Daylight Saving Switch Won't Help Hackers

Microsoft's not worried about the impact of the extended Daylight Saving Time (DST), which moves up by three weeks this year to March 11 and extends by one week, to November 4.

Should you be?

M3 Sweatt, chief of staff for Microsoft's customer and partner satisfaction group, says he's been working closely with customers to prepare for the time change, and the majority of Microsoft's patches for the new DST are already out. And most security tools use the atomic clock-based Coordinated Universal Time, also known as UTC, to keep time, he says, so there won't be any major security implications of an extended DST.

"I don't think a lot will be impacted by this on a security basis," he says.

Experts agree DST won't be the frenzied non-event that Y2K was, nor will it cause major security breaches. But DST could still cause some headaches and open some potential security holes. Gartner has warned that DST changes could wreak havoc on arrival and departure times for the travel sector, as well as cause potential financial transaction errors leading to late payments.

Michael Rothman, president of Security Incite, says the risk of any major security fallout due to DST is minimal. The most likely problems would stem from calendars not synchronized with the new DST. "If you have a triage meeting to discuss what to fix today, and half the team shows up an hour later, that could problematic."

Sweatt says Microsoft isn't issuing any DST patches for its Antigen or Forefront security tools because they use the UTC for time. Windows Vista and Office 2007 don't need patching because they were built with the new DST changes in mind. Networking products for the most part won't be affected by the DST changes, either, he says. "Unless they do things that render time from a DST-displayed clock."

"We have heard examples of businesses who have coded their read-time directly from a system clock... They may have to retool their applications," Sweatt says.

"It's the old [software] you worry about -- you'll get time and date discrepancies which could cause systems to crash or result in corrupted data," notes Rob Enderle, principal analyst at the Enderle Group. "Manual fixes could leave systems exposed as people have to go into a lot of systems that aren't touched very often and probably aren't that secure." Many such older systems use administrator privileges that could open up potential windows for attack, he says.

Microsoft is advising customers to watch their electronic calendars closely during those first three weeks of DST. "We're telling them 'you know your calendar best,'" Sweatt says. "For those three weeks, make note and make sure they are correct," including the start and end times, body, and subject.

Overall, security experts say they don't expect any major security fallout from the DST change, just some isolated problems. "There's too much UTC and NTP [Network Time Protocol] daemons" out there, says Ralph Logan, partner with The Logan Group. "There's always the theoretical problem with time/date shifts... But the window of opportunity [for an attacker] is so small and the technological 'advantage' is so small."

"I don't really expect the DST thing to register much past 1.0 on the Richter scale," Security Incite's Rothman says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading