Saturday, August 28, 2021 8:07:08 PM
By: Joseph Menn | August 28, 2021
(Reuters) - Researchers who discovered a massive flaw in the main databases stored in Microsoft Corp (NASDAQ:MSFT)'s Azure cloud platform on Saturday urged all users to change their digital access keys, not just the 3,300 it notified this week.
As first reported by Reuters (https://www.reuters.com/technology/exclusive-microsoft-warns-thousands-cloud-customers-exposed-databases-emails-2021-08-26), researchers at a cloud security company called Wiz discovered this month they could have gained access to the primary digital keys for most users of the Cosmos DB database system, allowing them to steal, change or delete millions of records.
Alerted by Wiz, Microsoft rapidly fixed the configuration mistake that would have made it easy for any Cosmos user to get into other customers' databases, then notified some users Thursday to change their keys.
In a blog post Friday, Microsoft said it warned customers who had set up Cosmos access during the weeklong research period. It found no evidence that any attackers had used the same flaw to get into customer data, it noted.
"Our investigation shows no unauthorized access other than the researcher activity," Microsoft wrote. "Notifications have been sent to all customers that could be potentially affected due to researcher activity," it said, perhaps referring to the chance that the technique had leaked from Wiz.
"Though no customer data was accessed, it is recommended you regenerate your primary read-write keys," it said.
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency used stronger language in a bulletin Friday, making clear it was speaking not just to those notified.
"CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate key," the agency said (https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/microsoft-azure-cosmos-db-guidance).
Experts at Wiz, founded by four veterans of Azure's in-house security team, agreed.
"In my estimation, it's really hard for them, if not impossible, to completely rule out that someone used this before," said one of the four, Wiz Chief Technology Officer Ami Luttwak. At Microsoft he developed tools for logging cloud security incidents.
Microsoft did not give a direct answer when asked if it had comprehensive logs for the two years when the Jupyter Notebook feature was misconfigured, or had used another way to rule out access abuse.
"We expanded our search beyond the researcher's activities to look for all possible activity for current and similar events in the past," said spokesman Ross Richendrfer, declining to address other questions.
Wiz said Microsoft had worked closely with it on the research but had declined to say how it could be sure earlier customers were safe.
"It's terrifying. I really hope that no one besides us found this bug," said one of the lead researchers on the project at Wiz, Sagi Tzadik.
DiscoverGold
Information posted to this board is not meant to suggest any specific action, but to point out the technical signs that can help our readers make their own specific decisions. Caveat emptor!