Security researchers have said that Twitter’s source code was leaked online. They also suggested that the incident should serve as a wake-up call to other companies about the need for better protection of their networks, covering both internal and external threats.
In this case, Twitter’s source code was briefly posted to GitHub, the collaborative coding platform. Although the posting was removed the following day, while it was live the code could easily have been copied and redistributed. Twitter asked the U.S. District Court for the Northern District of California for an order compelling GitHub to disclose the identity of the original poster of the code and of those who might have downloaded it.
It has been reported that Twitter executives suspect the code was stolen by a disgruntled employee who left the company around the time that billionaire tech entrepreneur Elon Musk acquired the platform for $44 billion – and then proceeded to lay off a significant portion of the staff.
David Lindner (CISO of Contrast Security) stated via email that the leaked source code could have been the work of unhappy employees or of people who simply don’t like Elon Musk.
Lindner also raised concerns about Twitter’s response to the code leak, in which the security concern almost felt like an afterthought.
He pointed out that Twitter’s initial response was to file a copyright infringement notice with GitHub. “While it is an important step – but really not that meaningful as the code is already out there – I would have immediately hired an outside forensics firm to make sure the malicious actor was not still in Twitter’s environments.”
The response focused on intellectual property (IP) rather than on the dangers such a leak may pose to Twitter’s users.
Lindner added, “In many of these cases, nefarious agents use leaks such as this as a diversion to a greater attack.” “It will be interesting to see how Twitter handles the transparency in their findings.”
Inside Job – More Than Likely
Twitter executives are not the only ones who believe that an employee is responsible for this breach. It would, in fact, be surprising if the culprit were not an insider unhappy with the company’s direction.
Tim Mackey (principal security strategist at the Synopsys Cybersecurity Research Center, CyRC) stated that finding the source of the code leak should be the top priority.
Multiple governance checks and reviews should be applied to the ability to post source code to a company’s GitHub repository. “Occurrences like the one Twitter experienced need to be handled by the same process that every organization uses to decide if they want to ‘open source’ a project,” Mackey stated via email.
While such safeguards would benefit the organization’s own source-code repository, developers who work on their own branches of code likely also have personal GitHub accounts outside those controls.
Mackey stated, “Ideally corporate users would have a ‘personal account’ that is part of a repository managed by the enterprise with adequate access controls to restrict access to authorized users.”
The Genie Has Left the Bottle
Twitter, as noted, is trying to track down not only the source of the leaked code but also those who downloaded it. Tracing every copy could prove to be a daunting task.
Mackey warned that “Officially, publication of source code doesn’t necessarily mean someone didn’t make copies while it was publicly available.” Anyone who did so would be able to analyze the source code to identify vulnerabilities in it. This is exactly the kind of scenario that source-code governance controls are intended to guard against.