No 'A' Word In Time
This was a conversation between Tsutomu Shimomura and his assistant Andrew as they were tracking Kevin Mitnick, recounted in the book Takedown.
Tsutomu's response is in no way harsh. If you are going to prosecute, your logs have to show the correct date and time. If today is November 25, 2002 and a server that has been compromised shows the date and time as October 15, 2002 13:02, you have no way to know whether the times logged between those dates are accurate. Not only would such logs be difficult to hold up in court, they also make restoring from backup difficult, because it will take a while to go through the backups and find a clean, up-to-date copy. Accurate time is crucial in all areas of computing, not just security, and in all areas of our lives. "It can change the opinion of a customer. It can be a breaker of trust. It can be a costly problem for businesses, managers, security folks and just about everyone." (Huston)
Most computer systems come with tools to assist in accurate time synchronization (time synch), which includes maintaining both the correct time and the correct date. Some distributions, like EnGarde Linux, ship with XNTP, a Network Time Protocol (NTP) daemon, already running and ready to synchronize with external time servers. NTP, XNTP, and rdate are just a few of the tools that can synchronize time on servers. Accurate time also makes it possible to correlate logs across multiple systems. In the case of Tsutomu tracking Kevin Mitnick, each server having accurate time was critical to locating him and to prosecution: "If the clocks weren't synchronized, it would be far more difficult to match events taking place on different machines, a necessary step to tracing someone who is connected through a string of computers on the Internet." (Shimomura)
All servers should run time synch software, including mail servers, web servers, firewalls, centralized logging servers, and so on. One scenario where time synch is easily overlooked is an organization that uses "port mirroring" on its switch to set up an Intrusion Detection System (IDS) sensor. When port mirroring is enabled, the traffic on a port, usually the main router's port, is copied to the IDS port, where the network traffic can be inspected for malicious activity or used to gather network statistics. This is a great technique because the IDS can't be reached over the network; someone has to physically go to the server. The problem is that the sensor's time can be off by minutes or hours and its date by days, weeks, or months, because it has no network connection over which to synchronize with an external server. That is neither practical nor acceptable for proper analysis of network traffic and security monitoring.
The IDS needs a second network card connected to the network, with either no network services running or only SSH with user- and host-based access control. With that, the IDS has a normal network connection and can synchronize with an external time server, which makes correlating its logs with those of a server that has been compromised or is under attack much easier. NOTE: If you log in UTC, be certain you know the math to convert to your local timezone, and be certain you can do it quickly and keep up with the seasonal time changes (daylight saving time).
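The correlation problem described above, and the UTC conversion the note warns about, as an added example that is not part of the original article: log lines from three hosts are converted from each host's local timezone to UTC, corrected by the clock offset a time-synch query would report for that host, and merged into one timeline. Hosts whose offset is too large to trust are flagged so their logs are not used as-is. The hostnames, timezones, offsets and log lines are all constructed for illustration; the script assumes a simple "host date time message" log format.

```python
"""
Added example (not from the original article): normalize log timestamps from
several hosts into one UTC timeline, correcting each host for its local
timezone and its measured clock offset, so events can be correlated.
All hostnames, offsets and log lines below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Clock offset of each host relative to true time, in seconds, as a time-synch
# query (for example an NTP offset measurement) would report it. Positive means
# the host's clock is ahead. These values are constructed, not measured.
HOST_OFFSETS = {
    "fw1":  0.012,       # synchronized
    "web1": -3.8,        # a few seconds slow
    "ids1": 5400.0,      # 90 minutes ahead: no network path to a time server
}

# Local timezone of each host's log timestamps (hours east of UTC). Assumed.
HOST_TZ_HOURS = {"fw1": 0, "web1": -5, "ids1": -5}

# Hosts whose offset exceeds this many seconds are flagged as unreliable
# for correlation; the threshold is a policy choice.
MAX_TRUSTED_OFFSET = 60.0

# Constructed syslog-style lines: "<host> <YYYY-MM-DD HH:MM:SS> <message>"
SAMPLE_LOGS = [
    "web1 2002-11-25 08:01:00 sshd: Accepted password for root from 10.0.0.9",
    "fw1 2002-11-25 13:00:57 kernel: ACCEPT tcp 10.0.0.9 -> 10.0.0.20:22",
    "ids1 2002-11-25 09:31:02 snort: SSH brute force 10.0.0.9 -> 10.0.0.20",
]

LINE_RE = re.compile(r"^(\S+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_line(line):
    """Split a log line into (host, naive local datetime, message)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    host, stamp, msg = m.groups()
    return host, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), msg


def to_utc(host, naive_local):
    """Attach the host's timezone and convert to UTC."""
    tz = timezone(timedelta(hours=HOST_TZ_HOURS[host]))
    return naive_local.replace(tzinfo=tz).astimezone(timezone.utc)


def correct_offset(host, utc_time):
    """Remove the host's measured clock error: a clock that runs ahead
    stamped the event later than it really happened."""
    return utc_time - timedelta(seconds=HOST_OFFSETS[host])


def build_timeline(lines):
    """Return events sorted by corrected UTC time as
    (corrected_utc, host, message, trusted) tuples."""
    events = []
    for line in lines:
        host, naive, msg = parse_line(line)
        corrected = correct_offset(host, to_utc(host, naive))
        trusted = abs(HOST_OFFSETS[host]) <= MAX_TRUSTED_OFFSET
        events.append((corrected, host, msg, trusted))
    return sorted(events, key=lambda e: e[0])


def untrusted_hosts():
    """Hosts whose clock error is too large for their logs to be relied on."""
    return sorted(h for h, off in HOST_OFFSETS.items()
                  if abs(off) > MAX_TRUSTED_OFFSET)


if __name__ == "__main__":
    for when, host, msg, trusted in build_timeline(SAMPLE_LOGS):
        flag = "" if trusted else "  [clock untrusted]"
        print(f"{when.isoformat()} {host:5} {msg}{flag}")
    print("hosts needing time synch before their logs are used:", untrusted_hosts())
```

Read raw, the IDS alert appears an hour and a half after the firewall accept and the login; after the timezone conversion and the 90-minute correction it falls between them, which is the order the events actually happened in. The flag on ids1 is the practical point of the article: until that sensor can reach a time server, the correction has to be measured by hand and its logs treated with suspicion.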
Time synchronization suggestions:
The best way to implement time synchronization is to have one or two internal servers (depending on the size of the network) synchronize with three external public time servers (most software will try one and then fall back to the others if it doesn't respond), and to run a client on every other server and workstation that synchronizes with those internal servers. A list of public time servers is available at https://www.eecis.udel.edu/~mills/ntp/servers.html. Some public time services only allow one or two IP addresses from a network to sync with their server, and you may need to get permission to synch with some of them, though there are public ones that don't require it. DON'T ABUSE IT! They will block you! Some time synch software uses key authentication to allow the remote server to adjust the client's hardware clock. BE VERY CAREFUL WITH THE PERMISSIONS YOU GIVE A REMOTE SERVER TO MODIFY ANYTHING ON YOUR SYSTEMS, REGARDLESS OF KEY EXCHANGES. Usually the local time synch client can set the hardware clock itself, or another local program can do it; on Linux, for example, the program "hwclock" can set the hardware clock from the system clock. Don't configure all of your clients to synch with one server at the same moment; that may overwhelm the time server and cause a Denial of Service or crash it.
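The layout just described, written out as an added example in the syntax of the classic ntpd ntp.conf (this is not configuration from the article or from any particular distribution). Hostnames, the internal address range and the drift file path are placeholders to be replaced with your own; permission from the public server operators is still yours to obtain.

```conf
# --- ntp.conf on an internal time server (added example, placeholders) ---
# Three external public servers; ntpd keeps polling all of them and falls
# over to the others if one stops answering. "iburst" speeds up the
# first synchronization after a restart.
server ntp1.example.org iburst
server ntp2.example.org iburst
server ntp3.example.org iburst

# Remember the measured drift rate of the local clock across restarts
driftfile /var/lib/ntp/ntp.drift

# Default for everyone: answer time requests only. No runtime modification
# of the daemon, no trap/control queries, no peering with unknown hosts.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

# Internal clients (placeholder range) may fetch time, nothing more
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap

# --- ntp.conf on every other server and workstation (added example) ---
# Point at the internal servers only; the same restrict defaults apply, so
# nothing on the network can reconfigure this host's daemon.
server ntp-a.internal.example iburst
server ntp-b.internal.example iburst
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
```

Two points the article raises map directly onto this. A continuously running ntpd polls its servers at its own adaptive interval rather than at a fixed minute, so it does not produce the synchronized burst of requests that a cron job running a one-shot client on every workstation at the same time would; and the restrict lines are the file's answer to the warning about what a remote server may modify: they let the internal servers be read from but not reconfigured. `ntpq -p` on a host shows which server it is following and the measured offset, and `hwclock --systohc` writes the synchronized system time to the hardware clock, the local step the article describes.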
If a server keeps losing time, there may be some other hardware or software issue causing the problem, or the computer's battery may need to be changed. (Removing the system's battery may disable your BIOS password protection, so be sure the BIOS password wasn't reset when you reboot the computer.)
Please make it a priority to implement time synchronization in your organization. It is critical to your overall business operation and not just for system administration or security. Remember the words from one of the best, "From my point of view running time synch is an absolute, non-negotiable requirement, for the essence of everything I do is related to time." (Shimomura)
Managers, ensure that your admins have time synchronization set up on all servers and workstations. If not, please make it a priority for your organization, and don't "assume" that it is in place or settle for "assume" as a response. Also, Managers, we need your support!
"Linux Security". 2002. Linux Security - The Community's Center for Security. https://www.linuxsecurity.com/
Shimomura, Tsutomu and John Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw - By the Man Who Did It. New York: Hyperion, 1996.
Huston, Brent. "Time Issues Revisited". ITworld.com Security Strategies. https://www.itworld.com/nl/security_strat/08282002/
Duane Dunston is a Computer Security Analyst at STG Inc. for the National Climatic Data Center in Asheville, NC. He received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. He hangs out at Old Europe Cafe, Early Girl's eatery, Anntony's, and any place with good tea and hot chocolate.
Duane has been working in security for 5 years and wishes he had the funding for a "Basic Security Tour" so he could provide the world with hands-on training on how to implement the security recommendations from the SANS Top 20 list of the most common vulnerabilities. He knows that applying these recommendations to any network can minimize the most common types of attacks. Not only does he enjoy his work in computer security, he also likes to get involved in its ever-growing technologies. Duane says, "Security is one of those jobs where you have to stay abreast of new technologies and new ways that attackers are compromising computer systems. Security keeps evolving and the industry has to keep up with it; that is why we need well-trained, evolving security professionals and supportive managers to help us with this ongoing process".