The rise in ransomware attacks on MongoDB installations prompted the database maker last week to issue advice on how to avoid being victimized.
As of Sunday, security researcher and Microsoft developer Niall Merrigan identified more than 27,000 MongoDB databases seized by ransomware. By Tuesday afternoon Pacific Time, an online spreadsheet maintained by Merrigan and fellow security researcher Victor Gevers listed 32,643 victims.
The attacks involve hackers who copy data from insecure databases, delete the original, and ask for a ransom of a few hundred dollars worth of Bitcoin to return the stolen data back to the owner.
MongoDB, like other NoSQL databases, has suffered from security shortcomings for years. Trustwave called out MongoDB in 2013. Security researcher John Matherly did so again in 2015.
Where MySQL, PostgreSQL, and other relational databases tend to default to local installation and some form of authorization, MongoDB databases are exposed to the internet by default, and don't require credentials immediately by default.
MongoDB's security checklist is here. The company has stated it is the user's responsibility to make these changes to the default configuration.
(Score: 3, Insightful) by requerdanos on Saturday January 14 2017, @12:49AM
Insecure by default == defective by design
In the distant past I recall some OS vendors such as Microsoft actually took the position that their products were working properly, although they were being attacked by malicious persons whose fault the problems were (viruses and security problems). I remember reading a comparison about nothing being vulnerable from attack; for example, just because an arsonist can burn down a house doesn't mean it wasn't a well-built house. That may be true, but if an arsonist in Germany can burn down a house in, say, Hawaii, just by thinking about it and typing "make it so" is closer to what was happening.
That positioning sounds a little like what's happening here. Secure design is important, whether vendors realize it "sooner" or whether they realize it "later". Defaults are powerful things that propagate. If your defaults suck, the overwhelming installed base of your application with likewise suck.
But hey, it's web scale.
(Score: 0) by Anonymous Coward on Saturday January 14 2017, @01:31AM
They really need to be careful not to lose their reputation. Pretty soon, the higher ups at companies are going to keep seeing "MongoDB" show up in their reports and news about being insecure. MongoDB isn't the only document-oriented database on the block. The high levels will either get wooed away or the ops and admins will switch on their own.
(Score: 2) by darkfeline on Saturday January 14 2017, @10:30PM
Here's a list of some other things that are insecure by default:
OpenSSH
Apache
nginx
Postfix
POODLE and LOGJAM are bitches.
Join the SDF Public Access UNIX System today!