Corporate security pros can add a new task to their busy days: handling panicky employees worried about privacy who are using the onion router (Tor) browser as a way to protect their online activity.
That practice translates into additional security alerts that require time-consuming manual sorting to determine whether the persons behind Tor sessions are friend or foe, says George Gerchow, vice president of security and compliance at Sumo Logic.
Ever since congressional action started a few weeks ago to roll back privacy regulations governing ISPs, Gerchow says he has seen a dramatic increase in the use of Tor for accessing his company’s services, meaning security analysts have to check out whether the encrypted, anonymized traffic coming through Tor is from a legitimate user.
Because the source address is that of a Tor node, it’s difficult to determine whether the sender is actually authorized. These login attempts from Tor could originate from attackers who have stolen a legitimate user’s credentials, he says. So that kicks in an investigation.
“We start forensics right away,” Gerchow says. “Is it really a customer? Is it really the person we think it is?”
In some cases finding out means directly contacting the person whose login was used to confirm that their credentials haven’t been compromised. Tor sessions used to crop up once a week or so, but now they roll in as often as 15 times a day, he says. That means added workload for security analysts.
Gerchow says that so far every Tor login session Sumo Logic has come across proved to be a legitimate user who has taken to using the browser on their own initiative to prevent ISPs from selling browsing history to marketers so they can direct ads at them. “People are just trying to protect themselves,” he says.
But the danger is that if so many of these come in and are found not to be threats then analysts become numb to them. Eventually one of the Tor logins will be an attacker. “What if we miss one?” he says.
Gerchow’s looking for ways to automate the process in order to reduce the time it takes to check out these logins. He’s also urging universal use of multi-factor authentication to make it that much harder for attackers to compromise credentials.
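One shape such an automated first pass could take, as an added example that is not Sumo Logic’s code: flag successful logins whose source address is on a Tor exit-node list, and rank them for the analyst, raising priority when MFA was absent or the same account also saw failed attempts. The log line format, the exit-node addresses and the priority rules are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a real Tor exit-node list (RFC 5737 test addresses).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Constructed sample auth log lines in a hypothetical format:
# <timestamp> <user> <source ip> mfa=<yes|no> result=<success|failure>
AUTH_LOG = """\
2017-04-04T09:12:01Z alice 192.0.2.10 mfa=yes result=success
2017-04-04T09:15:44Z bob 198.51.100.7 mfa=no result=success
2017-04-04T09:16:02Z carol 203.0.113.42 mfa=yes result=success
2017-04-04T09:20:30Z bob 198.51.100.7 mfa=no result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) "
                     r"mfa=(?P<mfa>yes|no) result=(?P<result>\w+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    ipaddress.ip_address(event["ip"])  # raises ValueError on a malformed address
    return event

def triage(events, exit_nodes=TOR_EXIT_NODES):
    """Return one triage record per successful Tor-sourced login, highest priority first.
    Logins from non-Tor addresses are left to normal monitoring."""
    failures = Counter(e["user"] for e in events if e["result"] == "failure")
    findings = []
    for e in events:
        if e["ip"] not in exit_nodes or e["result"] != "success":
            continue
        reasons, priority = ["source is a Tor exit node"], "medium"
        if e["mfa"] == "no":
            reasons.append("no MFA on this login")
            priority = "high"
        if failures[e["user"]]:
            reasons.append(f"{failures[e['user']]} failed login(s) for this account")
            priority = "high"
        findings.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                         "priority": priority, "reasons": reasons})
    findings.sort(key=lambda f: f["priority"] != "high")  # high first
    return findings

def triage_log(text):
    """Parse a whole log and triage it; unparseable lines are skipped."""
    return triage([e for e in map(parse_line, text.splitlines()) if e])
```

The output is a ranked worklist, not a verdict: a high-priority record is the one to confirm with the user first, exactly the step described above.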
Privacy rollback aftermath
Use of Tor and other means of obscuring who is using the internet is likely to increase now that President Donald Trump has signed the rollback into law.
The law nullifies regulations set by the Federal Communications Commission in December that made ISPs get customer approval before they could sell information about their browsing habits. Now ISPs can sell it by default and customers have to opt out, a more involved process, says Ernesto Falcon, legislative counsel for the Electronic Frontier Foundation.