7. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations
20. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations
30. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations
48. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations
51. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations
53. Certificates from the past
Data:
Version: 3 (0x2)
Serial Number:
5d:9e:f1:65:7f:f4:0c:14:e4:19:46:87:0b:b3:7b:fc
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=US, ST=UT, L=Salt Lake City,
O=The USERTRUST Network,
OU=http://www.usertrust.com,
CN=UTN-USERFirst-Hardware
Validity
Not Before: Sep 19 00:00:00 2008 GMT
Not After : Nov 22 23:59:59 2010 GMT
Subject:
O=The SANS Institute,
OU=Network Operations Center (NOC),
OU=Comodo PremiumSSL Wildcard,
CN=*.sans.org
71. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations
72. Conclusions & Recommendations
Facts
• Time synchronisation isn’t managed securely by most operating
system vendors.
• Many security protections relies in time. If an attacker can control the
local clock, lots of things can go wrong.
What to do
• Configure NTP synchronisation in a secure way (Microsoft does):
• Signature.
• Maximum drift.
• Block SSL certificates which expiry date is before the browser build
date or the last update (Chrome does).
73. Special thanks to…
• Pedro Candel (my leaked certs dealer).
• Juan Garrido (microsoft guru).
• Tom Ritter (my factoring mentor).
• All the NCC Group guys and resources.
/mode +nostalgic JoseSelvi
• People who created the Back to the Future saga, War
Games, and all those amazing 80’s movies and
series :’)