Whistleblower Report Slams Twitter Security and Privacy Practices, Asserts Company Deceived Public and Is Employing Foreign Agents

A shocking whistleblower report from Peiter ‘Mudge’ Zatko, a well-known cybersecurity expert who served as Twitter’s head of security from mid-2020 to early 2022, asserts that the company is “grossly negligent” in “several areas” of information security and privacy protections.

The whistleblower report came in the form of a complaint filed with the Securities and Exchange Commission (SEC), the Department of Justice and the Federal Trade Commission (FTC), with a redacted version also sent to a number of congressional committees (which has reached various news outlets). As part of a 2011 settlement with the FTC over prior security and privacy violations, Twitter agreed to a security improvement plan; Mudge says the company has not kept up with it and is knowingly deceiving both authorities and the general public about that.

Former head of security lays out endemic security and privacy issues at Twitter

The story begins over a decade ago, with Twitter being breached at least twice in 2009 in incidents where attackers took administrative control over the system and had the ability to issue tweets from any account. The 2011 settlement it reached with the FTC over that incident required it to make extensive security improvements, to be assessed by an auditor every two years, and to not mislead the public about its security and privacy protections for a period of 20 years. The company evaded a fine with this settlement, but could be fined up to $16,000 per incident for violations of its terms.

Twitter had a number of smaller security and privacy issues over the ensuing years, but the big one (which reflected what had happened in 2009) came in the summer of 2020. A group of teenage hackers managed to socially engineer their way into similar administrative control, issuing tweets from various high-profile accounts as part of a crypto scam.

Mudge was brought in as head of Twitter’s cybersecurity by former CEO Jack Dorsey in the wake of this embarrassing incident. His time in that position ended in January 2022 after he filed internal reports indicating that Twitter executives had misled the board of directors in a presentation regarding the security readiness of the company’s internal systems. Current CEO Parag Agrawal told the press at the time that Mudge’s firing was part of an internal shakeup and change of focus to “top priority work.”

The scope of Mudge’s allegations in the whistleblower report includes how the company handles the security and privacy of user information, its knowledge of and ability to control spam bots, the level of internal access control, failures to routinely patch large numbers of company computers, and the infiltration of the company by foreign intelligence agents and assets from several different nations.

Aaron Turner, CTO, SaaS Protect at Vectra, expands on what this could mean if these security and privacy allegations are indeed accurate: “From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems. If Mudge’s disclosure is correct, that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter’s entire platform is at risk of compromise.”

Patrick Dennis, CEO at ExtraHop, believes that this could touch off a massive regulatory storm for Twitter if the allegations are found to be credible: “In the Musk deal, Twitter’s refusal to provide relevant data regarding the prevalence of bots on the platform ultimately resulted in Musk pulling out, and for good reason. Bots are not only used by nation states for cyberespionage and digital Kompromat, they are also used for social engineering that conditions users to click on malicious links and engage in other unsafe online behavior. Given their refusal to acknowledge or deal with the bot problem in any material way, it should come as no surprise that Twitter also lacks the willingness to address other major security concerns regarding the privacy and safety of its users. In terms of what consequences Twitter will face, I expect that regulators in the EU will be very keen to understand how consumer data has been mismanaged for purposes of GDPR. I expect similar investigations in California under CCP. But I think the one to watch is how federal authorities will treat the allegations that Twitter employees are working for a foreign intelligence service. There has long been speculation about tech company employees being planted by nation state governments. If this is true, it could bring substantially more scrutiny around hiring practices.”

Whistleblower report includes laundry list of serious allegations

Mudge was brought in to deal with an access control incident that involved too many relatively low-level employees at the company having a direct reach into user accounts and tweets; his whistleblower report indicates that this situation may not have substantially improved since then. Mudge says that “thousands” of employees still have access to the company’s production environment without access logging and that there are fundamental security issues throughout the internal network that impact all employees, with some 30% of its computers set to reject security updates that include vital patching of known vulnerabilities.

This issue appears to have been at the center of his firing, at least according to the version presented in the whistleblower report. Sometime just prior, he alleges Twitter executives went before the board of directors and claimed that only 8% of company computers did not have up-to-date security software installed. He also appears to have come into conflict with executives in his inquiries into exactly how much spam was on the platform and how many accounts were bots, unable to get a “straight answer” from anyone and seeing evidence that executives were prioritizing user growth over filtering these types of accounts out. He says that the board ordered him to give an oral presentation to the board using “cherry-picked” data points and that a third-party consulting firm’s report on company security was “scrubbed” for one of these presentations.

The whistleblower report also alleges that the company does not properly delete the user data of closed accounts, in some cases because it is unable to keep track of it. This is another area in which Mudge claims the company has misled regulators. And about half of the company’s 500,000 servers are allegedly running on outdated software that does not allow for regular security updates and is not able to encrypt stored data. The platform is also allegedly highly vulnerable to crashes and denial of service attacks, with dysfunction in the established recovery process to the point that the simultaneous outage of several data centers could potentially knock the service offline permanently.

Mudge also believes that at least one Twitter employee, and possibly more, are working for a foreign government and engaged in espionage. It would not be the first incident of this nature, with a former manager recently convicted for spying for Saudi Arabia. The whistleblower report indicates that the government of India may have been directly involved in placing employees in the company for this purpose, and that the pursuit of revenue from China may have led to “Chinese entities” having access to sensitive information about Twitter users.

Twitter has responded to Mudge’s whistleblower report with a variety of attacks on his character: claiming that he was fired for poor performance, and intimating that he may be doing this for a financial reward from government whistleblower programs or for the benefit of Elon Musk.

The infosec community has almost universally rallied behind him, however, noting that he has been viewed as a luminary with an excellent track record since his work as a founder of the seminal hackerspace and think tank “The L0pht” in the 1990s. Andrew Hay, COO at LARES Consulting, summed up the general sentiment: “Mudge has been a trusted name in security and privacy since the early 1990s when he was with L0pht. Those in the industry who know Mudge know that his intentions have historically been honorable, non-partisan, and designed to benefit the world. Nothing that I have seen or heard would indicate otherwise.”

Casey Ellis, Founder and CTO at Bugcrowd, adds: “Mudge has a long and rock-solid reputation of putting integrity first. He’s also one of those infosec elders who rarely sticks their neck out to make a fuss, but when they do it’s almost certainly worth paying attention to – This dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time. Judging by the way the infosec community has closed ranks around him this morning, others clearly feel the same way. Infosec doesn’t suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves. I can’t speak to the specifics of the disclosures themselves, but I’m definitely pleased to see this prompting a discussion around the “critical infrastructure” characteristics of social media platforms and the implications this has on national security and privacy – especially as the midterms in the US get underway and sets itself up for the 2024 election. It seems clear that this categorization as critical infrastructure is something Twitter and other social platforms would probably rather avoid, but it is a conversation we need to have.”

Kevin Novak, Managing Director of Cybersecurity for Breakwater Solutions, observes that the position Mudge found himself in is not at all uncommon for CISOs nor are the alleged actions by company executives: “The role of the Chief Information Security Officer (CISO) has changed considerably over the last decade, as it has been thrust out of the back room and into the board room.  CISOs today are challenged with wearing an array of differing functional hats that range from Legal to Marketing, to Technology, to Physical Security, to Privacy and Compliance, to Human Resources.  They are required to speak the most technical language when managing in the trenches and shift on a dime to provide cyber risk and financial loss analysis to Board Members.”


“The fact is, most CISOs go out of their way to shine a light on those insecurities that threaten an organization and its clients, and good CISOs even craft their message in terms that business executives understand: the potential for Lawsuits, Financial Fraud, Damage to Reputation, Loss of Operations, Government Sanctions, and Regulatory Scrutiny to name a few. But bringing those messages to your manager, Sr. Executives, or the CEO is very different than answering openly and transparently to the Board of Directors; particularly when you’ve been discouraged from doing so by your management team. Speaking candidly, openly, and transparently to the board is often considered “career limiting” and you’ll often hear CISOs use language like: “I’m aligned with my manager, and we’re working through any challenges we’ve encountered”. So CISOs often have to choose between evils when facing the dissonance of knowing that their firm is acting recklessly: They can quit, speak openly and honestly–then face termination for not being a team player or more likely for “poor performance”, or whistleblow. None of these options is very appealing to the CISO, as each is profoundly impactful on their professional career, but they are issues that CISOs around the world face regularly. It’s the reason that many regulators and regulatory doctrine have begun encouraging more independence for the CISO, reporting to the Board or CEO directly and not through a litany of management that might change their message before it can be heard by those who hold a fiduciary duty for protecting not only their own firm, but that of the public at large,” added Novak.

UK Police Data Leaked to Dark Web; Russian Hackers Hold 13 Million Records to Ransom

After an apparent refusal to pay a ransom demand, Russian hackers have leaked a sampling of 13 million records of UK police data to the dark web in retaliation.

The records were stolen from a police contractor, and the Russian hackers released just a small portion of what they stole but have threatened to release more if their demands continue to be rebuffed. It remains unclear exactly what personal information has been breached, but the dark web samples contain indications that the data was stolen from a national traffic monitoring system and contains photos of drivers that were caught speeding.

UK police data taken from contractor, ransom refusal leads to partial leak

The hack is attributed to the Clop gang, a ransomware group that has been operating since 2019 and was particularly active into early 2021 (two of its largest prior breaches were of ExecuPharm and business collaboration firm Accellion). Some members of the gang were arrested in Ukraine over the past summer, but the group’s Russian hackers quickly got it back into business. The group had made tens of millions of dollars from some of its attacks and is considered a major player among cyber criminals.

The group is known to operate a dark web site through which it doxxes victims that do not pay. In this case, the victim was Scotland-based IT support firm Dacoll Group. Dacoll contracts with the UK government to service the Police National Computer (PNC), a shared system used by many of the country’s law enforcement agencies.

Dacoll was apparently phished successfully, giving the Russian hackers access to about 13 million records of UK police data. The firm then refused to pay a ransom demand, the amount of which is unknown. Not much is presently known about what information was compromised, but the group put hundreds of data samples on its dark web site as proof of the attack and threatened to release more if the contractor did not reconsider its position on the ransom.

The National Cyber Security Centre said that it is working with Dacoll and law enforcement agencies to investigate the incident. Dacoll recently issued a statement indicating that the breach happened on October 5. The sampling of UK police data has since been removed from the dark web site, and it is unclear if the Russian hackers intend to follow through with their threats of releasing more of it.

Russian hackers leak information indicating traffic camera data was stolen

Among the samples of the UK police data uploaded to the dark web were traffic camera pictures, of the sort that automatically trigger when a vehicle is detected breaking the speed limit. This indicates that the records were stolen from the Automatic Number Plate Recognition (ANPR) system. Some of the leaked samples show close-up images of the faces of drivers caught by the speed camera.

UK citizens would no doubt like much more detail about exactly what the Russian hackers had access to, but UK agencies and Dacoll are naturally being very quiet about the fine details of the attack. There is reason for concern given that Dacoll provides services to 90% of the UK’s law enforcement agencies through its subsidiary NDI Technologies. The company’s NDI Recognition Systems firm is the one that supports the ANPR systems; UK police data is shared with Highways England and DVLA through the company’s software products.

The Russian hackers have once again highlighted the fact that organizational cybersecurity is only as good as the weakest link in a supply chain of vendors with trusted access, but this time with potentially more serious consequences than usual.

As Saryu Nayyar, CEO of Gurucul, observes: “It’s not clear that the evidence released is valuable, although it seems possible that it can be used to identify and blackmail motorists and other individuals … In this case, the data, while it should have been treated as confidential, was easily phished and downloaded. The police and their vendor Dacoll have little incentive to pay this particular ransom, so the identity burden is going to fall on those cited by the evidence. It’s unfortunate that a mistake by Dacoll causes a potential loss for others, so the police should shore up their own systems and do right by those whose evidence has leaked.”

The incident raises the question of what the average person can be expected to do when government agencies, trusted with the most sensitive of their personal information, have a security failing. Heading into the holiday season, it remains to be seen what the UK government will do to remedy the situation; UK citizens still need to know exactly what the Russian hackers made off with. The worst-case scenario would be access to their driver’s license information, a key element for thieves to establish a change of address for the purposes of identity fraud.

Garret Grajek, CEO of YouAttest, points out that the onus falls mostly on the government contractors that have access to this sensitive information: “The real question – is what do enterprises do with all the mayhem occurring? The key is to focus on solid security practices. The NIST guidelines on zero trust (SP 800-27) and cloud security (SP 800-210) are a good place to start. Identity is key to all of these directives and counter measures. This begins with an enterprise knowing what identities are given authorization to which resources and is imperative to cyber security.”

Baber Amin, COO of Veridium, has additional suggestions for securing UK police data at the root: “In this case both the IT firm and UK police should implement matching access control. Preventing successful phishing attacks, as usual, requires a layered approach to security and access.

  1. Eliminate all unauthenticated access by requiring every connection to be authenticated.
  2. Eliminate all single factor authentication by enabling multiple factors.
  3. Depending on the information being accessed, assign different authentication factors based on their trust level.
  4. Create a multi-channel authentication strategy such that a single compromised channel does not compromise the system.
  5. Do not allow full access across all systems even if the user is authenticated via some sort of MFA. Compartmentalize all access.
  6. Implement tools that look for unusual activity e.g. probing, multiple failures, large data ingestion or large data extraction.
  7. Implement tools that evaluate end point trust and can identify bots and automated processes.
  8. Implement behavioral biometrics to distinguish normal users from bots and bad actors.”
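To make item 6 in the list above concrete, here is an added example (not code from the article, from Veridium or from Dacoll) of the kind of check an "unusual activity" tool performs: it scans a constructed, hypothetical audit log for bursts of failed logins and for exports far above a per-query ceiling, and flags accounts that show both in sequence. The log format, thresholds and user names are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format: timestamp, user, event, key=value details).
SAMPLE_LOG = """\
2021-11-01T08:00:01 alice LOGIN_FAIL src=10.0.0.5
2021-11-01T08:00:09 alice LOGIN_FAIL src=10.0.0.5
2021-11-01T08:00:15 alice LOGIN_FAIL src=10.0.0.5
2021-11-01T08:00:22 alice LOGIN_FAIL src=10.0.0.5
2021-11-01T08:00:31 alice LOGIN_OK src=10.0.0.5
2021-11-01T08:05:00 alice EXPORT records=250000
2021-11-01T09:10:00 bob LOGIN_OK src=10.0.0.9
2021-11-01T09:12:00 bob EXPORT records=40
2021-11-01T09:30:00 carol LOGIN_FAIL src=10.0.0.12
2021-11-01T11:30:00 carol LOGIN_FAIL src=10.0.0.12
"""


def parse_log(text):
    """Turn each log line into (timestamp, user, event, details-dict)."""
    events = []
    for line in text.splitlines():
        ts, user, event, *rest = line.split()
        details = dict(kv.split("=", 1) for kv in rest)
        events.append((datetime.fromisoformat(ts), user, event, details))
    return events


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` LOGIN_FAIL events inside any sliding `window`."""
    fails = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "LOGIN_FAIL":
            fails[user].append(ts)
    flagged = set()
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def bulk_exports(events, max_records=10000):
    """(user, record count) for EXPORT events above the per-query ceiling."""
    return [(user, int(d["records"])) for _, user, ev, d in events
            if ev == "EXPORT" and int(d["records"]) > max_records]


def suspicious_accounts(text):
    """Combine both signals; an account that shows both is the highest-priority alert."""
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    exports = bulk_exports(events)
    return {"failure_bursts": sorted(bursts),
            "bulk_exports": exports,
            "burst_then_export": sorted({u for u, _ in exports} & bursts)}
```

Two failures two hours apart (carol) stay below the burst threshold, while four failures in under a minute followed by a 250,000-record export (alice) trip both checks.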


Given that the Russian hackers took down their teaser sample of the UK police data voluntarily, it is possible that the incident will end quietly as Clop worries that it might attract the same level of heat that REvil recently has (the group has already weathered one wave of arrests). But UK residents will have an extra worry going into the holiday season that they should not have to deal with, as the Home Office takes the tack of downplaying the incident and stalling on giving a public assessment of the potential damage.