Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Microsoft Security

Microsoft Warns Thousands of Cloud Customers of Exposed Databases (reuters.com) 43

Microsoft has warned thousands of its cloud computing customers, including some of the world's largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher. From a report: The vulnerability is in Microsoft Azure's flagship Cosmos database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft's Cloud Security Group. Because Microsoft cannot change those keys by itself, it emailed the customers Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz. Microsoft's email to customers said it has fixed the vulnerability and that there was no evidence the flaw had been exploited. "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key," according to a copy of the email seen by Reuters.
This discussion has been archived. No new comments can be posted.

Microsoft Warns Thousands of Cloud Customers of Exposed Databases

Comments Filter:
  • by Oligonicella ( 659917 ) on Friday August 27, 2021 @11:13AM (#61735759)
    If your data isn't on your devices, it ain't your data.
    • One of the major benefits is speed. If you need to servers and space quickly, you do not have to build out a data center, order servers, build and configure servers, etc. The con includes loss of total control.
      • One of the major benefits is speed. If you need to servers and space quickly, you do not have to build out a data center, order servers, build and configure servers, etc. The con includes loss of total control.

        Kind of a big con, if the bad guys can simply delete your data. Quickly.

      • Major benefit, you get to fire people, business love that, let's be honest
    • Remind me of ths +s and -s of the cloud again.

      Create vuln on-prem yourself vs have someone else create vuln off-prem.

      • by Tablizer ( 95088 )

        That way nobody notices you are breached as long as the hackers don't break something. If MS cloud is breached, everybody knows. Insecurity thru Obscurity.

    • unless you encrypt it yourself. At the very least that should establish an expectation of privacy and trigger the 4th amendment to require a search warrant
    • The issue I have is Cloud for Large Companies.
      Cloud computing for a large organization who has the resources for their own data center and IT Staff doesn't make too much sense as the organization can have control of their data, and manage its safety and security without having to rely on say Microsoft, Amazon or Google who may see you as a small customer.

      However if you are a small organization, where your "Data Center" is a SQL server on a PC under someones desk, connected with Insecure Wi-FI then you may b

    • And you think on-premise servers are MORE secure??? Have you ever noticed what kind of "security professionals" companies usually hire to make sure their servers are secure? They aren't exactly paying top dollar.

      Hackers, given enough financial motivation, will find ways past any defenses. Personally, I'd rather trust my data to a cloud provider that is motivated financially to pour millions into beefing up security, than to a corporate IT department that chokes on paying $100K for a guy who knows something

    • by tlhIngan ( 30335 )

      You're assuming that the companies using the cloud would do a better job of protecting the data.

      So even if they did it all inhouse, chances are it'll become a long-forgotten server running ancient software in short order open to vulnerabilities.

      There's no real solution, in the end...

  • cloud DB vs DB in an VM in the cloud?

    Why cloud DB when you can run it in an VM and give your app full control over it's own DB's

  • With the whole JEDI contract with Microsoft.

  • This is not possible - the Cloud offers perfect security, as we have been told over and over and over again.

    That old Eurythmics song "Would I lie to you?" Keeps running through my noggin.

    • by Tablizer ( 95088 )

      You forgot to get it in writing.

      • by znrt ( 2424692 )

        so he could store it on the cloud? oh wait ...

      • You forgot to get it in writing.

        I Don't do cloud. I have multiple backups stored in a couple places in case of a problem. Not nuclear hardened, but if that happens, my data is the least of my problems.

        The cloud is a bill of goods, sold to management as a way to get rid of employees and equipment, and by foolish IT people who convinced them that it was 100 percent safe for reasons.

        It sounded too good to be true. That's because it was and is. As others have noted, if you can't put your hands on the devices your data is stored on, it's

    • No security is perfect. But you can bet Microsoft spends more money on security, than your average corporate IT department does.

      • No security is perfect. But you can bet Microsoft spends more money on security, than your average corporate IT department does.

        We spent a lot of money on Afghanistan as well.

        • You are correct. The difference is, the survival of the United States as a going concern, doesn't rest on the success of it's Afghan mission. The survival of Azure and AWS do depend on their ability to remain secure.

          • You are correct. The difference is, the survival of the United States as a going concern, doesn't rest on the success of it's Afghan mission. The survival of Azure and AWS do depend on their ability to remain secure.

            I have bad news for them both.

    • by znrt ( 2424692 )

      That old Eurythmics song "Would I lie to you?"

      thank you!

    • Of course it's perfect security. Haven't you been listening to the open-sourcers. The entire internet runs on open-source. There's a thousand eyes ensuring your cloud is secure.

  • by TomGreenhaw ( 929233 ) on Friday August 27, 2021 @11:38AM (#61735845)
    We don't applaud white hat burglars who prove they can break into your business, we throw them in jail unless they are shot first.

    Trusted computing is nearly impossible. Running your own servers doesn't shield you from vulnerabilities in CPUs, motherboards, memory, storage, any attached peripherals and drivers, BIOS, operation systems, application programs, any and all networking connecting you to anything, or ignorant authorized users.

    With cloud computing you are outsourcing security in the hopes they do a better job than you. In this case the vulnerability was addressed whereas with on-premise it likely would have been compromised for years.

    In the majority of cases based upon my experience, even Microsoft does a far better job than the standard admins out there.
  • Mickeysoft does it again
    • by znrt ( 2424692 )

      actually ... a database program got pwned. nothing about this is neither intrinsic nor exclusive to microsoft or cloud computing (but i enjoy making fun of both more than the next one!). (cloud computing interfaces are just more exposed but it is essentially the same thing).

      the statement that made me grin though was: "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key" ... of course, of course, what else would they say to their customers, right

      • It's the cloud, so you get to pay for Request Units (RUs). Customers would probably see a large exfiltration of data appear in their bills, or in any alerts they might have set up. This would especially be the case if large numbers of mods were being done.

        The above depends on a number of factors, but my guess is this would be the first warning a customer would get that would indicate a problem.
  • The problem with the Cloud (aka someone else server) is the attack surface is the entire world. When you self-host your databases and other criticals servers, they are NOT exposed on the internet like in "the Cloud". They are not "near or on the same physical servers" like the Cloud (Spectre/Melt attacks). The Cloud is also a big target for hackers to have a big impact on MANY businesses in one attack.

    If your data is REALLY critical for your business, keep it on YOUR servers. It's that simple. And like a p

    • Servers not in some way connected to the internet have pretty limited utility
      • Servers not in some way connected to the internet have pretty limited utility

        Well, an on-prem ERP system has very little need to be connected to the internet, but it has massive utility to a company.

        Admittedly, certain connections add to that utility, but they should be highly controlled and securable. For example, shippings costs being retrieved and written to the database for a sales order.

  • until you open up remote connections
  • Isn't it possible for these innovators to design a system that's locked-down by default.

To stay youthful, stay useful.

Working...