No Place for Tor: IBM Preaches Zero Tolerance for Tor in Enterprise
A new report from IBM’s X-Force concludes that enterprise networks are no place for Tor.
Revelations of rampant government surveillance have brought privacy-enhancing technologies like Tor (The Onion Router) to the attention of millions of Internet users. But technology giant IBM is telling enterprise customers that corporate networks are "no place for Tor." The company is advising IT administrators to take steps to remove and actively block use of the anonymous browsing technology from their networks.
The warning comes in the latest Threat Intelligence Report from IBM X-Force, the company’s security research team. IBM said that Tor use is frequently connected with malicious activity – from ransomware to hacking attempts - in forensic investigations of customer incidents. IBM advises IT administrators to eradicate any Tor nodes from their network.
“An administrator is unlikely to want someone to implement a Tor relay on network assets where the administrator has ultimate responsibility,” the report notes. “In essence, running a Tor relay is a donation of bandwidth and an open door to several forms of liability."
A Tor relay running on a enterprise network could be used to facilitate an attack within that environment or on other networks, the report concludes.
IBM says that companies should create a “comprehensive corporate policy” for acceptable use of the company’s network that would prohibit the use of unapproved encrypted proxy services or "personally subscribed proxy services" like Tor. Companies should also take steps to prevent employees from using unapproved external devices (like USB drives) and disabling the Autorun feature, or from configuring their work systems to boot into alternative operating systems, like the privacy-protecting TAILS OS.
IT departments should take steps to make sure company devices can only boot to the hard drive (like altering the BIOS) and take steps to block access to known Tor relays and exit nodes, as well as sites from which the software can be downloaded.
Conflicts like this are nothing new. It’s a truism that many privacy-enhancing technologies do double duty as crime abetting technologies. This has always been the case. The royal families of Europe were among the most enthusiastic adopters of cryptography to protect sensitive communications. Louis XIV had a court cryptographer who developed a unique encryption algorithm - dubbed the Great Cipher - just for him and his closest advisors. In England, a cipher was used in the Babington Plot to conceal the meaning of messages plotting the overthrow of Queen Elizabeth I.
So it is with Tor, which is a neutral platform that shields both mundane e-mail communications and web browsing sessions as well as illicit drug purchases on dark markets like Agora.
In the modern context, the issues of use and misuse often inform public debates about technologies like encryption, as governments look for ways to limit the spread of super-strong encryption tools so as to maintain their ability to spy on enemies, prevent crimes and, presumably, protect their interests. In the 1990s, the U.S. government’s effort to limit the spread of public key encryption technology was unsuccessful. But the issue has come roaring back in the wake of the Edward Snowden revelations, as Internet users clamor for better protection of their personal data, while governments and law enforcement worry they will be blinded to the work of terrorists, criminals and nation-state actors by such technologies.
So consider this one more consequence of the Snowden revelation: a keen awareness among employees of the many ways that their boss, employer, or government might spy on their thoughts, writings and online activities. And, clearly, most users of Tor use the technology out of concern for their privacy, not a desire to engage in illegal or deceptive activity.
From the enterprise’s standpoint, however, intent really doesn’t matter. Any use of encryption technology that isn’t explicitly sanctioned by the enterprise (for example: in connection with a specific application, third party integration or business process) is likely to be “bad news” for the organization – a telltale sign of malware compromise or data exfiltration by a malicious insider or a third party.
Where does this leave the privacy-loving employee? Out in the cold, unfortunately. The simple truth is that – in the U.S., anyway – you have no expectation of privacy when you’re using your employer’s technology and its network to conduct your business. Privacy enhancing technologies like Tor and TAILS are a great idea for personal use at home and in the local Starbucks. Unfortunately, you’ll also have to check them at the office door.