Infosec's Thanksgiving turkey triumvirate: Tesla, Tumblr, Trump (as in Ivanka)... and tons more
It's like a turducken of screw-ups
Roundup As America prepares for Thursday's Thanksgiving rituals of turkey, football, and awkward conversations with extended family, three organisations are going to have admins working overtime to clean up security messes.
White House staffer Ivanka Trump joins tech icons Tesla and Tumblr in reporting embarrassing security-related-ish gaffes this week.
Good guy Elon Musk gifts user access to 1.5 million Tesla customer accounts
Leccy car firm Tesla is already getting into the giving spirit of the holidays by providing one of its forum users with access to the email accounts of 1.5 million customers.
Dan Eleff, owner of coupon site DansDeals, wrote that after filing a complaint with Tesla regarding his Model 3 purchase, he was mistakenly made a moderator on the company's forum with access to all user accounts.
In a post to his site, Eleff described how an apparent cock-up from Tesla's customer service department resulted in him being registered on Tesla's site as a customer service agent rather than a car owner.
With that role, Eleff said he was able to look up things like the customer profiles of friends and family, and look at Tesla employee
"Incredibly, the website allows Customer Service agents to assign any roles they want anyone to take on," Eleff noted. "That is an incredibly bad security flaw."
The dealmonger was not quite a benevolent dictator, either. At one point Dan says he tried to take down one of his posts, and instead inadvertently deleted thousands of previous threads from the forum.
Needless to say, this was a bad look for everyone involved. The issue has since been remedied, and Dan no longer enjoys God Mode on the forum.
"Our bug bounty program is set up specifically to encourage this type of reporting, as well as more in-depth research from the security community. In this case, the customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum, which is not connected to our vehicles, main website, or other digital channels," Tesla said in a statement to El Reg.
"We revoked the access as soon as it was reported, and made other changes to adjust privileges accordingly following a full audit. We have no reason to believe that there was any abuse of accounts or content on our forums, and we have taken steps to ensure this does not happen again. Any customer reporting a potential security vulnerability is encouraged to apply for an award through our bug bounty program."
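The role-assignment flaw Eleff describes, as an added example that is not Tesla's code: a naive version in which any customer-service agent can hand out any role, beside a least-privilege version that only lets a grantor assign roles strictly below its own and logs every change. The role names and the `ROLE_RANK` ladder are constructed assumptions for illustration.

```python
"""Role-assignment checks modelled on the forum privilege gaffe above.

Constructed example: role names and ranks are assumptions, not Tesla's.
"""
from dataclasses import dataclass, field

# Constructed privilege ladder: a higher rank means more power.
ROLE_RANK = {"owner": 1, "customer_service": 2, "moderator": 3, "admin": 4}


@dataclass
class User:
    name: str
    role: str
    audit: list = field(default_factory=list)   # (grantor, old_role, new_role)


class PrivilegeError(Exception):
    pass


def assign_role_vulnerable(grantor: User, target: User, new_role: str) -> None:
    """The flaw as reported: staff may grant *any* role to *anyone*."""
    if ROLE_RANK.get(grantor.role, 0) < ROLE_RANK["customer_service"]:
        raise PrivilegeError("only staff may change roles")
    target.role = new_role   # no check on which role is being handed out


def assign_role_hardened(grantor: User, target: User, new_role: str) -> None:
    """Least-privilege version: grant only roles below your own, never touch
    accounts at or above your own rank, and record every change for audit."""
    if new_role not in ROLE_RANK:
        raise PrivilegeError(f"unknown role {new_role!r}")
    grantor_rank = ROLE_RANK.get(grantor.role, 0)
    if grantor_rank < ROLE_RANK["customer_service"]:
        raise PrivilegeError("only staff may change roles")
    if ROLE_RANK[new_role] >= grantor_rank:
        raise PrivilegeError("cannot grant a role at or above your own")
    if ROLE_RANK.get(target.role, 0) >= grantor_rank:
        raise PrivilegeError("cannot modify an account at or above your own rank")
    target.audit.append((grantor.name, target.role, new_role))
    target.role = new_role
```

With this check a customer-service agent can still fix a mis-registered account back to "owner", but promoting someone to moderator requires an admin, which is the separation the forum lacked.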
Tumblr app goes dark amidst child exploitation crackdown
The mobile edition of moody teen haven Tumblr has been missing from Apple's iOS App Store for several days now, as the blog site has been working to crack down on illegal content. After keeping fairly quiet about the outage for four days, Tumblr finally shed light on Tuesday as to why it has been off the iOS app service, and the reason was pretty grim.
It turns out that some users had been abusing the site to post images of child sex abuse, requiring Tumblr to update the app in order to be able to filter out the vile illegal content going forward. This also meant that Tumblr has had to pull the app from the iOS App Store.
"Every image uploaded to Tumblr is scanned against an industry database of known child sexual abuse material, and images that are detected never reach the platform," Tumblr said. "A routine audit discovered content on our platform that had not yet been included in the industry database."
Tumblr did not say when it would return to the App Store.
But… HER emails?
For those who enjoy a good bit of irony: Trump administration resident and Presidential daughter Ivanka Trump has been caught using a private email server to conduct official administration business.
The Washington Post reports that Ivanka used a private email account on a domain owned by her and husband Jared Kushner to send emails to aides, cabinet members, and personal assistants.
The report, citing US administration officials, claims that Ivanka used the personal account for "much of" the 2017 calendar year, and her attorney says that no classified materials were sent from the account.
Perhaps most amusingly, the report claims that the Trump administration official did not know that using a personal email for official government business was a violation of federal record-keeping laws:
"Some aides were startled by the volume of Ivanka Trump’s personal emails — and taken aback by her response when questioned about the practice. She said she was not familiar with some details of the rules, according to people with knowledge of her reaction."
That makes perfect sense: it's not like the Trump campaign made a similar situation the focal point of its White House run in 2016 or anything. How would Ivanka ever know that using a personal email account for government business would get a person into trouble?
Surely the congressional hearings and criminal charges for this incident will be kicking off any minute now.
Bonus T: Tether investigated for alleged Bitcoin pump & dump
Get your shocked face ready: last year's completely random Bitcoin price surge and subsequent plummet may have been maliciously and artificially engineered to line someone's pockets.
Bloomberg reports that Tether, a company that operates both its own cryptocurrency and the Bitfinex exchange, is the focus of a US Department of Justice probe over price-fixing.
Apparently, the DOJ suspects that Bitfinex and Tether were involved in a scheme to manipulate the price of Bitcoin that culminated with last year's surge to almost $20k per coin. Since then, Bitcoin has been in a slow decline with its price now sitting at around or just under $5,000 on most exchanges.
While it is easy to joke about internet funbux, a number of people have had their lives profoundly impacted by money lost on cryptocurrency investments, and if the markets were being manipulated illegally, whoever was behind it should be brought to justice. ®
But wait – there's more! Here's a quick roundup of other interesting infosec links
- If you use Microchip's software suite on Linux, and have the Microchip Technology XC License Manager installed, bear in mind this management code runs setuid root with easy-to-exploit vulnerabilities, allowing a malicious logged-in user, or malware already on your system, to gain admin privileges. A zero-day exploit was dropped online this week after attempts by Matthew "Hacker Fantastic" Hickey, cofounder of British security shop Hacker House, to get the flaws fixed up went nowhere. Microchip told us it's looking into the matter.
- Watch out for spam, phishing messages, and other malicious emails exploiting a Gmail weakness that allows the "From" field in an email to appear blank. A similar shortcoming allows miscreants to direct emails straight into people's sent boxes. We're pretty sure this is close to a previously reported Gmail security headache. In any case, mind how you go with suspicious-looking messages in Google's webmail.
- Sticking to the T theme, Recorded Future has tracked down and outed who they think is the notorious hacker tessa88, who has touted databases swiped in the past from Myspace, Dropbox, LinkedIn, Twitter, and others.
- And more T news: Duo Labs has probed Apple's T2 security chip that enforces Cupertino-flavored Secure Boot in modern Macs, and documented its weaknesses. Chiefly, it may be possible to modify the chip's firmware over the wire using hardware implanted on the motherboard and get away with it. (Remind you of anything?)
- And one final T: Thirteen Android games have been fingered by ESET as malicious, downloading extra dodgy code after installation. They've been installed 560,000-plus times, and two of them are trending...