Security Industry Rallies Behind Twitter Whistleblower

It probably isn’t a surprise to any skeptics of the security practices of social media platforms—or who specifically remember Twitter’s previous security mishaps, including the hack of high-profile blue-check accounts—that Twitter’s cybersecurity practices are less than stellar and may even leave the platform open to attacks by nation-states. This, according to a former Twitter security executive who decided to blow the whistle on the firm recently courted by Elon Musk.

Peiter Zatko, famously known in hacker circles as Mudge, outed his former employer in an 84-page whistleblower complaint to the SEC, the Federal Trade Commission (FTC) and the Justice Department that detailed Twitter’s security shortcomings and alleged that employees could access core software. Zatko, who was fired in January, accused the social media platform of deceiving regulators about the strength of its security measures against both hackers and spam.

“The news is unsurprising given the size of Twitter and the source of the complaint. The larger an organization is, the more difficult it is to address technical debt and security issues,” said Andrew Hay, COO at LARES Consulting. “Unfortunately, with such a highly visible and prolific platform like Twitter, it sounds as though the executive risk tolerance for security and privacy issues was so artificially inflated that even critical security issues were not raised to the necessary visibility required.”

Sen. Chuck Grassley, R-Iowa, a member of the Senate Judiciary Committee, expressed concern over what he said are the national security implications of the allegations. “Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Grassley said in a statement.

Musk, who is embroiled in a battle of lawsuits with Twitter after rescinding an offer to buy the company, seemed to take delight in the revelations, which might strengthen his case that the social media company was not forthcoming about certain details like the number of spam accounts hosted on the platform. As news of the whistleblower complaint came to light, Musk tweeted a meme featuring Jiminy Cricket and the words “Give a Little Whistle.”

Twitter has taken issue with the complaint, casting Mudge as ineffective and with an ax to grind after he was ousted earlier this year.

“We are reviewing the redacted claims that have been published but what we have seen so far is a false narrative that is riddled with inconsistencies and inaccuracies,” Twitter CEO Parag Agrawal wrote in a memo to employees.

But Bugcrowd founder and CTO Casey Ellis and LARES Consulting’s Hay, like many other security experts, cited Zatko’s storied history and character as a reason to take his claims seriously. “Mudge has a long and rock-solid reputation of putting integrity first. He’s also one of those infosec elders who rarely stick their neck out to make a fuss, but when they do it’s almost certainly worth paying attention to—this dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time,” said Ellis.

“Mudge has been a trusted name in security and privacy since the early 1990s when he was with L0pht,” said Hay. “Those in the industry who know Mudge know that his intentions have historically been honorable, non-partisan and designed to benefit the world. Nothing that I have seen or heard would indicate otherwise.”

Aaron Turner, CTO, SaaS Protect at Vectra, said he’s “known Mudge since his days at Cult of the Dead Cow.” When Turner was at Microsoft, Mudge “and the @stake team helped [the company] fundamentally improve [its] security strategy and tactics,” Turner said.

“As I’ve worked across government projects over the last 20 years, I would say that his work at DARPA made a significant difference in the way that the U.S. government approached cybersecurity,” he explained. “He has always had the highest level of integrity and also adheres to the highest technical standards of development and operation of systems. If Mudge says that Twitter has cybersecurity problems, Twitter has some big problems.”

Mudge’s impressive past has many in the security industry on his side or at least paying attention. “Judging by the way the infosec community has closed ranks around him this morning, others clearly feel the same way,” said Ellis. “Infosec doesn’t suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves.”

Drawing from research he coordinated after the 2020 Twitter incident, Turner said, “it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems. If Mudge’s disclosure is correct that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter’s entire platform is at risk of compromise.”

Companies using Twitter “should audit their security settings,” require 2FA, limit access and the like, ESET Chief Security Evangelist Tony Anscombe said, adding that the complaint could be a blessing. “When a whistleblower makes a statement such as this, you could view it as a positive moment for cybersecurity,” he said. “If the claims are unfounded, the company will likely enlist an external audit team to validate this, which always leads to the company identifying areas for improvement.”

If the claims are true, Anscombe said, it could be a “win-win for Twitter users” as the company rushes “to resolve the issue to show compliance.”

And while Ellis “can’t speak to the specifics of the disclosures,” he is pleased to see this incident prompting a discussion around the critical infrastructure characteristics of social media platforms and the implications this has on national security and privacy—especially as the midterms in the U.S. get underway and the country sets itself up for the 2024 election.

Acknowledging that “this categorization as critical infrastructure is something Twitter and other social platforms would probably rather avoid,” Ellis said, “it is a conversation we need to have.”

Of course, a big downside “is that disclosure, such as [Twitter’s] servers running out-of-date software, will have many hackers attempting to take advantage of this, thus causing a storm of potential attacks,” Anscombe added.

Pixabay image courtesy of Katja Just
https://pixabay.com/photos/bird-death-die-pain-nature-1683655/
(Pixabay license) 

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.