Peiter Zatko, commonly known throughout the cybersecurity community as “Mudge,” made headlines this week after alleging some egregiously lax cybersecurity practices at Twitter, where he was formerly employed as Head of Security. In the aftermath of the revelation, Twitter’s CEO reportedly penned an email to employees asserting the claims are “a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context.”
While many speculated that the news would serve as a “golden goose” in Elon Musk’s legal battles with Twitter, Reuters reported, “Elon Musk’s demands for Twitter Inc user details were rejected as ‘absurdly broad’ by a judge.”
Because of Zatko’s references to misleading practices related to compliance and data protection, the social media giant is now facing scrutiny from “two national data protection authorities in the EU,” according to a report from TechCrunch.
Still, of all the Twitter/Mudge stories I’ve read this week, I think Steven Levy at Wired hit the proverbial nail on the head when he wrote, “the story that really matters is poor security and why some companies are worse than others … the tension between Zatko and Agrawal is a familiar one between a CEO and a security specialist. But if we had a law that made it a crime to ignore best practices in security—making top executives and board members liable—I’d bet that tension would become more of a collaboration.”
Now let’s look at what else made cybersecurity headlines this week.
Aug. 26: Attackers reportedly targeted the development environment at LastPass and gained unauthorized access to source code and technical information.
Aug. 26: “Microsoft has warned that an Iranian state-based threat actor it calls Mercury is using the Log4Shell flaws in applications from IT vendor SysAid against organizations located in Israel,” ZDNET reported.
Aug. 25: Dark Reading reported, “The hackers who breached Twilio and Cloudflare earlier in August also infiltrated more than 130 other organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication (2FA) credentials.”
Aug. 25: According to The Hill, the Israeli spyware firm NSO Group “has become a ‘cautionary tale,’ after allowing its flagship Pegasus spyware to become a high-profile threat to global security and human rights, with media outlets worldwide detailing how governments were abusing its tools.”
Aug. 24: California’s Attorney General announced a $1.2 million settlement, marking the first punitive action resulting from the California Consumer Privacy Act (CCPA).
Aug. 23: According to CyberScoop, researchers at Google identified malicious activity linked to the Iranian government’s cyber espionage unit that developed a software tool able to download emails from Gmail, Yahoo, and Microsoft Outlook accounts.
Aug. 23: The US Navy welcomed another unmanned surface vehicle, the Mariner, sailing in as the latest addition to its Ghost Fleet vessels.
Aug. 22: Security researchers at Proofpoint warned that the threat actors known as TA558 are again targeting the travel and hospitality industries after having been largely inactive through the pandemic.