7. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
20. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
30. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
31. Ubuntu Linux Very%simple% NTPv4.%
Each%time%it%connects%to%a%network%(and%at% boot%time,%of%course).
$%ls%/etc/network/ifKup.d/%
000resolvconf%%avahiKdaemon%%ntpdate%%wpasupplicant%
avahiKautoipd%%%ethtool%%%%%%%%%%%%%upstart
33. Mac OS X - Mavericks New%synchronisation%service%
NTP%daemon%exits,%but%not%synchronises.%
Just%writes%in%/var/db/ntp.drift%
A%new%service%called%pacemaker%check%
that%file%and%change%the%clock.%
It%seems%it%doesnt%work%as%it%should
http://www.atmythoughts.com/livingKinKaKtechKfamilyKblog/2014/2/28/whatKtimeKisKit
34. Does NTP work?
35. /usr/libexec/ntpd-wrapper
36. Mac OS X - Mavericks
37. Windows NTPv3%but% The%most%secure.%
Synchronisation%each%7%days.%
More%than%15%hours%drift%isnt%allowed.%
Domain%members%work%in%a%different% way.
48. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
49. Task scheduler
50. Windows automatic updates
51. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
52. PKI, CAs & Certificates
53. Certificates from the past Data: Version: 3 (0x2) Serial
Number: 5d:9e:f1:65:7f:f4:0c:14:e4:19:46:87:0b:b3:7b:fc Signature
Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=UT, L=Salt Lake
City, O=The USERTRUST Network, OU=http://www.usertrust.com,
CN=UTN-USERFirst-Hardware Validity Not Before: Sep 19 00:00:00 2008
GMT Not After : Nov 22 23:59:59 2010 GMT Subject: O=The SANS
Institute, OU=Network Operations Center (NOC), OU=Comodo PremiumSSL
Wildcard, CN=*.sans.org
69. What if I cant connect?
https://www.grc.com/revocation/implementations.htm
70. DEMO
71. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
72. Conclusions & Recommendations Facts Time
synchronisation isnt managed securely by most operating system
vendors. Many security protections relies in time. If an attacker
can control the local clock, lots of things can go wrong. What to
do Configure NTP synchronisation in a secure way (Microsoft does):
Signature. Maximum drift. Block SSL certificates which expiry date
is before the browser build date or the last update (Chrome
does).
73. Special thanks to Pedro Candel (my leaked certs dealer).
Juan Garrido (microsoft guru). Tom Ritter (my factoring mentor).
All the NCC Group guys and resources. /mode +nostalgic JoseSelvi
People who created the Back to the Future saga, War Games, and all
those amazing 80s movies and series :)