Excuse me, Server, Do You Have the Time?

Presented at ShmooCon XIII (2017), Jan. 15, 2017, 11 a.m. (60 minutes)

Applications are happy to tell the casual passerby their current time, often accurate to the millisecond. However, your friendly app may be revealing more than just how soon until brunch or the Shmoo servers get DoS'd.

This talk will demonstrate why developers and server admins should treat the current time in milliseconds as a piece of sensitive information. It will address, among other things, how application and penetration testers can identify time-based data, and it will give developers guidance on how to avoid using time-based functions altogether. Finally, it will demonstrate, in no uncertain terms, that hashing or encrypting predictable data to obfuscate it merely draws a thin veil over the problem, one that a dedicated attacker will gleefully torch!

Practical examples will show how to detect and reverse time-based tokens in encrypted, hashed, or obfuscated forms. Code for predicting time-based UUIDs/GUIDs will be demonstrated and released, along with a methodology for determining the values an application uses when creating predictable tokens.
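The two techniques the abstract names, recovering and predicting the timestamp inside a version-1 UUID and brute-forcing a hashed timestamp token, as an added example that is not the talk's released code. It assumes the generator under test is a plain RFC 4122 UUIDv1 (60-bit count of 100 ns intervals since 1582-10-15, fixed clock sequence and node) and that the hashed token is an unsalted MD5 of a millisecond Unix timestamp; the sample values are constructed, not captured from any real application.

```python
import hashlib
import uuid
from datetime import datetime, timedelta, timezone

# UUIDv1 time field: 100 ns intervals since the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
# Seconds between the Gregorian epoch and the Unix epoch (RFC 4122, section 4.1.4).
GREGORIAN_TO_UNIX_S = 12219292800


def unix_ms_to_uuid_time(unix_ms: int) -> int:
    """Convert a millisecond Unix timestamp to the 60-bit UUIDv1 time field."""
    return (unix_ms + GREGORIAN_TO_UNIX_S * 1000) * 10_000


def uuid1_timestamp(u: uuid.UUID) -> datetime:
    """Recover the creation time embedded in a version-1 UUID (100 ns resolution)."""
    if u.version != 1:
        raise ValueError("not a version-1 UUID")
    return GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)


def uuid1_for(uuid_time: int, clock_seq: int, node: int) -> uuid.UUID:
    """Build the UUIDv1 a generator with this clock_seq and node emits at uuid_time."""
    time_low = uuid_time & 0xFFFF_FFFF
    time_mid = (uuid_time >> 32) & 0xFFFF
    time_hi_version = ((uuid_time >> 48) & 0x0FFF) | (1 << 12)  # version 1
    clock_seq_low = clock_seq & 0xFF
    clock_seq_hi_variant = 0x80 | ((clock_seq >> 8) & 0x3F)     # RFC 4122 variant
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def predict_uuid1(observed: uuid.UUID, target_unix_ms: int) -> uuid.UUID:
    """Predict the UUID the same generator emits at target_unix_ms.

    Assumption: clock_seq and node do not change between observations and the
    generator's sub-millisecond bits are zero (true for a ms-resolution clock).
    """
    return uuid1_for(unix_ms_to_uuid_time(target_unix_ms),
                     observed.clock_seq, observed.node)


def crack_time_token(token_hex: str, observed_unix_ms: int, window_ms: int,
                     hashfunc=hashlib.md5):
    """Brute-force an unsalted hash of a millisecond timestamp.

    observed_unix_ms is the attacker's estimate of when the token was minted
    (e.g. taken from the response's Date header); the search covers +/- window_ms.
    Returns the recovered timestamp, or None if no candidate matches.
    """
    for delta in range(-window_ms, window_ms + 1):
        candidate = observed_unix_ms + delta
        if hashfunc(str(candidate).encode()).hexdigest() == token_hex:
            return candidate
    return None


# Constructed sample values: a UUIDv1 minted at 2017-01-15 16:00:00 UTC and a
# token minted 321 ms after that. Neither comes from a real application.
SAMPLE_MS = 1_484_496_000_000
SAMPLE_UUID = uuid1_for(unix_ms_to_uuid_time(SAMPLE_MS), 0x1234, 0x0A0B0C0D0E0F)
SAMPLE_TOKEN = hashlib.md5(str(SAMPLE_MS + 321).encode()).hexdigest()


if __name__ == "__main__":
    print("observed UUID :", SAMPLE_UUID)
    print("minted at     :", uuid1_timestamp(SAMPLE_UUID).isoformat())
    print("next at +500ms:", predict_uuid1(SAMPLE_UUID, SAMPLE_MS + 500))
    print("token cracked :", crack_time_token(SAMPLE_TOKEN, SAMPLE_MS, 1000))
```

The search in `crack_time_token` costs one hash per candidate millisecond, so a one-second uncertainty is 2,001 MD5 calls; widening to a whole day is still under 200 million, which is why hashing a timestamp adds essentially no secrecy. The UUID half needs no search at all once one value has been observed: the node and clock sequence are copied from it and only the time field changes.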


Presenters:

  • Brian Cardinale
    Brian Cardinale (@brian_cardinale) is an information security professional, developer and info-sponge. He is currently a senior member of Veracode's application penetration testing team. He has applied his knowledge toward securing hundreds of commercial and government networks throughout his career. Brian has played a key role in developing multiple enterprise software projects that help other organizations secure their networks. He is a Certified Information Systems Security Professional (CISSP) and holds a bachelor's degree in Network and Communications Management.
