
Whistleblower Accuses Twitter of Cybersecurity Misconduct

According to a whistleblower complaint submitted to U.S. officials, Twitter's former head of security alleges that the company misled regulators about its inadequate cybersecurity defenses and was negligent in its efforts to filter out the fake accounts that spread misinformation.

Peiter Zatko, who managed security at Twitter before his dismissal at the beginning of the year, filed the allegations with the Department of Justice, the Federal Trade Commission, and the Securities and Exchange Commission last month. A revised version of the complaint published online by the Washington Post was authenticated by the legal group Whistleblower Aid, which is collaborating with Zatko.

While alarming for anyone who uses Twitter, the revelation could be especially problematic for those who rely on it to engage with constituents or to disseminate information in times of crisis, and for political dissidents and activists targeted by hackers or by their own governments.

Prateek Waghre, policy director at the Internet Freedom Foundation, a digital rights NGO in India, said, "We tend to look at these businesses as enormous, well-resourced institutions who know how to operate — but you realize that a lot of their actions are ad hoc and reactionary, driven by crises." In essence, they are frequently held together with chewing gum and cello tape.

One of Zatko's most severe allegations is that Twitter broke the terms of a 2011 FTC settlement by misrepresenting the extent of its security and privacy protections for its users.

The complaint's claims about India are particularly concerning: it states that Twitter knowingly allowed the Indian government to have its agents hired as Twitter employees, giving them direct, unsupervised access to the company's servers and user data. It also cites a recent case in which a former Twitter employee was found guilty of passing private user information to members of the Saudi Arabian royal family in exchange for bribes.

Allegations by the whistleblower

Privacy and security breaches can bring setbacks and embarrassment, as happened earlier this year when the Indiana State Police account was hacked.

In October 2021 a Saudi humanitarian relief worker was sentenced to 20 years in prison for what the kingdom claims was the operation of an anonymous, satirical Twitter account. The men accused of spying for the kingdom while employed at Twitter may be connected to this case.

Bethany Al-Haidari, an advocate for dissidents and others detained in Saudi Arabia, has worried about Twitter's user privacy safeguards for years.

"According to what we learn about how social media is utilized globally, it is quite disturbing to me, because hackers or governments may leverage the alleged cybersecurity flaws at Twitter to obtain users' identities, private conversations, or other sensitive information," said Al-Haidari, a representative of the American human rights organization The Freedom Initiative.

The Chinese-Australian artist and activist Badiucao expressed concern about the whistleblower's claims, adding that many users give their phone numbers and email addresses to Twitter. Badiucao frequently publishes artwork that opposes the Chinese Communist Party. He warned that once your personal information is exposed, it might be exploited to track you down. Badiucao claimed that he frequently gets propaganda and death threats from what appears to be a botnet or spam. 

Twitter says the whistleblower's allegations lack context and present a false narrative about the company and its privacy and data security practices. In its response, Twitter stated that "security and privacy have always been, and will continue to be company-wide priorities."

Despite the disturbing nature of the whistleblower's allegations, security experts say there is no justification for individual users to deactivate their accounts. 

Jennifer Grygiel, a professor of communications at Syracuse University who closely monitors Twitter, was alarmed by yet another security lapse. On their last day of work in 2017, a Twitter customer service representative briefly deactivated then-President Donald Trump's account. Although the account was swiftly restored, Grygiel said, the incident demonstrated how exposed Twitter is, given its use by governments, heads of state, and military branches.

However, the administration must balance that risk against how crucial Twitter has become for informing the public about emergencies. Real-time information on fires, the resulting road closures, injuries, and retweets from other agencies alerting the public to threats like flash floods are all available on the department's Twitter feed.

US-Based Ubiquiti Inc. Covers Up a Catastrophic Data Breach, Claims a Whistle-blower


Ubiquiti Inc., a major provider of cloud-enabled Internet of Things (IoT) equipment such as routers, network video recorders, and surveillance cameras, announced on the 11th of January that customer account information had been compromised in a breach involving a third-party cloud service provider. According to a whistle-blower involved in the response to the breach, Ubiquiti significantly downplayed a "catastrophic" incident in order to protect its stock price, and the third-party cloud provider explanation was a fabrication.

Ubiquiti, whose consumer-grade routers have built a reputation for security and manageability, is accused of concealing a "catastrophic" security breach. The company said that someone gained "unauthorized access" to servers operated by a "third-party cloud provider" where data for the ui.com web portal was stored.

The vendor said the exposed data included customers' names, email addresses, and likely hashed passwords, as well as residential addresses and phone numbers, but it did not say how many customers were affected.

Because Ubiquiti reportedly kept root administrator logins in a LastPass account, the intruders had complete access to the company's AWS servers, and from there could have reached any Ubiquiti networking hardware that customers had set up to be managed through the company's cloud service.

When Ubiquiti eventually released a statement, it was far from reassuring — in truth, it was woefully inadequate. The company stated again that there was no proof that any user data had been hacked or stolen. 

However, as security journalist Brian Krebs points out, the whistle-blower stated plainly that the company does not keep logs of who did or did not access the compromised servers, which is precisely the evidence that would settle the question. Ubiquiti's statement also notes that the attacker tried to extort money from the company. The whistle-blower, who "participated" in the breach investigation, told Krebs a few months later that the event was far worse than it appeared and could only be described as "catastrophic." The source told KrebsOnSecurity that the third-party cloud provider explanation was a "fabrication" and that the breach was "massively downplayed" in an effort to preserve the company's stock value.
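The two failures described above, root credentials that anyone holding the password vault could use and no record of who touched the servers, are exactly what account-activity logging is meant to close. As an added example, not code from the page, Krebs or Ubiquiti, the following Python flags root-account activity in AWS CloudTrail-format records and reports whether each event was MFA-backed; the records are constructed, and the account id, key id and addresses are placeholders.

```python
import json

# Constructed sample CloudTrail-format records (placeholders, not data from the page);
# field names follow the real CloudTrail record schema.
SAMPLE_RECORDS = [
    {"eventTime": "2021-01-05T02:14:07Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-01-05T02:16:40Z", "eventType": "AwsApiCall",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accessKeyId": "AKIAPLACEHOLDERKEY00"}},
    {"eventTime": "2021-01-05T09:00:01Z", "eventType": "AwsApiCall",
     "eventName": "GetObject", "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
    {"eventTime": "2021-01-05T09:30:12Z", "eventType": "AwsApiCall",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "ops-alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]

def mfa_status(rec):
    """Return 'yes', 'no' or 'unknown' for whether the event was MFA-backed."""
    console = rec.get("additionalEventData", {}).get("MFAUsed")  # console sign-ins
    if console is not None:
        return "yes" if console == "Yes" else "no"
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    if "mfaAuthenticated" in attrs:                               # temporary credentials
        return "yes" if attrs["mfaAuthenticated"] == "true" else "no"
    return "unknown"  # long-lived access keys carry no MFA context at all

def is_direct_root(rec):
    """Root activity driven by a person or a root credential, not by an AWS service."""
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")

def flag_root_activity(records):
    """One finding per direct root event: when, what, from where, and MFA status."""
    return [{"time": r["eventTime"], "event": r["eventName"],
             "source_ip": r.get("sourceIPAddress"), "mfa": mfa_status(r)}
            for r in records if is_direct_root(r)]

if __name__ == "__main__":
    for finding in flag_root_activity(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The service-invoked root event and the MFA-backed IAM user are deliberately left out of the findings, so the output is only the activity a responder would actually need to explain.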

In a letter to European regulators, the whistle-blower wrote, "It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk."

According to Krebs, Ubiquiti IT staff discovered a backdoor planted by the threat actors in late December, and it was removed in the first week of January. Employee passwords were reportedly rotated, but the public was not fully informed of the breach until a second backdoor was found. The attackers contacted Ubiquiti and demanded 50 Bitcoin (roughly $3 million) in exchange for their silence; the vendor, however, did not respond.