Twitter CISO whistleblower, LastPass security incident and PayPal phishing- Newsletter #5

Plus: the silence of risk management victory and free web security resources.

Sep 17, 2022

With a small delay, here’s this month’s newsletter, looking at what happened in August. As I got some positive feedback about the new format, I'll keep it this way.

This was a month marked by the Twitter whistleblower that claimed less than appropriate security measures at the company. The complaint was done to the FTC by the former head of security Peiter Zatko, a respected security researcher known as “Mudge”.

Here’s some of his claims, according to the Washington Post:

(…) thousands of employees still had wide-ranging and poorly tracked internal access to core company software, a situation that for years had led to embarrassing hacks, including the commandeering of accounts held by such high-profile users as Elon Musk and former presidents Barack Obama and Donald Trump.

and it continues with a:

(…) the company prioritized user growth over reducing spam, though unwanted content made the user experience worse. Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users, the complaint asserts, and nothing explicitly for cutting spam.

These allegations come very handy for the Elon Musk vs. Twitter case as they support Musk’s claims of excessive bots and spammers on the platform. To be followed.

What I read last month

What’s going on with security at PayPal (christianvarga.com)
Notice of Recent Security Incident (LastPass)
Study Finds Apple Collects the Least Amount of User Data Among Top Five Tech Giants (Mac Observer)
Your online identity is owned by your email provider (Ctrl.blog)
PayPal Phishing Scam Uses Invoices Sent Via PayPal (Krebs on Security)
Freedom and Privacy (Dergigi)

On Substack

This is an excellent article about Risk Management. Strongly recommended:

Risk Musings

The Silence of Risk Management Victory

Sometimes risk mitigation works. It doesn’t feel that way because when risk mitigation works, nothing happens. But not all risks lead to catastrophe, as long as people tasked with mitigating those risks keep their eyes on the goal. For example, it’s possible that the Y2K computer bug actually…

10 months ago · 4 likes · 5 comments · Stephanie Losi

On Twitter

Javarevisited @javarevisited

How to securely store passwords in the database?

A great technical article about storing passwords in databases. In a time where more and more developers use external services to take care of user authentication (Auth0, Okta, etc.), a bit of knowledge about how it’s done doesn’t hurt.

Eric Lawrence 🎻 @ericlaw

BigCorp: You should recognize a phishing attack. BigCorp: This is a legitimate and mandatory URL.

This is something that grinds my gears. I would totally fail this test.

Lukasz Olejnik @lukOlejnik

Emojis can be used to deliver malicious payloads (i.e. to hack systems). Clever. î.fr/defcon/DEF%20C…

Very interesting one.

Marko ⚡ Denic @denicmarko

Stanford University offers this free course on Web Security. The course covers: 1. HTTP, Cookies, Sessions 2. Same Origin Policy 3. Cross-Site Scripting (XSS) 4. Denial-of-service, Phishing, Side Channels 5. WebAuthn 6. Server security and more... Link:

stanford.ioCS253 - Web SecurityPrinciples of web security. The fundamentals and state-of-the-art in web security. Attacks and countermeasures. Topics include: the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentic…

There’s a ton of useful Cybersecurity resources online and from reputable resources. This is a great example of a course taught by Standford University called “Principles of web security.”