Tag Archive for Google

Whose Time Is It?

What time is it? If you looked at the lower right corner of your Windows PC screen, you know what time it is. That is good enough for most people, but followers of the Bach Seat want to know more. How does Microsoft know what time it is? Microsoft, and everybody else, uses the Internet Engineering Task Force (IETF) RFC 7822 standard protocol called Network Time Protocol (NTP).

NTP is one of the oldest Internet protocols still in use. NTP was designed by UMich alum David Mills at the University of Delaware. NTP can maintain time to within tens of milliseconds over the public Internet, and to better than one millisecond on a LAN. Like many other things in the network world, NTP is set up as a hierarchy. At the top of the tree are “atomic clocks” (Stratum 0). Corporations, governments and the military run atomic clocks.

USNO NTP Servers

Atomic clocks are high-precision timekeeping devices which use the element cesium, whose resonance frequency is 9,192,631,770 Hertz. That means it “oscillates” a little over nine billion times a second. Knowing the oscillation frequency and then measuring it in a device creates an incredibly accurate timekeeping mechanism. Atomic clocks generate a very accurate interrupt and timestamp on a connected Stratum 1 computer. Stratum 0 devices are also known as reference clocks.

Stratum 1 – These are computers attached to stratum 0 devices. Stratum 1 servers are also called “primary time servers”.

Stratum 2 – These are computers that synchronize over a network with stratum 1 servers. Stratum 2 computers may also peer with other stratum 2 computers to offer more stable and robust time for all devices in the peer group.

Stratum 3 – These are computers that synchronize with stratum 2 servers. They use the same rules as stratum 2, and can themselves act as servers for stratum 4 computers, and so on.

Once synchronized with a stratum 1, 2 or 3 server, the client updates its clock about once every 10 minutes, usually requiring only a single message exchange. NTP uses User Datagram Protocol (UDP) port 123. The NTP timestamp is 64 bits and consists of a 32-bit part for seconds and a 32-bit part for the fractional second. 64 bits gives NTP a time scale of 2^32 seconds (136 years) and a theoretical resolution of 2^-32 seconds (233 picoseconds). NTP uses an epoch of January 1, 1900, so the first rollover will be on February 7, 2036.
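As an added illustration, not code from the post or from any NTP implementation, the following Python packs and decodes the 64-bit timestamp and the 48-byte NTPv4 header just described, derives the 2036 rollover from the epoch, and works the client offset/delay arithmetic over a constructed exchange. It assumes the RFC 5905 header layout; the packet bytes and the four clock readings are constructed so it runs offline.

```python
"""Added example (not code from the post): pack and decode the 64-bit NTP
timestamps and the 48-byte NTPv4 header described above, then run the
client-side offset/delay arithmetic over a constructed exchange.
Assumptions (mine): the RFC 5905 header layout; the packet and the four
clock readings are constructed inline so the example runs offline."""
import math
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 to the Unix epoch, 1970-01-01
HEADER = "!BBbbIII8I"  # LI/VN/mode, stratum, poll, precision, 3 words, 4 x (sec, frac)

def unix_to_ntp(t: float) -> tuple:
    """Split Unix time into the 32-bit seconds / 32-bit fraction NTP pair."""
    frac, whole = math.modf(t)
    f = int(round(frac * 2**32))
    # f >> 32 carries a fraction that rounded up to a whole second
    return (int(whole) + NTP_UNIX_DELTA + (f >> 32)) & 0xFFFFFFFF, f & 0xFFFFFFFF

def ntp_to_unix(secs: int, frac: int) -> float:
    """Inverse of unix_to_ntp. Era 0 ends on 2036-02-07 when the seconds word
    wraps; a value below the 1970 delta is read as era 1 (the usual heuristic,
    which assumes no timestamps before 1970)."""
    if secs < NTP_UNIX_DELTA:
        secs += 2**32
    return (secs - NTP_UNIX_DELTA) + frac / 2**32

def first_rollover() -> datetime:
    """The instant the 32-bit seconds field first wraps: 2**32 s after 1900."""
    return NTP_EPOCH + timedelta(seconds=2**32)

def build_packet(mode: int, stratum: int, orig: float, rx: float, tx: float) -> bytes:
    """Pack an NTPv4 header (LI=0, VN=4). Root delay/dispersion and reference
    id are zeroed; the reference timestamp is set to the receive time."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    fields = [li_vn_mode, stratum, 6, -20, 0, 0, 0]
    for t in (rx, orig, rx, tx):  # reference, originate, receive, transmit
        fields.extend(unix_to_ntp(t))
    return struct.pack(HEADER, *fields)

def parse_packet(pkt: bytes) -> dict:
    """Decode the 48-byte header into version, mode, stratum and Unix-time stamps."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    f = struct.unpack(HEADER, pkt[:48])
    stamps = [ntp_to_unix(f[i], f[i + 1]) for i in range(7, 15, 2)]
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "reference": stamps[0], "originate": stamps[1],
            "receive": stamps[2], "transmit": stamps[3]}

def offset_and_delay(reply: bytes, t1: float, t4: float) -> tuple:
    """RFC 5905 client arithmetic. T1/T4 are our send/receive clock readings,
    T2/T3 come from the reply. The originate check drops replies that do not
    echo our own transmit stamp, so an unsolicited packet cannot step the clock."""
    p = parse_packet(reply)
    if p["mode"] != 4 or abs(p["originate"] - t1) > 2**-20:
        raise ValueError("not a server reply to our request")
    t2, t3 = p["receive"], p["transmit"]
    offset = ((t2 - t1) + (t3 - t4)) / 2  # how far our clock is behind the server
    delay = (t4 - t1) - (t3 - t2)         # round-trip time on the wire
    return offset, delay

# Constructed exchange: the server clock runs 5 s ahead of ours, 50 ms each way
T1 = 1_500_000_000.0            # our clock when the request left
T2 = T1 + 5.0 + 0.05            # server clock at receipt
T3 = T2 + 0.001                 # server clock when the reply left
T4 = T1 + 0.05 + 0.001 + 0.05   # our clock when the reply arrived
SERVER_REPLY = build_packet(mode=4, stratum=2, orig=T1, rx=T2, tx=T3)

if __name__ == "__main__":
    print("era 0 rolls over at", first_rollover().isoformat())
    print("offset %.3f s, delay %.3f s" % offset_and_delay(SERVER_REPLY, T1, T4))
```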

Microsoft (MSFT) has a mixed history of complying with NTP. All Microsoft Windows versions since Windows 2000 include the Windows Time service (“W32Time”), which was originally implemented to support the Kerberos version 5 authentication protocol. Kerberos required time to be within 5 minutes of the correct value to prevent replay attacks. The NTP version in Windows 2000 and XP violates several aspects of the NTP standard. Beginning with Windows Server 2003 and Vista, MSFT’s NTP implementation was reliable to 2 seconds. Windows Server 2016 can now support 1 ms time accuracy.

In 2014 a new NTP client, ntimed, was started. As of May 2017 no official release had been made, but ntimed can synchronize clocks reliably under Debian and FreeBSD; it has not been ported to Windows or Apple (AAPL) macOS.

Accurate time across a network is important for many reasons; discrepancies of even fractions of a second can cause problems. For example:

  • Distributed procedures depend on coordinated times to make sure proper sequences are followed.
  • Authentication protocols and other security mechanisms depend on consistent timekeeping across the network.
  • File-system updates carried out by a number of computers depend on synchronized clock times.
  • Network acceleration and network management systems also rely on the accuracy of timestamps to measure performance and troubleshoot problems.
  • Each individual blockchain includes a timestamp representing the approximate time the block was created.

NTP has known vulnerabilities. The protocol can be exploited and used in distributed denial of service (DDoS) attacks for two reasons: first, it will reply to a packet with a spoofed source IP address; second, at least one of its built-in commands will send a long reply to a short request.

More vulnerabilities were recently discovered in NTP. SearchSecurity.com reports that security researcher Magnus Stubman discovered the vulnerability and, instead of going public, took the mature route and privately informed the community of his findings. Mr. Stubman wrote that the vulnerability he discovered could allow unauthenticated users to crash ntpd with a single malformed UDP packet, which causes a null pointer dereference. The article explains that this means an attacker could craft a special UDP packet which targets NTP, resulting in an exception bypass that can crash the process. A patch to remediate this specific vulnerability, NTP 4.2.8p9, was released by the Network Time Foundation Project.

This is a Windows-only vulnerability at this time. The author urges anyone running the NTP daemon on a Windows system to patch it as soon as possible. This particular DoS attack against NTP could incapacitate a time server and cause havoc in the network. The easiest fix, the article states, is to apply the NTP patch.

rb-
NTP is important to your network and patching and protecting it should be a priority. The threat to your environment is real. If NTP is not patched, an attacker could take advantage of the chaos created by this vulnerability to hide their tracks since timestamps on files and in logs won’t match.

Way back in the day, when I was a network administrator, I inherited a network where a directory services container was frozen. It seems that time had never been properly set up on the server holding the replica, and as time passed the server time drifted away from network time; at some point we could not make changes or force a replica update. That meant a late-night call to professional services to kill the locked objects, apply DSRepair –xkz (I think) and then re-install an R/O replica.

 

Ralph Bach has been in IT for a while and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

What's a Lifetime on Social Media?

From the scary stats department – In 2015, time spent on mobile apps exceeded time spent watching TV for U.S. consumers, according to TechCrunch. And now influencer marketing agency MediaKix has calculated more scary social media statistics: social media users will spend years online during their lifetime.

Growth on many of the top social media platforms continues as each network rolls out new features and functionality to better compete for users’ daily time. It must be working: not only is the number of people using social media increasing, the time people spend each day on social media is increasing too. MediaKix says that Facebook (FB) users alone spend an average of 50 minutes each day on the site.

In order to see how much time the average person will spend on social media throughout their life, MediaKix calculated the time spent across today’s most popular social media platforms. Across those platforms, people are spending the following daily averages:

The advertising firm says these social media consumption rates, across a lifetime, will total up to:

  • YouTube: 1 year, 10 months
  • Facebook: 1 year, 7 months
  • Snapchat: 1 year, 2 months
  • Instagram: 8 months
  • Twitter: 18 days

Cumulatively, this adds up to a total of 5 years and 4 months spent on social media across a lifetime. Compare the time spent on social media against more mundane life activities:

  • Social Media: 5 years, 4 months
  • Eating & Drinking: 3 years, 5 months
  • Grooming: 1 year, 10 months
  • Socializing: 1 year, 3 months
  • Laundry: 6 months

The Santa Monica, CA firm projected the social media figures across an entire lifetime and put the numbers into the infographic below.

 

How much time do people spend on social media?

 

rb-

I have argued for a while that the social media fake news issue is a result of the American educational system. They are so obsessed with teaching the Common Core that they don’t teach any analytical skills. Schools need to reinstate current events and media literacy classes.

Quartz cited a survey that found that teens prefer Facebook as a news source (41%), while tweens break between YouTube (41%) and Facebook (37%). By huge margins, girls prefer Facebook for news, and boys, YouTube.

The converging trends of more time spent online, preferring social media as a news source and no education is putting democracy at risk.

Search Engine Journal offers some good suggestions on how to evaluate if a story is real or fake.

What is the Site? – Most major recognized sources for news journalism are not going to be producing clickbait fake news. Most of the fake news sites that go for “shock” value and produce fake stories are not as recognized. Look into the source itself and see whether it is a website that can be trusted.

Check the Domain – Many fake news stories use similar URLs and domain names to mimic reputable news sources, but rather than using a .com they use .com.co endings.

What are the Authors’ Sources? – Good news stories contain links to other reputable reporting by respected organizations. Be wary of sources that cannot substantiate their claims.

Fact Check! – When in doubt, fact-check the information that you read! You can start with a simple search to look into the keywords or the event that is being reported on. You can also use sites like PolitiFact, FactCheck, and Snopes.

Examine the Website Closely – Look at the full spectrum of details on the site. Are there other fake-looking or shocking headlines? What does the overall website look like? How is the user experience? Sometimes doing just a little further digging will make it clear if a news story is fake.

Act! – Once you identify if a story is real or fake, you can make a big difference. Do not share stories on social media that are fake and make them more visible. If you notice a friend or family member share a fake story on a social media outlet, do them a favor and comment or message them showing how you found out it was fake so they don’t repeat the same mistake.

If you come across a fake news article, comment on it stating how you arrived at the conclusion it was fake. If everyone does their part to distinguish fake news stories and make them known, then they won’t be shared as easily.

 


Crack Your New Phone with a Pix

Followers of the Bach Seat know biometrics have a limited value in replacing passwords. Despite the technical flaws, another round of biometric hype is running across the intertubes. The latest round of biometric hype is coming from Samsung (005930). In the hope of reviving their brand, they are on the verge of releasing the Galaxy S8. The Samsung Galaxy S8 includes the ability to use facial recognition software to unlock your brand new phone. CNet says that this idea “sounds awesome.”

However, this awesomeness will lower the bar for your security. CNet reports that video blogger MarcianoTech demonstrated a pre-release version of the Galaxy S8 being unlocked using just a photo (at the 1:09 mark). To their credit, Samsung has acknowledged that the Face Unlock feature is more for convenience than for security, and it cannot be used for mobile payments. Weak facial recognition software is a convenience for the user, but it could be very convenient for others, too.

The troubles with Face Unlock date back to 2011, when SlashGear reported that Google admitted the security system can be fooled by a picture of you rather than the real thing. CNet reports that a Carnegie Mellon University spin-off in Pittsburgh, PittPatt, developed Face Unlock and was later acquired by Google (GOOG).

Just to make Face Unlock and similar facial recognition systems more dangerous, the Guardian reports that during recent testimony before Congress the FBI admitted that it stores about half of all adult Americans’ photographs in facial recognition databases that can be accessed by the FBI. About 80% of photos in the FBI’s network are non-criminal entries, including driver’s license pictures from 18 states, including Michigan (pdf), and passports.

The FBI first launched its advanced biometric database, Next Generation Identification, in 2010, augmenting the old fingerprint database with further capabilities including facial recognition. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.

Unlike with the collection of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos.

States allowing FBI to search driver license pictures

“I’m frankly appalled,” said Paul Mitchell, a congressman for Michigan. “I wasn’t informed when my driver’s license was renewed my photograph was going to be in a repository that could be searched by law enforcement across the country.”

So anyone with a photo of you, or maybe even just access to your Facebook photos, could potentially access your phone.

rb-

There are two important reasons why biometrics don’t work, and why the old-fashioned password is still a better option: a person’s biometrics can’t be kept secret and they can’t be revoked.

People expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s no real way to conceal your eyes, face or fingerprints from the world. As far back as 2002, research led by Japanese cryptographer Tsutomu Matsumoto demonstrated the problem: Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints in 2016.

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes) but unlike a password, once a biometric is compromised, it is permanent. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life.

With the release of Windows 10, Microsoft (MSFT) stepped up its biometrics game. CNet reports that the recent improvements in Windows 10 biometric security include facial recognition software. Besides facial recognition, Windows Hello also supports fingerprint and iris recognition to secure your PC. For facial recognition, though, Microsoft has partnered with chipmaker Intel (INTC) for its RealSense 3D camera tech to get the job done. RealSense uses depth-sensing infrared cameras to track the location and position of objects, which Microsoft then uses to scan a person’s face or iris before unlocking the device in question.

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba and MasterCard have already come together to form a partnership known as the FIDO (Fast Identity Online) Alliance. Founded in 2013, FIDO was set up to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.

 


Your Mobile is Leaking

There is a vulnerability in the global phone system that allows hackers to get access to others’ telephone data using nothing but a phone number. The flaw is in Signaling System 7 (PDF), or SS7, which is a set of telephony signaling protocols that exchanges information between telephone networks.

The Register points out that SS7 signalling technology was developed in the 1970s and hasn’t been updated since, even as the systems became accessible over the internet. The reported weakness in SS7 allows hackers or TLAs to exploit the vulnerability, using only the phone number of the user they’re targeting, to listen to phone calls, read text messages and track the user’s location.

A white paper (PDF) by independent cyber-security company Positive Technologies explains:

The process of placing voice calls in modern mobile networks is still based on SS7 technology which dates back to the 1970s. At that time, safety protocols involved physical security of hosts and communication channels, making it impossible to obtain access to an SS7 network through a remote unauthorised host. In the early 21st century, a set of signalling transport protocols called SIGTRAN were developed. SIGTRAN is an extension to SS7 that allows the use of IP networks to transfer messages.

However, even with these new specifications, security vulnerabilities within SS7 protocols remained. As a result, an intruder is able to send, intercept and alter SS7 messages by executing various attacks against mobile networks and their subscribers.

The real-world result of the SS7 flaw, as Alex Mathews, technical manager EMEA of Seoul, Korea based Positive Technologies, explained, is:

Chat applications such as WhatsApp, Telegram, and others use SMS verification based on text messages using SS7 signalling to verify identity of users/numbers.

SMS authentication is one of the major security mechanisms for services like WhatsApp, Viber, Telegram, Facebook (FB), and is also part of second factor authentication for Google (GOOG) accounts, etc. Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume identity of the legitimate user. Having done so, the attacker can read and write messages as if they are the intended recipient.

If chat history is stored on the server, this information can also be retrieved.

The hack first came to light in 2014 when security researcher Karsten Nohl demonstrated it at a convention in Germany according to FierceWireless. CBS 60 Minutes (rb- That’s still on?) caused a mild ripple after they engaged Mr. Nohl to show the vulnerability to track a new iPhone that had been given to U.S. Rep. Ted Lieu (D-CA). Mr. Lieu, who holds a degree in computer science from Stanford, agreed to use the phone to talk to his staff knowing it would be hacked. From his office in Berlin, Mr. Nohl was able to track Mr. Lieu’s movements in Los Angeles as well as to read messages and record phone calls between Representative Lieu and his staff.

CBS correspondent Sharyn Alfonsi contacted representatives from CTIA who said that there have been reports of SS7-related security breaches abroad, “but (they) assured us that all U.S. cellphone networks were secure,” although Mr. Lieu was on a U.S. network when his phone was hacked from Germany.

The flaw “is an open secret among the world’s intelligence agencies — including ours — and they don’t necessarily want that hole plugged,” Ms. Alfonsi reported. The four major U.S. wireless operators declined to discuss more specific questions from FierceWireless. When asked whether the flaw may threaten the privacy and security of subscribers, AT&T (T) and Verizon (VZ) referred the question to CTIA, while Sprint (S) and T-Mobile (TMUS) declined to discuss SS7.

Representative Lieu has called for a congressional investigation of the vulnerabilities in SS7, writing that, “The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring U.S. government officials.” Lieu said the investigation should be conducted by the House Oversight and Government Reform Committee, of which he is a member.

The Register reports that Senator Ron Wyden (D-OR) recently joined Representative Lieu to send an open letter [PDF] to Homeland Security Secretary John Kelly asking for an update on its progress in addressing the SS7 design shortcomings. It also asks why the agency isn’t doing more to alert the public about the issue. The letter states in part:

“We suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones.” “We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance.”

rb-

It is important to understand that the wired and wireless telephone network that your phone connects to is not secure and probably never will be.

Telephone networks were not designed to be secure.

The most recent draft of the new Digital Identity Guidelines from NIST warns that:

Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.

You really have to wonder if this is related to the SS7 hole and why it is only being considered for removal. Maybe some of its TLA friends want the hole to stay in place.

I previously covered the SS7 flaw implications to SMS here.

 


Who Rules the Internet?

Singapore-based ISP Vodien published an infographic which lists the 100 highest-ranking websites in the U.S. by traffic, according to website analytics company Alexa. There are over 1.1 billion websites on the internet, but the majority of all traffic actually goes to a very small number of firms. Seven companies control 30% of the top 100 web sites and the related web traffic.

Not surprisingly, Alphabet controls the most popular sites on the web, Google and YouTube. Surprisingly, Microsoft controls the most sites in the top 100. Redmond controls seven of the top web properties, including recently purchased LinkedIn, Bing and Microsoft.com. For a long time, MSFT’s online efforts were a disaster. That seems to have changed with Azure, but I still hate Bing. According to the Vodien infographic, Alphabet controls four of the most popular sites.

The Visual Capitalist points out that Google.com gets an astounding 28 billion visits per month. The next closest is also a Google-owned property: YouTube brings in 20.5 billion visits.

Facebook (FB) controls two of the most popular web sites; Facebook (#3) and Instagram (#13).

Jeff Bezos’ firm Amazon (AMZN) directs four popular web sites;

The infographic says Verizon (VZ) now controls the Huffington Post (#49) and AOL (#59) and will control Yahoo (#5) and Tumblr (#12) if the deal closes in 2017 Q2.

Reddit.com comes in at #7 and Reddituploads.com is #61.

Online retailer eBay comes in as the #8 website.

POTUS favorite Twitter (TWTR) is the 9th ranked website and t.co is #25.

Video streamer Netflix comes in ranked #10 by Vodien.

Microsoft (MSFT) controls 7 of the top 100 web sites, with recently purchased LinkedIn at #11, Live.com at #14, so-so search engine Bing at #17, followed by Office.com (#23), Microsoft Online Services (#24), MSN (#37) and Microsoft.com (#41).

100 Websites that Rule the Internet

rb-

The consolidation of all of this web traffic is troubling. The current administration is going to allow online firms to sell all the personal information they collect to the government, data aggregators or anybody else to make a buck.
