Tag Archives: Mongo DB

Web Databases Under Attack

MongoDB, the free and open source NoSQL database (see Wikipedia entry here) that is used by hundreds of thousands of web sites is under attack.

A number of attackers are using search engines like Shodan to find Mongo databases that are exposed to the Internet and attempting to compromise them.  Apparently, a surprising number of these databases are set up either with no password or the default password.  Some of them are also unpatched.

The combination of all of these issues makes for easy pickings for hackers.

First find the database, then attack it.  If you get in, back up the database(s), copy the data to a server in Ukraine or some place, and delete all the data.  Then tell the users that if they pay up they will get their data back.  Pretty simple.

For users that do not have appropriate backups, paying the ransom may be the only possible option.

Whether users have a backup or not, this likely constitutes a breach under HIPAA, PCI or state privacy laws because the user has lost control of the data.  That could lead to fines and reputational damage.

What is surprising is how poorly protected these databases seem to be.

In one day, the number of compromised databases jumped from about 12,000 early yesterday to over 27,000 later in the day, and it is still growing rapidly.

Researchers have identified at least 15 different attackers – apparently, they consider this a target rich environment.

The attackers are asking for around 1 Bitcoin or about $900.

Realistically, for most users, paying $900 to not have to deal with the mess is likely worthwhile and many are paying.

Apparently, security is not a priority for Mongo database administrators because attackers seem to be having a field day.

For those of you responsible for servers on the Internet, it would seem that making sure that the servers are secure would be a no brainer and a high priority, but apparently, not so for Mongo DB users.

Kind of like driving past a car wreck, it is impossible not to be fascinated by the carnage of all these database attacks at one time.

While I feel sorry for the businesses who are being affected, it is not like people did not know.  Secure your servers.  Patch them.  Monitor them.  IT 101.

So for those of you responsible for your servers, as you tuck those servers in for the night tonight, make sure that they are secure.  If they are not or you just think they may not be, put fixing that at the top of your todo list for tomorrow.


Information for this post came from The Register.

Mackeeper Database Breach Bigger Than Mackeeper – Much Bigger

When I read about the Mackeeper breach last week I didn’t quite grasp the implication of it.  Now I do and it is much bigger than I understood.

For those who have not seen the news, Mackeeper, which is an Apple Mac anti-malware/clean up your machine kind of product that some people like and others hate, exposed their entire customer database to the Internet – 13 million customers.  One reason that I wasn’t too worried about this 21 GB data dump is that the company that makes Mackeeper said that they outsource credit card transactions (like a lot of companies do) so there was no financial data in the database.  What was in there was names, userids, passwords (hashed), product information and stuff like that.

The article I read first also said that the company patched it within hours of being notified (good for them!) and that THEY claimed that there was only one access from the Internet and that was the researcher.

Here is the bigger problem that I didn’t quite grasp.

Let’s say that everything above is no big deal.  Let’s do the rinse and repeat trick.  Let’s do what the researcher did.  Using the Shodan search engine, look for other MongoDB servers, a popular open source database, listening on the Internet.

Most people who understand this issue would say that a database server should NEVER be publicly exposed to the Internet and I agree.

Only problem is that a quick Shodan search by the founder of Shodan came up with 35,000 database servers representing more than 680 terabytes of data (that is the same as 680 million megabytes).  That is kind of a large number.

Apparently, the Mongo database at Mackeeper did not require a userid or password to access it (bad boys and girls!).  What is unclear is how many of those 35,000 databases that John Matherly, the founder of Shodan, found also do not require a userid and password.  Let’s say that it is only 10%.  Well, then, no problem.  Only 68 terabytes of data exposed.  Of course we don’t know if the data is football scores or financial transactions, but you have to assume it is some of each.  And we don’t know if it is 10%, 50% or 90% that don’t require a userid and password.

Now let’s take this one step further.  How about using the same tool to look for Microsoft databases or Oracle databases or a dozen other vendors.  SOME of those databases either don’t require a password for access or use the default password.

So this is a much bigger problem than either Mackeeper or Mongo.  Operations that expose database servers to the Internet beware.  Some of that can be fixed with a simple firewall rule as was the case with Mackeeper.  Other people will need to re-architect their software, which is a much bigger problem.
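The two settings behind both of these stories (the ransom attacks above and the Mackeeper exposure) are a mongod that listens on every interface and one that runs without authentication. As an added example, not from either post or from MongoDB's own tooling, here is a small Python audit of a mongod.conf that flags both; the two sample configs are constructed, and the parser handles only the flat two-level YAML layout mongod.conf normally uses.

```python
"""Audit a mongod.conf for Internet exposure and missing authentication."""

# Constructed sample: the kind of config behind the exposed databases above.
WEAK_CONF = """net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
storage:
  dbPath: /var/lib/mongo
"""

# Constructed sample: loopback plus one private app-server address, auth on.
HARDENED_CONF = """net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is an assumed internal address
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse 'section:\\n  key: value' YAML into nested dicts (subset only)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if indent == 0:
            section = key
            conf[section] = {} if value == "" else value
        else:
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_simple_yaml(text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings = []
    bind = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    wildcard = bind is not None and any(
        ip.strip() in ("0.0.0.0", "::") for ip in bind.split(","))
    if bind_all or wildcard:
        findings.append("listens on all interfaces (net.bindIp / net.bindIpAll)")
    elif bind is None:
        # mongod releases before 3.6 bind to all interfaces when unset
        findings.append("net.bindIp not set; pre-3.6 mongod then listens on all interfaces")
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("authentication not enforced (security.authorization)")
    return findings
```

The bind check is a configuration check only; a host firewall rule in front of port 27017, as in the Mackeeper fix, is still the second layer.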

In any case, no one can say that they have not been warned.

Unfortunately, for you and me, we have no idea which companies have their act together and which ones do not.

But you can count on the fact that the hackers are looking.  With just 35,000 Mongo databases to check out, it is going to be a busy weekend for some people.


Information for this post came from eWeek and Betanews.