Security-Portal.cz is a web portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports its community in interesting projects.

Categories

McDonald’s serves up a master class in how not to explain a system outage

Computerworld.com [Hacking News] - 1 April 2024 - 08:00

The global outage that last month prevented McDonald’s from accepting payments prompted the company to release a lengthy statement that should serve as a master class in how not to report an IT problem. It was vague and misleading, and yet the company used language that still allowed many of the technical details to be figured out.

(You know you’ve moved far from home base when Burger King UK makes fun of you. In response to news of the McDonald’s outage, Burger King played off its own slogan by posting on LinkedIn: “Not Loving I.T.”)

The McDonald’s statement was vague about what happened, but it did opt to throw the chain’s point-of-sale (POS) vendor under the bus — while not identifying which vendor it meant. Classy.

The statement, issued shortly after the outage began — but before it had ended — said: “Notably, this issue was not caused by a cybersecurity event; rather, it was caused by a third-party provider during a configuration change.” A few hours later, it quietly changed that sentence by adding the word “directly,” as in “was not directly caused by a cybersecurity event.”

That insert raised all kinds of issues. Technically, it meant that there absolutely was a “cybersecurity event” somewhere — presumably not affecting McDonald’s or its POS provider — that somehow played a role in the outage. The most likely scenario is that either McDonald’s or the POS provider learned of an attack elsewhere (quite possibly multiple attacks) that leveraged a POS hole that also existed in the McDonald’s environment.

One of the two then decided to implement an emergency fix. And due to insufficient or non-existent testing of the patch, the company’s systems crashed. That would explain how the outage could have been indirectly caused by a cybersecurity event.

Let’s go back to the statement, where we find more breadcrumbs about what likely happened. In it, McDonald’s Global CIO Brian Rice said: “At approximately midnight CDT on Friday, McDonald’s experienced a global technology system outage, which was quickly identified and corrected. Many markets are back online, and the rest are in the process of coming back online. We are closely working with those markets that are still experiencing issues.”

At first glance, those sentences appear to contradict each other. One sentence said the outage was “quickly identified and corrected” and the next said that many markets were still offline. If it had actually been quickly corrected, why were so many systems still offline at the time of the statement?

The answer that seems to explain the contradiction is DNS. That would explain how the problem could have been “corrected” while the correction had not yet reached everyone. DNS changes need time to propagate, and given the far-flung geographies affected (including the United States, Germany, Australia, Canada, China, Taiwan, South Korea and Japan), the one- to two-day delay that hit some areas is just about what would be expected with a DNS issue.

As for throwing a vendor under the bus, consider the chain’s second update, which said: “In the coming days, we will be analyzing the issue and pushing for accountability across our teams and third-party vendors.” That’s fine. But the day before, the statement said that the outage “was caused by a third-party provider during a configuration change.”

The incident was only hours old and the company wanted to be clear that it was the vendor’s fault. Methinks, Ronald, thou doth protest too much. Who hired the vendor? Whose IT team was managing that vendor? Did the McDonald’s IT team tell the vendor to fix it immediately? Was there an implication that if they cut a few procedural corners to make it happen, no one would ask questions?

This line might be warranted if the third-party went renegade and made changes itself without asking McDonald’s. But that seems highly unlikely. And if it were true, wouldn’t McDonald’s have said so directly? Also, there’s a certain oddness to throwing someone under the bus while keeping the company’s identity secret. You don’t get points for blaming someone and then not saying who is being blamed. 

Then there is the franchisee factor at play here. McDonald’s doesn’t own many of its restaurants, but it does impose strict requirements, which includes that they have to use McDonald’s chosen POS system. (♩ ♪ ♫ ♬You deserve a break today, so we broke our POS, you can’t pay!♩ ♪ ♫ ♬)

Note: Computerworld reached out to McDonald’s for comment hours after the initial statement was issued. No one replied.

Mike Wilkes, director of cyber operations at The Security Agency, was one of several security people who saw DNS as the most likely culprit. 

“This looks like it was a DNS failure that turned into a global outage, a configuration error,” he said. “It was probably an insufficiently tested patch or a fat-fingered patch.” Wilkes noted that the outage did not impact the McDonald’s mobile app, which — if true — is another clue to what happened. 

Part of the delay was not merely that DNS needs time to propagate, but that the change would have had to reach many different DNS resolvers. “This was likely a DNSSEC (Domain Name System Security Extensions) change intended to improve their security.”

Wilkes also suspected that a TTL (time to live) setting played a role. “No one likely had time to lower the TTL to have a recovery time of five minutes,” he said, which would further explain the lengthy delays.
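To make the TTL point concrete, here is a small simulation added for this page (not code from the article or from McDonald’s or its vendor): a toy caching resolver that shows how long a bad DNS change keeps being served after the fix is published, with and without the TTL having been lowered ahead of the change. The timeline, the one-day and five-minute TTLs and the record values are constructed assumptions.

```python
"""Added example (not from the article): a toy caching resolver showing why
the TTL on a DNS record bounds how long a bad change keeps being served after
the fix is published, and why lowering the TTL ahead of a change matters."""

DAY = 86400          # a typical long TTL, in seconds (assumed)
SHORT_TTL = 300      # the "five minute" recovery window Wilkes refers to


class Authoritative:
    """The zone owner's server: current value and TTL for one record."""
    def __init__(self, value: str, ttl: int):
        self.value, self.ttl = value, ttl


class CachingResolver:
    """A recursive resolver that reuses an answer until its TTL expires."""
    def __init__(self, auth: Authoritative):
        self.auth, self.value, self.expires_at = auth, None, None

    def resolve(self, now: int) -> str:
        if self.value is not None and now < self.expires_at:
            return self.value                  # served from cache, right or wrong
        self.value = self.auth.value           # expired: ask the authoritative again
        self.expires_at = now + self.auth.ttl  # and keep it for the current TTL
        return self.value


def seconds_until_recovered(lower_ttl_ahead: bool, fix_at: int = 720) -> int:
    """Constructed timeline: a resolver has cached the record for days; at t=0 a
    configuration change publishes a broken value; the operator publishes the
    fix at t=fix_at. Returns how many seconds after the fix this resolver still
    answers with the broken value."""
    auth = Authoritative("good-old", DAY)
    resolver = CachingResolver(auth)
    resolver.resolve(-2 * DAY)                 # cache warmed with the long TTL
    if lower_ttl_ahead:
        auth.ttl = SHORT_TTL                   # published a full old TTL early,
                                               # so no cache still holds the long TTL
    for t in range(-2 * DAY, fix_at + DAY, 60):   # clients query once a minute
        if t == 0:
            auth.value = "bad"                 # the untested change goes out
        if t == fix_at:
            auth.value = "good-new"            # the fix goes out
        if resolver.resolve(t) == "good-new":
            return t - fix_at
    raise RuntimeError("never recovered within the simulated window")
```

With the one-day TTL still in place the bad answer survives for roughly 23.8 hours after the fix; with the TTL pre-lowered to 300 seconds, recovery is bounded by those five minutes.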

Terry Dunlap, co-founder and managing partner of Gray Hat Academy, also believed the McDonald’s outage appeared to be an attempt to quickly block a potentially imminent attack. “They were saying ‘Give me a life vest. I don’t want to be drowned by the wave that is coming.’”

More strategically, Dunlap was not a fan of the statements McDonald’s issued.

“It’s much better to be proactive and as detailed as possible upfront,” he said. “I don’t think that the statements conveyed the level of warm and fuzzies needed. I would recommend going into more details. How did you respond to it? Why did it happen? What impacts have occurred that you are not telling me? (The McDonald’s statements) create more questions than answers.”

This appropriately raises yet again the enterprise risk coming from third parties — especially those who, as might be the case with McDonald’s, act on their own and cause problems for the enterprise IT team.

“Every company is being flyspecked for their third-party risk management right now,” said Brian Levine, a managing director with Ernst & Young (EY). “Third-party risk management is increasingly being put under the microscope today by courts, regulators and companies.”

McDonald’s did not initially file an SEC report on the incident. Given that Wall Street did not react in any serious way to the McDonald’s outage, it’s unlikely McDonald’s would consider the outage material. As for the third-party POS provider, it’s unclear whether it filed a report as its identity has yet to be confirmed. 

Among the important lessons here for all enterprise IT is to give careful thought to outage statements. Anything beyond “Something happened. We are investigating and will report more once facts are known and verified” is going to leave clues.

Vague implications are not your friend. If you are ready to say something, say it. If you are not, say nothing. Splitting the middle as McDonald’s did won’t likely serve your long-term interests (not unlike eating McDonald’s food). But at least a quarter-pounder tastes good and is filling.

The McDonald’s outage statement was neither.

Data Center, Mobile Payment, Networking, Security
Category: Hacking & Security

Tor – Identifying malicious exit relays

VNSECURITY - 18 August 2014 - 13:00
1. Introduction This article is a brief description of and commentary on the paper "Spoiled Onions: Exposing Malicious Tor Exit Relays"[1]. A Tor exit relay is the last node on the path packets take through the Tor network; from there the packets travel on to the address ...
Category: Hacking & Security

Fetching lyrics from nhaccuatui.com

VNSECURITY - 18 August 2014 - 13:00
Nhaccuatui has just upgraded its web music player, which can now display time-synced lyrics quite well. This article presents the steps to fetch those lyrics and provides a tool that does it with a single press of Enter ;) (*). Fetching ...
Category: Hacking & Security

[defcon 2014 quals] polyglot

VNSECURITY - 18 August 2014 - 13:00
Challenge was getting 0x1000 bytes from socket, and executing it following these rules (all shellcodes and codes are at the end of this writeup): [code] - all general purpose registers are 0 - stack is at 0x42000000 - pc    is at 0x41000000 [/code] All binaries: x86 : polyglot_9d64fa98df6ee55e1a5baf0a170d3367 armel : polyglot_6a3875ce36a55889427542903cd43893 armeb : polyglot_c0e7a26d7ce539efbecc970c154de844 PowerPC: polyglot_5b78585342a3c116aebb5a9b45e88836 Our shellcode ...
Category: Hacking & Security

Analysis of the Btalk application on Android – Part one: User authentication mechanism

VNSECURITY - 18 August 2014 - 13:00
Note: the analysis in this article is based on Btalk version 1.0.6 downloaded from the Play Store. BKAV was notified by email of the issues raised in this article in advance. (pdah - cb_ - k9) Registration and activation mechanism The authentication process ...
Category: Hacking & Security

Exploiting nginx chunked overflow bug, the undisclosed attack vector (CVE-2013-2028)

VNSECURITY - 18 August 2014 - 13:00
In a previous post, we analyzed and exploited a stack-based buffer overflow vulnerability in the chunked encoding parsing of nginx 1.3.9 - 1.4.0. We mentioned that there was another attack vector which was more practical and more reliable. I talked about this attack vector at SECUINSIDE 2013 in July (btw, a great conference and ...
Category: Hacking & Security

[Secuinside CTF 2013] movie talk

VNSECURITY - 18 August 2014 - 13:00
The challenge itself is very interesting, as we have a typical use-after-free problem. It's running on Ubuntu 13.04 with NX + ASLR. When we run the challenge it gives us this message: [code] ###################################### #                                    # #   Welcome to the movie talk show   # #                                    # ###################################### 1. movie addition 2. movie deletion 3. my movie list 4. quit : [/code] movie addition is very straight ...
Category: Hacking & Security

[Secuinside CTF 2013] Reader Writeup

VNSECURITY - 18 August 2014 - 13:00
Description: http://war.secuinside.com/files/reader ip : 59.9.131.155 port : 8282 (SSH) account : guest / guest We have obtained a program designed for giving orders to criminals. Our investigators haven't yet analyzed the file format this program reads. Please help us analyze the file format this program uses, find a vulnerability, and take a shell. From the description we can ...
Category: Hacking & Security

[Secuinside CTF 2013] pwnme writeup

VNSECURITY - 18 August 2014 - 13:00
Challenge summary: Binary : http://war.secuinside.com/files/pwnme Source : http://war.secuinside.com/files/pwnme.c =================================== OS : Ubuntu 13.04 with PIE+ASLR+NX md5 of libc-2.17.so : 45be45152ad28841ddabc5c875f8e6e4 IP : 54.214.248.68 PORT : 8181,8282,8383 This is the only exploit challenge that comes with source. The bug is simple: a buffer overflow of only 16 bytes at pwnme.c:67, just enough to control EIP. The goal is to bypass PIE+ASLR+NX. We ...
Category: Hacking & Security

[Secuinside CTF 2013]Trace Him Writeup

VNSECURITY - 18 August 2014 - 13:00
Description: IP : 59.9.131.155 port : 18562 (SSH) account : control / control porsche binary : http://war.secuinside.com/files/firmware data : http://war.secuinside.com/files/car.bin (To prevent meaningless waste of time on certain analysis, car.bin is open to public.) hint : root@ubuntu:~# uname -a Linux ubuntu 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:19:42 UTC 2013 i686 i686 i686 GNU/Linux The evil group is running ...
Category: Hacking & Security

Analysis of nginx 1.3.9/1.4.0 stack buffer overflow and x64 exploitation (CVE-2013-2028)

VNSECURITY - 18 August 2014 - 13:00
A few days after the release of the nginx advisory (CVE-2013-2028), we managed to successfully exploit the vulnerability with full control over the program flow. However, in order to make it more reliable and useful in a real-world environment, we still explored several program paths and found some other ...
Category: Hacking & Security

CMarkup Use After Free Vulnerability – CVE-2012-4782

VNSECURITY - 18 August 2014 - 13:00
The latest M$ Tuesday patch killed one of my 0days in Microsoft Internet Explorer 9/10. So I decided to release proof-of-concept code and write up some analysis of this bug. Hope it's helpful. Here is the PoC: [sourcecode language="html"] ...
Category: Hacking & Security

Snatching The H@t

VNSECURITY - 18 August 2014 - 13:00
At IDG's invitation, VNSecurity agreed to co-organize the "Snatching the h@t" competition as an event within the CSO ASEAN 2012 conference, with the aim of introducing and developing CTF as a form of learning and of demonstrating ...
Category: Hacking & Security

[writeup] Hacklu 2012 – Challenge #12 – Donn Beach – (500)

VNSECURITY - 18 August 2014 - 13:00
The famous zombie researcher “Donn Beach” almost created an immunization against the dipsomanie virus. This severe disease leads to the inability to defend against Zombies, later causes a complete loss of memory and finally turns you into one of them. Inexplicably, Donn forgot where he put the license key for his centrifuge. Provide him ...
Category: Hacking & Security

[writeup] Hacklu 2012 – Challenge #6 – BrainGathering – (500)

VNSECURITY - 18 August 2014 - 13:00
I did not solve this during the CTF, and my mistake was not using IDA to decompile, since it has some obfuscation. After the CTF ended, I used gdb to dump the running process to a binary file and analyzed it again, trying to finish it. gdb --pid [PID] gdb>info proc process 4660 gdb>shell cat /proc/4660/maps 08048000-0804a000 rwxp 00000000 08:03 7213513 gdb>dump ...
Category: Hacking & Security

[writeup] Hacklu 2012 – Challenge #19 – Zombie Reminder – (200)

VNSECURITY - 18 August 2014 - 13:00
19 - Zombie Reminder Zombies love brains. But zombies forget, so they have a tool where they can enter the location of brains they found. In a heroic mission someone managed to obtain both the source code and the information that a critical file can be found at '/var/www/flag'. Your mission ...
Category: Hacking & Security

[writeup] Hacklu 2012 – Challenge #13 – The Sandbox Terminal

VNSECURITY - 14 August 2014 - 18:30
Solved by w00d @ clgt Thanks to g4mm4 for giving many suggestions and drafting the first version of the exploit 13 - The Sandboxed Terminal (400) Since the zombie apocalypse started people did not stop to ask themselves how the whole thing began. An abandoned military base may lead to answers but after infiltrating ...
Category: Hacking & Security