Excuse me, Server, Do You Have the Time? presented at ShmooCon 2017

by Brian Cardinale

Summary: Applications are happy to tell the casual passerby their current time, often accurate to the millisecond. However, your friendly app may be revealing more than just how soon until brunch or the Shmoo servers get DoS'd.
This talk will demonstrate why developers and server admins should treat the current time in milliseconds as a piece of sensitive information. It will address, among other things, how application and penetration testers can identify values derived from the clock (identifiers, tokens, session material). It will provide guidance for developers on how to avoid time-based functions altogether. And finally, it will demonstrate, in no uncertain terms, that hashing or encrypting predictable data to obfuscate it is merely putting a thin veil over the problem that a dedicated attacker will gleefully torch: a hash of a timestamp is only as unpredictable as the timestamp, so an attacker who knows roughly when a token was minted simply enumerates the candidate clock values and hashes each one until it matches.
Practical examples will show how to detect and reverse time-based tokens in encrypted, hashed, or obfuscated forms. Code examples for predicting time-based (version 1) UUIDs/GUIDs will be demonstrated and released. A methodology for determining the values an application feeds into its predictable tokens will also be demonstrated.
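The following is an added example, not the speaker's released code, illustrating the two points above: recovering and predicting the clock inside a version-1 UUID (RFC 4122 layout), and brute-forcing a token that is nothing more than a hash of the millisecond clock. It assumes the weak token scheme is hex(SHA-256(decimal milliseconds)); the node, clock sequence and timestamps are constructed sample values, not captured from any real system. Everything uses only the Python standard library.

```python
"""Added example (not from the talk): recovering the clock behind time-based tokens.

Two things a tester can do once an app hands out time-derived identifiers:
  1. pull the creation timestamp out of a version-1 UUID and, knowing the
     node and clock sequence from one leaked UUID, enumerate the UUIDs the
     same host would mint in a nearby time window;
  2. brute-force a token that is just a hash of the millisecond clock, which
     an approximate minting time reduces to a tiny search.
Assumption: the hashed token is hex(SHA-256(decimal milliseconds)).
All sample values below are constructed for the demonstration.
"""
import hashlib
import uuid

# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_EPOCH_OFFSET = 0x01B21DD213814000


def uuid1_to_unix_ms(u: uuid.UUID) -> int:
    """Return the Unix time in milliseconds embedded in a version-1 UUID."""
    if u.version != 1:
        raise ValueError("not a time-based (version 1) UUID")
    return (u.time - UUID_EPOCH_OFFSET) // 10_000


def uuid1_from_parts(ticks: int, clock_seq: int, node: int) -> uuid.UUID:
    """Assemble a version-1 UUID from its RFC 4122 fields (the inverse of parsing one)."""
    time_low = ticks & 0xFFFF_FFFF
    time_mid = (ticks >> 32) & 0xFFFF
    time_hi = (ticks >> 48) & 0x0FFF      # version nibble is filled in by UUID(version=1)
    clk_hi = (clock_seq >> 8) & 0x3F      # variant bits are filled in by UUID(version=1)
    clk_lo = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi, clk_hi, clk_lo, node), version=1)


def predict_uuid1_candidates(leaked: uuid.UUID, center_ticks: int, radius_ticks: int):
    """Yield the UUIDs the host that minted `leaked` would produce near `center_ticks`.

    The node (MAC) and clock sequence are copied straight out of the leaked
    UUID; only the timestamp is unknown, and a time window bounds it.
    """
    for t in range(center_ticks - radius_ticks, center_ticks + radius_ticks + 1):
        yield uuid1_from_parts(t, leaked.clock_seq, leaked.node)


def hashed_millis_token(ms: int) -> str:
    """Model of the weak scheme: 'obfuscate' the clock by hashing it (assumed format)."""
    return hashlib.sha256(str(ms).encode()).hexdigest()


def recover_hashed_millis(token: str, approx_ms: int, window_ms: int):
    """Brute-force the millisecond behind `token`, searching outward from approx_ms.

    Returns the millisecond value, or None if it is not within the window.
    """
    for delta in range(window_ms + 1):
        for ms in (approx_ms + delta, approx_ms - delta):
            if hashed_millis_token(ms) == token:
                return ms
    return None


if __name__ == "__main__":
    # Constructed sample: one UUID leaked by the app, a later one the tester wants to guess.
    NODE, CLOCK_SEQ = 0x0242AC110002, 0x1ABC
    TICKS_LEAKED = UUID_EPOCH_OFFSET + 1_484_352_000_000 * 10_000   # 2017-01-13 UTC
    leaked = uuid1_from_parts(TICKS_LEAKED, CLOCK_SEQ, NODE)
    target = uuid1_from_parts(TICKS_LEAKED + 37, CLOCK_SEQ, NODE)   # minted 3.7 us later
    print("leaked UUID", leaked, "created at Unix ms", uuid1_to_unix_ms(leaked))
    print("target predicted:", target in set(predict_uuid1_candidates(leaked, TICKS_LEAKED, 100)))

    # Constructed sample: a token minted at a millisecond the tester only knows to within a few seconds.
    real_ms = 1_484_352_000_123
    token = hashed_millis_token(real_ms)
    print("recovered ms:", recover_hashed_millis(token, real_ms - 2_500, 5_000))
```

The UUID half is the important one for testers: one leaked identifier gives away the node and clock sequence, after which guessing a neighbour is a search over timestamps alone, and a server that mints identifiers at a predictable moment (a password-reset request, a file upload) narrows that search to a handful of ticks. The hashing half shows why the veil is thin: five seconds of uncertainty is ten thousand SHA-256 calls.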