Did Twitter ignore basic security measures? | Kiowa County Press

Peiter “Mudge” Zatko was Twitter’s chief security officer. What he claims to have found there is a security nightmare. Photo by Matt McClain/The Washington Post via Getty Images

Richard Forno, University of Maryland, Baltimore County

Former Twitter security chief Peiter “Mudge” Zatko filed a whistleblower complaint with the Securities and Exchange Commission in July 2022, accusing the microblogging platform company of serious security flaws. The accusations amplified the ongoing drama over Twitter’s potential sale to Elon Musk.

Zatko spent decades as an ethical hacker, private researcher, government adviser and executive in some of the most important internet companies and government offices. He is practically a legend in the cybersecurity industry. Because of his reputation, when he speaks, people and governments normally listen – underscoring the seriousness of his complaint against Twitter.

As a former cybersecurity industry practitioner and current cybersecurity researcher, I think Zatko’s most damning accusations relate to Twitter’s alleged failure to have a strong cybersecurity plan to protect user data, deploy internal controls to guard against insider threats, and ensure that company systems were up-to-date and properly maintained.

Zatko also alleged that Twitter executives weren’t very forthcoming about cybersecurity incidents on the platform when briefing regulators and the company’s board. He claimed that Twitter prioritized user growth over spam reduction and other unwanted content that poisoned the platform and harmed the user experience. His complaint also expressed concerns about the company’s business practices.

CNN interviewed Twitter whistleblower Peiter “Mudge” Zatko.

Alleged security flaws

Zatko’s allegations paint a disturbing picture not only of the cybersecurity state of Twitter as a social media platform, but also of Twitter’s security awareness as a company. Both of these points are relevant given Twitter’s position in global communications and the ongoing fight against online extremism and disinformation.

Perhaps the most significant of Zatko’s allegations is his claim that nearly half of Twitter employees have direct access to Twitter user data and source code. Proven cybersecurity practices do not allow that many people to hold this level of “root” or “privileged” permission to access sensitive systems and data. If true, it means that Twitter could be exploited either from the inside or by outside adversaries aided by insiders who may not have been properly vetted.

Zatko also alleges that Twitter’s data centers may not be as secure, resilient or reliable as the company claims. He felt that almost half of Twitter’s 500,000 servers worldwide lack basic security controls such as running up-to-date, vendor-supported software or encrypting the user data stored there. He also noted that the company’s lack of a robust business continuity plan means that if several of its data centers fail due to a cyber incident or other disaster, it could lead to an “existential business end event.”

These are just some of the claims made in Zatko’s complaint. If these claims are true, Twitter has failed Cybersecurity 101.

Concerns about foreign government interference

Zatko’s allegations could also present a national security concern. Twitter has been used in recent years to spread misinformation and propaganda around global events such as the pandemic and national elections.

For example, Zatko’s report said that the Indian government forced Twitter to hire government agents, who would have access to large amounts of Twitter’s sensitive data. In response, India’s sometimes hostile neighbor Pakistan accused India of attempting to infiltrate Twitter’s security system “with the aim of restricting fundamental freedoms.”

Given Twitter’s global footprint as a communications platform, other countries such as Russia and China may require the company to hire their own government officials as a condition of allowing it to operate in their territory. Zatko’s allegations regarding Twitter’s internal security raise the possibility that criminals, activists, hostile governments or their supporters may seek to exploit Twitter’s systems and user data by recruiting or blackmailing its employees – a national security concern.

Worse, Twitter’s own information about its users, their interests, and the people they follow and interact with on the platform could make it easier to target users for disinformation campaigns, blackmail or other nefarious purposes. Such foreign targeting of major corporations and their employees has been a major counterintelligence concern in the national security community for decades.

Members of opposition parties in India are protesting their leader’s temporary Twitter ban. The whistleblower’s allegations include Twitter’s acquiescence to Indian government demands that the company employ government agents. Anadolu Agency via Getty Images

Fallout

Regardless of the outcome of Zatko’s complaint to Congress, the SEC, or other federal agencies, it already figures in Musk’s latest legal filings as he tries to back out of his purchase of Twitter.

Ideally, in light of these disclosures, Twitter will take corrective action to improve the company’s cybersecurity systems and practices. A good first step the company could take is to review and limit root access to its systems, source code, and user data to the minimum necessary. The company must also ensure that its production systems are kept up to date and that it is effectively prepared to deal with any type of emergency without significantly disrupting its global operations.

From a broader perspective, Zatko’s complaint underscores the critical and sometimes uncomfortable role that cybersecurity plays in modern organizations. Cybersecurity professionals like Zatko understand that no company or government agency likes publicity for cybersecurity issues. They tend to think long and hard about whether and how to raise cybersecurity issues like these – and what the potential ramifications might be. In this case, Zatko says his revelations reflect “the job he was hired to do” as head of security for a social media platform that he says “is essential to democracy.”

For companies like Twitter, bad cybersecurity news often translates into a public relations nightmare that could affect stock prices and market standing, not to mention attract the interest of regulators and lawmakers. For governments, such revelations can lead to a lack of trust in the institutions created to serve society, in addition to potentially creating distracting political noise.

Unfortunately, how cybersecurity issues are discovered, disclosed, and addressed remains a difficult and sometimes contentious process, with no easy solution for cybersecurity professionals and organizations alike.

The Conversation

Richard Forno, Lecturer in Computer Science and Electrical Engineering, University of Maryland, Baltimore County

This article is republished from The Conversation under a Creative Commons license. Read the original article.
