Trusting the cloud after OMIGOD and Azurescape - interview
Security researchers revealed two major vulnerabilities at a top cloud service provider in recent months. How can businesses and the general public continue trusting companies responsible for keeping their data?
It's no surprise that hackers gravitate toward big tech names. After all, there's much to gain from breaching Microsoft, Amazon, or Google. That, however, does raise some questions for businesses whose livelihood depends on those companies providing services with a strong attention to security.
One service provider, Microsoft's Azure, ran into some significant problems in recent months. First, researchers at Palo Alto found that the Azure containers used code that had not been updated to patch a known vulnerability, allowing the researchers to get complete control of other users' data.
The good thing is companies are spending a ton of their own money to support those open-source projects and make them as safe as humanly possible,Chris Doman.
Later, a vulnerability dubbed OMIGOD was discovered by researchers at Wiz. The researchers found a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.
These vulnerabilities can be concerning for executives who poured millions to adopt cloud during the recent pandemic. According to Chris Doman, co-founder and CTO of Cado Security, vulnerabilities show the strength of a self-correcting ecosystem, not an unsafe cloud.
"The reason these vulnerabilities are coming out right now is because customers that are adopting Kubernetes, as well as companies, invested a ton of money into cyber security companies and paid for a bunch of researchers like myself, who investigate the issues," Doman told CyberNews.
We fired up a virtual call to discuss what Azurescape and OMIGOD mean to the cloud ecosystem and whether disclosed vulnerabilities were as terrible as headlines put it.
Recent headlines called the Azurescape vulnerability scenario 'worst imaginable.' Do you agree with that?
I guess that's a bit dramatic. I mean, whenever you want to get in the news, you got to get a cool name like Azurescape. It's not a worst-case in terms of potential damage, necessarily. But it is the worst-case in how scary it is.
Because the main thing cloud providers want to prevent is anyone being able to touch other people's data in the cloud. And this one is a really rare instance where it is possible.
The way that this particular exploit works, it could have been a lot worse. You can't just get anyone's data. Only whoever you happen to be sitting next to on that server.
What's your view on cross-account vulnerabilities in public cloud systems such as Azurescape? It seems like it's a disaster waiting to happen, given an unknown zero-day exploit lurking within the Kubernetes assets.
Cross-account vulnerabilities definitely sound like a worst-case scenario. It's hard to think back to the last time we saw something like this. I mean, AWS, the oldest cloud, had some issues really early on. I haven't seen anything like this there.
And this particular vulnerability stems from the faculty of using open-source code that had not been updated in a long time. And it's stacking of code that they didn't necessarily write themselves ended up causing this problem.
If an attacker can do cross-account stuff, that would definitely be the worst-case. And some of these new cloud architectures are keeping those containers. There are some more risks there because container management is complicated. I think that's the root of many of these problems, and we'll see what else comes out.
Recently another vulnerability targeting Azure services, OMIGOD, popped up. While with the Azurescape, Microsoft issued a patch pretty quick, in OMIGODs case, the company kind of left its customers to fend for themselves. Why do you think the company abandoned the 'shared responsibility model in this case?
Shared responsibility is the most controversial topic in the cloud business. I mean, where does the responsibility lie between cloud companies and the customers. And last month, there were interesting examples when it is not as clear where the red line is as you'd think it be.
For example, Microsoft always tells its customers to keep their systems up to date. That's part of the shared responsibility model. But at the same time, they were not patching Kubernetes for five years on their side.
The situation was also really interesting with OMIGOD because it was an open-source code. And Microsoft almost put a distance between them and the open-source code even though it was all written by Microsoft employees as Microsoft open-source code.
These vulnerabilities are coming out right now because customers who are adopting Kubernetes invested a ton of money into cyber security companies and paid for a bunch of researchers like myself who investigate the issues,Chris Doman.
And then the question around whether or not they patch that is a really interesting one too. Whereas with Azurescape, they patched the vulnerability internally. It was Microsoft systems. It was clearly behind that red line of shared responsibility. It made sense to patch that, and they did eventually find it later.
They usually wouldn't because you're impacting a system if you're patching it since these are customer systems that they have to go out and patch.
They're actually talking about patching the OMIGOD-affected systems, which is really interesting. Cause I think maybe it happened before, but I haven't heard of them actually going in and deploying those kinds of things before.
Since OMIGOD vulnerability was not patched automatically, attackers scanned the net for possible victims. As CADO's blog mentions, the Mirai botnet is involved in exploiting the vulnerability. I wondered whether you see any responsibility on Microsoft side that what is or abused the vulnerability, these sort of refuse to badges with as possible?
To Microsoft's credit, they have been aggressive against botnets, historically. So, they will actually go to take them down. They've been the most active company I know of in taking on botnets and blocking stuff.
They also took that approach with trustworthy computing memos. So, there's been a real voice at Microsoft since about 20 years ago when they said, 'right, security is our problem, it's not just the customers' problem. We own the ecosystem, and we control the physics. We have to do something.'
And following from that on, they've been targeting botnet operators, being really successful about it.
This particular Mirai botnet, the first one I saw at least, is a little bit hard to take down since it wasn't a domain name, it's an IP address. So, it's a bit hard to block there. I'm sure they will block it pretty quickly as well. But yes, they didn't take it down, and it's still up because I'm seeing the files coming in, but it's not that it is spreading so much.
It's been a couple of rough months for Azure, with two significant issues with the service reaching the headlines. Do you think Azurescape and OMIGOD are related in any way, or is it a pure coincidence?
These vulnerabilities are coming out right now because customers who are adopting Kubernetes invested a ton of money into cyber security companies and paid for a bunch of researchers like myself who investigate the issues.
So, if you look at OMIGOD, that was found by a researcher from Wiz. They're mostly former Azure. And if you look at Azurescape vulnerability, this was discovered by Palo Alto people. I think it's just more people looking at this now, and that's why we're going to see some more, a bit.
As a system, it works pretty well overall. People are incentivized to spend their time researching vulnerabilities in exchange for getting press. Most importantly, that means these vulnerabilities are being found.
The recent issues were quite significant and potentially damaging from an everyday user's perspective. I mean, if major cloud service providers can leave gaping security holes like that, what does that say about cloud security in general?
Overall, I agree that you will not do a better job running security than Microsoft, AWS, or Amazon. They do employ good people to do that, and typically, they do it very well.
And they do a pretty good job of monitoring things. I, personally, trust the cloud quite a bit. I worked for cloud companies, and I'm biased, but I think the safety is there.
Of course, vulnerabilities can rock people's confidence in some cloud services. Particularly seeing there's that five-year-old vulnerability they didn't find on Kubernetes, that was surprising.
When you go behind the scenes and see how the sausage is made, sometimes it is a bunch of open-source stuff stuck together. But the good thing is companies are spending a ton of their own money to support those open-source projects and make them as safe as humanly possible.
More from CyberNews:
Subscribe to our newsletter