Decision based on assessment of how company was run, says memo, quoted by NYT
Prajeet Nair (@prajeetspeaks) •
January 22, 2022
Twitter has announced it will fire Peiter Zatko, the network security expert it hired as head of security in late 2020.
The security team changes followed “an assessment of how the organization was run,” according to a company memo given to the New York Times.
Known as “Mudge”, Zatko rose to fame in the 1990s as a member of the ethical hacking collective “Cult of the Dead Cow” and later moved to senior cybersecurity research positions at the Defense Advanced Research Projects Agency, aka DARPA, and Google.
Twitter chief executive Parag Agrawal, who succeeded Jack Dorsey in November, also announced that industry veteran Rinki Sethi, the chief information security officer, will depart in the coming weeks. However, the company did not say whether the exit is voluntary.
Sethi in a tweet confirmed her departure and said: “It is with a heavy heart that I announce my forthcoming departure from Twitter. Thank you to everyone who has reached out to me on the way.”
Neither Sethi nor Zatko responded to ISMG’s request for comment.
A Twitter spokesperson told ISMG: “I can confirm that Mudge Zatko is no longer on Twitter and Rinki Sethi will be leaving Twitter in the coming weeks. As in relation to employment and data protection, we have no further details to share at this time.”
The social media platform reportedly said in a memo shared with employees, accessed by The New York Times, “The changes followed an assessment of how the organization was being run and the impact on the work with the highest priority.”
According to the report, Twitter’s head of privacy engineering, Lea Kissner, will become the company’s interim chief information security officer.
Agrawal also reportedly reorganized management staff after taking over at Twitter, firing Dantley Davis, the chief design officer, and Michael Montano, the head of engineering.
In a previous SEC filing, the company said Agrawal is restructuring its leadership team to encourage greater accountability, speed and operational efficiencies, moving to the general manager model for consumer, revenue and core technology led by Kayvon Beykpour, Bruce Falck and is directed by Nick Caldwell and
“These GMs will lead all core engineering, product management, design and research teams. Lindsey Iannucci also joined the leadership team as Chief of Staff and Vice President of Operations to help Agrawal strengthen operations across the leadership team and the company. As part of these changes, Dantley Davis, director of design and research, will also step down from his position with the company effective December 31, 2021 and will remain an advisor through the end of Q1 2022 to ensure an orderly transition,” the filing reads.
Zatko and Sethi joined Twitter in late 2020. Sethi was previously VP of Data Safety at IBM, VP and CISO at Rubrik, Inc. and has held various leadership roles at companies including Palo Alto Networks, Intuit and eBay.
Zatko was one of the first computer security researchers to gain a following due to his hacking skills and understanding of cybersecurity. In one of his first papers from 1995, he described how a buffer overflow works and what threat this bug posed to the networks of the time (see: Twitter hires famed hacker “Mudge” as head of security).
Zatko later joined the ethical hacking collective Cult of the Dead Cow and also began speaking about a range of security topics at events such as DEF CON. In 1998, he testified before a US Senate hearing on Internet security vulnerabilities. He later briefed then-President Bill Clinton on the dangers of distributed denial of service and other emerging attacks, according to reports at the time.
Jake Williams, a former member of the National Security Agency’s elite hacking team xx tweeted, “I understand this is a meme (and a damn good one at that) but the loss of “a strong security team” greatly downplays the years of damage Twitter has done to its security program.”
I get that this is a meme (and a damn good one at that), but the loss of “a strong security team” greatly downplays the years of damage Twitter has done to its security program. https://t.co/IJpJEPYUap
– Jake Williams (@MalwareJake) January 22, 2022
In an email to ISMG, Williams added, “Zatko and Sethi are two of the most in-demand security leaders in the entire cybersecurity industry. That an organization was ever lucky enough to have them at the same time was significant in itself. Hearing this, they’re both leaving the company in what are most likely related circumstances, which should worry anyone concerned about the security of the platform.
“It will not surprise me to learn that her departure is related to security concerns related to Twitter’s recent launch of Web3 technologies, as demonstrated by yesterday’s release of NFT integrations. I would estimate that being tasked with the security of the Twitter platform during development teams integrating with Web3 frameworks would create conflict with the rest of the leadership team. Of course, there are likely a lot of factors at play that we don’t yet publicly know about.”
(NFT profile pictures are available on iOS as an option for Twitter Blue users. To verify ownership, users must connect their crypto wallets to their Twitter Blue account.)
Matthew Green, associate professor at Johns Hopkins University, tweeted: “I don’t know what’s going on on Twitter. When CISOs leave social media companies unexpectedly, it can mean all sorts of uncomfortable things.”
I don’t know what’s going on on Twitter. When CISOs leave social media companies unexpectedly, it can mean all sorts of uncomfortable things. https://t.co/CbzlAvJy1K
— Matthew Green (@matthew_d_green) January 21, 2022
Some Twitter users also suggested the two may be leaving the company to join their former boss, Jack Dorsey, at his digital payments company, Block.
High-profile security incidents
Zatko’s appointment was followed by several high-profile security incidents at Twitter, leading to criticism of the company’s security practices.
In July 2020, three suspects, including a Florida teenager, were charged in connection with hacking 130 high-profile Twitter accounts, including those of Bill Gates, Barack Obama and Joe Biden, to conduct a cryptocurrency scam (see: 3 Charged in Twitter Hack).
The hackers reportedly gained control of several high-profile Twitter accounts using phone phishing and SIM-swapping techniques, and sent fake messages to steal about $120,000 worth of bitcoin from the victims. It is also believed that the suspects gained access to some Twitter account user data, including information stored in the direct message feature (see: Twitter hack: Suspects left investigators a light trail).