Wednesday, August 24, 2022

Whistleblower accuses Twitter of being 'grossly negligent' towards security


Mariella Moon
·Contributing Reporter
Tue, August 23, 2022 

Dado Ruvic / reuters


Peiter "Mudge" Zatko, Twitter's former head of security, says the company has misled regulators about its security measures in his whistleblower complaint that was obtained by The Washington Post. In his complaint filed with the Securities and Exchange Commission, the Department of Justice and the Federal Trade Commission, he accuses the company of violating the terms it had agreed to when it settled a privacy dispute with the FTC back in 2011. Twitter, he says, has "extreme, egregious deficiencies" when it comes to defending the website against attackers.

As part of that FTC settlement, Twitter had agreed to implement and monitor security safeguards to protect its users. However, Zatko says half of Twitter's servers are running out-of-date and vulnerable software and that thousands of employees still have wide-ranging internal access to core company software, which had previously led to huge breaches. If you'll recall, bad actors were able to commandeer the accounts of some of the most high-profile users on the website in 2020, including Barack Obama's and Elon Musk's, by targeting employees for their internal systems and tools using a social engineering attack.

It was after that incident that the company hired Zatko, who used to lead a program on detecting cyber espionage for DARPA, as head of security. He argues that security should be a bigger concern for the company, seeing as it has access to the email addresses and phone numbers of numerous public figures, including dissidents and activists whose lives may be in danger if they are doxxed.

The former security head wrote:

"Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.

In addition, Zatko has accused Twitter of prioritizing user growth over reducing spam by distributing bonuses tied to increasing the number of daily users. The company isn't giving out any bonuses directly tied to reducing spam on the website, the complaint said. Zatko also claims that he could not get a direct answer from Twitter regarding the true number of bots on the platform. Twitter has only been counting the bots that can view and click on ads since 2019, and in its SEC reports since then, its bot estimates has always been less than 5 percent.

Zatko wanted to know the actual number of bots across the platform, not just the monetizable ones. He cites a source who allegedly said that Twitter was wary of determining the real number of bots on the website, because it "would harm the image and valuation of the company." Indeed his revelation could factor into Twitter's legal battle against Elon Musk after the executive started taking steps to back out of his $44 billion takeover. Musk accused Twitter of fraud for hiding the real number of fake accounts on the website and revealed that his analysts found a much higher bot count than Twitter claimed. As The Post notes, though, Zatko provided limited hard documentary evidence regarding spam and bots, so it remains unclear if it would help Musk's case.

When asked why he filed a whistleblower complaint — he's being represented by the nonprofit law firm Whistleblower Aid — Zatko replied that he "felt ethically bound" to do so as someone who works in cybersecurity. Twitter spokesperson Rebecca Hahn, however, denied that the company doesn't make security a priority. "Security and privacy have long been top companywide priorities at Twitter," she said, adding that Zatko's allegations are "riddled with inaccuracies." She also said that Twitter fired Zatko after 15 months "for poor performance and leadership" and that he now "appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders."

Shortly after the Post published its initial report, Senate and Congressional committee leaders announced they were already investigating Zatko's claims. The offices of Senate Judiciary Committee chair Dick Durbin the committee's ranking member Chuck Grassley said they've already had discussions with Zatko. "The whistleblower’s allegations of widespread security failures at Twitter, willful misrepresentations by top executives to government agencies and penetration of the company by foreign intelligence raise serious concerns," Durbin wrote earlier today on Twitter.

Update: 8/23/22, 12:10PM ET: This story has been updated with the news that members of Congress have already begun investigating Zatko's claims about Twitter.

5 takeaways from Twitter whistleblower Peiter Zatko


The logo for Twitter appears above a trading post on the floor of the New York Stock Exchange, Nov. 29, 2021. Startling new revelations from Twitter's former head of security, Peiter Zatko, have raised serious new questions about the security of the platform's service, its ability to identify and remove fake accounts, and the truthfulness of its statements to users, shareholders and federal regulators. 
(AP Photo/Richard Drew, File)


SAN FRANCISCO (AP) — Startling new revelations from Twitter’s former head of security, Peiter Zatko, have raised serious new questions about the security of the platform’s service, its ability to identify and remove fake accounts, and the truthfulness of its statements to users, shareholders and federal regulators.

Zatko — better known by his hacker handle “Mudge” — is a respected cybersecurity expert who first gained prominence in the 1990s and later worked in senior positions at the Pentagon’s Defense Advanced Research Agency and Google. Twitter fired him from the security job early this year for what the company called “ineffective leadership and poor performance.” Zatko’s attorneys say that claim is false.

In a whistleblower complaint made public Tuesday, Zatko documented his uphill 14-month effort to bolster Twitter security, boost the reliability of its service, repel intrusions by agents of foreign governments and both measure and take action against fake “bot” accounts that spammed the platform. In a statement, Twitter called Zatko’s description of events “a false narrative.”

Here are five takeaways from that whistleblower complaint.

TWITTER’S SECURITY AND PRIVACY SYSTEMS WERE GROSSLY INADEQUATE

TWITTER INC



In 2011, Twitter settled a Federal Trade Commission investigation into its privacy practices by agreeing to put stronger data security protections in place. Zatko’s complaint charges that Twitter’s problems grew worse over time instead.

For instance, the complaint states, Twitter’s internal systems allowed far too many employees access to personal user data they didn’t need for their jobs — a situation ripe for abuse. For years, Twitter also continued to mine user data such as phone numbers and email addresses — intended only for security purposes — for ad targeting and marketing campaigns, according to the complaint.

TWITTER’S ENTIRE SERVICE COULD HAVE COLLAPSED IRREPARABLY UNDER STRESS

One of the most striking revelations in Zatko’s complaint is the claim that Twitter’s internal data systems were so ramshackle — and the company’s contingency plans so insufficient — that any widespread crash or unplanned shutdown could have tanked the entire platform.

The concern was that a “cascading” data-center failure could quickly spread across Twitter’s fragile information systems. As the complaint put it: “That meant that if all the centers went offline simultaneously, even briefly, Twitter was unsure if they could bring the service back up. Downtime estimates ranged from weeks of round-the-clock work, to permanent irreparable failure.”

TWITTER MISLED REGULATORS, INVESTORS AND MUSK ABOUT FAKE “SPAM” BOTS

In essence, Zatko’s complaint states that Tesla CEO Elon Musk — whose $44 billion bid to acquire Twitter is headed for October trial in a Delaware court — is correct when he charges that Twitter executives have little incentive to accurately measure the prevalence of fake accounts on the system.

The complaint charges that the company’s executive leadership practiced “deliberate ignorance” on the subject of these so-called spam bots. “Senior management had no appetite to properly measure the prevalence of bot accounts,” the complaint states, adding that executives were concerned that accurate bot measurements would harm Twitter’s “image and valuation.”

ON JAN. 6, 2021, TWITTER COULD HAVE BEEN AT THE MERCY OF DISGRUNTLED EMPLOYEES

Zatko’s complaint states that as a mob assembled in front of the U.S. Capitol on Jan. 6, 2021, eventually storming the building, he began to worry that employees sympathetic to the rioters might try to sabotage Twitter. That concern spiked when he learned it was “impossible” to protect the platform’s core systems from a hypothetical rogue or disgruntled engineer aiming to wreak havoc.

“There were no logs, nobody knew where data lived or whether it was critical, and all engineers had some form of critical access” to Twitter’s core functions, the complaint states.

A PLAYGROUND FOR FOREIGN GOVERNMENTS

The Zatko complaint also highlights Twitter’s difficulty in identifying — much less resisting — the presence of foreign agents on its service. In one instance, the complaint alleges, the Indian government required Twitter to hire specific individuals alleged to be spies, and who would have had significant access to sensitive data thanks to Twitter’s own lax security controls. The complaint also alleges a murkier situation involving taking money from unidentified “Chinese entities” that then could access data that might endanger Twitter users in China.

No comments: