Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Twitter Spy Case Highlights Risks for Big Tech Platforms

The allegations of spying by former Twitter employees for Saudi Arabia underscore the risks for Silicon Valley firms holding sensitive data which make the platforms ripe for espionage.

The allegations of spying by former Twitter employees for Saudi Arabia underscore the risks for Silicon Valley firms holding sensitive data which make the platforms ripe for espionage.

The two Saudis and one US citizen allegedly worked together to unmask the ownership details behind dissident Twitter accounts on behalf of the Riyadh government and royal family, according to a federal indictment.

Analysts say the incident shows how massive databases held by Silicon Valley giants can be juicy targets for intelligence agencies, which can often apply pressure to company insiders.

“The Twitter case shows how data is not only an asset but a liability for companies,” said Adrian Shahbaz, research director for technology and democracy at the human rights group Freedom House.

“For companies collecting massive amounts of data, the challenge is how to keep it secure not only from hackers, but from rogue employees.”

Shahbaz said platforms such as Twitter and Facebook remain important tools for human rights activists, but that users should be aware of potential for data leaks — both in their countries, and from insiders.

“It’s been alarming to see how governments using tactics to exploit the inherent weaknesses of the internet… go after people expressing dissent,” he said.

“It’s a constant cat-and-mouse game between users and very well-resourced governments.”

Advertisement. Scroll to continue reading.

Bruce Schneier, a security researcher and fellow at Harvard University’s Berkman Klein Center for Internet & Society, said it is not surprising to see governments targeting databases of tech platforms.

“We all assume it happens a lot. But this (prosecution) rarely comes up,” Schneier said.

– No match for Russia –

Schneier said there have long been fears about Chinese or Russian insiders pressured to introduce vulnerabilities in major software platforms, and that companies may be ill-equipped to thwart those efforts.

“The government of Russia versus Twitter is not a fair fight,” he said. “It’s hard to blame the tech companies.”

Because major tech firms have engineers from all over the world, Schneier said it enables intelligences services to seek out and pressure their expats for espionage purposes.

The case highlights the potential for insider threats, said James Lewis of the Center for Strategic and International Studies in Washington.

“Insider threats go back to biblical times,” he said, noting that the suspects were probably caught because they “did a terrible job of covering their tracks.”

– Background checks enough? –

According to an indictment unsealed Wednesday, US citizen Ahmad Abouammo and Saudi national Ali Alzabarah were recruited in 2014-2015 to use their positions in Twitter to gain access to private information related to accounts of critics of Riyadh.

Ahmed Almutairi, a marketing official with ties to the royal family, was a critical go-between who arranged contacts, prosecutors said.

Twitter said in a statement it restricts access to sensitive account information “to a limited group of trained and vetted employees.”

But John Dickson, a former US air force information warfare officer who is now with the security consultancy Denim Group, said private companies, even in Silicon Valley, are not equipped to for background checks needed to find potential spies.

“Most employers do cursory background checks for the most obvious stuff such as criminal records or bankruptcy,” he said.

“None of them does any semblance of a background check on nation-state threats.”

Dickson said it remains unclear if the tech platforms are cognizant of the sensitivity of the data they hold, and the draw of that information for intelligence services.

“They are still acting as social media companies,” he said.

“Their default is to get as many connections as possible, and the network effect enhances the platform.”

Shahbaz said the latest case illustrates a need for regulations to require tech platforms to limit how much data they collect and maintain.

“There might be a role for government to play in terms of data privacy legislation,” he said.

“There’s a case for collecting the bare minimum of data from users and allowing users to opt out” of certain kinds of data collection.

He said companies should also be required to inform victims if their data has been compromised “so they can take measures to protect themselves.”

Related: Saudi King Hosts CIA Chief for Talks

Written By

AFP 2023

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Data Protection

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...