Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/18/2016
12:00 PM
Thomas Fischer
Thomas Fischer
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

No Place For Tor In The Secured Workplace

When it comes to corporate security, anonymity does not necessarily ensure protection of one's private information - nor that of your employer.

When does an employee cross the line from taking steps to increase their personal privacy to sacrificing the security of their company and/or their clients? It’s a blurry distinction, but an important one for organizations to be aware of while working to secure their systems.   

Expectations of privacy vary from person to person, but corporate devices are always under scrutiny. Due to company mandates for mobile software management on corporate laptops and phones, employees have become more creative when it comes to concealing their activities and accessing content that is likely unfit for the workplace. They are increasingly using tools to bypass corporate firewalls to operate anonymously.

Browsing privately using Tor

One of the most popular tools of this kind is Tor, a self-defined network of “volunteer-operated" servers that allows people to improve their privacy and security on the Internet. Instead of making a direct connection to the network, Tor uses a series of relays to route traffic across multiple points with the endpoint and each relay adding a layer of encryption. This is done to ensure that each relay is unable to examine the data as well as providing anonymity by masking the origin of the connection. This allows the user (or a malicious party) to share private information without being traced.

As Tor uses traditional Web network ports for its connections, it also enables users to circumvent blocked sites, effectively overcoming any censorship by the network’s controllers. Tor is used by more than 750,000 people every day in countries around the world, with upwards of 126,000 of those users located in the United States.

While Tor can serve as a valuable resource for situations involving sensitive communications, such as those by government agents, activists, and journalists, its use in the workplace is often a different story. Employees may use Tor for many legitimate purposes, including keeping personal health or financial information private' However, Tor is frequently used by miscreants in pursuit of explicit materials or illegal substances with the belief that those actions cannot be traced back to the user, as was demonstrated through its use on the Silk Road (before it was shut down) along with similar underground sites.

Last August, IBM advised companies to block Tor altogether, citing frequent connections with malicious activity, ranging from ransomware to hacking attempts. IBM came to this conclusion as Tor provided end users with unfettered access to the Web, unsecured download mirrors, uncontrolled connections to phishing sites and open channels that allow external actors to facilitate an attack inside or outside that network.

One common recommendation to protect sensitive information from employees using Tor is to place controls on connections to the Tor relays. But this can turn into an uphill battle for organizations due to the ever-growing number and changing structure of the Tor network.

Browser extensions = new Tor attack vectors

While Tor was traditionally installed as a separate application or service that could be controlled by software policies, browser extensions and plugins have appeared in recent years that are essentially Tor clients. This facilitates the user’s ability to use Tor for browsing but creates an additional vector that is hard to control with traditional organizational controls.

Worse, relating to the issue of information exfiltration, Tor should be seen as a high risk due to its mechanisms used to protect users’ privacy. These make it harder for organizations to track, establish, and identify any IP being leaked as well as understand where it is disseminated. In addition, Tor exit relays need to pass on data to the final destination. In order to do that, the data sent by the client needs to be unencrypted from its TOR layer of protection, leaving it vulnerable to traffic-sniffing and attackers capturing organizational credentials used to access services.

(Correction: Last sentence has been corrected per author 3/19/16)

Related Content:

 

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

With more than 20 years of experience, Thomas has a unique view on enterprise security with experience across multiple domains from policy and risk management, secure development and enterprise incident response and forensics. Thomas has held roles varying from a security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
thomasfischer
50%
50%
thomasfischer,
User Rank: Author
3/20/2016 | 6:56:43 AM
Re: Factually inaccurate
Hi Adam thanks for your comment, you are technical correct any encrypted traffic leaving the user's endpoint will keep its encryption at the exit node.  The original sentence (which is now corrected) was always in reference to the TOR layer encryption. At the point of exit the traffic loses its TOR encryption thus if the user is not using any other form of encryption like HTTPS/TLS, it will be vulnerable to attack and snooping. Let's remember too that you don't necessarily control the exit node that your traffic will end up at and most users won't take the time to configure their TOR client to use specific exit nodes.

The traffic at the point of exit is vulnerable and there have been a number of studies on this from people like Dan Egerstad in 2007 and from l'École upérieure d'informatique, électronique, automatique. Which have potentially shown that the traffic is both vulnerable to capture but potentially also to de-anonymization (based on analysing the captured packets).

I think you will agree that users don't necessarily pay attention to whether or not their traffic is running over TLS. As the recent public attacks  (such as heartbleed, freak, poddle, etc) on HTTPS/SSL/TLS have demonstrated, the point of exit still potentially leaves the user's traffic vulnerable to attack. How many laymen users do you know that will recognize if their traffic is being snooped or diverted via a man-in-the-middle attack?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/19/2016 | 9:23:23 AM
Re: Factually inaccurate
Thanks for the fact check, Adam. Article has been corrected, per author authorization. Tom will be responding in comments later! 
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
3/18/2016 | 3:27:17 PM
Factually inaccurate
The closing sentence of this article is factually inaccurate.  "In order to do that, the data sent by the client needs to be unencrypted" is simply untrue.  Tor allows the use of HTTPS over Tor (and even encourages it), and some organizations (Facebook) have set up Tor exit nodes to allow safe access to their systems.

 

In fact, Tor encourages use of HTTPS over Tor to address this exact issue, www.torproject.org (slash) download/download-easy.html.en#warning  Item D.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.