Security

Twitter whistleblower reveals security issues on site

Allegations of misstated bot numbers and foreign influence


Compared with rival social media networks, Twitter has, or had, largely steered clear of controversy while its peers waded through privacy scandals. The platform may finally have run out of luck: this week a former executive turned whistleblower to reveal a litany of security problems at the company.

The story so far

Back in 2020, Twitter suffered one of the biggest attacks in its history. Attackers social-engineered employees to get into Twitter's internal administrative tools and then took over high-profile accounts, including those of Barack Obama, Joe Biden, Apple, and Kanye West. The hijacked accounts tweeted a Bitcoin scam, inviting followers to send money to a wallet with the promise of doubled returns. The scam itself was crude, but the access behind it represented a critical failure of Twitter's internal controls.

To address what happened, Jack Dorsey's Twitter hired Peiter "Mudge" Zatko, a well-known white-hat hacker, as its new head of security. Zatko did not stay long: he was fired in January this year. By then Dorsey had already left Twitter, handing the company to now-CEO Parag Agrawal.

A few months later, billionaire Elon Musk announced that he intended to buy Twitter and take it private. The deal is currently stuck in limbo, with each side accusing the other of bad faith. Musk, for one, claims the company misrepresented how many bots are on the platform, among other security-related complaints. His concerns have some precedent: Musk's own account was among those taken over in the 2020 hack.

Connecting the dots

What do a Bitcoin scam, a fired executive, and Elon Musk have in common? It sounds like the start of a bad joke, but they are all connected.

The whistleblower is Zatko. According to the extensive disclosure, obtained by CNN and The Washington Post, the former security chief documented a list of security problems during his tenure. However, Agrawal reportedly pressured Zatko to stay silent and not give a full account to the company's board of directors. Zatko believes his firing stems from this dispute.

Months after his firing, Zatko decided to act as a whistleblower, fulfilling the responsibility initially entrusted to him by Jack Dorsey.

A litany of issues

Most of Zatko's complaints concern how lax the company is with access to its systems and data. According to the whistleblower, far too many of the company's engineers have access to production systems and the website's source code. Changes can be made without a reliable record of who changed what. Worse, roughly four in ten employee devices with this access did not meet basic security standards. An engineer (or anyone who compromised an engineer's device) could alter the service to favour particular views over others, and without access controls and change logging the company would have little ability to detect or attribute such a change.

Additionally, Twitter allegedly fails to delete a user's data when they close their account. Under its regulatory obligations, the platform is required to delete all of that data rather than keep a copy for itself.

Thirdly, Zatko says the platform does not accurately measure how many bots are on the site. Twitter has said that fewer than 5 percent of its monetizable daily active users are spam or bot accounts. Zatko does not offer his own estimate, but critics, Musk loudest among them, argue the true figure is higher. The lack of transparency about the number is one reason the sale has not closed.

Finally, and arguably most critically, Zatko says the platform is vulnerable to infiltration by foreign governments. It is no secret that some countries press platforms to open local offices on their home turf. The United States, for example, is pushing TikTok to handle American users' data domestically rather than let it flow to China.

A local presence can serve legitimate national-security goals, but governments can also use the same tactic to place their own people inside a company. The report alleges that Agrawal asked Zatko to hire a Russian agent in order to comply with Russian censorship demands during the early stages of the war in Ukraine. Another allegation is that Twitter employed an agent of the Indian government who had access to vast amounts of user data.

What happens now

Currently, the Securities and Exchange Commission, which received Zatko's complaint, is investigating the extent of the whistleblower's claims. If the allegations are substantiated, Twitter could be liable for billions of dollars in fines.

Twitter denies the allegations and says it maintains strong security and privacy protections for its users. "While we haven't had access to the specific allegations being referenced, what we've seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context," a spokesperson told CNN.

On the other hand, the whistleblower has likely strengthened Elon Musk's case against Twitter. With security concerns part of his original argument, the billionaire will be watching closely to see what the SEC finds.

News

Unpatchable vulnerability discovered in Apple chips

The M-series is affected


Finding new vulnerabilities is part and parcel of a device's lifecycle. Security researchers discover new holes regularly, and a discovery normally leads to a patch from the affected vendor. A newly disclosed one, however, defies that pattern: researchers have found a hardware vulnerability in Apple's chips that cannot be fixed in the silicon already shipped.

A team of researchers from several US universities brought the vulnerability to public attention. It affects Apple's M-series, the company's recent lineup of chips for newer Macs.

The vulnerability abuses a performance feature in the chips' memory subsystem called the data memory-dependent prefetcher (DMP). A conventional prefetcher predicts which addresses a program will touch next from its access pattern; the DMP goes further and inspects the data being loaded, and when a value looks like a memory address it fetches the contents at that address before the program asks for it. This cuts memory latency, but it means the chip's cache state now depends on the values a program handles, not only on the addresses it accesses.

The attack, which the researchers named GoFetch, exploits exactly that. The attacker feeds chosen inputs to a cryptographic routine so that an intermediate value looks like a pointer only when certain secret key bits have particular values; the DMP then dereferences that value, and the attacker detects the resulting cache change through timing measurements. Repeated enough times, this leaks the key bit by bit, even from implementations written to run in constant time.

In practical terms, the attack code can hide inside an innocent-looking app running as an ordinary user; no special privileges are needed. Recovering a key takes hours rather than seconds, but it is not hard to trick a victim into leaving an illicit app running for that long.

The other catch is that it cannot be patched in the usual sense. Because the flaw lies in how the silicon itself behaves, Apple cannot remove it from chips already shipped without re-engineering them. Software mitigations exist: cryptographic libraries can mask or blind intermediate values so they never resemble valid pointers, or run key-handling code on the efficiency cores, which lack the DMP. Such workarounds reportedly cost performance, and the researchers are still evaluating the effect of other software mitigations.

At this point, the practical defence for users is the same advice as for most attacks: be careful what you install. Developers of cryptographic software for Apple silicon should adopt the library-level mitigations as they become available.


News

8 Google tips for safer online browsing

Stay protected online


Safer Internet Day

According to Google, Filipino netizens had a higher interest in cybersecurity last year.

The Philippines ranked among the top in the world in keyword searches for the following terms:

  • malinformation
  • cybercrime
  • phishing
  • malware
  • fraud
  • scam
  • one-time password
  • password strength

The word “fraud” particularly reached a 13-year high in search volume. Meanwhile, searches for “scam” increased by 40% from 2022.

These search trends reflect a growing interest among Filipino netizens in internet safety practices.

To help more Filipinos maintain safe browsing online, here are eight tips from Google.

Install the latest OS, updates

Turn on automatic updates on your device and web browser, and don't ignore update warnings or notifications. Running the latest updates is crucial because they carry security fixes and protection against newly discovered threats.

For Android users, Google Play Protect is on by default and scans apps for malicious behaviour; make sure it has not been switched off.

Use password manager

Google's Password Manager is a free, built-in tool that helps users create, store, and manage strong, unique passwords for all their accounts.

Beyond convenience, the service also analyzes saved passwords for weaknesses and checks whether they have appeared in known data breaches, so a reused or leaked password can be replaced before an attacker tries it.
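As an added illustration (not Google's code and not from the original article), the following Python shows how a password manager can check a saved password against a breach corpus without revealing the password, using the k-anonymity range query popularised by the Have I Been Pwned "Pwned Passwords" API: only the first five hex characters of the password's SHA-1 hash leave the device, and matching of the remaining 35 characters happens locally. The network call is replaced by a constructed in-memory response so the example runs offline; the breach counts and filler entries are invented, although the hash of "password" is its real SHA-1. The `strength_issues` policy is a simple illustrative one, not Google's.

```python
import hashlib
import re


def sha1_upper(password):
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The real service answers with one "HASH_SUFFIX:COUNT" line per breached
# hash beginning with the 5-character prefix. The counts and the two filler
# suffixes below are invented for this example; only the suffix for
# "password" is the real remainder of its SHA-1.
_PWD_DIGEST = sha1_upper("password")
CONSTRUCTED_RANGE_DB = {
    _PWD_DIGEST[:5]: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        _PWD_DIGEST[5:] + ":3861493",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ]),
}


def range_query(prefix):
    """Offline replacement for the HTTP request; returns the response body."""
    if not re.fullmatch(r"[0-9A-F]{5}", prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return CONSTRUCTED_RANGE_DB.get(prefix, "")


def breach_count(password, query=range_query):
    """How many times the password appears in the corpus (0 = not found).

    Only the 5-character hash prefix is sent; the full hash and the
    password itself never leave this process.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        if ":" not in line:
            continue  # tolerate blank or malformed lines in the response
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def strength_issues(password):
    """Illustrative policy checks; returns a list of human-readable findings."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    classes = sum(
        1 for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if re.search(pattern, password)
    )
    if classes < 3:
        issues.append("fewer than 3 character classes")
    if re.search(r"(.)\1\1", password):
        issues.append("a character repeated 3+ times in a row")
    return issues


def audit_password(password):
    """What a manager would show next to a saved password."""
    return {"breached": breach_count(password), "issues": strength_issues(password)}


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-correct-horse"):
        print(pw, "->", audit_password(pw))
```

The privacy property comes from the prefix: for real breach data, each 5-character prefix covers hundreds of hashes, so the server learns only that the client holds one of them. Against a live endpoint, `range_query` would be an HTTPS GET and the rest of the code stays the same.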

Secure accounts with passkeys

Speaking of passwords, passkeys replace them entirely with a cryptographic key pair stored on your device and unlocked with your fingerprint, face, or device PIN.

They protect accounts against phishing because the private key never leaves the device and each sign-in is bound to the legitimate site, so a look-alike site cannot capture or reuse it the way it can a typed password.

Run regular security checkups

Google Security Checkup is a simple tool within your Google Account that reviews your security settings and suggests improvements.

It helps users identify and fix potential vulnerabilities across their digital footprint, from connected devices to third-party apps that still hold access to the account.

Review your data settings

Run a deeper checkup to see whether your apps and accounts are handling your data as you expect.

Make sure you're not sharing more data than you intend, especially sensitive information. Look through each app and site to see whether you still agree with its terms and conditions and its privacy settings.

Avoid suspicious links

Take a moment before clicking any link, whether online or in an SMS. Unexpected links are a common way to lead you to a fake page that steals credentials or other sensitive information.

If a link does not look legitimate, report it immediately and block the source.

Don’t give in to pressure

Scams and frauds, whether online, over the phone, or in person, rely on pressuring someone or getting them nervous and careless.

When you are rushed to make a decision and it feels unusual, take a moment to stop, think, and assess the situation. If you’re not allowed to pause, something is not right.

Check the facts

Before posting or sharing, verify information first. See if the information is from a trusted source. Using Google Search, check the way it is written or said, who shared it, and other details.


Apps

Google admits Incognito Mode still tracks your data

New disclaimer spotted in Chrome


Over the years, Chrome's Incognito Mode has accumulated quite the reputation. For many users, the alternative browsing mode was a quick way to visit dubious websites away from prying eyes. However, the mode isn't as incognito as the name implies, as a lawsuit from years ago made clear. Now, Google has conceded the point and spelled out the shortcomings of Incognito Mode.

Back in 2020, Google faced a lawsuit over the privacy that Chrome's Incognito Mode purportedly provides. The lawsuit alleged that the private mode still lets websites track a user's activity and data.

At the time, Google itself confirmed that websites can do that. Now, almost four years after the lawsuit, the company has agreed to settle the case, which sought US$ 5 billion in damages.

Now, Chrome is adding a new disclaimer (spotted via MSPowerUser) to keep users from expecting complete privacy while using Incognito Mode. Besides reminding users that the device still keeps downloads and bookmarks, the notice that appears whenever an Incognito window is opened now also reads: "This won't change how data is collected by websites you visit and the services they use, including Google."

The disclaimer does not change how websites process your data. Incognito Mode only stops Chrome from keeping history, cookies and site data on the local device after the window closes; the websites you visit, and any trackers they embed, still see the same requests they always did. The new wording mainly limits Google's liability when someone complains about the privacy of their data.
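To make the disclaimer's point concrete, here is an added Python example (not from the article and not Google's code) that takes the website's point of view. It parses a few constructed web-server log lines, two of them from an Incognito window that sent no cookie, and groups requests two ways: by the site's tracking cookie, which Incognito does suppress, and by a passive fingerprint built from the client IP, User-Agent and Accept-Language headers, which Incognito does not change. The log format and every value in it are made up for this example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed log lines in a custom format (not a real server's log).
# Lines 2 and 3 come from an Incognito window on the same machine as
# line 1: no cookie, but the same IP and the same browser. Line 4 is an
# unrelated visitor.
CONSTRUCTED_LOG = """\
203.0.113.7 - [15/Jan/2024:10:01:02 +0000] "GET /article HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0" "en-US,en;q=0.9" cookie="uid=abc123"
203.0.113.7 - [15/Jan/2024:10:07:45 +0000] "GET /private-page HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0" "en-US,en;q=0.9" cookie="-"
203.0.113.7 - [15/Jan/2024:10:08:13 +0000] "GET /another HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0" "en-US,en;q=0.9" cookie="-"
198.51.100.22 - [15/Jan/2024:10:09:00 +0000] "GET /article HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/121.0" "en-GB,en;q=0.8" cookie="uid=zzz999"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<lang>[^"]*)" cookie="(?P<cookie>[^"]*)"$'
)


def parse_log(text):
    """Parse lines into dicts; lines that do not match are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        parts = rec["req"].split()
        rec["path"] = parts[1] if len(parts) > 1 else rec["req"]
        records.append(rec)
    return records


def passive_fingerprint(rec):
    """Identifier derived only from headers every request carries, cookie or not."""
    raw = "|".join((rec["ip"], rec["ua"], rec["lang"])).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()[:16]


def link_by_cookie(records):
    """Group paths by tracking cookie; cookieless (Incognito) requests stay unlinked."""
    groups = defaultdict(list)
    for rec in records:
        if rec["cookie"] != "-":
            groups[rec["cookie"]].append(rec["path"])
    return dict(groups)


def link_by_fingerprint(records):
    """Group paths by passive fingerprint; Incognito requests link straight back."""
    groups = defaultdict(list)
    for rec in records:
        groups[passive_fingerprint(rec)].append(rec["path"])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_log(CONSTRUCTED_LOG)
    print("by cookie:     ", link_by_cookie(recs))
    print("by fingerprint:", link_by_fingerprint(recs))
```

Cookie-based grouping sees the two Incognito visits as anonymous one-offs, but the fingerprint grouping ties them to the same client as the logged-in visit. Real trackers combine far more signals than three headers, which is why changing the network path (a VPN or Tor) or using a browser that normalises its fingerprint does more than Incognito alone.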

If you want more privacy than Incognito Mode offers, other tools serve that purpose better. A VPN or Tor hides your IP address from the sites you visit (a VPN simply shifts that trust to the VPN provider), and Tor Browser also normalises browser fingerprints. Some browsers, Brave for instance, build a Tor mode and a VPN into the software already. Note that none of these stop a site from recognising you once you log in.
