Twitter’s cybersecurity troubles continue with ‘serious risk of breach’

The exodus of Twitter’s security staff, including the surprise departure of Chief Information Security Officer Lea Kissner, has already proven damaging, with security experts warning that a drastically reduced cybersecurity team leaves the door open for bad actors to take advantage of growing security vulnerabilities.

by | November 16, 2022 | Tech Insights

The chaos continues at Elon Musk’s Twitter, with cybersecurity troubles mounting. Security experts and whistleblowers have warned that the new company environment is severely undercutting its defenses, with potential consequences for both Twitter HQ and the millions of daily active users of the giant social media platform.

The exodus of Twitter’s security staff, including the surprise departure of Chief Information Security Officer Lea Kissner, has already proven damaging, with security experts warning that a drastically reduced cybersecurity team leaves the door open for bad actors to take advantage of growing security vulnerabilities. The Washington Post confirmed that “several other members of the site’s privacy and security unit also had resigned,” on top of the massive layoffs Musk conducted after taking over Twitter. Other employees who resigned include the company’s chief privacy officer, its chief compliance officer, and the head of trust and safety, Yoel Roth.

Cybersecurity expert Alex Stamos, director of the Stanford Internet Observatory, tweeted that “there is a serious risk of breach with drastically reduced staff.” The former Yahoo CISO warned of ‘real-life harm’ from the dismantling of Twitter’s security team, and of potential action against the company from regulators including the FTC and the SEC, as well as several European regulators.

The chaotic dismantling of Twitter’s security team prompted a rare statement from the Federal Trade Commission, with the agency saying it is “tracking the developments at Twitter with deep concern” and is prepared to take action.

“No CEO or company is above the law, and companies must follow our consent decrees,” said Douglas Farrar, the FTC’s director of public affairs.

Meanwhile, Musk’s lawyer Alex Spiro declared in a company-wide Slack post that “Elon puts rockets into space, he’s not afraid of the FTC.”

Because of the exodus, unnamed sources have confirmed that Twitter’s legal department is asking engineers to “self-certify” compliance with FTC rules and other privacy laws, which could lead to even more disastrous results.

Cybersecurity and privacy expert Riana Pfefferkorn tweeted last Thursday, “That’s not how this works. That’s not how any of this works,” in response to the news of Twitter’s legal team asking engineers to “self-certify”. “Per the order, a small team of senior execs is on the hook for making privacy & security decisions that legally bind the company. And a senior officer has to certify compliance with the order annually to the FTC. This ‘everyone has to self-certify’ thing is nonsense.”

Pfefferkorn continued, explaining that any engineer who self-certifies to the FTC risks an FTC complaint, which could lead to a perjury investigation. She asked why lower-level employees would take that risk for Musk, who apparently does not care about threats from the FTC and the SEC.

All of this raises serious questions about the integrity of the company’s security protocols and its ability to withstand hacking attempts. Twitter stores vast amounts of user data, including phone numbers, IP addresses, and direct messages, unencrypted, despite calls from cybersecurity experts to change this. How can the remaining Twitter team, and Musk, provide security for such a large user base?

Even before Musk’s takeover, a Twitter whistleblower testified before Congress in September, claiming that the company’s failure to secure sensitive data could cause “real harm to real people.” The whistleblower, the company’s former head of security, Peiter Zatko, alleged in his testimony that employees had access to far too much data, that the company did not properly track data access, and that executives misled the public, regulators, and the company’s own board about its broken defenses against hackers, among many other credible allegations.

The two weeks of chaos at Twitter were intensified by Musk’s first product at the company, the Twitter Blue verification badge, an idea that was heavily criticized by security experts before a very messy implementation. The verification badge, previously held only by notable public figures and organizations, now costs $8 per month, allowing any Twitter user to pay for verification. Unsurprisingly, this led to a flood of impersonation accounts that appeared legitimate because they carried a blue checkmark.

Parody tweets from accounts impersonating brands and public figures ended up costing the social media giant millions in advertising revenue after companies such as Eli Lilly saw their stock tank because of viral parody tweets. As a result, the pharmaceutical giant pulled all of its advertising from Twitter. Other companies followed suit, bowing to pressure from human rights activist groups.

Other impersonation accounts behaved far more maliciously. Users reported widespread fake cryptocurrency exchange accounts, sporting the verification badge, soliciting login credentials from crypto users who asked for help through Twitter’s Direct Messages (DMs). Other bad actors impersonated prominent companies including Apple and Tesla in attempts to harvest customer information from unsuspecting victims.

Researchers also found a fake McDonald’s account carrying the paid verification badge, apparently attempting to spread malware through the platform. The thread had generated more than 400,000 likes and millions of interactions.

“It took me less than 25 minutes to set up a fake anonymous Apple ID using a VPN and disposable email, attach a masked debit card to it (with the address being Twitter’s HQ), and apply for a verified account for a well-known figure,” one user tweeted in a post that went viral. “Imagine what a nation state or bad actor could do…”

Unsurprisingly, the new Twitter Blue feature was revoked by the company days after its launch. The idea had disastrous consequences for the company’s cybersecurity, revenue, and reputation. Nevertheless, Musk has said he plans to relaunch the feature on November 29.

Meanwhile, there are signs that the company’s security is cracking. As first reported by WIRED, some users have reported that Twitter’s SMS two-factor authentication system is starting to malfunction. Authentication codes are either not sent or delayed for hours, blocking users from accessing their accounts and potentially locking them out entirely. This is among the first signs that troubles in Twitter’s infrastructure are ‘bubbling to the surface’ as the company’s IT team grows ever thinner.

Twitter’s increasingly destabilized infrastructure is deeply worrying, above all for the users whose data is stored on the platform. Some experts have even begun urging people to delete their direct messages, or even their accounts altogether, in preparation for a possible data breach.