Infosec's Thanksgiving turkey triumvirate: Tesla, Tumblr, Trump (as in Ivanka)... and tons more

It's like a turducken of screw-ups

Roundup As America prepares for Thursday's Thanksgiving rituals of turkey, football, and awkward conversations with extended family, three organisations are going to have admins working overtime to clean up security messes.

White House staffer Ivanka Trump joins tech icons Tesla and Tumblr in reporting embarrassing security-related-ish gaffes this week.

Good guy Elon Musk gifts user access to 1.5 million Tesla customer accounts

Leccy car firm Tesla is already getting into the giving spirit of the holidays by providing one of its forum users with access to the email accounts 1.5 million customers.

Dan Eleff, owner of coupon site DansDeals, wrote that after filing a complaint with Tesla regarding his Model 3 purchase, he was mistakenly made a moderator on the company's forum with access to all user accounts.

In a post to his site, Eleff described how an apparent cock-up from Tesla's customer service department resulted in him being registered on Tesla's site as a customer service agent rather than a car owner.

hands through the jail bars. Photo by shutterstock

TalkTalk hackhack duoduo thrownthrown in the coolercooler: 'Talented' pair sentenced for ransacking ISP


With that role, Eleff said he was able to look up things like the customer profiles of friends and family, and look at Tesla employee

"Incredibly, the website allows Customer Service agents to assign any roles they want anyone to take on," Eleff noted. "That is an incredibly bad security flaw."

The dealmonger was not quite a benevolent dictator, either. At one point Dan says he tried to take down one of his posts, and instead inadvertently deleted thousands of previous threads from the forum.

Needless to say, this was a bad look for everyone involved. The issue has since been remedied, and Dan no longer enjoys God Mode on the forum.

"Our bug bounty program is set up specifically to encourage this type of reporting, as well as more in-depth research from the security community. In this case, the customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum, which is not connected to our vehicles, main website, or other digital channels," Tesla said in a statement to El Reg.

"We revoked the access as soon as it was reported, and made other changes to adjust privileges accordingly following a full audit. We have no reason to believe that there was any abuse of accounts or content on our forums, and we have taken steps to ensure this does not happen again. Any customer reporting a potential security vulnerability is encouraged to apply for an award through our bug bounty program."

Tumblr app goes dark amidst child exploitation crackdown

The mobile edition of moody teen haven Tumblr has been missing from Apple's iOS App Store for several days now, as the blog site has been working to crack down on illegal content. After keeping fairly quiet about the outage for four days, Tumblr finally shed light on Tuesday as to why it has been off the iOS app service, and the reason was pretty grim.

It turns out that some users had been abusing the site to post images of child sex abuse, requiring Tumblr to update the app in order to be able to filter out the vile illegal content going forward. This also meant that Tumblr has had to pull the app from the iOS App Store.

"Every image uploaded to Tumblr is scanned against an industry database of known child sexual abuse material, and images that are detected never reach the platform," Tumblr said. "A routine audit discovered content on our platform that had not yet been included in the industry database."

Tumblr did not say when it would return to the App Store.

But… HER emails?

For those who enjoy a good bit of irony: Trump administration resident and Presidential daughter Ivanka Trump has been caught using a private email server to conduct official administration business.

The Washington Post reports that Ivanka used a private email account on a domain owned by her and husband Jared Kushner to send emails to aides, cabinet members, and personal assistants.

The report, citing US administration officials, claims that Ivanka used the personal account for "much of" the 2017 calendar year, and her attorney says that no classified materials were sent from the account.

Perhaps most amusingly, the report claims that the Trump administration official did not know that using a personal email for official government business was a violation of federal record-keeping laws:

"Some aides were startled by the volume of Ivanka Trump’s personal emails — and taken aback by her response when questioned about the practice. She said she was not familiar with some details of the rules, according to people with knowledge of her reaction."

That makes perfect sense: it's not like the Trump campaign made a similar situation the focal point of its White House run in 2016 or anything. How would Ivanka ever know that using a personal email account for government business would get a person into trouble?

Surely the congressional hearings and criminal charges for this incident will be kicking off any minute now.

Bonus T: Tether investigated for alleged Bitcoin pump & dump

Get your shocked face ready: last year's completely random Bitcoin price surge and subsequent plummet may have been maliciously and artificially engineered to line someone's pockets.

Bloomberg reports that Tether, a company that operates both its own cryptocurrency and the Bitfinex exchange, is the focus of a US Department of Justice probe over price-fixing.

Apparently, the DOJ suspects that Bitfinex and Tether were involved in a scheme to manipulate the price of Bitcoin that culminated with last year's surge to almost $20k per coin. Since then, Bitcoin has been in a slow decline with its price now sitting at around or just under $5,000 on most exchanges.

While it is easy to joke about internet funbux, a number of people have had their lives profoundly impacted by money lost on cryptocurrency investments, and if the markets were being manipulated illegally, whoever was behind it should be brought to justice. ®

But wait – there's more! Here's a quick roundup of other interesting infosec links

  • If you use Microchip's software suite on Linux, and have the Microchip Technology XC License Manager installed, bear in mind this management code runs setuid root with easy-to-exploit vulnerabilities, allowing a malicious logged-in user, or malware already on your system, to gain admin privileges. A zero-day exploit was dropped online this week after attempts by Matthew "Hacker Fantastic" Hickey, cofounder of British security shop Hacker House, to get the flaws fixed up went nowhere. Microchip told us it's looking into the matter.
  • Watch out for spam, phishing messages, and other malicious emails exploiting a Gmail weakness that allows the "From" field in an email to appear blank. A similar shortcoming allows miscreants to direct emails straight into people's sent boxes. We're pretty sure this is close to a previously reported Gmail security headache. In any case, mind how you go with suspicious-looking messages in Google's webmail.
  • Sticking to the T theme, Recorded Future has tracked down and outed who they think is the notorious hacker tessa88, who has touted databases swiped in the past from Myspace, Dropbox, LinkedIn, Twitter, and others.
  • And more T news: Duo Labs has probed Apple's T2 security chip that enforces Cupertino-flavored Secure Boot in modern Macs, and documented its weaknesses. Chiefly, it may be possible to modify the chip's firmware over the wire using hardware implanted on the motherboard and get away with it. (Remind you of anything?)
  • And one final T: Thirteen Android games have been fingered by ESET as malicious, downloading extra dodgy code after installation. They've been installed 560,000-plus times, and two of them are trending...

Broader topics

Narrower topics

Other stories you might like

  • Musk can't tweet about Tesla without lawyer approval – and he's still fighting to end that
    By free speech, he means freedom to flip the bird at the SEC

    Elon Musk still hopes to quash a 2018 settlement agreement with the SEC requiring Tesla-related tweets to be approved by a lawyer before he can post them: on Wednesday, he took his case to the US Court of Appeals after a lower court denied this request.

    The Tesla CEO landed himself in hot water with the watchdog when he tweeted he was thinking of taking the company private at $420 a share, and claimed to have already secured the necessary funding (sound familiar?) In reality, however, Musk did not have the funding or approval to do so. Investors, however, took him seriously and they started buying more shares, bumping up the stock price over 10 per cent.

    The SEC accused Musk of fraud, saying his tweets were false and misled the public and caused disruption in the market. Musk was sued by the US regulator; he later settled the lawsuit by agreeing to pay $40 million in penalties, step down as chairman of the automaker's board, and accepted that any tweets discussing Tesla would have to be screened from now on.

    Continue reading
  • Toyota battles Tesla, Ford with own residential energy storage battery
    Another assault in the battery market as automakers race to translate EV tech to the home

    Japanese automaker Toyota has become the latest car company to repurpose its electric vehicle batteries for home energy storage. 

    The O-Uchi Kyuden System, which is on presale now and will roll out in August in Japan only, mainly consists of a trunk-sized battery and two-way vehicle charger. O-Uchi Kyuden is also able to store power generated by solar panels. 

    Toyota said the system uses proprietary technology from its vehicle batteries, and can scale electricity based on need, including using Toyota EVs to supply backup power in the event of an outage or other emergency. 

    Continue reading
  • Musk repeats threat to end $46.5bn Twitter deal – with lawyers, not just tweets
    Right as Texas AG sticks his oar in

    Elon Musk is prepared to terminate his takeover of Twitter, reiterating his claim that the social media biz is covering up the number of spam and fake bot accounts on the site, lawyers representing the Tesla CEO said on Monday.

    Musk offered to acquire Twitter for $54.20 per share in an all-cash deal worth over $44 billion in April. Twitter's board members resisted his attempt to take the company private but eventually accepted the deal. Musk then sold $8.4 billion worth of his Tesla shares, secured another $7.14 billion from investors to try and collect the $21 billion he promised to front himself. Tesla's stock price has been falling since this saga began while Twitter shares gained and then tailed downward.

    Morgan Stanley, Bank of America, Barclays, and others promised to loan the remaining $25.5 billion from via debt financing. The takeover appeared imminent as rumors swirled over how Musk wanted to make Twitter profitable and take it public again in a future IPO. But the tech billionaire got cold feet and started backing away from the deal last month, claiming it couldn't go forward unless Twitter proved fake accounts make up less than five per cent of all users – a stat Twitter claimed and Musk believes is higher.

    Continue reading
  • SpaceX reportedly fires staffers behind open letter criticising Elon Musk
    Asked for equitable treatment and a boss that doesn't embarrass them

    SpaceX has reportedly reacted to an open letter requesting accountability for Elon Musk by firing those involved.

    The alleged dismissals come just two days after an open letter to SpaceX president and COO Gwynne Shotwell began circulating in a SpaceX Teams channel. The missive from employees said Musk's recent actions have been a source of distraction and embarrassment for SpaceX staff.

    The letter asked for the company to "swiftly and explicitly separate itself" from Musk's personal brand, hold all leadership accountable for their actions, and asked that SpaceX clearly define what behaviors it considers unacceptable. The authors also said the company failed to apply its stated diversity, equity, and inclusion goals, "resulting in a workplace culture that remains firmly rooted in the status quo."

    Continue reading

Biting the hand that feeds IT © 1998–2022