Stories
Slash Boxes
Comments

SoylentNews is people

How to Secure MongoDB

posted by cmn32480 on Friday January 13 2017, @10:41PM   Printer-friendly
from the mongo-like-candy dept.

Phoenix666 writes:

The rise in ransomware attacks on MongoDB installations prompted the database maker last week to issue advice on how to avoid being victimized.

As of Sunday, security researcher and Microsoft developer Niall Merrigan identified more than 27,000 MongoDB databases seized by ransomware. By Tuesday afternoon Pacific Time, an online spreadsheet maintained by Merrigan and fellow security researcher Victor Gevers listed 32,643 victims.

The attacks involve hackers who copy data from insecure databases, delete the original, and ask for a ransom of a few hundred dollars worth of Bitcoin to return the stolen data back to the owner.

MongoDB, like other NoSQL databases, has suffered from security shortcomings for years. Trustwave called out MongoDB in 2013. Security researcher John Matherly did so again in 2015.

Where MySQL, PostgreSQL, and other relational databases tend to default to local installation and some form of authorization, MongoDB databases are exposed to the internet by default, and don't require credentials immediately by default.

MongoDB's security checklist is here. The company has stated it is the user's responsibility to make these changes to the default configuration.

Original Submission

 
This discussion has been archived. No new comments can be posted.
How to Secure MongoDB | Log In/Create an Account | Top | 13 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by requerdanos on Saturday January 14 2017, @12:49AM

    by requerdanos (5997) Subscriber Badge on Saturday January 14 2017, @12:49AM (#453639) Journal

    The company has stated it is the user's responsibility to make these changes to the default configuration

    Insecure by default == defective by design

    In the distant past I recall some OS vendors such as Microsoft actually took the position that their products were working properly, although they were being attacked by malicious persons whose fault the problems were (viruses and security problems). I remember reading a comparison about nothing being vulnerable from attack; for example, just because an arsonist can burn down a house doesn't mean it wasn't a well-built house. That may be true, but if an arsonist in Germany can burn down a house in, say, Hawaii, just by thinking about it and typing "make it so" is closer to what was happening.

    That positioning sounds a little like what's happening here. Secure design is important, whether vendors realize it "sooner" or whether they realize it "later". Defaults are powerful things that propagate. If your defaults suck, the overwhelming installed base of your application with likewise suck.

    But hey, it's web scale.

    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 0) by Anonymous Coward on Saturday January 14 2017, @01:31AM

    by Anonymous Coward on Saturday January 14 2017, @01:31AM (#453658)

    They really need to be careful not to lose their reputation. Pretty soon, the higher ups at companies are going to keep seeing "MongoDB" show up in their reports and news about being insecure. MongoDB isn't the only document-oriented database on the block. The high levels will either get wooed away or the ops and admins will switch on their own.

  • (Score: 2) by darkfeline on Saturday January 14 2017, @10:30PM

    by darkfeline (1030) on Saturday January 14 2017, @10:30PM (#453936) Homepage

    Here's a list of some other things that are insecure by default:

    OpenSSH
    Apache
    nginx
    Postfix

    POODLE and LOGJAM are bitches.

    --
    Join the SDF Public Access UNIX System today!