New security attack identified: Denial of Responsibility (DoR)

by Andy Oram

A recent report from the National Association for Security and Trust
Evaluation warns of an increase in serious security breaches known as
Denial of Responsibility (DoR) attacks. "Each attack is much more
dangerous than traditional security flaws," says Warren N. Veighn of
the Association, "because the extent of the vulnerabilities is so
great, the time they affect deployed systems can stretch out to
decades, and getting the source of the problem to react appropriately
is by definition very difficult."


DoR attacks used to be of a simple, garden-variety type in which a
computer manufacturer obscures the fact that it has shipped a system
with bugs (sometimes known to the company in advance). More recent DoR
attacks include the addition of "cool features" that benefit only a few
curious experimenters but open the door to serious intrusions.


"And the new crop of DoR is even worse," explains Veighn, "involving
requirements from governments or major service vendors that data be
stored in an insecure and easily targeted fashion. One never hears
them talk of the true effects of these decisions."

DoR attacks are viral, in the sense that they begin with a governmental
directive or a software company but spread rapidly to major customers,
who wish to minimize the risks created by the software flaws.


When asked what software vendors are doing to control DoR attacks, industry
spokesperson Heidi Vadanduck responded, "Our industry is committed to
a secure and trustworthy experience in every format, as evidenced by
the upsurge in customer-offering-based solutions embodying tested
protections and proven, standards-based reliability."


Have you experienced a DoR attack where you worked?


4 Comments

cjsmith
2002-06-03 07:37:19
Andy's "DoR"?
Okay Andy where are these "resources" made available?
blaise1
2002-06-03 07:37:26
Have I had DoR at work?
Sure, but it wasn't my fault.
justme
2002-06-03 14:25:10
Satire or real article?
Hmmm. This alleged industry contact "Heidi Vadanduck" sounds suspiciously like a fake name:
"Hide, Evade, and Duck," just right for a spokesperson from a software company that might be using the Security by Obscurity model (backed by the MPAA and SPA).
bushranger
2002-06-03 15:49:17
Satire or real article?
Naturally it's all fake. Warren N. Veighn (warn in vain) from the National Association for Security and Trust Evaluation (NASTE). Responded to by Heidi Vadanduck (Hide, Evade, and Duck)... Good for a laugh.
At least though it does point out a real threat - some 'solutions' that are shipped are really quite inferior in their security - take IIS as a prime example. How many times did I need to patch the company webserver last year...?