The Limited Times

Now you can see non-English news...

Twitter is vulnerable to Russian and Chinese influence, says an informant

2022-08-24T10:32:16.617Z


In response to the disclosure, the top Republican on the Senate Intelligence Committee, Marco Rubio, promised to further investigate the allegations.


Former Twitter security chief denounces serious network failures 5:54

Washington (CNN Business) --

Twitter is uniquely vulnerable to exploitation by foreign governments in ways that threaten US national security and may even have foreign spies currently active on their payroll, according to Peiter "Mudge" Zatko. the whistleblower at the center of a massive public disclosure effort reported Tuesday by CNN and The Washington Post.

A combination of weak cybersecurity controls and poor judgment has repeatedly exposed Twitter to numerous risks of foreign intelligence intervention, according to Zatko, who was Twitter's chief security officer from November 2020 until he was fired in January.

  • Former Twitter executive denounces reckless and negligent cybersecurity policies

From taking money from untrusted Chinese sources to proposing that the company bow to Russian censorship and surveillance demands, Twitter executives, including now-CEO Parag Agrawal, have put Twitter users and employees at risk. Twitter in pursuit of short-term growth, Zatko alleges.

Peiter Zatko, known as Mudge in the hacker community, poses for a portrait on August 22.

CNN sought Twitter comments on more than 50 separate questions in response to the general disclosure, along with specific questions about the allegations outlined in this story.

Twitter did not respond to CNN's questions about foreign intelligence risks, but a company spokesman said Zatko's allegations are generally "riddled with inconsistencies and inaccuracies, and lack significant context."

The national security allegations are part of a nearly 200-page explosive disclosure to Congress, the Justice Department and federal regulators that accuses Twitter leadership of covering up critical company vulnerabilities and defrauding the public.

Zatko, a longtime cybersecurity expert who has held top positions at Google, Stripe and the Department of Defense, submitted his disclosure to authorities last month after what he described as months of unsuccessfully trying to sound the alarm. into Twitter about the dangers he faced.

While the disclosure to Congress is edited to omit sensitive details related to national security claims,

Among its allegations, the whistleblower disclosure claims that the US government provided specific evidence to Twitter shortly before Zatko's firing that at least one of its employees, perhaps more, worked for another government's intelligence service.

The disclosure does not say whether Twitter acted on US government advice or whether the advice was credible.

advertising

The whistleblower revelation could further inflame bipartisan concerns in Washington about foreign adversaries and the cybersecurity threat they pose to Americans.

In recent years, lawmakers have worried about authoritarian governments siphoning American citizen data from hacked or flex companies, leveraging technology platforms to subtly influence or sow disinformation among American voters, or exploiting unauthorized access to collect information about human rights critics and other perceived threats to non-democratic regimes.

The alleged Twitter flaws could potentially open the door to all three possibilities.

In response to the disclosure, the top Republican on the Senate Intelligence Committee, Marco Rubio, promised to further investigate the allegations.

"Twitter has a long history of making really bad decisions on everything from censorship to security practices. That's a huge concern given the company's ability to influence national discourse and global events," Rubio said.

"We are treating the complaint with the seriousness it deserves and look forward to learning more."

In the months before Russia invaded Ukraine, Agrawal — then Twitter's chief technology officer — seemed poised to make significant concessions to the Kremlin, according to Zatko's disclosure.

Agrawal proposed to Zatko that Twitter comply with Russian demands that could result in extensive censorship or surveillance, Zatko alleges, recalling an interaction he had with Agrawal at the time.

The disclosure does not provide details on what exactly Agrawal suggested.

But last summer, Russia passed a law pressuring tech platforms to open local offices in the country or face possible advertising bans, a move Western security experts say could give Russia greater leverage over American technology companies.

Agrawal's suggestion was framed as a way to grow users in Russia, the disclosure says, and while the idea was eventually scrapped, Zatko still saw it as an alarming sign of how far Twitter was willing to go in pursuit of growth. , according to disclosure

"The fact that Twitter's current CEO suggests that Twitter become complicit with the Putin regime is cause for concern about Twitter's effects on US national security," Zatko's disclosure reads.

Twitter is also in a compromised position in China, the disclosure to Congress claims.

The company has allegedly accepted funding from anonymous "Chinese entities" who now have access to information that could ultimately unmask people in China who illegally circumvent government censorship to view and use Twitter.

"Twitter executives knew that accepting Chinese money put users in China at risk," the disclosure says.

"Mr. Zatko was told that Twitter was too dependent on the revenue stream at this point to do more than try to increase it."

Zatko's 80-page disclosure outlining his allegations, along with nearly two dozen additional supporting documents, is being made public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia.

The former employee had allegedly abused his access to Twitter data to collect information on suspected Saudi dissidents, including their phone numbers and email addresses, and allegedly provided that information to the Saudi government.

A feminist activist in Saudi Arabia is sentenced to 34 years 1:11

That security breach, first discovered in 2019, underscores the seriousness of Zatko's allegations, which describe Twitter as an extremely porous organization with alarmingly lax cybersecurity controls compared to its corporate peers.

To do their jobs, about half of Twitter employees have excessive permissions that grant access to live user data and active Twitter product, according to the disclosure, a practice that Zatko says is a significant departure from standards. from other major tech companies where access is tightly controlled and employees largely work in special sandboxes isolated from the consumer-facing product.

"All the engineers" at the company, Zatko alleges, "

Twitter told CNN that its handling of source code is not outside of industry practice, and that Twitter's product and engineering teams are authorized to access the company's live platform if they have a specific business justification for doing so. do it.

The company also said it uses automated checks to ensure that laptops running outdated software can't access the production environment, and that employees can only make changes to the Twitter Live product after the code meets certain requirements. record keeping and review.

The disclosure alleges that Twitter has trouble reducing its cybersecurity risks because it can't control, and often doesn't know, what employees may be doing on their work computers.

Data Zatko revealed from Twitter's internal cybersecurity dashboards shows that four in 10 employee devices, representing thousands of laptops, don't have basic protections enabled, such as firewalls and automatic software updates.

Employees can also install third-party software on their computers with few technical restrictions, the disclosure says, which has allegedly resulted in multiple instances of employees installing unauthorized spyware on their devices at the behest of outside organizations.

In its responses to CNN, Twitter said that employees use devices monitored by other IT and security teams with the power to prevent a device from connecting to sensitive internal systems if it runs outdated software.

Twitter has internal security tools that the company tests regularly and every two years by outside auditors, according to a person familiar with Zatko's tenure with the company.

The person added that some of Zatko's statistics on device security lacked credibility and were derived by a small team that didn't properly take into account Twitter's existing security procedures.

John Tye, founder of Whistleblower Aid and an attorney for Zatko, told CNN that "we absolutely stand by the substance of Mudge's disclosure."

Improper access and limited monitoring of employee behavior create opportunities for insider threats like the Saudi raid, but the Saudi government wasn't alone in seeking greater access to Twitter's internal systems, Zatko alleges.

The Indian government has successfully "forced" Twitter to hire agents to work on its behalf, the disclosure says, "who (due to Twitter's basic architectural flaws) would have access to large amounts of sensitive Twitter data."

Twitter has withheld that fact from its public transparency reports, the disclosure adds.

Last year, the Indian government pushed to expand its control over social media within its borders, clashing with Twitter over content removal, forcing tech platforms to hire legal and police liaisons in the country, and even conducting raids on social networks. local Twitter offices.

The person familiar with Zatko's work said the Indian government agents referred to in the disclosure were in fact the legal and police liaisons required by Indian law.

Many tech platforms are global companies, and in some cases, as with Russia's attempt to force tech companies to open local headquarters, their employees may unwittingly become points of influence for governments who want to put pressure on the companies.

Corporate and user data stored on or accessible to employee computers may be at risk of being accessed or seized by local authorities.

Employees themselves, or their families, may be at risk of being threatened or coerced.

But Twitter's unique cybersecurity vulnerabilities have meant that its local offices have become particularly sensitive targets, Zatko alleges.

India, Nigeria and Russia have "seeked, with varying success, to force Twitter to hire local [full-time employees] who could be used as leverage," the disclosure says.

Twitter's business practices not only undermine the interests of the United States but also those of all democratic nations, the disclosure alleges, citing the company's handling of a Nigerian government decision to block Twitter for months last year over a presidential tweet. which was widely interpreted as a threat against some Nigerian citizens and subsequently removed by Twitter.

Nigeria lifted its ban on Twitter in January, after the government said the social media platform had agreed to all of its conditions.

Conditions include adhering to Nigerian "prohibited publication" laws.

Despite Twitter's claims to have been in negotiations with Nigeria after it suspended the company, those talks never actually happened, Zatko alleges.

Twitter's alleged misrepresentations about the Nigerian government's involvement not only hurt the company's investors, the disclosure says, but also gave Nigerian officials cover to demand much larger concessions from Twitter than the company would otherwise have given. way.

The concessions, according to Zatko's disclosure, have "harmed the free speech rights and democratic accountability of Nigerian citizens."

Twitter

Source: cnnespanol

All news articles on 2022-08-24

You may like

Trends 24h

News/Politics 2024-03-28T06:04:53.137Z

Latest

© Communities 2019 - Privacy

The information on this site is from external sources that are not under our control.
The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.