Researchers, cybersecurity agency urge action by Microsoft cloud database users

The full version of the article, along with thousands like it, can be found here: Researchers, cybersecurity agency urge action by Microsoft cloud database users

Platform News: Software titan Microsoft building

Researchers who discovered a massive flaw in the main databases stored in Microsoft Corp's Azure cloud platform urged all users to change their digital access keys, not just the 3,300 it notified this week.

As first reported by journalists at our partner news agency Reuters, researchers at a cloud security company called Wiz discovered this month they could have gained access to the primary digital keys for most users of the Cosmos DB database system, allowing them to steal, change or delete millions of records.

Alerted by Wiz, Microsoft rapidly fixed the configuration mistake that would have made it easy for any Cosmos user to get into other customers' databases, then notified some users Thursday to change their keys.

In a blog post Friday, Microsoft said it warned customers which had set up Cosmos access during the weeklong research period. It found no evidence that any attackers had used the same flaw to get into customer data, it noted.

"Our investigation shows no unauthorized access other than the researcher activity," Microsoft wrote. "Notifications have been sent to all customers that could be potentially affected due to researcher activity," it said, perhaps referring to the chance that the technique had leaked from Wiz.

"Though no customer data was accessed, it is recommended you regenerate your primary read-write keys," it said.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency used stronger language in a bulletin Friday, making clear it was speaking not just to those notified.

"CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate key," the agency said.

Experts at Wiz, founded by four veterans of Azure's in-house security team, agreed.

"In my estimation, it's really hard for them, if not impossible, to completely rule out that someone used this before," said one of the four, Wiz CTO Ami Luttwak. At Microsoft he developed tools for logging cloud security incidents.

Microsoft did not give a direct answer when asked if it had comprehensive logs for the two years when the Jupyter Notebook feature was misconfigured, or had used another way to rule out access abuse.

"We expanded our search beyond the researcher's activities to look for all possible activity for current and similar events in the past," said spokesman Ross Richendrfer, declining to address other questions.

Wiz said Microsoft had worked closely with it on the research but had declined to say how it could be sure earlier customers were safe.

"It's terrifying. I really hope than no one besides us found this bug," said one of the lead researchers on the project at Wiz, Sagi Tzadik.

The team at Platform Executive hope you have enjoyed this article. Automatic translation from English to a growing list of languages via Google AI Cloud Translation. Initial reporting via our official content partners at Thomson Reuters. Reporting by Joseph Menn in San Francisco. Editing by Richard Chang.

You can stay on top of all the latest developments across the platform economy, find solutions to your key challenges and gain access to our problem-solving toolkit and proprietary databases by becoming a member of our growing community. For a limited time, our subscription plans start from just $16 per month. What are you waiting for?

This news article was published by Platform Executive, the home of the platform economy.

If you enjoy the content then please post a link on your website, or share on social media to help us get the word out.



Researchers, cybersecurity agency urge action by Microsoft cloud database users posted first on https://www.platformexecutive.com/

Comments

Post a Comment

Popular posts from this blog

4 tips for bouncing back from a business hardship

Image
The full version of the article, along with thousands like it, can be found on the following page: 4 tips for bouncing back from a business hardship Hardships can affect even the most successful businesses. If you’ve recently suffered a major setback within your company, it’s okay to feel discouraged. While hardships can be tough, they shouldn’t stop you from bouncing back. If you’re ready to pull your business out of a rough patch, read on for four tips to help you get back on your feet! #1 GO BACK TO YOUR COMPANY'S ROOTS If your business has come this far, there’s bound to be something you’ve done right. Sometimes hardship comes when you’ve strayed away from your original concept. If you’ve been testing out some new ideas that seem to miss the mark, try going back to your first business model and rework a new plan from there. It’s important to remember where the heart of your company truly lies, and what sets you apart from rivals , such as: Your minimum viable product
Read more

The 6 best resources to learn about database management

The full version of this article, along with thousands like it, can be found here: The 6 best resources to learn about database management Database management is one of the most sought-after skills in the technology industry. Top companies such as Google and Amazon include it regularly in technical interviews. If you are new to database management or it’s been a while since you’ve practiced, you might want to brush up on your skills before your next job opportunity. […] This article was published by Platform Executive , the home of the platform economy. If you enjoy the content then please post a link on your website, or share on social media to help us get the word out. The 6 best resources to learn about database management posted first on https://www.platformexecutive.com/
Read more

Google, Facebook agreed to team up against possible antitrust action, draft lawsuit says

Image
The full version of the article, along with thousands like it, can be found on the following page: Google, Facebook agreed to team up against possible antitrust action, draft lawsuit says Facebook and Alphabet Inc's Google agreed to "cooperate and assist one another" in case of an investigation into their pact to work together in online advertising, the Wall Street Journal has reported. The WSJ report cited an unredacted version of a lawsuit filed by 10 countries against Google last week. The nations had accused Google of working with Facebook within an unlawful manner that violated antitrust law to improve its already-dominant online advertising business. According to the report, the lawsuit said that Google and Facebook were aware that their arrangement could trigger antitrust investigations and discussed how to cope with them. A Google spokesperson told the Journal that such agreements over antitrust threats are incredibly common. The unredacted draft edition
Read more