In a recent incident, Microsoft's AI research division faced a security vulnerability, as discovered by Wiz, resulting in the exposure of 38TB of private data. White hat hackers identified a shareable link using Azure Statistical Analysis System (SAS) tokens on June 22, 2023. The misconfiguration was swiftly reported to the Microsoft Security Response Center, leading to the invalidation of the SAS token by June 24 and subsequent token replacement on the GitHub page by July 7.
The vulnerability originated from a Shared Access Signature token for an internal storage account when an employee unintentionally shared a URL on a public GitHub repository. This allowed the ethical hackers at Wiz to gain unauthorized access to the entire storage account, revealing a vast 38TB of private data, including disk backups of two former employees' workstation profiles, internal Microsoft Teams messages, secrets, private keys, passwords, and open-source AI training data. Notably, SAS tokens, designed for Azure file-sharing, don't expire, making them less ideal for sharing critical data externally, as highlighted in a Microsoft security blog on September 7. It's important to note that, according to Microsoft, no customer data was compromised, and there was no risk of other Microsoft services being breached due to the nature of the exposed AI dataset.
While this incident is not exclusive to Microsoft's AI training efforts, it underscores the broader issue of securing very large open-source datasets. Wiz, in its blog post, emphasized the inherent security risks associated with high-scale data sharing in AI research and provided insights for organizations to avoid similar incidents.
Wiz suggests cautioning employees against oversharing data and recommends that organizations consider relocating public AI datasets to dedicated storage accounts. Additionally, the incident highlights the need for vigilance against supply chain attacks, where attackers may inject malicious code into files accessible to the public due to improper permissions.
This case underscores the broader challenge of securing large open-source datasets, emphasizing the need for caution in data sharing and considerations for relocating public AI datasets to dedicated storage accounts. Wiz advises organizations to be vigilant against supply chain attacks and stresses the importance of heightened awareness of security risks throughout the AI development process. As AI adoption rises, collaboration between security, data science, and research teams is crucial to establishing robust defenses against evolving threats.
Other Posts you might be interested in:
IBM X-Force research led by Stephanie "Snow" Carruthers finds human-crafted phishing emails perform 3% better than AI-generated ones. The study, conducted in the healthcare sector, emphasizes the need for businesses to focus on human-centric email security
Read More
Microsoft has uncovered Chinese state-backed hackers engaged in cyberespionage activities targeting critical infrastructure organizations in Guam, a U.S. territory. The campaign, codenamed Volt Typhoon, aims to develop capabilities that could disrupt communications infrastructure between the U.S. and Asia during future crises.
Read More
Following statements made by the White House in May regarding the dangerous uses of AI, the biggest companies spearheading AI development including Google, Meta, Microsoft, OpenAI and Inflection have agreed on a list of eight voluntary commitments, with the ultimate goal of meliorating safety and usage of AI tools.
Read More