My name is Jose Selvi,we are going the talk about some kind of attacks that we can use against as a cell using time synchronization and text. I have been working, just a brief presentation, I have been working for the last 10 years in the security industry. At the moment I am senior security NCC group. You have my Twitter on my blog in case you want to follow me but at the end of the presentation I have the e-mail and everything. So I am from Spain. I am from city that is called Valencia, near the Mediterranean sea where is a nice city, where the paella is from, you know. With beautiful… [Laughter and Applause] It’s a nice city if you you are nearby at some point and you want to have a ring in the mix just need to drop me an e-mail and I will be happy to share some things with you. So this is key question in this talk. I remember when I was a kid or well a teenager and computer were built thinking like they were stand alone boxes but now everything is different. Then there’s the signs, the systems thinking that the computer is going to be connected to internet, right? And for example, now we have automatic updates and we have time synchronization using the internet, not the [indiscernible] as I would use when I was a kid. So that is something that we are going to talk about some features. I don't think they are box so but they work, well they should work, but we can abuse different functionalities so I consider the functional like features more or less than box. So let's go. This is the plane for today. I think the versus to start from the beginning but what happened when I started to bring this results. So what happened was I was doing like a demo. We had a set of demos to show clients and one of this demos was to use SSL strip but most of you know and we had a problem and suddenly it didn't work. It didn't work because there was something new at that moment. [indiscernible] HTTP [indiscernible] security. And that is why I started doing this time synchronization attacks. So how it works. so when you is first UBS connection is server sends a header that says, this is max security, max 8 and a number of seconds. This means, okay, in the following 3 million seconds, you are going to connect always using HTTPS. If the user types the host name you are always going to connect using HTTPS. If the user clicks an hTTP link, you are going to connect using HTTPS. So this is what a HTTPs does. The harder part is the part of client, the browser part because the browser has to managed all these, has to keep these policies on the time and everything. At this moment, all the models and [indiscernible] support this. I think the only exception is Internet Explorer, but most of them… >> It does [ From audience] >> Oh, it does. Okay, cool. Perfect. Six months ago, are you sure? Okay. So for us, then if we are trying to get an HTTP connection we have this problem. We make a can an HTTP connection if HTTPS is working. So we can reach our target, the victim is behind the wall. This is very frustrating. But this worse because say that this in the first days of HTTPS connection you think so we have a opportunity before this first ATPS connection so people from Google, from Mozilla, say okay let’s do, [indiscernible] with a host, then those host are the HSPS enforced by default. Okay, so with this host is even more difficult. So what I thought about this is, if the victim is protected this time, then what I need is the machine. So I just need to go 3 million seconds into the future and the [indiscernible], going MO SILC and have aliases with unknown host and those host they are HAT is enforced by the host and with this host is even more difficult so what I thought about this I thought okay if the victim is protected in this time then what, what they need is a time machine. So I need to go 3 millions seconds into the future and then I test the (indiscernible) and the HSPS is going expire. So then I can reach my target. [Explosion Sound] I love this sound. [Laughter] So what happened with all the lists because we have saved and those hosts are in enforced by default. The belief is if you read the recommendation this is from google what I understood when I read this from the first time it is like… they are like a static list and says that out of the box. I can't figure out of the box. What Mozilla says, which is the same, it says it is enforced by default. And this is e-mail that another vendor sent me that say these are not the same. That HADS is enforced by default. But the real truth is that the list is loaded, it is not the static. (indiscernible) When this host in the list when you clean the cache, and when you install the [indiscernible] for the first time, it is like creates a dynamic entry with max 8. Which is what, let’s say this max 8 is 10 weeks. So it is not really even recommendation either the recommendation says enforced by default it is not really enforced by default it is 10 weeks so this kind of confusions sometimes can be a bit problematic. [Laughter] [Applause] The only browser that I have seen the a problem that is really static is apple Safari. There’s a file released that you have the host and something is INF. I haven’t found a recommendation on this but I have tested if you change the clock on your computer 10 years into the future, 20 years into the future, it doesn't matter. They are always protected. So this… so only for SAFARI this list is static. For the other ones… they’re not static. So we know if we have a time machine we can do something with this HSPS. Do you know of anyway to change the clock on the computer from the network? NTP. Yes. NTP is what most, I think is all the properties I have seen used to synchronize the time. Well some of them are slightly different but 99 percent is NTP. The configuration may be different but most of them are not secured by default. So you can do a man in the middle attack against this protocol. This is example of NPT packet and the format in the request and responses is the same there is only a flag that can change that says client or server and time stamps are used to know what the proper date and time. There are some knots behind this but not interesting for us now. So what did was create a tool that on this server but with some modifications the use some flags this serai server attacks. I up loaded the latest version a half hour ago. So this is flags. This is much easier that we see some examples. So for example, don't pay attention to minus sign. It means not show the banner but if you use the script without any other flag (indiscernible) try to find a way into the future at least a thousand days into the future with the same weekday, month day as today. Because this is the day that the user can be come (indiscernible) someone say it’s Monday, or say it’s Wednesday, it can ruin the user. But the [indiscernible] that we can use for example is a minus sign 10 and 10 days into the future but we can use minus 10D to go 10 days into the past or minus twoY to do 2 years into the past, we can do a lot with that. We can say a specific date. There’s minus for random dates. So [indiscernible] the first. So this is Microsoft’s website. Here are some scripts. We are going to intercepts the HTTP connections. I have found and I think that the server that the going to intercept the old NTP connections so if I try to type (indiscernible) and HSDS works, I won’t be able to intercept the HTTP connection. And if it doesn’t work I am going to intercept the DB connection. So let’s see what happened. We opened Firefox and Chrome or something, and what is left? There is something really important that we need now, a piece for hacking that is the proper music. [Back to the Future Theme Song Playing] So it working. [Applause] [Theme Song Continues] Enough music. [Laughter] So what happened was that we changed the clock in the computer then the cache expired so when the user connects the computer sees that its 3 million seconds in the future so they both connect using NTP. So we can use SST. They’re not all attacks but I have found to be less useful, so I coded them because I wanted to try them but for example our replay attack you can say or have the pick up file we have response, I say okay, just replay this response. Or you can do like a spoofing or coding attack just the same. But waiting for a request, just following responses. The problem they have found is that NTP in windows Mac has security playing control and they transmit time stamp has to be is same originally time stamp in the response. So you just replay something, it’s not the same value. So they just ignore the response. But it is still in the tool because who knows maybe another implementation can be used. Okay but in different operating systems, the same operation work in a different way. So for example in (indiscernible) is synchronization happens each time of a interface and interface goes up so if you control the physical medium or or wireless network or whatever, you can just keep the computer out of network and when the computer joins again, you have synchronization so you can intercept this and the last time the last version there is not additional protection to that. So you can change the date. You have interview request each minute. The only problem with that is that they do something slightly different. I mean, with NTP you can just change the clock with a new date or make the time slower or faster, because they don't want to make jumps so this is what this does. So this is a problem because if you want the change 10 years the clock 10 years into the future you can some time wait for that synchronization but there is point that the first three synchronizations are standard and they change the clock. No speed up or slow down just changes the clock. So if I we are there when boots up you can do the same as you have seen with Macros S. MACROS S [indiscernible] … do something similar done. But the problem we have here is that really there are like two parts NTP that is running all the time and other servers that is checking the information that NTP is storing in a file but I have found or a lot of people have found that doesn't seem to work. Doesn't seem to work and I mean the NTP… So if you look sites google you see people saying didn't work I don't know what happened. But my computer is not doing synchronization properly. And even there are people that have just okay let me to download my NTP and now it works. But doesn't mean that we can do the attack, I mean we can do the attack but we have the same limitation. This is script that is run when one of scripts when the macro starts. First we have all we found SNTP is simple NTP code that this code works. I mean, if you intercept this you can change the clock and then we have NTP demon that is where the back is. I guess that there is back because it is not working the synchronization. There is another way to force us synchronization that is to open the data and time preferences. If user opens this window there is synchronization you can change the clock as well. But this is what I did. I opened the menu because it is easier done without the Mac again. Windows that most robust time synchronization because it synchronize once a week and don't allow changes more than 15 hours you can only change 15 hours into the future or past which is not enough for most. So it is implementation. They work in a different way. You sign it with different keys and its robust as well. Because if you look at the task that is scheduled, you have the [indiscernible] of time in series that is doing this synchronization and you can see that happens once a week. This value is, this 50 [indiscernible] value is not something that is hard coded. It is the value in the register and different in different versions for example in window seven and eight it is 15 hours. But for example, Windows Seven is two days. It will be different in another version and when they computer joins domain it is different as well. So it changes depending on the configuration of the role of the server of the local station. So attacking windows using this technique is difficult in the full configuration but I have found people talking and on the internet about this and there are people that think that once a week is not enough. So there are people on the internet to change this frequency to twice a day or (indiscernible) or 85 minutes or something like that. So what do you think happens if I can change 15 hours on the clock but from once synchronization to another the time is less than 15 hours. What we can do is to jump just a few seconds before the next synchronization then why does that few seconds jump again and jump again and jump again like this. Fifteen hours, 15 hours 15 hours, 15 hours, right. I call this attack, time attack because it is similar to (indiscernible) stone skimming. The stone is just jumping in the water, jumping and jumping and jumping so we are doing the same but with the time so it makes sense, more or less. So this will be the comment says that we want to jump 15 hours minus 10 seconds. Okay. I have a number for this but I have video because it takes around two hours to happen and we don't have two hours. People in the staff we don't have two hours right. No. So I will fast forward the video. You have the -- you can review and look at the clock the bottom right you see the clock is changing 15 hours, 15 hours, 15 hours. Sometimes, from time to time, the window needs the response. And you have to do the following, do the following jump. So in around two hours I think it was like a month-and-a-half in the future like that so in four or five hours you can do the same attack that we have seen but just with this configuration. This is not the default configuration. But it’s something that you can find because there is lot of people saying they changed the time synchronization because it’s much better if you synchronize [indiscernible] or something like that. There is another way that these are less likely that the manual update. In windows you manually update the date, it works. Doesn't matter 15 hour limitation. Doesn't matter. It updates. But this is likely because it not like in (indiscernible) you just open a windows and that all. In windows you open a couple of window as click where it says update now so it less likely. So as you have seen, this is not a single bullet. An attack like this… You can use the attack in all computers and all configurations and something that you can use. And that I have used. So when I presented this I presented an [indiscernible] attack last year and when I presented this I have people working here from Google and people saying what happened with that and they sent me e-mail saying what happened with that. We had some e-mails and at some point and I said that, lot of things go wrong when the clock is stopped and he was right. That the moment I was reciting all the attack surfaces. This is what I'm going to talk about now. I don't have a number for this because it is difficult to find to… to draw a number for this. With this but on that when the even if not more the most likely scenario in window if you change the time 10 years into the future and then the clock goes back to person there are some things that we are in the process of. In some task dependent on the configuration of the task the next execution is calculated from the last execution. So what happens if the last execution was 10 years into the future. That the following [indiscernible] is 10 years or more into the future. So it only happens with certain tasks depending on the configuration of the task. One of those task is window automatic updates. [Laughter] So I mean if user tried to update manually it works but if you don't -- if you just trust that the computer is going to warn you I have updates for you at least in the time that I have the computer testing this, I didn't have any update. I might have updates on other computers. So this is something that could happen when the clock is off. I have another attack this is against the public interested code. We use SSR and we use certificates all the time. Those certificates are security based on the task on the CAs of the signing the certificates. On all the certificates, there’s like a preview of when the certificate is valid. But so if I can control the clock in a computer what I can do to use certificates from the past. Because that used to be valid at some point in the past and are not valid now. So it a time to bring back to life of well-known attacks. For example, We can explain weak certificates. I didn’t, I didn’t have any archive of this certificate but I have found… there’s a… there’s an observatory from 2010 with certificates so then you can try to find for example certificates with less well more than a 1024 bits that now are invalid for example. If you look at this you have a number of certificates in data base so I was trying to think let's find something for the demo at Def Con. It would be nice to have something from Las Vegas so I said, what I found was a few online casinos. Have you seen the movie 21 blackjack? Yes. I don't want to check if this things happen or not. [Laughter] So okay let's find another example like (indiscernible) so I found something that doesn’t seems very dangerous for me. I am less afraid of this. [Laughter] So it’s not the main domain but it’s one domain of this domain so what I did was it was a certificate. The key was 512 but we know that we can correct this and factor this now. I used several IC2 boxes (indiscernible) and it took like three days or four days or something like that. So I have this certificate from the past and now I have the key, I can change the clock of the victim computer. Maybe I could have interesting attack here. So let me show… [No audio] Okay. We are going to change now the [indiscernible] rules. Now we're going to intercept same NTP but the HTTPS instead of the ATP. We're going the say window want to go four years into the past. The time that is needed for this certificate to be valid now. So let’s see. [Indiscernible] We're going to update now. And this is 2011 sorry. So let's see what happens when we visit the site. Okay. [Applause] The certificate changed is valid and we have no warnings. This demo I mean, it could happen the same in a few years with 1024 keys. At this moment the browser updated doesn't accept 500 keys so this browser is a bit old. But this is an example to show you that the same thing could happen with [indiscernible] keys. So… The thing that happened with certificates that has been stolen in security incident for example we have a product key they are same could happen certificate were leaking using (indiscernible) maybe now is too soon to use certificates but maybe in a few years the certificates expire. For example, one that I like (indiscernible) this is something that happens in 2008 so we have some certificates that we can use. You can find this certificates in (indiscernible) website I believe, because they are received from 2010 and this bug is two years before so find some of them but not interesting ones but if you look at the internet what I found this page they do plug in for Firefox I think. They have all the certificates that they found to be generated (indiscernible) back. So at the end of the day, what we need for that is the like the top group certificate has to be in the browser, the same the same, well the certificate. The other certificates in [indiscernible] doesn't matter if it is expired I just need to have all the product keys that is certificate in the certificate chain and the product key of the host certificate and you can do this attack. What happens with revocation. You can use a certificate but what if it’s broken. The point is that what I felt is okay but the list is a lot of ways. It is not -- I mean, it has a size and if you are always storing more certificates and more certificates and more certificates and more certificates, this is not convene because the user as the host has to download the file. So I was reading on trying things and what I have found is that seems that it is not mandatory that a certificate isn’t on this list after it expires. Because it’s invalid because it has expired. So I can't be sure about this but I have some suspect but I think there are some CAs that are removing all certificates because I found when I did some (indiscernible) to see to compare the issue date of CA with the first revoked certificate. And I found that some of them that for example there is difference of four years, six years. If you see a series that was issued and the first revoke certificate is 60 years into the future, what I think they are removing the or revoking certificates that are not valid. [Indiscernible] But this is just what I think. I can't tell you this a hundred percent sure. What is the -- if the browser is checking that the certificate is removable or not using the old service it can be easier because what happens with configuration of I think all the browser they have tested is that when they do a connection to check for a certificate is revokable or not if they don't have a response they continue. So just drop the connection to this service. You don't have the check so you can use revoke certificates. So I have that. [No audio] Okay, let me change the host we are using. And [indiscernible] at the same because we are getting the HTTPS in the ATP and this time we are going to go to 10 years into the past. So we are going the use certificate [indiscernible] generated using the old (indiscernible) and we have the internet key. [indiscernible] And now I am going to restart the demon [indiscernible] because just because reboot the system will take more time but it is same. Okay. We have synchronization now. Let’s see, okay. The date has changed now so we can visit the site. The site the certificate was tools. Tools dot i-e-t-f dot org. So this site. Okay? Okay. The certificate we have connection is valid. The site seems the originally one but I have links now links is security reaction[ Indiscernible] [Applause] The certificate… no. It's different from… let me show you, it is different from if… it’s different because they changed the provider. It’s completely different but it’s valid. Okay. So you know the time synchronization well it is something that should have more security controls like Microsoft does for example. The security controls, for example, with Chrome has a warning if a certificate is -- if data in the system is older than the build time of the browser so there are some controls that could help. I would like to speed up things because this is my third year here. So I’m ready for some questions on Microsoft, but [indiscernible] because it was my first time, to thank you guys and my associates and to the people who created all those movies in the 80’s for a wonderful title. I think we don't have questions. Thank you. [Applause] [Music Playing]