ARN

Privacy rollback can cause headaches for corporate security pros

Tracking down who’s using Tor can be a nightmare

Corporate security pros can add a new task to their busy days: handling panicky employees worried about privacy who are using the onion router (Tor) browser as a way to protect their online activity.

That practice translates into additional security alerts that require time-consuming manual sorting to determine whether the persons behind Tor sessions are friend or foe, says George Gerchow, vice president of security and compliance at Sumo Logic.

Ever since congressional action started a few weeks ago to roll back privacy regulations governing ISPs, Gerchow says has seen a dramatic increase in the use of Tor for accessing his company’s services, meaning security analysts have to check out whether the encrypted, anonymized traffic coming through Tor is from a legitimate user.

Because the source address is that of a Tor node, it’s difficult to determine whether the sender is actually authorized. These login attempts from Tor could originate from attackers who have stolen a legitimate user’s credentials, he says. So that kicks in an investigation.

“We start forensics right away,” Gerchow says. “Is it really a customer? Is it really the person we think it is?”

In some cases finding out means directly contacting the person whose login was used to confirm that their credentials haven’t been compromised. Tor sessions used to crop up once a week or so, but now they roll in as often as 15 times a day, he says. That means added workload for security analysts.

Gerchow says that so far every Tor login session Sumo Logic has come across proved to be a legitimate user who has taken to using the browser on their own initiative to prevent ISPs from selling browsing history to marketers so they can direct ads at them. “People are just trying to protect themselves,” he says.

But the danger is that if so many of these come in and are found not to be threats then analysts become numb to them. Eventually one of the Tor logins will be an attacker. “What if we miss one?” he says.

Gerchow’s looking for ways to automate the process in order to reduce the time it takes to check out these logins. He’s also urging universal use of multi-factor authentication to make it that much harder for attackers to compromise credentials.

Privacy rollback aftermath

Use of Tor and other means to obfuscate who’s using the internet are likely to increase now that President Donald Trump has signed the rollback into law.

The law nullifies regulations set by the Federal Communications Commission in December that made ISPs get customer approval before they could sell information about their browsing habits. Now ISPs can sell it by default and customers have to opt out, a more involved process, says Ernesto Falcon, legislative counsel for the Electronic Frontier Foundation.

The legislation also bars the FCC from addressing this issue in the future. Enforcing privacy is now shifted to the Federal Trade Commission.

+ RELATED: 10 privacy tips for the post-privacy internet +

Falcon predicts that at some point ISPs will push the envelope on selling this data and there will be pushback. “The day will come when the FCC will have to act because something so egregious happens,” he says.

Jonathan Hill, dean of the Seidenberg School of Computer Science and Information Systems at Pace University, is similarly concerned. “The Pandora’s box is now open, and we don’t know what’s going to fly out,” he says.

Businesses have other reasons to worry about the new law, Hill says. Most businesses have contracts with their providers that spell out limits on what they can do with browsing histories, but there are cracks that these restrictions could fall through. For example, telecommuters likely use their home internet service, so that consumer account would not be subject to the contract, Hill says.

He recommends that businesses review those contracts to be sure they restrict use of these histories.

ISPs are not allowed to sell information that is directly linked to an individual’s name, he says, but that data is stored by ISPs. The fear is that the data and the personal identification could somehow be hacked, he says.

Training of employees on safe browsing is important in general, he says. Traveling workers should avoid using airport Wi-Fi, he says, because glimpses of browsing and hence what the employee is interested in, can be hacked. Knowing that could be valuable to competitors, he says. “Don’t connect to airport Wi-Fi except with a VPN,” he says.

Omer Tene, vice president of research at the International Association of Privacy Professionals, is less concerned that ISPs will actually violate corporate privacy agreements, but he does recommend use of encryption or a VPN when connecting to corporate resources. “There are bigger threats out there than Verizon,” he says.