A shocking whistleblower report from Peiter ‘Mudge’ Zatko, a well-known cybersecurity expert who served as Twitter’s head of security from mid-2020 to early 2022, asserts that the company is “grossly negligent” in “several areas” of information security and privacy protections.
The whistleblower report came in the form of a complaint filed with the Securities and Exchange Commission (SEC), Department of Justice and the Federal Trade Commission (FTC), with a redacted version also sent to a number of congressional committees (which has reached various news outlets). As part of a 2011 settlement with the FTC over prior security and privacy violations, Twitter agreed to a security improvement plan that Mudge says it has not kept up with and is knowingly deceiving both authorities and the general public about.
Former head of security lays out endemic security and privacy issues at Twitter
The story begins over a decade ago, with Twitter being breached at least twice in 2009 in incidents where attackers took administrative control over the system and had the ability to issue tweets from any account. The 2011 settlement it reached with the FTC over those incidents required it to make extensive security improvements, to be assessed by an auditor every two years, and to not mislead the public about its security and privacy protections for a period of 20 years. The company evaded a fine with this settlement, but could be fined up to $16,000 per incident for violations of its terms.
Twitter had a number of smaller security and privacy issues over the ensuing years, but the big one (which reflected what had happened in 2009) came in the summer of 2020. A group of teenage hackers managed to socially engineer their way into similar administrative control, issuing tweets from various high-profile accounts as part of a crypto scam.
Mudge was brought in as head of Twitter’s cybersecurity by former CEO Jack Dorsey in the wake of this embarrassing incident. His time in that position ended in January 2022 after he filed internal reports indicating that Twitter executives had misled the board of directors in a presentation regarding the security readiness of the company’s internal systems. Current CEO Parag Agrawal told the press at the time that Mudge’s firing was part of an internal shakeup and change of focus to “top priority work.”
The scope of Mudge’s allegations in the whistleblower report includes how the company handles the security and privacy of user information, its knowledge of and ability to control spam bots, the level of internal access control, failures to routinely patch large numbers of company computers, and the infiltration of the company by foreign intelligence agents and assets from several different nations.
Aaron Turner, CTO, SaaS Protect at Vectra, expands on what this could mean if these security and privacy allegations are indeed accurate: “From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems. If Mudge’s disclosure is correct, that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter’s entire platform is at risk of compromise.”
Patrick Dennis, CEO at ExtraHop, believes that this could touch off a massive regulatory storm for Twitter if the allegations are found to be credible: “In the Musk deal, Twitter’s refusal to provide relevant data regarding the prevalence of bots on the platform ultimately resulted in Musk pulling out, and for good reason. Bots are not only used by nation states for cyberespionage and digital Kompromat, they are also used for social engineering that conditions users to click on malicious links and engage in other unsafe online behavior. Given their refusal to acknowledge or deal with the bot problem in any material way, it should come as no surprise that Twitter also lacks the willingness to address other major security concerns regarding the privacy and safety of its users. In terms of what consequences Twitter will face, I expect that regulators in the EU will be very keen to understand how consumer data has been mismanaged for purposes of GDPR. I expect similar investigations in California under CCP. But I think the one to watch is how federal authorities will treat the allegations that Twitter employees are working for a foreign intelligence service. There has long been speculation about tech company employees being planted by nation state governments. If this is true, it could bring substantially more scrutiny around hiring practices.”
Whistleblower report includes laundry list of serious allegations
Mudge was brought in to deal with an access control incident that involved too many relatively low-level employees at the company having a direct reach into user accounts and tweets; his whistleblower report indicates that this situation may not have substantially improved since then. Mudge says that “thousands” of employees still have access to the company’s production environment without access logging and that there are fundamental security issues throughout the internal network that impact all employees, with some 30% of its computers set to reject security updates that include vital patching of known vulnerabilities.
This issue appears to have been at the center of his firing, at least according to the version presented in the whistleblower report. Sometime just prior, he alleges Twitter executives went before the board of directors and claimed that only 8% of company computers did not have up-to-date security software installed. He also appears to have come into conflict with executives in his inquiries into exactly how much spam was on the platform and how many accounts were bots, unable to get a “straight answer” from anyone and seeing evidence that executives were prioritizing user growth over filtering these types of accounts out. He says that the board ordered him to give an oral presentation to the board using “cherry-picked” data points and that a third-party consulting firm’s report on company security was “scrubbed” for one of these presentations.
The whistleblower report also alleges that the company does not properly delete the user data of closed accounts, in some cases because it is unable to keep track of it. This is another area in which Mudge claims the company has misled regulators. And about half of the company’s 500,000 servers are allegedly running on outdated software that does not allow for regular security updates and is not able to encrypt stored data. The platform is also allegedly highly vulnerable to crashes and denial of service attacks, with dysfunction in the established recovery process to the point that the simultaneous outage of several data centers could potentially knock the service offline permanently.
Mudge also believes that at least one Twitter employee, and possibly more, is working for a foreign government and engaged in espionage. It would not be the first incident of this nature, with a former manager recently convicted of spying for Saudi Arabia. The whistleblower report indicates that the government of India may have been directly involved in placing employees in the company for this purpose, and that the pursuit of revenue from China may have led to “Chinese entities” having access to sensitive information about Twitter users.
Twitter has responded to Mudge’s whistleblower report with a variety of attacks on his character: claiming that he was fired for poor performance, and intimating that he may be doing this for a financial reward from government whistleblower programs or for the benefit of Elon Musk.
The infosec community has almost universally rallied behind him, however, noting that he has been viewed as a luminary with an excellent track record since his work as a founder of seminal hackerspace and think tank “The L0pht” in the 1990s. Andrew Hay, COO at LARES Consulting, summed up the general sentiment: “Mudge has been a trusted name in security and privacy since the early 1990s when he was with L0pht. Those in the industry who know Mudge know that his intentions have historically been honorable, non-partisan, and designed to benefit the world. Nothing that I have seen or heard would indicate otherwise.”
Casey Ellis, Founder and CTO at Bugcrowd, adds: “Mudge has a long and rock-solid reputation of putting integrity first. He’s also one of those infosec elders who rarely sticks their neck out to make a fuss, but when they do it’s almost certainly worth paying attention to – This dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time. Judging by the way the infosec community has closed ranks around him this morning, others clearly feel the same way. Infosec doesn’t suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves. I can’t speak to the specifics of the disclosures themselves, but I’m definitely pleased to see this prompting a discussion around the “critical infrastructure” characteristics of social media platforms and the implications this has on national security and privacy – especially as the midterms in the US get underway and sets itself up for the 2024 election. It seems clear that this categorization as critical infrastructure is something Twitter and other social platforms would probably rather avoid, but it is a conversation we need to have.”
Kevin Novak, Managing Director of Cybersecurity for Breakwater Solutions, observes that the position Mudge found himself in is not at all uncommon for CISOs nor are the alleged actions by company executives: “The role of the Chief Information Security Officer (CISO) has changed considerably over the last decade, as it has been thrust out of the back room and into the board room. CISOs today are challenged with wearing an array of differing functional hats that range from Legal to Marketing, to Technology, to Physical Security, to Privacy and Compliance, to Human Resources. They are required to speak the most technical language when managing in the trenches and shift on a dime to provide cyber risk and financial loss analysis to Board Members.”
“The fact is, most CISOs go out of their way to shine a light on those insecurities that threaten an organization and its clients, and good CISOs even craft their message in terms that business executives understand: the potential for Lawsuits, Financial Fraud, Damage to Reputation, Loss of Operations, Government Sanctions, and Regulatory Scrutiny to name a few. But bringing those messages to your manager, Sr. Executives, or the CEO is very different than answering openly and transparently to the Board of Directors; particularly when you’ve been discouraged from doing so by your management team. Speaking candidly, openly, and transparently to the board is often considered “career limiting” and you’ll often hear CISOs use language like: “I’m aligned with my manager, and we’re working through any challenges we’ve encountered”. So CISOs often have to choose between evils when facing the dissonance of knowing that their firm is acting recklessly: They can quit, speak openly and honestly–then face termination for not being a team player or more likely for “poor performance”, or Whistle blow. None of these options is very appealing to the CISO, as each is profoundly impactful on their professional career, but they are issues that CISOs around the world face regularly. It’s the reason that many regulators and regulatory doctrine have begun encouraging more independence for the CISO, reporting to the Board or CEO directly and not through a litany of management that might change their message before it can be heard by those who hold a fiduciary duty for protecting not only their own firm, but that of the public at large,” added Novak.