
3/18/2016 12:00 PM
Thomas Fischer
Commentary

No Place For Tor In The Secured Workplace

When it comes to corporate security, anonymity does not necessarily ensure protection of one's private information - nor that of your employer.

When does an employee cross the line from taking steps to increase their personal privacy to sacrificing the security of their company and/or their clients? It’s a blurry distinction, but an important one for organizations to be aware of while working to secure their systems.   

Expectations of privacy vary from person to person, but corporate devices are always under scrutiny. Due to company mandates for mobile software management on corporate laptops and phones, employees have become more creative when it comes to concealing their activities and accessing content that is likely unfit for the workplace. They are increasingly using tools to bypass corporate firewalls to operate anonymously.

Browsing privately using Tor

One of the most popular tools of this kind is Tor, a self-defined network of "volunteer-operated" servers that allows people to improve their privacy and security on the Internet. Instead of making a direct connection to the network, Tor uses a series of relays to route traffic across multiple points with the endpoint and each relay adding a layer of encryption. This is done to ensure that each relay is unable to examine the data as well as providing anonymity by masking the origin of the connection. This allows the user (or a malicious party) to share private information without being traced.

As Tor uses traditional Web network ports for its connections, it also enables users to circumvent blocked sites, effectively overcoming any censorship by the network’s controllers. Tor is used by more than 750,000 people every day in countries around the world, with upwards of 126,000 of those users located in the United States.

While Tor can serve as a valuable resource for situations involving sensitive communications, such as those by government agents, activists, and journalists, its use in the workplace is often a different story. Employees may use Tor for many legitimate purposes, including keeping personal health or financial information private. However, Tor is frequently used by miscreants in pursuit of explicit materials or illegal substances with the belief that those actions cannot be traced back to the user, as was demonstrated through its use on the Silk Road (before it was shut down) along with similar underground sites.

Last August, IBM advised companies to block Tor altogether, citing frequent connections with malicious activity, ranging from ransomware to hacking attempts. IBM came to this conclusion as Tor provided end users with unfettered access to the Web, unsecured download mirrors, uncontrolled connections to phishing sites and open channels that allow external actors to facilitate an attack inside or outside that network.

One common recommendation to protect sensitive information from employees using Tor is to place controls on connections to the Tor relays. But this can turn into an uphill battle for organizations due to the ever-growing number and changing structure of the Tor network.
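To make the "uphill battle" concrete, here is an added illustration (not code from the article or from the Tor Project) of the relay-blocklist approach: outbound firewall log lines are matched against a snapshot of known relay addresses, and a second, later snapshot shows how a list that is not refreshed silently misses relays that joined in between. All relay addresses, hosts and log lines are constructed sample data.

```python
"""Flag outbound connections to known Tor relays in firewall logs.

Demonstrates the article's point that controls on relay connections
depend on a relay list that changes constantly: a stale snapshot misses
relays that joined after it was taken. Everything here is constructed
sample data; a real deployment would rebuild the relay set from the
Tor consensus on a schedule rather than hard-code it.
"""
import re

# Constructed relay snapshots as (ip, or_port) pairs.
RELAYS_MONDAY = {("198.51.100.10", 9001), ("203.0.113.7", 443)}
# Next day: one relay has left and a new one has appeared.
RELAYS_TUESDAY = {("203.0.113.7", 443), ("192.0.2.55", 9001)}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed firewall log lines (timestamp, source host, destination, port).
SAMPLE_LOG = """\
2016-03-18T10:01:02 src=10.0.0.21 dst=198.51.100.10 dport=9001
2016-03-18T10:01:05 src=10.0.0.21 dst=93.184.216.34 dport=443
2016-03-19T09:15:44 src=10.0.0.34 dst=192.0.2.55 dport=9001
2016-03-19T09:16:01 src=10.0.0.50 dst=203.0.113.7 dport=443
"""


def parse_log(text):
    """Yield (src, dst, dport) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def flag_relay_connections(text, relays):
    """Return sorted source hosts that connected to any (ip, port) in relays.

    Note the limits the article describes: a relay listening on 443 looks
    like ordinary web traffic, so only the address list tells it apart, and
    relays absent from the snapshot are not seen at all.
    """
    return sorted({src for src, dst, port in parse_log(text) if (dst, port) in relays})


def missed_by_stale_list(text, old_relays, new_relays):
    """Hosts that only a refreshed relay list catches (the churn problem)."""
    caught_old = set(flag_relay_connections(text, old_relays))
    caught_new = set(flag_relay_connections(text, new_relays))
    return sorted(caught_new - caught_old)
```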

Browser extensions = new Tor attack vectors

While Tor was traditionally installed as a separate application or service that could be controlled by software policies, browser extensions and plugins have appeared in recent years that are essentially Tor clients. This facilitates the user’s ability to use Tor for browsing but creates an additional vector that is hard to control with traditional organizational controls.

Worse, relating to the issue of information exfiltration, Tor should be seen as a high risk due to the mechanisms it uses to protect users' privacy. These make it harder for organizations to track, establish, and identify any intellectual property (IP) being leaked as well as understand where it is disseminated. In addition, Tor exit relays need to pass on data to the final destination. In order to do that, the data sent by the client needs to be unencrypted from its TOR layer of protection, leaving it vulnerable to traffic-sniffing and attackers capturing organizational credentials used to access services.

(Correction: Last sentence has been corrected per author 3/19/16)


With more than 20 years of experience, Thomas has a unique view on enterprise security with experience across multiple domains from policy and risk management, secure development and enterprise incident response and forensics. Thomas has held roles varying from a security ...

Comments
thomasfischer (Author), 3/20/2016 | 6:56:43 AM
Re: Factually inaccurate
Hi Adam, thanks for your comment. You are technically correct: any encrypted traffic leaving the user's endpoint will keep its encryption at the exit node. The original sentence (which is now corrected) was always in reference to the TOR layer encryption. At the point of exit the traffic loses its TOR encryption, thus if the user is not using any other form of encryption like HTTPS/TLS, it will be vulnerable to attack and snooping. Let's remember too that you don't necessarily control the exit node that your traffic will end up at, and most users won't take the time to configure their TOR client to use specific exit nodes.

The traffic at the point of exit is vulnerable and there have been a number of studies on this from people like Dan Egerstad in 2007 and from l'École Supérieure d'informatique, électronique, automatique, which have potentially shown that the traffic is both vulnerable to capture but potentially also to de-anonymization (based on analysing the captured packets).

I think you will agree that users don't necessarily pay attention to whether or not their traffic is running over TLS. As the recent public attacks (such as Heartbleed, FREAK, POODLE, etc.) on HTTPS/SSL/TLS have demonstrated, the point of exit still potentially leaves the user's traffic vulnerable to attack. How many laymen users do you know that will recognize if their traffic is being snooped or diverted via a man-in-the-middle attack?

Marilyn Cohodas (Strategist), 3/19/2016 | 9:23:23 AM
Re: Factually inaccurate
Thanks for the fact check, Adam. Article has been corrected, per author authorization. Tom will be responding in comments later!

adamshostack (Apprentice), 3/18/2016 | 3:27:17 PM
Factually inaccurate
The closing sentence of this article is factually inaccurate. "In order to do that, the data sent by the client needs to be unencrypted" is simply untrue. Tor allows the use of HTTPS over Tor (and even encourages it), and some organizations (Facebook) have set up Tor exit nodes to allow safe access to their systems.

In fact, Tor encourages use of HTTPS over Tor to address this exact issue, www.torproject.org (slash) download/download-easy.html.en#warning  Item D.