IBM’s Security Report Suggests Users To Avoid TOR

Security researchers have suggested that corporations and enterprises block all of the encrypted and anonymised traffic they receive through the network called The Onion Router (widely known as TOR), both to secure their corporate networks and to avoid becoming legally liable for cyber attacks, malware distribution or the transmission of criminal material, according to the third-quarter report published by IBM Security’s X-Force Threat Intelligence division.



For those who don’t know, the TOR network was initially designed back in 2004 by the United States Navy’s research department to give its members a secure network that anonymised their Internet traffic, in order to protect the communications of US Navy officials.

TOR later gained wide popularity among Internet users who wanted to browse the World Wide Web anonymously. But, as with every piece of software, it has both positive and negative uses, and the tool increasingly spread among hackers interested in launching various types of malware and ransomware attacks, becoming a serious threat to the safety and security of the Internet.

The X-Force report reveals that the TOR network is being used to carry out numerous attacks and that the number of attacks has been increasing every year. The researchers have been actively monitoring TOR exit nodes to identify the types of attack originating from the network.

From the beginning of January 2015 until May 2015, almost 200,000 malicious events originated from the TOR network in the United States alone, the report reveals.

[Figure: Tor network malicious events, by originating country]

The most common types of attack carried out over the TOR network, according to the X-Force researchers, are SQL injection (SQLi), vulnerability scanning and Distributed Denial of Service (DDoS) attacks.

The report also outlines the ways attackers can abuse your corporate network to distribute malware, and how you can protect your network to safeguard yourself from legal charges.

For example, a connection to a TOR circuit can easily be established from a USB flash drive carrying The Amnesic Incognito Live System (TAILS), a Linux-based operating system, without the attacker installing anything on the targeted corporate computer, leaving no evidence on the affected system or network. This turns your network into a privately subscribed, encrypted proxy.

We believe no corporation would want to see a TOR node running on its network, given the serious concerns it raises for the network’s safety. The security researchers said in the report:

“Running a TOR relay is a donation of bandwidth and an open door to several forms of liability. More important, if a TOR relay is running on a network, the administrator could be an unwilling facilitator of an attack on other networks or within his or her own networks.”


For corporations, X-Force has listed recommended steps to prevent their networks from being used by TOR relays while further protecting them. The recommendations include:

  • Prohibiting the use of unapproved encrypted proxy services
  • Prohibiting the use of personally subscribed proxy services
  • Prohibiting the downloading and installation of unapproved software
  • Prohibiting the use of personally owned removable devices such as USB, optical media and Secure Digital (SD) cards
  • If the use of removable media is required, mandating the use of only company-approved devices
  • Prohibiting the booting of corporate computers to any other media than the hard drive
  • Altering the BIOS of computers to boot only to the hard drive
  • Disabling autorun for removable devices
  • Using publicly available lists of proxy nodes to block network traffic to and from those sites
  • Implementing a comprehensive desk audit program to ensure compliance.

They also recommend that every network be configured to automatically deny any connection request to or from an anonymizing network.
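The two network-side steps above (blocking traffic to and from publicly listed proxy nodes, and denying connections to or from an anonymizing network) can be put into practice as follows. This is an added example, not code from the IBM report: it parses the record format used by the Tor Project's public exit-address list (the records, fingerprints and firewall log lines here are constructed samples using RFC 5737 test addresses), flags log lines that touch a listed exit and renders block rules for the listed addresses.

```python
import ipaddress
import re

# Constructed sample in the record format of check.torproject.org/exit-addresses; fingerprints are dummies.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2015-05-01 10:00:00
LastStatus 2015-05-01 11:00:00
ExitAddress 203.0.113.7 2015-05-01 11:02:00
ExitAddress 203.0.113.8 2015-05-01 11:02:00
ExitNode 0000000000000000000000000000000000000002
Published 2015-05-01 10:30:00
LastStatus 2015-05-01 11:00:00
ExitAddress 198.51.100.23 2015-05-01 11:05:00
"""

def parse_exit_addresses(text):
    """Collect every ExitAddress IP in a bulk exit list; other record lines are skipped."""
    ips = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            ips.add(ipaddress.ip_address(parts[1]))
    return ips

# Constructed iptables-style log lines; RFC 5737 test addresses throughout.
SAMPLE_LOG = [
    "May  1 11:10:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 DPT=443",
    "May  1 11:10:05 fw kernel: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 DPT=80",
    "May  1 11:11:09 fw kernel: OUT=eth0 SRC=192.0.2.12 DST=198.51.100.23 DPT=9001",
]
ADDR_RE = re.compile(r"\b(SRC|DST)=(\d+\.\d+\.\d+\.\d+)")

def flag_tor_traffic(log_lines, exit_ips):
    """Return (line, direction, ip) for each line whose SRC or DST is a listed exit.
    An inbound hit is an exit node talking to us (the attack traffic in the report);
    an outbound hit is an internal host reaching a listed relay."""
    hits = []
    for line in log_lines:
        for key, ip in ADDR_RE.findall(line):
            if ipaddress.ip_address(ip) in exit_ips:
                hits.append((line, "inbound" if key == "SRC" else "outbound", ip))
    return hits

def iptables_rules(exit_ips):
    """One DROP rule per listed IP in each direction, in iptables syntax."""
    return [f"iptables -A {chain} {flag} {ip} -j DROP"
            for ip in sorted(exit_ips)
            for chain, flag in (("INPUT", "-s"), ("OUTPUT", "-d"))]
```

Exit lists cover only exit relays, and a Tor client's first hop is normally a guard, so outbound matches are a partial signal; a full relay list is needed to catch internal hosts joining the network.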
