Illustrated photo of a person typing on a computer keyboard


(The RAND Blog)

December 17, 2014

Preventing Cyber Attacks: Sharing Information About Tor

Photo by Kacper Pempel/Reuters

by Dan Gonzales

A number of cyber security bills have been under consideration in Congress for several years that would require more information sharing between the U.S. government and private industry. The intent of these bills is to protect critical infrastructure and financial firms in the United States by helping to prevent cyber attacks. Private industry has resisted some bills because they may require U.S. firms to share sensitive and possibly proprietary information with the government. Those are legitimate concerns. However, information can flow the other way, too. Little has been said about U.S. government information that could and should be shared to enhance the cyber security of private firms. At least one type of information should be shared with U.S. critical infrastructure and financial firms—the IP addresses of Tor network nodes. Tor is a global network that helps users maintain anonymity by obfuscating users' true online locations. While it has many benefits, it is increasingly used to hide criminal activity online. The recent cyber attacks against JPMorgan Chase and Sony Pictures Entertainment highlight the need for such information sharing.

Earlier this year unknown cyber attackers infiltrated the network of one of the largest banks in the U.S. financial system, JPMorgan. The malware used in the attack slipped by the bank's antivirus filters, a not uncommon scenario today. The attack was discovered only by accident. An external website, used to register runners for a JPMorgan sponsored charity race, was found to be hacked. The command-and-control servers for the malware used in the attack against the race website and the bank turned out to be the same. The IP addresses for these servers provided a valuable clue needed to identify the bank compromise. In this case, the compromise was caught early enough so that no financial information was compromised. Even so, the names and email addresses of JPMorgan account holders that were stolen from the bank were posted on black market sites and forums hosted on Tor.

The recent attack on Sony Pictures was equally sophisticated. Command and control of the malware used in the attack appears to have originated from a luxury hotel in Bangkok, Thailand. This piece of information was obtained by IP address sleuthing. A large amount of personal data, including digital copies of several unreleased movies (perhaps several terabytes), was copied and moved from the movie studio through the Sony PlayStation network. The PlayStation network runs on the Amazon Web Services cloud. The stolen movie studio network data exited Sony Pictures through the PlayStation network, and then was sent to a number of file sharing sites via Tor. This circuitous route was used to mask the trail of the attackers and to enable large amounts of stolen data to be stealthily removed from the Sony network.

A few days ago, in a non-public report obtained by Krebs on Security, the U.S. Department of the Treasury issued a warning to U.S. banks to block account transactions that use Tor. The Treasury report found that the majority of bank account takeovers by cyber thieves might have been prevented had affected banks blocked transactions coming through Tor.

Tor, like other anonymity networks, has many legitimate uses. It is used by journalists, human rights defenders, and pro-democracy activists in countries where censorship is common and Internet access is tightly controlled and monitored. However, as cyber attackers become more sophisticated, they may use the Tor network in more cyber attacks, and use it to exploit the data they capture from critical infrastructure and financial firms. This will make it increasingly difficult for defenders to track and protect against cyber intrusions. There is no reason why legitimate bank customers, studio employees, or others that need to communicate with private firms like Sony Pictures or JPMorgan would need to use Tor. The U.S. government should provide the information it has on the constantly changing set of Tor nodes that exist around the globe. Tor IP addresses could then be blocked to prevent potentially damaging cyber attacks in the future.

Daniel Gonzales is a senior physical scientist at the nonprofit, nonpartisan RAND Corporation.

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.

Related Resources