Users using old versions of software are vulnerable to old bugs
News at 11.
Shodan hacker John Matherly says system administrators have exposed some 595.2 terabytes of data by using poorly-configured or un-patched versions of the popular MongoDB database. eBay, Foursquare, and The New York Times are some of the prominent users of the open source MongoDB which is the most popular NoSQL database. …
Most exposed instances run on cloud servers including Digital Ocean, Amazon, Linode, and OVH and do so without authorisation enabled, in what Matherly says is a trend in which cloud instances are more vulnerable than datacenter hosting.
I don't know about the others but at Amazon you have to explicitly punch holes into the Internet-facing packetfilter (which is separate from any packetfilter that may be active on the VM) to let through traffic, and why would anyone do that?
It's all too common unfortunately with cloud systems. A scary amount of Cloud servers have any port used by a service open to the entire internet, assuming someone has even bothered to put specific ports and not just all ports.
Too much Kool-Aid and people without any background in Ops/Architect/Security believe they can do devops without an ops person because it's just a few clicks in a browser or a cli command to get a server running.
It's only going to get worse as the number of people with cloud ops/architect/security experience decreases. Especially amongst dev driven teams and startups who believe ops/architects/security is a roadblock and they can do it themselves because they are 'devops' experts. Until they are shown all the issues and then suddenly it's the company's fault for not hiring an ops person for their 'devops' world.
I laughed out loud at that. Sadly, it's all too true.
Every web designer I come across seems particularly clueless when it comes to databases, as do their bosses. Almost all the time NoSQL = No data architecture (or consistency) = another generation of hairless statisticians. (Note to web designers - the ORM does not obviate the need for Data analysis and design - if you don't understand that, read Joe Celko)
Even today's CIO types rarely understand the need for proper Data Analysis and Design.
I can see real world use cases for MongoDB type architectures, but if it matters, it calls for one of the RDBMS heavyweights.
In passing, I'll add that CIOs would make life easier if they didn't hire Oracle DBAs to run non-Oracle DBMS; that only ever ends in tears.
I thought the same; the default firewall rules would have prevented this. iptables defaults to allow localhost/loopback traffic, and just because it's bound to all interfaces, someone must still have opened the port(s) on the firewall for it to be Internet accessible.
"Matherly says the near 30,000 databases are exposed through the use of older versions of the platform that fail to bind to localhost."
Personally I'm of the view that unless customers need to directly connect to a service, it should be behind a VPN (i.e. if they had it open to the 'net to integrate with another system, those two systems should be VPN'd if they can't be physically located together).
If you configure MongoDB properly, as set out in the documentation for the configuration file (parameters), it is possible to explicitly control access to the database without difficulty.
However, DB access is almost always better controlled (when operating at scale) by using an intermediate tier that the front end connects to, and the intermediate connects to the DB using persistent connections and, in Relational-speak, stored procedures. This type of architecture allows for all sorts of arcane security, authorisation and audit features, transparent non-stop operations and huge per second transaction rates.
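The configuration-file control mentioned in the post above, as an added example that is not part of the thread or of MongoDB's own tooling: a POSIX sh check that reads a mongod.conf and reports whether it binds only to loopback and requires authorization. The key names (net.bindIp, security.authorization) and the pre-3.6 all-interfaces default are MongoDB's real behaviour; the script itself and the sample configs are constructed.

```shell
# Added example, not from the thread or from MongoDB's own tooling: audit a
# mongod.conf (the YAML format used since MongoDB 2.6) for the two settings
# discussed above: whether the daemon binds only to loopback, and whether
# security.authorization is enabled. Keys are matched by name only, so it
# assumes a plain config with no nested keys of the same name elsewhere.

# conf_value FILE KEY: value of the first "KEY: value" line, with surrounding
# whitespace and quotes removed; empty output if the key is absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"' "
}

# check_mongod_conf FILE: returns 0 when access is restricted, 1 when the
# daemon would be reachable without credentials. An unset bindIp counts as
# exposed because releases before 3.6 then listen on every interface.
check_mongod_conf() {
    bind=$(conf_value "$1" bindIp)
    auth=$(conf_value "$1" authorization)
    status=0
    if [ -z "$bind" ]; then
        echo "EXPOSED: bindIp unset (pre-3.6 default is all interfaces)"; status=1
    else
        old_ifs=$IFS; IFS=,
        for addr in $bind; do
            case "$addr" in
                0.0.0.0|::) echo "EXPOSED: bindIp includes $addr"; status=1 ;;
            esac
        done
        IFS=$old_ifs
    fi
    if [ "$auth" = enabled ]; then
        echo "ok: authorization enabled"
    else
        echo "EXPOSED: authorization is '${auth:-unset}', no credentials required"
        status=1
    fi
    return $status
}

# Demo on two constructed configs: one like the exposed instances in the
# article, and its hardened counterpart.
tmp=$(mktemp -d)
printf 'net:\n  port: 27017\n  bindIp: 0.0.0.0\n' > "$tmp/exposed.conf"
printf 'net:\n  port: 27017\n  bindIp: "127.0.0.1,::1"\nsecurity:\n  authorization: enabled\n' \
    > "$tmp/hardened.conf"
check_mongod_conf "$tmp/exposed.conf" || echo "verdict: exposed.conf needs fixing"
check_mongod_conf "$tmp/hardened.conf" && echo "verdict: hardened.conf is fine"
rm -rf "$tmp"
```

Run it against a real /etc/mongod.conf to get the same verdict; a non-zero exit means either the bind address or the authorization setting would leave the daemon open.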
Oooooooooh, looky here! It's Mr Let's-Stop-Innovating-At-The-Speed-Of-Thought come to lecture us on his grandpaw's best practices and testing and documentation and probably on wearing braces with his seersucker pants. Dontcha know that all the cool kids now break-before-make? Dare to fail, not fail to dare!
As Oskar WildeXploit wisely put it: the only thing worse than having your users' data scarfed via a trivially detectable cockup is not having a high enough user growth accelerator to get bought out by Googbook.
[dropping my snark for a moment ... in the evergreen "Up the Organization" Robert Townsend recommended that senior bods should try phoning themselves to learn just how their fiefdom appears to the outside world]
So these admins don't keep the default local firewall on their boxes? If they did, the daemon wouldn't be available to the outside world even if it bound to all addresses. This is basic system admin stuff. :/
(obviously with REQUIRED holes punched through) - reminds me of admins that just turn off SELinux etc :(