Ars Technica reports on a vulnerability where unencrypted Network Time Protocol (NTP) traffic can be exploited by man-in-the-middle attacks to arbitrarily set the times of computers to cause general chaos and/or carry out other attacks, such as exploiting expired HTTPS certificates.
While NTP clients have features to prevent drastic time changes, such as setting the date to ten years in the past, the paper on the attacks presents various methods for bypassing these protections.
There is a PDF of the report available.
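The attack in the summary works because a client accepts whatever timestamps the reply carries. As an added example (not code from the story or the paper), this Python sketch parses an NTPv4 server reply, computes the RFC 5905 clock offset, and refuses a reply whose origin timestamp does not echo the client's own request, whose server reports itself unsynchronised, or whose offset exceeds an assumed 1000-second panic threshold; the sample packets are constructed inline.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
PANIC_THRESHOLD = 1000.0        # assumed client panic threshold in seconds (ntpd's default)


def to_ntp(unix_ts):
    """Unix time (float) -> 64-bit NTP timestamp as (seconds, fraction)."""
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return secs, frac


def from_ntp(secs, frac):
    """64-bit NTP timestamp -> Unix time (float)."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_reply(t1, t2, t3, stratum=2, leap=0):
    """Constructed 48-byte NTPv4 server reply (RFC 5905 header layout) used as sample input.
    t1 = client transmit (echoed as origin), t2 = server receive, t3 = server transmit."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4                  # LI, version 4, mode 4 (server)
    pkt = struct.pack("!BBBb", li_vn_mode, stratum, 4, -20)  # poll=2^4, precision=2^-20
    pkt += struct.pack("!II", 0, 0)                          # root delay, root dispersion
    pkt += b"GPS\x00"                                        # reference ID (constructed)
    pkt += struct.pack("!II", *to_ntp(t3))                   # reference timestamp
    pkt += struct.pack("!II", *to_ntp(t1))                   # origin timestamp
    pkt += struct.pack("!II", *to_ntp(t2))                   # receive timestamp
    pkt += struct.pack("!II", *to_ntp(t3))                   # transmit timestamp
    return pkt


def check_reply(packet, sent_t1, recv_t4):
    """Validate a reply before trusting its time. Returns (accept, offset_seconds, reason).
    sent_t1/recv_t4 are the client's own transmit and receive times for this exchange."""
    if len(packet) < 48:
        return False, 0.0, "short packet"
    li_vn_mode, stratum = struct.unpack("!BB", packet[:2])
    leap, mode = li_vn_mode >> 6, li_vn_mode & 7
    f = struct.unpack("!6I", packet[24:48])                  # origin, receive, transmit
    origin, t2, t3 = from_ntp(f[0], f[1]), from_ntp(f[2], f[3]), from_ntp(f[4], f[5])
    if mode != 4:
        return False, 0.0, "not a server reply"
    if abs(origin - sent_t1) > 1e-6:                         # must echo our transmit timestamp
        return False, 0.0, "origin timestamp mismatch"
    if leap == 3 or stratum == 0:                            # unsynchronised / kiss-o'-death
        return False, 0.0, "server not synchronised"
    offset = ((t2 - sent_t1) + (t3 - recv_t4)) / 2           # RFC 5905 clock offset
    if abs(offset) > PANIC_THRESHOLD:
        return False, offset, "offset exceeds panic threshold"
    return True, offset, "ok"
```

The paper's point is that a panic threshold on its own can be bypassed, so this is a first-line sanity check, not a substitute for an authenticated or local time source.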
(Score: 3, Interesting) by frojack on Friday October 23 2015, @02:26AM
It's FAR from as complex as you seem to make it. Buy an atomic clock? Seriously? Are you launching rockets or what?
Forget your local ISP, most of them are clueless.
Sync your clock to one of the pool sources (like just about every linux distro does out of the box) and call it a day.
Don't trust pools? Hard-code it to hit your state university's clock; almost every large EDU runs stratum 1, 2, and 3 clocks.
Most are underutilized. You can use their stratum 1 clock and nobody will care. But you should probably use their stratum 2.
http://www.washington.edu/tools/time.cgi [washington.edu]
No, you are mistaken. I've always had this sig.
(Score: 4, Informative) by MrNemesis on Friday October 23 2015, @07:11AM
Those who are either truly paranoid or in need of really accurate time can buy themselves a GPS or radio clock and plug it into their local NTP server, thus having a stratum 1 inside your data centre and obviating the need for reliance on an external network.
If you don't have true paranoia or the need for really accurate time, it's not expensive to do it because it's geeky and cool.
Turning your Raspberry Pi into a stratum 1 server [satsignal.eu]
GPS and radio inputs [pvelectronics.co.uk] for your Nixie Tube clock [pvelectronics.co.uk].
"To paraphrase Nietzsche, I have looked into the abyss and been sick in it."
(Score: 2) by Hyperturtle on Friday October 23 2015, @07:24PM
(Awesome, someone who knows what the Nixie tube clock is! I wanted one to put into my Pip-Boy 3000 burned-out clock from the Fallout 3 collector's clock. Those things broke within weeks. Having a real Nixie tube clock in it would be awesome... but then I guess I am a geek when it comes to that.)
I entirely approve of the Raspberry Pi; it can do it, managed switches can do it, routers can do it, Windows servers can do it, and Windows servers can do it with the addition of third-party software so that way they can more reliably do it (that Windows time service is not very good.. maybe it's fixed up post 2012 but I've had to take pains to correct for drift).
I have to concede that perhaps a Raspberry Pi or core switch is not the most reliable of time clocks -- I really don't know how reliable the clock in a Raspberry Pi is, or if it is emulated or what. But if it acts as a server and pulls time from another location, it can be used as the focus point for a small network. That source may still be at risk, but it prevents everything from going out and keeps this traffic local.
I imagine the Raspberry Pi can do NTPsec; do you know if that has been ported to any of the distributions?
I get the idea that many people here do not work in large environments, and that some of my ideas can be a bit overkill (or simply not applicable) -- but for a place with network hardware that is unmanaged and such, your solution is a great choice.
I expect MS to push the existing "IoT" Windows 10 for Raspberry Pi into a Windows 2016 Nano Server for Raspberry Pi. If they do, I'd hope to use that to create a type of headless read-only DC for small offices, but that's just me speculating. It could be the cost is prohibitive compared to $50, but we'll see. Many places, I expect, would adopt this type of solution rather than have to learn Linux, cool notwithstanding.
Anyway this type of solution is great for the small business/medium business and for home use to experiment with, so if anyone wants to ignore my other thoughts, go with this one to keep traffic mostly local and limit the exposure of regular NTP traffic. I recommended a similar choice for network switches and such, but it now occurs to me that this may be easier for many to do, and cheaper besides!
(Score: 2) by Hyperturtle on Friday October 23 2015, @06:18PM
Right, I avoided using the public pools because those are what were cited as being vulnerable. Someone between you and them can alter your NTP because it isn't local, set back your clock, and then present you an invalid expired fake certificate that suddenly is more valid than it was before, since the time is now showing it's a valid cert and there was no way to protect the NTP exchange in the pools.
Almost anything over the internet is the problem, because NTP is generally not encrypted. If you said to use an IPsec tunnel to a place that had time, then sure. But I do not agree with your suggestion because it is the dependency on such that has perpetuated the ability to cause the problem cited.
Keeping it local is why I suggested it.
There are atomic clocks that are heinously expensive and overkill, and there are clocks that use GPS to sync with satellites and have a 10 megabit network connection for not that much money... you just have to not have 10 floors of metal blocking that signal.
Atomic clocks for network time are also available for a few thousand dollars and less.
I do realize that many places with a few servers do not have a few thousand for an atomic clock. Heck, I don't have one, but it would be cool to get a Nixie tube one :)
Part of my disconnect is that I do not have a good grasp on the workplace people here have, and such costs may be pure fantasy for them, as they were for you. I don't want to discount such ideas under the assumption everything has to be done on the cheap, but I also provided cheap ways to do it. I am guessing you don't have a phone system managed by one vendor, a data network by another, and windows by other people.
Many places have desk phones that display a different time than the desk computers, which also is different from the cell phone in your pocket.
When there is an issue, checking logs on network hardware to compare who came in when and on what -- oh look, the network is 12 minutes off and the servers are 5 minutes off and the phones are 2 minutes off from the servers, and wait, what was the central NTP time source? It went through the compromised firewall?
These are concerns I have to deal with, so I try to contain the time locally, while using a single host or two to pull time from trusted resources and then set those devices as ntp servers.
There is no way I would let everything on the network pull time from some outside place, even if it is convenient. It may be low priority to correct, but I ultimately want control of the time done locally, and the actual time servers themselves -- I have options and it is not too hard to set up, either with a dedicated device or reliance on the ISP router.
If you have an MPLS cloud, often those telco routers are great for this because they often themselves are synced to an atomic clock at the ISP or paid for to access by the ISP, and you can get the benefit of a high stratum time source by proxy of using the telco router. Note I say telco, not internet. Having internet access doesn't mean using the internet to get that access to NTP -- you likely can access telco specific routers within their network prior to passing their network edge to reach the internet, or in MPLS, just in their local cloud anyway and never come close to the internet.
Anyway, there are many options. It can be made harder than it has to be, yes, but I wanted to avoid the really easy solution because the problem was that solution. It wasn't that there is no time, it's that the time itself is insecure, and using public resources to get time is to be trusted as a convenience at best without further administrative correction.