惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Vulnerabilities – Threatpost
U
Unit 42
F
Fortinet All Blogs
aimingoo的专栏
aimingoo的专栏
P
Proofpoint News Feed
F
Full Disclosure
月光博客
月光博客
Engineering at Meta
Engineering at Meta
博客园_首页
The Register - Security
The Register - Security
G
Google Developers Blog
The Cloudflare Blog
博客园 - Franky
K
Kaspersky official blog
A
Arctic Wolf
Scott Helme
Scott Helme
C
Cisco Blogs
Hugging Face - Blog
Hugging Face - Blog
C
Check Point Blog
NISL@THU
NISL@THU
AI
AI
D
DataBreaches.Net
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Stack Overflow Blog
Stack Overflow Blog
Project Zero
Project Zero
The GitHub Blog
The GitHub Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
量子位
Vercel News
Vercel News
T
Tor Project blog
P
Privacy International News Feed
D
Docker
I
Intezer
L
LangChain Blog
P
Proofpoint News Feed
Security Latest
Security Latest
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threatpost
博客园 - 聂微东
AWS News Blog
AWS News Blog
Martin Fowler
Martin Fowler
P
Privacy & Cybersecurity Law Blog
V
V2EX
Last Week in AI
Last Week in AI
C
Cybersecurity and Infrastructure Security Agency CISA
The Hacker News
The Hacker News
T
Tenable Blog
Blog — PlanetScale
Blog — PlanetScale
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tailwind CSS Blog

Threatpost

Student Loan Breach Exposes 2.5M Records Watering Hole Attacks Push ScanBox Keylogger Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms Ransomware Attacks are on the Rise Cybercriminals Are Selling Access to Chinese Surveillance Cameras Firewall Bug Under Active Attack Triggers CISA Warning Fake Reservation Links Prey on Weary Travelers iPhone Users Urged to Update to Patch 2 Zero-Days Google Patches Chrome’s Fifth Zero-Day of the Year
Twitter Whistleblower Complaint: The TL;DR Version
Threatpost · 2022-08-24 · via Threatpost

Twitter is blasted for security and privacy lapses by the company’s former head of security who alleges the social media giant’s actions amount to a national security risk.

A recently surfaced 84-page whistleblower report filed with the US government by Twitter’s former head of security Peiter “Mudge” Zatko last month blasts his former employer for its alleged shoddy security practices and being out of compliance with an FTC order to protect user data.

Twitter has responded alleging that Zatko is a “disgruntled employee” who was fired for poor performance and leadership. In a letter to employees Twitter’s CEO Parag Agrawal asserts that Zatko’s claims are a “false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context.”

Here is an abbreviated overview of the allegations and Twitter’s reaction.

Allegations

Zatko, a respected white-hat hacker who served as Twitter’s head of security for roughly 15 months between 2020 and 2022, accused Twitter of a litany of poor security and privacy practices that together constituted a national security risk.

Top accusations include:

  • Twitter is a mismanaged company and gives too many of its staff access to sensitive security and privacy controls without adequate oversight.
  • One or more Twitter employees may be working for undisclosed foreign intelligence services. This, according to Zatko, elevates his concerns to a matter of national security.
  • Nearly half of Twitter’s servers lack basic security features, such as data encryption, because software running on them is either outdated or unpatched.
  • Twitter executives have prioritized growth over security as they have personally pursued massive bonuses, as high as $10 million, as incentives for the company’s rapid expansion.
  • The company is out of compliance with a 2010 FTC order to protect users’ personal information. Additionally, the company has lied to independent auditors of an FTC mandated “comprehensive information security program” tied to the 2010 order.
  • Twitter does not honor user requests to delete their personal data, because of technical limitations.
  • When Zatko attempted to bring these and many other security and privacy issues to Twitter’s board, company management misrepresented his finding and/or tried to hide the report.
  • Twitter allowed some foreign governments “… to infiltrate, control, exploit, surveil and/or censor the ‘company’s platform, staff, and operations,” according to the redacted whistleblower report submitted to congress.
  • Twitter does not have the resources or capacity to accurately determine the true number of fake (or bot) accounts on its platform. This question is central to a Elon Musk’s attempt to back out of buying the company for $44 billion.

Twitter’s Muted Response 

The thrust of Twitter’s response to Zatko is that he is a disgruntled employee, bad at his job and scapegoating Twitter for his failures. It points out that it has addressed and continues to aggressively address many of the IT security issues pointed out by Zatko.

An alleged response by Twitter’s CEO Parag Agrawal sent internally to Twitter employees was posted online.

NEW: First time Twitter CEO @paraga weighs in on whistleblower story.

Sending this message to staff this morning. pic.twitter.com/WY4TCqbA5q

— Donie O'Sullivan (@donie) August 23, 2022

Meanwhile top Democrats and Republicans in Congress have reacted by promising to investigate the claims. Sen. Richard Durbin (D-IL), chair of the Senate Judiciary Committee, confirmed he was investigating the whistleblower disclosure.

The whistleblower’s allegations of widespread security failures at Twitter, willful misrepresentations by top executives to government agencies, and penetration of the company by foreign intelligence raise serious concerns. https://t.co/9QQtlDSogr

— Senator Dick Durbin (@SenatorDurbin) August 23, 2022