Twitter whistleblower testifies to Senate of serious security holes

Twitter’s former security chief, Peter “Mudge” Zatko testified before a Senate committee on Tuesday that his former employer prioritized profits over addressing security concerns that he said put user information at risk of falling into the wrong hands.

“It is not out of the question to say that an employee within the company can take over the accounts of all the senators in this room,” Zatko told members of the Senate Judiciary Committee, less than a month after the whistleblower complaint was announced.

Zatko testified that Twitter lacks basic security measures and takes a permissive approach to employee access to data, which exposes the platform to significant risk. As he wrote in his complaint, Zatko said he believed an agent of the Indian government had managed to become an employee of the company, an example of the consequences of lax security practices.

Peter “Mudge” Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee on Twitter’s data security, on Capitol Hill, September 13, 2022 in Washington, DC.

Kevin Deitch | Getty Images

The testimony adds fuel to lawmakers’ criticism that major tech platforms place revenue and growth targets over user protection. While many companies have flaws in their security systems, Twitter’s unique position as a de facto public square has amplified Zatko’s findings, which have taken on added significance given the legal dispute between Twitter and Elon Musk.

Musk sought to buy the company for $44 billion, but then tried to back out of the deal, claiming that Twitter should have been more forthcoming about how it calculated the percentage of spam accounts. The judge in the case recently ruled that Musk could amend his counterclaims to include the issues raised by Zatko.

A Twitter spokesperson questioned Zatko’s testimony and said the company uses access controls, background checks, and monitoring and detection systems to control access to data.

“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with contradictions and inaccuracies,” the spokesperson said in a statement, adding that the company’s hiring is independent of foreign influence.

Following are the main points of Zatko’s testimony.

Lack of control over data

The Twitter logo appears on the screen of a Redmi phone in this photo illustration in Warsaw, Poland on August 23, 2022.

NurPhoto | Getty Images

According to Zatko, Twitter’s systems are so disorganized that the platform cannot be sure if users’ data has been completely deleted. That’s because Twitter hasn’t tracked where all this data is stored.

“They don’t know what data they have, where it lives or where it came from, so, unsurprisingly, they can’t protect it,” Zatko said.

Karim Hijazi, CEO of cyber-intelligence company Prevailion, said large organizations like Twitter often experience “infrastructure drift”: as people come and go, different systems end up neglected.

“It tends to be a bit like someone’s garage over time,” said Hijazi, who previously served as director of intelligence at Mandiant, which is now owned by Google. “The problem now is, unlike a garage where you can go in and you can start to disassemble it systematically… you can’t simply scan the database because it’s a patchwork jumble of new information and old information.”

Hijazi said that removing some parts without knowing whether they were critical pieces would risk breaking the broader system.

But security experts were surprised by Zatko’s testimony that Twitter didn’t even have a staging environment for testing updates: an intermediate step between development and production where engineers can work out problems with their code before it goes live.

“It was very surprising for a big tech company like Twitter not to have the basics,” Hijazi said. “Even the world’s smallest micro-startup that started seven and a half weeks ago has development, staging and production environments.”

“It would be shocking to me” if it is true that Twitter does not have a staging environment, said Chris Lehman, CEO of SafeGuard Cyber and a former vice president at FireEye.

He said that “more mature organizations” take this step to keep changes from breaking the live site.

“Without a staging environment, you create more opportunities for errors and problems,” Lehman said.

Extensive employee access to user information

An employee silhouette appears below the Twitter Inc logo.

David Paul Morris | Bloomberg | Getty Images

Zatko said that not understanding where the data lives also means employees have far more access to Twitter’s systems than they should.

“It doesn’t matter who has the keys if you don’t have any locks on the doors,” Zatko said.

Zatko claimed that engineers, who make up a large part of the company, are given access to Twitter’s live production environment by default. That kind of access, he said, should be restricted to a much smaller group.

Hijazi and Lehman said that because so many employees have access to critical information, the company is exposed to threats such as bribery and account compromise.
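As an added illustration of the point above (the editor’s own example, not code from the article or from Twitter), the following Python compares the access model Zatko criticises, in which every engineer can reach production by default, with a default-deny model in which production access comes only from a standing team role or a justified, time-bound grant, and every decision is written to an audit trail. The roster, system names, teams, grant reasons and timestamps are all constructed.

```python
"""Production-access policy: "engineers allowed by default" versus default-deny
with role-scoped and time-bound grants. All employees, systems and grants below
are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

PROD_SYSTEMS = {"user-db", "tweet-store", "auth-service"}  # constructed names


@dataclass(frozen=True)
class Employee:
    name: str
    team: str


@dataclass(frozen=True)
class Grant:
    """A justified, time-bound grant for one person on one system."""
    employee: str
    system: str
    reason: str
    expires: datetime


@dataclass
class AccessPolicy:
    # True reproduces the criticised model: anyone on an engineering team gets
    # production access by default. False is the hardened, default-deny model.
    engineers_allowed_by_default: bool
    team_grants: Dict[str, Set[str]] = field(default_factory=dict)  # team -> systems
    grants: List[Grant] = field(default_factory=list)
    audit: List[Tuple[str, str, str, bool, str]] = field(default_factory=list)

    def check(self, emp: Employee, system: str, now: datetime) -> bool:
        """Decide one access request and record the decision and its basis."""
        if self.engineers_allowed_by_default and emp.team.startswith("eng-"):
            allowed, basis = True, "default-allow"
        elif system in self.team_grants.get(emp.team, set()):
            allowed, basis = True, f"team:{emp.team}"
        else:
            live = [g for g in self.grants
                    if g.employee == emp.name and g.system == system and g.expires > now]
            allowed = bool(live)
            basis = f"grant:{live[0].reason}" if live else "deny"
        self.audit.append((now.isoformat(), emp.name, system, allowed, basis))
        return allowed


def exposure(policy: AccessPolicy, roster: List[Employee], now: datetime) -> Set[str]:
    """Names of everyone who can reach at least one production system."""
    return {e.name for e in roster
            if any(policy.check(e, s, now) for s in sorted(PROD_SYSTEMS))}


# Constructed roster: four engineers, one SRE on the on-call team, one recruiter.
ROSTER = [
    Employee("alice", "eng-timeline"),
    Employee("bob", "eng-ads"),
    Employee("carol", "eng-search"),
    Employee("dave", "eng-mobile"),
    Employee("erin", "sre"),
    Employee("frank", "recruiting"),
]
NOW = datetime(2022, 9, 13, 10, 0)

# Weak setting: every engineer reaches production simply by being an engineer.
WEAK = AccessPolicy(engineers_allowed_by_default=True,
                    team_grants={"sre": set(PROD_SYSTEMS)})

# Hardened setting: standing access only for the on-call team, everyone else
# needs a recorded reason and an expiry.
HARDENED = AccessPolicy(
    engineers_allowed_by_default=False,
    team_grants={"sre": set(PROD_SYSTEMS)},
    grants=[
        # break-glass for an incident (constructed ticket id), expires in two hours
        Grant("alice", "tweet-store", "INC-4711 data-loss investigation",
              NOW + timedelta(hours=2)),
        # a grant from an old migration that was never revoked but has expired
        Grant("bob", "user-db", "migration 2021", NOW - timedelta(days=400)),
    ],
)


def compare() -> Tuple[Set[str], Set[str]]:
    """Who can reach production under the weak and the hardened policy."""
    return exposure(WEAK, ROSTER, NOW), exposure(HARDENED, ROSTER, NOW)


if __name__ == "__main__":
    weak, hard = compare()
    print("default-allow:", sorted(weak))   # every engineer plus the SRE team
    print("default-deny: ", sorted(hard))   # SRE team plus one break-glass grant
    for row in HARDENED.audit:
        print(row)
```

The audit rows are the part a detection team cares about: under the hardened policy every production access resolves to a named basis (a team role or a grant with a reason), so an analyst can ask "why could this person read the user database at this time?" and get an answer, which the default-allow model cannot give.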

US regulators don’t scare companies into complying

The headquarters of the Federal Trade Commission in Washington, DC

Kenneth Kiznowski/CNBC

Zatko testified that the one-off fines that often result from settlements with US regulators such as the Federal Trade Commission are not enough to spur stronger security practices.

Zatko told Senator Richard Blumenthal, Democrat of Connecticut, that a $150 million settlement like the one Twitter reached with the Federal Trade Commission in May, over allegations that it misrepresented how it used contact information to target ads, would not be enough to deter the company from poor security practices.

He said the company would be more concerned about European regulators, who could impose more lasting remedies.

“While I was there, the concern was really about a lot more, or whether it would pose a broader corporate restructuring risk,” Zatko said. “But that amount wouldn’t have been a cause for concern while I was there.”


Zatko and other security experts said that despite the flaws, users shouldn’t necessarily feel compelled to delete their account.

“People can always just choose to disconnect,” Lehman said. “But the reality is that social media platforms are platforms for dialogue. It is the new town square. This serves the public good. I think it would be bad if people stopped using them.”

Hijazi said there was no point in hiding.

“It is impossible in this day and age,” he said. “However, I think being naive to believe that these organizations actually have this under control and that your information is already secured is wrong.”
