All Discussion re: Tesla Motors Website & Forums
You can't have an objective discussion about information security threats and mitigations without considering that people and their actions and assets are the most common attack vector, willing or unwilling. And staff transitions open lots of transient physical, digital, social and logistics windows of opportunity for bad stuff to happen. Many of those are not the fault of the transitioning party.

You, however, can have that discussion without targeting specific people. It's fair to ask 'how many people should have access'. It is potentially career-damaging to imply it is a specific person.

I'm sure you can see the difference.
 
You, however, can have that discussion without targeting specific people. It's fair to ask 'how many people should have access'. It is potentially career-damaging to imply it is a specific person.

I'm sure you can see the difference.

Yes, I see the difference. Maybe I see a hypothetical exploration of specific issues as a fair conversation even if the hypothesis rests on damaging implications of specific individuals, as long as it is carefully labeled as such.
 
You, however, can have that discussion without targeting specific people. It's fair to ask 'how many people should have access'. It is potentially career-damaging to imply it is a specific person.

I'm sure you can see the difference.
Any chance we can get an update on where things stand as of right now? And what we are supposed to be doing and/or looking for? My app logs in, no problem. But still can't access the website. Thanks.
 
Any chance we can get an update on where things stand as of right now? And what we are supposed to be doing and/or looking for? My app logs in, no problem. But still can't access the website. Thanks.

Not sure if you're on Windows or Mac, but if you bring up a CMD window on Windows or a Terminal window on Mac, what do you get when you issue the command 'nslookup www.teslamotors.com'? You should see something like this:

Code:
Non-authoritative answer:
my.teslamotors.com    canonical name = wildcard.teslamotors.com.edgekey.net.
wildcard.teslamotors.com.edgekey.net    canonical name = wildcard.teslamotors.com.edgekey.net.globalredir.akadns.net.
wildcard.teslamotors.com.edgekey.net.globalredir.akadns.net    canonical name = e7797.x.akamaiedge.net.
Name:    e7797.x.akamaiedge.net
Address: 23.6.25.112
Also try to ping it like this:


Code:
$ ping www.teslamotors.com
PING e7797.x.akamaiedge.net (23.6.25.112): 56 data bytes
64 bytes from 23.6.25.112: icmp_seq=0 ttl=55 time=32.675 ms
64 bytes from 23.6.25.112: icmp_seq=1 ttl=55 time=29.890 ms
If you get different addresses for the two, it means your local DNS cache still has the old address. A simple solution is just reboot your PC. (there are commands you can use to clear the cache as well).

If you're getting back a different address than what's above, but you get the same wrong address for both, your service provider's DNS server may still be caching the bad address.


EDIT: Thinking about this a bit more, the fact that they're using akamai means you'll likely get a different address anyway because you'll probably get DNS load-balanced to something on the West coast. Still - do the above to see if the address is the same or different and if the nslookup points to something on akamai's network or not.
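The decision rule in this post (two lookups disagree means a stale local cache; both agree but land off the CDN means an upstream resolver is still serving the bad record) written out as a small checker. This is an added example, not code from the thread; the sample outputs are constructed in the shape of the nslookup and ping output quoted above, and 203.0.113.5 is a documentation-range placeholder for a hijacked address.

```python
import re

# Constructed samples. The good case reuses the addresses shown in the post;
# 203.0.113.5 is a placeholder standing in for a hijacked address.
NSLOOKUP_OK = """Non-authoritative answer:
www.teslamotors.com    canonical name = wildcard.teslamotors.com.edgekey.net.
wildcard.teslamotors.com.edgekey.net    canonical name = e7797.x.akamaiedge.net.
Name:    e7797.x.akamaiedge.net
Address: 23.6.25.112
"""
PING_OK = "PING e7797.x.akamaiedge.net (23.6.25.112): 56 data bytes\n"
PING_STALE_LOCAL = "PING www.teslamotors.com (203.0.113.5): 56 data bytes\n"
NSLOOKUP_HIJACKED = """Non-authoritative answer:
Name:    www.teslamotors.com
Address: 203.0.113.5
"""
PING_HIJACKED_WIN = "Pinging www.teslamotors.com [203.0.113.5] with 32 bytes of data:\n"

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_nslookup(output):
    """Return (names in the CNAME chain plus the final Name, answer addresses)."""
    # Skip the resolver's own Server:/Address: header that nslookup prints first.
    answer = output.split("Non-authoritative answer:", 1)[-1]
    names = re.findall(r"canonical name = (\S+)", answer)
    names += re.findall(r"^Name:\s+(\S+)", answer, re.M)
    addrs = re.findall(r"^Address(?:es)?:\s+" + IPV4, answer, re.M)
    return [n.rstrip(".") for n in names], addrs

def parse_ping(output):
    """Pull the resolved address out of the first ping line: '(ip)' on macOS/Linux, '[ip]' on Windows."""
    m = re.search(r"[(\[]" + IPV4 + r"[)\]]", output)
    return m.group(1) if m else None

def diagnose(nslookup_out, ping_out, cdn_suffix="akamaiedge.net"):
    """Apply the post's rule: disagreement -> local cache; agreement off the CDN -> upstream cache."""
    names, addrs = parse_nslookup(nslookup_out)
    ping_ip = parse_ping(ping_out)
    if ping_ip and addrs and ping_ip not in addrs:
        return "local-cache-stale"   # the two lookups disagree: flush the local cache or reboot
    if not any(n.endswith(cdn_suffix) for n in names):
        return "upstream-stale"      # consistent, but not on the CDN the site is served from
    return "ok"
```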
 
@UberEV1 unless there is a new attack, probably just cached DNS records.
It might be local to your network...

if on a PC try
ipconfig /flushdns from a command prompt (or a reboot)


Can also be your ISP or external DNS records that are yet to update, you just have to wait (or you could try changing DNS forwarder if you are familiar with such things)
 
You, however, can have that discussion without targeting specific people. It's fair to ask 'how many people should have access'. It is potentially career-damaging to imply it is a specific person.

I'm sure you can see the difference.
I meant no implication and went ahead and deleted those posts on my own. I don't understand the concern for what is said on this forum myself, especially by non-senior members like myself, but I could be wrong and I will also state there is no reason for Salesforce.com to have any concern. It is highly unlikely she even had the password to begin with. For some reason I wasn't thinking about it but after seeing other posts I would agree there is a high chance this is social engineering against Network Solutions. Although that is fairly pathetic if true - they charge 3 times more than anyone else and they can't even prevent this type of thing from happening? What do they do with all that extra margin? In any event I'm sure whatever happened Tesla is implementing policies to prevent it from happening again and reviewing everything overall as well.
 
hey we all say stuff that we would have said differently at another time.


not exactly relevant to the current discussion (which is a DNS related hack) but I do observe that the main Tesla website is not SSL.

Given the general pressure in that direction and Google's in particular, it could be fair to say that Tesla is not at the forefront in this respect.
 
uselesslogin said:
I would agree there is a high chance this is social engineering against Network Solutions. Although that is fairly pathetic if true - they charge 3 times more than anyone else and they can't even prevent this type of thing from happening? What do they do with all that extra margin?

It wasn't Network Solutions. It was UltraDNS (actually Neustar) that controls the DNS records for Tesla, and which was likely socially engineered or brute force attacked to gain access to their account and DNS records.

If the hackers gained access to the NetSol account, they could have done much worse damage by deleting or transferring the domain to another registrar (although that would have been pretty difficult to do undetected).
 
It wasn't Network Solutions. It was UltraDNS (actually Neustar) that controls the DNS records for Tesla, and which was likely socially engineered or brute force attacked to gain access to their account and DNS records.

If the hackers gained access to the NetSol account, they could have done much worse damage by deleting or transferring the domain to another registrar (although that would have been pretty difficult to do undetected).
Edit: Nevermind
Here is the link:
All Discussion re: Tesla Motors Website Forums - Page 78


I was looking for more evidence and this makes me think you are right. The UltraDNS IP is incorrect in this post. Tesla possibly switched to clouddns.net in an effort to stop it quickly. In that case a few points for their IT team for quick, creative thinking.


Here is my original, probably incorrect assertion:

No, it wasn't UltraDNS. I checked and during the "hack" the DNS servers were changed to clouddns.net. The only way you could change the DNS servers is through the NetSol account. As to why they didn't try transferring the domain my best guess is they figured they wouldn't be able to get away with that. They have a good chance at getting away with this one. As a matter of fact I even checked the record at the UltraDNS servers and it was unaltered. I didn't save any screen captures though, but I think other posters did show the same thing.
 
@uber - you could try reboot your router too, unlikely as these are generally just forwarders but can be a possibility if it is caching entries.
Out of interest what IP address do you get if you
ping www.teslamotors.com

Name: www.teslamotors.com
Address: 208.91.197.27

Pinging www.teslamotors.com [208.91.197.27] with 32 bytes of data:
Reply from 208.91.197.27: bytes=32 time=65ms TTL=242
Reply from 208.91.197.27: bytes=32 time=74ms TTL=242
Reply from 208.91.197.27: bytes=32 time=57ms TTL=242
Reply from 208.91.197.27: bytes=32 time=58ms TTL=242

Ping statistics for 208.91.197.27:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 57ms, Maximum = 74ms, Average = 63ms
 
Good analysis.
Well I might take it back. I just put the IP that was on UltraDNS in my hosts file and got a timeout. The ClouDNS IPs still redirect to isis.camp if you change your hosts file to point the DNS name to that IP. So, I wouldn't think Tesla would be pointing there as a stopgap and they probably put the UltraDNS IP in place to redirect people away from their website until they could figure out what was going on. So it could have still been Network Solutions. But I'll end my own speculation here without concluding anything.
 
Interestingly on my phone everything works fine except the order page. On my PC it all works just fine. Note both were done from my WiFi connection. When I tried this morning it was the first time I had been to the website since all this started... So I find it odd that both devices going through the same DNS server are getting two different results. In either case, glad all signs point to bad DNS. This is a pretty old school attack that I didn't think was happening much anymore these days because people had taken steps to prevent it. Shame that Tesla's DNS provider didn't take these steps. I won't say my employer's network is hack proof against those kinds of attacks, but it has been MANY years since any one of our thousands of websites had suffered from that kind of attack.
 
I'll recap a bit of what I mentioned previously since my original post is a little buried now.


  • Most importantly, as of this writing the hackers have never set up anything to accept HTTPS/SSL/port 443 connections (I've been monitoring). Additionally, their port 80/HTTP acceptance didn't seem to care about input and simply redirected to that stupid page they set up on another server. Potentially logged, but no passwords on non-SSL with Tesla. (Good thing)
    • Layman's terms: Your passwords are safe. They didn't intercept any mobile app, website logins, forum logins, etc.
  • Backtracking, this was a DNS server swap attack. Tesla's servers were not actually hacked.
    • Layman's terms: The hackers took Tesla's internet phone book record (DNS) and essentially whited it out to put in a new number. Anyone looking for Tesla would have seen only the new number.
  • The hacker's DNS servers had a time-to-live setting of two days. Any DNS servers with the bad entries cached will likely retain them until sometime Monday.
    • Layman's terms: It takes a while to fix all of the phone books. Tesla has no control over this.
  • The weak point in security appears to be Network Solutions. The DNS servers were changed there.
    • Layman's terms: Not necessarily Tesla's fault... unless their password with Network Solutions sucked.
  • Remaining concern: The hackers set up MX records to redirect mail sent to *@teslamotors.com while they were in control of the DNS. It is also possible that cached DNS entries could allow this to continue randomly until sometime tomorrow.
    • Layman's terms: Any emails sent to [email protected] while the attack was happening would likely have gone to the hackers instead of Tesla.
  • The hacks of the twitter accounts were most likely a result of the email redirect. Go to twitter, request a password reset, intercept the email, and go to town.
    • Layman's terms: Twitter wasn't hacked. Elon Musk wasn't hacked. Tesla wasn't actually hacked.

Bottom line: Tesla wasn't actually hacked. Network Solutions was. This certainly had repercussions for Tesla, as we all see, but Tesla themselves doesn't appear to have ever been compromised. I personally would suggest moving from Network Solutions to a new registrar...
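The recap above describes three things a domain owner could have caught from the outside: the delegation (NS) swap at the registrar, the new MX records, and a two-day TTL that keeps bad answers alive in caches. Below is an added example, not code from the thread, of a baseline-drift check a defender might run against periodic record snapshots; all names and the timestamp are constructed placeholders, not values observed during the incident.

```python
from datetime import datetime, timedelta

# Constructed snapshots of a zone's NS and MX records, as a periodic 'dig' job
# might store them. Placeholder names only; nothing here is from the incident.
BASELINE = {
    "NS": {"ns1.registrar-dns.example", "ns2.registrar-dns.example"},
    "MX": {"10 mail.example-carmaker.test"},
}
OBSERVED = {
    "NS": {"ns1.cloud-host.example", "ns2.cloud-host.example"},
    "MX": {"10 mail.attacker-controlled.example"},
    "TTL": 172800,  # two days, the value the recap reports for the hijacked records
}
NOW = datetime(2015, 4, 25, 12, 0)  # constructed reference time (UTC)

def detect_zone_drift(baseline, observed, now):
    """Compare a fresh snapshot with a trusted baseline and explain the exposure.

    Returns a list of finding strings; an empty list means no drift.
    """
    findings = []
    for rtype in ("NS", "MX"):
        before = baseline.get(rtype, set())
        after = observed.get(rtype, set())
        added, removed = sorted(after - before), sorted(before - after)
        if added or removed:
            findings.append(f"{rtype} changed: added {added}, removed {removed}")
    # A changed MX set means mail, including password-reset links for accounts
    # registered under the domain, may be delivered to a third party.
    if observed.get("MX", set()) != baseline.get("MX", set()):
        findings.append("mail for the domain may be delivered elsewhere; "
                        "treat password resets sent to it during the window as exposed")
    # Resolvers that cached the bad records keep serving them for the full TTL,
    # so the owner cannot end the exposure simply by restoring the records.
    ttl = observed.get("TTL")
    if findings and ttl:
        horizon = now + timedelta(seconds=ttl)
        findings.append(f"cached answers may persist until {horizon:%Y-%m-%d %H:%M} UTC")
    return findings

if __name__ == "__main__":
    for line in detect_zone_drift(BASELINE, OBSERVED, NOW):
        print("ALERT:", line)
```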