What time is it, anyway? Securing NTP

Presented by: Shaun Kelly
@DefaultPermit
[email protected]

Disclaimer

While the information in this presentation is intended to be accurate and up to date and all clocks should be synchronized to UTC… the presenter is speaking for herself, and all views, opinions and mistakes are her own and not the views, opinions, property or mistakes of any past, present, or future employer, organization or time travel agency.

Tweet along: #Sec360 www.Secure360.org

The Brief Bio

• Learned programming on the MECC/MTS Timeshare system, which was a CDC Cyber series mainframe.
• Actually used to “dial” to dial in
• Developed code in SPITBOL (DEC’s SNOBOL)
• System admin, networking, lots of database background
• Built a former employer’s first (maybe 2nd) Web-based application
• Running a Public NTP Pool server and watching attacks in real time; now it’s personal
• Certs too – CISSP-ISSAP, CSSLP, CCSK

What time is it?

What time is it, really?

Segal’s Law

• “A man with a watch knows what time it is. A man with two watches is never sure.” – Segal’s Law
• “But I would add further: A man with three clocks is more sure than a man with two clocks.” – LeapSecond.com

The Network Time Protocol addresses these issues.

Preview

• Why is accurate time important?
• A brief history of timekeeping
• NTP basics
• The NTP server pool
• NTP attacks
• Mitigations
• Build a Raspberry Pi Stratum 1 NTP server

Why is securing accurate time important?

• Replay attacks – expired credentials -> unexpired
• DoS attacks – unexpired credentials -> expired
• Log correlation becomes difficult or impossible
• Hiding other attacks by altering timestamps
• BGP attacks – Border Gateway Protocol, helps manage network routing.
• DDoS – Distributed Denial of Service attacks
• High-speed trading? Security cameras? Outside-the-box attacks? App-dependent needs?
• Navigation or attacks on navigation
• Kind of a case study, parallels with other older software and protocols
• PCI-DSS

PCI Section 10.4 (I am not a QSA but…)

“10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
Note: One example of time synchronization technology is Network Time Protocol (NTP).
10.4.1 Critical systems have the correct and consistent time.
10.4.2 Time data is protected.
10.4.3 Time settings are received from industry-accepted time sources.”

What this might mean specifically to you may depend on your QSA.