Lack of Database and Password Security Leaves Millions of Users Exposed
Recently, MacKeeper, a Mac antivirus provider, left 13 million users exposed due to poor database security and password hashing practices.
Security researcher Chris Vickery found four IP addresses that led him to a MongoDB database containing customers’ names, email addresses, usernames, password hashes, phone numbers, IP addresses, system information, software licenses and activation codes, according to Forbes.
According to KrebsonSecurity.com, Vickery found the open database via Shodan, a search engine that allows users to find devices connected to the Internet, including routers and servers. While MacKeeper claims that the database was unsecured due to a server misconfiguration last week, the Shodan records date back to mid-November of this year.
Weak Password Hashing Algorithm
Not only was their customer database unprotected (no authentication required) and open to the public, their password security was lacking as well. Passwords were hashed using MD5, an older, weak hashing algorithm that allows password guessing tools to crack passwords in seconds. Best practices for password hashing include the bcrypt, scrypt and PBKDF2 (Password-Based Key Derivation Function 2) algorithms.
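As an added example (not code from the article, and not MacKeeper's), the following Python uses only the standard library to contrast a legacy unsalted MD5 record with a salted PBKDF2-HMAC-SHA256 record, and shows the upgrade-on-login step a site holding old MD5 hashes would use to migrate them. The iteration count, record format and the sample user record are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example: tune it so one hash costs tens of
# milliseconds on the deployment hardware, and raise it over time.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def legacy_md5_hash(password: str) -> str:
    """The weak scheme the article describes: one unsalted MD5 of the password.
    Equal passwords give equal hashes, and MD5 is fast enough that a guessing
    tool can test huge wordlists against a leaked table in seconds."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The record format is an assumption
    for this example: scheme$iterations$salt_hex$derived_key_hex."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations), salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Verify against either record format, using a constant-time comparison."""
    if stored.startswith(SCHEME + "$"):
        _, iterations, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Anything else is treated as a legacy unsalted MD5 record.
    return hmac.compare_digest(legacy_md5_hash(password), stored)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for legacy MD5 records and for PBKDF2 records below the current work factor."""
    if not stored.startswith(SCHEME + "$"):
        return True
    return int(stored.split("$")[1]) < iterations


def login(record: dict, password: str) -> bool:
    """Check the password and, on success, silently upgrade a weak record.
    The plaintext is only available at login, so this is the migration point."""
    if not verify_password(password, record["password_hash"]):
        return False
    if needs_rehash(record["password_hash"]):
        record["password_hash"] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed user record in the legacy format.
    user = {"username": "alice", "password_hash": legacy_md5_hash("correct horse")}
    print("legacy record:      ", user["password_hash"])
    print("wrong password:     ", login(user, "wrong"))
    print("right password:     ", login(user, "correct horse"))
    print("upgraded record:    ", user["password_hash"])
```

Two properties are worth noticing when running it: two users with the same password get the same MD5 record but different PBKDF2 records because of the per-record salt, and the stored iteration count lets `needs_rehash` keep pushing old records up to the current work factor on each login.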
Other Examples of Unsecured Databases
Earlier this year, German student researchers found that nearly 40,000 instances of MongoDB were open on the Internet, allowing them read and write access to databases that included sensitive customer data and live backends of e-commerce websites, according to SecurityWeek.com. The students also found that the databases could be identified using the Shodan search engine, just as Vickery did when he found MacKeeper’s unsecured database.
VTech, a Hong Kong-based supplier of electronic learning products and apps, recently experienced a data breach affecting 6.3 million children and 235,708 parent accounts. According to eWeek.com, a criminal hacker accessed their database using SQL injection, in which SQL statements are entered into an application’s form fields and executed by the database, allowing an attacker to dump, read and/or modify database data.
In an FAQ from VTech (PDF) on the breach, the company stated that “regretfully, our database was not as secure as it should have been,” in response to a question about how hackers could have hacked into their system so easily. BBC reported that the company was storing passwords hashed using the weak and outdated MD5 algorithm, as well as storing security questions and answers in plaintext.
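An added illustration of the injection described above (example code, not from the article and not VTech's), using Python's bundled sqlite3 module and a constructed in-memory users table: the first lookup splices form input into the SQL text, the second passes the same input as a bound parameter so the database treats it as data rather than as part of the statement.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-password')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hash-of-bob-password')")
    return conn


def find_user_unsafe(conn, username: str, password_hash: str) -> list:
    """Vulnerable: user input becomes part of the SQL text, so a quote in the
    input ends the string literal and whatever follows is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username: str, password_hash: str) -> list:
    """Hardened: placeholders fix the query structure; the driver sends the
    input as values, never as SQL, so the same input matches no row."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


def demo(username: str, password_hash: str) -> dict:
    """Run both lookups on a fresh table and return what each one finds."""
    conn = make_db()
    return {"unsafe": find_user_unsafe(conn, username, password_hash),
            "safe": find_user_safe(conn, username, password_hash)}


if __name__ == "__main__":
    # Normal credentials: both lookups agree.
    print(demo("admin", "hash-of-admin-password"))
    # A form value that closes the quoted string and comments out the rest
    # of the WHERE clause: only the vulnerable lookup returns the admin row.
    print(demo("admin' --", "anything"))
```

The hardened version also shows where detection effort goes: with bound parameters the statement text never changes, so a query log containing statements that differ from the application's fixed set is itself a signal that input is being spliced into SQL somewhere.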
Database Security Recommendations
MongoDB published a blog post in response to the security issues in February with security recommendations and resources for anyone concerned about database security. Their security checklist lists measures that should be implemented to protect any MongoDB installation, including:
Enable Access Control and Enforce Authentication
Authentication requires that all clients and servers provide valid credentials before they connect to the system. In clustered deployments, enable authentication for each server.
Configure Role-Based Access Control
Create a user administrator, then add additional users. Create roles and give users limited permissions, assigning them only what they need to perform their operations.
Encrypt Communication
Use TLS/SSL for all incoming and outgoing connections, and encrypt communication between different client components, as well as between all apps and servers.
Limit Network Exposure
Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available. Limit the interfaces on which MongoDB instances listen for incoming connections.
Audit System Activity
Track any access and changes to database configurations and data. Logs allow for forensic analysis, and allow admins to verify proper controls.
Encrypt and Protect Data
Encrypt any data files, config files, audit logs and key files on each host using file-system, device or physical encryption, and protect data with file-system permissions.
Consider Security Standards Compliance
For any apps that require HIPAA or PCI DSS compliance, MongoDB refers to their document, MongoDB Security Reference Architecture (PDF), on building a compliant app infrastructure.
Check out their security checklist for the full list of security recommendations.
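As an added example, not part of the article and not MongoDB's own tooling: a small Python check that reads a mongod.conf and reports which of the checklist items above it fails (access control, network exposure, TLS and auditing). The two sample configurations are constructed; the first reproduces the exposed pattern described in the article, with no authentication and the server listening on every interface. The parser handles only the plain nested-mapping subset of YAML that mongod.conf uses. The option names checked (security.authorization, net.bindIp, net.bindIpAll, net.tls.mode or the older net.ssl.mode, auditLog.destination) are real mongod options, while the wording of the findings is this example's own; note that auditLog is a MongoDB Enterprise feature.

```python
# Constructed sample configurations for the audit below.
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, so the port is reachable from the Internet
"""

HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one trusted internal address
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem
security:
  authorization: enabled
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
"""


def parse_simple_yaml(text: str) -> dict:
    """Parse the nested-mapping subset of YAML that mongod.conf uses:
    'key: value' scalars and 'key:' mappings nested by indentation.
    Lists, quoted '#' characters and multi-line scalars are out of scope."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:         # close deeper mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def lookup(conf: dict, dotted: str):
    """Fetch a value by dotted path, e.g. 'net.tls.mode'; None if absent."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_mongod_conf(text: str) -> list:
    """Return one finding per checklist item the configuration fails."""
    conf = parse_simple_yaml(text)
    findings = []

    if lookup(conf, "security.authorization") != "enabled":
        findings.append("access control: security.authorization is not 'enabled'; "
                        "clients can read and write without credentials")

    bind = lookup(conf, "net.bindIp")
    addrs = [a.strip() for a in bind.split(",")] if isinstance(bind, str) else []
    if lookup(conf, "net.bindIpAll") == "true" or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("network exposure: mongod listens on all interfaces")
    elif not addrs:
        findings.append("network exposure: net.bindIp is not set; releases before 3.6 "
                        "listen on all interfaces by default")

    mode = lookup(conf, "net.tls.mode") or lookup(conf, "net.ssl.mode")
    if mode not in ("requireTLS", "requireSSL"):
        findings.append("encryption: TLS is not required for client connections")

    if lookup(conf, "auditLog.destination") is None:
        findings.append("auditing: auditLog is not configured, so access and "
                        "configuration changes are not recorded")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_mongod_conf(conf) or ["no findings"])
```

A binding check like this catches the MacKeeper-style exposure before Shodan does, but it only covers what the configuration file says; firewall rules and the role grants made with the user administrator still have to be reviewed separately.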
Protecting access to your database administration account is also an important aspect of database security. MongoDB offers Cloud Manager, software that allows for database management and monitoring. Enable two-factor authentication on your administrative account and any similar applications for an extra layer of security, and to protect against password guessing or phishing attempts.