Vulnerabilities / Threats
3/18/2016
12:00 PM
Thomas Fischer
Thomas Fischer
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

No Place For Tor In The Secured Workplace

When it comes to corporate security, anonymity does not necessarily ensure protection of one's private information - nor that of your employer.

When does an employee cross the line from taking steps to increase their personal privacy to sacrificing the security of their company and/or their clients? It’s a blurry distinction, but an important one for organizations to be aware of while working to secure their systems.   

Expectations of privacy vary from person to person, but corporate devices are always under scrutiny. Due to company mandates for mobile software management on corporate laptops and phones, employees have become more creative when it comes to concealing their activities and accessing content that is likely unfit for the workplace. They are increasingly using tools to bypass corporate firewalls to operate anonymously.

Browsing privately using Tor

One of the most popular tools of this kind is Tor, a self-defined network of “volunteer-operated" servers that allows people to improve their privacy and security on the Internet. Instead of making a direct connection to the network, Tor uses a series of relays to route traffic across multiple points with the endpoint and each relay adding a layer of encryption. This is done to ensure that each relay is unable to examine the data as well as providing anonymity by masking the origin of the connection. This allows the user (or a malicious party) to share private information without being traced.

As Tor uses traditional Web network ports for its connections, it also enables users to circumvent blocked sites, effectively overcoming any censorship by the network’s controllers. Tor is used by more than 750,000 people every day in countries around the world, with upwards of 126,000 of those users located in the United States.

While Tor can serve as a valuable resource for situations involving sensitive communications, such as those by government agents, activists, and journalists, its use in the workplace is often a different story. Employees may use Tor for many legitimate purposes, including keeping personal health or financial information private' However, Tor is frequently used by miscreants in pursuit of explicit materials or illegal substances with the belief that those actions cannot be traced back to the user, as was demonstrated through its use on the Silk Road (before it was shut down) along with similar underground sites.

Last August, IBM advised companies to block Tor altogether, citing frequent connections with malicious activity, ranging from ransomware to hacking attempts. IBM came to this conclusion as Tor provided end users with unfettered access to the Web, unsecured download mirrors, uncontrolled connections to phishing sites and open channels that allow external actors to facilitate an attack inside or outside that network.

One common recommendation to protect sensitive information from employees using Tor is to place controls on connections to the Tor relays. But this can turn into an uphill battle for organizations due to the ever-growing number and changing structure of the Tor network.

Browser extensions = new Tor attack vectors

While Tor was traditionally installed as a separate application or service that could be controlled by software policies, browser extensions and plugins have appeared in recent years that are essentially Tor clients. This facilitates the user’s ability to use Tor for browsing but creates an additional vector that is hard to control with traditional organizational controls.

Worse, relating to the issue of information exfiltration, Tor should be seen as a high risk due to its mechanisms used to protect users’ privacy. These make it harder for organizations to track, establish, and identify any IP being leaked as well as understand where it is disseminated. In addition, Tor exit relays need to pass on data to the final destination. In order to do that, the data sent by the client needs to be unencrypted from its TOR layer of protection, leaving it vulnerable to traffic-sniffing and attackers capturing organizational credentials used to access services.

(Correction: Last sentence has been corrected per author 3/19/16)

Related Content:

 

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

With more than 20 years of experience, Thomas has a unique view on enterprise security with experience across multiple domains from policy and risk management, secure development and enterprise incident response and forensics. Thomas has held roles varying from a security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
thomasfischer
50%
50%
thomasfischer,
User Rank: Author
3/20/2016 | 6:56:43 AM
Re: Factually inaccurate
Hi Adam thanks for your comment, you are technical correct any encrypted traffic leaving the user's endpoint will keep its encryption at the exit node.  The original sentence (which is now corrected) was always in reference to the TOR layer encryption. At the point of exit the traffic loses its TOR encryption thus if the user is not using any other form of encryption like HTTPS/TLS, it will be vulnerable to attack and snooping. Let's remember too that you don't necessarily control the exit node that your traffic will end up at and most users won't take the time to configure their TOR client to use specific exit nodes.

The traffic at the point of exit is vulnerable and there have been a number of studies on this from people like Dan Egerstad in 2007 and from l'École upérieure d'informatique, électronique, automatique. Which have potentially shown that the traffic is both vulnerable to capture but potentially also to de-anonymization (based on analysing the captured packets).

I think you will agree that users don't necessarily pay attention to whether or not their traffic is running over TLS. As the recent public attacks  (such as heartbleed, freak, poddle, etc) on HTTPS/SSL/TLS have demonstrated, the point of exit still potentially leaves the user's traffic vulnerable to attack. How many laymen users do you know that will recognize if their traffic is being snooped or diverted via a man-in-the-middle attack?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/19/2016 | 9:23:23 AM
Re: Factually inaccurate
Thanks for the fact check, Adam. Article has been corrected, per author authorization. Tom will be responding in comments later! 
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
3/18/2016 | 3:27:17 PM
Factually inaccurate
The closing sentence of this article is factually inaccurate.  "In order to do that, the data sent by the client needs to be unencrypted" is simply untrue.  Tor allows the use of HTTPS over Tor (and even encourages it), and some organizations (Facebook) have set up Tor exit nodes to allow safe access to their systems.

 

In fact, Tor encourages use of HTTPS over Tor to address this exact issue, www.torproject.org (slash) download/download-easy.html.en#warning  Item D.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.