Security

Twitter whistleblower reveals security issues on site

Allegedly lying about numbers and international influence

Published

on

Twitter

Compared to rivaling social media networks, Twitter has — or had — successfully navigated away from controversy, leaving everyone else in a mire of privacy issues. However, the platform might have finally run out of luck. This week, an ex-executive has turned into a whistleblower to reveal a litany of issues surrounding the platform.

The story so far

Back in 2020, Twitter suffered one of its biggest attacks in its storied history. The list of victims included major names in American politics, industry, and entertainment like Barack Obama, Joe Biden, Apple, and Kanye West. All of the hacks invited users to deposit money into a Bitcoin wallet for the promise of doubled returns. Though innocuous, the attack represented a critical failure in Twitter’s infrastructure.

To address what happened, Jack Dorsey’s Twitter hired Peiter “Mudge” Zatko, a white-hat hacker, as its new head of security. While he quickly ascended through the company’s ranks, Zatko didn’t stay long in the position. He was fired back in January this year. Of note, Dorsey already left Twitter at this point, leaving the company to now-CEO Parag Agrawal.

Fast forward to a few months later, billionaire Elon Musk made a bold claim that he was going to purchase and privatize Twitter. The deal, sparkling with promise, is currently stuck in limbo, owing to both parties’ issues with the other. Musk, for one, claimed that the company lied about how many bots were on the platform, among other security-focused issues. Now, his concerns do have some precedence: Musk was one of the big names affected during the 2020 hack.

Connecting the dots

What does a Bitcoin scam, a fired executive, and Elon Musk have in common? It sounds like the start of a bad joke, but they’re all connected.

For one, the eventual whistleblower is Zatko. According to the extensive report, obtained by CNN and The Washington Post, the ex-chief discovered a list of security issues during his tenure. However, Agrawal reportedly forced Zatko to stay silent and not provide a full account to the company’s board of directors. Zatko believes that his firing stems from this issue.

Months after his firing, Zatko decided to act as a whistleblower, fulfilling the responsibility initially entrusted to him by Jack Dorsey.

A litany of issues

Most of Zatko’s issues revolve around how lax the company is with security and information. According to the whistleblower, all of the company’s engineers have access to the website’s source code. Further, anyone can easily make changes to the code without logging in what changed. Even worse, an astounding 4 out of 10 devices with this access have poor security standards. If an engineer (or someone close to them) wanted to, they can easily change the website to favor more of their views over others.

Additionally, Twitter allegedly fails to delete a user’s data if they chose to shut their Twitter account down. By regulation, the platform is required to delete all data and not keep a cache for themselves.

Thirdly, Zatko says that the platform does not accurately measure exactly how many bots are on the site. Twitter claims that less than 5 percent of users are verifiably bots. Though Zatko doesn’t estimate how many there actually are, one can easily argue that there are more. In fact, Musk himself argues that there are more. The lack of transparency as to the exact number is actually one reason why the sale hasn’t pushed through yet.

Finally, and arguably most critically, Zatko says that the platform is easily swayable by foreign actors. It’s no secret that some countries are forcing platforms to open up local offices in their home turf. The United States, for example, is pushing TikTok to open an American office to prevent data transfer from the country to China.

While national security presents a good side to opening a local office, others can also use the tactic to further national goals. For example, the report alleges that Agrawal asked Zatko to hire a Russian agent to comply with censorship demands during the early stages of the conflict with Ukraine. Another instance alleges that Twitter hired an agent from the Indian government who had access to a vast amount of user data.

What happens now

Currently, the Securities and Exchange Commission, which received Zatko’s complaint, is investigating the extent of the whistleblower’s claims. If found guilty, Twitter is liable for billions of dollars’ worth in fines.

Twitter is denying the allegations, claiming that the platform maintains the best modicum of security for its users. “While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context,” a spokesperson said to CNN.

On the other hand, the whistleblower has likely piqued Elon Musk’s claim to Twitter. With security concerns part of his original argument, the billionaire might be interested to see what the SEC finds.

News

DuckDuckGo has a new way to protect your emails

Enjoy more private emails

Published

on

The days of zillionaire Nigerian princes are long gone. Instead of blatant scams, malicious (or even non-malicious) emailers have grown savvier, sneakily peppering emails with unseen trackers. If you’re keen to prevent emails from scraping information from you, DuckDuckGo has a new tool to keep your private communiques safe.

Now rolling out in open beta, DuckDuckGo’s Email Protection scrubs trackers from emails and forwards the clean version to a private address set up through the tool. Besides cleaning emails, the tool is also capable of telling users which trackers were detected. According to the company, about 85 percent of trackers were discovered in previous beta tests.

Through clean emails, the tool’s Link Tracking Protection removes trackers from links attached to an email. Additionally, Smarter Encryption replaces the same attached links to HTTPS, adding another layer of security.

Users can easily set up an unlimited number of @duck.com email addresses. They can then reply to any email using any of the created addresses, rather than their personal accounts. Besides unlimited access, users can also easily delete their addresses.

To make use of the new tool, DuckDuckGo users need to install the Privacy Essential extensions on desktop. It is also available through the service’s mobile browser on Android and iOS.

SEE ALSO: Why should you use a VPN?

Continue Reading

News

Half of Android users think Apple is more secure

According to survey

Published

on

As the demand for more smartphones shrinks by the day, the two major sides in the smartphone world — Apple and Android — have looked towards each other to keep their respective growths alive. In particular, both parties have released easy-to-use tools to help converting users switch to their side. Now, despite the lack of coercive energy from either side, it looks like it’s working.

According to a survey from Beyond Identity (via BGR), almost half of Android users are considering a switch to iOS. Specifically, 49 percent of Android users are perceiving better security over on Apple’s side, resulting in a potential switch.

Of course, the argument is not unheard of. For more than a decade, Apple has celebrated its security over its rivals. Remember the iconic string of Mac versus PC ads featuring John Hodgman and Justin Long? Now, the brand is running ads to both proclaim how easy it is to switch and how secure the platform is.

To dig deeper, the survey also explains how Apple users do feel more secure on the platform. Users have reported fewer digital attacks and data loss on iOS, compared to Android. (Although, to be clear, the difference between the two platforms isn’t that great.)

If you’re worried what this might mean for Android users, there is an important caveat: The survey talks about perceived improvement. This is about what users think safety on each platform is. Therefore, the debate between Apple and Android continues to broil. At most, the survey might spell ups and downs for people switching between brands.

SEE ALSO: Apple might soon display ads on your iPhone

Continue Reading

News

Apple, Google, and Microsoft are getting rid of the password

It’s an ultra-rare partnership

Published

on

A partnership between two of the biggest tech companies comes once in a blue moon. A joint project between three companies, though, is even rarer. Yet, here we are, on World Password Day, staring at three of those companies — Apple, Google, and Microsoft — as they take on their biggest challenge together: the password.

Announced through the FIDO Alliance (an organization building better security), the three companies have committed to bringing password-less sign-ins to their respective platforms. In lieu of a single password, the new standard will use a device’s locking method — PINs, fingerprint readers, and face unlocking — as the user input to access the account. Additionally, it will also authenticate the log-in attempt using credentials stored inside the device.

Though a staple of today’s internet culture, passwords have turned into huge hassles for ordinary users. Almost every service today requires users to create an account and, therefore, new passwords. Remembering dozens of different passwords is nigh impossible, forcing users to reuse passwords. Not everyone uses a password manager either.

In the past few years, companies have started to use other methods to supplement the measly password. Some accounts require users to input a timed authenticator code or answer a prompt on another device.

With the FIDO Alliance’s efforts, logging in might become simpler but more secure. As of yet, there is no timetable as to when Apple, Google, and Microsoft will completely transition into the new standard. If anything, Microsoft already announced their transition last year.

SEE ALSO: Microsoft is going password-less

Continue Reading

Trending