Whistleblower: Twitter’s former security chief raises serious allegations


In a complaint to the regulators, Peiter “Mudge” Zatko paints the picture of a divided company with a catastrophic security culture.

Twitter’s former head of security, Peiter Zatko, has made serious allegations against the company in a complaint to the regulators. The hacker, known as “Mudge”, criticizes the security culture at Twitter and accuses the social network of consistently putting the company’s economic success and growth ahead of user security and data protection.

As a whistleblower, Zatko submitted his complaint to the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the U.S. Department of Justice in July. A partially redacted version of the complaint, prepared for committees of the U.S. Congress, has been obtained by the Washington Post.

Zatko’s complaint paints a picture of a leaderless company with chaotic structures, internal trench warfare and a security culture that meets neither the requirements of the regulators nor the protection needs of around 230 million active users.

According to the Washington Post report, Zatko’s detailed accounts from the engine room of the global network largely contradict what the company’s management presented to its own board of directors, and what Twitter told the regulators about its progress in securing user data and fighting spam.

The company may also have violated FTC requirements. In 2011, Twitter, like Facebook, reached a settlement with the FTC over privacy violations that took effect the same year. Twitter was subsequently placed under stricter supervision for ten years.

Twitter has not yet disputed the allegations in detail. A Twitter spokeswoman told the Washington Post that the allegations were “riddled with inaccuracies”. The former security chief, she said, was fired for “poor performance and poor leadership”. “Security and privacy have long been a top priority across the organization at Twitter.”

Twitter CEO and founder Jack Dorsey, who has since resigned, brought Peiter “Mudge” Zatko on board in late 2020 to strengthen the network’s security structures. Previously, numerous celebrity and corporate accounts had been hacked and misused for Bitcoin fraud attempts. The accounts of Elon Musk, Bill Gates and Barack Obama as well as Apple and Uber were affected.

In the aftermath, it emerged that a person claiming to have had access to internal tools was apparently involved in the hack. The former head of security now also criticizes the fact that too many employees have access to critical systems and data. According to the report, when he took office he found a company that had made no significant progress since the settlement with the FTC.

With Dorsey’s resignation, Zatko’s days at the company were numbered. In early 2022, new CEO Parag Agrawal refilled the posts of head of security and Chief Information Officer (CIO). A final assessment of the security situation, which Zatko last updated in February, is attached to the complaint.

In it, Zatko accuses the new CEO, among other things, of deliberately misleading the board committee set up for risk assessment about the security situation and of tolerating false information being presented there. Zatko raised this internally, which led to an internal investigation that ended in his dismissal.

Contrary to what was presented to the board of directors, the situation is far more dramatic. “Twitter is grossly negligent in several areas of information security,” Zatko summarizes, pointing to four main problem areas that were withheld from the board: outdated and poorly configured software, negligent access rules for data and production systems, inadequate internal processes, and too many serious security incidents.

Zatko criticizes that by the end of 2021 around half of all full-time employees had access to production systems and data. The number of employees grew from over 5,900 to over 7,700 over the course of the year, and in 2021 more and more people were granted access to security-sensitive areas.

According to Zatko, this is because the internal processes are inadequate: developers work on the live system with real customer data, and there are no test or staging environments. The easy access to data increases the risk that former employees exfiltrate it. In this context, Zatko speaks of 30 layoffs a week, or “offboardings” in corporate jargon.

Operating systems with outdated kernels, some of them no longer supported, run on around 60 percent of the approximately 500,000 servers in data centers around the world, Zatko writes. The software on the roughly 10,000 employee computers is also out of date in 40 percent of cases and is not receiving the necessary updates. The board of directors was only told that the computers were equipped with security software.

Earlier in his tenure, Zatko hired a consulting firm to assess Twitter’s efforts to combat propaganda and misinformation. The consultants’ conclusion: Twitter suffers from siloed internal structures and a lack of investment in critical infrastructure. Because of its purely reactive corporate culture, the company is in a permanent state of crisis: “As a result, Twitter is constantly lagging behind in its measures against misinformation and disinformation.”