Questions tagged [time]

For security issues relating to the system time of a host, or relating to real-world clocks more generally. Please use the tags [timestamp] or [performance] for questions on those topics.

Examples of correct usage include protocols that are sensitive to the server and client having synchronized system clocks, or protocols that must be completed within a certain amount of time.

37 questions
3 votes, 3 answers

Feasibility of time-based database brute-force attacks on websites

I recently learned that there is an attack that utilizes the fact that when brute-forcing a compared string (e.g. hash from a password or token) in a database the query fails a few nanoseconds earlier if the beginning of the string is different than…
3 votes, 3 answers

Is server startup time sensitive information?

Let's say we have a web server. Server startup time is the time the server process was started. Say, the startup time was being leaked via its response headers due to the carelessness of a programmer by not getting current time while the generation…
candh
3 votes, 1 answer

Can AWS Time Sync be argued PCI compliant?

We're setting up a card processing service on Amazon AWS, and were wondering whether the AWS Time Sync service could be incorporated without running afoul of the PCI time sync requirements? Specifically, the requirements talk about all hosts,…
zanerock
2 votes, 1 answer

Are servers that do not implement time services vulnerable to clock skew attacks?

An article describes clock skew attack possibilities: These can be attacked by repeatedly connecting to the hidden service, causing its CPU load, hence temperature, to increase and so change the clockskew. Then the attacker requests timestamps…
Pacerier
2 votes, 1 answer

Secure way to update Date & Time of a Linux Embedded Device

I have a Linux (4.9.171) machine running on an ARM Cortex-A processor. The system has an internet connection and talks to my server over SSL. At the first boot, I can configure the date and time to it. However, if my system restarts, it won't have a right…
abhiarora
2 votes, 1 answer

Authorization expiration without reliable clock / time

I've been looking, but I think it's impossible to find a pairing solution that has the benefits of authorization expiration and renewal (like x509 cert expiry and OAuth expires_in), but that works without a reliable clock. I want it because renewal…
1 vote, 1 answer

Is "time locking" a good strategy for protecting data with HSMs?

I've read several times that many HSMs support configurable rate limiting on cryptographic operations, as a way of protecting against a hacker that compromises a server that has access to the HSM. So if a hacker compromised a server and then…
bnsmith
1 vote, 3 answers

Is it safe to assume that my computer's clock will always be synced with actual time within the second or a few seconds at the worst?

Years ago, I was running a service where the moderators were able to do various actions with massive privacy implications if the accounts or contributions were less than a short period of time. I did this by checking the timestamp against the…
Ned
1 vote, 1 answer

Difference between system uptime and last boot time in Windows

As shown in the attached pictures, there is a "Difference between system uptime and last boot time" in my Windows. It becomes an issue because AV, SIEM or every monitoring system shows a different time between system and boot. Because of this…
R1W
1 vote, 1 answer

Is it possible to verify that a signature was made prior to the content of the document it is found on?

In What to do after I signed a blank sheet of paper given to me by my manager?, a distressed individual (B) has signed a blank piece of paper and given it to an adversary (A). A has openly stated to B that her intention is to use this paper to…
Fiksdal
1 vote, 1 answer

How is resynchronization performed for security keys / MFA devices?

When an MFA (time-based) device security key drifts out of synchronization there is a procedure to resynchronize it. But there is no input to the device itself. Smartphone apps don't have this problem. I assume this is because the app has access to…
Skaperen
1 vote, 1 answer

Techniques of SQL injection (boolean-based, UNION query-based, stacked queries and time-based blind)

I would like to know about these 2 SQL Injection techniques. I completed my studies in SQL databases and my teacher told me about SQL injection, then I became interested in this topic. I discovered a tool that does this automatically, but I only…
d. fritoti
1 vote, 5 answers

Does disclosing server local time to users cause any security risks?

I need to implement a number of web pages for resetting an API access key: user must be logged in first; user gets to "confirmation" page that has a "confirmation" link with a time token inserted; user follows a "confirmation" link; server gets the…
sharptooth
1 vote, 1 answer

Can setting the date on your iPhone to the epoch really brick it?

So, I've started seeing warnings that there is a troll/hoax saying that people should set the date on their phone to 1st January 1970 to get a retro logo to display. The warnings say that this will end up bricking your phone, and even a reset of the…
HorusKol
1 vote, 0 answers

How to get a completely isolated virtual time using Xen?

Referring to the following quote https://www.kernel.org/doc/Documentation/virtual/kvm/timekeeping.txt 4.8) Covert channels and leaks In addition to the above problems, time information will inevitably leak to the guest about the host in anything…
adrelanos