Owner security

Elon Musk’s takeover of Twitter clouded by security concerns

The news that Tesla’s billionaire CEO Elon Musk is buying the popular social messaging platform Twitter for $44 billion has sparked widespread media coverage and plenty of food for thought since he announced his intentions.

Musk said part of his mission as Twitter’s new owner will be to “authenticate all humans” and defeat spambots on the platform. Those are only two of the security challenges he will face: the platform has also struggled to retain a CISO – the company has gone through three in quick succession – and has had to deal with data breaches and poor adoption of multi-factor authentication (MFA).

In its own safety report, released in January, Twitter revealed that a measly 2.5% of its users had enabled MFA, and admitted that the low number illustrated the continued need to encourage wider adoption of MFA while also making it easier for accounts to use 2FA.

“The problem with MFA is that it complicates the user experience and people don’t like it,” explained John Bambenek, principal threat hunter at Netenrich, a digital IT operations and security company. “If I got an MFA challenge for every tweet I wanted to post, I’d probably stop using Twitter. But MFA can be used for suspicious posts or from suspicious parts of the internet.”

Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cybersecurity risk remediation, also noted that the average Twitter user probably isn’t willing to go the extra mile to use MFA in practice.

“There’s already some resistance from users when their banking apps want to implement it,” he said. “If people don’t want to use MFA for their banking apps, they sure would resist it for a social media app like Twitter.”

Bots and fake accounts, including massive swarms of bot accounts, have also plagued the social media service, with various reports estimating that Twitter’s fake profile level is between 5% and 15%, and could even be considerably higher.

“The tools are there; it was always the will that was lacking,” Bambenek said. “Many researchers have listed botnets; Twitter can just use the same techniques to bring down the ban hammer. They can also use IP reputation to find botnets, flag suspicious accounts, and find entities posting the same content on multiple accounts.”
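As an added illustration of the two signals Bambenek names (the same content appearing across many accounts, and IP reputation), here is a small detection routine. It is not code from the article or from Twitter; the post records, the bad-IP list and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from hashlib import sha256

# Constructed sample of posts as (account, source_ip, text); not real Twitter data.
POSTS = [
    ("alice",   "203.0.113.10", "Loving the new coffee place downtown!"),
    ("bot_001", "198.51.100.7", "WIN a FREE phone!!! Click http://example.invalid/win"),
    ("bot_002", "198.51.100.7", "Win a free phone! Click http://example.invalid/win"),
    ("bot_003", "198.51.100.9", "win a FREE PHONE click http://example.invalid/win"),
    ("carol",   "203.0.113.55", "Anyone else watching the game tonight?"),
    ("dave",    "203.0.113.56", "Anyone else watching the game tonight?"),
]
# Constructed stand-in for an IP reputation feed.
BAD_IPS = {"198.51.100.9"}

def normalize(text):
    """Collapse case, punctuation and whitespace so near-identical spam hashes alike."""
    text = re.sub(r"[^\w\s:/.]", " ", text.lower())
    return " ".join(text.split())

def fingerprint(text):
    """Short content hash of the normalized text."""
    return sha256(normalize(text).encode()).hexdigest()[:16]

def find_coordinated(posts, min_accounts=3):
    """Return {fingerprint: accounts} for content posted by >= min_accounts distinct accounts.
    Two friends quoting each other stay below the threshold; a swarm does not."""
    by_fp = defaultdict(set)
    for account, _ip, text in posts:
        by_fp[fingerprint(text)].add(account)
    return {fp: accts for fp, accts in by_fp.items() if len(accts) >= min_accounts}

def flag_accounts(posts, bad_ips, min_accounts=3):
    """Combine both signals into {account: [reasons]} for an analyst to review."""
    reasons = defaultdict(list)
    for fp, accts in find_coordinated(posts, min_accounts).items():
        for account in accts:
            reasons[account].append(f"content {fp} shared with {len(accts) - 1} other accounts")
    for account, ip, _text in posts:
        if ip in bad_ips:
            reasons[account].append(f"posted from bad-reputation IP {ip}")
    return dict(reasons)

if __name__ == "__main__":
    for account, why in flag_accounts(POSTS, BAD_IPS).items():
        print(account, "->", "; ".join(why))
```

The threshold is the tuning knob Parkin's later caveat is about: set it too low and ordinary users echoing each other are swept up with the bots.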

From Parkin’s point of view, there will be several challenges to eliminate bots from the platform: although there are “good” bots, there are many bad ones and their authors always try to find ways to circumvent any effort to eliminate them.

“The challenge for Twitter, going forward, will be to identify and weed out bad actors without removing legitimate users or tools, and to do so in a reliable and transparent way,” he said.

He explained that eliminating bots from a social media application like Twitter could have applications and repercussions for the rest of the social media landscape, as bots, spam and misinformation are serious problems on most of these platforms.

“That will only happen, however, if the tools and techniques are made available and adopted by the rest of the industry,” he said.

Parkin added that adding end-to-end encryption to Twitter could prove problematic.

While the technical overhead is relatively minor, as other apps offering end-to-end encryption have shown, some areas of the world restrict cryptography, and Twitter may not want to lose access to those areas.

Bambenek pointed out that many social media companies are valued by the number of users, even when those users are synthetic.

“If Twitter can show that it’s profitable to throw out the trash while increasing real engagement, capitalism will kick in and other companies will follow,” he said. “The only way to get companies to do the right thing is to show them that it pays to do it.”

Parkin said the problem of misinformation is perhaps the biggest challenge, and that it is difficult to strike a balance between an open platform for free expression and one that is abused for misinformation and propaganda.

“Bots play a big role in these, so eliminating them will help,” he said. “But, again, it can be difficult to weed out bots without affecting legitimate users as bot authors constantly evolve their tools.”

Regarding Musk’s statement that he plans to open up the platform’s algorithm, Bambenek said that if Twitter is successful and shows everyone how to do it, engineers can just take the same approach.

“If you can make it work at the scale of Twitter, it will work on a smaller scale,” he said.

Parkin pointed out that because Twitter is such a large and visible platform, if the company starts rolling out features like MFA and end-to-end encryption, other apps will follow to keep up.

“These would both be good things to see across the board, although there is user resistance to MFA and probably some state-level resistance to end-to-end encryption,” he said.

Image: Katja Just (Pixabay License)