Twitter’s Former Head of Security Turns Whistleblower

Twitter regularly loses track of users’ information after they’ve deleted their accounts, allows virtually unfettered staff access to its internal controls, and fails to address the increasing population of bots using the site, according to a 200-page disclosure obtained by CNN and The Washington Post. Zatko originally sent the disclosure to Congress and a handful of enforcement agencies last month in an attempt to bring federal attention to Twitter’s wrongdoings, which he alleges impact user safety and even threaten national security.

Zatko was originally recruited by ex-CEO Jack Dorsey for his experience at Stripe, Google, and the Department of Defense, as well as his “ethical hacking” skills. Upon joining the company, however, he discovered an atmosphere riddled with “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.” Thousands of Twitter employees had unnecessary access to the site’s most sensitive controls. There was no log of who entered the site’s “production environment” (the internal systems from which the live, public platform can be changed), when they entered, or what changes they made. Fewer than half of Twitter’s workforce used computers that met basic cybersecurity standards, and half of its 500,000 servers ran on outdated software that couldn’t support encryption or vendor security updates.

This was only the beginning. When Dorsey stepped down and Parag Agrawal filled in, Agrawal supposedly discouraged Zatko from escalating the aforementioned security vulnerabilities to Twitter’s board of directors. According to Zatko, executives eventually ordered him to share these vulnerabilities orally instead of by written means, and to “cherry-pick” and “misrepresent” data that would make it appear as though the company had made strides to improve its site’s security. Afterward, executives covertly covered up a third-party consulting firm’s report that confirmed many of Zatko’s original suspicions.

Before being terminated for what Twitter claims was underperformance in January 2022, Zatko reviewed evidence from the US government that at least one Twitter employee was working for a foreign intelligence service. (Sure enough, this month a Twitter employee was convicted of having spied for Saudi Arabia for financial gain.) Concerns regarding international tensions rose when Agrawal—Twitter’s chief technology officer at the time—told Zatko the platform should comply with Russian censorship and surveillance demands. This suggestion was ultimately cast by the wayside.

Agrawal responded to the disclosure in a memo to employees on Tuesday. “We are reviewing the redacted claims that have been published, but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context,” he wrote. Agrawal went on to imply that Zatko’s disclosure was the product of retaliation, saying “Mudge was accountable for many aspects of this work that he is now inaccurately portraying more than six months after his termination.”

Spokesperson Rachel Cohen told CNN the Senate Intelligence Committee is taking the disclosure seriously and planning to meet to discuss the allegations soon. The Senate Judiciary Committee and House Energy and Commerce Committee are also investigating or planning to investigate Zatko’s disclosure. The document was additionally sent to the U.S. Securities and Exchange Commission, the Bureau of Consumer Protection at the Federal Trade Commission, and the Justice Department.

“If these problems are not corrected, regulators, media, and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics,” Zatko wrote in a separate document cited within the disclosure.
