Twitter’s cybersecurity whistleblower: What it means for the community
The recent whistleblower complaint from Twitter’s former head of security “Mudge,” aka Peiter Zatko, may be one of the most concrete examples yet of the disconnect between cybersecurity experts and executives in organizations.
The complaint, obtained by the Washington Post last week, accuses Twitter of various “egregious” security issues, including servers running out-of-date software, a lack of controls around employees’ access to core company software, and intentionally misleading directors about the company’s true security posture.
The issue of executives versus internal cybersecurity professionals can be complex, but it’s a discussion that needs to happen. In the case of Twitter, many security experts likely reacted to the news by simply crossing their arms and saying, “I knew it,” or “I’m not surprised.”
We regularly go into these environments as consultants or outside experts. We see the disbelief on the faces of the internal security and IT teams when we state something is a security problem, and it appears that management listens for the first time — but only because it’s coming from an outsider. I’m not saying management only responds to outside experts, but I am saying that many cybersecurity professionals feel that is the case.
Congressional investigation into Twitter
Congress is planning to investigate the Twitter complaint, and who knows what that will uncover, as they have subpoena power matched by only a few other bodies in the world.
If they have true subject matter experts helping draft the subpoenas to ensure the correct information is requested, it might become a much bigger problem for Twitter. However, if the things being exposed turn out to be true, it could be an overall positive for the community.
First, as with several other social media platforms, Twitter has reached a point of distribution where there is undoubtedly cause for national security alarm — if the platform’s internal security posture is as immature as Mudge’s complaint states.
But what’s more troubling are the claims of management misleading the world. This reminds me of the Equifax data breach. To refresh the reader’s memory, Equifax had a data breach in 2017, which at the time was the largest in history. It was caused by exploiting a well-known vulnerability in an application named Apache Struts. The head slapper was that this very vulnerability was identified months earlier during a penetration test, but it wasn’t patched in time. How do we know this happened? It all came out in the congressional hearing that followed the massive data breach. And that was a good thing. It’s possible there was someone inside Equifax saying, “I knew it was going to happen,” when the breach occurred — and clearly, someone inside Equifax had reported the critical Struts vulnerability that was eventually exploited.
Given the high-profile data breaches related to Twitter, especially the compromised political and celebrity accounts, there is now the possibility that Twitter may have been more responsible for those celebrity hacks than we initially thought. Many people assumed those celebrities were simply socially engineered out of their Twitter accounts. Maybe not.
One of the most disturbing claims is that state-sponsored threat actors or foreign intelligence operatives infiltrated Twitter. It’s hard to imagine an executive wanting to ignore that possibility or sweep it under the rug. I realize Twitter was (and is) in the middle of negotiating a buyout, but overlooking foreign intelligence footholds in its environment would be a big deal. This could have a lasting impact if it turns out to be true.
Are Mudge’s Twitter claims true?
Let’s examine the other side. What if Mudge is overstating some things — or everything? What if he really is a disgruntled employee making inaccurate claims after being fired, as a Twitter spokesperson suggested? If he is, that will come out in any follow-up investigations and tarnish his legendary status in the cybersecurity community.
Some of my first hacking knowledge came from reading his writing in Phrack as a youngster. I followed him for years and used to dream of becoming a member of L0pht Heavy Industries, the hacker group he helped start that brought us some of the best hacking and cracking tools of the time. We still teach L0phtCrack as a password cracker.
I don’t know Mudge personally, but from the outside, looking at his public persona for over 20 years, it doesn’t fit that he would make this up as a slight for being fired from an organization.
What’s next for Twitter?
I once worked on a case where we were vigorously trying to decrypt traffic that would prove the exfiltration of customer data had occurred. I briefed a group of executives, and one of them told me to stop the decryption operation until he told us to resume. They wanted time to get their PR together to form a statement before we decrypted the traffic and confirmed any customer data exposure, which would automatically put them under more specific reporting guidelines in their country. Once I learned their reason for the delay, I instantly felt dirty.
Most organizations have security problems. I’ve never been in one that doesn’t. But being alerted to foreign intelligence operatives in your organization and choosing to ignore it raises many questions, especially if you’re being alerted by one of the most respected experts in the industry. And especially if that expert was explicitly hired to protect you from such threats.
There are still pieces missing, but based on the information so far, it doesn’t look like it will be good for Twitter in the end. Is Twitter’s leadership actually getting rid of people who identify security problems? Let’s hope not.
- Former security chief claims Twitter buried ‘egregious deficiencies’, The Washington Post