How organizations keep track of time has a major impact on the overall security of the organization’s IT infrastructure, for two reasons. First, the mechanisms used to keep track of time are among the most vulnerable to exploitation by a hacker. Second, time stamps are critical evidence for retracing a hacker’s movements inside a target system—and therefore for hardening the system against future attacks.
With respect to time-related vulnerabilities, one of the most common involves the Network Time Protocol (NTP). The NTP software, present on virtually all computers, allows systems to synchronize their clocks with a time source over a UDP/IP network, such as the Internet or a corporate local area network. A potential problem arises if this time source is located beyond the corporate firewall. If it is, there must be a “hole” left open in the firewall (specifically UDP port 123) to allow the packets containing the time information through. (Even if the time source is not outside the firewall, that does not automatically mean that port 123 is closed, only that it is not needed. The system administrator must still make sure unused ports are closed.) One way to exploit this opening is to crash the NTP program itself. This can be done (on several variations of both the Unix® and Linux® operating systems) by sending too much data in an NTP packet. The result is a denial of time services and (depending on what else is happening on the network) potentially a crash of the network itself.
A second way to exploit NTP is to construct a packet that doesn’t crash the NTP program but instead uses that program to take over the target machine—with the same privileges as the NTP program itself (typically system administrator level).
Even if the organization blocks all access to port 123 except from the external time source, that still leaves open the possibility that a hacker could attack the network from there.
A more insidious effect of weak timekeeping is that it damages the ability to investigate security breaches and other kinds of system problems. Hackers, for example, will often exploit backdoors and proxy computers when mounting an attack—both to hide their tracks and to exploit whatever opportunities (like NTP system privileges) they encounter along the way. Finding these stopping-off points is critical for shutting the door to future attacks—and requires precise measurement of time in order to reconstruct the exact sequence of events. Log files and application time stamps obviously become essential pieces of evidence.
Of course, this is the same kind of evidence used for investigating system problems generally—not just hacker break-ins. Since network log files usually consist of time stamps from different machines, administrators can use them to reconstruct the events leading up to an incident occurring anywhere on the network. Performance-related statistical information can also be collected and analyzed, allowing administrators to identify process bottlenecks and other opportunities for system optimization. All of this obviously depends on whether the time stamps are synchronized to the correct time.
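The point about correlating time stamps from different machines can be made concrete with a small timeline reconstruction. The following is an added example, not part of the original article: the log lines, host names (fw01, proxy01, app01), addresses and per-host clock offsets are all constructed, and the offsets stand in for what an NTP client would report for each host.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed log lines (hypothetical hosts and messages) in the form
# "<ISO-8601 UTC timestamp> <host> <message>", one step each of one session.
LOG_LINES = [
    "2023-05-01T10:00:05Z fw01 ALLOW tcp 203.0.113.7:51234 -> 192.0.2.15:8080",
    "2023-05-01T10:01:40Z proxy01 CONNECT 203.0.113.7 -> 192.0.2.20:22",
    "2023-05-01T09:59:30Z app01 sshd: Accepted publickey for svc from 192.0.2.15",
]

# Per-host clock error against the reference clock, as an NTP client would
# report it: positive means the host's clock runs fast. Constructed values.
CLOCK_OFFSETS = {
    "fw01": timedelta(seconds=0),
    "proxy01": timedelta(seconds=90),
    "app01": timedelta(seconds=-45),
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Split a log line into (aware UTC datetime, host, message)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    stamp, host, msg = m.groups()
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, host, msg


def build_timeline(lines, offsets=None):
    """Events sorted by time. With offsets, each timestamp is corrected to
    reference time (true = logged - offset); without, raw timestamps are used."""
    events = []
    for line in lines:
        ts, host, msg = parse_line(line)
        if offsets is not None:
            ts -= offsets.get(host, timedelta(0))
        events.append((ts, host, msg))
    return sorted(events)


def host_order(lines, offsets=None):
    """Hosts in timeline order, for comparing the raw and corrected sequences."""
    return [host for _, host, _ in build_timeline(lines, offsets)]
```

Sorting the raw time stamps gives `['app01', 'fw01', 'proxy01']`, which puts the server login before the firewall ever saw the session; correcting for the offsets gives `['fw01', 'proxy01', 'app01']`, the sequence that actually happened.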
Finally, there is the performance of security systems themselves to consider—including firewalls, access card readers, and digital certificate authentication systems. Like many other systems an organization owns, these too can be compromised by weak network timekeeping. Take digital certificate authentication systems; these check the certificates used to authorize payments, sign contracts and carry out other sensitive business that requires proof of identity. As a security precaution, certificates are issued with a validity period and must periodically be renewed. If the authentication system’s clock is out of sync, an expired certificate may be accepted, potentially allowing security breaches. A similar problem exists with firewalls, which may be opened temporarily during certain parts of the day—for example, to perform maintenance or file uploads on remote servers. If their system clocks are not set correctly, these firewalls may be left open (or allowed to open) arbitrarily.
A reverse example is access card readers. Here an out-of-sync system may fail to recognize a legitimate card. That can occur because the card and the reader use the current time to generate an entry code. If their clocks are out of sync, so will the codes be, and the cards will not work.
Get more information on Microsemi’s timing and synchronization solutions now.
The next article in this series will go into legal liability on keeping an accurate time on a network.