
Decision Based on Assessment of How the Firm was Being Led Says Memo Quoted By NYT

Twitter Reportedly Fires Head of Security, CISO to Leave
Departures possibly related to Twitter’s recent embrace of web3 technologies? (Source: ISMG Files)

Twitter has said it is firing Peiter Zatko, the network security expert whom it hired in late 2020 as head of security.


The changes in the security team followed “an assessment of how the organization was being led,” according to a company memo shared with The New York Times.

Zatko, known by the handle “Mudge,” gained fame as a member of the “Cult of the Dead Cow” ethical hacking collective in the 1990s and later moved to top cybersecurity research positions at the Defense Advanced Research Projects Agency, aka DARPA, and Google.

Twitter’s chief executive Parag Agrawal, who took over from Jack Dorsey in November, also announced that industry veteran Rinki Sethi, the chief information security officer, will be departing in the coming weeks. However, the company did not specify whether the departure is voluntary.

Sethi in a tweet confirmed her departure and said, “It is with a heavy heart that I announce my impending departure from Twitter. Thanks to all of you that have reached out to check in with me, I appreciate all the kind words, thoughts and love being sent my way.”

Neither Sethi nor Zatko responded to ISMG’s request for a comment.

A Twitter spokesperson told ISMG: “I can confirm that Mudge Zatko is no longer at Twitter and Rinki Sethi will be departing Twitter in the coming weeks. As with matters of employment and privacy, we have no further details to share at this time.”

Major Changes

The social media platform, in a memo to employees that was accessed by The New York Times, reportedly said, “the changes followed an assessment of how the organization was being led and the impact on top priority work.”

Twitter’s head of privacy engineering, Lea Kissner, will become the company’s interim chief information security officer, according to the report.

Reportedly, after taking office at Twitter, Agrawal also reorganized the management staff and dismissed Dantley Davis, the chief design officer, and Michael Montano, the head of engineering.

In a previous SEC filing, the company said that Agrawal is restructuring the leadership team to drive increased accountability, speed and operational efficiency, shifting to a general manager model for consumer, revenue and core tech, which will be led by Kayvon Beykpour, Bruce Falck and Nick Caldwell, respectively.

“These GMs will lead all core teams across engineering, product management, design, and research. Lindsey Iannucci also joined the leadership team as chief of staff and vice president of operations to support Agrawal in strengthening operations across the leadership team, and the company. As part of these changes, Dantley Davis, design and research lead, will also be stepping down from his position at the company effective December 31, 2021, and will remain an advisor through the end of the first quarter of 2022 to ensure an orderly transition,” the filing said.

Zatko and Sethi joined Twitter in late 2020. Sethi was previously a VP of data safety at IBM, VP and CISO at Rubrik, Inc., and had held various leadership roles at companies such as Palo Alto Networks, Intuit and eBay.

Mudge’s Removal

Zatko was one of the first computer security researchers to gain a following for his hacking abilities and his understanding of cybersecurity. In one of his first papers in 1995, he described how a buffer overflow works and the threat this flaw posed to networks at the time (see: Twitter Hires Famed Hacker ‘Mudge’ as Security Head).

Later, Zatko joined the ethical hacking collective Cult of the Dead Cow and also began speaking at events such as DEF CON about a range of security issues. In 1998, he testified before a U.S. Senate hearing about internet vulnerabilities. Later, he briefed then-President Bill Clinton about the dangers of distributed denial-of-service and other nascent attacks, according to reports from the time.

Jake Williams, a former member of the National Security Agency’s elite hacking team xx, tweeted, “I get that this is a meme (and a damn good one at that), but losing ‘a strong security team’ significantly downplays the years of damage Twitter has done to its security program.”

In an email to ISMG, Williams added: “Zatko and Sethi are two of the most sought after security leaders in the entire cybersecurity industry. That any organization was ever lucky enough to have them at the same time was itself significant. To hear that they are both leaving the organization in what almost certainly are related circumstances should be concerning for anyone who is concerned with the security of the platform.

“It won’t surprise me to learn that their departure is related to security concerns over Twitter’s recent embrace of web3 technologies, as demonstrated by yesterday’s release of the NFT integrations. I would assess that being charged with the security of the Twitter platform while engineering teams are integrating with web3 frameworks would lead to conflict with the remainder of the leadership team. Of course there are likely many factors at play that we don’t yet know about publicly.”

(NFT profile pictures on iOS are available as an option for Twitter Blue users. To verify ownership, users have to connect their crypto wallets to the Twitter Blue account.)

Matthew Green, associate professor at Johns Hopkins University, tweeted, “I don’t know what’s going on at Twitter. When CISOs leave social media companies unexpectedly it can mean all sorts of unpleasant things.”

Some Twitter users also suggested that the two might be leaving the company to join their former boss Jack Dorsey at his digital payments firm Block.

High-Profile Security Incidents

The appointment of Zatko followed several high-profile security incidents at Twitter that led to criticism of the company’s security practices.

In July 2020, three suspects, including a Florida teenager, were charged in connection with hacking 130 high-profile Twitter accounts, including those of Bill Gates, Barack Obama and Joe Biden, to pull off a cryptocurrency scam (see: 3 Charged in Twitter Hack).

The hackers reportedly gained control of several high-profile Twitter accounts by using phone phishing and SIM-swapping techniques, and sent fake messages to steal about $120,000 in Bitcoin from victims. It’s also believed that the suspects gained access to some Twitter account user data, including information stored in the Direct Message feature (see: Twitter Hack: Suspects Left Easy Trail for Investigators).