Whistleblower says there's a Chinese government spy working at Twitter

Twitter’s former security chief Peiter “Mudge” Zatko testified to a Senate panel on Tuesday that his former employer prioritized profits over addressing security concerns that he said put user information at risk of falling into the wrong hands.

“It’s not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room,” Zatko told members of the Senate Judiciary Committee, less than a month after his whistleblower complaint was publicly reported.

Zatko testified that Twitter lacked basic security measures and had a freewheeling approach to data access among employees, opening the platform to major risks. As he wrote in his complaint, Zatko said he believed an agent of the Indian government managed to become an employee at the company, an example of the consequences of lax security practices.

Peiter “Mudge” Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee on data security at Twitter, on Capitol Hill, September 13, 2022 in Washington, DC. 

Kevin Dietsch | Getty Images

The testimony adds fuel to the criticism by legislators that major tech platforms put revenue and growth goals over user protection. While many companies have flaws in their security systems, Twitter’s unique position as a de facto public square has amplified Zatko’s revelations, which took on extra significance given Twitter’s legal spat with Elon Musk.

Musk sought to buy the company for $44 billion but then tried to back out of the deal, claiming Twitter should have been more forthcoming with information about how it calculates its percentage of spam accounts. A judge in the case recently said Musk could revise his counterclaims to reference issues Zatko raised.

A Twitter spokesperson disputed Zatko’s testimony and said the company uses access controls, background checks and monitoring and detection systems to control access to data.

“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” the spokesperson said in a statement, adding that the company’s hiring is independent from foreign influence.

Here are the key takeaways from Zatko’s testimony

Lack of control over data

The Twitter logo is seen on a Redmi phone screen in this photo illustration in Warsaw, Poland on 23 August, 2022.

Nurphoto | Getty Images

According to Zatko, Twitter’s systems are so disorganized that the platform can’t say for sure if it’s deleted a users’ data entirely. That’s because Twitter hasn’t tracked where all that data is stored.

“They don’t know what data they have, where it lives or where it came from, and so, unsurprisingly, they can’t protect it,” Zatko said.

Karim Hijazi, CEO of cyber intelligence firm Prevailion, said large organizations like Twitter often experience “infrastructure drift,” when people come and go, and different systems are sometimes neglected.

“It tends to be a little bit like someone’s garage over time,” said Hijazi, who previously served as director of intelligence at Mandiant, now owned by Google. “Now the problem is, unlike a garage where you can go in and you can start pulling it all apart sort of methodically … you can’t simply wipe away the database because it’s a patchwork quilt of new information and old information.”

Taking down some parts without knowing for sure whether they’re critical pieces could risk bringing down the broader system, Hijazi said.

But security experts expressed surprise by Zatko’s testimony that Twitter didn’t even have a staging environment to test updates, an intermediate step engineers can take between the development and production environments to work out issues with their code before setting it live.

“That was quite surprising for a big tech firm like Twitter to not have the basics,” Hijazi said. Even the smallest little startups in the world that have started seven and a half weeks ago have a dev, staging and production environments.”

Chris Lehman, CEO of SafeGuard Cyber and a former FireEye vice president, said “that would be shocking to me” if it’s true Twitter doesn’t have a staging environment.

He said “most mature organizations” would have this step to prevent systems from breaking on the live website.

“Without a staging environment, you create more opportunities for bugs and for problems,” Lehman said.

Broad employee access to user information

The silhouette of an employee is seen beneath the Twitter Inc. logo

David Paul Morris | Bloomberg | Getty Images

Zatko said the lack of understanding of where data lives means employees also have far more access than they should to Twitter’s systems.

“It doesn’t matter who has keys if you don’t have any locks on the doors,” Zatko said.

Engineers, who make up a large portion of the company, are given access to Twitter’s live testing environment by default, Zatko claimed. He said that type of access should be restricted to a smaller group.

With so many employees having access to important information, the company is vulnerable to problematic activities like bribes and hacks, Hijazi and Lehman said.

U.S. regulators don’t scare companies into compliance

The changing face of privacy in a pandemic



Source link

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.