Slashdot Mirror


IBM Tells Administrators To Block Tor On Security Grounds

Mickeycaskill writes: IBM says Tor is increasingly being used to scan organizations for flaws and launch DDoS, ransomware and other attacks. Tor, which provides anonymity by obscuring the real point of origin of Internet communications, was in part created by the US government, which helps fund its ongoing development, due to the fact that some of its operations rely on the network. However, the network is also widely used for criminal purposes. A report by the IBM says administrators should block access to Tor, noting a "steady increase" in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic. "Spikes in Tor traffic can be directly tied to the activities of malicious botnets that either reside within the Tor network or use the Tor network as transport for their traffic," said IBM. "Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions."

70 comments

  1. See.. by t20alex · · Score: 0

    This is why we can't have nice things.

    1. Re: See.. by Anonymous Coward · · Score: 1, Insightful

      Internet is also used for all kind of attacks. So I guess it should be banned too!

    2. Re:See.. by lgw · · Score: 2

      Not clear from TFS whether they're talking inbound or outbound. Inbound blocking makes sense for anything not open to the general public. Outbound blocking? Good luck with that, IBM.

      TOR has been blocked in China for many years, but it still works. There's been a blocking/stenography arms race happening between the Great Wall and TOR for years. I don't know anything about the technical details, but it seems a safe guess that TOR "bridge" connections successfully bypass all the easy or obvious ways of blocking TOR. Of course, a whitelist of allowed outbound sites will always work.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    3. Re:See.. by Anonymous Coward · · Score: 1

      This won't work. There is a component within the pluggable transports component called meek which basically creates a bridge for users of shared services. The core of what the pluggable transport plug-in does is disguise the traffic to look like other types of traffic. By combining this with other services an adversary can't tell the difference between Tor traffic and non-Tor traffic and combined with something called meek any blocking of a meek-bridge would have significant collateral damage anyway. There are bridges for Amazon, Azure, Google, and others. Blocking of these would cause serious economic damage. China has presumably accidentally caused such damage already. They blocked HSBC and those in China couldn't access it for days as a result. HSBC is a major major international bank.

    4. Re:See.. by Anonymous Coward · · Score: 3, Interesting

      China is getting pretty good at it though. What is working may be blocked in 6-8 hours. It is a cat and mouse game, but that cat is getting quick, and the mice population is dwindling.

      In general, if there are a lot of different connections made by different browsers [1] coming from one IP, it is suspect, and a site needs to go like Google and have a CAPTCHA before someone can move past the intro screen. CloudFlare is a good front gate to have for almost any website because of this.

      As for blocking exit nodes, it is a common sense thing to block them via the router, OS stack, and application. In fact, if a node winds up on TOR at all, it winds up getting blocked just in case. This, combined with common sense IP geoblocking, cuts down enormously on the amount of attacks a site has to deal with.

      [1]: Try eff.org's Panopticlick. There is yet to be a functional Web browser that isn't uniquely identified.

    5. Re: See.. by Anonymous Coward · · Score: 0

      This is the most uninformed post ever, have you not bothered to read about the technology deployed against the backbone network you keep calling the internet? Do you not grasp the fact that the "linux" you are referring to is in fact cisco and other *nix systems actually routing the traffic, which themselves can and have been compromised?

      And let's just ignore all of the LINUX servers (cent, RHEL, solaris) I've had to patch over the past years because of horrible flaws that led to remote code execution, privilege escalation..... and botnets.

      "Ransomware has everything to do with Windows"
      Windows and MAC you mean, because they are the lion's share of the market no matter how butt hurt you are about it. But I agree, I have yet to hear of a ransomware attack against a linux system, desktop or server.

      "When OEM's deliver PC's with Linux, end users get safer immediately."
      False again, you are the guy making us linux users look like douches, I hope you understand this. "Linux is safer" is a myth. Linux gives us much more power and control, if we LEARN how to exercise it. You can secure a windows box just as tight as the best linux box, if you bother to learn how. The issue with "linux being safer" is 100% related to the fact that until recently, you had to LEARN how to use linux to use it, and by extension, those running linux had a better understanding of computers than the average windows user.

      Find me a fortune 500 company running a pure linux environment (network not just workstations). You won't. Find me one running a MAC network. You won't, doesn't exist, Apple computers own network is a windows network.

      The safety of an OS relies on 2 things: #1 The ability to have control over the OS & #2 Understanding how to use this control.

      Windows 10 is still brand new, and as many people are pointing out, has completely failed on #1. Does this mean that windows user is safer just booting into Linux? Hell no, if they are an average user they are not that much safer from attack. It should, however, reduce the amount of malware they need to worry about. Problem there is, an un-educated linux user is open to much more than malware.

      The user of the OS dictates the "safeness" of it. Most windows users are not that good at being more than a user, education can fix this. And let's not forget that those who are building the botnets and writing the code are doing so on linux and even Macs. The more average users using the OS, the more we'll see targeted attacks. IOS attacks are on the upswing and that correlates with market penetration.

      Why any corporate network would allow TOR traffic is beyond me, so this can only really be an issue from the outside, they might be able to DDoS or scan you, but that's on your network architect and security designer to ensure your infrastructure is protected. You wouldn't allow that traffic internally.

    6. Re: See.. by Anonymous Coward · · Score: 0

      This is the most uninformed post ever, have you not bothered to read about the technology deployed against the backbone network you keep calling the internet? Do you not grasp the fact that the "linux" you are referring to is in fact cisco and other *nix systems actually routing the traffic, which themselves can and have been compromised?

      OK dickhead I'll bite. Since you want to speak in absolutes, this was NOT the most uninformed post ever. If you do need some examples, ask. I'd be happy to waste some time proving that there are more uninformed posts around. I do realize other OS's exist in cyberspace besides Linux. I left that as common sense that every Oracle device on Earth doesn't necessarily have top running 24/7 in Linux dickhead. I didn't post a comment on slashdot as Internet Scripture. What I said is not comprehensive, tool. What I said is correct.

      And let's just ignore all of the LINUX servers (cent, RHEL, solaris) I've had to patch over the past years because of horrible flaws that led to remote code execution, privilege escalation..... and botnets.

      Sure dummy. Really elaborate that OS's besides Windows have had patches for security vulnerabilities in the past. Go off on it. Why didn't you list every single patch ever applied to every version of every OS though? Damn, don't you even know shit?

      "Ransomware has everything to do with Windows"
      Windows and MAC you mean, because they are the lion's share of the market no matter how butt hurt you are about it. But I agree, I have yet to hear of a ransomware attack against a linux system, desktop or server.

      Yes, again, I of course know Mac's have been hosed. eg. the one where they got exploited by visiting a Mac dev site. Everybody knows this shit already. You are again trying to imply that MS has the lion's share of the market because it's "better". Idiot, it sucks ass. Linux is better. Linux is better than Mac OS X too. I use them all. I have them all installed AS I SPEAK.

      Find me a fortune 500 company running a pure linux environment (network not just workstations). You won't. Find me one running a MAC network. You won't, doesn't exist, Apple computers own network is a windows network.

      http://www.tecmint.com/big-companies-and-devices-running-on-gnulinux/

      You can really search this shit yourself. You thought nobody would look back on an AC post, right? Dickhead.

      "When OEM's deliver PC's with Linux, end users get safer immediately."
      False again, you are the guy making us linux users look like douches, I hope you understand this. "Linux is safer" is a myth. Linux gives us much more power and control, if we LEARN how to exercise it. You can secure a windows box just as tight as the best linux box, if you bother to learn how. The issue with "linux being safer" is 100% related to the fact that until recently, you had to LEARN how to use linux to use it, and by extension, those running linux had a better understanding of computers than the average windows user.

      If you think like you speak, and you use Linux, you are a douche no matter what OS you use. Your brain is Douche OS. Linux *IS* safer.
      http://www.extremetech.com/extreme/155392-international-space-station-switches-from-windows-to-linux-for-improved-reliability

      You still have to "LEARN how to exercise it" whether it is Linux, BSD, Mac, Android, Windows, etc. The point being that when you LEARN THEM ALL... LIKE I HAVE... you find out what the fuck is actually going on. I was multi-booting all existing OS's and compiling FreeBSD kernels on partition 0 as far back as at least FreeBSD 4.3. I ran Mandrake Cooker on an extended partition on drive 0, I had Solaris x86 on partition 2 of drive 1.. etc. Many partitions running many OS's even way back then dickhead. I understand how each of them inter-operate too. Windows has always been the weakest link. Windows is the piece of shi

  2. Criminals are only a subset by Anonymous Coward · · Score: 0, Insightful

    "Widely used" is just a throwaway generalization that means "this is the only thing we think this is used for."

  3. Instructions?? by zenlessyank · · Score: 0
  4. Duh by Calsar · · Score: 1

    Yes, I know some people just use Tor because they don't want the government watching them, but I block Tor on general principle. Most of the traffic coming out of Tor is malicious. The only exception would be if I was running a site with information I wanted to provide to oppressed countries.

    1. Re:Duh by Anonymous Coward · · Score: 3, Insightful

      Your an idiot. Blocking Tor *won't* do a damm thing at actually solving the security problem. All it does is give you the illusion of security when you don't know what your doing.

    2. Re:Duh by Anonymous Coward · · Score: 1

      I don't see why you're downvoted. This is true. Blocking tor isn't a solution. You should be patching your systems and not have crappy apps.

      If you have a smart load balancer that decides to threshold block tor nodes, that's fine. But explicitly blocking all tor nodes is just lazy and doesn't fix the problem.
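
The difference the comment above draws between threshold-blocking Tor exit addresses and dropping every exit outright, as an added Python example that is not part of the thread or any poster's code. The exit-list format (one address per line), the window, threshold, block time, sensitive paths and all log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)          # sliding window per exit address
THRESHOLD = 5                           # requests tolerated per window
BLOCK_FOR = timedelta(minutes=10)       # how long a tripped address stays blocked
SENSITIVE_PATHS = {"/login", "/admin"}  # hypothetical paths that get a challenge

# Common Log Format prefix: ip ident user [timestamp] "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

# Constructed exit list (RFC 5737 documentation addresses), one per line.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real exit nodes
192.0.2.10
192.0.2.11
not-an-address
"""


def load_exit_list(text):
    """Parse one address per line; '#' starts a comment; bad entries are skipped."""
    exits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return exits


def parse_line(line):
    """Return (ip, timestamp, method, path) or None if the line is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, ts, m.group(3), m.group(4)


def evaluate(log_lines, exits):
    """Decide allow / challenge / block per request; only exit addresses are rated."""
    recent = defaultdict(deque)   # exit ip -> timestamps still inside the window
    blocked_until = {}            # exit ip -> time at which its block expires
    decisions = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            decisions.append("unparsed")
            continue
        ip, ts, method, path = parsed
        if ip not in exits:
            decisions.append("allow")       # non-Tor traffic is out of scope here
            continue
        if ip in blocked_until and ts < blocked_until[ip]:
            decisions.append("block")
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:     # drop timestamps older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            blocked_until[ip] = ts + BLOCK_FOR
            q.clear()
            decisions.append("block")
        elif method != "GET" or path in SENSITIVE_PATHS:
            decisions.append("challenge")   # e.g. CAPTCHA before state-changing requests
        else:
            decisions.append("allow")
    return decisions, blocked_until


def make_line(ip, hhmmss, method, path):
    """Build one constructed Common Log Format line."""
    return f'{ip} - - [01/Jan/2024:{hhmmss} +0000] "{method} {path} HTTP/1.1" 200 512'


SAMPLE_LOG = [
    make_line("203.0.113.5", "10:00:00", "GET", "/index.html"),  # not an exit
    make_line("192.0.2.10", "10:00:01", "GET", "/index.html"),
    make_line("192.0.2.10", "10:00:02", "POST", "/login"),       # challenged
    make_line("192.0.2.11", "10:00:03", "GET", "/about"),        # quiet exit
    make_line("192.0.2.10", "10:00:03", "GET", "/a"),
    make_line("192.0.2.10", "10:00:04", "GET", "/b"),
    make_line("192.0.2.10", "10:00:05", "GET", "/c"),
    make_line("192.0.2.10", "10:00:06", "GET", "/d"),            # sixth in window
    make_line("192.0.2.10", "10:00:07", "GET", "/e"),            # still blocked
    "not a log line",
    make_line("192.0.2.10", "10:15:00", "GET", "/index.html"),   # block expired
]

if __name__ == "__main__":
    results, _ = evaluate(SAMPLE_LOG, load_exit_list(SAMPLE_EXIT_LIST))
    for decision, line in zip(results, SAMPLE_LOG):
        print(f"{decision:9} {line}")
```

The quiet exit address 192.0.2.11 is never blocked, which is the behaviour a blanket exit-list drop cannot give you.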

    3. Re:Duh by Anonymous Coward · · Score: 0

      You clearly believe that the lock on your front is adequate security, no layered defense for you.

    4. Re:Duh by Calsar · · Score: 4, Insightful

      I didn't say blocking Tor made you secure, I simply said traffic coming out of Tor is malicious and should be blocked. If you think blocking Tor makes no difference you are wrong. A lot of attacks are coming out of Tor and you can eliminate them with little effort.

    5. Re:Duh by X.25 · · Score: 1

      Yes, I know some people just use Tor because they don't want the government watching them, but I block Tor on general principle. Most of the traffic coming out of Tor is malicious. The only exception would be if I was running a site with information I wanted to provide to oppressed countries.

      You have access to all outgoing Tor traffic?

      Nice.

    6. Re:Duh by Anonymous Coward · · Score: 0

      Yeah. Those 5kbit DDOSes from Tor are very scary.

    7. Re:Duh by by+(1706743) · · Score: 1

      Your an idiot.

      ...don't know what your doing.

      Good effort, but next time go for the triple combo!

    8. Re:Duh by Anonymous Coward · · Score: 1

      I sympathize with your position, I really do, but where does that argument end? A lot of email is malicious too--should we just start blocking that? Webpages are often malicious as well. Come to think of it, maybe we should just keep all of our networks local.

      Tor has lots of good purposes also. Blocking it completely seems like an indiscriminate solution.

    9. Re:Duh by orlanz · · Score: 2

      On a personal network... I don't care, your choice. But on a business network, this is a no brainer. It's clearly from IBM's "No shit Sherlock" department. Some intern needed to write a security recommendation. Few enterprises have a business need for Tor, so why not block it? What good reason is there to have it unblocked?

      As for where it stops ummm... when it actually hinders your business? If your business doesn't have ANY need to load webpages (ie: the book network at a stock exchange), then yes, you block standard webpages. Of course if your business relies on Tor (clearly not a publicly traded company); then you wouldn't block it either. Additionally, you may not block it on your dev, guest, or honeypot network.

    10. Re:Duh by Anonymous Coward · · Score: 0

      Of course if your business relies on Tor (clearly not a publicly traded company);

      How about you dialling back the presumptions and generalizations a bit, focusing more on things you know and less on things you fairly obviously are just speculating (being kind here) about?

    11. Re:Duh by Anonymous Coward · · Score: 0

      I sympathize with your position, I really do, but where does that argument end? A lot of email is malicious too--should we just start blocking that? Webpages are often malicious as well. Come to think of it, maybe we should just keep all of our networks local.

      Tor has lots of good purposes also. Blocking it completely seems like an indiscriminate solution.

      "We've determined that the internet is responsible for all botnet attacks, so we're blocking the internet."

  5. Another layer by TechyImmigrant · · Score: 2, Informative

    I presume the enterprising TOR user could set up a couple of machines A and B somewhere on the internetz to act as a personal TOR entry and exit point. VPN to A. A TORs to B. B talks to the internetz.

     

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re: Another layer by Anonymous Coward · · Score: 2, Informative

      That would defeat the purpose and isn't how Tor works.

    2. Re: Another layer by TechyImmigrant · · Score: 1

      Yes. It's just an indirection to prevent attacks or filters at the entry and exit points.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Another layer by Anonymous Coward · · Score: 0

      I'm replying to your sig:
      Smarter people than you have committed suicide. I don't think it's a very convincing argument, but then again, I'm not smarter than them either.

    4. Re:Another layer by Anonymous Coward · · Score: 0

      Then machine "B" gets nailed by every LEO from Interpol down to the local dogcatcher.

      The best way is to have an account with a VPN service, and use TOR in front. The VPN's IP space will be viewed as dodgy, but not outright banned like all TOR nodes tend to be.

    5. Re:Another layer by TechyImmigrant · · Score: 1

      You could read the paper and see if the data speaks for itself.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    6. Re:Another layer by Anonymous Coward · · Score: 0

      Nice Try! I'm behind 7 layers of proxies!

    7. Re:Another layer by TechyImmigrant · · Score: 1

      Then machine "B" gets nailed by every LEO from Interpol down to the local dogcatcher.

      The best way is to have an account with a VPN service, and use TOR in front. The VPN's IP space will be viewed as dodgy, but not outright banned like all TOR nodes tend to be.

      I wasn't proposing that as a way to conduct illegal activities. I was proposing that as a way of getting around your employer's TOR block. Practically you only need machine A for most situations.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    8. Re:Another layer by Swave+An+deBwoner · · Score: 1

      Why not try an all meat diet? Smarter people than you do: http://www.jbc.org/content/87/...

      Interestingly that article you link to was published in February 1930, right near the start of the "Great Depression" and states that "These studies were supported in part by a research grant from the Institute of American Meat Packers". They were probably scared stiff that nobody would be left with enough pennies in their pocket to buy meat.

      You want smart people? "It is my view that the vegetarian manner of living by its purely physical effect on the human temperament would most beneficially influence the lot of mankind." - Albert Einstein in a letter to "Vegetarian Watch-Tower", 27 December 1930

  6. This isn't security it's security theatre by Anonymous Coward · · Score: 1

    Blocking Tor doesn't do a damn thing for real security. It won't stop the "attacks". There are plenty of other avenues for malicious parties to use. The idea that getting rid of Tor somehow will stop the attack is just plain silly. It might sound good to the CEO, protect your job, etc. It won't actually improve security. If you want to improve security start with ridding your company of the proprietary software whose holes *can't* and won't be fixed. Fund *bug hunting*, reduce the bloat in your applications, etc. Those are the things that will help security. If you're concerned with DDoS attacks which are genuine concerns (even if not really a security issue) then go sign up for CloudFlare or a similar service- you don't even need to enable it by default- just set it up so upon a DDoS being directed at your company you can *bring it up*.

    1. Re:This isn't security it's security theatre by TheCarp · · Score: 5, Insightful

      > Blocking Tor doesn't do a damn thing for real security. It won't stop the "attacks". There are plenty of other avenues for malicious parties to use.

      While mostly true, you do have to consider that exit nodes that are on your internal network are probably bad juju.

      Personally, I am all for using tor, but I wouldn't want to see random users putting up exit nodes inside my network. Exit nodes really should be set up with a bit more care to make sure they can't be used to access internal hosts, especially if internal networks have public IPs, which while less common these days, is not unheard of.

      My previous 2 employers both used public IPs on their internal networks (and each had their own class public B). So, by default, a tor exit node would constitute a hole in the firewall unless specifically set up to restrict access to "local" IPs.

      Not unmanageable at all if you want to manage it, but, not something you want to leave in the hands of Bob in accounting.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:This isn't security it's security theatre by Anonymous Coward · · Score: 0

      You're assuming that the defaults actually allow Tor users to exit to the private IP space. I'm 99.5% confident that isn't the case. Users are restricted to accessing the public IP address space. Otherwise I'd agree- it's not a wise move. Though I think attacking Tor is the wrong approach anyway. If you're concerned about things like printers being vulnerable within your network maybe you should start investing in improving the security of printers. Demand suppliers release code, implement / develop secure printing software (ie so that other users on the network doing the printing can't see what other users are printing), etc.

      My company does work on solving real security related issues like this and the first part of the problem is getting other companies to cooperate and begin releasing code under free software licenses. This way we and others can scrutinise the code, improve it, flash the devices with hardened versions, etc.

      Right now we don't focus on the enterprise market though which is humorous considering that's where the *real* need for security is. Not in the consumer market.

    3. Re:This isn't security it's security theatre by Anonymous Coward · · Score: 0

      OK- I failed to read the last part of your message before replying. You're correct in that this probably would open up security issues. I think though that your network is set up wrong. Wrong in the sense that each individual machine be firewalled in this setup and no system should be trusting another. With proper security in place encrypting and authenticating services the problem would go away. Now your real problem is implementing the network in this way, which goes back to getting other companies to release the source code for things like printers, and so on, so that you can begin to secure these types of devices and implement encryption and authentication on devices such as network printers.

  7. Blame TOR malicious botnets .. by nickweller · · Score: 5, Insightful

    If security on these public and private-sector networks weren't so flaky, botnets wouldn't be such a problem. Remember all it took to compromise SONY was one malicious email attachment. Makes you wonder how Internet security got so bad considering folks like the NSA help these organizations secure their 'computers'.

    1. Re:Blame TOR malicious botnets .. by Nutria · · Score: 1

      considering folks like the NSA help these organizations secure their 'computers'.

      All of the technical acumen in the world can't defend against a PHB running XP who clicks on everything.

      --
      "I don't know, therefore Aliens" Wafflebox1
  8. traffic and liability by Anonymous Coward · · Score: 0

    It makes sense to block Tor at work from a traffic and liability standpoint.
    You don't want to be the administrator having to answer questions why [bad material] was being trafficked through your company.
    Also, you don't want the overhead on your pipes.

    1. Re:traffic and liability by Anonymous Coward · · Score: 0

      It's even simpler than that I'd say.

      Question: Is TOR required for the proper function of your organisation?
      If the answer is no, then why not block it? It's likely that the company is already blocking other things (such as torrents) anyway.

  9. Tor is useless by fustakrakich · · Score: 1

    If it can be blocked, or even if it's visible at all, it is dangerous for the user. If you can't blend in, you're gonna stick out..

    --
    “He’s not deformed, he’s just drunk!”
  10. Changed Headline - Now 50% Less Clear! by Dutch+Gun · · Score: 2

    You know, there's a completely different potential meaning between "IBM Tells Administrators to Block..." vs "IBM Tells Companies to Block..." I initially thought IBM was discussing an internal policy, but they're advocating that OTHER companies simply block access to TOR nodes, in case it's not clear.

    Still, blocking these nodes seems like a fairly weak approach to security, doesn't it? It's not like you can't disguise your movement by utilizing a botnet server. It's sort of like saying "we could improve our security by banning all incoming traffic from China and Russia". Well, sure, if you're willing to just block lots of legitimate users in the meantime. It would be far better to try to implement better technologies and policies that actually improve computer security, rather than feel-good measures like this.

    For starters: eliminate dependence on old, out-of-date, vulnerable web based technologies. There are many corporate customers who still must use specific VULNERABLE versions of the Java plug-in, for instance. Oh, wait though... that would cost money! Nevermind, just block the TOR nodes, ok?

    --
    Irony: Agile development has too much inertia to be abandoned now.
  11. Tor noob question by GerardAtJob · · Score: 1

    Is it possible to add a proxy after a Tor node exit, bypassing the current "Ban Tor exit nodes" thus blending with traffic? So, in theory, blocking Tor exit nodes only blocks those who only use Tor .. isn't it (Ex: Not hardcode hackers, but only Tor kiddies)?

    --
    I can't call that English ;-)
    1. Re:Tor noob question by GerardAtJob · · Score: 1

      I guess I was too technical, but it's possible.

      http://unix.stackexchange.com/...

      --
      I can't call that English ;-)
  12. "A report by the IBM..." by jfbilodeau · · Score: 2

    From the summary: "A report by _the_ IBM..."

    As opposed to just an IBM?

    --
    Goodbye Slashdot. You've changed.
    1. Re:"A report by the IBM..." by Anonymous Coward · · Score: 0

      Correct.

    2. Re:"A report by the IBM..." by by+(1706743) · · Score: 1

      Yeah, The International Business Machine. It's run by President and Commander in Chief Executive Officer Donald Trump.

  13. Anonymity is a paradox by Anonymous Coward · · Score: 1

    We say we want anonymity on the internet (and we do).

    Yet we don't want people wearing ski-masks entering banks or gas stations.

    The thing that sucks about anonymity is a small percent of people will utterly destroy it. Tragedy of the commons, I guess.

  14. No new threat. by Anonymous Coward · · Score: 0

    >> “The networks contain significant amounts of illegal and malicious activity,” IBM stated in the report.
    >> “Allowing access between corporate networks and stealth networks can open the corporation to the
    >> risk of theft or compromise, and to legal liability in some cases and jurisdictions.”

    All of the same things can be said about internet access in general. They should unplug their routers, or set up outbound-only (stateful) firewall rules.

  15. What part of "exit node" does IBM not understand? by tlambert · · Score: 1

    "IBM said its data shows a “steady increase” over the past few years in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic."

    What part of "exit node" does IBM not understand?

    Once the traffic hits an exit node, it's no longer in Tor. It's also more or less impossible to "disguise botnet traffic" using Tor, since it's not like the botnet is running an entry or exit node.

    At worst, a bot on one of your servers will hit a Tor entry node in order to disguise that the traffic is coming from *your* server, as opposed to somewhere else. Frankly, if you have a bot on one of your servers doing this (which makes really no sense, since there's really no economic value in protecting individual bots from discovery of their identity), the problem isn't Tor, it's that you've allowed your server to become a bot in the first place.

    Why IBM is involved in this anti-Tor scare tactic is anyone's guess... but if you wonder about something like that, you should probably follow the money, since blocking the Tor protocol only buys you the ability to prevent entry or exit nodes on your network, and seriously, no one is going to trust an unvalidated entry/exit node enough that they'd be willing to peer with the thing in the first place.

  16. Incremental improvements are a good thing by sirwired · · Score: 1

    It's sort of like saying "we could improve our security by banning all incoming traffic from China and Russia". Well, sure, if you're willing to just block lots of legitimate users in the meantime. It would be far better to try to implement better technologies and policies that actually improve computer security, rather than feel-good measures like this.

    Yes, in a perfect world, companies would have perfect device security and it wouldn't matter from which direction an attack came.

    But here in the real world, there is no such thing as perfect security, and every little bit helps. They aren't suggesting you block TOR and ignore your firewall and stop updating patches, just that among other security measures, this might help.

    Anyway, what possible legitimate use could TOR have in a corporate environment outside of a media organization?

    1. Re:Incremental improvements are a good thing by Spy+Handler · · Score: 1

      Yes, in a perfect world, companies would have perfect device security and it wouldn't matter from which direction an attack came.

      But here in the real world, there is no such thing as perfect security, and every little bit helps. They aren't suggesting you block TOR and ignore your firewall and stop updating patches, just that among other security measures, this might help.

      Anyway, what possible legitimate use could TOR have in a corporate environment outside of a media organization?

      Exactly right. Every little bit helps.

      If your company has no Chinese customers or suppliers or employees and does no business in China whatsoever, why not block China from your network? It's simple to do and costs nothing. Nobody is suggesting that you drop all your other security practices and rely just on blocking Chinese IPs.

    2. Re:Incremental improvements are a good thing by Dutch+Gun · · Score: 1

      I suppose it depends entirely on whether you run a consumer-facing website or not. I was initially thinking about this from the perspective of companies that run such sites, in which case it doesn't make a lot of sense. However, if you're in an entirely corporate-oriented company who typically doesn't deal directly with the general public, it probably makes some sense to do so. No client of yours is going to be running a TOR browser. IBM is among those types of companies, so I guess this advice makes sense from their perspective.

      Here's an interesting question: Is IBM following their own advice? Can you reach their site through a TOR node?

      --
      Irony: Agile development has too much inertia to be abandoned now.
  17. Once again proving.... by JustAnotherOldGuy · · Score: 3, Insightful

    Once again proving that anything that can be abused, will be abused. The spammers, scammers, and scum of the Earth will use anything they can to steal whatever they can.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Once again proving.... by Anonymous Coward · · Score: 0

      And since ANY check ultimately requires code to execute the check, and a 0/1 response, and since I can trivially NOP out your code, and change it to always return a 1, ANYTHING can be abused. And thus everything WILL be abused.

    2. Re:Once again proving.... by Anonymous Coward · · Score: 0

      ...and scum of the Earth...

      Yes, but politicians are people too. :)

    3. Re:Once again proving.... by houghi · · Score: 1

      Now, now. That is no way to talk about your government.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:Once again proving.... by JustAnotherOldGuy · · Score: 1

      And since ANY check ultimately requires code to execute the check, and a 0/1 response, and since I can trivially NOP out your code

      Exactly...and this is why DRM will always ultimately fail.

      It may take time to crack, but there's always a way around it, even if you have to tap into the analog output of whatever it is.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Once again proving.... by JustAnotherOldGuy · · Score: 1

      Now, now. That is no way to talk about your government.

      Sure it is. ;)

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re:Once again proving.... by Anonymous Coward · · Score: 0

      >Exactly...and this is why DRM will always ultimately fail.

      It doesn't fail for MMO/F2P games whose games are architected with a server backend. Just ask Warframe or Diablo 3 developers if they believe DRM has failed them.

  18. That's exactly what the bad guys will do by Anonymous Coward · · Score: 0

    That's exactly what will happen, except only criminals will be able to do that. After all they can afford the illegal options.

    The obvious bypass is to chain some hacked server/VPN/router after Tor as a proxy, and poof you both hide behind Tor and appear to be a clearnet user.

    I believe that most Tor users aren't criminals, but even if they were, blocking Tor exit nodes will accomplish absolutely nothing good.

    1. Re:That's exactly what the bad guys will do by Nutria · · Score: 1

      I believe that most Tor users aren't criminals

      What substantiates your belief?

      --
      "I don't know, therefore Aliens" Wafflebox1
  19. Re:What part of "exit node" does IBM not understan by Anonymous Coward · · Score: 0

    Once the traffic hits an exit node, it's no longer in Tor. It's also more or less impossible to "disguise botnet traffic" using Tor, since it's not like the botnet is running an entry or exit node.

    Did you even read the paper? Botnets are using Tor to scan and attack corporate networks. Blocking Tor exit nodes will block those scans and attacks.

    since blocking the Tor protocol only buys you the ability to prevent entry or exit nodes on your network

    That's why they recommend blocking all traffic to or from Tor entry and exit nodes. It is not about blocking the protocol, it's about blocking all traffic to/from known Tor nodes.

  20. Hackers? Let's not forget the terrorists! by jareth780 · · Score: 1

    Whatever is scary enough to convince us to give up privacy, that's the threat of the day. Nothing is your own except the few cubic centimetres inside your skull.

  21. Hmm by koan · · Score: 1

    Isn't TOR a little slow and lacking bandwidth to make a good hacking front?

    --
    "If any question why we died, Tell them because our fathers lied."
  22. Re:What part of "exit node" does IBM not understan by tlambert · · Score: 1

    Once the traffic hits an exit node, it's no longer in Tor. It's also more or less impossible to "disguise botnet traffic" using Tor, since it's not like the botnet is running an entry or exit node.

    Did you even read the paper? Botnets are using Tor to scan and attack corporate networks. Blocking Tor exit nodes will block those scans and attacks.

    Yes. I did. They implied but didn't specifically state, in a single sentence (the one I quoted in fact) blocking of exit nodes. All of the other sentences suggested "block Tor", which implies the protocol (which -- did you even read what I wrote? -- is pretty stupid advice).

    Do you really expect people to be able to implement TorDNSEL DNS lookups on reverse addresses for all incoming connections, or that if people start using this for blocking, that it will continue to be published? Or that if people start really banging on it with queries, it won't simply go down? Because continuing to publish as soon as even a single major ISP starts blocking on behalf of all their customers would be pretty critically stupid on the part of the Tor project, don't you think?

    You are also aware that it is at best 30 minutes out of date at all times, right?

    Also -- you are aware it's possible to run a private Tor network, since the software is Open Source, and deploy via Amazon or similar services, using stolen credit cards, so blocking the official Tor exit nodes is unlikely to be nothing more than a trigger to escalate the arms race, right?
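Added example, not part of the thread or of any poster's comment: a sketch of the exit-list matching discussed in comments 19 and 22, showing why the list's lag matters when tagging connections. The snapshot, log lines, verdict names and the 30-minute freshness window are constructed assumptions; the addresses come from documentation ranges and are not real exits.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed snapshot of exit addresses (documentation ranges, not real exits).
SNAPSHOT_TIME = datetime(2015, 8, 27, 12, 0, tzinfo=timezone.utc)
SNAPSHOT = ["192.0.2.10", "198.51.100.77", "2001:db8::5"]
MAX_AGE = timedelta(minutes=30)  # assumed freshness window, from the lag cited above

# Constructed connection log: "<ISO timestamp> <source address> <dest port>"
LOG = [
    "2015-08-27T12:05:00+00:00 192.0.2.10 443",
    "2015-08-27T12:06:00+00:00 ::ffff:198.51.100.77 22",
    "2015-08-27T12:07:00+00:00 2001:DB8:0:0::5 443",
    "2015-08-27T12:10:00+00:00 203.0.113.9 443",
    "2015-08-27T13:15:00+00:00 203.0.113.9 443",
]

def normalise(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 so both forms compare equal."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 objects have this
    return mapped or ip

def classify(line, exits, snapshot_time, max_age=MAX_AGE):
    """Return (source, verdict) for one log line."""
    stamp, src, _port = line.split()
    seen = datetime.fromisoformat(stamp)
    if normalise(src) in exits:
        return src, "tor-exit"
    # Absence from a stale list proves nothing: exits come and go.
    if seen - snapshot_time > max_age:
        return src, "unverified-stale-list"
    return src, "not-listed"

def scan(log=LOG):
    """Classify every log line against the normalised snapshot."""
    exits = {normalise(a) for a in SNAPSHOT}
    return [classify(line, exits, SNAPSHOT_TIME) for line in log]

if __name__ == "__main__":
    for src, verdict in scan():
        print(f"{src:28} {verdict}")
```

The same source address gets two different verdicts here: once the snapshot is older than the window, a miss can no longer be read as "not a Tor exit".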

  23. well duh by Anonymous Coward · · Score: 0

    ... encrypted tunnels into and out of your network, punching holes in your firewall? good idea? no way.

    If you're doing something on your employer's network you don't want your employer to see you should probably stop doing it. Your own network? Go nuts. Want to exfiltrate data from your employer? Figure out another way to do it.