ISMG Editors: Twitter Breach May Be Worse Than Advertised
Also: India's Revised Data Protection Bill; How to Avoid Common Zero Trust Errors
Anna Delaney (annamadeline) • December 2, 2022
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including insights from the creator of zero trust on where organizations commonly founder when implementing the strategy, what the latest version of India's digital data protection bill means for CISOs, and how a data breach confirmed earlier this year by Twitter may be worse than initially thought.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Suparna Goswami, associate editor, ISMG Asia; and Tom Field, senior vice president, editorial - discuss:
- Highlights from an interview with the creator of zero trust, John Kindervag, who describes where enterprises stumble most often in their zero trust journeys;
- What the latest version of India's data protection bill means for CISOs and the impact on security practitioners;
- How information amassed on 5.4 million Twitter users by an attacker who abused a social network API is available online for free.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Nov. 11 edition discussing how a $3 billion crypto seizure demonstrates blockchain's security and the Nov. 25 edition discussing the rise of info-stealing malware.
Anna Delaney: Hello, I'm Anna Delaney, and this is the ISMG Editors' Panel where colleagues on the editorial team join me to break down and discuss some of the top cybersecurity news stories of the week. The stars of this week's episode are Tom Field, senior vice president of editorial; Suparna Goswami, associate editor at ISMG Asia; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Wonderful to see you all. Tom, as we approach New Year, you've been conducting some excellent interviews with some of our global ISMG contributors, one of whom is the creator, of course, of zero trust - John Kindervag. How did that conversation go?
Tom Field: Indeed. We talk to John a couple times a year. And we always sort of talk about the state of the union in terms of zero trust, where are organizations challenged? What progress are you seeing? So we had that conversation recently, and will be up on our sites before long. And John made the point that because of sort of the wake of President Biden's executive order in 2021, and further guidance to come out this year, the zero trust has emerged. He always used to like to say that zero trust was like the Fight Club. And the first rule of Fight Club is you don't talk about Fight Club. That was zero trust. That's changed. But more than just people talking about it, organizations are embracing it. They've got measurable goals, and making measurable progress. And so I asked him the usual question, what's the state of the union with zero trust? And he told me about that. And I said, where are organizations challenged now? We know they're making progress. We know that they are working ahead, where are they challenged then? I'll share with you just a clip of this interview where he talks about what he's seeing as he travels globally now.
John Kindervag: The biggest problem is that they think they have to do it all at once. The same thing that I just mentioned. They think, in the old days, you used to have to do everything all at once. And zero trust changes the paradigm. It inverts everything that you ever thought. And so it was designed. So you do one protect surface at a time. I need to protect this credit card database. That's one project. The next project is my HR system. The next project is about the elevators of a hospital, I found out that's an important thing. And it's controlled by computers and needs to be protected. So you do each one of those things as a zero trust project. And eventually you're done. And then, of course, everybody thinks that everything has to be protected in the same way. And I tell people all the time, there's a lot of things that you have, that don't need very much protection, if any. I see people spending millions of dollars to protect, say websites that the only thing on it is information that they're trying to give away to customers.
Delaney: Yes, it's been a positive year for zero trust. I think we've seen this week that the DoD is working on a full transition to zero trust by end of fiscal year 2027; however, what I'm still hearing is that many organizations are still stalling at implementation level so that the awareness is there. They know it's a good idea, but there's just a lack of cybersecurity skills as well as IT skills. Is that what you're hearing, Tom?
Field: There are no resources as well. But I think we've made a key transition from organizations becoming aware of exactly what zero trust is. And we've gone through the phase of vendors knocking at the door, wearing zero trust clothing and saying, trust us, we've got your zero trust solution. The organizations have gotten wise to that. And I think that they've set realistic objectives for themselves. And as John says, they're starting to realize what exactly their protect surface is, and how to approach in meaningful, practical ways. So I think it has become a turning point. And I think 2023 will be a significant year because there are lots of different regulatory regimes now that are promoting zero trust as a strategy. And I suspect that the cyber insurance industry is going to get behind that as well. So I think we will see measurable progress in 2023.
Delaney: That's great news. Well, we look forward to watching the interview. That's not been published yet.
Field: Very soon.
Delaney: We look forward to that. Suparna, India's parliament has finally released its Digital Personal Data Protection Bill. So what does the latest version of the bill mean for CISOs?
Suparna Goswami: Yes, Anna. As you said, after much deliberation and wait, India finally came out with a fresh draft of Data Protection Bill, which terms as Digital Data Protection Bill, so not sure the aim behind the change of name, if the law will be applicable to businesses, which are not digital. So not sure of that logic, but coming back to some of the highlights of the bill and its impact on CISOs. So, I did this interview with advocate of Supreme Court and she gave a very nice, elaborate answer on what impact the draft will have on CISOs. First, the draft has proposed to do away with the distinction between personal data and sensitive personal data. So everything comes under personal data now. Will it make life simple for CISOs or complicated is a question. Earlier in the draft it was defined what is personal data and what is sensitive personal data, and how do you have to compartmentalize and store it. So essentially, the personal data could move out of the country, sensitive personal data had to be kept in India. Now everything comes in the personal data. So any personal information available online, will come under that purview. In a way it will make life easy for CISOs. But she thinks and I've spoken to a few of the CISOs where it can be bad for businesses because everything is personal data now, and you have to have top notch security for everything. In terms of compliance, it can be good for CISOs to implement it, because it just makes things simple. The second point is the draft has also done away with data localization. Now, this was such a big issue in the previous draft bill. There were protests by global companies and I think the current draft is probably aiming to please the global giants. There is no such requirement now, at least in the present draft bill. However, multiple data centers have been set up in India for the past few years. So not sure if they will protest now and force the company to change the requirements. So we have to wait and watch.
Also, there is no surety whether this rule will overpower individual sectoral rules of storing data in a certain way. So now they have done away with data localization, but will it also be applicable to the banking sector? For example, the RBI mandates banks to store sensitive data on-prem and not on the cloud. So will this new rule overpower that? So we have to again wait and watch. And another interesting thing that they have added is now you can transfer data easily to some of the friendly states. Friendly states as a few countries so the government will enlist where data can be transferred easily. Now, this again, makes things easy for CISOs who have companies across the globe. So, this makes life simple for them. Data erasure - now, individuals can ask companies to erase data once the purpose is fulfilled. In a way I think GDPR as well as CCPA also talks about it. Now data principal will have the rights of data erasure, and I asked the advocate what CISOs need to do now. So for companies, this essentially means that they have to have this in the design phase itself, where they are aware which data they have to be erased - as a request comes in. They have to keep a record of that. So tomorrow if a person probably says, "my record has not been deleted," you can showcase. So they have to keep a record, and this has to come in the design phase itself. And finally, there is deemed consent. So it has been said that once you take consent to use the data, you don't have to go back to the person again to use it for a different purpose. So once you have taken consent, that's it. You don't have to go back to the person again and again, to take consent to use the data. And I think this again, will make life easy for the CISOs. So overall, I think, if you look from a privacy point of view, there are a lot of leeways that have been given. But from CISOs and organizations point of view, it has made life simpler.
But the privacy practitioners or the people who were there in the previous committee, they are not very happy with the number of leeways that have been given to the companies.
Delaney: Great! Thorough overview, Suparna. So what's next? Is this set in stone or are there likely to be further changes in the coming year?
Goswami: So yes, they have asked the public to comment on it, and suggest changes, but hopefully because we have been waiting for the past so many years for this draft bill. So hopefully it will pass the parliament and form into law soon. But yes, there is a lot of protest by the privacy practitioners out there. So let's see. But by December, they are saying they'll come out with a new version of the bill.
Delaney: The court is speaking about that, then. Thanks, Suparna. Matt, Twitter is in the news again this week. What's the latest?
Mathew Schwartz: I know, are we having Twitter news fatigue yet? Show of hands, I think probably everybody right? We can go around the room. Two hands from here. But on the cybersecurity front, some interesting news - new news - that doesn't have to do with anyone's management style or layoffs, although the layoffs could have an impact. We'll maybe get back to that in a second. So last week, a security researcher said that he had learned about a new breach or new to him, new to us breach involving 17 million Twitter account holders' details. So for a bit of background - this seems to relate to a breach that Twitter acknowledged in July. It warned that a feature that would allow you to find other users using their email or their phone number had been abused by attackers. So this was an opt-in feature, where if you said "okay, yes, let other people find me using my email or phone, no problem." They could do so. Twitter learned in January that this was a bug. So what happened was a researcher came in and filed a bug bounty with Twitter's bug bounty program. So far, so good. And said, "Did you know that if I want, I can use the API that you've created to force match a whole bunch of different user accounts?" So they got this heads up in January, they didn't make a public notification, though, because they had that typical kind of kluge of, "we had no indication that feature had been abused." While the feature was abused, and somebody was selling 5.4 million account holders' details. This came to light in July, which led Twitter to unroll the timeline. It said, it seems like this attack happened last December, we learned about the bug in January, there was no indication that anyone had abused this. So we didn't tell anybody. But we're telling you now, because especially for owners of pseudonymous accounts, who were trying to hide their identity, this would have been a great way - not their words - for nation state attackers or others to unmask them.
So if there's some account that's deeply critical of a certain government, and they want to figure out who this person is, if they're inside the country or otherwise reachable, this feature would have been useful to them. So we have these 5.4 million plus another million and change of suspended accounts, although that was sold privately with this 5.4 million person database getting sold in July. And kudos to Bleeping Computer. They've done some reporting on this. They spoke to the administrator of Breach Forums where this information was for sale. And the administrator said that about three people bought it for less than the asking price, which wasn't all that much. And also said that there was this other suspended list that got circulated privately. But the admin came forward to speak to them again to say this other breach of 17 million, that wasn't me. So what we have here is a breach from last December, but we also have one or more breaches by other attackers, who also seem to be abusing this API feature to amass account information on Twitter users. So fascinating breach story - data breaches don't seem to be going away, do they? Happened to Twitter before the change in management, and I think it begs the question of who's steering the security ship right now? Could there be more of these types of things happening? How long will it take for them to come to light? Also a cautionary lesson - for any social network or anybody else, building these types of features, be able to find me using a certain type of detail is that maybe revealing more than you should be? And finally, when these sorts of bug reports come to light, it would have been nice to have seen Twitter be a bit more proactive, because anybody who was affected by this was affected. Well, it could have been from June 2021, because that is when Twitter added this feature that it later came to call a flaw.
So it could have been a long time that somebody was unmasked more than a year before Twitter gave them the heads up that they may have been unmasked in this manner.
Delaney: Excellent. And, Matt, do we know how big Twitter's security team is at the moment? Following the resignations and firings.
Field: Count out on a hand.
Schwartz: I have no facts to offer to you, Anna. I did reach out to Twitter and using an email address that used to work for the press department. I received no response. Think that as you will.
Delaney: So how harmful could this potentially be to Musk and Twitter?
Schwartz: That's a great question. I think Twitter is potentially facing a world of regulatory pain. They have some consent decrees in place, they need to be doing certain things, and they need to be showing that their security program is robust. There have been a lot of people exiting the company, have they been hiring replacements in a timely manner and ensuring that they are treating things with responsibility that they should be treated? We know this week that they have stopped attempting to combat misinformation or disinformation about COVID-19, for example. Is this just the first of many cracks that we were seeing publicly that indicate that things are going haywire inside the company? I couldn't possibly say.
Field: Now, you spent a lot of time on Twitter personally. Do you see a lot of people leaving the platform?
Schwartz: It feels a lot thinner in terms of content than it used to. I know a lot of people going to Mastodon. I think a lot of journalists are waiting to see what happens. Mastodon is not as usable as Twitter. There's no obvious Twitter killer yet. I'm sure that Silicon Valley is attempting to turn one out. I don't know if Twitter will turn the corner. I've worked with online communities for all my career, and they're very, very easy to tear down. They're very hard to build up. And it's just such a shame. I think that that's happened because it has been a good resource for a lot of people.
Goswami: In fact, I asked a local cop here who is into fraud investigation, financial crime investigation, and we asked him whether they are to move away from WhatsApp and Twitter and in India, we have an Indian version of Twitter by the government called Koo. But they said it has become de facto - WhatsApp and Twitter - there's no way we can do away with them. Because that's where we find the maximum fruition.
Schwartz: Exactly. Maximum uptake. Many communities say that as well. If a town has a flood warning, Twitter has been their biggest channel for getting that sort of information out. But of course, it's run by a private company, they can do whatever they want. Again, it's just a shame, I think.
Delaney: And Matt, have you been using Mastodon? Have you jumped ship? I know you're waiting to see what happens. But have you been exploring what that platform is like?
Schwartz: I've been exploring, only so many hours in the day. A lot of the cybersecurity community seems to have gone to it, but they tend to be more technically astute, more technically able and interested. They don't mind being early adopters. Whereas I'd count myself in the other group, which thinks how much frustration is this going to cause? If I wait a month or so, might there be a nicer front end that makes all of this a lot easier to use? So we will see.
Delaney: It's the dwell time advent calendar. I think it's one that can shrink every year. That's the goal anyway.
Delaney: Very true, well said. And finally then, I am aware that not everybody celebrates Christmas but as it's December this week, and many will be opening their advent calendars. What would your cybersecurity-themed advent calendar be?
Field: I like that. Suparna?
Goswami: Yes, I am not that creative. But yes, I'd look each day expecting to find a new way hackers have discovered to carry out fraud. And I also hope I find the name of financial institutions that have discovered a normal way to effectively secure itself and its customers by doing a proper patch management game and have figured out all. So we all know how basic cybersecurity hygiene is sorely lacking. So maybe that.
Field: Here's your two-year calendar, it's not one month.
Schwartz: Nothing beats chocolate. But with that caveat, I was thinking along the lines of an incident response calendar or a tabletop exercise calendar, I don't know that you need 24 different disaster recovery plans, but thinking about the things that could happen, and making sure that you have a plan in place that you've hopefully practiced for dealing with it. So you can pull that binder off the shelf, if the worst happens - a ransomware attack, for example - or some kind of disaster recovery scenario where your servers have gone down because of a tornado or a hurricane or something like that. So I don't know, maybe that's a little disaster focused. But if you need 24 disaster recovery plans, have them, practice them, and keep them refined.
Field: If Die Hard can be a Christmas movie, then that can be an advent calendar.
Schwartz: Thank you very much. I completely agree. Die Hard is one of my favorite Christmas films.
Delaney: Well, as I'm in Stockholm, it would have to be an ABBA-themed calendar, I think. And at each door, you'd have a cybersecurity privacy quote, taken from one of our interviews this year, and they'd have to be sung to the music of ABBA.
Field: Do I understand you're right next door to the ABBA museum?
Delaney: Yes, I think it's part of the hotel. So I'll be checking that out later. Be prepared for a background next week.
Schwartz: I'll prepare for a karaoke Christmas next week, Anna.
Delaney: In time, maybe. Tom, Suparna, Matt - this has been an absolute pleasure. Thank you so much. Thanks so much for watching. Until next time.