Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/18/2016
12:00 PM
Thomas Fischer
Thomas Fischer
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

No Place For Tor In The Secured Workplace

When it comes to corporate security, anonymity does not necessarily ensure protection of one's private information - nor that of your employer.

When does an employee cross the line from taking steps to increase their personal privacy to sacrificing the security of their company and/or their clients? It’s a blurry distinction, but an important one for organizations to be aware of while working to secure their systems.   

Expectations of privacy vary from person to person, but corporate devices are always under scrutiny. Due to company mandates for mobile software management on corporate laptops and phones, employees have become more creative when it comes to concealing their activities and accessing content that is likely unfit for the workplace. They are increasingly using tools to bypass corporate firewalls to operate anonymously.

Browsing privately using Tor

One of the most popular tools of this kind is Tor, a self-defined network of “volunteer-operated" servers that allows people to improve their privacy and security on the Internet. Instead of making a direct connection to the network, Tor uses a series of relays to route traffic across multiple points with the endpoint and each relay adding a layer of encryption. This is done to ensure that each relay is unable to examine the data as well as providing anonymity by masking the origin of the connection. This allows the user (or a malicious party) to share private information without being traced.

As Tor uses traditional Web network ports for its connections, it also enables users to circumvent blocked sites, effectively overcoming any censorship by the network’s controllers. Tor is used by more than 750,000 people every day in countries around the world, with upwards of 126,000 of those users located in the United States.

While Tor can serve as a valuable resource for situations involving sensitive communications, such as those by government agents, activists, and journalists, its use in the workplace is often a different story. Employees may use Tor for many legitimate purposes, including keeping personal health or financial information private' However, Tor is frequently used by miscreants in pursuit of explicit materials or illegal substances with the belief that those actions cannot be traced back to the user, as was demonstrated through its use on the Silk Road (before it was shut down) along with similar underground sites.

Last August, IBM advised companies to block Tor altogether, citing frequent connections with malicious activity, ranging from ransomware to hacking attempts. IBM came to this conclusion as Tor provided end users with unfettered access to the Web, unsecured download mirrors, uncontrolled connections to phishing sites and open channels that allow external actors to facilitate an attack inside or outside that network.

One common recommendation to protect sensitive information from employees using Tor is to place controls on connections to the Tor relays. But this can turn into an uphill battle for organizations due to the ever-growing number and changing structure of the Tor network.

Browser extensions = new Tor attack vectors

While Tor was traditionally installed as a separate application or service that could be controlled by software policies, browser extensions and plugins have appeared in recent years that are essentially Tor clients. This facilitates the user’s ability to use Tor for browsing but creates an additional vector that is hard to control with traditional organizational controls.

Worse, relating to the issue of information exfiltration, Tor should be seen as a high risk due to its mechanisms used to protect users’ privacy. These make it harder for organizations to track, establish, and identify any IP being leaked as well as understand where it is disseminated. In addition, Tor exit relays need to pass on data to the final destination. In order to do that, the data sent by the client needs to be unencrypted from its TOR layer of protection, leaving it vulnerable to traffic-sniffing and attackers capturing organizational credentials used to access services.

(Correction: Last sentence has been corrected per author 3/19/16)

Related Content:

 

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

With more than 20 years of experience, Thomas has a unique view on enterprise security with experience across multiple domains from policy and risk management, secure development and enterprise incident response and forensics. Thomas has held roles varying from a security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
thomasfischer
50%
50%
thomasfischer,
User Rank: Author
3/20/2016 | 6:56:43 AM
Re: Factually inaccurate
Hi Adam thanks for your comment, you are technical correct any encrypted traffic leaving the user's endpoint will keep its encryption at the exit node.  The original sentence (which is now corrected) was always in reference to the TOR layer encryption. At the point of exit the traffic loses its TOR encryption thus if the user is not using any other form of encryption like HTTPS/TLS, it will be vulnerable to attack and snooping. Let's remember too that you don't necessarily control the exit node that your traffic will end up at and most users won't take the time to configure their TOR client to use specific exit nodes.

The traffic at the point of exit is vulnerable and there have been a number of studies on this from people like Dan Egerstad in 2007 and from l'École upérieure d'informatique, électronique, automatique. Which have potentially shown that the traffic is both vulnerable to capture but potentially also to de-anonymization (based on analysing the captured packets).

I think you will agree that users don't necessarily pay attention to whether or not their traffic is running over TLS. As the recent public attacks  (such as heartbleed, freak, poddle, etc) on HTTPS/SSL/TLS have demonstrated, the point of exit still potentially leaves the user's traffic vulnerable to attack. How many laymen users do you know that will recognize if their traffic is being snooped or diverted via a man-in-the-middle attack?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/19/2016 | 9:23:23 AM
Re: Factually inaccurate
Thanks for the fact check, Adam. Article has been corrected, per author authorization. Tom will be responding in comments later! 
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
3/18/2016 | 3:27:17 PM
Factually inaccurate
The closing sentence of this article is factually inaccurate.  "In order to do that, the data sent by the client needs to be unencrypted" is simply untrue.  Tor allows the use of HTTPS over Tor (and even encourages it), and some organizations (Facebook) have set up Tor exit nodes to allow safe access to their systems.

 

In fact, Tor encourages use of HTTPS over Tor to address this exact issue, www.torproject.org (slash) download/download-easy.html.en#warning  Item D.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.