(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This is an issue that came up today when discussing how tcpdump and Wireshark display timestamps. If you have a packet capture file (pcap), it is nice to know that the timestamps are accurate. One way to check their accuracy is to use NTP traffic that was captured in the pcap file.

First, let's limit ourselves to NTP packets coming from a server. The NTP protocol uses different protocol modes. We are going to restrict ourselves to packets coming from NTP servers, which means protocol mode 4. There is a simple Wireshark/tshark display filter we can use:

 ntp.flags.mode == 4

Next, we need to extract the timestamp. Each NTP packet carries 4 different timestamps:

- Reference Timestamp: Time the clock was last set
- Origin Timestamp: Time the request was sent from the client to the server
- Receive Timestamp: Time the request was received by the server
- Transmit Timestamp: Time at the server when the request left for the client

Among these timestamps, the Transmit Timestamp seems most appropriate, since it is the server's own clock reading at the moment the reply left. We can extract it from tshark using the -T fields option:

tshark -r ntp.pcap -n -Y ntp.flags.mode==4 \
      -T fields -e ntp.xmt -e frame.time

frame.time gives us the timestamp recorded in the packet capture.

The output is already pretty close to what we are looking for:

Jun  6, 2016 18:27:26.073666000 EDT    Jun  6, 2016 18:27:26.119514000 EDT
Jun  6, 2016 18:27:27.083747000 EDT    Jun  6, 2016 18:27:27.144937000 EDT
Jun  6, 2016 18:27:28.072173000 EDT    Jun  6, 2016 18:27:28.113482000 EDT
Jun  6, 2016 18:27:29.094674000 EDT    Jun  6, 2016 18:27:29.153425000 EDT

As you can tell, the times look very close. But we can do a bit better. We can convert the times to Unix timestamps and subtract them from each other to get the difference in seconds. A little shell script will help here. This can be done as a one-liner, but for readability, I split it up into several lines. The script assumes that the output of the tshark command above was saved to ntp.txt.

IFS=$'\t\n'          # split tshark's output on tabs and newlines only, not on the spaces inside each timestamp
t=0
for x in $(cat ntp.txt); do
  if [ "$t" = 0 ]; then
    a=$x             # first field of the line: ntp.xmt
    t=1
  else
    b=$x             # second field of the line: frame.time
    echo "$a - $b DIFF $(( $(date +%s -d "$a") - $(date +%s -d "$b") ))"
    t=0
  fi
done

(Oh, and please DO NOT replace the spaces I used to indent the lines with TABS... just because.)

The final output:

Jun  6, 2016 18:26:26.748699000 EDT - Jun  6, 2016 18:26:26.505266000 EDT DIFF 0
Jun  6, 2016 18:26:46.125142000 EDT - Jun  6, 2016 18:26:45.890823000 EDT DIFF 1
Jun  6, 2016 18:26:46.325736000 EDT - Jun  6, 2016 18:26:46.091757000 EDT DIFF 0
Jun  6, 2016 18:26:46.525703000 EDT - Jun  6, 2016 18:26:46.291742000 EDT DIFF 0
Jun  6, 2016 18:26:48.125179000 EDT - Jun  6, 2016 18:26:47.892105000 EDT DIFF 1
Jun  6, 2016 18:26:48.325629000 EDT - Jun  6, 2016 18:26:48.092543000 EDT DIFF 0

The last number indicates the difference in seconds. It should be 0 or 1 if times are synchronized well.
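As an added example (not the diary's own code), here is the same check in Python with sub-second resolution: it parses the tab-separated tshark field output, subtracts ntp.xmt and frame.time as integer nanoseconds, reproduces the script's whole-second DIFF column, and flags any line whose skew exceeds a tolerance. The input is a constructed sample in the shape of that tshark output, and the max_skew_ms threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the shape of "tshark -T fields -e ntp.xmt -e frame.time"
# output: one mode-4 packet per line, the two fields separated by a tab. The first
# four lines mirror the diary's listing; the fifth mirrors its "DIFF 1" case.
SAMPLE = (
    "Jun  6, 2016 18:27:26.073666000 EDT\tJun  6, 2016 18:27:26.119514000 EDT\n"
    "Jun  6, 2016 18:27:27.083747000 EDT\tJun  6, 2016 18:27:27.144937000 EDT\n"
    "Jun  6, 2016 18:27:28.072173000 EDT\tJun  6, 2016 18:27:28.113482000 EDT\n"
    "Jun  6, 2016 18:27:29.094674000 EDT\tJun  6, 2016 18:27:29.153425000 EDT\n"
    "Jun  6, 2016 18:26:46.125142000 EDT\tJun  6, 2016 18:26:45.890823000 EDT\n"
)
TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2}),\s+(\d{4})\s+(\d\d:\d\d:\d\d)\.(\d{1,9})\s+(\S+)$")

def parse_ts(text):
    """Parse one tshark timestamp into (integer nanoseconds since epoch, zone name).
    Integers keep the full nanosecond resolution that a float would lose."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    mon, day, year, hms, frac, zone = m.groups()
    naive = datetime.strptime("%s %s %s %s" % (mon, day, year, hms), "%b %d %Y %H:%M:%S")
    whole = int((naive - datetime(1970, 1, 1)).total_seconds())
    return whole * 10**9 + int(frac.ljust(9, "0")), zone

def check_capture_clock(fields_output, max_skew_ms=500):
    """Per line compute ntp.xmt - frame.time, the sign the diary's script uses.
    A well synchronised capture host shows a small negative value (just the one-way
    delay); a large positive value means its clock is behind the NTP server."""
    results = []
    for line in fields_output.splitlines():
        if not line.strip():
            continue
        xmt_text, frame_text = line.split("\t")
        xmt_ns, xmt_zone = parse_ts(xmt_text)
        frame_ns, frame_zone = parse_ts(frame_text)
        if xmt_zone != frame_zone:  # naive values can only be subtracted within one zone
            raise ValueError("zone mismatch on line: %r" % line)
        diff_ms = (xmt_ns - frame_ns) / 1e6
        results.append({
            "xmt": xmt_text, "frame": frame_text, "diff_ms": diff_ms,
            "diff_whole_s": xmt_ns // 10**9 - frame_ns // 10**9,  # the script's DIFF column
            "ok": abs(diff_ms) <= max_skew_ms,
        })
    return results

if __name__ == "__main__":
    for r in check_capture_clock(SAMPLE):
        print("%(xmt)s - %(frame)s DIFF %(diff_whole_s)d (%(diff_ms).3f ms) ok=%(ok)s" % r)
```

Because the fields are compared as naive local times, the script refuses lines whose two zone abbreviations differ rather than silently producing a bogus offset.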

BTW: The exact syntax may differ a bit depending on your version of tshark. The date command also differs between various *ix systems. In particular, OS X requires a different syntax.

Johannes B. Ullrich, Ph.D.

Drive-by attacks that install the once-feared TeslaCrypt crypto ransomware are now able to bypass EMET, a Microsoft-provided tool designed to block entire classes of Windows-based exploits.

The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Short for Enhanced Mitigation Experience Toolkit, EMET has come to be regarded as one of the most effective ways of hardening Windows-based computers against attacks that exploit security vulnerabilities in either the operating system or installed applications. According to a blog post published Monday by researchers from security firm FireEye, the new Angler attacks are significant because they are the first exploits found in the wild that successfully pierce the mitigations.

"The level of sophistication in exploit kits has increased significantly throughout the years," FireEye researchers wrote. "Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode."

[SECURITY] [DSA 3596-1] spice security update

Ex-Tor developer Jacob Appelbaum denies rape allegations
Cloud Pro
Tor, once known only by network nerds, has now become something of a hot topic. This is thanks largely to the anonymous network's reputation for hosting drug marketplaces like Silk Road, and other unsavoury sites. But what exactly is Tor? What is it ...

Jacob Appelbaum in Berlin in 2014. (credit: re:publica)

Former Tor Project "Core Team" member Jacob Appelbaum took to Twitter on Monday morning to slam sex-related accusations against him that developed over the weekend. He also said that a "calculated and targeted attack has been launched to spread vicious and spurious allegations against me."

"I want to be clear: the accusations of criminal sexual misconduct against me are entirely false," he wrote.

The Tor Project is the Massachusetts-based nonprofit that maintains Tor, the well-known open-source online anonymity tool.

SANS Announces Agenda for Houston Industrial Control Systems Security Training Event
SYS-CON Media (press release)
BETHESDA, Md., June 6, 2016 /PRNewswire-USNewswire/ --SANS Institute, the global leader in information security training, announced the agenda for the Industrial Control Systems (ICS) Security Houston, Texas training event taking place July 25 – 30 ...

A not-fazed Mark Zuckerberg seen here having a party with some balloons.

A hacker or hacking group going by the name of "OurMine Team" briefly took control of Facebook chief Mark Zuckerberg's Twitter and Pinterest accounts, apparently using information from a major LinkedIn security breach that occurred in 2012.

According to OurMine Team, the passwords to Zuckerberg's little-used Pinterest and totally dormant Twitter accounts were apparently the same as those for his LinkedIn login ("dadada"). Both Twitter and Pinterest rapidly restored control of the accounts over the weekend, and the rogue posts have now been removed—though not before they were screencapped:

LinkedIn's 2012 breach was significant and embarrassing for the company, and resulted in the theft of millions of passwords and other user information. Users were warned at the time to change their LinkedIn passwords, and those on any other platform on which they were reused. This is clearly evergreen advice, as it isn't hard for a determined hacker to cross-reference someone's username and password information with other sites.

FreeBSD Security Advisory FreeBSD-SA-16:24.ntp
[SECURITY] [DSA 3594-1] chromium-browser security update
[SECURITY] [DSA 3548-3] samba regression update
[SECURITY] [DSA 3595-1] mariadb-10.0 security update

Visa Unveils Prototype Ring of Payment Power
BankInfoSecurity.com (blog)
In other "body parts meet payment technology" news - no mad scientists to see here, please move along - Wells Fargo has reportedly been testing new types of biometric authentication that don't involve fingerprints. Yes, we're living on the biometric ...

InfoSecurity 2016 live blog: The low down on cyber security
Over 15,000 information security professionals, service providers, vendors, and thought-leaders attended InfoSecurity 2015 and this year's event is expected to be even bigger, with over 260 expert speakers and over 300 vendors and service suppliers set ...
