McVirus – Attack on McDonald’s Cyber Supply Chain

McDonald’s and Coca-Cola, two of the most well known and respected brands in the world, do a promotion in Japan. They give away 10,000 USB-stick MP3 players. Each one is loaded with 10 free songs and 1 free virus, the QQPass Trojan. Plug it into your computer and it starts logging keystrokes, collecting passwords, gathering personal data and other goodies.

Yes, it happened almost 10 years ago. But a lot has changed since then… it’s gotten even more dangerous.

Ever heard of CAPEC? The Common Attack Pattern Enumeration and Classification (CAPEC) is a publicly available catalog of common cyber attack patterns classified in an intuitive manner, along with a comprehensive schema for describing related attacks and sharing information about them. CAPEC was established by the U.S. Department of Homeland Security as part of the Software Assurance (SwA) strategic initiative of the Office of Cybersecurity and Communications (CS&C). It is maintained by the MITRE Corporation, a not-for-profit organization that operates Federally Funded Research facilities, e.g. NIST Centers of Excellence.

In the case of McVirus, the “Domain of Attack” was the Supply Chain and the pattern was CAPEC-438: Integrity Modification During Manufacture, in which the attacker modifies a technology, product, or component during a stage in its manufacture to carry out an attack against some entity in the supply-chain life-cycle. In this case it was directed against the end-user of the MP3 player.

There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced, with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit, and studies have shown that fewer than 10 transistors are required to create malicious functionality.
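The defensive counterpart to CAPEC-438 is to check that what leaves manufacturing matches what was approved. The script below is an added example, not code from the original post or from any of the companies mentioned: it builds a SHA-256 manifest of an approved ("golden") device image and compares a sampled device against it, reporting files that were added, removed or altered between approval and shipment. The directory layout, track names and the unexpected executable are constructed for the demonstration; a real QA process would run the same comparison against a signed manifest produced before the devices were duplicated.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 64 * 1024


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large media files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file below root.
    Run on the approved image this is the golden manifest; run on a sampled device
    it is the set of facts we compare against that manifest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_device(expected, root):
    """Compare a sampled device's contents with the golden manifest.
    Any non-empty list means the device did not leave manufacturing in the approved state."""
    actual = build_manifest(root)
    added = sorted(set(actual) - set(expected))
    missing = sorted(set(expected) - set(actual))
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"added": added, "missing": missing, "modified": modified,
            "clean": not (added or missing or modified)}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: an approved image of three tracks, and a sampled device on
    which one track was replaced and an unexpected executable was added (both constructed)."""
    golden = tempfile.mkdtemp(prefix="golden_")
    device = tempfile.mkdtemp(prefix="device_")
    try:
        for i in range(1, 4):
            payload = b"ID3" + bytes([i]) * 512          # stand-in for MP3 content
            _write(golden, f"music/track{i:02d}.mp3", payload)
            _write(device, f"music/track{i:02d}.mp3", payload)
        expected = build_manifest(golden)
        # Tampering applied to the sampled device only (constructed for the demo).
        _write(device, "music/track02.mp3", b"ID3" + b"\xff" * 512)
        _write(device, "player_update.exe", b"MZ" + b"\x00" * 64)
        return verify_device(expected, device)
    finally:
        shutil.rmtree(golden)
        shutil.rmtree(device)


if __name__ == "__main__":
    print(demo())
```

The report separates "added" from "modified" deliberately: an extra file on a device that should only carry media is the strongest signal here, because a legitimate duplication step never creates new files, whereas a changed hash on an existing file could also be a duplication error worth a second look rather than an immediate alarm.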

New Way of Thinking – Differentiation & Integration

Let me point out a limitation of CAPEC. An essential part of any taxonomy is differentiation, i.e. drawing distinctions among, in this case, domains of attack and mechanisms of attack. That’s fine as an analytical mechanism, but life is more complex than that. In short, domains of attack blend with mechanisms of attack: they work together and often do so in unpredictable and messy ways. That’s integration; remember differentiation and integration from calculus?

The more connected we become, and the more sophisticated our software and hardware become, the more vulnerable we become, because there are more combinations and permutations of ways to prosecute an attack: more domains and more mechanisms. Take the most recent car hacking incident reported by Wired.

Jeep Cherokee in a Ditch?

I’m watching the news clip in my living room and I see the Jeep go into the ditch! Yikes, and if that was not bad enough, the driver loses control of steering, brakes, and transmission too. And all of this is done via the vehicle entertainment system. The reporter for Wired also mentioned that the two hackers received a grant from DARPA, as I recall it was $100,000, to fund the research. At any rate, whatever these guys got was peanuts compared to the damage a car hack can cause. Let’s see… of course there was a recall…

The recall includes 1.4 million vehicles equipped with 8.4-inch touchscreens, including, according to The Detroit News, the following models:

  • 2013-2015 Dodge Vipers
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

An analysis of the Grand Cherokee Rally Edition by The HerdProject detected 27 “potentially unwanted programs” using their freeware assessment software.

Do We Need A HAL Switch?

“All of a sudden I lost RPMs in my Ford Escape! But I didn’t completely lose power. The vehicle went into a “limp home mode”, a way of retaining a minimum functionality when a throttle valve fails.”

When things go wrong… I mean really wrong… we need the option to revert to the lowest level of functionality that still ensures our safety and survivability. Dave, the astronaut in 2001: A Space Odyssey, ultimately needed a way to shut down HAL, the homicidal computer that controlled the space ship and the mission.
