The OpenZFS summit just wrapped up and Allan shares the exciting new features coming to the file system, researchers warn about flaws in NTP & of course we’ve got some critical patches.
Plus a great batch of questions, a rockin’ round up & much, much more!
— Show Notes: —
OpenZFS Dev Summit
- Earlier this week the OpenZFS Developers Summit was held, as well as the 10th Anniversary party for the open sourcing of ZFS
- The first day consisted of networking and presentations
- Videos:
- Opening Keynote and OpenZFS Success Stories
- OpenZFS Internals
- Masked ZFS Send, and ZFS Send Compression
- Live Migration of NFS shares with Zmotion
- The birth of ZFS, with Jeff Bonwick
- Declustered RAID
- Eager Zero, improving performance on AWS and VMWare
- Compressed ARC
- Discontiguous Caching with ABD
- Dedup Ceiling, Persistent L2ARC, and ZFS native TRIM/UNMAP
- Sandboxing ZFS on Linux
- Metadata Allocation Classes, and Ztour
- Writeback Caching
- Story Time / Q and A with Matt and Jeff
- The second day was a hackathon at GitHub’s offices. People worked on a number of different projects, and Nexenta provided prizes for the projects voted the best prototypes
- Hackathon Presentations
- During the hackathon, I worked on a new feature of ZFS to make it easier to tell what command line features the current version of ZFS supports, so my replication script can determine if a new feature is supported or not
Researchers warn about flaws in NTP
- NTP is one of the oldest protocols still in use on the Internet. The Network Time Protocol is used to keep a computer’s clock in sync. It is very important for many applications, including cryptography (if your clock is wrong, certificates cannot be verified, expired certificates may be accepted, one-time-passwords may not be valid yet or already expired, etc)
- “The importance of NTP was highlighted in a 2012 incident in which two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000. Computers that checked in with the Navy’s servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems”
- Researchers from Boston University announced yesterday that it’s possible for an attacker to cause an organization’s servers to stop checking the time altogether
- “This research was first disclosed on August 20, 2015 and made public on October 21, 2015.”
- “NTP has a rate-limiting mechanism, nicknamed the “Kiss O’ Death” packet, that will stop a computer from repeatedly querying the time in case of a technical problem. When that packet is sent, systems may stop querying the time for days or years, according to a summary of the research”
- Post by researchers
- PDF: Full research paper
- The researchers outline 4 different attacks against NTP:
- Attack 1 (Denial of Service by Spoofed Kiss-o’-Death)
- Attack 2 (Denial of Service by Priming the Pump)
- Attack 3 (Timeshifting by Reboot)
- Attack 4 (Timeshifting by Fragmentation)
- It is recommended you upgrade your version of NTP to ntp-4.2.8p4
- “With the virtual currency bitcoin, an inaccurate clock could cause the bitcoin client software to reject what is a legitimate transaction”
- The paper goes on to describe the amount of error that needs to be induced to cause a problem:
- TLS Certificate: years. Make a valid certificate invalid by setting the time past its expiration date, or make an expired certificate valid by turning the clock back
- HSTS: a year. This is a header sent by websites that says “This site will always use a secure connection”; for sanity’s sake, this header has an expiration date set some time in the future, usually a year. If you forward the clock past that date, you can trick a browser into accepting an insecure connection.
- DNSSEC: months.
- DNS Caches: days.
- Routing (if security is even enabled): days
- Bitcoin: hours
- API authentication: minutes
- Kerberos: minutes
- Alternatives:
- Ntimed
- OpenNTPd
- Interesting feature: It can validate the ‘sanity’ of the time returned by the NTP server by comparing it against the time in an HTTPS header from a set of websites you select, like Google.com etc. It doesn’t set the time based on that (too inaccurate), but if the value from the time server is more than a few seconds off from the HTTPS time, it ignores that time server as possibly malicious
- tlsdate
- NTPSec (a fork of regular NTP being improved)
- Additional Coverage: ArsTechnica
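The Kiss-o’-Death mechanism above is only dangerous when a client honours a KoD it never asked for. The following is an added example (not code from the researchers, ntpd or OpenNTPd) that decodes the RFC 5905 48-byte NTP header, recognises a KoD reply (stratum 0 plus an ASCII kiss code such as RATE) and only accepts it when its origin timestamp echoes a query the client actually sent; `constructed_reply` builds sample server replies for offline testing, and the timestamps and kiss-code set are assumptions for the demo.

```python
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KISS_CODES = {b"RATE", b"DENY", b"RSTR"}  # kiss codes telling a client to slow down or stop


def parse_ntp(packet: bytes) -> dict:
    """Decode the 48-byte NTPv4 header (RFC 5905 layout, network byte order)."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", packet[:4])
    root_delay, root_disp, refid = struct.unpack("!II4s", packet[4:16])
    ref_ts, orig_ts, recv_ts, xmit_ts = struct.unpack("!QQQQ", packet[16:48])
    return {
        "mode": li_vn_mode & 0x07,             # 4 = server reply
        "version": (li_vn_mode >> 3) & 0x07,
        "stratum": stratum,
        "refid": refid,
        "origin": orig_ts,                     # echo of the client's own transmit timestamp
        "transmit": xmit_ts,
    }


def is_kiss_of_death(pkt: dict) -> bool:
    """A KoD is a server reply with stratum 0 whose reference ID is a 4-char ASCII kiss code."""
    return pkt["mode"] == 4 and pkt["stratum"] == 0 and pkt["refid"] in KISS_CODES


def classify_reply(packet: bytes, outstanding: set) -> str:
    """Classify a received reply. `outstanding` holds the transmit timestamps of
    queries this client sent and has not yet matched to a reply."""
    pkt = parse_ntp(packet)
    if pkt["origin"] not in outstanding:
        return "unsolicited"  # no query of ours carries this timestamp: drop and log, never back off
    if is_kiss_of_death(pkt):
        return "kod"          # genuine rate-limit request from a server we queried: honour it
    return "time"


def constructed_reply(refid: bytes, stratum: int, origin: int) -> bytes:
    """Build a constructed sample server reply (NTPv4, mode 4) for offline testing."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4             # LI=0, VN=4, mode=4
    header = struct.pack("!BBbbII4s", li_vn_mode, stratum, 6, -20, 0, 0, refid)
    now = (1445385600 + NTP_UNIX_OFFSET) << 32       # 2015-10-21 00:00:00 UTC as an NTP timestamp
    return header + struct.pack("!QQQQ", now, origin, now, now)


if __name__ == "__main__":
    my_query = (1445385599 + NTP_UNIX_OFFSET) << 32  # transmit timestamp of a query we sent
    sent = {my_query}
    print(classify_reply(constructed_reply(b"RATE", 0, my_query), sent))        # kod
    print(classify_reply(constructed_reply(b"RATE", 0, my_query + 1), sent))    # unsolicited
    print(classify_reply(constructed_reply(b"\x0a\x00\x00\x01", 2, my_query), sent))  # time
```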
Adobe and Oracle release critical patches
- Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software
- All users should upgrade to Flash 19.0.0.226
- If you are worried, consider switching Flash to Click-to-Play mode
- Oracle has also released its quarterly patch update for Java, addressing at least 25 security vulnerabilities
- “According to Oracle, all but one of those flaws may be remotely exploitable without authentication”
- All users are strongly encouraged to upgrade to Java 8 Update 65
- Again, consider using click-to-play mode, to avoid allowing unexpected execution of Java
- “The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.”
- “Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java”
Feedback:
Round up:
- Android 6.0 re-implements mandatory storage encryption for new devices
- A tale of software maintenance, or lack thereof
- Apple’s claim of unbreakable iMessage encryption ‘basically lies’
- To follow up last week’s news that Zerodium/VUPEN will pay $1 – $3 million for an iOS 9 jailbreak if they can keep it private, Pangu released their jailbreak for iOS 9.0 – 9.0.2 to the public
- Apple tells US Court that “accessing data stored on a locked iPhone would be ‘impossible’ with devices using its latest operating system” (iOS 8 at the time)
- Yahoo mail app for mobile is getting rid of passwords, and using push notifications for authentication
- Remote code exec hijack hole found in Huawei 4G USB modems
- Don’t be fooled by fake online reviews, part 2
- Teen Who Hacked CIA Director’s Email Tells How He Did It
- Cisco TALOS offers expert assistance to any hosting provider that finds it is hosting malicious content or actors
- Tim Berners-Lee warns Facebook against creating a walled garden, “don’t you dare make a phone that can only go to facebook.com.”
- Google switches to BoringSSL, but they don’t recommend that you do
- Battery Tests Find No iPhone 6s Chipgate Problems – Consumer Reports
- XVWA (Xtreme Vulnerable Web Application) is a PHP/MySQL application purposely built with one of each different type of classic vulnerability, to help security enthusiasts learn about application security