Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/18/2016
12:00 PM
Thomas Fischer
Thomas Fischer
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

No Place For Tor In The Secured Workplace

When it comes to corporate security, anonymity does not necessarily ensure protection of one's private information - nor that of your employer.

When does an employee cross the line from taking steps to increase their personal privacy to sacrificing the security of their company and/or their clients? It’s a blurry distinction, but an important one for organizations to be aware of while working to secure their systems.   

Expectations of privacy vary from person to person, but corporate devices are always under scrutiny. Due to company mandates for mobile software management on corporate laptops and phones, employees have become more creative when it comes to concealing their activities and accessing content that is likely unfit for the workplace. They are increasingly using tools to bypass corporate firewalls to operate anonymously.

Browsing privately using Tor

One of the most popular tools of this kind is Tor, a self-defined network of “volunteer-operated" servers that allows people to improve their privacy and security on the Internet. Instead of making a direct connection to the network, Tor uses a series of relays to route traffic across multiple points with the endpoint and each relay adding a layer of encryption. This is done to ensure that each relay is unable to examine the data as well as providing anonymity by masking the origin of the connection. This allows the user (or a malicious party) to share private information without being traced.

As Tor uses traditional Web network ports for its connections, it also enables users to circumvent blocked sites, effectively overcoming any censorship by the network’s controllers. Tor is used by more than 750,000 people every day in countries around the world, with upwards of 126,000 of those users located in the United States.

While Tor can serve as a valuable resource for situations involving sensitive communications, such as those by government agents, activists, and journalists, its use in the workplace is often a different story. Employees may use Tor for many legitimate purposes, including keeping personal health or financial information private' However, Tor is frequently used by miscreants in pursuit of explicit materials or illegal substances with the belief that those actions cannot be traced back to the user, as was demonstrated through its use on the Silk Road (before it was shut down) along with similar underground sites.

Last August, IBM advised companies to block Tor altogether, citing frequent connections with malicious activity, ranging from ransomware to hacking attempts. IBM came to this conclusion as Tor provided end users with unfettered access to the Web, unsecured download mirrors, uncontrolled connections to phishing sites and open channels that allow external actors to facilitate an attack inside or outside that network.

One common recommendation to protect sensitive information from employees using Tor is to place controls on connections to the Tor relays. But this can turn into an uphill battle for organizations due to the ever-growing number and changing structure of the Tor network.

Browser extensions = new Tor attack vectors

While Tor was traditionally installed as a separate application or service that could be controlled by software policies, browser extensions and plugins have appeared in recent years that are essentially Tor clients. This facilitates the user’s ability to use Tor for browsing but creates an additional vector that is hard to control with traditional organizational controls.

Worse, relating to the issue of information exfiltration, Tor should be seen as a high risk due to its mechanisms used to protect users’ privacy. These make it harder for organizations to track, establish, and identify any IP being leaked as well as understand where it is disseminated. In addition, Tor exit relays need to pass on data to the final destination. In order to do that, the data sent by the client needs to be unencrypted from its TOR layer of protection, leaving it vulnerable to traffic-sniffing and attackers capturing organizational credentials used to access services.

(Correction: Last sentence has been corrected per author 3/19/16)

Related Content:

 

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

With more than 20 years of experience, Thomas has a unique view on enterprise security with experience across multiple domains from policy and risk management, secure development and enterprise incident response and forensics. Thomas has held roles varying from a security ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
thomasfischer
50%
50%
thomasfischer,
User Rank: Author
3/20/2016 | 6:56:43 AM
Re: Factually inaccurate
Hi Adam thanks for your comment, you are technical correct any encrypted traffic leaving the user's endpoint will keep its encryption at the exit node.  The original sentence (which is now corrected) was always in reference to the TOR layer encryption. At the point of exit the traffic loses its TOR encryption thus if the user is not using any other form of encryption like HTTPS/TLS, it will be vulnerable to attack and snooping. Let's remember too that you don't necessarily control the exit node that your traffic will end up at and most users won't take the time to configure their TOR client to use specific exit nodes.

The traffic at the point of exit is vulnerable and there have been a number of studies on this from people like Dan Egerstad in 2007 and from l'École upérieure d'informatique, électronique, automatique. Which have potentially shown that the traffic is both vulnerable to capture but potentially also to de-anonymization (based on analysing the captured packets).

I think you will agree that users don't necessarily pay attention to whether or not their traffic is running over TLS. As the recent public attacks  (such as heartbleed, freak, poddle, etc) on HTTPS/SSL/TLS have demonstrated, the point of exit still potentially leaves the user's traffic vulnerable to attack. How many laymen users do you know that will recognize if their traffic is being snooped or diverted via a man-in-the-middle attack?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/19/2016 | 9:23:23 AM
Re: Factually inaccurate
Thanks for the fact check, Adam. Article has been corrected, per author authorization. Tom will be responding in comments later! 
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
3/18/2016 | 3:27:17 PM
Factually inaccurate
The closing sentence of this article is factually inaccurate.  "In order to do that, the data sent by the client needs to be unencrypted" is simply untrue.  Tor allows the use of HTTPS over Tor (and even encourages it), and some organizations (Facebook) have set up Tor exit nodes to allow safe access to their systems.

 

In fact, Tor encourages use of HTTPS over Tor to address this exact issue, www.torproject.org (slash) download/download-easy.html.en#warning  Item D.
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36124
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).
CVE-2020-36125
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control where password revalidation in sensitive operations can be bypassed remotely by an authenticated attacker through requesting the endpoint directly.
CVE-2020-36126
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. PAXSTORE marketplace endpoints allow an authenticated user to read and write data not owned by them, including third-party users, application and payment term...
CVE-2020-36127
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by an information disclosure vulnerability. Through the PUK signature functionality, an administrator will not have access to the current p12 certificate and password. When accessing this functionality, the administrator has the opt...
CVE-2020-36128
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by a token spoofing vulnerability. Each payment terminal has a session token (called X-Terminal-Token) to access the marketplace. This allows the store to identify the terminal and make available the applications distributed by its ...