Tor at work - the privacy and security dilemma

Thomas Fischer believes that the Investigatory Powers Bill will incentivise more citizens to use Tor to protect their online privacy. In turn, this could lead to more people using the Tor network at work, either for privacy reasons or to bypass the company firewall and browsing policies.

Thomas Fischer, global security advocate, Digital Guardian
Thomas Fischer, global security advocate, Digital Guardian

The Investigatory Powers Bill going through Parliament this week – also referred to as the Snooper's Charter – makes explicit in law the powers of the British security services to hack into and bug citizens' computers and phones, as well as access their web browsing data. That's a pretty significant invasion of privacy in many people's eyes and will almost certainly incentivise people to look for ways to stay anonymous online. In its current state, the Bill requires that communications service providers store user's browsing data for up to twelve months. However, there are tools available that can anonymise this metadata so that it is not attached to an individual. 

Private browsing using Tor

One of the most popular tools for this is Tor, a self-defined network of “volunteer-operated servers that allow people to improve their privacy and security on the internet”. Instead of making a direct connection to the network, Tor uses a series of relays to route traffic across multiple points, with the endpoint and each relay adding a layer of encryption. This is done to ensure that each relay is unable to examine the data, as well as providing anonymity by masking the origin of the connection. This allows the user (or a malicious party) to conduct activities, without being traced.

As Tor uses traditional web network ports for its connections, it also enables users to circumvent blocked sites, effectively overcoming any censorship by the network's controllers. Tor's own metrics show that around 2,000,000 people directly connect to Tor every day in countries around the world, with around 80,000 of those users located in the United Kingdom.

Tor at work

While Tor can serve as a valuable resource for situations involving sensitive communications, such as those by government agents, activists, and journalists, as more people become familiar with its capabilities, it will almost certainly start to be used in the workplace.

Employees may use Tor for many purposes, including keeping personal health or financial information private. It can also be used to access sites that might otherwise be blocked by company firewalls. While that sounds quite harmless, Tor is frequently also used by miscreants in pursuit of explicit materials or illegal substances, with the belief that those actions cannot be traced back to the user. This was demonstrated through Tor's use on the Silk Road (before it was shut down) along with similar underground sites.

Last year, IBM advised companies to block Tor altogether, citing frequent connections with malicious activity, ranging from ransomware to hacking attempts. IBM came to this conclusion as Tor provided end users with unfettered access to the web, uncontrolled connections to phishing sites and open channels that allow external actors to facilitate an attack inside or outside the network.

Browser extensions are the new Tor attack vector

While Tor was traditionally installed as a separate application or service that could be controlled by software policies, browser extensions and plugins have appeared in recent years that are essentially part of Tor. This creates an additional vector that is hard to control with traditional organisational controls.

Tor is also a high risk to businesses due to the mechanisms it uses to protect users' privacy. These mechanisms make it very difficult for organisations to track, establish and identify any intellectual property or data being leaked, as well as understand where it is being sent. In addition, although network traffic may be encrypted while in the tunnel, Tor will remove its layer of protection when the traffic exits the final Tor node. Various security researchers have shown that at this point, it is possible to capture and de-anonymise the data.

Keep on top of Tor

When does an employee cross the line from taking steps to increase their personal privacy to sacrificing the security of their company and their clients? It's a blurry distinction, but an important one for organisations to be aware of while working to secure their systems. One common recommendation to protect sensitive information from employees using Tor, is to place controls on connections to the Tor relays. But this can turn into an uphill battle for organisations due to the ever-growing number of relay points and changing structure of the Tor network.

From a technology point of view, businesses need to consider both the network layer and the endpoint. At the network layer, it is possible to use deep packet inspection and published lists of known Tor nodes to detect and block the machines that are connecting to Tor. IT security teams should also look to detect and contain the deployment of unnecessary or unapproved software on company endpoints. That said, by far the best solution is to educate employees about the significant risk that non-approved technology can have on the business and try to prevent the use of Tor in the first place.

Contributed by Thomas Fischer, global security advocate, Digital Guardian