Twitter's former security head, Peiter Zatko, has alleged numerous serious cyber failures at the social media platform, raising the spectre of investigations and sanctions
- Alex Scroxton, Security Editor
Published: 24 Aug 2022 14:30
A number of damning allegations regarding the state of Twitter's cyber security practices and policies could spell trouble ahead for the social media platform, raising the chance of investigations and sanctions from regulatory authorities and governments.
The bombshell disclosures were made in a filing to the US Securities and Exchange Commission (SEC) that runs to over 80 pages, copies of which were obtained by CNN and The Washington Post.
The whistleblower, Peiter "Mudge" Zatko, was formerly Twitter's head of security and reported to the CEO, Parag Agrawal. Zatko is a well-known ethical hacker and a prominent figure in the cyber security community, having played a pivotal role in much of the sector's early development as a member of groups including L0pht and Cult of the Dead Cow.
He joined Twitter under the tenure of Agrawal's predecessor, platform founder Jack Dorsey, to help address the platform's security problems following a 2020 cyber attack that saw cryptocurrency scammers access prominent accounts, including those of Jeff Bezos, Bill Gates and Elon Musk, but his employment was terminated in early 2022.
Zatko claims he is breaking his silence now after having unsuccessfully tried to get Twitter to fix its problems. He said he was obstructed and discouraged from presenting accurate information to the organisation's board of directors by Agrawal and others.
In the disclosure, which was also delivered to the US Congress and other agencies of the US government in July, Zatko described an organisation riddled with bad security practices and mismanagement, one that allowed too many insiders unfettered access to critical data and platform features.
Zatko accused Twitter of trying to hide a litany of serious vulnerabilities, misleading its board and regulators and effectively leaving the door open to malicious interference from cyber criminals and nation state intelligence services. Indeed, he suggested, there may currently be hostile spies on its payroll.
He went on to claim that the platform has been misleading users who have cancelled their accounts into believing their data has been deleted, when this is not the case.
From a technical perspective, Zatko further alleged that Twitter still runs on ageing, outdated server infrastructure that lacks adequate protections and is rarely patched, and has substandard protection and procedures in place to recover datacentres from unplanned outages.
He also said the organisation had failed to get to grips with the number of bots using the platform and was not particularly motivated to do so. This matter was a decisive factor in Elon Musk's withdrawal from his bid to buy Twitter, which is now the subject of legal action.
Responding to Zatko's allegations in a widely circulated statement, Twitter said Zatko was fired in January 2022 for ineffective leadership and poor performance.
"What we've seen so far is a false narrative about Twitter and our privacy and data security practices that's riddled with inconsistencies and inaccuracies and lacks important context," said a spokesperson.
"Mr Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be."
In a note to staffers shared via Twitter itself, Agrawal echoed this statement, adding: "We will pursue all paths to defend our integrity as a company and set the record straight."
US senators Dick Durbin of Illinois and Chuck Grassley of Iowa, who sit on the Senate Judiciary Committee and were copied in to the report, said Zatko's allegations warranted further investigation to get to the bottom of the problem.
Grassley told CNN that the combination of massive amounts of data, weak security infrastructure and vulnerability to hostile nation state actors was a recipe for disaster. He said Zatko's claims raised serious national security concerns for the US.
A third senator, Richard Blumenthal of Connecticut, said he had written to the Federal Trade Commission (FTC) urging it to investigate. The FTC previously investigated Twitter over allegations that it misled consumers on the security of its service, and in 2011 reached a settlement with the firm under which it was barred from misleading consumers about the extent to which it protects the security, privacy and confidentiality of non-public consumer information. Zatko's complaint appears to suggest Twitter has breached this settlement.
Meanwhile, security community members also came to Zatko's defence and pushed back against Twitter's rebuttals. Among them was Aaron Turner, CTO for software-as-a-service (SaaS) products at threat detection specialist Vectra.
"I've known Mudge since his days at Cult of the Dead Cow," said Turner. "When I was at Microsoft, he and the @stake team helped us fundamentally improve our security strategy and tactics. As I've worked across government projects over the last 20 years, I'd say that his work at Darpa made a big change in the way that the government approached cyber security."
"He has always had the highest level of integrity and also adheres to the highest technical standards of development and operation of systems. If Mudge says that Twitter has cyber security problems, Twitter has some big problems."
Turner, who coordinated research into the 2020 crypto scam incident at Twitter, said he himself had come to the conclusion that Twitter did not have appropriate privileged user management controls, or separation of duty policies for developers and sysadmins.
"If Mudge's disclosure is correct, that Twitter has a significant system hygiene problem combined with user management controls and policies, then Twitter's entire platform is at risk of compromise," he added.
Daniel Thanos, vice-president of research and development at Arctic Wolf, also spoke in support of Zatko, saying: "Mudge is a highly trusted and respected leader in the cyber security community and his comments should not be taken lightly."
According to Thanos, the Twitter allegations showcase a similar pattern seen with other social media companies battling their security and privacy demons. Unfortunately, he said, there are too many instances where social media companies brush these issues under the carpet and fail to address them transparently.
"All of these events have proven that self-policing is not going to work any longer," he said. "These social media entities are behaving as publishers now, which requires a high level of public trust. With that comes certain security and transparency responsibilities that are clearly not being met."
"Twitter has the same insider threats as many other companies. Because it has become a vital source of information, it must make sure its internal security controls maintain the highest level of security and privacy. That is absolutely fundamental because of the trust users are placing in it."
Ed Hunter, CISO at cloud security firm Infoblox, added: "These organisations are often confronted with balancing an expanded security apparatus and a scalable revenue-generating product. Most of the shortcomings are readily addressable through various integrated security technologies that grow with the revenue-generating production environment, including visibility of all assets on the network and where they're communicating."
But such issues are not just confined to the social media sphere. As any regular observer of the cyber security news cycle will be keenly aware, a lack of basic security hygiene, and even wilful neglect of best practice, is all too common.
For instance, Julia O'Toole, CEO of access management specialist MyCena, said some of Zatko's allegations should prompt others to realise they are badly out of step when it comes to data protection. She said: "Organisations must begin to realise they are responsible for their data and have a duty to keep it safe. However, by allowing employees to create their own passwords and passkeys to access critical data, they are losing that control."
"No organisation ever allows employees to make their own keys to access a physical office, yet they allow employees to create their digital keys to access their data, which is undoubtedly their most valuable asset today. We have to address this vulnerability to truly improve security."
Thanos said the incident also showed how important it is for security leaders at any organisation to have an open and honest reporting and governance relationship with the board that internal stakeholders cannot compromise. He said Zatko's allegations of interference from senior Twitter figures should give everyone cause for concern.
"Mudge was hired to do a job by the previous CEO on this issue and on the insider threat problem, but the patterns of interference that many transformational CISOs face appear to have all been exhibited here," he said. "Anyone who cares about the mission we are on as a security community would want to see Mudge prevail for the good of the whole industry."