Twitter’s cybersecurity whistleblower: What it means for the community
The recent whistleblower complaint from Twitter’s former head of security “Mudge,” aka Peiter Zatko, may be one of the most concrete examples yet of the disconnect between cybersecurity experts and executives in organizations.
The complaint, obtained by the Washington Post last week, accuses Twitter of various “egregious” security issues, including servers running out of-of-date software, lack of control around employees’ access to core company software and intentionally misleading directors about the company’s true security posture.
The issue of executives versus internal cybersecurity professionals can be complex, but it’s a discussion that needs to happen. In the case of Twitter, many security experts likely reacted to the news by simply crossing their arms and saying, “I knew it,” or “I’m not surprised.”
Should you pay the ransom?
We regularly go into these environments as consultants or outside experts. We see the disbelief on the faces of the internal security and IT teams when we state something is a security problem, and it appears that management listens for the first time — but only because it’s coming from an outsider. I’m not saying management only responds to outside experts, but I am saying that many cybersecurity professionals feel that is the case.
Congressional investigation into Twitter
Congress is planning to investigate the Twitter complaint, and who knows what that will uncover, as they have subpoena power matched by only a few other bodies in the world.
If they have true subject matter experts helping draft subpoenas to ensure the correct information is requested, it might become a much bigger problem for Twitter. However, if these things being exposed turn out to be true, it could be an overall positive for the community.
First, as with several other social media platforms, Twitter has reached a point of distribution where there is undoubtedly cause for national security alarm — if the platform’s internal security posture is as immature as Mudge’s complaint states.
But what’s more troubling are the claims of management misleading the world. This reminds me of the Equifax data breach. To refresh the reader’s memory, Equifax had a data breach in 2017, which at the time was the largest in history. It was caused by exploiting a well-known vulnerability in an application named Apache Struts. The head slapper was that this very vulnerability was identified months earlier during a penetration test, but it wasn’t patched in time. How do we know this happened? It all came out in the congressional hearing that followed the massive data breach. And that was a good thing. It’s possible there was someone inside Equifax saying, “I knew it was going to happen,” when the breach occurred — and clearly, someone inside Equifax had reported the critical Struts vulnerability that was eventually exploited.
Given the high-profile data breaches related to Twitter, especially the compromised political and celebrity accounts, there is now the possibility that Twitter may have been more responsible for those celebrity hacks than we initially thought. Many people assumed those celebrities were just social engineered out of their Twitter accounts. Maybe not.
One of the most disturbing claims is that Twitter state-sponsored threat actors or foreign intelligence operatives infiltrated Twitter. It’s hard to imagine an executive wanting to ignore that possibility or sweep it under the rug. I realize Twitter was (and is) in the middle of negotiating a buyout, but overlooking foreign intelligence footholds in their environment would be a big deal. This could have a lasting impact if it turns out to be true.
Are Mudge’s Twitter claims true?
Let’s examine the other side. What if Mudge is overstating some things — or everything? What if he really is a disgruntled employee making inaccurate claims after being fired, as a Twitter spokesperson suggested? If he is, that will come out in any follow-up investigations and tarnish his legendary status in the cybersecurity community.
Some of my first hacking knowledge came from reading his stuff in Phrack as a youngster. I followed him for years and used to dream of becoming a member of L0pht Heavy Industries, the hacker group he helped start that bought us some of the best hacking and cracking tools at the time. We still teach about LOphtcrack as a password cracker.
I don’t know Mudge personally, but from the outside, looking at his public persona for over 20 years, it doesn’t fit that he would make this up as a slight for being fired from an organization.
What’s next for Twitter?
I once worked on a case where we were vigorously trying to decrypt traffic that would prove the exfiltration of customer data had occurred. I briefed a group of executives, and one of them told me to stop the decryption operation until he told us to resume. They wanted time to get their PR together to form a statement before we decrypted the traffic and confirmed any customer data exposure, which would automatically put them under more specific reporting guidelines in their country. Once I learned their reason for the delay, I instantly felt dirty.
ChatGPT training built for everyone
Most organizations have security problems. I’ve never been in one that doesn’t. But being alerted to foreign intelligence operatives in your organization and choosing to ignore it raises many questions, especially if you’re being alerted by one of the most respected experts in the industry. And especially if that expert was explicitly hired to protect you from such threats.
There are still pieces missing, but based on the information so far, it doesn’t look like it will be good for Twitter in the end. Is Twitter’s leadership actually getting rid of people who identify security problems? Let’s hope not.
Sources
- Former security chief claims Twitter buried ‘egregious deficiencies’, The Washington Post
ChatGPT training
In this Series
- Twitter’s cybersecurity whistleblower: What it means for the community
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization