It is like in the movie Groundhog Day, same story different day. It is very often that with brand new technologies people forget completely all the IT security awareness and security routines they developed over the years.
In this actual case, as cybersecurity students from Saarbrücken in Germany published in a whitepaper, we are talking about approximately 40,000 MongoDB databases which are accessible to everyone without circumventing any security measures.
Let’s get into detail
MongoDB is actually the most commonly used NoSQL Database. By default it is tailored for running on a single machine but the documentation and guidelines for running it with Internet access are insufficient. This leads an inexperienced administrator to setup a Mongo DB Webserver without activating authentication, access control or transfer encryption.
Search and access
By simply portscanning the server for the default tcp port 27017, the students were able to find accessible databases. Another recon methodology mentioned using the search engine Shodan which has a database of IP addresses and lists the running services. The next step did not use any hacking tools to but rather the mongoshell client to directly connect to the identified IP addresses.
Where these Databases only quick and dirty test installations?
The students checked some of the identified databases and found frighteningly commercial applications with huge amounts of sensitive customer data. For example:
- A customer database which might belong to a French Internet service provider and mobile phone carrier containing the addresses and telephone numbers of roughly eight million French customers
- The database of a German online retailer, including payment information
Is this a surprise?
Looking at our “2015 Predictions” (4. The first Big Data-related breach), we were not expecting them to become true quite so quickly.
As practical applications for Big Data grow, and the amount of information managed by businesses of every size reaches astronomical proportions, the temptation for hackers to secure the prize of being the first to hack a Big Data installation will mount as well.
What are the lessons learned from this?
Poor administration and lack of security best practices in such installations, combined with advancements in server side attacks by hackers will result in hackers trying and successfully infiltrating this growing application platform.
Recommendations for protecting databases:
Classify Sensitive Information
- Identify the information contained within databases and measure risk and severity of unauthorized data access.
Persistent Security Policy
- A good security policy will allow you to put compensating controls in place while not disrupting business needs and maintaining security.
- Map your user’s rights. Understand who has access to what data and why, and remove dormant accounts.
Analyze, Alert and Audit on Activity
- By keeping track of data access and access patterns, it becomes much easier to understand who accessed your data, what was accessed and why.
Blog: NoSQL SSJI Authentication Bypass
Blog: More Data, More Problems: Part #2: Ignoring app security for Big Data doesn’t make the problem go away.
Blog: More Data, More Problems: Part #1: History is repeating itself (but what else did you expect?)