
Twitter whistleblower testifies to serious Senate security flaws

by SuperiorInvest

Peiter “Mudge” Zatko, Twitter’s former security chief, testifies before the Senate Judiciary Committee on Twitter’s data security on Capitol Hill, September 13, 2022 in Washington, DC.

Kevin Dietsch | Getty Images

Twitter’s former security chief Peiter “Mudge” Zatko testified before a Senate panel Tuesday that his former employer put profits ahead of solving security problems that he says put users’ information at risk of falling into the wrong hands.

“It’s not far-fetched to say that an employee inside a company could take over the accounts of every senator in this room,” Zatko told members of the Senate Judiciary Committee less than a month after his whistleblower complaint was made public.

Zatko testified that Twitter lacked basic security measures and gave employees broad, unrestricted access to data, opening the platform to major risks. As he wrote in his complaint, Zatko said he believed an agent of the Indian government had managed to become an employee of the company, an example of the consequences of lax security practices.

The testimony adds fuel to criticism from lawmakers that major tech platforms are putting revenue and growth goals ahead of user protection. While many companies have flaws in their security systems, Twitter’s unique position as a de facto public square amplified Zatko’s revelations, which took on particular significance given Twitter’s legal battles with Elon Musk.

Musk sought to buy the company for $44 billion, but then tried to back out of the deal, arguing that Twitter should have been more forthcoming about how it calculates its percentage of spam accounts. The judge in the case recently said Musk could revise his counterclaims to address the issues Zatko raised.

A Twitter spokesperson disputed Zatko’s testimony, saying the company uses access controls, background checks, and monitoring and detection systems to control access to data.

“Today’s hearing only confirms that Mr. Zatko’s allegations are full of inconsistencies and inaccuracies,” the spokesperson said in a statement, adding that the company’s hiring is independent of foreign influence.

Here are the key takeaways from Zatko’s testimony:

Lack of control over data

The Twitter logo is seen on the screen of a Redmi phone in this Aug. 23, 2022, photo illustration in Warsaw, Poland.

Nurphoto | Getty Images

According to Zatko, Twitter’s systems are so disorganized that the platform cannot say with certainty whether it has completely deleted a user’s data. That is because Twitter has not tracked where all of that data is stored.

“They don’t know what data they have, where it lives or where it comes from, and so, unsurprisingly, they can’t protect it,” Zatko said.

Karim Hijazi, CEO of cyber intelligence company Prevailion, said large organizations like Twitter often experience “infrastructure drift” as people come and go, and various systems are sometimes neglected.

“Over time it becomes a little bit like somebody’s garage,” said Hijazi, who previously served as director of intelligence at Mandiant, which is now owned by Google. “The problem now is that unlike a garage where you can go in and start taking it all apart in a sort of methodical way … you can’t just delete the database because it’s a patchwork of new and old information.”

Taking down some parts without being sure if they are critical parts could risk destroying the wider system, Hijazi said.

But security experts expressed surprise at Zatko’s testimony that Twitter did not even have a staging environment for testing updates, an intermediate step between development and production environments that lets engineers find problems with their code before it goes live.

“That was pretty surprising for a big tech company like Twitter to not have a foundation,” Hijazi said. “Even the tiniest little startups in the world that started seven and a half weeks ago have a development, work and production environment.”

Chris Lehman, CEO of SafeGuard Cyber and a former FireEye vice president, said that “it would be shocking to me” if it is true that Twitter does not have a staging environment.

He said “most mature organizations” take this step to avoid breaking systems on a live site.

“Without a work environment, you create more opportunities for mistakes and problems,” Lehman said.

Broad employee access to user information

A silhouette of the employee can be seen below the Twitter Inc. logo

David Paul Morris | Bloomberg | Getty Images

Zatko said the lack of understanding of where data lives means employees also have far more access to Twitter’s systems than they should.

“It doesn’t matter who has the keys if you don’t have any locks on the doors,” Zatko said.

Engineers, who make up a large part of the company, have access to Twitter’s live production environment by default, Zatko claimed. He said that kind of access should be limited to a much smaller group.

With so many employees having access to sensitive information, the company is exposed to threats such as bribery of insiders and account compromise by hackers, Hijazi and Lehman said.

US regulators don’t scare companies into compliance

Federal Trade Commission headquarters in Washington, DC

Kenneth Kiesnoski/CNBC

One-time fines, which often result from settlements with U.S. regulators such as the Federal Trade Commission, are not enough to incentivize stronger security practices, Zatko testified.

Zatko told Sen. Richard Blumenthal, D-Conn., that a settlement like the $150 million one Twitter reached with the FTC in May, over allegations that it misrepresented the way it used contact information to target ads, would not be enough to dissuade the company from poor security practices.

According to him, the company would be much more concerned about European regulators, who could impose a more permanent remedy.

“While I was there, it was really only a significantly higher amount,” Zatko said. “Or if it would be more of an institutional restructuring risk. But when I was there, I wouldn’t care too much about that amount.”

Despite these flaws, users should not necessarily feel compelled to delete their accounts, Zatko and other security experts said.

“People can always choose to just disconnect,” Lehman said. “But the reality is that social media platforms are platforms for dialogue. And they are the new square. That serves the public good. I think it would be wrong if people stopped using them.”

Hijazi said there was no point in hiding.

“That’s impossible these days,” he said. “However, I think being naive to believe that these organizations are really in control and really secure your information is a mistake.”
