
SoylentNews is people

posted by martyb on Thursday October 22 2015, @10:44PM
from the does-anyone-really-know-what-time-it-is? dept.

http://arstechnica.com/security/2015/10/new-attacks-on-network-time-protocol-can-defeat-https-and-create-chaos/

Ars Technica reports on a vulnerability where unencrypted Network Time Protocol (NTP) traffic can be exploited by man-in-the-middle attacks to arbitrarily set the times of computers to cause general chaos and/or carry out other attacks, such as exploiting expired HTTPS certificates.

While NTP clients have safeguards against drastic time changes, such as a request to set the date ten years into the past, the paper on the attacks presents several methods for bypassing these protections.

A PDF of the report is available.



  • (Score: 2) by ledow (5567) on Friday October 23 2015, @07:24AM

    They still do.

    I work in a school and we've just bought a system from a manufacturer that has an NTP clock on it, and uses a licensed frequency to sync all your clock and bell systems across the site as well. It's used in stock exchanges, etc. to sync everything together, and it doesn't come cheap.

    Although NTP isn't extremely secure, it works the same way as Bitcoin - if you have enough good servers on your list, you will be fine and cancel out the dodgy ones. Using things like the NTP pool is a way to both greatly enhance the number of peers you see, but also to introduce untrusted peers into the mix, and it appears to do quite well thanks. If you don't trust it, there's no reason you can't run a local NTP server - most networks need one if for no other reason than to get the phones in sync with the computers, etc. Just choose a good peer and then have your clients sync from your server and the Internet too. If either local or remote get out of sync, whatever is in the minority will be rejected.

    The most dangerous thing for this would be, for example, time.microsoft.com - an NTP server used and relied on by millions but a single point of failure. I never got why Windows doesn't let you use multiple peers without having to do it manually in the registry. It's just ridiculous.

    However, on most networks, being even 5 minutes out of sync will set off alarm bells. You won't be able to authenticate against your domain, on Windows, and Kerberos tickets will start failing on other systems. So it's not going to happen without you noticing. Sure, it's not a SPECIFIC defence against it, but your clocks getting out of sync isn't going to go unnoticed for very long.

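As an added illustration of the majority-selection behaviour ledow describes (this is not code from the article, the paper, or any NTP implementation), the Python below runs a toy version of the NTP clock-selection step: each peer contributes an offset plus an error bound, Marzullo's interval-intersection keeps the largest agreeing majority and discards the rest as falsetickers, and a final check flags any resulting correction larger than the Kerberos clock-skew window. Peer names, offsets and bounds are constructed sample values; the median combine and the 300 s threshold are simplifications chosen for the example, not RFC 5905's exact algorithms.

```python
"""Toy NTP-style peer selection: keep the majority of mutually consistent
peers, discard falsetickers, and flag a correction that would break Kerberos."""
from statistics import median

# Constructed sample: (peer name, measured offset in seconds, error bound in seconds).
# Four honest peers agree to within a few ms; "rogue" claims the local clock is
# 600 s slow, as a tampered single upstream would.
SAMPLE_PEERS = [
    ("pool-a", 0.002, 0.05),
    ("pool-b", -0.004, 0.05),
    ("local-ntp", 0.001, 0.02),
    ("pool-c", 0.010, 0.05),
    ("rogue", 600.0, 0.01),
]

KERBEROS_MAX_SKEW = 300  # default Kerberos clock-skew tolerance, in seconds


def marzullo(intervals):
    """Return (count, low, high): the sub-interval covered by the most sources."""
    events = []
    for lo, hi in intervals:
        events.append((lo, -1))  # interval opens
        events.append((hi, +1))  # interval closes
    events.sort()  # at equal x, openers (-1) sort before closers (+1)
    best, count, best_lo, best_hi = 0, 0, None, None
    for i, (x, kind) in enumerate(events):
        count -= kind  # opener raises the coverage count, closer lowers it
        if count > best:
            # a new maximum always follows an opener, so events[i + 1] exists
            best, best_lo, best_hi = count, x, events[i + 1][0]
    return best, best_lo, best_hi


def select_truechimers(peers):
    """Split peers into truechimers (the agreeing majority) and falsetickers.
    Raises ValueError when no majority agrees, since no offset can be trusted."""
    intervals = [(off - dist, off + dist) for _, off, dist in peers]
    count, lo, hi = marzullo(intervals)
    if count * 2 <= len(peers):
        raise ValueError("no majority of peers agree; refusing to step the clock")
    true_, false_ = [], []
    for peer, (plo, phi) in zip(peers, intervals):
        (true_ if plo <= hi and phi >= lo else false_).append(peer)
    return true_, false_


def estimate_offset(peers):
    """Combine the truechimers' offsets (median here; real NTP uses a weighted
    combine) and return (offset, names of rejected falsetickers)."""
    true_, false_ = select_truechimers(peers)
    return median([off for _, off, _ in true_]), [name for name, _, _ in false_]


def skew_alert(offset, max_skew=KERBEROS_MAX_SKEW):
    """True when applying this offset would exceed the Kerberos skew window,
    i.e. the "alarm bells" condition on a domain-joined network."""
    return abs(offset) > max_skew


if __name__ == "__main__":
    offset, falsetickers = estimate_offset(SAMPLE_PEERS)
    print(f"offset={offset:+.4f}s falsetickers={falsetickers} alert={skew_alert(offset)}")
    # Single upstream: nothing outvotes the bad server, so its 600 s step is accepted.
    single = [p for p in SAMPLE_PEERS if p[0] == "rogue"]
    off1, _ = estimate_offset(single)
    print(f"single-peer offset={off1:+.1f}s alert={skew_alert(off1)}")
```

Run with several peers, the rogue server is outvoted and dropped; run with the rogue as the only peer, its 600 s correction is accepted and only the skew check (or the Kerberos failures ledow mentions) would reveal it. An even split, two honest against two rogue, yields no majority and the function refuses to pick, which is the right failure mode for a clock source.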