It is one of those ‘I told you so’ moments. I am not happy or proud, but the profound sadness that hits me when I see the way it is reported on is just staggering. A few are reporting on it, but the larger stage is likely to be found in places like the Verge soon enough. The people who get it will soon understand that it will be worse and that my 90% of cloud transgressions was no joke. Yet to see part of that nightmare, you need to realise that the Microsoft Azure cloud has been in existence since October 2008, almost 13 years. It took time for the business to grow its customer base. Yet consider that the article at Reuters ‘Microsoft warns thousands of cloud customers of exposed databases’ (at https://www.reuters.com/technology/exclusive-microsoft-warns-thousands-cloud-customers-exposed-databases-emails-2021-08-26/) gives us “A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies”. Now we can only speculate how long that flaw, or perhaps that design error, was there. Yet the damage is enormous. With “Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz” we might think it is trivial because it only cost $40,000, but it is not. Thousands of firms with BILLIONS in IP values and other values have been in danger for years, at the most 3 years, yet the article does not really reflect on that (which is not the fault of the BBC or Reuters). And when we are told “We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure”, I wonder just how bad it is. Now, I get it, it might be fixed, but if it was an easy fix, it might equally mean that it could have been easily prevented.
So when we get to “This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted.”, we get to see it from Wiz Chief Technology Officer Ami Luttwak (a former Microsoft employee), now working at Adallom LTD and Wiz. Now we get it, bugs happen, yet one would think that proper testing would be done, and this bug, whilst not proven to have been transgressed upon, went undetected for no one knows how long until an external group decided to test Microsoft access (optionally on Microsoft orders). So whilst some might think that “Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue” passes muster, it does not, mainly because the length of the transgression-enabled time is still unknown, and that is not all. When we consider “The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds”, as well as “a wide number of hackers broke into Exchange email servers while a patch was being developed”, with the cherry on top of “A recent fix for a printer flaw that allowed computer takeovers had to be redone repeatedly”, as well as “Another Exchange flaw last week prompted an urgent U.S. government warning that customers need to install patches issued months ago because ransomware gangs are now exploiting it”, one might speculate that they need to adjust their marketing vision, with the first optional change being “We advertise the most powerful console because the other stuff is buggered”. It seems that Microsoft has all kinds of testing and investigation flaws; that is merely my speculated view. Yet for the customers who feel threatened by this, consider looking at OpenOffice (at https://www.openoffice.org). I cannot guarantee it is more secure, but it is free, and you are now paying for all the transgressions in a multitude of ways (including an annual fee), so you can at least negate one factor.
So whilst some feel sorry for that multibillion company and how sad things are, consider that Azure is an issue, especially when you realise “Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security”. When that comes to the surface, we see that Microsoft seemingly embraces ‘sharing is caring’, and with everything people have in that cloud sharing everything with EVERYONE, we might see Microsoft as the most caring behemoth in the universe, but I reckon the customers who pay a pretty penny for that ‘privilege’ will see this differently. But there is light at the end of the tunnel (well, not really). Compare the logos of Microsoft and the Olympics; now consider that only the black elements (the hackers) were not yet represented, but it seems that Microsoft gave them an internal challenge, and so far the hackers are leading three to nil, which is the larger danger.
And that larger danger is given to us at the very end with “But though cloud attacks are more rare, they can be more devastating when they occur. What’s more, some are never publicised. A federally contracted research lab tracks all known security flaws in software and rates them by severity. But there is no equivalent system for holes in cloud architecture, so many critical vulnerabilities remain undisclosed to users, Luttwak said”.
So it is here that some might realise that
- Some cloud transgressions are never shown the light of day.
- Many critical vulnerabilities remain undisclosed.
- (Speculated) The makers might not even be aware of some vulnerabilities.
That is the stage that cloud customers are exposing themselves to, and in this, with too many corporations reducing their IT security staff and relying on the security of the cloud, how much is this costing the Fortune 500 who created that erroneous, overly simple mindset? It was never a mystery to me; I have written about these kinds of dangers since 2017, so if people are just now waking up, good morning and enjoy the coffee you have, you’ll need it.