In a recent incident, Microsoft's AI research division faced a security vulnerability, as discovered by Wiz, resulting in the exposure of 38TB of private data. White hat hackers identified a shareable link using Azure Statistical Analysis System (SAS) tokens on June 22, 2023. The misconfiguration was swiftly reported to the Microsoft Security Response Center, leading to the invalidation of the SAS token by June 24 and subsequent token replacement on the GitHub page by July 7.
The vulnerability originated from a Shared Access Signature token for an internal storage account when an employee unintentionally shared a URL on a public GitHub repository. This allowed the ethical hackers at Wiz to gain unauthorized access to the entire storage account, revealing a vast 38TB of private data, including disk backups of two former employees' workstation profiles, internal Microsoft Teams messages, secrets, private keys, passwords, and open-source AI training data. Notably, SAS tokens, designed for Azure file-sharing, don't expire, making them less ideal for sharing critical data externally, as highlighted in a Microsoft security blog on September 7. It's important to note that, according to Microsoft, no customer data was compromised, and there was no risk of other Microsoft services being breached due to the nature of the exposed AI dataset.
While this incident is not exclusive to Microsoft's AI training efforts, it underscores the broader issue of securing very large open-source datasets. Wiz, in its blog post, emphasized the inherent security risks associated with high-scale data sharing in AI research and provided insights for organizations to avoid similar incidents.
Wiz suggests cautioning employees against oversharing data and recommends that organizations consider relocating public AI datasets to dedicated storage accounts. Additionally, the incident highlights the need for vigilance against supply chain attacks, where attackers may inject malicious code into files accessible to the public due to improper permissions.
This case underscores the broader challenge of securing large open-source datasets, emphasizing the need for caution in data sharing and considerations for relocating public AI datasets to dedicated storage accounts. Wiz advises organizations to be vigilant against supply chain attacks and stresses the importance of heightened awareness of security risks throughout the AI development process. As AI adoption rises, collaboration between security, data science, and research teams is crucial to establishing robust defenses against evolving threats.
Other Posts you might be interested in:
Explore essential cybersecurity practices for small and medium-sized businesses, covering employee training, password policies, multi-factor authentication, and more. Elevate your business's security with DeepBlue Computers, offering customized solutions and expertise to fortify against evolving cyber threats.
Read More
Amidst the proliferation of AI tools, Google has announced new features that allow users to protect themselves from threats, identify AI-generated images and further protect sensitive data.
Read More
New Studies from BitDefender and Arctic Wolf show that cybergroups are employing new tactics that exploit popular social channels such as Facebook and Youtube. The exploit uses DLLs, shared code libraries used by every operating system to hide malicious code by in the form of a legitimate DLL.
Read More