Twitter insiders are out of control, SecOps alumni allege

Richi Jennings Your humble blogwatcher, dba RJA

After last week’s appalling Twitter hack, questions remain over the permissions given to Twitter support staff. Allegedly, thousands of contractors can access DMs and other private data, with no effective oversight.

Twitter was repeatedly warned about the problem, say ex-insiders. They also say management never gave it the attention it deserved.

They also allege some of the blame lies with contractors working for Cognizant. In this week’s Security Blogwatch, we lay a trail of birdseed.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: King-Pop.

Fix it, or bluebird gets it

What’s the craic? Alex Hern and Mark Sweney report—Twitter hackers accessed direct messages of up to 36 accounts:

The accounts include that of an unnamed “elected official in the Netherlands,” believed to be far-right legislator Geert Wilders. … During the hack, Wilders’ profile picture was replaced with a racist caricature of a black man, and his account was used to retweet conspiracy theories.

[The] 36 accounts are in addition to eight accounts that Twitter had earlier confirmed had had the entirety of their Twitter activity downloaded. … Another 45 accounts had tweets sent by the attackers, including those of Elon Musk, Kanye West and the Apple chief executive, Tim Cook. [But] Twitter said [last week] that the impact was greater than was publicly visible.

The social network has been tight-lipped about how the hack came about, saying only that it was “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

And then the other shoe dropped. Jordan Robertson, Kartikay Mehrotra, and Kurt Wagner add—Twitter’s Security Woes Included Broad Access to User Accounts:

Twitter’s oversight over the 1,500 workers who reset accounts, review user breaches and respond to potential content violations for the service’s 186 million daily users have been a source of recurring concern … four former Twitter security employees [said]. The controls were so porous that … some contractors made a kind of game out of [peeking] into celebrity accounts … to track the stars’ personal data … two of the former employees said.

Some of Twitter’s contractors that became proficient in snooping on Beyonce’s and other celebrity accounts were employed by Cognizant Technology Solutions Corp. in as many as a half-dozen locations, the two former employees said. Cognizant, which continues to work with Twitter, declined to comment.

According to two of the former [employees] security programs … were, at times, shelved for engineering products designed to enhance revenue. … Concerns over insider access to Twitter accounts were brought to Twitter’s board of directors almost annually during a period from 2015 to 2019, only to be deferred for other priorities.

Snooping on accounts wasn’t considered a major security concern among Twitter executives. [It] happened so often that members of Twitter’s full-time security team … struggled to keep track … according to the two former employees.

A Twitter spokeswoman … disputed the former employees’ characterization of the company’s oversight of user accounts. … This account is [also] based on interviews with … more than a half dozen other people close to Twitter.

Ouch. Jay Peters narrates thuswise—Twitter contractors reportedly spied on celebs, including Beyoncé:

Twitter’s internal tools … typically allow certain Twitter staffers to do things like reset accounts or respond to content violations, but they could apparently also be used to spy on or hack an account. … Twitter has already shared that its own tools were compromised in the July 15th hack [but] it’s still unclear exactly how the attackers got access to [the] tools.

The penalty for abusing Twitter’s internal tools can include termination of employment, the company tells [me].

Or worse. As The Sunshine State OG points out:

These stupid kids are playing with fire. … Sentences for federal conspiracy charges differ depending on the nature of the crime. [If] a felony, individuals may be sentenced to up to life in prison [plus] a very large fine.

Federal prosecutors often charge conspiracies that require 5, 10 or 20-year mandatory minimum prison sentences. However, federal prosecutors often reduce the sentencing range of this charge if an individual provides testimony against his or her co-defendants.

Twitter! Better security—now! Steve Gibson spins a Hack Update rite: [You’re fired—Ed.]

It's obvious in retrospect that if high profile accounts were compromised so that attackers were able to obtain login access, they would or could have also nosed around in the normally private DM channels of those accounts. … So not surprisingly the news that some of the world's most influential people probably had their personal messages read by hackers who are still unknown … will put additional pressure on Twitter to better protect its users.

From Twitter's standpoint, it would be a big feather in its cap if it could boast true end-to-end encryption for private DMs. The idea would be that neither Twitter nor anyone else except the tweets' intended recipients would be able to read the tweets. … If anyone out there at Twitter is listening and if you have any interest in … end-to-end encryption … please please please don't roll your own brand new ad hoc solution.

But it’s not only Twitter. Or so says Brian Bixby:

At one time I was hired at Microsoft as a short-term contractor to aid a project to migrate some NT4 domains into the larger Active Directory infrastructure. New guy with almost no references, just off the street, and my first day I had Enterprise Administrator and Schema Administrator permissions and was working in an office where there wasn't anyone else for most of the day.

When the project was finished and there were still several months left in my contract I was moved to a new group where no one, including the woman who had been working in MS network security for 10 years, had those permissions. When they needed to do things that they didn't have rights for they would come to me and tell me what to do rather than go through the laborious process of getting the groups that did have permissions to do them.

Cool story, bro. Give ἐλευθερία liberty, or give them feta:

We need absolute security and privacy from people in companies … who will abuse their secret power.

I hope new business models – that are not surveillance capitalism – arise that provide robust privacy and security to product users, and safe ways to allow tech support access in a way that can’t be abused. e.g., open-source pre-Internet encryption as the default when tech support isn’t needed.

That way, DMs truly remain private between sender and receiver. How many and how much people care about this will determine whether that happens.

What we need is radical transparency, argues Patrick Walsh—just the most recent reminder of how broken the cloud remains:

Software companies need to start rethinking employee access completely. … It’s extremely common for employees of SaaS companies to have access to sensitive customer data. … Where I’ve worked … most of customer support, ops, devops, engineering, and professional services had the ability to access customer data or to act in the context of a particular customer.

We had systems to gate the access that logged whenever an employee looked at customer data and what they looked at. … But the question is: Who was looking at those logs? I don’t think they were regularly monitored. … And those logs certainly weren’t published to the customer.

With great power comes great temptation. … Without transparency, there’s no accountability. Without accountability, there can be no trust.

When customers can see how their data is accessed, they can react to that information. And when cloud vendor employees know that a customer will see them accessing their data, they act more responsibly.
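The access logging and customer-visible reporting that Walsh describes, as an added example that is not part of the original post or of any Twitter or Cognizant tooling: it parses a constructed log of internal-tool use, flags sensitive actions with no linked support ticket, surfaces employees whose unticketed access spans several accounts in a day, and builds the per-account history a customer could be shown. The log format, the ticket rule and the threshold are assumptions.

```python
# Added example: reviewing an internal-tool access log. The log format,
# the "sensitive action needs a ticket" rule and the threshold are assumptions.
from collections import defaultdict

# Constructed sample log: one line per use of an internal support tool.
# Fields: timestamp, employee, action, target account, linked ticket (or "-")
SAMPLE_LOG = """\
2020-07-14T09:01:10Z emp_a41 view_profile @fan_account TKT-1001
2020-07-14T09:05:22Z emp_a41 read_dms @celebrity_one -
2020-07-14T09:06:03Z emp_a41 read_dms @celebrity_two -
2020-07-14T09:07:41Z emp_a41 view_profile @celebrity_three -
2020-07-14T10:12:00Z emp_b07 reset_account @regular_user TKT-1002
2020-07-14T11:30:45Z emp_b07 read_dms @celebrity_one TKT-1003
"""

# Actions that expose private data and therefore must be tied to a ticket.
SENSITIVE = {"read_dms", "reset_account"}

def parse_log(text):
    """Parse the whitespace-separated log into a list of dicts."""
    records = []
    for line in text.splitlines():
        ts, emp, action, account, ticket = line.split()
        records.append({"ts": ts, "employee": emp, "action": action,
                        "account": account,
                        "ticket": None if ticket == "-" else ticket})
    return records

def unticketed_sensitive_access(records):
    """Sensitive actions with no support ticket: each one is a policy violation."""
    return [r for r in records if r["action"] in SENSITIVE and r["ticket"] is None]

def snooping_suspects(records, threshold=2):
    """Employees whose unticketed access touched >= threshold distinct accounts
    on one day: the 'game of peeking into celebrity accounts' pattern."""
    touched = defaultdict(set)
    for r in records:
        if r["ticket"] is None:
            touched[(r["employee"], r["ts"][:10])].add(r["account"])
    return sorted({emp for (emp, _day), accts in touched.items()
                   if len(accts) >= threshold})

def customer_report(records, account):
    """The access history a customer could be shown for their own account."""
    return [(r["ts"], r["action"], r["ticket"] or "no ticket")
            for r in records if r["account"] == account]
```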

Meanwhile, mschaffer is the product:

Twitter's new motto: You get what you paid for.

The moral of the story?

Are your support and DevOps teams accountable? Would you consider radical transparency?

And finally

King of Pop vs. K-Pop


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Krzysztof Niewolny (via Pixabay)
