
MongoDB database still suffering from several security flaws


May 3, 2016

System admins shouldn't expect to see any end to data security breaches caused by misconfigured instances of the MongoDB database soon, the company's strategy vice president has told us today.

To be fair, MongoDB is a fairly popular document store in the database segment, used by eBay, Foursquare and even The New York Times.

MongoDB is of course open source, available under the GNU AGPL v3.0 license, though a commercial version is also available, alongside the usual array of support and services from the database's eponymous developer, formerly known as 10gen.

On April 25, the personal details of 93 million Mexican voters were exposed from an AWS-hosted MongoDB instance, as uncovered by security researcher Chris Vickery.

That instance had been configured without any security settings. The same was true of the unsecured test server of a dating site for “beautiful people”, from which information was stolen, and of yet another instance, this one containing the details of 13 million MacKeeper users, which was found to be open back in December 2015.

At the time, Shodan hacker John Matherly alleged that there was “a total of about 595.2 TB of data exposed on the internet via publicly accessible MongoDB instances that don't have any form of authentication.”

Kelly Stirman, the vice president of strategy at MongoDB, told us that Vickery's blog post itself “claimed a user had not properly secured their instance of MongoDB and the instance was therefore at risk.

As the article explains, the potential issue is a result of how a user might configure their deployment without any security enabled. There is no security issue with MongoDB. Extensive security capabilities are included with MongoDB.”

To be fair, Stirman did concede that the number of data security breaches occurring was “a little frustrating.” There are about 30,000 downloads of the open source software from MongoDB's site daily, but those deploying it aren't approaching their role as data controllers with appropriate care. As Stirman put it: “It's not something you have to pay for to make secure.”

“It's literally as simple as creating a username and password. Frankly, if you go back to MongoDB 2.6 – over two years ago – since then our most popular installer, RPM, makes it so you cannot connect to MongoDB remotely without it,” she asserted.

So all of these servers sitting wide open on the public internet are either running versions of the software that are more than two years old, or someone has deliberately removed these security mechanisms.

“Why would anyone ever not want better security? I think it really is simply a matter of convenience,” Stirman asserted.

MongoDB's open source version doesn't ship pre-secured, which is not unusual among database software. It also listens on the default TCP port 27017, and security researchers have been able to scan that port across the public address space to find a large number of servers that were completely open on the internet.
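The three ingredients the article describes (no authorization enabled, a listener bound to a non-loopback address, and the well-known default port) can be checked mechanically before an instance ever reaches the internet. The following auditor is an added example, not code from the article or from MongoDB Inc.: it parses the two-level `section:` / `key: value` subset of YAML that `mongod.conf` uses and reports whether the configuration allows unauthenticated remote access. The two sample configs are constructed for this example, and a missing `bindIp` is treated conservatively as "may listen on all interfaces", which is an assumption stated in the code.

```python
# Added example (not from the article or from MongoDB Inc.): a small auditor for
# the misconfiguration the article describes, i.e. a mongod that listens on a
# non-loopback address while security.authorization is not enabled.
# It reads the two-level "section:\n  key: value" subset of YAML that mongod.conf
# uses; the sample configs below are constructed for this example.

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
DEFAULT_PORT = 27017  # mongod's default listening port


def _coerce(value):
    """Turn YAML scalars into Python values (bool, int, or stripped string)."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if value.isdigit():
        return int(value)
    return value.strip("\"'")


def parse_mongod_conf(text):
    """Minimal parser: top-level sections, one level of indented key: value pairs.
    Comments (#) and blank lines are ignored; lists and deeper nesting are not
    supported, which is enough for the net/security settings audited here."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            config.setdefault(section, {})
        elif section is not None:
            config[section][key] = _coerce(value)
    return config


def assess_exposure(config):
    """Return findings and whether the instance is reachable remotely without auth.
    Assumption: a missing bindIp is treated as 'may listen on all interfaces',
    since older packages and tarballs did exactly that."""
    net = config.get("net", {})
    security = config.get("security", {})
    findings = []

    auth_enabled = str(security.get("authorization", "disabled")).lower() == "enabled"
    if not auth_enabled:
        findings.append("NO_AUTH")

    if net.get("bindIpAll", False):
        addresses = ["0.0.0.0"]
    else:
        addresses = [a.strip() for a in str(net.get("bindIp", "0.0.0.0")).split(",")]
    public_bind = any(a not in LOOPBACK for a in addresses)
    if public_bind:
        findings.append("PUBLIC_BIND")

    port = net.get("port", DEFAULT_PORT)
    if public_bind and port == DEFAULT_PORT:
        findings.append("DEFAULT_PORT")  # trivially enumerable with a port scan

    return {"exposed": public_bind and not auth_enabled, "findings": findings}


# Constructed sample: the open pattern behind the breaches described above.
OPEN_CONF = """
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback-only listener plus role-based access control.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess_exposure(parse_mongod_conf(text)))
```

The `exposed` flag is only set when both conditions hold, because either control on its own closes the hole the article is about: an authenticated instance on a public address is reachable but not readable, and an unauthenticated instance bound to loopback is not reachable from outside the host. Enabling `security.authorization` on an instance that has no users yet still requires creating an administrative user (for example with `db.createUser` in the mongo shell) before restarting, otherwise nobody, including the operator, can log in.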

While other databases have also been found to be regularly left open to the internet in the same manner, Stirman said that MongoDB is particularly popular.

“We've done an outreach to tens of thousands of users,” Stirman said before adding that “we have to expect there's going to be more of this in the near future. People don't always follow best practices,” she warned.

Developers in particular were afflicted by a kind of myopia, focusing on building their applications while “security isn't something they focus on until the end, and that's IF they ever do it that is,” according to Stirman.

She wasn't concerned about the publicity given to these data breaches damaging MongoDB's reputation: “The media's been pretty good about pointing out the issue is not a defect in the product, or a lack of capability, but people needing to be more responsible with data in any system.”

“We have an ongoing series of campaigns to educate users and customers of best practices,” she asserted. “We can't force them to make these changes, but we can sure educate them the best way we can,” she added.

Source: MongoDB.
