Wednesday, 24 August 2022


(Photo: Joshua Hoehne/Unsplash)
Peiter “Mudge” Zatko served as Twitter’s head of security for approximately two years. Now, just months after being ousted, he’s blowing the whistle on the popular social network’s insufficient—and often negligent—cybersecurity practices.

Twitter regularly loses track of users’ information after they’ve deleted their accounts, allows virtually unfettered staff access to its internal controls, and fails to address the increasing population of bots using the site, according to a 200-page disclosure obtained by CNN and The Washington Post. Zatko originally sent the disclosure to Congress and a handful of enforcement agencies last month in an attempt to bring federal attention to Twitter’s wrongdoings, which he alleges impact user safety and even threaten national security.

Zatko was originally recruited by ex-CEO Jack Dorsey for his experience at Stripe, Google, and the Department of Defense, as well as his “ethical hacking” skills. Upon joining the company, however, he discovered an atmosphere riddled with “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.” Thousands of Twitter employees had unnecessary access to the site’s most sensitive controls. There was no log of who entered the site’s “production environment” (the internal access point from which one can change the public platform), when they entered, or what changes they made. Fewer than half of Twitter’s workforce used computers that met basic cybersecurity standards, and half of its 500,000 servers ran on outdated software that couldn’t support encryption or vendor security updates.

This was only the beginning. When Dorsey stepped down and Parag Agrawal filled in, Agrawal supposedly discouraged Zatko from escalating the aforementioned security vulnerabilities to Twitter’s board of directors. According to Zatko, executives eventually ordered him to share these vulnerabilities orally instead of by written means, and to “cherry-pick” and “misrepresent” data that would make it appear as though the company had made strides to improve its site’s security. Afterward, executives covertly covered up a third-party consulting firm’s report that confirmed many of Zatko’s original suspicions.

(Photo: Jeremy Bezanger/Unsplash)

Before being terminated in January 2022 for what Twitter claims was underperformance, Zatko reviewed evidence from the US government that at least one Twitter employee was working for a foreign intelligence service. (Sure enough, this month a Twitter employee was convicted of having spied for Saudi Arabia for financial gain.) Concerns regarding international tensions rose when Agrawal—Twitter’s chief technology officer at the time—told Zatko the platform should comply with Russian censorship and surveillance demands. This suggestion was ultimately cast aside.

Agrawal responded to the disclosure in a memo to employees on Tuesday. “We are reviewing the redacted claims that have been published, but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context,” he wrote. Agrawal went on to imply that Zatko’s disclosure was the product of retaliation, saying “Mudge was accountable for many aspects of this work that he is now inaccurately portraying more than six months after his termination.”

Spokesperson Rachel Cohen told CNN the Senate Intelligence Committee is taking the disclosure seriously and planning to meet to discuss the allegations soon. The Senate Judiciary Committee and House Energy and Commerce Committee are also investigating or planning to investigate Zatko’s disclosure. The document was additionally sent to the U.S. Securities and Exchange Commission, the Bureau of Consumer Protection at the Federal Trade Commission, and the Justice Department.

“If these problems are not corrected, regulators, media, and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics,” Zatko wrote in a separate document cited within the disclosure.

from ExtremeTech https://ift.tt/hLXr9Fg
