In the wake of Peiter “Mudge” Zatko’s accusations against his former employer, a cybersecurity expert is calling for regulatory bodies to be given powers to inspect social media and other data-sensitive companies without prior notice.
- Twitter has been accused of violating the Federal Trade Commission Act by making false and misleading statements to users;
- breaching Securities and Exchange Commission regulations regarding public companies;
- making fraudulent and material misrepresentations to directors and shareholders; and
- turning a blind eye to efforts by foreign governments to censor, surveil, and infiltrate the platform and its employees.
Disappointing. That is one word Reuven Aronashvili, chief executive of cyber analyst CYE, uses to describe Twitter’s perceived response to concerns raised by infosecurity worker-turned-whistleblower Zatko over the integrity of its data protection.
Another cybersecurity professional, Ryan Slaney of SecurityScorecard, is withholding that kind of direct criticism until the Mudge case reaches a verdict – but his company’s examination of Twitter’s externally visible metrics has returned it a C-grade for overall cybersecurity, not the best of marks for such a prestigious platform.
Aronashvili believes the time has come for more rigorous auditing measures to be applied, not just to Twitter and other social media companies but any other organization that handles large amounts of sensitive client data. He is under no illusions about the difficulty that getting Big Tech to clean up its act will entail, but is reasonably optimistic it can be accomplished in the mid-term future with the right kind of regulations.
“Twitter has some major issues to deal with,” says Aronashvili. “It's very easy to think that those are basic things that can be fixed immediately – they are not. However, the one thing that I find disappointing is that instead of providing [Mudge] with all the capabilities, resources, and support that he needed to improve cybersecurity in Twitter, it seems like there was a continuous – I would say – avoidance in dealing with cybersecurity, putting it as a low-priority item in general.”
Twitter under fire
While the case lodged by Mudge’s lawyers with the Federal Trade Commission, the Department of Justice, and the Securities and Exchange Commission will not be heard until September 13, speculation is already rife about the claims made in his formal complaint. If just a fraction of them are proven true, Aronashvili’s statement about Twitter may well end up looking like an understatement.
Mudge alleges that under the leadership of former chief technology officer and current chief executive Parag Agrawal, Twitter deliberately misled the public about the platform’s “security, privacy and integrity.” It further accuses the social media company of engaging in “fraudulent and material misrepresentations in communications to the board of directors and investors,” and – perhaps most shockingly of all – “negligence and even complicity with respect to efforts by foreign governments to infiltrate, control, exploit, surveil, and censor the company’s staff, platform, and operations.”
“The privacy elements that are required from Twitter actually go against their business model,” says Aronashvili, echoing claims made in the Mudge complaint that allege the company lied about the number of bot or fake accounts on its platform to keep its valuation inflated beyond its actual worth.
“And that's an inherited problem,” he adds. “Looking at the CEO comments [from Agrawal], you understand immediately that really privacy is not what they care about. It goes against their revenue-generating model.”
“The privacy elements that are required from Twitter actually go against their business model.” – Reuven Aronashvili, CEO of cybersecurity firm CYE
Aronashvili believes this kind of blind spot is particularly worrying when found in a company such as Twitter, which has the potential to influence millions or even billions of people. “When you have this kind of power that's significant,” he says. “Like any other power in the world, it's something that should be supervised.”
He suggests that Mudge’s whistleblowing is probably an act of sheer frustration from a cybersecurity veteran whose concerns have, to all intents and purposes, been met with incompetence and complacency.
“I think it's a combination of some kind of personal incentive and frustration built over time – being a cybersecurity professional, you want things to work,” he says, adding that Twitter appears to have neglected the basics when it comes to protecting user data.
“We're talking about access to production, access control in general, patch management, privacy and sensitivity of data, deleting data after users left the platform,” he says. “Those are basic things – I'm not even talking about sophisticated items, like identification of active threats in the network, [or ensuring] data is not compromised and shifted to a third party or a nation-level attack. In these situations, being able to function as a security leader, it's very hard.”
More transparency needed
The tech industry as a whole is suffering for lack of what Aronashvili calls proper auditing or “visibility” – meaning the regulators are in effect fighting blindly against the problem of data security within organizations. “The industry in general is in a difficult situation, and with regulation and the federal government trying to put more and more pressure on those organizations, the one thing that they are missing is some kind of actual auditing,” he says.
Without unannounced spot-checks on firms that hold sensitive and personally identifiable information, he says, asking social media companies simply to submit checklists and threatening them with fines if they don’t comply will have little impact.
“Putting the pressure, threatening to fine organizations and make them pay and so on, it seems like it's not good enough – because you need some kind of mechanism to understand the situation and how to react accordingly,” he says, adding that the regulatory regime should be “fact- and not paperwork-based.”
“Threatening to fine organizations [...] it seems like it's not good enough – because you need some kind of mechanism to understand the situation and how to react accordingly.” – Aronashvili
“If I'm sending you a paper and saying, ‘hey, I've done everything that you want, tick the box’ – that's not enough,” he says. “Show me proof. And there are multiple [sources of it] in this digital environment. If you are collecting several aspects, even randomly, coming once every three or six months and saying: ‘just give me those logs now, let me analyze them.’ [We need to do it] just like this – a surprise exercise.”
Slaney agrees that a health-inspection-style regime like that in the food industry – where inspectors arrive unannounced to monitor a data-sensitive organization’s compliance with cyber-hygiene regulations – would be a good idea, and that it should be applied not just to social media companies but to any organization that holds large amounts of sensitive data.
“I don't see why you would narrow the focus to a specific industry,” he says. “If it's a company that has sensitive information, it would be subject to this set of rules that could be followed in terms of collection, storage, processing, and retention.”
“You can ask the same questions about healthcare, how we can make sure hospitals are not attacked,” Aronashvili clarifies. “Every critical infrastructure, industrial control systems, those are risky to human lives. Every organization should be thinking that the report they provided can be put to the test at some point and verified. And then you can have fines, or any kind of sanctions, related to the results.”
Already found wanting
While Twitter may not be the sole offender, or perhaps even an offender at all, its cybersecurity regime has already been found wanting in some areas, if an external examination by Slaney’s company is anything to go by.
“Essentially, we scan for different categories of security, from an outside-in perspective,” he explains. “From what we can scan externally of Twitter's network, we can determine things. What we're seeing is that their DNS [domain name system] health is quite low – that's because of malformed or missing SPF [sender policy framework] records.”
What this means in layman’s terms is that Twitter could be vulnerable to social engineering campaigns, with threat actors spoofing legitimate company emails to trick the tech giant’s employees into giving up valuable information, or simply spamming them in an effort to get them to do likewise.
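The check SecurityScorecard describes can be reproduced offline against the TXT records a domain publishes. The grader below is an added example, not SecurityScorecard's tooling; the domains and records it evaluates are constructed, and it classifies an SPF record as missing, malformed (including the RFC 7208 ten-lookup limit), permissive, softfail, or ok.

```python
import re

# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MECHANISM_RE = re.compile(
    r"^[+\-~?]?(all|include|a|mx|ptr|ip4|ip6|exists)(?::[^\s]+)?(?:/\d{1,3})?$"
)
MODIFIER_RE = re.compile(r"^(redirect|exp)=[^\s]+$")

# Constructed TXT record sets standing in for real DNS answers.
SAMPLE_DOMAINS = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "soft.example": ["v=spf1 include:_spf.example.net ~all"],
    "open.example": ["v=spf1 mx +all"],
    "typo.example": ["v=spf1 inclde:broken.example -all"],
    "none.example": ["google-site-verification=abc123"],
}

def assess_spf(txt_records):
    """Grade a domain's SPF posture from its TXT records.

    Returns "missing", "malformed", "delegated", "permissive", "softfail" or "ok".
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"          # receivers have nothing to check a sender against
    if len(spf) > 1:
        return "malformed"        # RFC 7208: more than one record is a permerror
    lookups, final, redirected = 0, None, False
    for term in spf[0].split()[1:]:
        if MODIFIER_RE.match(term):
            if term.startswith("redirect="):
                lookups, redirected = lookups + 1, True
            continue
        m = MECHANISM_RE.match(term)
        if not m:
            return "malformed"    # unknown or misspelled mechanism
        if m.group(1) in LOOKUP_MECHANISMS:
            lookups += 1
        if m.group(1) == "all":
            final = term[0] if term[0] in "+-~?" else "+"
    if lookups > 10:
        return "malformed"        # too many lookups: receivers return permerror
    if final is None:
        return "delegated" if redirected else "permissive"
    if final in ("+", "?"):
        return "permissive"       # spoofed mail passes or is treated as neutral
    return "softfail" if final == "~" else "ok"

def report(domains=SAMPLE_DOMAINS):
    return {name: assess_spf(records) for name, records in domains.items()}
```

Only "ok" means a receiver is told to reject mail from unlisted senders; "softfail" and "permissive" both leave room for the spoofed-email scenario described above.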
“Not enforcing encryption is a pretty big deal these days – some stuff that's associated with Twitter doesn't seem to be running it, or at least we're not detecting it.” – Ryan Slaney, cybersecurity analyst at SecurityScorecard
Endpoint security – the integrity of devices that are externally detectable on Twitter’s network – has also been flagged by SecurityScorecard as a potential hazard.
“Some of them are running outdated operating systems, web browsers, application security,” explains Slaney. “Not enforcing encryption is a pretty big deal these days – some stuff that's associated with Twitter doesn't seem to be running it, or at least we're not detecting it.”
Of course, this is only what Slaney and his team can legally observe without being given internal access, something Twitter and other tech firms will likely be chary of granting to outsiders.
“What Twitter's alleged of doing is more related to their internal security and data management policies, which is not something we can detect from the outside,” he says. “It basically goes to the culture and the data management strategy put in place within Twitter – that's something that you need internal access to get, which we don't have.”
Access privileges too liberal
Does Slaney think the claims made in the Mudge complaint are true? “The allegations are serious, but I don't think I'm in a position to say that they definitely did this based on one person coming forward,” he muses. “I know there was backing evidence, but again I'd have to really sit down and look at what that stuff was – [the complaint] was so heavily redacted, it's hard to say what exactly was in some of those emails. It is early days, in terms of investigation.”
But he concedes the Mudge case could be very bad news for Twitter indeed. “It would be a big issue to any company to have a whistleblower come forward, and, if those allegations are correct, it would be difficult for me as a cybersecurity practitioner to understand that an organization wouldn't take these things seriously, especially when it comes to data related to social media and how sensitive that could be: pictures, videos, locations, user data, stuff like that. But I don't want to hazard a guess until more investigative work is done.”
Another failing identified by Slaney, one he believes better regulation could remedy, is the lack of a nuanced system of access privileges granted by Twitter to its own employees.
“Engineers that have no need to get into sensitive data should not just have unfettered access.” – Slaney
“One of the main themes of the information that was leaked was that the engineers had unfettered access to sensitive information,” he says. “One of the best practices to defeat that – in any organization – is defining roles in technical terms and only allowing access to what is reasonably within their job description. Engineers that have no need to get into sensitive data should not just have unfettered access – your access would be based on what you need to do.”
Furthermore, he believes engineers and other Twitter staff with privileged access should be audited themselves, to ensure this regulation is followed to the letter. “You would log access to sensitive information,” he explains. “An administrator would see that in the log and query it: ‘what was that for, why were you there looking at that?’”
Aronashvili agrees. “If every developer has access in Twitter without getting into the technicalities, that's a big no,” he says. “And that's something that can be easily tested, if you look at the logs.” Nor does he believe this would impinge on a business or organization’s right to privacy if it were properly implemented.
“There is a very fine line that we don't need to cross,” he stresses. “Because it's still a company, no one needs to be in their details – but have them provide proof that they are doing what they are required to do. And the regulator needs to make sure that this is followed.”
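The combination both experts describe, role-based access defined in technical terms plus a log that lets an administrator ask “why were you there?”, can be turned into a repeatable check. The script below is an added example, not code from Twitter, SecurityScorecard or CYE; its role policy and JSON-lines audit log are constructed, and it returns every access that falls outside the accessing role's allow-list, denying by default for roles the policy does not know.

```python
import json
from collections import Counter

# Constructed role policy: the data classes each role needs for its job description.
ROLE_POLICY = {
    "platform-engineer": {"service-metrics", "build-artifacts"},
    "trust-and-safety": {"user-profile", "dm-content"},
    "data-scientist": {"aggregated-analytics"},
}

# Constructed audit log (one JSON object per line) of reads against sensitive datasets.
AUDIT_LOG = """\
{"ts":"2022-08-24T09:01:12Z","user":"alice","role":"platform-engineer","dataset":"service-metrics","records":1}
{"ts":"2022-08-24T09:03:40Z","user":"bob","role":"platform-engineer","dataset":"dm-content","records":250}
{"ts":"2022-08-24T09:05:02Z","user":"carol","role":"trust-and-safety","dataset":"user-profile","records":3}
{"ts":"2022-08-24T09:07:55Z","user":"bob","role":"platform-engineer","dataset":"user-profile","records":1200}
{"ts":"2022-08-24T09:09:13Z","user":"dave","role":"intern","dataset":"user-profile","records":5}
"""

def review_access(log_text, policy):
    """Return (violations, records_by_user) for reads outside the role's allow-list.

    A role absent from the policy is allowed nothing, so an unexpected role
    surfaces here instead of silently passing.
    """
    violations, records_by_user = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        allowed = policy.get(event["role"], set())
        if event["dataset"] not in allowed:
            violations.append(event)
            records_by_user[event["user"]] += event["records"]
    return violations, records_by_user

def questions(violations):
    """Phrase each violation as the query an administrator would raise."""
    return [
        f'{v["ts"]} {v["user"]} ({v["role"]}): what was the read of '
        f'{v["records"]} {v["dataset"]} records for?'
        for v in violations
    ]
```

Run against the constructed log, the reviewer is handed three questions, two of them for the same engineer, which is exactly the signal Aronashvili says “can be easily tested, if you look at the logs.”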
Some room for optimism
Both experts are fairly confident that – whatever the outcome of the Mudge case – in time the regulatory framework will evolve to police social media and other data-sensitive companies more effectively.
“I think it's happening right now, and it's only going to get better,” asserts Slaney. “If there are other companies working as hard as we are to help cybersecurity, from simply scanning on the outside, I think companies are going to have unprecedented access to threat intelligence that will help them secure their networks. As long as you're following best practices on the internal side of things, they'll have a good chance of defending their networks.”
“I'm optimistic by nature, but I think it's a process,” says Aronashvili. “Now the whistleblowing, that's a story because for the first time we understand what the situation is, it's a way to get us this visibility. [But] do you know what the situation is in Facebook, TikTok, Instagram, even LinkedIn and others? We don't – how could you? Maybe we shouldn't know – but the regulator should.”