Slashdot Mirror


One Petabyte of Data Exposed Via Insecure Big Data Systems

chicksdaddy writes: Behind every big data deployment is a range of supporting technologies like databases and memory caching systems that are used to store and analyze massive data sets at lightning speeds. A new report from security research firm Binaryedge suggests that many of the organizations using these powerful data storage and analysis tools are not taking adequate steps to secure them. The result is that more than a petabyte of stored data is accessible to anyone online with the knowledge of where and how to look for it.

In a blog post on Thursday, the firm reported the results of research that found close to 200,000 such systems that were publicly addressable. Binaryedge said it found 39,000 MongoDB servers that were publicly addressable and that "didn't have any type of authentication." In all, the exposed MongoDB systems contained more than 600 terabytes of data stored in databases with names like "local," "admin," and "db." Other platforms that were found to be publicly addressable and unsecured included the open source Redis key-value cache and store technology (35,000 publicly addressable instances holding 13TB of data) and 9,000 instances of ElasticSearch, a commonly used search engine based on Lucene, that exposed another 531 terabytes of data.
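As an added example (not code from the Slashdot post, Binaryedge, MongoDB or Redis), a small audit of constructed mongod.conf and redis.conf fragments for the pattern the report describes: a listener bound to every interface with no authentication configured. The weak and corrected config texts and the requirepass placeholder are constructed samples.

```python
# Added example: flag the pattern the Binaryedge report describes, a listener on every
# interface with no authentication. The mongod.conf / redis.conf texts are constructed.
MONGOD_WEAK = "net:\n  port: 27017\n  bindIp: 0.0.0.0\nstorage:\n  dbPath: /var/lib/mongodb\n"
MONGOD_FIXED = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
REDIS_WEAK = "port 6379\nbind 0.0.0.0\nprotected-mode no\n"
REDIS_FIXED = "port 6379\nbind 127.0.0.1\nrequirepass CHANGE_ME_PLACEHOLDER\n"
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}

def parse_simple_yaml(text):
    """Two-level 'section:' / '  key: value' reader for mongod.conf fragments (not general YAML)."""
    tree, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw[:1].isspace() and section is not None:
            tree[section][key.strip()] = value.strip()
        else:
            section = key.strip()
            tree.setdefault(section, {})
    return tree

def is_public(bind_value):
    """Wildcard bind, or no bind at all (both daemons historically listened everywhere by default)."""
    return not bind_value or any(a.strip() in PUBLIC_BINDS for a in bind_value.split(","))

def audit_mongod(conf_text):
    """Findings for a mongod.conf fragment; an empty list means nothing was flagged."""
    tree = parse_simple_yaml(conf_text)
    findings = []
    if is_public(tree.get("net", {}).get("bindIp", "")):
        findings.append("net.bindIp listens on all interfaces")
    if tree.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled")
    return findings

def audit_redis(conf_text):
    """Findings for a redis.conf fragment ('directive value' lines)."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            directive, _, value = line.partition(" ")
            opts[directive] = value.strip()
    bind = opts.get("bind", "")
    # protected-mode (Redis 3.2+) only guards an unset bind; an explicit 0.0.0.0 bypasses it.
    reachable = is_public(bind) and (bind != "" or opts.get("protected-mode", "yes") == "no")
    findings = []
    if reachable:
        findings.append("bind listens on all interfaces")
    if "requirepass" not in opts:
        findings.append("no requirepass set")
    return findings
```

Both audits report two findings for the weak fragments and none for the corrected ones; run them against a real config copied from a host to see which half of the pattern applies.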

50 comments

  1. It's ok - it's webscale by Anonymous Coward · · Score: 0

    MongoDB - webscale security

    1. Re:It's ok - it's webscale by Tablizer · · Score: 1

      NoSql = NoSecurity

    2. Re:It's ok - it's webscale by Anonymous Coward · · Score: 0

      you're an idiot

    3. Re:It's ok - it's webscale by Tablizer · · Score: 1

      Okay, that was over the top, I admit. How about "immature security"?

  2. They !!! by invictusvoyd · · Score: 2

    They stole the data which I had stolen from the guys who stole it . Damn thieves !!

    1. Re:They !!! by Anonymous Coward · · Score: 0

      ... starting download everything ...

  3. Bad? by Anonymous Coward · · Score: 0

    Exposed databases are certainly bad, and no password protection makes them even worse. But I didn't see where they said what the nature of the data was. Petabytes of useless server logs or other crap is not something you can get me worked up about just by citing massive data amounts.

    Show me some personally identifiable information or something similar and I'll grab my pitchfork, otherwise, meh.

    1. Re:Bad? by garyisabusyguy · · Score: 1

      Worthless server logs???

      Sure, nothing that would aid an intruder in server logs...

      --
      Wherever You Go, There You Are

  4. Ha ha by Anonymous Coward · · Score: 0

    The company I work at has what they call big data (5GB or so) on MongoDB; it was fully accessible to the world until I was hired and noticed it.

    1. Re:Ha ha by garyisabusyguy · · Score: 1

      I have worked at more than a couple of places where the Oracle database and application passwords were all the default from installation

      It can take a lot of work to identify every dependency on the defaults once they have been in use for a few years, and way too many admins just do not want to deal with it.

      Oracle used to have a sense of humor about it with one of the key default passwords being 'change_on_install', now they force you into a password generation cycle at the end of any install

      Moreover, never trust your users (consider admins as users), they can defeat any security scheme that you set up.

      The only way to be certain is to consistently test for simple attack vectors before assuming that you have to deal with complex situations

      Some admins want to spin far-out webs of security when their pants are down around their ankles, in many cases it is just so that they do not have to do their jobs

      --
      Wherever You Go, There You Are

  5. I am offended by Anonymous Coward · · Score: 0, Funny

    How dare you refer to exposed servers run by idiots as MongoDB servers.

    The term "Mongoloid" is an offensive term for people who have Down's Syndrome. They may also be Asian.

    I demand that this story be retracted and reworked to be less offensive. I also expect the submitter and slashdot to make a sizeable donation to my foundation, which helps people with Down's Syndrome. Only then can he or she be forgiven. Using the "m" word is similar to using the "n" word around African-Americans, and I am deeply offended.

    I also expect slashdot and the submitter to publish an apology. I want at least $300,000.

    Hey, if it works for Al Sharpton and Jesse Jackson, why can't it work for me?

    This is not a shakedown. Unlike those other guys, I will actually use this money to help the people I claim to represent.

    1. Re: I am offended by Anonymous Coward · · Score: 0

      Yeah good thing nobody said that.
      Take your fake outrage/bad joke and shove it up your urethra.

    2. Re: I am offended by Anonymous Coward · · Score: 0

      Lol

    3. Re: I am offended by CaptainDork · · Score: 1

      Urethra Franklin is my fav.

      --
      It little behooves the best of us to comment on the rest of us.

  6. No surprise here by Anonymous Coward · · Score: 0

    Managers babble "Move to the Cloud! Move to the Cloud!" Half-cocked developers, the majority of you, build half-baked PIG scripts and load the results into a NoSQL database. All of you have your "Mission Accomplished" aircraft carrier moment.

    1. Re: No surprise here by Anonymous Coward · · Score: 0

      Well, they did move it to the cloud, so that means the corporate secrets, correspondence, balance sheets, emails, customer PII, etc., has been scrubbed out before being sent to a third party for storage and processing, so there's no risk in it being exposed to the world. Right? ......right?

  7. The irony by Anonymous Coward · · Score: 0

    No doubt you ./ NSA haters are going to spew your bile. Consider the following: http://www.pcworld.com/article/2060060/nsas-accumulo-nosql-store-offers-rolebased-data-access.html

    1. Re: The irony by Anonymous Coward · · Score: 0

      The truth hurts doesn't it ./'ears. Self righteous haters can't refute the truth.

  8. This is what happens... by Anonymous Coward · · Score: 0

    ...when companies decide to pinch pennies by laying off all the sysadmins, DBAs, and network admins who have been with the company 5+ years. You lose experience, you lose institutional knowledge, and you lose the asset of a cohesive team of people who actually give a fuck.

    Sure, with your salary savings you get to lease another corporate jet and create a $400K "VP of Creative" position for the CFO's brother in law. But in exchange, your freshly roasted peanut budget for worker-bees earns you a batch of young employees who have never seen enterprise tech, don't understand it, and are eager to rip it all out and replace it with whatever buzz they learned in last year's ITT Tech courses. Security? They didn't teach that in boot camp.

    Reap what you sow, bitches!

  9. No need to secure it by JustAnotherOldGuy · · Score: 3, Funny

    There's no need to secure mongoDB because it's webscale. That means it's invulnerable to hackers and bad programming.

    --
    Just cruising through this digital world at 33 1/3 rpm...

    1. Re:No need to secure it by Anonymous Coward · · Score: 1

      There's no need to secure mongoDB because it's webscale. That means it's invulnerable to hackers and bad programming.

      Was funny years ago.

      https://www.youtube.com/watch?v=b2F-DItXtZs

    2. Re:No need to secure it by KGIII · · Score: 1

      At this point in time I would like to submit, for evidence, the GP's user name and indicate that, as such, they are likely to be "old."

      So, of course, it stands to reason that their joke would have been funny years ago.

      --
      "So long and thanks for all the fish."

    3. Re:No need to secure it by Anonymous Coward · · Score: 0

      Why would you even say anything? Wasn't what was said already enough?

      I've been around since before slashdot. You think ACs are all just some new generation pussies who can't figure out how to "create an account"? I've had 5 digit and 6 digit accounts. What is the use of them? To show how uber or brand new your account number is? To turn it into Facebook likes with mod points?

      You could have just said "hey, I'm a kid, I can count now". Or even just "yeah". Or.. even nothing.

      Think about it. Nothing.

      Some tool even gave you a +1. Earth is in trouble.

    4. Re:No need to secure it by KGIII · · Score: 1

      There is a high probability of your being mentally unstable. I wish you luck.

      --
      "So long and thanks for all the fish."

    5. Re:No need to secure it by Anonymous Coward · · Score: 0

      You keep saying things just to say them. That's not stable. Think, then speak.

    6. Re:No need to secure it by KGIII · · Score: 1

      Is your life that boring? They replied with gibberish. Sheesh. Gibberish. If you want you can actually review the whole thing just for taking the time. Look carefully at the usernames. Unless you are all of them, in that case, I pay a lot for your insurance - take advantage of it.

      --
      "So long and thanks for all the fish."

    7. Re:No need to secure it by Anonymous Coward · · Score: 0

      Let me take a wild guess. I'm not the first one to say you are stupid, right?

      example:

      If you want you can actually review the whole thing just for taking the time.

      What in the actual fuck?

      Look carefully at the usernames. Unless you are all of them, in that case, I pay a lot for your insurance - take advantage of it.

      Are you drunk? This is called being a wild keyboard warrior faggot.

      http://www.troll.me/images/ma/look-son-look-a-wild-keyboard-warrior-faggot-thumb.jpg

      Think, then speak.

    8. Re:No need to secure it by KGIII · · Score: 1

      Is your life that boring and meaningless? I know you think you're trolling and all but, no... I am afraid you don't get to rustle my jimmies because I can just point out that you're not that bright and be done or I can keep pointing it out and you keep coming back to amuse me. Which, really, has snared the other?

      --
      "So long and thanks for all the fish."

    9. Re:No need to secure it by Anonymous Coward · · Score: 0

      You are dumb as fuck. Do you think what you said makes sense?

      If you want you can actually review the whole thing just for taking the time.

      Do you know what trolling even means? You pay a lot for people's insurance? Is this somehow magically related to the story about One Petabyte of Data Exposed Via Insecure Big Data Systems?

      You have a habit of speaking without thinking. It's a habit sort of like the stimulus response of birds.

      Actual parrots are more interesting than you. Long live birds, but fuck you.

  10. memcached by manu0601 · · Score: 1

    The status of memcached is quite unfortunate. We need it to share sessions across hosts, which is a requirement for load balancing, but it has no authentication feature.

    I read that latest versions support SASL, though.

    1. Re:memcached by Anonymous Coward · · Score: 0

      You shouldn't be publicly exposing such services at all. Access them via SSH tunneling, VPN, etc.

  11. Gene sequencing data... by Anonymous Coward · · Score: 0

    At least they didn't look for that, too. Would add an order of magnitude or two to their numbers... Nothing like scientific instruments that store terabytes of data connected to petascale storage systems still using default passwords...

  12. Clinton e-mails by Anonymous Coward · · Score: 1

    So, how many of these databases contain Clinton's e-mail stash?

  13. Gotta Feed It by Anonymous Coward · · Score: 0

    You gotta feed the Machine and its more open and democratic competitors somehow, you know.

  14. It's OK... by tlambert · · Score: 1

    It's OK... it puts most of the bad guys over their data caps when they attempt to download it all.

    1. Re: It's OK... by Anonymous Coward · · Score: 0

      Data caps? What kind of backwater-community connection are you raised on?

  15. Re:Big data are for cows. by Anonymous Coward · · Score: 0

    YOU BIG DATA COWS!!

    And what cows the big data people are!

  16. What about data corruption or sabotage? by plopez · · Score: 1

    Everyone focuses on ID theft. But how about someone intentionally corrupting data, such as the 'deleted_beacuse_you_didn't_password_protect_your_mongodb' entry.

    By corrupting data you can create a 'Tuttle vs Buttle' event if those data are used for intelligence dragnets, or throw a nice monkey wrench into someone's high-speed trading algorithm. Remember, your results are only as good as your data allow them to be.

    --
    putting the 'B' in LGBTQ+

  17. cali drought. by davell+logan · · Score: 1

    It's amazing they are having a drought.

  18. No, it's because the tools aren't user-friendly. by Etherwalk · · Score: 1

    The tools aren't user friendly.

    Setting up authentication for a web api should be trivial. Right now it's not--you can figure it out, but it's substantially more complicated than Googling "what authentication model should I use for this" and adding a couple of lines to your source files. Many programmers outside of critical areas are not going to spend enough time on it to get it right so long as that is true.

    Making it worse is bad auth implementations by third-party providers which consume programmer-hours in debugging. (I'm looking at you, Facebook, with your really unhelpful error messages.)

  19. I'm lazy. by grep+-v+'.*'+* · · Score: 1

    more than a petabyte of stored data is accessible to anyone online with the knowledge of where and how to look for it.

    (Readable sites and login-credentials) pics or it didn't happen.

    On an on-topic item: I, too, worked for a company where the SOP was to run a NAS with over 12PB of storage and the default credentials were used "for support reasons." For the rounding-off-error area of 40TB I controlled I was finally able to extract a concession and change a single character of the password: an "o" to a "0".

    At least it wasn't accessible on the internet. And that change kept anyone internally from logging into my section on the first try.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?

  20. The Already Hacked by Anonymous Coward · · Score: 0

    READ CAREFULLY
    The Already Hacked, now await the "problem reaction solution" solution..

    I believed I practiced my best comsec for past twenty years.
    I was the anal dick bout this stuff
    Many revelations lately.

    One thing that I overlooked, was trusting my own government.
    VA lost my data first. All I got was a letter - "we lost your data"
    Then government became a fascist dictatorship with OBAMACARE
    Last year boom: Anthem has lost my data. I ain't heard a fuckin thing this time.
    This year boom: OPM lost my data. just what the fuck

    I want a NEW SSN, a new NAME, I want the addresses on property changed, and anything else that fucking comes to my mind to mitigate this fucking horseshit. I want the rest of these fucking data centers shut the fuck down. They don't need all this shit to fix a broken ankle. You motherfuckers need to SEE I AM RIGHT. This obamacare shit has intruded on MY FUCKING GOD GIVEN RIGHTS, its SPYING COMPONENT has disrupted my HEALTH, WEALTH and PROSPERITY, its misguided fucking medical advice (regardless of the source, an internet quack or OFFICIAL POLICY) is also already a BIG FUCKING PROBLEM.

    the three worlds need to be separated again.

    1. Public face
    2. Family face
    3. God/Spiritual face

    SPYING DESTROYS THESE THREE WORLDS AND THIS IS WHY THE USA IS SICK, these oath breaking fucking scum MUST go to fort leavenworth.

    1. Re:The Already Hacked by KGIII · · Score: 1

      Of course, seeing as the USA is sick, they can now afford to go to their doctor thanks to the ACA.

      --
      "So long and thanks for all the fish."

  21. Re: No, it's because the tools aren't user-friendl by Anonymous Coward · · Score: 0

    Actually, your solution is the problem. Secure by default not by configuration should be the solution.

  22. Standard Joke by Chris+Mattern · · Score: 1

    Insert "MongoDB only pawn in game of life" reference here.

  23. obligatory xkcd by Etherwalk · · Score: 1
  24. open data by Anonymous Coward · · Score: 0

    Maybe it is Open Data?

  25. Re:No, it's because the tools aren't user-friendly by gweihir · · Score: 1

    I disagree. The problem is people that vastly over-estimate their own skills and insights and then proceed to mess it up. Authentication is never a trivial thing. Faking that triviality only makes things worse.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  26. Re:No, it's because the tools aren't user-friendly by Etherwalk · · Score: 1

    Yes and no. Just because it's hard to do well doesn't mean you can't make it easier to implement. The easier you make good programming, the more likely people are to do it. The entire point of API documentation, for example, is to make it easier to do good programming.

    On web app security, right now there's a hodge-podge of solutions and no clear industry leader for a secure and efficient answer.