In a recent incident, Microsoft's AI research division faced a security vulnerability, as discovered by Wiz, resulting in the exposure of 38TB of private data. White hat hackers identified a shareable link using Azure Statistical Analysis System (SAS) tokens on June 22, 2023. The misconfiguration was swiftly reported to the Microsoft Security Response Center, leading to the invalidation of the SAS token by June 24 and subsequent token replacement on the GitHub page by July 7.
The vulnerability originated from a Shared Access Signature token for an internal storage account when an employee unintentionally shared a URL on a public GitHub repository. This allowed the ethical hackers at Wiz to gain unauthorized access to the entire storage account, revealing a vast 38TB of private data, including disk backups of two former employees' workstation profiles, internal Microsoft Teams messages, secrets, private keys, passwords, and open-source AI training data. Notably, SAS tokens, designed for Azure file-sharing, don't expire, making them less ideal for sharing critical data externally, as highlighted in a Microsoft security blog on September 7. It's important to note that, according to Microsoft, no customer data was compromised, and there was no risk of other Microsoft services being breached due to the nature of the exposed AI dataset.
While this incident is not exclusive to Microsoft's AI training efforts, it underscores the broader issue of securing very large open-source datasets. Wiz, in its blog post, emphasized the inherent security risks associated with high-scale data sharing in AI research and provided insights for organizations to avoid similar incidents.
Wiz suggests cautioning employees against oversharing data and recommends that organizations consider relocating public AI datasets to dedicated storage accounts. Additionally, the incident highlights the need for vigilance against supply chain attacks, where attackers may inject malicious code into files accessible to the public due to improper permissions.
This case underscores the broader challenge of securing large open-source datasets, emphasizing the need for caution in data sharing and considerations for relocating public AI datasets to dedicated storage accounts. Wiz advises organizations to be vigilant against supply chain attacks and stresses the importance of heightened awareness of security risks throughout the AI development process. As AI adoption rises, collaboration between security, data science, and research teams is crucial to establishing robust defenses against evolving threats.
Other Posts you might be interested in:
Following statements made by the White House in May regarding the dangerous uses of AI, the biggest companies spearheading AI development including Google, Meta, Microsoft, OpenAI and Inflection have agreed on a list of eight voluntary commitments, with the ultimate goal of meliorating safety and usage of AI tools.
Read More
Microsoft and HPE faced separate breaches by the state-sponsored threat group Midnight Blizzard, with the latter's attack involving data theft from HPE's cloud-based email environment. Both incidents were initiated through password spray attacks, emphasizing the need for organizations to implement multifactor authentication and robust security measures. The challenges posed by nation-state actors underscore the importance of thorough incident response plans and heightened security standards to adapt to the evolving threat landscape.
Read More
Explore the prevalent cybersecurity threats businesses face, including phishing attacks, ransomware, and insider threats. Discover the importance of partnering with a cybersecurity firm for tailored defense strategies, and why DeepBlue Computers is a good choice for your cybersecurity needs.
Read More