Peiter “Mudge” Zatko (pictured) was grilled by U.S. senators this week. Twitter’s former head of security has some damning things to say about the service’s DevOps security — or lack of it.
In his testimony, we learned that 50% of Twitter staff had full access to the sensitive, personal and private data of users. As if that access proliferation wasn’t bad enough, he said there was little oversight and auditing of what people did with that powerful access.
Is your shop any better? If a bad actor insider abused their power, would you be able to quickly identify it and lock down access? In this week’s Secure Software Blogwatch, we get real.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mudge’s opening statement.
No locks on the doors
What’s the craic? Shannon Bond and Raquel Maria Dillon consider all the things — “Takeaways from the Senate hearing”:
“Half the employees at Twitter have access”
Twitter executives put profits ahead of security … the company's former head of security told Congress on Tuesday. [Peiter] Zatko, who's also known by his hacker name, Mudge, was hired to lead security at Twitter in 2020, after teenaged hackers took over high-profile verified accounts.
…Zatko painted a portrait of a company plagued by widespread security issues and unable to control the data it collects:
[He] alleged the company is highly vulnerable to abuse by foreign intelligence agents … within its ranks.
[He] described a company culture that avoided negativity and alleged executives presented selectively favorable information to the board.
[He said] Twitter doesn't understand how much data it collects, why it collects it, and how it's supposed to be used. …
He said around half the employees at Twitter have access to that [PII] data.
Half? Good grief. Cat Zakrzewski, Joseph Menn, Faiz Siddiqui and Cristiano Lima — “Security failures cause ‘real harm to real people’”:
“Foreign government operatives”
Zatko’s Senate testimony — which expanded on an 84-page complaint shared with regulators … this summer — said that Twitter executives misled the public, regulators and the company’s own board about its systemically broken defenses against hackers. [His] testimony could also factor into Twitter’s ongoing litigation with [Elon] Musk.
He described an executive team that was financially incentivized to ignore root problems, such as employees having too much access to data [and] the company wasn’t properly tracking data access: … “It doesn’t matter who has keys if you don’t have any locks on the doors. … It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room.”
Regarding Twitter’s employment of suspected foreign government operatives who may have had access to sensitive data because of the company’s lack of internal controls, he said agents for the Indian government and the Chinese government were on the company’s payroll.
Did someone mention Elon? Mike Masnick might have — “Musk Tries, Tries Again”:
“$7 million settlement”
Mudge’s report … actually confirmed Twitter’s legal argument: … While the media and a bunch of Musk’s fans bought into the claim that Mudge’s report helped him on the spam issue, Musk’s very expensive lawyers knew better. Instead, they [argued] that his claims about security problems, fraud, and some other stuff represented a material averse event that allows Musk to escape the deal.
Last week … it came out that the company had agreed to a $7 million settlement with Mudge, after he claimed that his firing violated his contract with the company. [And so] Musk … claims that the merger agreement would not allow any severance packages other than those in “the normal course of business,” and that the Mudge agreement violated that.
Who is this Mudge guy, anyway? Robert Graham knows what — or whom — he’s talking about:
“Disgruntled over cybersecurity”
Mudge is a technical expert going back decades. He was there at the beginning … and his work helped shape today’s infosec industry. He’s got a lot of credibility in the industry, and it’s all justified.
Twitter would certainly like to discredit him as being disgruntled for being fired. But that’s stupid. [He’s] disgruntled over cybersecurity (not … disgruntled over being fired). This has been the case for pretty much his entire career.
Anyway, back to the allegations. MattPalmer1086 is worried:
“It's a huge red flag”
What I heard I found worrying. For example, half the company had prod access to user accounts. And there was no way to find out who accessed what.
I've worked in multiple sectors for nearly 2 decades: government, energy, transport, retail, finance and software. So I've got a pretty good read on what is a normal level of access. Very small companies and start ups … often don't have this kind of separation.
But if they grow into one of the worlds biggest brands, I would not expect it to be run like a 50 man startup. … This is not normal — it's a huge red flag.
But youngone seems to say that’s old-fashioned thinking:
I'm going to go right ahead and assume … Facebook and Tik-Tok and every other social media company are going similar things, or worse. They don't care because nobody is going to punish them in any meaningful way.
Will anyone snark up the hearing on Twitter? If so, who will? @WillOremus will:
Sad that I don't have a newsletter previewing the week's big tech stories so I could title it Musk, Merge, Mudge.
Reaction from Twitter's prospective owner to testimony that users' security was dangerously compromised and foreign governments had covert agents inside the company: “🍿”
Periodic reminder that Sen. Kennedy of Louisiana attended Vanderbilt, UVA Law, and Oxford (not the one in Mississippi). [He] seems to enjoy the sound of himself pronouncing the word "porn."
[I] keep coming back to the same two thoughts:
- Wow, Twitter security is a clown show.
- There's absolutely no way Twitter is alone in this — online data security in general is a clown show and Twitter just happens to be the one taking the fall right now.
What should Twitter do? Here’s vinay_ys:
If Twitter implemented the following, it would take much of the steam out of this case:
1. Restricted/conditional/temporary access to production systems with extensive centralised audit logging.
2. Handled phone# and geo-location data as sensitive personally identifiable information (SPII) – kept this data in one centralized place (a micro service with well-defined access controlled apis).
Likely it wouldn't impact the velocity of their revenue features too much.
But jhuebel disagrees on that last point:
It will require a significant outlay of cash to independently assess the current vulnerabilities (can't let them do it themselves), secure the data behind fine-grained access controls (RBAC), audit the controls that are implemented periodically and monitor the privacy and security of Twitter user data in the long-term.
Meanwhile, how did we get here? spoonjim proffers a perfect pragmatic precis:
What happened was that Twitter hired a famous name to run their security for the clout. Then it turned out that was a big misfire.
- Learn more about Secure Dev & DevSecOps
- Get up to speed on the SBOM's evolution
- Download report: NVD Analysis 2022 — A Call to Action on Supply Chain Security
- See survey report: Tampering top of mind for dev — but detection lags
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: U.S. Department of Defense