Dangers of TOR in the workplace

xcircusmusician

Newbie

Posts: 7

Joined: Thu May 27, 2010 10:45 pm

Post Tue Aug 24, 2010 7:00 pm

Dangers of TOR in the workplace

Does anyone have advice/thoughts/insight on the 'potential' dangers of running the proxy 'TOR' in the workplace? Hypothetically: 500 computers in an ISP environment? Hypothetically: 30+ individuals running TOR for 'personal' interests. Your thoughts/experience are much appreciated.
Regards,
      Michael
vekarman

Newbie

Posts: 28

Joined: Thu Mar 19, 2009 1:21 am

Post Wed Aug 25, 2010 4:17 am

Re: Dangers of TOR in the workplace

As I understood, the ISP site itself does not host any TOR proxies, but would like to figure out the effects of allowing staff/users to use TOR proxies.

TOR proxies are basically used to obfuscate the source IP address. Generally, TOR proxies are hosted in countries without much regulation and without answerability. Primarily they are used to carry out illegal activities/cyber crimes to evade tracing to the real initiator. Hence, we will see more single users using them, not corporates like any ISP. Furthermore, these TOR proxies themselves might push malware back to users. Or they may record the activities being carried out and either misuse them or use them for cyber ransom.

First of all, the need to use TOR proxies. If business needs do not require it to be used, a policy should be created to that effect.
CISSP
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Aug 25, 2010 8:11 am

Re: Dangers of TOR in the workplace

Let's look at the fundamental flaw of TOR... Anonymity... But for whom? If I set up a Tor node for others to connect "anonymously" to the world, guess what? I can see anything that traverses through my node. How do you know I don't have a rogue node? How can you be sure you're not connecting to a rogue node? You can't. This has already been proven and is likely continuously being done. (rogue sniffing nodes)

In January 2007, the nascent Wikileaks project used a Tor exit node to capture its initial 1.2 million documents from users, ostensibly Chinese hackers engaged in government espionage.[18]

In September 2007, Dan Egerstad, a Swedish security consultant, revealed that he had intercepted usernames and passwords for a large number of email accounts by operating and monitoring Tor exit nodes.[19] As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption, e.g. TLS. While this may or may not inherently violate the anonymity of the source, depending on the data transferred, it affords added opportunities for data interception by self-selected third parties, greatly increasing the risk of exposure of sensitive data by users who are careless or who mistake Tor's anonymity for security.[20]


Source http://en.wikipedia.org/wiki/Tor_%28ano ... Weaknesses

WikiLeaks Was Launched With Documents Intercepted From Tor
http://www.wired.com/threatlevel/2010/0 ... documents/

So let's look at the concept for a moment.

  Code:
Coworker --> use of work network --> anonymize --> World


How is this in any shape, form or fashion work related? What is so mission critical that someone needs to use anonymity software to do ANYTHING? It would defeat any argument. "We need to ensure..." Ensure what? You're exposing yourself to an unknown party and potential attacker - how can you be sure I'm not randomly sniffing my node?

If security is key here, then a company needs encryption (PGP, etc.). However, if they're in a country that doesn't allow for encryption programs, there is still a better option, e.g., hushmail, renting out cloudspace in another country, etc. There is no need for TOR in the workplace from my point of view. On the contrary, how do I know my employees won't use it to exfiltrate data without a trace?

The Anonymous Dream
Tor_User --> Random Node --> Internet (Where Tor_User = Unknown because endpoint sees RandomNode)

The Harsh Reality
Tor_User --> RandomNode (installs tap: take a copy of everything before we send it) --> Internet (Internet sees random node... Tor User feels safe... RandomNode compromises data)

So what makes you think, say, a competitor or government doesn't have rogue Tor nodes? Hell, forget those, let's say ANYONE period having rogue Tor nodes. The risks outweigh the costs if you're truly using it for *real world* purposes. There is no reliability and no accountability. The accountability part (why wouldn't you want someone knowing who you are unless you have something to hide) is what the Tor user is trying to avoid (from my perspective), but it's that same accountability that can come back to haunt them. Haunt them in the sense that: "OMG, all my IP (intellectual property) was compromised... How could someone do this! We've never been 'owned'" Sure, you've never been compromised... You GAVE your data away.
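
For the scenario in the original question (a few dozen of 500 workstations running Tor), one way to see which internal hosts are talking to the Tor network, and how much data they send, is to match egress flow records against a relay list. This is an added example, not part of any post above; the log format, the internal address range and every address in the sample data are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed relay list (documentation-range addresses, not real relays).
RELAY_LIST = "192.0.2.10:9001\n198.51.100.77:443\n203.0.113.5:9001\n"
# Constructed egress flow log: timestamp,src_ip,dst_ip,dst_port,bytes_out
FLOW_LOG = """\
2010-08-24T19:00:01,10.1.4.22,192.0.2.10,9001,51200
2010-08-24T19:00:03,10.1.4.22,198.51.100.77,443,1048576
2010-08-24T19:00:05,10.1.7.9,198.51.100.77,80,300
2010-08-24T19:01:10,10.1.7.9,203.0.113.200,443,4096
2010-08-24T19:02:44,10.1.9.130,203.0.113.5,9001,2048
2010-08-24T19:03:00,172.16.0.8,192.0.2.10,9001,999
"""
INTERNAL = ip_network("10.0.0.0/8")  # assumed workstation address range

def load_relays(text):
    """Parse 'ip:port' lines into a set of (address, port) tuples."""
    relays = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            host, _, port = line.rpartition(":")
            relays.add((ip_address(host), int(port)))
    return relays

def tor_clients(flow_text, relays, internal=INTERNAL):
    """Summarise internal hosts that connected to a listed relay ip:port."""
    hits = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "relays": set()})
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        _ts, src, dst, port, nbytes = row
        if ip_address(src) not in internal:
            continue  # only report on the assumed workstation range
        if (ip_address(dst), int(port)) in relays:
            entry = hits[src]
            entry["connections"] += 1
            entry["bytes_out"] += int(nbytes)
            entry["relays"].add(dst)
    return dict(hits)

if __name__ == "__main__":
    report = tor_clients(FLOW_LOG, load_relays(RELAY_LIST))
    for host, e in sorted(report.items(), key=lambda kv: -kv[1]["bytes_out"]):
        print(host, e["connections"], e["bytes_out"], sorted(e["relays"]))
```

Tor bridges are not in the public relay list, so a check like this covers the default client configuration only.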
