Former Twitter security chief Peiter “Mudge” Zatko filed a whistleblower complaint with the Securities and Exchange Commission in July 2022, alleging that the microblogging platform company had serious security flaws.
The accusations have amplified the ongoing drama about Twitter’s potential sale to Elon Musk.
Zatko has spent decades as an ethical hacker, private researcher, government adviser, and executive at some of the most prominent Internet companies and government agencies.
He is practically a legend in the cybersecurity industry. Because of his reputation, people and governments usually listen when he speaks.
As a former cybersecurity industry practitioner and current cybersecurity researcher, I think Zatko’s most egregious accusation is that Twitter failed to deploy internal controls to protect user data and guard against insider threats, that the company’s systems were not up to date, and that it had no solid cybersecurity plan to ensure they were updated appropriately.
Zatko also claimed that Twitter executives were less than proactive in disclosing cybersecurity incidents on the platform when briefing both regulators and the company’s board of directors.
He argued that Twitter prioritizes user growth over reducing spam and other unwanted content that pollutes the platform and undermines user experience.
His complaint also expressed concern about the company’s business practices.
Suspected security breach
Zatko’s allegations paint a disturbing picture not only of Twitter’s cybersecurity state as a social media platform, but also of Twitter’s security awareness as a company.
Both points are important given Twitter’s place in global communications and its continued fight against online extremism and disinformation.
Perhaps the most important of Zatko’s claims is that nearly half of Twitter’s employees have direct access to user data and Twitter’s source code.
Established cybersecurity practice does not allow this many people to hold “root” or “privileged” access to sensitive systems and data.
If this is true, it means that Twitter may be ripe for exploitation, whether by external adversaries aided by insiders who may not have been properly vetted, or from within.
Zatko also claims that Twitter’s data centers may not be as secure, resilient or reliable as the company claims.
He estimated that close to half of Twitter’s 500,000 servers worldwide lack basic security controls, such as running modern vendor-supported software and encrypting the user data stored on them.
He also said that the company’s lack of a robust business continuity plan could lead to a “real company doomsday event” if some of its data centers fail because of a cyber incident or other disaster.
These are just some of the allegations made in Zatko’s complaint. If his claims are true, Twitter has failed Cybersecurity 101.
Concern about foreign government interference
Zatko’s allegations may also point to national security concerns.
For example, Zatko’s report alleges that the Indian government forced Twitter to hire government agents who had access to Twitter’s vast amounts of sensitive data.
In response, India’s hostile neighbor Pakistan accused India of trying to infiltrate Twitter’s security system “to restrict fundamental freedoms.”
Given Twitter’s global footprint as a communication platform, it is possible that other countries, such as Russia and China, also require companies to hire their own government agents as a condition of allowing them to operate in their countries.
Zatko’s claims about Twitter’s internal security raise the possibility that criminals, activists, hostile governments, or their supporters may seek to exploit Twitter’s systems and user data, including by recruiting or blackmailing employees.
Worse, Twitter’s proprietary information about you, your interests, and the people you follow and interact with on the platform could facilitate disinformation campaigns, blackmail, or targeting for other malicious purposes.
Such foreign targeting of prominent companies and their employees has been a major counterintelligence concern in the national security community for decades.
Whatever the outcome of Zatko’s complaint before Congress, the SEC, or other federal agencies, it already features in the latest legal filings in which Musk seeks to back out of his Twitter acquisition.
Ideally, in light of these disclosures, Twitter will take corrective action to improve its cybersecurity systems and practices.
The first step the company should take is to review and limit who has root access to systems, source code, and user data to the bare minimum necessary.
The company also needs to keep its production systems up to date and effectively prepared to deal with emergencies of all kinds without significantly disrupting global operations.
From a broader perspective, Zatko’s complaint highlights the important and sometimes uncomfortable role cybersecurity plays in modern organizations.
Cybersecurity experts like Zatko understand that no business or government agency likes to publicize cybersecurity issues.
They tend to think long and hard about whether and how to raise such cybersecurity concerns, and what the potential implications are.
In this case, Zatko says the disclosure reflects “the job he was hired for” as the head of security for a social media platform he says is “important to democracy.”
For companies like Twitter, bad news about cybersecurity often creates a public relations nightmare that can affect their stock price and market position, not to mention attracting the attention of regulators and lawmakers.
For governments, such exposures can erode trust in the institutions set up to serve society and, moreover, can create distracting political noise.
Unfortunately, how cybersecurity issues are discovered, disclosed and handled remains a difficult and sometimes controversial process, with no easy solutions for either cybersecurity professionals or today’s organizations.
Editor’s Note: This article was written by Richard Forno, Senior Lecturer in Computer Science and Electrical Engineering, University of Maryland, Baltimore County, and is republished from The Conversation under a Creative Commons license. Read the original article.