Researchers from the Hebrew University of Jerusalem have been trying to prevent time-shifting threat actors. No, seriously. In their paper entitled 'Preventing (Network) Time Travel with Chronos' 2_Deutsch_paper.pdf the quartet of computer science and engineering researchers put forward a potential solution to the legacy problem of Network Time Protocol (NTP) insecurity.
"NTP’s security vulnerabilities have severe
implications for time-sensitive applications and for security mechanisms" the researchers state, adding "while technically NTP supports cryptographic authentication, it is very rarely used in practice." These 'timeshifting attacks' on NTP are possible even if
all its communications are both encrypted and authenticated, the paper states.
So what, exactly, are the real-world implications of such attacks to the enterprise user? The list of things that could go wrong in enterprise networks is almost endless, says Alex Hinchliffe, Threat Intelligence Analyst at Unit 42, Palo Alto Networks in conversation with SC Media UK. "Most enterprises rely on redundancy to help with their resilience against failure" Hinchliffe explains, continuing "database replication events between multiple servers in a cluster could go awry." And that's not all. "Authentication, such as Kerberos, relies heavily on time and could fail" Hinchliffe concludes "as could DNS or DHCP depending on how it’s configured, especially in multi-server environments."
Then there are the "well known and understood risks of a replay attack using NTP as a threat vector" Dick Morrell, CTO of Falanx says adding to the list. The DDoS risk using an amplified attack can require "substantial remediation" when as few as 5,000 backdoored NTP servers are involved. Morrell told SC Media UK that he is also "seeing some organisations where there is the risk of users harnessing Bitcoin with the potential risk of manipulation of otherwise legitimate transactions, or where DNSSEC and HTTPS services can be simply rendered useless."
The solution, in the form of a new NTP client called Chronos, promises to achieve good synchronisation "even in the presence of powerful attackers who are in direct control of a large number of NTP servers" while remaining backwards compatible with legacy NTP servers.
It does this by leveraging distributed computing concepts, iteratively crowd-sourcing time queries across multiple servers before applying a secure algorithm to eliminate any suspicious responses. The remainder are averaged to provide the accurate time synchronisation. The researchers claim it would take a man-in-the-middle threat actor more than 20 years to be able to shift timing at a Chronos client by more than 100ms from the UTC.
So, is a replacement NTP client the only solution, or are there other ways to mitigate such time-shifting attack methodologies? "It's not the only solution" says Andy Hornegold, Principal Consultant at Context Information Security "that's not to say a new solution isn't welcome, just that it isn't the sole solution to the problem." Hornegold advises that NTP hardening is something that not only can be carried out, but should be carried out as part of an organisations broader security posture. Such measures as fire walling off NTP communications, implementing cryptographic signatures for NTP updates, restricting the available NTP commands and hardening and maintaining the underlying OS and the NTP application for example.