A whistleblower complaint about the state of Twitter’s cyber security practice and policy could create problems for the social media platform, raising the possibility of investigations and sanctions from regulators and governments.
The whistleblower, Peiter “Mudge” Zatko, was previously Twitter’s head of security and reported to CEO Parag Agrawal. Zatko is a well-known ethical hacker and a prominent figure in the cyber security community, having pioneered the early development of the sector as a member of groups including L0pht and Cult of the Dead Cow.
He joined Twitter during the tenure of Agrawal’s predecessor, platform founder Jack Dorsey, to help address the platform’s security issues after the 2020 cyber attack that saw cryptocurrency scammers gain access to the accounts of prominent figures including Jeff Bezos, Bill Gates and Elon Musk, but he was let go in early 2022.
Zatko claims he is breaking his silence now after trying unsuccessfully to resolve the issues at Twitter. He said he was prevented and discouraged by Agrawal and others from presenting accurate information to the company’s board of directors.
In the disclosure, which was also sent to the US Congress and other US federal government agencies in July, Zatko described an organisation riddled with poor security practices and mismanagement, which allowed many insiders unfettered access to critical data and platform features.
Zatko accused Twitter of covering up a litany of serious vulnerabilities, misleading its board and regulators, and effectively leaving the door open to malicious interference by cyber criminals and state intelligence services. Indeed, he suggested, it may currently have foreign spies on its payroll.
He went on to claim that the platform was misleading users who canceled their accounts into believing that their data had been deleted, when this was not necessarily the case.
From a technical perspective, Zatko also alleged that Twitter still runs on ageing, outdated server infrastructure that lacks adequate security and is rarely patched, and that it has substandard safeguards and procedures for recovering its datacentres from unplanned outages.
He also said the company had failed to get to grips with the number of bots using the platform and was not particularly motivated to do so. This was a deciding factor in Elon Musk’s withdrawal from his bid to buy Twitter, which is now the subject of legal action.
Responding to Zatko’s allegations in a widely circulated statement, Twitter said Zatko was fired in January 2022 for “ineffective leadership and poor performance”.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data protection practices that is riddled with inconsistencies and inaccuracies and lacks important context,” a spokesperson said.
“Mr Zatko’s allegations and opportunistic timing are designed to attract attention and harm Twitter, its customers and shareholders. Security and privacy have long been a company-wide priority at Twitter and will continue to be so.”
In a notice to staff shared via Twitter, Agrawal echoed this statement, adding: “We will go all the way to protect our integrity as a company and set the record straight.”
US Senators Dick Durbin of Illinois and Chuck Grassley of Iowa, who sit on the Senate Judiciary Committee and were copied on the report, said Zatko’s allegations required further investigation to get to the bottom of the matter.
Grassley told CNN that the combination of vast amounts of information, poor security infrastructure and vulnerability to hostile nation-state actors was a “recipe for disaster”. He said Zatko’s claims raised serious national security concerns for the United States.
A third senator, Richard Blumenthal of Connecticut, said he had written to the Federal Trade Commission (FTC) to call for an investigation. The FTC previously investigated Twitter for allegedly misleading customers about the security of its service, and in 2011 reached a settlement under which the firm was barred from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of non-public consumer information”. Zatko’s complaint alleges that Twitter has violated that settlement.
Meanwhile, members of the security community also came to Zatko’s defence and pushed back against Twitter’s denial. Among them was Aaron Turner, SaaS CTO at threat detection specialist Vectra.
“I’ve known Mudge since his days in Cult of the Dead Cow,” Turner said. “When I was at Microsoft, he and the @stake team helped fundamentally improve our security strategies and tactics. I have worked across government projects for the past 20 years, and I must say that his work at DARPA has made a significant difference in the way the US government approaches cybersecurity.
“He always has the highest level of integrity and also adheres to the highest technical standards in systems development and management. If Mudge says Twitter has a cybersecurity problem, Twitter has some big problems.”
Turner, who coordinated research into the 2020 cryptocurrency scam at Twitter, said he had himself concluded that Twitter did not have appropriate privileged user management controls, or separation of duties policies for developers and sysadmins.
“If Mudge’s revelation is correct, that Twitter has a significant system hygiene issue combined with user management controls and policies, then Twitter’s entire platform is at risk of being compromised,” he added.
Daniel Thanos, vice-president of research and development at Arctic Wolf, also spoke in support of Zatko: “Mudge is a highly trusted and respected leader in the cyber security community and his comments should not be taken lightly.”
According to Thanos, the Twitter complaints show a pattern similar to the security and privacy demons other social media companies are grappling with. Unfortunately, he says, there are too many examples of social media companies brushing these issues under the carpet and failing to address them transparently.
“All these incidents have proven that self-policing will no longer work,” he said. “These social media companies are now behaving as publishers, which requires a high level of public trust. With this comes certain security and transparency responsibilities that are clearly not being met.
“Twitter, like many other companies, has insider threats. As it becomes a vital source of information, it must ensure that its internal security controls are maintained at the highest level of security and privacy. It’s fundamental, because users trust it.”
Ed Hunter, CISO at cloud security firm Infoblox, added: “These organisations are often faced with balancing an expansive security apparatus and a scalable revenue-generating product. Many of the flaws are easily remediable with a variety of integrated security technologies that grow with revenue-generating production environments, including visibility of all assets on the network and where they are communicating.”
But such problems are not limited to social media. As any regular observer of the cybersecurity news cycle will be acutely aware, a lack of basic security hygiene, or even a willful disregard for best practices, is all too common.
For example, Julia O’Toole, CEO of access management specialist MyCena, said some of Zatko’s allegations would prompt others to realise they are badly out of step with data protection. She said: “Organisations must understand that they are responsible for their data and have a responsibility to keep it secure. However, by allowing employees to create their own passwords and passkeys to access critical data, they are losing that control.
“No organization would ever allow employees to generate their own keys to access a physical office, yet they allow employees to generate their digital keys to access their data, which is undoubtedly their most valuable asset today. We need to address this vulnerability to truly improve security.”
Thanos said the incident also showed how important open and honest reporting and governance are for security leaders in any organisation, and that the relationship with the board is one that internal stakeholders cannot be allowed to compromise. Zatko’s allegations of interference by senior Twitter figures should be cause for concern, he said.
“Mudge was hired by the previous CEO to do a job on this issue and the insider threat problem, but the interference patterns many transitioning CISOs face seem to be on display here,” he said. “Anyone who cares about the mission we’re on as a security community will want to see Mudge win for the good of the entire industry.”