NTP: The Holy Grail of Attack Vectors?

Submitted by Time Cracker
Time Cracker (3435063) writes "Okay, stop and think about it for a moment: What is the one port that almost every firewall has open and to which few bother applying stateful inspection?

Clearly, the answer is 123/UDP, the NTP port.

And, I’m not talking about just network firewalls here, either. Probably every computer, router, switch, smartphone, tablet — and just about every other intelligent device that is on any network — also allows NTP through its firewall. That is, assuming it even has a firewall.

With the rapidly growing “Internet of Things” you have to ask: How many of those devices — most of which assume only “trusted” LAN/WLAN connectivity — have a firewall? Yet, probably nearly every one of them has a clock, and most likely that clock is kept accurate using NTP.

Perhaps scariest of all, many of our critical infrastructure control systems predate even the concept of a network firewall, so they clearly don’t have one. On the plus side, many also predate NTP. The big unknown is how many systems performing safety critical functions use NTP and are unprotected from network attacks?

Unarguably, NTP is widely deployed. Debatable is how well protected NTP clients are. I would argue that more are probably completely unprotected than are even minimally protected — a question of home user computer deployments (unprotected) versus business deployments (unprotected to tightly locked down) versus networked device deployments (mostly unprotected).

In other words, NTP is a sitting duck screaming, “Hack Me!”

(Full article on Reddit: http://www.reddit.com/r/netsec/comments/1qwcn9/ntp_the_holy_grail_of_attack_vectors )"
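The submission's point is that UDP/123 is usually passed without state, so the only thing standing between an unsolicited or forged reply and the system clock is the client's own matching logic. The following is an added example, not code from the submission or from any NTP implementation: it builds an NTPv4 client query, keeps the one piece of state a client needs (its transmit timestamp), and applies the checks a well-behaved client performs before a reply is allowed to influence the clock: the origin timestamp must echo the query, the mode must be a server reply, and the leap indicator and stratum must be sane. The sample replies are constructed in the script; the randomised low bits of the transmit fraction are an assumption about good client practice, not something the submission describes.

```python
"""Client-side checks on an NTP reply, demonstrating the per-query state
that a stateless UDP/123 firewall rule does not provide. Added example with
constructed packets; not taken from the submission or from any NTP daemon."""
import os
import struct
import time

NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 to the Unix epoch
NTP_PACKET = struct.Struct("!BBBb11I")   # 48-byte NTPv4 header, no extension fields


def build_request(now=None):
    """Return (packet, transmit_timestamp) for an NTPv4 mode-3 client query.

    The transmit timestamp T1 is the only state the client keeps; a genuine
    reply must echo it in the origin field. The low 16 bits of the fraction
    are randomised so a blind forger has to guess them (assumed practice).
    """
    if now is None:
        now = time.time()
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((now - int(now)) * (1 << 32)) & 0xFFFF0000
    frac |= int.from_bytes(os.urandom(2), "big")
    xmt = (secs, frac)
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, version 4, mode 3 (client)
    fields = [li_vn_mode, 0, 0, 0] + [0] * 9 + list(xmt)
    return NTP_PACKET.pack(*fields), xmt


def parse_reply(data):
    """Decode the fixed 48-byte header; raise ValueError if the datagram is short."""
    if len(data) < NTP_PACKET.size:
        raise ValueError("short packet: %d bytes" % len(data))
    f = NTP_PACKET.unpack_from(data)
    return {
        "li": f[0] >> 6,
        "version": (f[0] >> 3) & 7,
        "mode": f[0] & 7,
        "stratum": f[1],
        "origin": (f[9], f[10]),      # server's copy of our transmit timestamp
        "receive": (f[11], f[12]),
        "transmit": (f[13], f[14]),
    }


def validate_reply(data, expected_origin):
    """Return (accepted, reason) for a datagram received on the query socket."""
    try:
        r = parse_reply(data)
    except ValueError as exc:
        return False, str(exc)
    if r["mode"] != 4:
        return False, "mode %d is not a server reply" % r["mode"]
    if r["version"] not in (3, 4):
        return False, "unsupported version %d" % r["version"]
    # The stateful check: a reply that does not echo our transmit timestamp
    # was not solicited by this query (or was forged without seeing it).
    if r["origin"] != expected_origin:
        return False, "origin timestamp does not match our request"
    if r["li"] == 3:
        return False, "server reports it is unsynchronised (LI=3)"
    if not 1 <= r["stratum"] <= 15:
        return False, "stratum %d is kiss-of-death or unsynchronised" % r["stratum"]
    if r["transmit"] == (0, 0):
        return False, "empty transmit timestamp"
    return True, "ok"


def build_server_reply(origin, stratum=2, li=0, mode=4):
    """Constructed server reply for the demo: echoes `origin`, stamps 'now'."""
    now = time.time()
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    ts = (secs, 0x80000000)
    li_vn_mode = (li << 6) | (4 << 3) | mode
    fields = [li_vn_mode, stratum, 6, -20,         # poll 2^6 s, precision 2^-20 s
              0, 0, 0x47505300,                     # root delay/dispersion, refid "GPS\0"
              ts[0], ts[1], origin[0], origin[1], ts[0], ts[1], ts[0], ts[1]]
    return NTP_PACKET.pack(*fields)


def demo():
    """Run the validator over a genuine, an unsolicited, a KoD and a short reply."""
    req, xmt = build_request()
    genuine = build_server_reply(xmt)
    unsolicited = build_server_reply((xmt[0], xmt[1] ^ 1))   # does not echo our query
    kod = build_server_reply(xmt, stratum=0)                  # kiss-of-death packet
    return {
        "genuine": validate_reply(genuine, xmt),
        "unsolicited": validate_reply(unsolicited, xmt),
        "kiss_of_death": validate_reply(kod, xmt),
        "short": validate_reply(b"\x23" * 20, xmt),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-14s accepted=%s (%s)" % (name, ok, why))
```

In a real client the same origin-timestamp comparison is what turns a stateless UDP exchange into a matched request/response pair; the firewall point in the submission is that most network devices never get to apply an equivalent check before the datagram reaches whatever is listening on 123/UDP.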


Comment: Re:Well (Score 1) 305

by MikePikeFL (#36694446) Attached to: Could PSTN Go Away By 2018?

I totally agree with this- I have been through hurricanes in FL, blizzards and ice storms in NH, even a tornado in CT- and the copper phone line always worked despite having no power or Internet for several days (well beyond UPS and the built in battery backups of many units). During emergencies the authorities override the cell system and you can't even use your mobile. I went to VOIP for one year before I cancelled it. The Internet goes out and you're done, and it was ridiculously unreliable even when the Internet was up!

I have no cell service where I live, but I have a femtocell that runs over my Internet connection. Sprint keeps trying to get me to drop my AT&T landline and switch to them since their femtocell also supports a VOIP line. So _when_ the Internet or power goes out, I lose both my "landline" and my cell? No thanks!

I will rue the day that my copper line is pried from my grasp! I'm not even hip on fiber optic because you need power to send light signals. I suppose maybe by 2018 we could have affordable Solar on everyone's rooftop- I'd just have to cut down a bunch of trees!

Comment: Re:I am a Silverlight Developer (Score 1) 580

by MikePikeFL (#36386298) Attached to: Silverlight Developers Rally Against Windows 8

Google isn't stupid enough to rely on a technology that one of their competitors controls (although apparently the original poster's company is).

Not that I pretend to know all the details about what's involved with the whole mess, but since it's in the news lately, and I feel there should be somewhat a level playing field- what about Dalvik?

Comment: Re:Well duh the stock fell (Score 1) 286

by MikePikeFL (#35867264) Attached to: Google Tweaks Algorithm; EHow Traffic Plummets

Investing in any one is likely a bad idea; but the genre as a whole seems to be able to stay at least a bit ahead of the search guys, and likely makes a profit during that time. As long as regurgitating their mass of serf and/or script generated sludge in slightly different formats is cheap enough, they are unfortunately likely to be a decent investment on average.

Say! That gives me an idea! What if we bundle all these link farmer investments together, the good with the bad, and sell those off to unsuspecting investors! Do you think we could make a ton of money that way and screw a bunch of unsuspecting people? Would that work? Could we get away with that?

Comment: Re:Yes (Score 1) 615

by MikePikeFL (#35758596) Attached to: Ask Slashdot: Would You Take a Pay Cut To Telecommute?

Kids vary wildly. My wife and I can barely leave our three in the same room watching TV without them arguing. I'm afraid they're not the usual slashdot mini-Einstein/Bear Grylls that everyone else here has.

Yeah, thanks for this post- it's nice to see others that feel the same way. My kids are very intelligent and energetic, but they often argue with each other to the point that it drives my wife and me mad. There are good days and bad days. We are looking into solutions that don't involve filling everyone's schedules carting kids from activity to activity, yet stimulate the mind and body- while not breaking the bank at the same time in these challenging economic times. We are considering cancelling cable and signing them up for things like karate and T-ball. Outside time is important and I do intend to look at the link in one of the above posts, but our kids are too young to be outside by themselves at this point.

Comment: Re:USA #1 (Score 1) 513

by MikePikeFL (#35533536) Attached to: AT&T Cracking Down On Unofficial iPhone Tethering

They are catching up. $10/mo "smart phone charge" per line coming up and restructuring their customer plans so I'm losing one of my 2 year upgrade subsidies.

If I wasn't stuck in my contract I might jump ship TO AT&T. Sprint keeps claiming "look we're unlimited AND cheaper than AT&T"- I went to AT&T and mocked up a plan and it was the same price once they start charging these ridiculous smart phone fees.

And my wife and I are not high data users- in the last 2 years, combined, the highest month was 500MB, average is around 300MB (again- COMBINED). These surcharges should be based on the USAGE PATTERNS not the TYPE OF PHONE WE BUY.

Comment: Re:Right idea, wrong implementation (Score 1) 1049

by MikePikeFL (#35321072) Attached to: Activists Seek Repeal of Ban On Incandescent Bulbs

And what about smaller appliance lights and such? ... Halogen replacements don't necessarily exist here, either... nor LEDs at all.
CFLs are better in most situations, but not all.

I was wondering the same thing- there are small lamps and other smaller fixtures where I can't even find CFLs that fit. I haven't looked for LEDs but I could start doing that too.

But the point is they are banning incandescents and there may not yet be adequate replacements. I hope they get bit by this, the fools. Stocking up seems silly, but I might just do it.

Comment: Re:Good! (Score 1) 1049

by MikePikeFL (#35321016) Attached to: Activists Seek Repeal of Ban On Incandescent Bulbs

just turn them on several minutes and they'll be fully functional when you need them

Clearly this can't work in all scenarios, like coming home from work when you aren't there ahead of time. And it's certainly less than ideal in other cases. Sometimes you just can't anticipate needing to turn that light on.
