
Is Twitter Security a National Security Threat?

You have probably heard that Twitter’s former security chief blew the whistle on the company to the feds and that the complaint was leaked either to or by the Washington Post and CNN.

The former security chief, Peiter “Mudge” Zatko, is extremely well known in security circles. Still, there is a lot of “swirl” around the story.

The complaint claims that Twitter has “extreme, egregious deficiencies” in security and user privacy.

Mudge, who claims he was offered the job of Federal CIO but turned it down, says that senior executives misrepresented the efficacy of the company’s security program to Twitter’s board and allowed foreign government agents to infiltrate its ranks, among other things.

Mudge worked at the DoD’s DARPA and also at Google, after being a member of one of the early, high-profile hacking groups, L0pht.

Twitter says the complaint lacks “context”, meaning that it is likely accurate, but they have excuses as to why.

Until he was hired in late 2020, Twitter never had a head of security. That probably says a lot all by itself.

Mudge claims that numerous security problems remained unresolved when he was fired.

In his final report, Mudge claimed that “inaccurate and misleading” information concerning “Twitter’s information security posture” had been sent to the company’s board. For example, the board report neglected to mention that, of about 10,000 systems, 40% were not in compliance with basic security settings and 30% did not have automatic updates enabled.

The report also alleges that there is overly broad access to information by insiders and that the company has a limited ability to effectively control insider risk. He also says they are likely not in compliance with their consent decree with the FTC.

Many security pros support Mudge. Twitter, of course, went on the offensive. Their current CEO, in a letter to employees, claimed Mudge was fired for “ineffective leadership and poor performance”. I suspect, whether that is accurate or not, publicly disclosing that probably broke some laws. Some other Twitter engineers also say that Mudge deprioritized some fixes, and that is certainly possible. If the house is on fire, do you worry about whether the lawn is mowed?

The foreign agent conversation may be related to the Indian government’s requirement to appoint a local representative, likely a government snitch/mole/spy. That is required in order to do business in India, but it is unclear what access this person had.

This may help Musk’s case, as one of his claims is that Twitter has no clue how many bots there are. One outsider asks why he is worrying about bots – what harm could they do? I guess the guy does not understand the concept of a disinformation campaign.

Mudge also claims that Twitter prioritized user growth over reducing spam because some executives stood to win bonuses of up to $10 million tied to increases in daily users.

Mudge claims that Agrawal, the CTO at the time and now the CEO, told Mudge to give the Board an oral report on the state of security rather than a written one and ordered him to knowingly cherry-pick and misrepresent data to create a false impression of progress on the security front.

Twitter also says that security and privacy are top priorities, and now that everyone from the SEC to the Senate is investigating it, that is probably true. As long as it doesn’t impact user count or stock price.

Mudge’s attorneys say that he tried to get management’s attention before using the whistleblower law to talk to the feds. That law gives him both legal protection and potentially a share of any fine the feds levy on Twitter.

The complaint also says that more than half of the company’s servers in data centers have non-compliant operating systems/kernels and many of them cannot support encryption.

As if Twitter’s reputation and stock price were not already in the toilet, Mudge is now giving media interviews and, I suspect, he knows where at least some of the bodies are buried.

Not to mention, some people are saying this is a national security issue given the possibility of election disinformation and other forms of digital terrorism.

This is going to get very ugly, and it MAY help Musk’s case in trying to bail on the buyout agreement. What seems certain is that this is not going to fade into the darkness, unfortunately for Twitter and its stock price, which is down 7% over the last 5 days.

Credits:

Metacurity

Data Breach Today

Motherboard by Vice