A recent report from the National Association for Security and Trust
Evaluation warns of an increase in serious security breaches known as
Denial of Responsibility (DoR) attacks. “Each attack is much more
dangerous than traditional security flaws,” says Warren N. Veighn of
the Association, “because the extent of the vulnerabilities is so
great, the time they affect deployed systems can stretch
out to decades, and getting the source of the problem to react appropriately is by definition very difficult.”

DoR attacks used to be of a simple, garden-variety type where a
computer manufacturer obscures the fact that it has shipped a system with bugs
(sometimes known to the company in advance). More recent DoR attacks
involve adding “cool features” that benefit only a few
curious experimenters but open the door to serious intrusions.

“And the new crop of DoR is even worse,” explains Veighn, “involving
requirements from governments or major service vendors that data be
stored in an insecure and easily targeted fashion. One never hears
them talk of the true effects of these decisions.”

DoR attacks are viral, in the sense that they begin with a governmental directive or a software company, but spread rapidly to major customers who wish to minimize the risks created by the software flaws.

When asked what software vendors are doing to control DoR attacks, industry
spokesperson Heidi Vadanduck responded, “Our industry is committed to
a secure and trustworthy experience in every format, as evidenced by
the upsurge in customer-offering-based solutions embodying tested
protections and proven, standards-based reliability.”

Have you experienced a DoR attack where you worked?