The Onion Router is in a Pickle.

 In ITC's Threat of the Week

The Onion Router or TOR as it is fondly known by the security community, privacy aficionados, journalists, blaggers and significantly; criminals, is in hot water.

For those who do not fall into the categories above and want a hint, TOR consists of loads of servers (15,000ish relays and bridges) that securely (via encryption) and non deterministically (i.e. the route through the network is semi random and therefore hard to intercept) route traffic from a user to a destination – that is to say that the traffic traverses the TOR piece of the network securely, pops out from a TOR ‘exit node’ and arrives at the destination appearing to come from that node with the original source totally invisible to the receiving host. Here is a diagram that explains this:

Tor-onion-network

While there are MANY extremely legitimate uses of this technology – think about using the Internet in a country with an oppressive regime, or users who want to protect their families traffic (their kids for instance), journalists requiring secrecy and anonymity when at work in shady locations (like London), it is a matter of fact that a lot of crime hides behind, or uses the TOR network.

From the world famous Silk Road Market to hacking sites and places to buy any range of materiel (credit card details – check, usernames and passwords – check, crack cocaine – check, rocket launchers – check, nuclear weapons – not yet), bad guys are all over TOR. Actually we believe the good guys are all over TOR as well, hosting many of the exit nodes for errm, research purposes.

TOR is the primary platform for delivering Malware, Botnets and all the bad stuff you don’t want. Recent RansomWare software goes as far as to update itself over TOR by sending code updates encrypted in flavicons (small icons). Unbelievable stuff.

Well, enough is enough and the big boys have woken up. This week IBM no less (via their mighty morphing X-FORCE) has recommended that businesses block traffic to and from TOR exit nodes, and what is more, we agree! David and Goliath united!

IBM claims to have identified hundreds of thousands of malicious events traversing TOR and claims that it is now too dangerous to tolerate. You can read the X-Force quarterly report here, it is very good stuff:

http://public.dhe.ibm.com/common/ssi/ecm/wg/en/wgl03086usen/WGL03086USEN.PDF

We have been tracking traffic to and from TOR on our NetSure360° managed security service for years and use it as part of Malware detection for our customers. We will now be following the advice of Big Blue and advising our customers to block this traffic if it is not detrimental to their business, and since we try not to work with organised crime gangs, that should be most of our customers.

If you want to understand more about this pickle, or want some help on getting out of the soup, no need to cry, please contact us on: 020 7517 3900 or email enquiries@itcsecure.com

Author: Kevin Whelan

Recent Posts

Leave a Comment