• vpnMentor reports a data breach identifying 80 million US households

    #1105130

    I can’t verify this independently, but if it’s confirmed, we have one whale of a breach on our hands. vpnMentor’s blog says: The 24 GB database includ
    [See the full post at: vpnMentor reports a data breach identifying 80 million US households]

    4 users thanked author for this post.
    • #1106755

      I can’t verify this independently, but if it’s confirmed, we have one whale of a breach on our hands. vpnMentor’s blog says: The 24 GB database includ[See the full post at: vpnMentor reports a data breach identifying 80 million US households]

      What's missing in this post? The data breach is on Microsoft cloud.

      2 users thanked author for this post.
      • #1113225

        To be fair to MS, they probably had nothing to do with the customer stupidity. This sort of stupidity is bound to happen on any cloud service because too many think ‘the Cloud’ means you do not have to do anything.

        1 user thanked author for this post.
    • #1106967

      “…Hosted by a Microsoft cloud server…”

      Oh, man.  I feared a day like this for years. Even with Chrome and Android Drive and a Google account, I try and minimize, scrub, disinfect, obfuscate and sanitize as far as I can, but… I hope this turns out to be less awful than it seems; an MSFT cloud server not secure? (“The Horror…The Horror…”)

      Has this happened to MSFT in the past? Amazon, yes, some others, certainly.

      Man, if true, someone needs to be taken to the Infosec shed, big time. And fined, and treble damages/fines if it’s shown to be through carelessness.

      There’s an old book called “The Cloud of Unknowing”…someone needs to update it.

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

    • #1110422

      an MSFT cloud server not secure?

      Remember when someone found 40,000 public MongoDB databases scattered around the Internet?

      Or how about that thing earlier this month where Millions of Facebook records were exposed on public Amazon server?

      Or that other thing earlier this month where A public database exposed medical records of 150,000 rehab patients in Pennsylvania?

      Or that other thing earlier this year where Exactis exposed a database of 340 million records on the open internet?

      There are hundreds of stories like this from the last 20 years.

      Why?  One reason — because there are a lot of dumb and lazy programmers out there who leave ports exposed so they can work remotely without having to use a VPN or IPsec or whatever. That dumbness persists regardless of the technology stack.

      8 users thanked author for this post.
    • #1110808

      Borrowed for the occasion: “The cloud is just someone else’s computer.”

      8 users thanked author for this post.
    • #1111424

      Borrowed for the occasion: “The cloud is just someone else’s computer.”

      Aye, yer right…and I dredged the one below up from 9 years ago, which, aside from their email faux pas on the 15th of this month, is the only outstanding MSFT cloud server flub I could get my hands on:

      “Microsoft Cloud Data Breach Heralds Things to Come”

      “What might be the first major cloud data breach happened Wednesday. Microsoft announced that data contained within its Business Productivity Online Suite (BPOS) has been downloaded by non-authorized users.”

      https://www.pcworld.com/article/214775/microsoft_cloud_data_breach_sign_of_future.html

      It’s like riding a motorcycle in the city: it’s not a question of IF you’re going to have a crash, it’s when, and how bad it’s going to be.

      If this turns out to be as bad as it looks…well, always wear your cyber-equivalent of your leathers and brain-bucket, everyone!

      Quis custodiet ipsos custodes? (“Who will watch the guardians?”)

      2 users thanked author for this post.
    • #1114149

      Sent an email to info@vpnmentor.com.  Requested they notify Microsoft, FCC, FTC, and DOJ as well as all 50 state’s attorneys general and secretaries of state to remove the database from the server.  The owner of the database will contact Microsoft pretty quickly once they find out they no longer have access to it.  At that point, the various agencies and states can deal with those owners.

      1 user thanked author for this post.
      • #1115964

        Anonymous: Assuming this story is true, then one of those people you are suggesting be contacted could be the responsible party as well, or be closely related to it. One possibility would be someone at the Census Bureau. The description of the database in the vpnmentor blog clearly suggests it may have originated there. Or it could be that some other government organization copied it from the C.B., because it needed that information, and then some of their clueless people parked it in the MS “Cloud” and then forgot it was there.

        Be all that as it may, I must say this: The Cloud, in our time, is really the gift that keeps on giving.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #1116361

      Sounds to me like a DB perhaps related to reverse mortgages.  Either a DB for sales/marketing leads or a DB of all/most existing reverse mortgages.  The biggest clue is the age issue: ages for people in households are older and nobody < 40yrs.  You need to be at least 60 to get a reverse mortgage – and the age of the spouse (which can be < 60) is part of the info required to apply.  Address and geolocation data seem to hint at something real estate related.

    • #1117170

      Today I read several articles about this in several different pubs, so it’s real; MSFT has shut down access to this server, but questions remain (at least for me):

      1. When one contracts/rents server space on “the cloud”, does not the provider (AWS, MSFT, etc) a) Have a duty to make sure that the server itself IS secure, in and of itself, or b) is that the sole responsibility of the renter, or c) do they share that responsibility? Does it depend on how that server space is marketed?

      2. Is there not some incumbency under “a” above for the renter to encrypt the data before it’s transmitted to a server in “the cloud”?

      I’m a bit fuzzy on these points, but it seems that if you’re flogging server space for sensitive stuff, shouldn’t inherent security be part of the implied warranty/agreement?

      I’m no Cyberspace Lawyer, but from what I can find out, there are not a lot of regulations for this kind of thing; maybe there ought to be. Could there be some “Fitness for Use” in Europe, and “Implied Warranty” case law in the US for this sort of thing already on the books?

      [Also, there’s a lot of difference between “someone else’s computer” and a co-located, backed up and fully mirrored system in at least three widely geographically spaced servers. There are all sorts of “Cloud Servers”, from the one in someone’s basement or closet, to the types I mentioned above. (Gee, I wish “Networking” magazine was still around.)]

      But the philosophical point is still well taken.

      BTW, go to Google News and search for “Data Breach”; it’s a good day’s reading.  Bring some Pepto. 🙁

    • #1119640

      In its present state of development, the “Cloud” management systems are not ready for preventing the largest risk to the safety of its voluntary or involuntary users: humans in the loop. That has clearly created an endless collection of points of catastrophic failure in those systems, and nothing will fix this in the near or medium term, I dare to predict. And truly catastrophic have been, and will continue to be, the failures, probably for years to come.

      So the Cloud is another one of those brilliant ideas whose time has not come.

      But tell that to the likes of Satya Nadella and his investors.

      1 user thanked author for this post.
    • #1120393

      Just reviewed some more info on CNET, and they seem to think “Securing the data is up to the organization that created the database, and not Microsoft itself.”

      https://www.cnet.com/news/cloud-database-removed-after-exposing-details-on-80-million-us-households/

      I don’t completely buy into this yet; how the service was sold to them is critical. If it was sold to the mysterious entity as “A Secure Server,” someone could take that to mean they didn’t have to encrypt the data first.

      “The big print giveth, and the fine print taketh away.”

      I want to see the fine print.

      Jeez, what a can of worms.

      1 user thanked author for this post.
      • #1121876

        I don’t completely buy into this yet; how the service was sold to them is critical. If it was sold to the mysterious entity as “A Secure Server,” someone could take that to mean they didn’t have to encrypt the data first.

        “The big print giveth, and the fine print taketh away.”

        I want to see the fine print.

        Jeez, what a can of worms.

        Could well be “A Secure Server” by a definition that includes the user still being able to publish things from it, so that the public can access only what is released to the public…

        I mean, it’s not like most servers have a content analyzer that’d be expected to detect things like this automatically.

        Not much that could be done to completely prevent user errors.

        1 user thanked author for this post.
    • #1121613

      Securing the data is up to the organization that created the database, and not Microsoft itself.

      Data security is always up to the creator / storer of the data. The problem is that in the US data security is trumped by money – yes Facebook – so that is the default position.

      cheers, Paul

      2 users thanked author for this post.
    • #1121874

      The responsible, ideally, will pay a price for their failings. The likes of vpnMentor will continue to reveal to an astounded world the latest outrage. The legal professionals will endlessly pick nits between the pages of their legal tomes. However, not all the King’s lawyers, nor all the King’s laws will fix something that is, to put it mildly, a really big mistake: the idea of the Cloud itself, as presently conceived and implemented with the still inadequate means available.

      And spectacularly bad things will continue to happen, until all those that fervently worship at the Church of the Cloud are running things no more and reason, some day, somehow, comes and takes over the show. Or something like that. In the meantime, I think I’ll just get on with my work and my life, and the very best of luck to us all.

      1 user thanked author for this post.
    • #1122734

      To be fair to MS, they probably had nothing to do with the customer stupidity. This sort of stupidity is bound to happen on any cloud service because too many think ‘the Cloud’ means you do not have to do anything.

      To be fair, when you rent and pay for a storage locker and the owner leaves the storage locker door open, it is not your fault but the owner’s.

      1 user thanked author for this post.
    • #1123615

      This is a great discussion, and I learned a lot today from all here and elsewhere.

      I think a breach involving Google Drive would “drive” a lot of people over the brink.  The Google+ breach of Dec 2018 was unpleasant, and they’re trying to bury THAT app real fast.

      Methinks I’ll look into backing up/restoring your phone from your PC…

      “Ad Hoc, ad Lock, and quid Pro Quo…so little time, so much to know.”

    • #1124975

      So if I’m reading this right, there was a data breach exposing information on over 80,000,000 families, but we don’t know who was breached? That’s the most surprising part about this for me, is that we don’t know whose database was breached.

      • #1140913

        I highly doubt MS does not know who has storage on their cloud servers.

        At its most basic level, who gets the bill?

        Given their bottom line on cloud revenue, I doubt this will be unknown for long.

        1 user thanked author for this post.
    • #1133677

      Based on the information given about the database, it is apparent that most of these data elements are already available in public records from local, state, and federal agencies.

      Info on property, criminal, court, birth, death, marriage, divorce records, licenses, deeds, mortgages, corporate records, business registration, and many other public record resources are all currently available through 3rd party search services, usually for a fee.

      The shocking part is realizing that somebody has aggregated (data mined) much of this freely available data into one database, and that it has been leaking.

      There is really no additional risk compared to the info about you that is already out there, except that it’s easier to get access to an individual’s profile in this format. No social security numbers, account numbers, or medical records are included, so likely nothing illegal has taken place here.

      Welcome to our digital lives. 🙂

      Windows 10 Pro 22H2

      3 users thanked author for this post.
    • #1140688

      Based on the information given about the database, it is apparent that most of these data elements are already available in public records from local, state, and federal agencies.

      Info on property, criminal, court, birth, death, marriage, divorce records, licenses, deeds, mortgages, corporate records, business registration, and many other public record resources are all currently available through 3rd party search services, usually for a fee.

      The shocking part is realizing that somebody has aggregated (data mined) much of this freely available data into one database, and that it has been leaking.

      There is really no additional risk compared to the info about you that is already out there, except that it’s easier to get access to an individual’s profile in this format. No social security numbers, account numbers, or medical records are included, so likely nothing illegal has taken place here.

      Welcome to our digital lives. 🙂

      I call out your third paragraph, not in criticism, but for emphasis.

      Why are you shocked?

      This should not be a shock to anyone, especially tech savvy readers of AskWoody. We are already cognizant of the Googles, Facebook models and of the data slurp of MS and nVidia, to name only a few. It is not like some blackhat penetrated secure data repositories and then aggregated the data. Data aggregation is an all too common business practice now.

      Companies ask for and collect far, far more data than is necessary to make a sale, and with the woes of customer support that you hear, it is clearly not for that purpose, and the amorphous ‘user experience’ is not a valid reason either unless you disclose how the data you collect does that.

      The sad part is that with all these reports, people still give it, and that companies are still permitted to ‘require’ such collection in order to use their product, without having to disclose such uses or tell who it is being shared with and how long it is retained.

      We should not be fooled. It is solely for selling to others (i.e., “business partners”, etc. or other legalese weasel words) to increase their bottom line. The public has been lied to and fooled by the chimera of “convenience” and the need to have everything “connected.” Do they monitor the ‘partners’? Then by using even commercial off the shelf (COTS) software pointed at the different data sources that have been ‘shared’ with you, it is easy to build profiles and uncover relationships.

      The sad irony of it all is that if the governments were doing this to the degree as businesses, people would be up in arms.

      Meanwhile in the US, the do nothings who take up space in our national legislature hold circus hearings with the great IT masters and other than making them publicly squirm and utter mea culpas and promises, NOTHING gets done. Does the question of WHY such data is collected ever get asked? And if it does, has it ever been answered with any kind of specificity? Rarely, so it appears the distribution of the Kool-Aid by the data slurpers has been successful.

      These breaches need SIGNIFICANT hard prison time and even stronger fines that target the CEOs, CFOs, and CIOs of the organizations PERSONALLY (including their golden parachutes and stock options) as they are the ones who recommend, approve and allocate money for security, not the low level database administrator. Fines must also target and be commensurate with the corporate value and earnings. Additionally they should be monitored so such fines are not later written down.

      Damages should be assessed based upon the number of people affected, starting at $500 / person / per day. Let them do a cost-benefit analysis of that and calculate its effect on the only master they truly care about, their Wall Street stock price.

      It is time for a unified GDPR-type law with teeth.

      3 users thanked author for this post.
      • #1142511

        Good points all, except for one. I am not personally shocked! 🙂

        I was speaking rhetorically about the alarm raised by this article.

        2 users thanked author for this post.