Home » Data Protection » Network Security

Right on Time? The Security Implications of the Humble Computer Clock

If your company's computer clocks aren't in sync, forensics, backups, and much more can suffer. Simson Garfinkel on getting the time right.

Because clocks are so often set incorrectly, some forensic tools will allow the security practitioner to enter a time offset or "delta" when a log file is constructed. But these tools assume that a computer's time offset is constant—that if the computer was 30 minutes slow today, it was also 30 minutes slow three months ago. Unfortunately, that assumption isn't valid.

During their six-month study of more than 8,000 Web servers, Buchholz and Tjaden found that systems with the wrong time frequently drifted—or jumped—in unpredictable ways. Some systems would get steadily slower or faster, and then jump back to the correct time. Other systems were rock solid in the rate that time passed, but they were off from the correct time by minutes, hours, days or even years. Some systems followed the wrong rules for Daylight Savings Time. And some servers appeared to have multiple wrong times—that is, one query to the server would return one time offset, and other query would return a completely different time offset, and then subsequent queries would alternate between the two. (The authors hypothesized that these situations happened when two or more physical machines with different time offsets were hiding behind a single IP address through some kind of load-balancing arrangement.) You can read the entire article at www.dfrws.org/2007/proceedings/p31-buchholz.pdf.

The system's clock is used by many other processes and systems on a typical server. Since many tasks on a server are keyed to the time of day, a server whose time is wrong or erratic may not perform automatic routine maintenance like accounting, scheduled cleaning of temporary files or rebuilding of system databases. Backups may not be performed or they may be inaccurate. Security patches may not be properly applied, automatic update scripts may not properly run. If the time is wrong, the entire server is potentially suspect.

Client Time
Getting the time right on your clients is important too—and not just so that security patches get properly installed. The SSL security protocol, the basis of secure Web browser and mail downloading, requires that your client knows the correct time. That's because SSL is based on X.509 public key cryptography certificates, and every SSL certificate has two time and date stamps inside—when the certificate starts being valid and when the certificate expiries.

Time shows up in many other desktop applications. Many calendar programs display the current date in a different color and have a button that moves the calendar's display to "today." Many mail clients will change the way that date of incoming mail is displayed depending on whether the message was received today, yesterday or some other day in the past. These features won't work properly if time isn't set right.