There is a chance that regulatory agencies and governments will look into and impose sanctions on Twitter as a result of a number of damning revelations about the company’s cybersecurity methods and regulations.
What are the claims regarding Twitter cybersecurity issues?
Peiter “Mudge” Zatko, the whistleblower, previously served as Twitter’s head of security and reported to CEO Parag Agrawal. Zatko is a well-known ethical hacker and a leading player in the cybersecurity field. As a member of organizations like L0pht and Cult of the Dead Cow, he helped shape much of the early development of the industry.
He joined Twitter during the administration of Agrawal’s predecessor, platform creator Jack Dorsey, to assist in addressing the platform’s security issues in the wake of a 2020 cyberattack in which prominent accounts, including those of Jeff Bezos, Bill Gates, and Elon Musk, were compromised by cryptocurrency scammers. However, his employment was terminated in early 2022.
Zatko says he is speaking up now after trying in vain to get Twitter to address its issues. He said that Agrawal and others prevented him from giving the organization’s board of directors accurate facts and discouraged him from doing so.
In the disclosure, which was also forwarded to the US Congress and other agencies of the US federal government in July, Zatko described an organization plagued by poor security practices and mismanagement, one that gave far too many insiders unrestricted access to crucial data and platform features.
Zatko accused Twitter of trying to hide a number of significant weaknesses and of deceiving its board and regulators, thereby opening the door to hostile activity from cybercriminals and nation-state spy agencies. In fact, he asserted, there might be adversarial spies working for the company right now.
He further asserted that the site had been deceiving customers into thinking their data had been wiped after they cancelled their accounts, when this was not necessarily the case.
On the technical side, Zatko further asserted that Twitter continues to run on aging, obsolete server infrastructure that is not patched, lacks proper security controls, and has shoddy mechanisms for restoring data centres after unanticipated outages.
Additionally, he claimed that the organization had little incentive to control the large number of bots using the site. This issue influenced Elon Musk’s decision to back out of his attempt to acquire Twitter, which is currently the subject of legal action.
Twitter responded to Zatko’s charges by claiming that Zatko was terminated in January 2022 due to “ineffective leadership and poor performance.”
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” stated a Twitter spokesperson.
“Mr Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Agrawal reaffirmed this in a message to employees distributed via Twitter, adding: “We will pursue all paths to defend our integrity as a company and set the record straight.”
US senators Dick Durbin of Illinois and Chuck Grassley of Iowa, who are members of the Senate Judiciary Committee and were copied on the report, said Zatko’s charges required further investigation to determine the truth.
Massive data sets, poor security measures, and exposure to adversarial nation-state actors, according to Grassley, are a “recipe for disaster.” He said that Zatko’s assertions raised serious questions about US national security.
A third senator, Richard Blumenthal of Connecticut, said he had written to the Federal Trade Commission (FTC) urging it to investigate the matter. The FTC had previously looked into claims that Twitter had misled customers about the security of its service, and under a 2011 settlement with the agency, Twitter was forbidden from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of non-public consumer information.” According to Zatko’s allegations, Twitter appears to have violated this agreement.
Zatko was also defended by members of the security community, who fought back against Twitter’s denials. Aaron Turner, the CTO for software-as-a-service (SaaS) solutions at threat detection expert Vectra, was one of them.
“I’ve known Mudge since his days at Cult of the Dead Cow. When I was at Microsoft, he and the @stake team helped us fundamentally improve our security strategy and tactics. As I’ve worked across government projects over the last 20 years, I would say that his work at DARPA made a significant difference in the way that the US government approached cybersecurity,” stated Turner.
“He has always had the highest level of integrity and also adheres to the highest technical standards of development and operation of systems. If Mudge says that Twitter has cybersecurity problems, Twitter has some big problems,” he added.
Turner, who oversaw Twitter’s investigation into the 2020 cryptocurrency scam, said that he had personally arrived at the conclusion that Twitter lacked the necessary privileged user management safeguards and the procedures governing the separation of duties between sysadmins and developers.
“If Mudge’s disclosure is correct, that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter’s entire platform is at risk of compromise,” he added.
The vice president of research and development at Arctic Wolf, Daniel Thanos, also defended Zatko, stating that Mudge is a well-known and respected pioneer in the field of cybersecurity and that his remarks should not be dismissed.
Thanos said that the allegations against Twitter fit a pattern common to other social media businesses experiencing security and privacy issues. He lamented that social media corporations far too frequently fail to confront these problems openly and instead sweep them under the rug.
“All of these events have proven that self-policing isn’t going to work anymore. These social media entities are behaving as publishers now, which requires a high level of public trust. With that comes certain security and transparency responsibilities that are clearly not being met,” he said.
“Twitter has the same insider threats as many other companies. Since it has become a vital source of information, it must make sure its internal security controls maintain the highest level of security and privacy. This is absolutely fundamental due to the trust users are placing in it,” he added.
“These organizations are often faced with balancing an expanded security apparatus and a scalable revenue-generating product. Many of the shortcomings are readily addressable through various integrated security technologies that grow with the revenue-generating production environment, including visibility of all assets on the network and where they’re communicating,” explained Ed Hunter, CISO at cloud security firm Infoblox.
However, these problems are not limited to the world of social media. Anyone who regularly follows the cybersecurity news cycle is well aware that poor security hygiene, and sometimes even purposeful disregard for best practices, are all too common.
For instance, according to Julia O’Toole, CEO of access management expert MyCena, some of Zatko’s accusations should make people realize how out of touch they are with data protection. “Organisations must begin to realize that they are responsible for their data and have a duty to keep it safe. However, by allowing employees to create their own passwords and passkeys to access critical data, they are losing that control,” she said.
“No organization ever allows employees to make their own keys to access a physical office, yet they allow employees to create their digital keys to access their data, which is undoubtedly their most valuable asset today. We need to address this vulnerability to truly improve security,” she added.
The incident, according to Thanos, also demonstrated how crucial it is for security leaders at any organization to maintain a direct line of communication with the board that other internal stakeholders cannot obstruct. He asserted that everyone should be concerned by Zatko’s claims of interference by senior Twitter figures.
“Mudge was hired to do a job by the previous CEO on this issue and on the insider threat problem, but the patterns of interference that many transformational CISOs face seem to have all been exhibited here. Anyone who cares about the mission we are on as a security community will want to see Mudge prevail for the good of the entire industry,” explained Thanos.