Slashdot Mirror


Database Error Exposes Sensitive Information On 1,700 Kids (csoonline.com)

itwbennett writes: Researcher Chris Vickery discovered that the Arlington, Virginia-based child monitoring service uKnowKids.com had a misconfigured MongoDB installation that left sensitive details on over 1,700 children exposed for months. uKnowKids helps parents monitor their child's activities online by watching their mobile communications, social media activities, and their location. And so the database stored 6.8 million private text messages, 1.8 million images (many depicting children), and Facebook, Twitter, and Instagram account details, in addition to the children's full names, email addresses, GPS coordinates, and dates of birth.

32 of 62 comments

  1. Is all this exposure to the internet worthwhile? by HeadSoft · · Score: 1

    Would it really hurt so bad if private information was, you know, kept on a private network? It's not like everything in the world needs to be internet-facing.

  2. Stupidity... by Longjmp · · Score: 3, Insightful

    Summary:
    Stupidity of helicopter parents backfires.

    --
    There are fewer illiterates than people who can't read.
  3. O Nose! by Anonymous Coward · · Score: 1

    About whom shall we think?

  4. 1000's die daily from 100% preventable starvation by Anonymous Coward · · Score: 1, Insightful

    mostly kids... they could use some press?

  5. Re:Is all this exposure to the internet worthwhile by Dr_Barnowl · · Score: 3, Insightful

    Well, clearly the only way you can gather this much information is to install a monitor daemon on all their client appliances.

    Rather than having it talk to a single central server as it did in this case, why not run that server on a PC in the household and have it sync to that when it's on domestic wifi?

    Oh, right: because it wouldn't enable the corporation to collect a huge corpus of highly monetizable data about children for later analysis.

  6. Re:Stupid parents by Etherwalk · · Score: 1

    Anyone dumb enough to put information about their kids into a database on the internet deserves everything they get.

    I see you rolled a crit fail for wisdom.

  7. Not offtopic by Etherwalk · · Score: 2

    mostly kids... they could use some press?

    There's nothing wrong with putting a topic in perspective. Parent should not have been modded offtopic.

  8. It's not the database by aglider · · Score: 1

    It's been those idiotic DBAs and system administrators. It's too easy to blame software and hardware. There's always a person behind these cases!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  9. Cool story bro, and nice SEO you got going on there. I can't stand people who post links to their own sites in this fashion. You could do it once or twice without causing a fuss, but acting like an organic RSS feed? No thanks.

    --
    -SR
  10. Re:Stupid parents by Mikkeles · · Score: 1

    I agree; but, here, it's unfortunately the kids who don't deserve everything they may get.

    --
    Great minds think alike; fools seldom differ.
  11. Re: Lack of own server makes this happen by johnsmithperson123 · · Score: 1

    Yeah, but it might be a hit with nerds who own their own servers.

  12. id10t by ole_timer · · Score: 1

    what idiot would put their kid's info here?

    --
    nothing to see here - move along
  13. easy DB setup by l3v1 · · Score: 1

    Well, this is the result that you get after years of advertising whatever db engines to be easy to set up and configure - idiots will actually believe it after a while and will think they know what they are doing, start putting db-professional into their CVs, some other idiot hires them, and so on and so forth.

    And, well, I'm sorry, but I just can't submit without the compulsory "Won't somebody please think of the children!" :P

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  14. Re:Is all this exposure to the internet worthwhile by Bengie · · Score: 3, Insightful

    Seems they misconfigured their MongoDB, the MongoDB server's firewall, the inter-VLAN firewall, and the edge firewall. When the entire system is misconfigured, you use the word "inept".
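
    The summary and this comment both come down to one configuration state: a database listener reachable from the network with no authentication in front of it. The following audit helper is an added example, not code from the Slashdot thread, from uKnowKids or from MongoDB; it reads a parsed mongod.conf (the keys net.bindIp, net.bindIpAll and security.authorization are MongoDB's real YAML options) and reports that state as a finding. The sample configurations and the legacy_default switch are constructed for illustration.

```python
"""Audit a parsed mongod.conf for the exposure pattern in the story: a
listener reachable from the network with no access control in front of it.
Added example (hypothetical helper, not uKnowKids' or MongoDB's own code).
Configuration keys are MongoDB's real YAML options (net.bindIp,
net.bindIpAll, security.authorization); the sample configs are constructed.
"""
import ipaddress


def bind_addresses(cfg, legacy_default=True):
    """Addresses mongod listens on, from net.bindIp / net.bindIpAll.

    MongoDB 3.6 changed the built-in default to localhost only; binaries
    of the 2016 era listened on every interface unless the config file
    said otherwise, which is what legacy_default=True models.
    """
    net = cfg.get("net", {})
    if net.get("bindIpAll"):
        return ["0.0.0.0"]
    raw = net.get("bindIp")
    if raw is None:
        return ["0.0.0.0"] if legacy_default else ["127.0.0.1"]
    return [a.strip() for a in str(raw).split(",") if a.strip()]


def is_network_reachable(addr):
    """True if clients beyond this host can connect to the address."""
    if addr.startswith("/"):          # unix domain socket path
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                # a hostname: assume it resolves externally
        return True
    return not ip.is_loopback         # 0.0.0.0, :: and RFC1918 all count as reachable


def auth_enabled(cfg):
    """security.authorization must be the literal 'enabled'; anything else is off."""
    sec = cfg.get("security", {})
    return str(sec.get("authorization", "disabled")).lower() == "enabled"


def audit(cfg, legacy_default=True):
    """Return (severity, message) findings, worst first."""
    findings = []
    exposed = [a for a in bind_addresses(cfg, legacy_default) if is_network_reachable(a)]
    auth = auth_enabled(cfg)
    if exposed and not auth:
        findings.append(("critical", "unauthenticated listener reachable from the network on "
                         + ", ".join(exposed)))
    elif not auth:
        findings.append(("medium", "no authorization: any local process can read every collection"))
    elif exposed:
        findings.append(("info", "network listener on " + ", ".join(exposed)
                         + "; confirm host and edge firewalls limit the source addresses"))
    if any(a in ("0.0.0.0", "::") for a in exposed):
        findings.append(("high", "binds every interface; list only the addresses clients need"))
    return findings


# Constructed sample configurations (not the company's real files).
WEAK_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    # no security section at all: every client that connects is trusted
}
HARDENED_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.5.12"},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```

    On a real host the dict comes from `yaml.safe_load(open("/etc/mongod.conf"))` (PyYAML). Note that the hardened sample still yields an "info" finding for its private-network address: authorization closes the database, but whether 10.0.5.12 is reachable from the wrong VLAN or from the internet is a firewall question this file cannot answer, which is exactly the layered failure the comment above lists.
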

  15. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  16. Re:Is all this exposure to the internet worthwhile by cayenne8 · · Score: 2

    Damn...I'm sure glad I grew up in a time when as a kid, I didn't have to worry about being monitored 24/7, and having a fucking helicopter parent hovering above my every move.

    Hell, I guess in today's Bizarro world, my folks would have been arrested for being neglectful parents, and I'd be in safe, loving foster care....

    I'm sad that kids can't grow to be kids like we did back in the day....actually having the freedom to fail and fuck up, and learn valuable life lessons from said mistakes.

    It also helped there wasn't a camera everywhere too, for obvious reasons.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  17. Re: Is all this exposure to the internet worthwhi by Anonymous Coward · · Score: 1

    Testing? Hah.

  18. This is what happens with web corp on autopilot by evolutionary · · Score: 1

    There are so many organizations who get junior/intermediate developers who are told to build it fast, without a plan and without consideration of what they are storing. There are probably hundreds of companies who set up a system, make it big, and never do audits of their code, data or protection. Anyone storing sensitive data should be doing a periodic audit so the people "upstairs" know what is stored and how it is stored. It's not enough for it to "just work". It's not just the medical and psychology industries that keep sensitive data.

    US laws regarding the protection of such data are often vague, vary from state to state and are rather weak. We should probably be solidifying those laws a bit, and standardizing on a federal level. Then again, since the Federal government seems fixated on compromising data security (see recent "request" by the FBI to Apple), they may not in fact be that concerned and some of them have actually spoken AGAINST encryption. They could hash things like names and date of birth of course, but then they couldn't do as much in market analysis.

    Parents should be more careful about who they trust with their data in my opinion. They can do monitoring themselves through various means or have a neighbourhood server employed rather than some big (and careless) corporation whose sole purpose is to make money and sell their data to marketing companies. That goes double for people like this who collect gigs of data on children and don't even audit the data they keep. I'd go as far as to recommend a government audit/lawsuit in a case this big. This was so easily prevented.

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:This is what happens with web corp on autopilot by Tablizer · · Score: 1

      From an entrepreneurial perspective, you have to take risks to win. You have to grow fast and beat your competitors because the "first to market" tends to have a big advantage.

      This encourages taking shortcuts. I'm not sure how to prevent such security-related risks other than perhaps criminal prosecution or huge fines. However, that would drive up the expense of IT work (think insurance) and result in offshoring. USA regulators will have a hard time dictating the laws of Timbuktu web servers and products.

      It would be somewhat similar to the Apple unlock issue: if you over-regulate and/or compromise the security of US tech companies, customers will buy elsewhere where the US gov't can't meddle.

      I'm not ranting against regulation in general, only saying you have to think globally when trying to solve security-related issues.

    2. Re:This is what happens with web corp on autopilot by sjames · · Score: 1

      If you attach the risks to the company itself, they would have to move themselves to the 3rd world to duck the enforcement. Off-shoring wouldn't help them at all, it would just put their contractors out of reach if they want help paying the huge fines.

    3. Re:This is what happens with web corp on autopilot by Tablizer · · Score: 1

      I'm not sure what you mean. How about a scenario.

      The US gov't can't order say a Singapore company to put in a back door or hack their own product. Such restrictions on a US company would give Singapore companies an advantage because they can say they are outside of US govt's control.

      I suppose the US gov't can tell Singapore co's that they can't sell products in the US unless they have a back door and unlock it somehow on request. But that's harder to verify and enforce than with a US-based co.

    4. Re:This is what happens with web corp on autopilot by sjames · · Score: 1

      They could actually block the import unless they have an unlocker in hand.

      I'm not saying they should (I don't believe they should have a back door at all), just that they could.

      More appropriately, they could enforce a fine for careless handling of customer data by instructing Visa/MC to claw back any funds sent to them and allow no more charges.

  19. Kids Monitoring Services :( by tibit · · Score: 1

    I think that all of these services are, in some capacity, run by pedophiles, and the clueless parents are simply facilitators. This wouldn't be anything out of the ordinary, in fact: parents often, unwittingly, facilitate abuse of their children by family members or "friends". If you really need to use a service like that, your family relationships are already broken and you should be seeking counseling, not monitoring.

    --
    A successful API design takes a mixture of software design and pedagogy.
  20. Re: Is all this exposure to the internet worthwhil by Hognoxious · · Score: 1

    Somebody found it. That's testing, isn't it?

    (see also: ketchup).

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  21. Re:Is all this exposure to the internet worthwhile by tibit · · Score: 1

    There are these things called one-way gateways. You can only steal data from such a system if you catch it in-flight, via a MITM attack. Once the data enters such a system, it is not accessible from outside. At the most basic level, syslog over UDP is such a system: you can only send messages to it, but there's no way to access any of the data. You can use a hardware fixed-function firewall to guarantee the unidirectionality of the barrier. This is not hard to do; an FPGA dev board with two gigabit ethernet ports and a couple of afternoons is all you need to implement it, if you know what you're doing. As long as the internal side of the gateway has no connection to the internet, you're golden.

    --
    A successful API design takes a mixture of software design and pedagogy.
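
    The syslog-over-UDP case in the comment above, as an added example that is not part of the thread: a receiver that binds a UDP socket, decodes the <PRI> field per RFC 3164/5424 into facility and severity, and appends the record to its store. Its one-way property is simply that no code path ever calls send; the hardware diode the comment describes is what makes that guarantee independent of software. The class and function names are hypothetical; the message in the demo is in the shape of the RFC 3164 sample.

```python
"""A one-way syslog ingest point: a UDP listener that parses and stores
datagrams and contains no code path that sends anything back.
Added example (hypothetical), not part of the thread; PRI decoding follows
RFC 3164/5424 and the sample messages are constructed.
"""
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(pri):
    """Split the <PRI> value into (facility, severity); PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(datagram):
    """Decode one datagram. A missing or invalid PRI is treated as user.notice
    (PRI 13), the default RFC 3164 assigns to messages without a valid one."""
    m = PRI_RE.match(datagram)
    facility, severity, body = "user", "notice", datagram
    if m:
        try:
            facility, severity = parse_pri(int(m.group(1)))
            body = m.group(2)
        except ValueError:
            pass                      # keep the whole datagram as the message
    return {"facility": facility, "severity": severity,
            "msg": body.decode("utf-8", "replace")}


class OneWayReceiver:
    """Receives on a UDP socket and appends parsed records; never sends."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))  # port 0 lets the OS pick a free port
        self.records = []

    @property
    def address(self):
        return self.sock.getsockname()

    def ingest_one(self, timeout=2.0):
        """Block for one datagram, parse it, store it, return the record."""
        self.sock.settimeout(timeout)
        data, peer = self.sock.recvfrom(65535)
        rec = parse_syslog(data)
        rec["peer"] = peer[0]
        self.records.append(rec)
        return rec


if __name__ == "__main__":
    rx = OneWayReceiver()
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Constructed message in the RFC 3164 sample shape: PRI 34 = auth.crit.
    tx.sendto(b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
              rx.address)
    print(rx.ingest_one())
    tx.close()
```

    The trade-off the comment glosses over is visible in the code: UDP carries no acknowledgement, so the sender cannot tell whether a record was stored or dropped, and a collector that is down loses messages silently. That is the price of having no return path at all.
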
  22. Re:But ... by Tablizer · · Score: 1

    But It's webscale!

    as are the leaks

  23. Re:Is all this exposure to the internet worthwhile by KGIII · · Score: 1

    Hmm... I've seen you post before and I'm starting to have my doubts. You're not really a barn owl, are you?

    --
    "So long and thanks for all the fish."
  24. time for a comeback by mangamaster03 · · Score: 1

    This sounds like a job for Little Bobby Tables. Unprotected database? He can take care of it.

  25. Re:Is all this exposure to the internet worthwhile by sjames · · Score: 1

    But, but, but...MongoDB is web scale!

  26. Re:Lack of own server makes this happen by mars-nl · · Score: 1

    Why don't we have our own servers? Why can non-nerds carry around and operate a complicated computer in their pocket but not own and operate a "server"? People already have a modem/router which is perfectly capable of storing any personal information you want.

    The only reason we don't do it, I guess, is that companies make money collecting our information and make it convenient enough for us to go along. If running your own server was as convenient/profitable, we would do it.

  27. Re:Is all this exposure to the internet worthwhile by Dr_Barnowl · · Score: 1

    It's a throwback to my earlier days online... I was playing a flight game where you could set your callsign at the time. I like barn owls, so that's what I set as a callsign.

    Then I started going online. That name was taken most places, but I was at med school - hence the prefix.

    I'm really a doctor! (In the sense that I have a medical degree - I no longer practice).

  28. Re:Is all this exposure to the internet worthwhile by KGIII · · Score: 1

    Heh! The goal was to make you chuckle and maybe go, "What the hell?" I was bored and you were there. Oddly, my handle comes from a game as well - but it's a tabletop RPG. I am also a Doctor but no... I'm not a medical doctor. It's always been a problem because I've been introduced as Dr. D. and had many, many people ask me about medical issues. Even after I point out that I'm not a medical doctor, they'll say, "Yeah, but you must be smart." No, I'm not even really all that smart and I have no idea if that mole is benign. I've often wondered if medical doctors get asked questions about applied mathematics.

    --
    "So long and thanks for all the fish."