TOR Exit Nodes - The Good and Bad


Those entities running TOR Exit nodes have the unique ability to monitor traffic leaving their TOR exit nodes. What they also end up doing is getting complaints, tons of them: everything from DMCA-related legal issues and police inquiries when an exit node is involved in illegal activity to large amounts of bandwidth consumption with ISPs and other "issues".

One of the things we do at Jigsaw Security is monitor who is running exit nodes and how long they have existed. Long-standing servers earn the trust of the TOR community. It's quite interesting to look at the list of exit nodes and then look at where they reside and also what ISP or organization is running the servers. In short, here are a few of the notes we have made over the years and our thoughts on TOR in general.

Why TOR?

Well, that's a hard question. The most common reason people run and use TOR-related services is that in some parts of the world Governments and Regimes deem it necessary to block their citizens from accessing damaging Internet content. In China, for instance, the Government just recently said that VPN technologies are illegal. What is scary about this is that the Government in China wants to be able to see every single thing that their citizens are looking up on search engines, what types of web pages their citizens are using and what chat applications are being used, and to see which citizens may be a threat to the Government.

What is really interesting is that TOR was developed by Naval research for providing anonymous routing of Internet traffic. The technology was extensively used to ensure that users of the network could get to websites without others being able to see where end users are going, the very reason TOR is being used in China and probably other locations. As a way to defeat eavesdropping on end users of the Internet, it's a great concept. In reality it has opened up many issues over the years for the operators of the TOR nodes on the network as well as the actual users.

Malicious TOR Exit Node Operators

In some cases the end users that access the TOR network do so to remain anonymous and to avoid Internet filtering by ISPs or Governments. The TOR traffic is encrypted except for when it leaves the exit node to retrieve the actual information being requested. Operators of these TOR exit nodes include research and development labs, security researchers, Governments, Colleges and Universities and normal everyday citizens. The Exit Node Operator can capture all traffic leaving an exit node, which sometimes includes usernames, passwords and sensitive documents if a user logs into a resource that is not public. Over the years during research we have observed everything from pornography to illegal activity. The Exit Node operators can see it all.

In the previous paragraph we mentioned that Governments provide TOR Exit Nodes, and for a very specific reason. In doing so, Governments can monitor what their users and their adversaries are doing. They can also capture important documents that they normally would not be privy to, as well as uncover the end user in some cases based on what they do. While the TOR network changes circuits several times during sessions, sometimes seeing only a few connections and what is returned on the TOR exit node is enough to do great harm.

We have observed in testing potentially damaging personal communications of some of the largest Governments and Corporations on the planet so it goes without saying that intelligence agencies are doing the same.

A look above at where these Exit Nodes are located. This is a weighted view showing concentrations

We mentioned that intelligence agencies are looking at traffic so these next maps may be of interest.

A concentration map showing many Exit Nodes being run out of the Kremlin

And last but not least, the US Government is also doing the same - Location generalized to protect the US agencies involved.

We can only surmise that Government agencies may be involved in nefarious activities to steal ideas or information that can be turned into money for black budgets for their secret projects and programs. Russia for example is well known to be heavily involved in cyber espionage where ideas and information can be stolen and turned directly into cash that can fund other operations. North Korea is suspected of launching cyber attacks to gain ransomware victims to fund their Nuclear ambitions.

As you can see, the intelligence agencies have definitely taken an interest in TOR. Don't believe us? Just start looking through some of the Science and Technology postings on the fbo.gov website and you will notice that we are very much interested in everything from unmasking TOR users to identifying weaknesses in the protocol. In fact many of the agencies are very open about wanting to have this capability.

Hackers do it too

So one other group that we see running TOR exit nodes are hackers and criminal organizations. This would explain why our Government is interested in finding out who these criminals are and to track their activity on the TOR network. Remember the Exit Node can see the unencrypted traffic as it goes to the open Internet resource whereas the TOR network itself is encrypted in a node to node configuration.

So what are some of the things hackers may be interested in on the TOR network?

  • Being able to sniff credentials for use in attacks - if you forget you're on TOR and log in to something without SSL such as email, you just gave away your credentials

  • Ability to capture sensitive information - Hackers love gaining access to systems in which they can linger and learn things; the TOR network makes it easy for those curious as to what people are doing on the Internet

  • Capturing health-care and financial information - Remember health-care information is selling for more on the dark web than credit card data. This is money directly in the pockets of the malicious actors. Stealing financial information such as bitcoin wallets allows the hackers to fund other more harmful campaigns.

  • Literally to steal information - China uses this type of activity to be able to steal proprietary corporate information to compete on the world markets and gain competitive advantages, steal technologies and to circumvent controls when infiltrating corporate and Government networks.

  • To communicate securely without being detected by law enforcement

  • To launch DDOS (Distributed Denial of Service) attacks

If TOR is so bad, then why do people even use it?

As mentioned earlier, being anonymous on the Internet has its place. For instance, if you want to research a competitor and look through their website, you may want to mask who you are so they don't know they are being researched. We also talked about the humanitarian reasons, whereby regimes that block information via controls can have those controls circumvented so that their citizens can get to the information that their Governments deem threatening. Another good reason is for research. Sometimes when writing programs a developer may not want to expose the source of their network request. By using TOR you could hit a website on a schedule and come from a different IP every time you make a request. This allows you to download huge amounts of information over an extended period of time without tipping off the target of the research that you are a single person. To a web server administrator it looks like thousands of normal user requests, which prevents them from being able to block the requests without impacting other users.

It's true that things such as DDOS attacks make TOR look less and less attractive. There are other similar services available that anonymize users and are becoming more and more popular, such as anonymous VPN services.

How Jigsaw Uses TOR

As mentioned, we may want to scrape a website from time to time without exposing our identity to the website operator. We also use TOR to learn about the habits of end users coming from various locations in the world. In our threat intelligence products we use TOR as a reference. When an attack takes place we look to see if that activity is coming from a TOR node or from a corporation that may have been compromised and is having its network devices used by threat actors.
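The check described above (was the source of an attack a TOR exit node around the time it happened?), as an added example that is not Jigsaw's own code. It assumes the exit list follows the ExitNode/Published/LastStatus/ExitAddress layout of the Tor Project's published exit-address list and that each log line starts with the client IP and carries a bracketed timestamp; the function names, the 24-hour window and all sample data are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed exit-list snapshot: fake fingerprints, documentation-range IPs.
EXIT_LIST = """\
ExitNode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Published 2018-02-01 03:12:44
LastStatus 2018-02-01 04:02:31
ExitAddress 203.0.113.7 2018-02-01 04:10:02
ExitNode BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Published 2018-01-20 09:00:00
LastStatus 2018-01-20 10:00:00
ExitAddress 198.51.100.24 2018-01-20 10:05:00
"""
LOG_LINES = [  # constructed web-server log lines
    '203.0.113.7 - - [01/Feb/2018:06:14:02 +0000] "POST /login HTTP/1.1" 401 512',
    '192.0.2.55 - - [01/Feb/2018:06:14:05 +0000] "GET / HTTP/1.1" 200 1043',
    '198.51.100.24 - - [01/Feb/2018:06:15:11 +0000] "POST /login HTTP/1.1" 401 512',
    'garbage line without an address',
]

def parse_exit_list(text):
    """Map each exit IP to (relay fingerprint, UTC time the address was observed)."""
    exits, fingerprint = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif len(parts) == 4 and parts[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(parts[2] + " " + parts[3], "%Y-%m-%d %H:%M:%S")
            exits[ipaddress.ip_address(parts[1])] = (fingerprint, seen.replace(tzinfo=timezone.utc))
    return exits

def tag_sources(log_lines, exits, window=timedelta(hours=24)):
    """Return (ip, verdict) per parsable line: tor-exit, stale-exit-record or not-listed."""
    out = []
    for line in log_lines:
        try:
            ip = ipaddress.ip_address(line.split(" ", 1)[0])
            when = datetime.strptime(line[line.index("[") + 1:line.index("]")], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparsable line: skip it rather than guess
        hit = exits.get(ip)
        verdict = "not-listed" if hit is None else (
            "tor-exit" if abs(when - hit[1]) <= window else "stale-exit-record")
        out.append((str(ip), verdict))
    return out

if __name__ == "__main__":
    print(tag_sources(LOG_LINES, parse_exit_list(EXIT_LIST)))
```

Exit addresses change over time, so the time window matters: an address that was an exit twelve days before the event is reported as a stale record rather than attributed to TOR.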

TOR is a great technology but just like anything else it can and is frequently abused. Does the good in TOR outweigh the evil? Only time will tell...

#TOR #Research


© 2017-2018 Jigsaw Security Enterprise Inc.
