By Andy Oram
June 3, 2002
This article was originally published on the O’Reilly Media web site.
A recent report from the National Association for Security and Trust Evaluation warns of an increase in serious security breaches known as Denial of Responsibility (DoR) attacks. “Each attack is much more dangerous than traditional security flaws,” says Warren N. Veighn of the Association, “because the extent of the vulnerabilities is so great, the time they affect deployed systems can stretch out to decades, and getting the source of the problem to react appropriately is by definition very difficult.”
DoR attacks used to be of a simple, garden-variety type in which a computer manufacturer obscures the fact that it has shipped a system with bugs (sometimes known to the company in advance). More recent DoR attacks involve the inclusion of “cool features” that benefit only a few curious experimenters but open the door to serious intrusions.
“And the new crop of DoR is even worse,” explains Veighn, “involving requirements from governments or major service vendors that data be stored in an insecure and easily targeted fashion. One never hears them talk of the true effects of these decisions.” DoR attacks are viral, in the sense that they begin in a governmental directive or software company, but spread rapidly to major customers who wish to minimize the risks created by the software flaws.
When asked what software vendors are doing to control DoR attacks, industry spokesperson Heidi Vadanduck responded, “Our industry is committed to a secure and trustworthy experience in every format, as evidenced by the upsurge in customer-offering-based solutions embodying tested protections and proven, standards-based reliability.”
This work is licensed under a Creative Commons Attribution 4.0 International License.