Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:30 PM
Connect Directly

Daylight Saving Switch Won't Help Hackers

Daylight Saving Time changes won't have a big impact on security, but some things could fall through the cracks

Microsoft's not worried about the impact of the extended Daylight Saving Time (DST), which moves up by three weeks this year to March 11 and extends by one week, to November 4.

Should you be?

M3 Sweatt, chief of staff for Microsoft's customer and partner satisfaction group, says he's been working closely with customers to prepare for the time change, and the majority of Microsoft's patches for the new DST are already out. And most security tools use the atomic clock-based Coordinated Universal Time, also known as UTC, to keep time, he says, so there won't be any major security implications of an extended DST.

"I don't think a lot will be impacted by this on a security basis," he says.

Experts agree DST won't be the frenzied non-event that Y2K was, nor will it cause major security breaches. But DST could still cause some headaches and open some potential security holes. Gartner has warned that DST changes could wreak havoc on arrival and departure times for the travel sector, as well as cause potential financial transaction errors leading to late payments.

Michael Rothman, president of Security Incite, says the risk of any major security fallout due to DST is minimal. The most likely problems would stem from calendars not synchronized with the new DST. "If you have a triage meeting to discuss what to fix today, and half the team shows up an hour later, that could problematic."

Sweatt says Microsoft isn't issuing any DST patches for its Antigen or Forefront security tools because they use the UTC for time. Windows Vista and Office 2007 don't need patching because they were built with the new DST changes in mind. Networking products for the most part won't be affected by the DST changes, either, he says. "Unless they do things that render time from a DST-displayed clock."

"We have heard examples of businesses who have coded their read-time directly from a system clock... They may have to retool their applications," Sweatt says.

"It's the old [software] you worry about -- you'll get time and date discrepancies which could cause systems to crash or result in corrupted data," notes Rob Enderle, principal analyst at the Enderle Group. "Manual fixes could leave systems exposed as people have to go into a lot of systems that aren't touched very often and probably aren't that secure." Many such older systems use administrator privileges that could open up potential windows for attack, he says.

Microsoft is advising customers to watch their electronic calendars closely during those first three weeks of DST. "We're telling them 'you know your calendar best,'" Sweatt says. "For those three weeks, make note and make sure they are correct," including the start and end times, body, and subject.

Overall, security experts say they don't expect any major security fallout from the DST change, just some isolated problems. "There's too much UTC and NTP [Network Time Protocol] daemons" out there, says Ralph Logan, partner with The Logan Group. "There's always the theoretical problem with time/date shifts... But the window of opportunity [for an attacker] is so small and the technological 'advantage' is so small."

"I don't really expect the DST thing to register much past 1.0 on the Richter scale," Security Incite's Rothman says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • Security Incite
  • Enderle Group Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 6/5/2020
    How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
    Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
    Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: What? IT said I needed virus protection!
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-06-07
    HESK before 3.1.10 allows reflected XSS.
    PUBLISHED: 2020-06-07
    handler/upload_handler.jsp in DEXT5 Editor through 3.5.1402961 allows an attacker to download arbitrary files via the savefilepath field.
    PUBLISHED: 2020-06-07
    Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes...
    PUBLISHED: 2020-06-06
    The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard.
    PUBLISHED: 2020-06-06
    showAlert() in the administration panel in Bludit 3.12.0 allows XSS.