In Depth
Right on Time? The Security Implications of the Humble Computer Clock
If your company's computer clocks aren't in sync, forensics, backups, and much more can suffer. Simson Garfinkel on getting the time right.
By Simson Garfinkel
Many e-mail clients automatically classify messages "from the future" as spam; spammers may set the date header in their message to be hours, days or weeks in the future in order to make their spam messages appear at the top of the user's mailbox. So if your computer's clock is in the past, it may think that every message it receives is spam.
Many standalone devices also have built-in clocks, which are frequently wrong as well. Setback thermostats that have the wrong time may make you inappropriately hot or cold. Recently, I had to consider the log of an electronic door lock to figure out who had entered a room—and when. The log took a lot longer to parse than it should have because it was off by an hour and 15 minutes and because it didn't adjust itself automatically when Daylight Saving Time rolled around.
How to Get the Time?
Getting and keeping accurate time actually requires two independent operations. First, the computer needs to have some way of knowing a precise point or mark in time; second, the computer needs to be able to adjust the frequency or drift of its clock to stay in sync with some presumably more accurate external source. Fortunately, having accurate time is so important that Windows, MacOS, Linux, PalmOS and practically every other modern operating system have built-in support for the Internet Network Time Protocol (NTP), which performs both of these operations automatically.
But even though support for NTP is widely deployed, many systems have it disabled. Worse, few systems will alert when NTP is turned off. And worse still, the systems won't alert when their clocks are obviously wrong, even though such an alert would be an easy thing to do. While working on this article I checked NTP on five Macs, two PCs and a Linux system: Only one Mac and one PC had NTP enabled. The other systems were off by minutes, although the Linux server was off by more than two hours. Whoops.
When it's working properly, the NTP system should perform two related functions. When the computer boots, it should ask a remote "time server" for the current time and set the computer's clock accordingly. And once the system is running, NTP should periodically monitor the remote time server and gently slow down or speed up the computer's clock so that it stays accurate and so that there are no sudden jumps in the apparent passage of system time. (At least this is the way that it is supposed to work in practice. Some implementations crassly reset the system's clock to the reference clock. I've seen this cause problems with applications like Palm's desktop calendar.)
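The alert that the article calls easy to build can be shown concretely. The Python below is an added example, not code from the article or from any NTP implementation: it asks a time server for the time, computes how far the local clock is off from the four NTP timestamps, and classifies the result. The function names and the `warn`/`alert` thresholds are assumptions chosen for illustration, and `constructed_reply` fabricates a sample server packet so the arithmetic can be checked offline.

```python
import socket, struct, sys, time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)

def to_ntp(unix_ts):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int(round((unix_ts + NTP_DELTA) * 2**32))
def from_ntp(raw):
    return raw / 2**32 - NTP_DELTA

def build_request(t1):
    # Byte 0: LI=0, VN=4, Mode=3 (client). Last 8 bytes: transmit timestamp T1.
    return struct.pack("!B39xQ", (4 << 3) | 3, to_ntp(t1))

def clock_offset(reply, t1, t4):
    """Return (offset, round_trip_delay) in seconds; offset > 0 means the local clock is behind."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x7, reply[1]
    if mode != 4 or leap == 3 or stratum == 0:
        raise ValueError("reply is not from a synchronised server")
    origin, t2, t3 = struct.unpack("!3Q", reply[24:48])
    if origin != to_ntp(t1):  # server must echo our T1; rejects stale or unsolicited replies
        raise ValueError("origin timestamp does not match request")
    t2, t3 = from_ntp(t2), from_ntp(t3)
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def assess(offset, warn=1.0, alert=60.0):
    # Thresholds (seconds) are assumptions for this example, not values from the article.
    size = abs(offset)
    return "alert" if size >= alert else "warn" if size >= warn else "ok"

def query(server, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()                      # T1: local clock when the request leaves
        s.sendto(build_request(t1), (server, 123))
        reply = s.recv(512)
        t4 = time.time()                      # T4: local clock when the reply arrives
    return clock_offset(reply, t1, t4)

def constructed_reply(t1, server_ahead, stratum=2):
    """Constructed sample: server clock is `server_ahead` s ahead, 10 ms network delay each way."""
    t2 = t1 + 0.010 + server_ahead
    return struct.pack("!BB22x3Q", (4 << 3) | 4, stratum, to_ntp(t1), to_ntp(t2), to_ntp(t2 + 0.001))

if __name__ == "__main__":
    offset, delay = query(sys.argv[1])  # time server hostname supplied by the operator
    print(f"offset {offset:+.3f}s delay {delay:.3f}s -> {assess(offset)}")
```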



