
How safe is using a NTP Server?



#1 Speedster159


Posted 03 July 2016 - 01:11 PM

I'm planning on syncing my time with the NTP server that our government provides us for 'Philippine Standard Time' but I'd like to know if there are any risks in doing so?

ntp.pagasa.dost.gov.ph




#2 Crazy Cat


Posted 03 July 2016 - 08:49 PM

Did you know that President Aquino recently signed a law called Republic Act 10535 or The Philippine Standard Time Act of 2013 and requires all national and local government offices to display the Philippine Standard Time on their official time devices. http://www.ilonggotechblog.com/2013/06/how-to-pst-synchronize-your-computer-from-pagasa-ntp-server-using-windows-7-8-xp.html


I find it interesting that it's become law. Only security risk is the fact the government can log IPs.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#3 Didier Stevens


Posted 04 July 2016 - 04:06 PM

What operating system is on your server?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 mremski


Posted 05 July 2016 - 10:52 AM

In theory, you should be able to use any ntp server, you don't have to use the local government one, you would just need up to date timezone data on your local machine. 

The biggest risk would be on your client if it has security vulnerabilities (I think that gets to the heart of why Didier is asking what version of OS);  malformed responses from a NTP server could trigger a client side vulnerability.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer
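
The point above about malformed server responses, as an added example that is not part of the original posts: the sanity checks a minimal SNTP-style client can apply to an untrusted 48-byte reply before using its time. The function names, the nonce and the sample packets are constructed for illustration; these checks do not authenticate the server.

```python
import struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def build_request(nonce_ts: int) -> bytes:
    """48-byte client packet: LI=0, VN=4, Mode=3, transmit timestamp = nonce_ts."""
    return bytes([0x23]) + bytes(39) + struct.pack("!Q", nonce_ts)

def validate_reply(reply: bytes, nonce_ts: int) -> float:
    """Return the server's transmit time as Unix seconds, or raise ValueError."""
    if len(reply) < 48:
        raise ValueError("truncated header")
    li, version, mode = reply[0] >> 6, (reply[0] >> 3) & 7, reply[0] & 7
    stratum = reply[1]
    if mode != 4 or version not in (3, 4):
        raise ValueError("not an NTPv3/v4 server reply")
    if stratum == 0:  # kiss-o'-death: reference ID carries an ASCII code
        raise ValueError("kiss-o'-death " + reply[12:16].decode("ascii", "replace"))
    if stratum > 15 or li == 3:
        raise ValueError("server reports it is unsynchronized")
    origin, _receive, transmit = struct.unpack("!QQQ", reply[24:48])
    if origin != nonce_ts:  # a genuine reply echoes the timestamp we sent
        raise ValueError("origin timestamp mismatch")
    if transmit == 0:
        raise ValueError("zero transmit timestamp")
    return (transmit >> 32) - NTP_TO_UNIX + (transmit & 0xFFFFFFFF) / 2**32

def verdict(reply: bytes, nonce_ts: int) -> str:
    """Human-readable result of validate_reply for logging."""
    try:
        return "ok %.3f" % validate_reply(reply, nonce_ts)
    except ValueError as exc:
        return "rejected: %s" % exc

def make_reply(origin: int, transmit: int, stratum: int = 2, mode: int = 4,
               refid: bytes = b"GPS\x00") -> bytes:
    """Constructed sample reply for the demo; not captured from any real server."""
    head = bytes([(4 << 3) | mode, stratum, 0, 0]) + bytes(8) + refid + bytes(8)
    return head + struct.pack("!QQQ", origin, transmit, transmit)

if __name__ == "__main__":
    NONCE = 0x1122334455667788            # constructed request timestamp
    T = (1467547860 + NTP_TO_UNIX) << 32  # constructed server time
    for pkt in (make_reply(NONCE, T), make_reply(NONCE, T)[:20],
                make_reply(0xDEAD, T), make_reply(NONCE, T, 0, refid=b"RATE")):
        print(verdict(pkt, NONCE))
```
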


#5 Crazy Cat


Posted 06 July 2016 - 07:50 PM

In theory, you should be able to use any ntp server, you don't have to use the local government one, you would just need up to date timezone data on your local machine. 
The biggest risk would be on your client if it has security vulnerabilities (I think that gets to the heart of why Didier is asking what version of OS);  malformed responses from a NTP server could trigger a client side vulnerability.


Yes, a plausible zero day exploit in the NTP of OS, but the law requires only national, local government offices, and media networks. It's not clear if every Philippine national has to?

all government offices and media networks will be required to use Philippine Standard Time as a basis to set their timepieces. https://en.wikipedia.org/wiki/Philippine_Standard_Time#Juan_Time

President Benigno Aquino III has recently signed into law Republic Act 10535, or the Philippine Standard Time Act of 2013, which requires all national and local government offices, as well as broadcasting organizations to display PhST as provided by the Philippine Atmospheric, Geophysical, and Astronomical Services Administration or PAGASA, the country’s official timekeeper.
http://news.abs-cbn.com/nation/12/30/13/start-year-time-philippine-standard-time
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#6 mremski


Posted 07 July 2016 - 06:23 AM

CC, thanks for the link.  It's interesting that it's law and they must sync to a national timekeeper.   Easy to make the trains run on time when you control "time"  :)


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer




