Axios Codebook

A massive Twitter staff exodus in the first month of Elon Musk's ownership is only exacerbating the company's long list of existing data security problems, experts tell Axios.

Why it matters: While Twitter's list of cybersecurity challenges hasn't appeared to change yet, dwindling staff numbers mean the company could struggle to fix security flaws or respond in the event of a massive hack.

• The departures of Twitter's chief information security officer and other top security employees have created a new layer of concern about the company's long-existing data-security issues.

The big picture: Twitter already had a troubled history of data breaches, account takeovers and poor internal cybersecurity hygiene.

• Earlier this year, former Twitter CISO Peiter "Mudge" Zatko filed a whistleblower complaint detailing the extent of Twitter's security problems, from a lack of employee access controls to a company culture that failed to take cybersecurity seriously.
• In 2020, a 22-year-old hacker broke into Twitter and took over accounts belonging to then-presidential candidate Joe Biden, former President Barack Obama and Musk himself.

Between the lines: Cybersecurity alarm bells in the last month mostly stem from reports of the company's quickly shrinking staff numbers rather than new and emerging threats.

• But without a full security team, it's hard to see how the company can respond quickly to patch vulnerabilities in its systems or a massive data breach of its systems, says Erick Galinkin, an analyst at cybersecurity company Rapid7.
• Glitches have already started at Twitter, presumably due to low staff levels, including a bug that broke Twitter's multifactor authentication tool shortly after the latest employee exodus.

Threat level: Experts have anticipated that ongoing turbulence at Twitter will only motivate more hackers and scammers to target the company and its users.

• Most data breaches would affect data that's likely already floating around on the dark web from past hacks, including email addresses, passwords and birthdates.
• Twitter doesn't collect someone's most sensitive information, such as their Social Security number, and it has financial information only for Twitter Blue subscribers.

Yes, but: Hackers and Twitter employees could potentially learn a lot from someone's private direct messages depending on what information is shared.

• Some users may have shared personal information in what they perceived as secure private messages, for example.
• It's likely more hackers will be newly motivated to "leak every Twitter DM" just to embarrass Musk's leadership, Galinkin says.

What's next: Musk appears to be trying to create a slightly more secure Twitter based on his reported plans to encrypt direct messages and support encrypted video and voice calling between accounts, as The Verge reports. But it's unclear how quickly those plans will come to fruition, especially with a smaller staff.

• Security could become an even bigger priority as Musk pushes to grow subscriber numbers and pursues projects to support in-app payments.
• Twitter is likely to face further regulatory pressure to improve its internal security practices as the Federal Trade Commission watches Musk's takeover unfold.
• Twitter did not respond to a request for comment.

Be smart: While the data security concerns at Twitter are nothing new, they do serve as a reminder to be mindful of what you share on the internet.

• "You don't need to be any more worried than you should have been a month ago," Galinkin says.

A pro-China Twitter-based disinformation campaign is actively targeting a human rights group that exposed a secret Beijing operation, researchers at NewsGuard first tell Axios.

Why it matters: Twitter is also struggling to grapple with an influx of Chinese-language accounts spreading disinformation following company staff reductions.

The big picture: Pro-China actors are known to rely on Twitter and other social media sites to push back on critical voices.

• Over the weekend, a group of previously dormant, suspected Chinese government-linked Twitter accounts spammed the site with adult content to drown out news about ongoing protests, per the Washington Post.
• Last month, Google-owned threat intelligence firm Mandiant uncovered a pro-China disinformation campaign targeting the U.S. elections across social media.

Details: NewsGuard analyst Macrina Wang identified 127 inauthentic Twitter accounts as of Nov. 17 pushing false narratives about nongovernmental organization Safeguard Defenders.

• In September, Safeguard Defenders published a report detailing how police in China, in coordination with Chinese Communist Party-run entities, had set up a network of overseas police "service stations" across Europe and the rest of the world.
• Now, a network of English- and Chinese-language Twitter accounts is spreading false information about the Madrid-based NGO, claiming that Safeguard Defenders is working on behalf of the U.S. government “to mess up other countries” and that the organization falsely identifies alleged criminals as political dissidents.

The intrigue: NewsGuard cannot definitively say if the new campaign is directly tied to the Chinese government.

• However, NewsGuard says the involved Twitter accounts are inauthentic given each one was created only recently, has a low follower count, and almost exclusively posts content about Safeguard Defenders.

Between the lines: Experts worry that nation-state actors — and the groups that work on their behalf — will increasingly turn to Twitter to spread disinformation after Elon Musk drastically reduced the company's content moderation teams.

Researchers at software company Forescout added two technology vendors this morning to its list of manufacturers with widespread software flaws affecting critical infrastructure.

The big picture: In late June, Forescout uncovered a set of 56 critical security vulnerabilities found in 10 operational technology (OT) vendors whose products are popular with critical infrastructure organizations.

• This morning's report adds three security flaws from two German automation tech vendors — Festo and CODESYS — to that list.

Why it matters: The additional vendors add to the long tail of the initial set of critical security flaws, known collectively as OT:ICEFALL, and highlight just how widespread any vulnerability in critical infrastructure can be.

Details: Each of the three flaws could allow hackers to manipulate encrypted code, cause a brief shutdown of operational web applications, or gain remote access to an OT network.

• The newly affected devices are found in a wide range of industries, including manufacturing, energy automation and retail.

Between the lines: Researchers said the new flaws, like the rest of the OT:ICEFALL set, are the result of popular yet insecure design choices that the manufacturers made when building the affected products.

• This practice, known as "insecure-by-design," is where "manufacturers include dangerous functions that can be accessed with no authentication or a subpar implementation of security controls, such as cryptography," per the latest report.

The intrigue: Patching flaws in OT, which powers the physical component of critical infrastructure, is notoriously difficult, making mitigation tricky.

• Unlike cellphones, which can run a software update in under a minute with minimal disruption, running a system update on OT requires an hourslong shutdown of a pipeline, water system or other utility that isn't feasible.

What’s next: Forescout recommends critical infrastructure operators instead take inventory of which assets are affected, monitor them closely for signs of intrusion, and ensure their OT networks are separated from any connected and easily hackable IT systems.

@ D.C.

❌ The FCC banned U.S. sales and imports of new Huawei and ZTE equipment due to national security concerns. (Axios)

📲 Google gave FBI investigators the location data for more than 5,000 devices as part of its investigation into the Jan. 6 insurrection. (Wired)

🤷🏻‍♂️ A Biden administration review of whether to have the U.S. Cyber Command and the National Security Agency continue to share a leader ended without making any formal recommendations. (The Record)

@ Industry

📉 Microsoft's newest cybersecurity executive is struggling to change the company's approach to security and how quickly the company responds to software vulnerabilities. (The Information)

⏳ The cyber insurance industry is still struggling to figure out how its business will be impacted when the next "catastrophic" cyberattack hits. (Wall Street Journal)

@ Hackers and hacks

👾 Hackers are selling access to a fake TikTok feature that would actually download malware onto users' devices and steal their files, passwords and Discord account. (BleepingComputer)

👀 Australia's financial services regulator says it is intensifying supervision of Medibank after a hack that affected 9.7 million customers. (ZDNet)

This tweet really hit different after spending a week with family trying to figure out their TV setups. How about y'all?