site that looks awfully close to LastPass but is just there to collect more information from naive users. They would be prompted to enter their old master password and then asked to create a new complex strong secure password. Now the cyber hackers have the master password without having to steal it or decrypt it. The unsuspecting users have hand-delivered this information directly to the hacker’s servers.

Even though they did not get all the encrypted individual passwords, the breach could also result in other compromises such as unlocking a user’s email account, where the email address and password reminder are what an attacker needs to gain access to your email and a trove of other valuable private information.

If the hackers are truly advanced there is a chance, although unlikely, that they can hack the encryption to crack the master password. This is extremely difficult, but then again, who would have thought a security company that provides encrypted password protection would ever be hacked in the first place? To make matters worse, this is actually the second breach that LastPass has faced. Four years ago, LastPass also faced a targeted attack.

What can LastPass customers do?

I highly recommend that anyone reading this change their LastPass master password. Do not use passwords based on any personal information such as your spouse, child, or pet’s name, birthday, address, etc. Also make sure your password is not anything that can be easily obtained from a search or pulled from social media. Your master password should be at least 15 alphanumeric characters and have a mix of numbers and symbols, with both upper and lower case characters. Keep in mind, 80% of ALL security breaches involve stolen and weak passwords.

It is important if you are accessing your LastPass account remotely or from another device to utilize multi-factor authentication. This is an added layer of security that requires a single one-time password that is sent to your mobile phone as a text, for example.

At the end of the day we all live in a corrupt world where cyber thieves prey on the innocent. This breach will certainly be a wake-up call to many users. I personally use a little black book that is kept under lock and key in a locked safe, in a locked room, in a locked building that is monitored 24/7 with cameras/DVRs and an alarm. I change my long & strong passwords every three months and am a bit paranoid. I was not always this paranoid until my company was hacked; credit card, debit card, checking account, Twitter account, web site, etc. I decided to share my trials and errors in being a victim of repeated hacks and what practical steps people can take to protect themselves.

Look for my upcoming book entitled Hacked Again and in the meantime, subscribe to my 2 Minute Cyber Security Briefing video podcast on iTunes or YouTube for the latest cybersecurity news and tips.

M2M Dead Ends And How To Avoid Them

If your M2M site is in a remote area on the edge of the coverage zone, the carrier selection and antenna placement can mean the difference between having good, reliable signal and having none.

A carrier’s coverage map can tell you whether service is available in the area and sometimes how fast the service is, but it is not a reliable indicator of whether signal is available at the site. Most coverage maps do not give specific information about where the towers are located.

Even if you know the location and carrier of the nearest tower, it doesn’t guarantee signal at your site. There are many factors that affect the tower’s coverage radius. The antennas placed on the tower are directional, and the range of the tower varies depending on the cellular technology. Even the number of devices using the tower can affect the service on the edge of the tower’s coverage radius.

The topography of the landscape can also affect signal strength. Physical obstructions such as hills and trees can also block the signal. If the surrounding terrain is hilly, the maximum range of the tower could be as short as a few miles. Towers have a small “dead zone” around them, and the dead zone grows in proportion to the tower’s elevation. Carriers prefer to place towers on high ground to maximize their range, but if the tower is situated on a large hill and your site is located directly at the foot it may fall into the dead zone.

There are also temporary conditions that can affect whether your site has service. Towers have a limited number of available connections, and the more devices that are connected the smaller the maximum coverage radius gets. If a large number of devices are connected at the same time, the tower will start to refuse new connections until an open channel is available. This is a serious issue in rural areas where the carrier only has one tower covering the site. Weather can also affect the signal strength. Rain and strong winds cause interference that can put your site out of communication range.

Once you have determined which carriers in the area provide service, you must measure the available signal at your site and choose the best location to place the antenna. BVS manufactures tools that can help you determine the optimal carrier and location for your M2M installation, minimizing deployment time and helping you avoid costly mistakes. Contact us today for information on our Squid-PRO M2M Installation Tool.


Global Governments Attempt to Peel The Onion Router

Tor has been embraced by lawful and unlawful users alike. It helps those who value their online privacy and dissidents who live in countries with oppressive governments, but it also provides ways for cyber criminals, terrorists and other bad guys to avoid identification. This has made breaking Tor’s anonymity a top priority for government agencies both at home and abroad.

What is Tor?

Short for The Onion Router, Tor is a network of donated servers run by volunteers around the globe. Tor works by routing traffic through a random network of computers called relays. For example, say you are located here in Maryland and want to access a web page on a server in Australia. Under normal circumstances, you type in the URL and the packets take a more-or-less direct route from your computer to the Australian server and back.

With Tor, the packets may bounce from relay to relay anywhere in the world, and at each step the traffic is encrypted. Each relay only knows where the packet came from and where it is going next. No single computer in the chain knows the entire route. This is what makes Tor users so difficult to identify.
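The layering described above, as an added example that is not part of the original post and is not Tor's own code: the client wraps the request once per relay, and each relay can peel only its own layer, so it sees just the previous and next hop. The relay names, the destination `server.example`, the pre-shared per-relay keys and the SHA-256 keystream are assumptions standing in for Tor's circuit handshake and real ciphers.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); a stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate one layer: nonce || tag || ciphertext."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; fails unless the layer was sealed with this key."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not sealed for this relay")
    stream = _keystream(key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def build_onion(path, keys, destination, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer first."""
    next_hops = path[1:] + [destination]
    blob = payload
    for relay, next_hop in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = seal(keys[relay], layer)
    return blob


def route(client, path, keys, onion: bytes):
    """Pass the onion along the path and record what each relay can observe."""
    views = []
    sender, blob = client, onion
    for relay in path:
        layer = json.loads(unseal(keys[relay], blob))
        # A relay learns only who handed it the cell and where to send it next.
        views.append({"relay": relay, "from": sender, "to": layer["next"]})
        sender, blob = relay, bytes.fromhex(layer["data"])
    return views, blob  # blob is now the payload the exit relay forwards


def demo():
    """Constructed three-hop circuit with hypothetical names and random keys."""
    path = ["guard", "middle", "exit"]
    keys = {name: secrets.token_bytes(32) for name in path}
    onion = build_onion(path, keys, "server.example", b"GET /index.html")
    return route("client", path, keys, onion)


if __name__ == "__main__":
    observed, delivered = demo()
    for view in observed:
        print(view)
    print("delivered:", delivered)
```

Only the guard sees the client and only the exit sees the destination; no single entry in the recorded views contains both.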

In the United States:

The United States government seems to be of two minds about Tor. On one hand, Tor is a brainchild of the U.S. military. It was created to protect whistleblowers and journalists operating in restricted areas from reprisals, and in 2012, over half of the Tor Project’s revenue came from government grants.

On the other hand, the National Security Agency (NSA) has been working to unmask Tor’s users. The classified documents released by Edward Snowden in 2013 revealed the NSA has had success in separating Tor traffic from regular Internet traffic. This is due to their ability to monitor huge chunks of Internet traffic through connections to the large telecommunications companies that provide Internet access to most of the country’s population.

They have been less successful in separating one Tor user from another. Their best success has come not from the Tor package itself, but from the browser it ships with. The default Tor package uses the Firefox browser, which has some vulnerabilities. Most of these vulnerabilities come from scripting and plugins such as JavaScript and Adobe Flash.

Most governments cannot use the NSA’s technique for separating Tor traffic from normal traffic because they lack the close ties to telecom companies or the ability to monitor large swaths of Internet activity in real time.

In Russia:

Last year the Russian Ministry of the Interior ran a contest for Russian nationals and companies with a goal of finding a workable method of de-anonymizing Tor’s users. The grand prize? A contract worth a cool 4 million rubles, equivalent to $111,000 USD. News reports indicate the contract was awarded, but the Russian government did not name the winner.

In China:

While the Chinese government has been silent on what efforts they are taking to unmask Tor users, it is known they have taken the approach of blocking access to the Tor software and public relays. The “Great Firewall of China” is capable of deep packet inspection and can identify and block non-public relays based on specific protocols unique to Tor. It is possible for Tor users in China to get around these blocks using different techniques.

What’s in Tor’s Future?

The Tor Project has a small core of employees, but uses a network of volunteers and crowdsourced labor to patch vulnerabilities and keep its users anonymous. When the annual Black Hat security conference announced a panel on how to de-anonymize Tor users, the team went to work on closing the loophole before the conference even took place. It seems that for now, Tor will remain a useful tool for those who wish to keep their online activities secret, for better or worse.

About The Author:

Scott N. Schober is a Cyber Security Expert and the President and CEO of Berkeley Varitronics Systems, Inc., a 40-year-old provider of advanced wireless RF test and security solutions. Scott has overseen the development of numerous cell phone detection tools used to enforce a ‘no cell phone policy’ in correctional, law enforcement, corporate, university, military and secured government facilities.