
SANS ISC: DST and time sensitive transactions - SANS Internet Storm Center SANS ISC InfoSec Forums


DST and time sensitive transactions
We've raised the Daylight Saving Time (DST) changes in the US a couple of times: first when Microsoft pushed out a patch back in November 2006, and again in January when it was becoming clear that this might slip past a lot of people.

It was raised again this week, with March 11 getting closer, when we were asked to comment on the impact of the early change.

One of the impacts was raised in a field notice from Cisco (FN - 62663 - U.S. Daylight Savings Time Policy Changes Effective March 2007 - for ACS Windows). Cisco's Secure Access Control Server (ACS) provides authentication services through RADIUS and TACACS and is used in Kerberos implementations. Kerberos allows for a time difference of about 10 minutes between the server and the client when authenticating, so if the time is out by one hour, the authentication will fail.

No doubt the problem is not limited to this one implementation. There are a number of Single Sign-On (SSO) or two-factor authentication solutions that rely on time, and all of them may have a similar issue.

Other areas that may be an issue are log records as well as correlation engines.

Quite a number of vendors have been pumping out notifications on this topic over the last couple of weeks. You may wish to give them a quick once-over, just to double-check whether your environment will be affected.

Mark H
shearwater
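
Added example, not part of the original diary or of any vendor notice: a Python sketch that works out when a host still using the pre-2007 US DST rule is one hour off from a patched host, checks that against the skew tolerance mentioned in the post, and shifts log timestamps from the unpatched host for correlation. It assumes the unpatched host's clock follows the old rule; the function names and the sample timestamp are constructed.

```python
from datetime import date, datetime, time, timedelta

# Tolerance taken from the post ("about 10 minutes"); set it to your own policy.
SKEW_TOLERANCE = timedelta(minutes=10)
OLD_RULE = ((4, 1), (10, -1))  # before 2007: first Sunday in April to last Sunday in October
NEW_RULE = ((3, 2), (11, 1))   # from 2007: second Sunday in March to first Sunday in November

def nth_sunday(year, month, n):
    """Date of the n-th Sunday of the month; n = -1 means the last Sunday."""
    if n > 0:
        first = date(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - 6) % 7)

def dst_offset(local, rule):
    """DST offset a host applies at a local wall-clock time under a rule.
    Transitions are taken at 02:00; the repeated fall-back hour is ignored."""
    (sm, sn), (em, en) = rule
    start = datetime.combine(nth_sunday(local.year, sm, sn), time(2))
    end = datetime.combine(nth_sunday(local.year, em, en), time(2))
    return timedelta(hours=1) if start <= local < end else timedelta(0)

def clock_error(local):
    """Amount an unpatched (old-rule) host's wall clock lags a patched one."""
    return dst_offset(local, NEW_RULE) - dst_offset(local, OLD_RULE)

def exceeds_skew(local, tolerance=SKEW_TOLERANCE):
    """True when the rule mismatch alone puts the two clocks outside the tolerance."""
    return abs(clock_error(local)) > tolerance

def corrected(logged):
    """Shift a timestamp logged by an unpatched host onto the patched timeline."""
    return logged + clock_error(logged)

def mismatch_windows(year):
    """Date ranges in which old-rule and new-rule hosts disagree by one hour."""
    return [(nth_sunday(year, 3, 2), nth_sunday(year, 4, 1)),
            (nth_sunday(year, 10, -1), nth_sunday(year, 11, 1))]

if __name__ == "__main__":
    for start, end in mismatch_windows(2007):
        print(f"clocks disagree from {start} to {end}")
    sample = datetime(2007, 3, 12, 9, 0)  # constructed sample timestamp
    print(sample, "error:", clock_error(sample), "outside tolerance:", exceeds_skew(sample))
```

Outside the two windows the error is zero, so the same check can run year-round against timestamps from hosts whose patch status is unknown.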