Twitter Insiders Allegedly Spied for Saudi Arabia
Credit to Author: Lily Hay Newman| Date: Thu, 07 Nov 2019 03:31:14 +0000
Hackers are one thing. But too few companies take the threat of an inside job seriously enough.
In charges released Wednesday, the Justice Department accused two former Twitter employees, Ahmad Abouammo and Ali Alzabarah, of abusing their internal system privileges to spy on target users and pass the information they collected to Saudi Arabia. The criminal complaint also alleges that it was trivial for them to do so—a chilling reminder of how much damage an insider can cause.
The court documents, first reported by The Washington Post, also reference a third suspect, Ahmed Almutairi, who allegedly worked as an intermediary between the Twitter insiders and the Saudi government. Alzabarah and Almutairi are both Saudi citizens, while Abouammo is a United States citizen. He was arrested in Seattle on Tuesday.
Alzabarah joined Twitter in August 2013 as a site reliability engineer, the complaint says, and gained more responsibility over time until he could access users accounts and personal data—like phone numbers and IP addresses—as part of his job. He also allegedly developed relationships with Saudi intelligence agents during this time, and is accused of looking up private information from more than 6,000 Twitter accounts, including those of dissidents and political activists, on Saudi Arabia's behalf over the course of a few months in 2015. Saudi Arabia is known for aggressively exerting influence and tracking detractors on social media. Crown Prince Mohammed bin Salman and his regime have also fostered close ties to Silicon Valley.
"Insiders can do major damage and often go undetected for large periods of time."
Dave Kennedy, TrustedSec
The Justice Department alleges that Abouammo accessed data from three user accounts, at least one of which was that of an outspoken critic of the Saudi royal family. But unlike Alzabarah, Abouammo's role as media partnerships manager at Twitter does not necessarily seem to necessitate access to private user data. The complaint asserts that the Saudi government wired at least $300,00 to Abouammo and his family. He left Twitter in May 2015, but allegedly still attempted to get information about users from some former Twitter colleagues. Abouammo worked for Amazon after leaving Twitter, but apparently left that job over a year ago.
Twitter said on Wednesday that it appreciated the work of the Justice Department and Federal Bureau of Investigation on the case. "We recognize the lengths bad actors will go to try and undermine our service," the social media giant said in a statement. "Our company limits access to sensitive account information to a limited group of trained and vetted employees. We’re committed to protecting those who use our service to advocate for equality, individual freedoms, and human rights."
But the fact that even a company with the resources of Twitter was unable to head off an insider threat speaks to just how difficult they are to defend against. Most organizations are woefully under-defended against those attempts, according to multiple cybersecurity professionals WIRED spoke with Wednesday. They emphasize that the risk can never be totally eliminated, but that there are necessary data access controls and siloing efforts that many organizations overlook or implement weakly.
For example, many companies aren't strict enough about limiting which employee accounts have "permission" or "privilege" to access sensitive data.
"Privileged access is one of the toughest things in any organization and especially in tech companies," says Dave Kennedy, founder of TrustedSec, a cybersecurity firm that conducts so-called penetration tests, the practice of probing a system for weaknesses. "Companies are not doing enough to protect sensitive consumer data. This is a great example with Twitter. Insiders can do major damage and often go undetected for large periods of time."
Many organizations find it difficult to prioritize the work it takes to stratify employee access to data based on specific need, a process often called provisioning. Uber infamously allowed employees access to a "God mode" that let them track users and view their account details—a feature staffers extensively abused. On the other end of the spectrum, making it more difficult for insiders to access and exfiltrate large amounts of sensitive data is possible but takes stringent, often frustrating rules. When companies grow from relaxed small businesses or startups into massive organizations, imposing those restrictive controls can be deeply unpopular among the people who work there.
"The corporate world is coming to realize the value of focusing on foundational security principles used in the military and finance worlds," says Kenn White, security principal at the database company MongoDB. "Insider threats and administrator privileged access are serious issues for any company, because at some point, you have to trust someone to manage your most trusted, confidential data. Encryption has a role, but only in a broader strategy of separation of duties and compartmentalization."
Another thing companies can do—but often don't—to minimize an insider threat is to implement logging and auditing procedures to trace potentially suspicious activity, or reconstruct accurate access histories. Even if you fail to stop someone from snooping where they shouldn't, you can at least keep a record of it.
"At many companies the problem is not just the provisioning, but also the almost total lack of auditing," says Jake Williams, founder of Rendition Infosec. "There's often a problem of 'we know something happened, but who did it?' And they lack the internal auditing capabilities to figure that out—they misunderstand their own logging. A big component of the incident response work we do today is accurately interpreting what the logs say."
Twitter says it has continuously improved its internal monitoring and protections, but the consequences of the Saudi exfiltration incident are still reverberating. One victim, the political dissident Omar Abdulaziz, is suing Twitter for allegedly failing to notify him about Alzabarah's intrusion in his account.
"It's a numbers game—as an organization grows, particularly a global enterprise, there will be insider threats," MongoDB's White says. "Mature organizations need to spend considerable time and resources thinking about and designing their systems to limit potential abuse."
Given how many companies large and small have all kinds of your data sitting in their servers, hopefully they're more attuned to that threat than ever.