Consumer Data Leaked; Finance Startup Lacks Database Security
Kreditech, a Germany-based consumer finance startup that lends money to consumers with little or no credit rating, was the target of the latest financial breach, as Brian Krebs reported.
Malicious hackers posted Kreditech’s applicants’ personal and financial data online on a website accessible only via the Tor network. Krebs posted a screenshot of links to documents, scanned passports, driver’s licenses, credit agreements and more that were taken from the startup’s servers. While Kreditech operates in nine different countries, the U.S. is not one of them.
A group of hackers found configuration files from the company’s Intranet and internal servers, and subsequently posted the personal data online. They included a message about the startup’s state of security, which they claim is nonexistent, remarking that despite receiving multimillion investments, the company was not spending any of it on securing its clients’ data.
Hipster Tech & Security
Several KrebsonSecurity.com commenters seem to agree with the hacker’s sentiments about the startup’s lack of security investment, and also appear to label Kreditech and similar startups as hipster tech:
Another hipster-tech bites the dust… - B_Brodie
Justice can only be served if governments got off their a** and criminalized the behavior of these hipsters and others who don’t view IT security seriously. My gut feeling is that if we researched the expenditures of this company we would find out that security was in the last place. - Sotiris
I had an idea but still wanted to research the term ‘hipster tech.’ I found that people on Quora are really into this topic. The response with the greatest number of upvotes was:
It may be a response to the company’s rather uncommon approach to assessing a person’s suitability as a loan candidate - they use unique algorithms (big data) that include behavioral information culled from social networks, such as the candidate’s interactions with websites, mobile usage, e-commerce data, etc.
But it looks like it's working for them - Kreditech recently received $200 million in funding, as reported in January by TechCrunch, and was reported to receive another round of $750 million.
Linked to MongoDB’s Access Control Problem?
A security researcher whom Krebs consulted found that the leaked data included raw logs from a system running MongoDB, an open source database that is commonly used as the backend for many major websites and services.
One commenter suggested that the breach was linked to security research released earlier this year by several German students, titled Several thousand MongoDBs without access control on the Internet, that reported on 40,000 MongoDB databases at risk.
The researchers were able to get read and write access to thousands of databases, including sensitive customer data and access to the live backends of e-commerce sites.
What allowed them to get access? According to their research, MongoDB’s defaults are tailored for running it on the same physical machine or virtual machine instance as its clients, not for exposure to a network. In addition, they believe the guidelines for setting up MongoDB servers with Internet access may not address the need for access controls, authentication and transport encryption.
The German researchers demonstrated how easy it is to identify and take advantage of vulnerable databases: since MongoDB listens on TCP port 27017 by default, an attacker could port-scan the Internet for hosts with that port open, which takes just a few hours.
An even easier way to find these open databases is by using an IoT search engine, Shodan, which supplies a database of IP addresses with a list of associated services.
During their research, they found thousands of open databases, including one that belonged to a French telecommunications company containing eight million customers’ phone numbers and addresses, according to TheHackerNews.com.
The German researchers also included a worldwide map of openly accessible MongoDBs:
Authentication Mechanisms for MongoDB
It seems pretty standard to set up authentication and access controls for a database that may house millions of clients’ personal and financial records, but it appears that more than a few organizations have failed to do so.
If you’re looking to set up authentication for your MongoDB, their documentation page explains more about their different supported authentication mechanisms, including:
- MONGODB-CR (a challenge-response mechanism that authenticates with passwords)
- X.509 Certificate Authentication (certificate-based authentication for use over a secure SSL/TLS connection)
- Kerberos Authentication (an industry-standard authentication protocol for large client/server systems)
- LDAP Proxy Authentication (supports proxy authentication through a Lightweight Directory Access Protocol (LDAP) server)
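As an added example (not from the original post, Krebs, or the German study), the following Python script audits a mongod.conf for the three weaknesses described in the two sections above: listening on every interface, no access control (which is what makes any of the authentication mechanisms listed above mandatory), and no transport encryption. The sample configs are constructed; the option names (net.bindIp, security.authorization, net.ssl.mode / net.tls.mode) are MongoDB’s own.

```python
def parse_conf(text):
    """Parse the nested-mapping subset of YAML that mongod.conf uses (no lists/quotes)."""
    root = {}
    stack = [(-1, root)]                          # sentinel: root is never popped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:             # climb back to this line's parent
            stack.pop()
        parent = stack[-1][1]
        parent[key] = value.strip() or {}         # scalar, or a new nested section
        if not value.strip():
            stack.append((indent, parent[key]))
    return root

def audit(text):
    """Return findings for the three checks; an empty list means all pass."""
    conf = parse_conf(text)
    net, sec, findings = conf.get("net", {}), conf.get("security", {}), []
    # Before MongoDB 3.6 an unset bindIp meant all interfaces, so absent counts as 0.0.0.0.
    if any(a.strip() in ("0.0.0.0", "::") for a in net.get("bindIp", "0.0.0.0").split(",")):
        findings.append("net.bindIp: all interfaces; bind to localhost or an internal address")
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization: disabled; anyone reaching the port has full access")
    mode = net.get("tls", net.get("ssl", {})).get("mode", "disabled")   # 4.2+ key, then 3.x key
    if mode not in ("requireTLS", "requireSSL"):
        findings.append("net.tls.mode/net.ssl.mode: transport encryption not required")
    return findings

# Constructed sample configs (not from Kreditech or the study): the permissive
# default shape the researchers described versus a hardened deployment.
EXPOSED_CONF = """
net:
  bindIp: 0.0.0.0                # reachable from the whole Internet
"""
HARDENED_CONF = """
net:
  bindIp: 127.0.0.1,10.0.0.5     # loopback plus the internal app network
  ssl:
    mode: requireSSL             # MongoDB 3.x key; 4.2+ spells it net.tls.mode
security:
  authorization: enabled         # clients must authenticate (password, X.509, LDAP proxy)
"""
if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

An empty config, like the tarball defaults of that era, trips all three checks; the hardened config passes them all.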
Beyond using only a username and password for authenticating to a database containing sensitive data, companies concerned with security may also want to integrate a two-factor authentication solution to add another layer of security to their login process. Duo Security’s two-factor authentication integrates with almost any device or system that supports LDAP for authentication, which you can read more about on our LDAP Documentation page.