In this section you will learn what a Time Attack (timing attack) is. Using an example, we will analyze how an attacker can detect vulnerabilities in the security of a computer or network. This topic is not well covered on the Internet, still less objectively, so we will explain what it is and how it works in simple language, with examples. We play out a scenario in which you are an employee of a special service and your task is to identify a particularly dangerous criminal who engages in blackmail and appears on the network only periodically, and only to transmit data.
This article covers:
a service that helps to check whether an IP address was used as a node for transmitting traffic to Tor;
how to check whether the Tor browser is configured to work;
how to check whether a person is using a proxy, VPN or Tor;
what can get in the way of a timing attack;
how to protect against Time Attack;
how to secure your messenger;
examples of Time Attack vectors;
the Clock Leak Attack;
protection against the clock leak vector;
countermeasures against an attack that obtains CPU information through the TCP ISN;
TCP timestamps and the kernel sysctl;
iptables for limiting (blocking) incoming ICMP messages and traffic;
how to remove the timer output function from the Linux TCP ISN code.
After reading this article, you will understand what Time Attack is and how to protect against it. If your messenger can hide your status information, use this for your safety.
A timing attack is a security exploit that allows an attacker to discover vulnerabilities in the security of a computer or network system by learning how long it takes the system to respond to various inputs. The timing characteristics will vary depending on the encryption key, as different systems take slightly different amounts of time to process different inputs. Variables include performance optimizations, branching and conditional statements, processor instructions, RAM, and cache access. A timing attack looks at how long it takes the system to do something and uses statistical analysis to find the correct decryption key and gain access.
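The effect of branching described above, as an added example (not code from the original article): an early-exit comparison does work proportional to how much of a guess matches, while a constant-time comparison does the same work for every input. The function names and the 16-byte secret are constructed for illustration, and step counts stand in for elapsed time so the result is deterministic.

```python
import hmac

SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample value


def leaky_equal(secret: bytes, guess: bytes):
    """Early-exit comparison: returns (equal, byte comparisons performed)."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for s, g in zip(secret, guess):
        steps += 1
        if s != g:  # data-dependent branch: stops at the first mismatch
            return False, steps
    return True, steps


def constant_time_equal(secret: bytes, guess: bytes):
    """Fixed-work comparison: every byte is examined, no early exit."""
    if len(secret) != len(guess):
        return False, 0
    diff, steps = 0, 0
    for s, g in zip(secret, guess):
        steps += 1
        diff |= s ^ g  # accumulate differences without branching
    return diff == 0, steps


def work_profile(compare):
    """Steps taken for guesses sharing 0, 4, 15 and 16 leading bytes with SECRET."""
    profile = []
    for prefix in (0, 4, 15, 16):
        guess = SECRET[:prefix] + bytes(b ^ 0xFF for b in SECRET[prefix:])
        profile.append(compare(SECRET, guess)[1])
    return profile


if __name__ == "__main__":
    print("early exit   :", work_profile(leaky_equal))
    print("constant time:", work_profile(constant_time_equal))
    # In real code, use the standard library's constant-time primitive.
    print("compare_digest:", hmac.compare_digest(SECRET, SECRET))
```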
Now that you have a log of his activity over several days, it is time to use the ORM (operational-search measures) system. Similar systems are at the disposal of the special services of most countries; in Russia it is SORM. You need to find out who was connected to the Tor network in your country during these time frames, +/- 5 minutes. We know that the target to be de-anonymized connected on 04/11/2022 at 11:07 AM and disconnected at 12:30 PM. Around these points in time (+/- 5 minutes), 3000 people across the country connected to and disconnected from the Tor network. We take those 3000 and see who reconnected at 14:17 and disconnected at 16:54. How many people do you think will be left? Step by step the circle narrows, and as a result you will be able to determine where your victim or criminal accesses the network from. The more often he goes online and the fewer other users there are at that time, the faster the timing attack will work.
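The narrowing described above, as an added example (not part of the original article): each observed session is matched against a connection log within +/- 5 minutes and the candidate sets are intersected, which shows how quickly the anonymity set shrinks. The log entries, subscriber labels and helper names are constructed for illustration; only the observed times come from the text.

```python
TOLERANCE = 5  # minutes: the +/- 5 minute window from the text


def minutes(hhmm: str) -> int:
    """Convert 'HH:MM' to minutes since midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


# Constructed sample log: subscriber label -> Tor sessions (connect, disconnect) on one day.
LOG = {
    "sub-A": [("11:05", "12:33"), ("14:19", "16:50")],  # fits both windows
    "sub-B": [("11:09", "12:27"), ("15:40", "17:10")],  # fits the first window only
    "sub-C": [("11:03", "12:31")],                      # fits the first window only
    "sub-D": [("09:00", "18:00")],                      # always connected: never fits
    "sub-E": [("11:07", "13:15"), ("14:17", "16:54")],  # first session ends too late
    "sub-F": [("11:14", "12:30")],                      # connect is 7 minutes off
}

OBSERVED = [("11:07", "12:30"), ("14:17", "16:54")]  # sessions given in the text


def matches(session, window, tol=TOLERANCE):
    """True if both connect and disconnect fall within tol minutes of the window."""
    return all(abs(minutes(s) - minutes(w)) <= tol for s, w in zip(session, window))


def narrow(log, observed, tol=TOLERANCE):
    """Return the sorted candidate set after each observed session (running intersection)."""
    candidates = set(log)
    history = []
    for window in observed:
        candidates = {u for u in candidates
                      if any(matches(s, window, tol) for s in log[u])}
        history.append(sorted(candidates))
    return history


if __name__ == "__main__":
    for window, left in zip(OBSERVED, narrow(LOG, OBSERVED)):
        print(window, "->", len(left), "candidates:", left)
```

In this constructed log the subscriber who stays connected all day (sub-D) never enters the candidate set, because there are no connect or disconnect events to line up with the observed sessions.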
Checks whether an IP address was used as a node in the onion network.
Checks whether the Tor browser is configured to work.
Finds out whether a person is using a proxy, VPN or TOR.
If your messenger lets you hide your status data, hide this information.
Any analysis or information gathering in OSINT is logic; never forget that!
Whonix has material with details on time synchronization mechanisms. The most interesting thing is that there is protection against this attack, which we will cover next. sdwdate is mostly used to fight it, in connection with software that moves the clock by several seconds and nanoseconds into the past or future at boot time in a random (often pseudo-random) manner, otherwise called Boot Clock Randomization, although sdwdate performs a similar function to some extent. In this way you can confidently protect yourself from having a time-based fingerprint taken and from having your connection time established, which I wrote about above. The main thing is to use sdwdate (which also randomizes the system clock); incidentally, it will be much safer than using programs to synchronize and set the system time:
But, as practice has shown, sdwdate can randomize the clock incorrectly, so it is better to use it together with the above.
So, in principle, it is possible to defend against Time Attack, and successfully, but a lot will depend on your vigilance and on your willingness to dig into the technical documentation of the tools above and into the general material on time synchronization, attacks and countermeasures. In the end, this is one of the last groups of attack vectors that will be used to establish identity after the events you are accused of (that is, after an attack that caused damage; in the case of an attempted crime it is rarely used). And of course the choice of operating system plays a big role in your information security: if you are on Windows or macOS, everything is bad.
All these tools and add-ons are already in Whonix (https://www.whonix.org/) and Qubes OS (https://www.qubes-os.org/).
We have analyzed both the attack vectors and the possibilities for defense, and, most importantly, you now understand the logic of this attack vector.