Close door on TOR or face liability for threats: researchers

Enterprises and other organisations must block encrypted, anonymised traffic via The Onion Router (TOR) network to prevent them from becoming liable for transmitting criminal material, malware and cyber attacks, researchers have warned.

TOR was originally devised and deployed by a research unit of the United States Navy in 2004. It provides a way to obfuscate and hide internet traffic, and the US Navy intended TOR to be used to protect government communications.

Since then however, TOR has increasingly become a tool used by digital miscreants to anonymously conduct attacks and to transmit ransomware payments, malware and other threats, IBM's X-Force security unit stated it its latest quarterly report [pdf].

Attacks such as Structured Query Language database command injections (SQLi), vulnerability scanning and denial of service have all started emanating from the TOR network in great numbers, X-Force warned.

Part of the problem is that it's very easy to set up and run temporary TOR instances, for example by simply booting up a corporate computer through a memory stick loaded with The Amnesic Incognito Live System (TAILS) Linux distribution, which leaves no trace of itself once shutdown and disconnected.

A TOR node running on a business network could have severe consequences, the researchers said.

"In essence, running a TOR relay is a donation of bandwidth and an open door to several forms of liability. More important, if a TOR relay is running on a network, the administrator could be an unwilling facilitator of an attack on other networks or within his or her own networks," the researchers wrote.

X-Force recommended administrators block access to the TOR website and other anonymising sites associated with the project.

To further lock down corporate networks and prevent TOR nodes running, X-Force suggested a range of policies to be implemented. These include:

• Prohibiting the use of unapproved encrypted proxy services
• Prohibiting the use of personally subscribed proxy services
• Prohibiting the downloading and installation of unapproved software
• Prohibiting the use of personally owned removable devices such as USB, optical media and Secure Digital (SD) cards
• If the use of removable media is required, mandating the use of only company-approved devices
• Prohibiting the booting of corporate computers to any other media than the hard drive
• Altering the BIOS of computers to boot only to the hard drive
• Disabling autorun for removable devices
• Using publicly available lists of proxy nodes to block network traffic to and from those sites
• Implementing a comprehensive desk audit program to ensure compliance.

X-Force noted that use of TOR by ransomware distributors to receive payments has risen in the last couple of years, with one variant, CryptoWall, netting blackmailers US$18 million in 2015 alone.