Slashdot Mirror


Over 1,800 MongoDB Databases Held For Ransom By Mysterious Attacker (bleepingcomputer.com)

An anonymous reader writes: "An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a 0.2 Bitcoin ($200) ransom to return the data," reports Bleeping Computer. According to John Matherly, Shodan founder, over 1,800 MongoDB databases have had their content replaced with a table called WARNING that contains the ransom note. Spotted by security researcher Victor Gevers, these databases are MongoDB instances that feature no administrator password and are exposed to external connections from the internet. Database owners in China have been hit, while Bleeping Computer and MacKeeper have confirmed other infections, one of which hit a prominent U.S. healthcare organization and blocked access to over 200,000 user records. These attacks are somewhat similar to attacks on Redis servers in 2016, when an unknown attacker had hijacked and installed the Fairware ransomware on hundreds of Linux servers running Redis DB. The two series of attacks don't appear to be related.

115 comments

  1. lol by Anonymous Coward · · Score: 4, Insightful

    a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier

    1. Re:lol by Mr+D+from+63 · · Score: 3, Funny

      a passwordless admin interface exposed to the internet?

      It had to be the Russians, according to federal officials they are the only ones smart enough to pull this off.

    2. Re: lol by Anonymous Coward · · Score: 0

      Let's be honest, it's an open secret that the Linux kernel contains large sections of copyrighted code from SCO UNIX. For those familiar with both collections of source code, it was generally assumed that SCO would win their lawsuit, and simply a question of what the fallout would be. Although dismissed out of hand by IBM and members of the open source community who were constantly moving the goalposts, SCO did provide a comprehensive list of source files and line numbers in Linux that matched portions of SCO UNIX. The fact is, SCO's claims of copyright violations by Linux developers and users were valid, factual, and completely legal. To this day, the Linux kernel contains large sections of copyrighted code that came straight from SCO UNIX. The open source community generally is vocal in favoring the "little guy" against large corporations like Microsoft and Google, whose motives and actions are frequently called into question. It's bemoaned that the so-called little guy is unlikely to stand a chance against the massive and well-funded legal teams retained by large corporations. This is for good reason, that everyone should be entitled to the same rights, regardless of their ability to afford top notch legal teams. SCO was the little guy compared to IBM, a small company with limited resources simply trying to ensure their copyrights were protected. IBM squashed them like a bug, not because the lawsuit was invalid. In fact, SCO's claims of copyright infringement are generally accepted as mostly correct. Rather, IBM had the legal resources to draw out legal battles and win a war of attrition against SCO, no matter the validity of the claims. If the open source community truly cares about ensuring the little guy has the same rights as large corporations, they should have been supporting SCO against a behemoth like IBM. 
      To this day, I fail to understand the hypocrisy in supporting the little guy against giants like Apple and Microsoft, but rooting for another giant, IBM, to decimate SCO.

      Can someone please help this lad back to his village? Their idiot has wandered off and found Slashdot.

    3. Re: lol by Anonymous Coward · · Score: 0

      > SCO did provide a comprehensive list of source files and line numbers in Linux that matched portions of SCO UNIX.

      It was not 'SCO' (Santa Cruz Operation) but was 'The SCO Group', which was Caldera renamed. Caldera distributed 'Caldera Linux' under the GPL prior to, and after, buying the Unix business and name from SCO.

      The courts found that Novell was correct in claiming that they did not sell any Unix copyrights to SCO. Thus TSCOG did not have standing in claiming anything about copyrights. Whether there were matching lines of code in Linux is irrelevant because those lines may be from BSD (under BSD licence) or may have been copied from Linux into SCO Unix when SCO implemented their Linux Compatibility Layer, or it may have been trivially similar code with no copyright implications.

      Your claims are uninformed, completely untrue, and have been settled years ago by the courts. Go and read the transcripts, or at least a summary and inform yourself.

      > a small company with limited resources simply trying to ensure their copyrights were protected.

      They were resourced by Microsoft to the tune of 50 million or more.

    4. Re:lol by ls671 · · Score: 1

      a passwordless admin interface exposed to the internet? the only story here is why it didn't happen earlier

      Irrelevant, the important thing is that it scales.

      --
      Everything I write is lies, read between the lines.
    5. Re:lol by gtall · · Score: 1

      Hey Vlad, things getting a bit boring around Thug Central and yer former KGB buddies?

    6. Re:lol by Anonymous Coward · · Score: 0

      Irrelevant, the important thing is that it scales.

      But are we talking about web scale?

    7. Re:lol by fbobraga · · Score: 1

      one which hit a prominent U.S. healthcare organization

      passwordless access to medical records? OMFG!

    8. Re:lol by fbobraga · · Score: 1

      one which hit a prominent U.S. healthcare organization

      passwordless access to medical records? OMFG!

      * fixing my own post

    9. Re: lol by Insanity+Defense · · Score: 1

      Let's be honest, it's an open secret that the Linux kernel contains large sections of copyrighted code from SCO UNIX. For those familiar with both collections of source code, it was generally assumed that SCO would win their lawsuit, and simply a question of what the fallout would be. Although dismissed out of hand by IBM and members of the open source community who were constantly moving the goalposts, SCO did provide a comprehensive list of source files and line numbers in Linux that matched portions of SCO UNIX. The fact is, SCO's claims of copyright violations by Linux developers and users were valid, factual, and completely legal. To this day, the Linux kernel contains large sections of copyrighted code that came straight from SCO UNIX. The open source community generally is vocal in favoring the "little guy" against large corporations like Microsoft and Google, whose motives and actions are frequently called into question. It's bemoaned that the so-called little guy is unlikely to stand a chance against the massive and well-funded legal teams retained by large corporations. This is for good reason, that everyone should be entitled to the same rights, regardless of their ability to afford top notch legal teams. SCO was the little guy compared to IBM, a small company with limited resources simply trying to ensure their copyrights were protected. IBM squashed them like a bug, not because the lawsuit was invalid. In fact, SCO's claims of copyright infringement are generally accepted as mostly correct. Rather, IBM had the legal resources to draw out legal battles and win a war of attrition against SCO, no matter the validity of the claims. If the open source community truly cares about ensuring the little guy has the same rights as large corporations, they should have been supporting SCO against a behemoth like IBM. 
      To this day, I fail to understand the hypocrisy in supporting the little guy against giants like Apple and Microsoft, but rooting for another giant, IBM, to decimate SCO.

      Sorry Jeff but you must have missed the memo. The SCO Group lost all that in court. They didn't have a legal leg to stand on. They are bankrupt with no assets. Have a nice day.

    10. Re:lol by EndlessNameless · · Score: 1

      I don't usually say people deserve to have bad things happen to them, but this is going to be an exception.

      An admin leaving a database with direct connectivity to the internet is bad enough---borderline negligence, in my opinion. But a blank admin password?

      That's like walking down the street with $100 bills bulging out of your pockets on the bad side of town.

      It's not just stupidity---most stupid people don't even do things that stupid.

      It's too bad IT doesn't require professional licenses like doctors and lawyers, so we can kick these people out of the profession before they hurt somebody else.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    11. Re: lol by gweihir · · Score: 1

      Behold people, the "big lie" technique at work.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Managed by morons by rossz · · Score: 3, Interesting

    Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

    --
    -- Will program for bandwidth
    1. Re:Managed by morons by Anonymous Coward · · Score: 0

      Your comment seems to implicate that exposing it to the internet even with a password is OK.

    2. Re:Managed by morons by anchovy_chekov · · Score: 3, Interesting

      Your database is exposed to the internet and doesn't have a password? How is it you are still employed?

      This is what Mongoworld looks like. A bunch of people who never understood SQL try to solve a problem they thought they had by moving to a NoSQL DB.

      Mongo's security model has improved with recent releases, but the earlier approach of leaving the door wide open should never have been allowed in the first place. Compare and contrast pretty much any traditional RDBMS that is secured by default - at least minimally - because we learned our lessons the hard way years ago.

    3. Re:Managed by morons by thegarbz · · Score: 2

      Either a) 1800 people are about to be unemployed, or more likely b) Many of these databases aren't critical in the first place.

      If they were the price would be set higher.

    4. Re:Managed by morons by Anonymous Coward · · Score: 0

      I equally blame the MongoDB developers themselves. They made a conscious design decision that a default MongoDB installation has no authentication whatsoever. You have to go out of your way to enable even the most basic password or credentialing. This is completely opposite to how any other modern database engine works.

      For a product that the developers know is frequently going to be exposed to the internet, it's unconscionably negligent to make "no security" the default security model. It would be like car dealerships selling cars whose doors have no locks.

    5. Re:Managed by morons by Anonymous Coward · · Score: 0

      This isn't just MongoDB, it's every other simple to set-up Open Source project that touches the web.

    6. Re:Managed by morons by Anonymous Coward · · Score: 0

      To be fair, the default security setup in MySQL wasn't too hot either until the recent version 5.7, and it still does not default to secure connections.

    7. Re:Managed by morons by tomhath · · Score: 4, Interesting

      I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

      If that's what actually happened, the Mongo project has some explaining to do
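Whether an upgrade (or anything else) has quietly left an instance open is something you can verify from the outside rather than infer from release notes. The script below is an added example, not code from the thread, from Bleeping Computer or from the MongoDB project: it builds the legacy OP_QUERY form of `{listDatabases: 1}` against `admin.$cmd` with no credentials, exactly what a scanner or the ransom script would send, and classifies the OP_REPLY. An instance with `security.authorization: enabled` answers `ok: 0` with error code 13 (Unauthorized); an open one returns its database list, which on a ransomed host contains the attacker's `WARNING` database. The two sample replies are constructed in the script, not captured from a real server; the `probe()` function does a live check and is only for hosts you are authorised to test.

```python
"""Unauthenticated MongoDB probe: does this listener hand out data without
credentials? Speaks the legacy OP_QUERY/OP_REPLY wire protocol directly, so
nothing beyond the standard library is needed."""
import socket
import struct

OP_REPLY, OP_QUERY = 1, 2004


def bson_encode(doc):
    """Encode a dict of str/float/int/bool/dict/list values as a BSON document."""
    out = b""
    for key, val in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(val, bool):                  # bool before int: bool is an int subclass
            out += b"\x08" + name + (b"\x01" if val else b"\x00")
        elif isinstance(val, int):
            out += b"\x10" + name + struct.pack("<i", val)
        elif isinstance(val, float):
            out += b"\x01" + name + struct.pack("<d", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            out += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif isinstance(val, dict):
            out += b"\x03" + name + bson_encode(val)
        elif isinstance(val, list):
            out += b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(val)})
        else:
            raise TypeError("unsupported value type %r" % type(val))
    return struct.pack("<i", len(out) + 5) + out + b"\x00"


def bson_decode(buf, pos=0):
    """Decode one BSON document at buf[pos]; returns (dict, position after it).
    Covers the types seen in command replies (double, string, document, array,
    bool, int32, int64); anything else raises."""
    end = pos + struct.unpack_from("<i", buf, pos)[0]
    pos += 4
    doc = {}
    while buf[pos] != 0:
        etype, nul = buf[pos], buf.index(b"\x00", pos + 1)
        name, pos = buf[pos + 1:nul].decode(), nul + 1
        if etype == 0x01:
            val, pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif etype == 0x02:
            slen = struct.unpack_from("<i", buf, pos)[0]           # includes trailing NUL
            val, pos = buf[pos + 4:pos + 3 + slen].decode(), pos + 4 + slen
        elif etype in (0x03, 0x04):
            val, pos = bson_decode(buf, pos)
            if etype == 0x04:                                      # arrays are docs keyed "0","1",...
                val = [val[k] for k in sorted(val, key=int)]
        elif etype == 0x08:
            val, pos = buf[pos] == 1, pos + 1
        elif etype == 0x10:
            val, pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        elif etype == 0x12:
            val, pos = struct.unpack_from("<q", buf, pos)[0], pos + 8
        else:
            raise ValueError("unsupported BSON type 0x%02x" % etype)
        doc[name] = val
    if pos + 1 != end:
        raise ValueError("BSON document length mismatch")
    return doc, end


def build_probe(request_id=1):
    """OP_QUERY on admin.$cmd carrying {listDatabases: 1} and no credentials."""
    body = (struct.pack("<i", 0) + b"admin.$cmd\x00"      # flags, fullCollectionName
            + struct.pack("<ii", 0, -1)                   # numberToSkip, numberToReturn
            + bson_encode({"listDatabases": 1}))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def build_reply(doc, response_to=1):
    """OP_REPLY wrapping one document; used here to construct sample traffic."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)  # flags, cursorID, startingFrom, numberReturned
    return struct.pack("<iiii", 16 + len(body), 99, response_to, OP_REPLY) + body


def parse_reply(data):
    """Return the first document of an OP_REPLY after checking opcode and count."""
    opcode = struct.unpack_from("<i", data, 12)[0]
    if opcode != OP_REPLY:
        raise ValueError("expected OP_REPLY, got opcode %d" % opcode)
    if struct.unpack_from("<i", data, 32)[0] < 1:                # numberReturned
        raise ValueError("reply carries no documents")
    return bson_decode(data, 36)[0]


def classify(doc):
    """Verdict: OPEN means the server listed its databases to an unauthenticated client."""
    if doc.get("ok") == 1 and "databases" in doc:
        return "OPEN", [d["name"] for d in doc["databases"]]
    if doc.get("code") == 13 or "not authorized" in str(doc.get("errmsg", "")):
        return "AUTH_REQUIRED", []
    return "UNKNOWN", []


def probe(host, port=27017, timeout=3.0):
    """Live check against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe())
        data = sock.recv(4)
        total = struct.unpack("<i", data)[0]                     # messageLength leads the header
        while len(data) < total:
            chunk = sock.recv(total - len(data))
            if not chunk:
                raise ConnectionError("short read from %s:%d" % (host, port))
            data += chunk
    return classify(parse_reply(data))


# Constructed sample replies (not captured from a real server): an open instance
# that has already been ransomed, and one that enforces authorization.
OPEN_REPLY = build_reply({"databases": [{"name": "WARNING", "sizeOnDisk": 8192.0, "empty": False},
                                        {"name": "local", "sizeOnDisk": 65536.0, "empty": False}],
                         "totalSize": 73728.0, "ok": 1.0})
AUTH_REPLY = build_reply({"ok": 0.0, "code": 13,
                          "errmsg": "not authorized on admin to execute command { listDatabases: 1 }"})

if __name__ == "__main__":
    import sys
    for label, wire in (("sample open", OPEN_REPLY), ("sample auth", AUTH_REPLY)):
        print(label, classify(parse_reply(wire)))
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Run it with no arguments to see the two constructed replies classified; pass your own server's address to probe it. An `AUTH_REQUIRED` verdict only tells you authorization is enforced for this command, not that the instance should be reachable from where you ran the probe at all; if the probe connects from the internet, the binding and firewall questions raised elsewhere in this thread still apply.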

    8. Re:Managed by morons by plopez · · Score: 1

      As many breaches are inside jobs, exposure to the internet is not even a valid criterion. No DB should ever have open security by default. See PostgreSQL for a much better model.

      --
      putting the 'B' in LGBTQ+
    9. Re:Managed by morons by Anonymous Coward · · Score: 0

      This isn't just MongoDB, it's every other simple to set-up Open Source project that touches the web.

      Not at all confined to Open Source

    10. Re: Managed by morons by Anonymous Coward · · Score: 0

      What? Only recently does MongoDB create a password protected admin account when it installs? I find this impossible to believe because MongoDB is open source. Open source means people quickly see the bugs and post code fixes which the project maintainers gladly and quickly apply! This is what the open source experts keep telling me. Take your anti-free software diatribes elsewhere; I will enjoy my freedoms!

    11. Re:Managed by morons by anchovy_chekov · · Score: 2

      I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

      If that's what actually happened, the Mongo project has some explaining to do

      Wow. If that's true that's the most mindblowingly insane thing I've ever heard about Mongo. I avoid it because of a host of other issues, but if they actively screwed installs - and any of those users have support contracts with MongoDB Inc - it could well spell the end of the company. Can't find anything on the webs about it, so if you do stumble across any details I'd be interested to see them.

    12. Re:Managed by morons by Solandri · · Score: 2

      Either a) 1800 people are about to be unemployed, or more likely b) Many of these databases aren't critical in the first place.

      There's a third possibility: c) database is (semi)critical, but the person/manager who made/approved it was too cheap to pay a real database administrator to help with the original setup and configuration.

      Most engineering professions where lives or large dollar amounts are at risk (civil engineering, structural engineering, many forms of mechanical engineering) require the person designing the system to have some sort of outside certification that s/he knows what s/he is doing. But software is still the Wild West where you can get your 13 year old nephew to set up that database for you.

    13. Re:Managed by morons by Dr.Saeuerlich · · Score: 1

      It's China. Really, regular IT people (not the government's hackers) here are notoriously clueless about security. I've encountered various systems in the last years here in China that ran with no passwords or default passwords, because some underpaid drone didn't care to do some extra work. Favorite Chinese passwords? qwerty, 12345, companynameCURRENTYEAR, some patterns you can type on your keyboard like 147896. Security through obscurity is also a favorite concept.

    14. Re:Managed by morons by niff · · Score: 0

      If you've set up proper backups, this shouldn't make anyone sweat too much.

    15. Re: Managed by morons by guruevi · · Score: 2

      Just because a project is open source doesn't mean everyone can contribute to it. MongoDB has been rife with issues since the beginning, the company behind it is only interested in selling its subscription technical service and has a culture that doesn't accept anything that isn't the "Mongo" way or would interfere in the commercialization of its platform kind of like Poettering on steroids.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    16. Re: Managed by morons by Anonymous Coward · · Score: 0

      I've used mongodb before and I was shocked at the default install that both opens up your machine to the whole world and provides no Admin password. At the very least it could limit connections from the localhost. It's a terrible choice for a "modern" tool and I immediately searched shodan for open mongodb instances. There are thousands. I'm just really surprised it took this long.

      As far as working with it, it has its place, but it's no gem and forces any application with sql to rewrite basic queries in their custom API. Which means for thousands of visualization tools, its not plug n play. If you're not doing extremely high volume data, or extremely inconsistent data, it's probably worth just using traditional storage mechanisms.
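The two settings this poster is complaining about both live in mongod.conf, and both can be checked mechanically. The script below is an added example (not from the thread or the MongoDB project): a constructed weak config of the shape many stock pre-3.6 installs had, the same file hardened to bind to loopback with authorization enabled, and an audit that flags either problem. The parser is deliberately minimal and handles only the two-level YAML subset mongod.conf uses (an assumption made to avoid a PyYAML dependency); the treatment of a missing `bindIp` as "all interfaces" reflects the pre-3.6 default.

```python
"""Audit a mongod.conf for the two settings behind the ransomed instances:
interface binding and authorization. Added example; the parser covers only
the two-level YAML subset mongod.conf uses (an assumption; use PyYAML for
arbitrary files)."""

# Constructed sample: a stock pre-3.6 style config that listens everywhere
# and has no security section at all.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, including the public one
"""

# The same file hardened: loopback only, authorization on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the two-level `section:` / `  key: value` subset into nested dicts."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments and trailing space
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if line[0] != " ":                          # unindented: new top-level section
            section = key
            conf[section] = {} if value == "" else value
        else:
            if section is None or not isinstance(conf[section], dict):
                raise ValueError("indented key %r outside a section" % key)
            conf[section][key] = value
    return conf


def audit(conf):
    """Return findings for the two checks; an empty list means both passed."""
    findings = []
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    bind = net.get("bindIp", "0.0.0.0")             # pre-3.6 default when unset: all interfaces
    addrs = {a.strip() for a in bind.split(",")}
    if net.get("bindIpAll") == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("net.bindIp=%s: mongod listens on every interface" % bind)
    security = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: "
                        "any client that can connect is an administrator")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_conf(text)) or ["ok"])
```

Two caveats when applying the hardened form. Turning on `security.authorization` with no users defined does not lock you out: a connection from localhost may still create the first user (the localhost exception), so create the admin user immediately, because that exception is exactly what an attacker on the box would use too. And `bindIp: 127.0.0.1` only helps if the host's loopback is the one clients reach; inside a container mongod must bind to the container's interface, so the restriction has to move to the publish step (`-p 127.0.0.1:27017:27017` rather than `-p 27017:27017`), which is the Docker firewall bypass another poster mentions.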

    17. Re:Managed by morons by JoeMerchant · · Score: 1

      200,000 patient records sounds like they might be important to somebody...

    18. Re:Managed by morons by JoeMerchant · · Score: 1

      I worked in software/electrical engineering for 10 years, then took a look at maybe getting my PE license in electrical - it's a whole different mindset in the PE world, one that software would benefit from, but will take decades to adapt. The people who should be PEs in software are too valuable to industry right now to be bothered with such things. Industry would really be serving itself if they pushed for a PE type of licensing to be instituted, but "learn Java in 21 days" software schools don't even come close to preparing their students for the rigor of a PE licensing process.

      On the flip side, a PE software specialization test would be necessarily ludicrous, as are the electrical and mechanical tests today.

    19. Re:Managed by morons by Anonymous Coward · · Score: 0

      > a PE software specialization test would be necessarily ludicrous, as are the electrical and mechanical tests

      Finer words have never been spoken, oh ye of goth precure.. imagine that! validation, verification, proof!! ... the scientific method!!

    20. Re: Managed by morons by Anonymous Coward · · Score: 0

      > I've used mongodb before and I was shocked at the default install that both opens up your machine to the whole world and provides no Admin password.

      That sounds like your server is directly connected to the internet without benefit of gateway, router or firewall. Or do you think that I can try to connect to 192.168.1.1 (or similar) and that is your machine?

      (hint: it isn't)

      Captcha: safeties

    21. Re: Managed by morons by Anonymous Coward · · Score: 0

      Fuck open source!

    22. Re:Managed by morons by Anonymous Coward · · Score: 0

      I may be mistaken (don't administer any Mongo databases), but as I understand it, many databases were exposed by an upgrade. Even if you had a password set the upgrade wiped it out and quietly left you exposed.

      If that's what actually happened, the Mongo project has some explaining to do

      Other tools can lead to surprises there, too. Bind a container on 0.0.0.0 and port instead of the system's address and port with docker and see your firewall bypassed if it is a standalone vserver you rented. We don't need simpler ways to install things, we need more knowledge why systems aren't that simple in the first place.

    23. Re:Managed by morons by ls671 · · Score: 1

      Yep, in 2017, we expose stuff to the Internet and it is perfectly safe to do so as long as you know what you are doing. In the old days, dedicated physical pipes were viewed as much safer and were commonly used. Then came "virtual physical pipes". Nowadays, very few outfits use real physical dedicated pipes.

      --
      Everything I write is lies, read between the lines.
    24. Re:Managed by morons by Anne+Thwacks · · Score: 1

      virtual physical pipes

      The problem here is that the "virtual idiots" responsible for systems administration have been replaced by "complete idiots". Not having a password on a database, even if it is not exposed to anything, is extremely foolish, and comparable to leaving fivers lying around on the floor. Sure, leaving them on your bedroom floor is more secure than leaving them on the pavement in the high street, but if you wish to keep them, "on the floor" is not the place for banknotes. If you don't know this, you are not a fit person to handle money of any denomination. Same logic applies to sysadmins.

      we expose stuff to the Internet and it is perfectly safe to do so as long as you know what you are doing

      How is a PHB expected to employ someone who knows what he is doing, when he can't tie his own shoelaces? This problem is society wide, and not a computer specific problem. Idiots are unfit to hold high^H^H^H^H any office. More news at 10.

      --
      Sent from my ASR33 using ASCII
    25. Re:Managed by morons by Anne+Thwacks · · Score: 1

      you can get your 13 year old nephew

      My 13 year old nephews know full well what they can do with a database that is not secured, thank you.

      Beware: We may not be the only family to teach 11 year olds SQL.

      --
      Sent from my ASR33 using ASCII
    26. Re: Managed by morons by Anne+Thwacks · · Score: 1

      I can try to connect to 192.168.1.1 (or similar) and that is your machine ?

      Yes, my machine IS 192.168.1.1 you insensitive clod!

      --
      Sent from my ASR33 using ASCII
    27. Re:Managed by morons by ls671 · · Score: 1

      Nice to meet you Anne.

      --
      Everything I write is lies, read between the lines.
    28. Re:Managed by morons by AlphaBro · · Score: 1

      The solution is simple, and the onus is on software developers.

      First, secure by default is a requirement. Always prompt for a strong user-specified password by default. Most people take the path of least resistance when installing and configuring software, so this will drastically reduce instances of network-exposed services that lack creds or have documented default creds. Second, if insecure features must be enabled, e.g. anonymous access is required in some legitimate use cases, bury such settings deep in configuration files and UI-based advanced configuration settings. This too will deter people from using bad security configurations, unless they truly feel they must.

      This is a solved problem, and that's why we see this type of issue in a small subset of domain specific programs. It's always the shitty IoT devices and hipster databases. Blame devs that lack security consciousness, if you want somebody to point a finger at.

    29. Re:Managed by morons by thegarbz · · Score: 1

      Except this clearly wasn't a targeted attack. So we're down to 1 person losing their job and 1799 people going *sigh* followed by *meh* followed by just nuking their crappy database from orbit.

    30. Re:Managed by morons by thegarbz · · Score: 1

      Beware: We may not be the only family to teach 11 year olds SQL.

      Harsh. Back in my day we got a spanking and were sent to our room.

    31. Re:Managed by morons by Anonymous Coward · · Score: 0

      So you expect someone who doesn't understand the need for an admin password to a database to also understand the concept of backups?

    32. Re:Managed by morons by mlts · · Score: 1

      I wouldn't blame the devs. They know where the money is buttered, and that is placating people who scream the loudest, which tends to be marketing and sales. A sales guy clinches a new contract, but told the customer the product has "xxx" feature. It really doesn't, so dev has to cough that feature up ASAP or else the sale gets lost. Management looks at security and the time it takes to do it right versus cutting corners, sees that it doesn't bring any revenue, and tells the dev staff that security can be strapped on later after the sale is made.

      In a number of places, the devs are in an offshore sweatshop, and really don't know any better. Tell them to code a widget, they do that. They will not know, nor care about defensive programming because it takes time away from doing code quantity.

      The people to blame are the PMs who pooh-pooh security because they think it has no ROI.

    33. Re: Managed by morons by mlts · · Score: 1

      The ironic thing is that you don't have to run MongoDB to get MongoDB functionality. PostgreSQL can do the same thing, except it has a proven track record of security.

      The real question... why bother with MongoDB at all, unless something like Splunk requires it? There are better solutions available, both F/OSS and non.

    34. Re:Managed by morons by coofercat · · Score: 1

      I can't confirm if this is true, as I have a Mongodb with no password (and so upgrades didn't remove anything). My difference is that (a) it's only accessible through localhost, and (b) if any remote clients ever want to use it, they'll do so through an stunnel, which will only accept connections from the known IPs of the clients that should be connecting. In my book, even opening up a properly secured database to the Internet is unnecessary - just open it up to the IPs that need it.

      If you're wondering, we use it for Errbit - if we ever did get p0wned, I'd just blow it away and re-install (hence my somewhat rough-shod approach to security in this case).

    35. Re:Managed by morons by Whorhay · · Score: 1

      Some years ago I had a customer passed to me that wanted to know what kind of hoops they needed to jump through to get a Mongo DB approved for our network. No one I knew had ever even heard of it and after about 45 minutes of googling we had to just tell them it would likely never get approved. Getting a big name RDBMS that is actually engineered towards being secure approved is enough of a headache once the developers have had their way with it, Mongo was basically out of the question.

    36. Re:Managed by morons by Anonymous Coward · · Score: 0

      If you are managing systems please get some education on best practise from someone with experience. Exposing a database to the internet is a fucking retarded thing to do, especially if it is only protected by a password - if you think you "know what you are doing" by doing this, you are a fucking imbecile and there is no hope for you. This idiotic know-it-all cowboy attitude to security is why things get hacked and PII ends up for sale on the dark web.

    37. Re:Managed by morons by gweihir · · Score: 1

      Simple: Morons in IT are far cheaper salary-wise than people with a clue. And morons in management are too stupid to see that these people cost far more overall than people with a clue. This is why such gross stupidity happens all the time in modern IT.

      I imagine this is how things were done in the Roman Empire, right before it collapsed...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    38. Re:Managed by morons by gweihir · · Score: 1

      No traditional RDBMS is "secured by default". You have absolutely no clue what you are talking about. That said, in my experience the only people even more arrogant and stupid in the DB world than the "No SQL" crowd are the traditional RDBMS people.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    39. Re:Managed by morons by AlphaBro · · Score: 1

      Actually, you're right in many cases. As a dev that has shipped software with poor security at the behest of ignorant management that didn't care to understand the problems, I shouldn't be so shortsighted. Open source software is another matter, however; somebody should step up, and do things the right way.

    40. Re:Managed by morons by anchovy_chekov · · Score: 1

      Our experiences may differ here. Depending on the package manager you're using, Postgres (as an example) typically won't even allow remote access until you explicitly enable it. And usually the user associated with the base schema has at least a password. There are exceptions I realise. I guess it's part of the culture. If you've grown up with old school database systems it's almost second nature to check the security model, whereas NoSQL fans I've worked with seem to be happy that things have installed (and configuring apps to connect is simple if there's no actual password).

      But I take your point. Any system needs to be hardened, and there's nothing worse than being complacent.

    41. Re:Managed by morons by gweihir · · Score: 1

      Well, I agree that good security habits may be far less known and followed in the NoSQL-crowd, because they are "hip" and "dynamic" and often inexperienced in server system configuration and management. Also, because all these mistakes _have_ been made with RDBM Systems in the past, they are less likely to be insecure by default, but it still is a risk and you need to check.

      In the best case, hardening just involves checks and you find everything is fine. It still needs to be done, and sometimes you find insecure things where you least expect them.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    42. Re:Managed by morons by mlts · · Score: 1

      I would agree here. F/OSS tends to be about "scratching an itch", but I would say developers of a lot of projects have pride in their work and go above and beyond the call of duty. One example is Borg Backup, which I've been following. Even though nobody is funding the project, it is active and has matured a lot from the Attic fork it once was. This type of code quality where even attacks in theory are fixed is pretty much nonexistent in the private sector for the most part.

  3. $200 by ShanghaiBill · · Score: 2

    ... asking for 0.2 Bitcoin ($200) ransom

    That seems like a modest ransom. At least he isn't greedy.

    1. Re:$200 by thegarbz · · Score: 3, Interesting

      Let's face it. If this attack is automated it would be a reasonable assumption that you're dealing with complete idiots on the other end and not people storing valuable data. The fact that he hit a healthcare organisation sounds more like a fluke than a targeted attack. If it were then it would be more than $200.

    2. Re:$200 by plopez · · Score: 1

      How does he get rich? Volume! As well as the attitude of "let's just pay it, it's so small". Factor in that it might even be a misdemeanor in some places. And we do not even know how many places were hit. Overall a clever strategy.

      --
      putting the 'B' in LGBTQ+
    3. Re:$200 by coofercat · · Score: 1

      We also don't know what the healthcare organisation used it for. It could just be an admin's experimental project, and contain literally nothing of interest to anyone. Less likely is that it contains any actual medical information for identifiable people.

  4. Clearly... by QRDeNameland · · Score: 5, Funny

    MongoDB attacks are Web Scale.

    --
    Momentarily, the need for the construction of new light will no longer exist.
    1. Re:Clearly... by plopez · · Score: 3, Funny

      The lack of admin password is the secret sauce.

      --
      putting the 'B' in LGBTQ+
    2. Re:Clearly... by Hognoxious · · Score: 1

      It does have a password, but it stores it in /dev/null for higher performance.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. Too bad there's no CVE for retarded admins by Anonymous Coward · · Score: 1

    If there was a CVE assigned for every stupid mongodb admin, they'd have blown Android out of the water.

    You do NOT put your database on the internet! Opening your mongodb to the internet does NOT make it webscale!

    1. Re:Too bad there's no CVE for retarded admins by Anonymous Coward · · Score: 0

      You do NOT put your database on the internet! Opening your mongodb to the internet does NOT make it webscale!

      But it's not on the internet, it's on the cloud!

    2. Re:Too bad there's no CVE for retarded admins by Anonymous Coward · · Score: 0

      You do NOT put your database on the internet! Opening your mongodb to the internet does NOT make it webscale!

      But it's not on the internet, it's on the cloud!

      Sadly, some CIOs don't understand this...

    3. Re:Too bad there's no CVE for retarded admins by K.+S.+Kyosuke · · Score: 1

      Opening your mongodb to the internet does NOT make it webscale!

      True, 1800 attacks isn't quite webscale yet! I'd add two more zeros.

      --
      Ezekiel 23:20
    4. Re:Too bad there's no CVE for retarded admins by Anonymous Coward · · Score: 0

      It's far too easy for some random dev to rent a server and deploy a mongo docker container. DevOps ftw!

  6. Mysterious you say? by Anonymous Coward · · Score: 0

    Hm. You'd think he would drop his wallet or something, wouldn't you?

  7. Russians by Ant2 · · Score: 2, Funny

    Those pesky Russians are at it again.

    1. Re:Russians by mwvdlee · · Score: 1

      That's what he said.
      Who do you think the "and friends" are?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  8. You are much more sure than SCO is by raymorris · · Score: 4, Informative

    > To this day, I fail to understand the hypocrisy in supporting the little guy against giants like Apple and Microsoft, but rooting for another giant, IBM, to decimate SCO.

    Some of us pay attention to who is right and wrong, rather than deciding absolutely everything based on "big mean corporation."

    SCO originally filed for misappropriation of trade secrets and unfair competition. Later, they decided breach of contract might be better. Still later, they decided maybe copyright infringement. Obviously, SCO wasn't so sure exactly what they were complaining about - not nearly as sure as you are.

    They claimed that up to 0.0001% of the Linux kernel might have been derived from Unix, but refused to say which parts. As the judge began to strike down their claims unless they identified which code they were talking about, they pointed to some BSD licensed code written by Thompson - code they clearly had no copyright rights to.

    When it was pointed out that Novell, not SCO, owned the Unix copyright, SCO tried to buy the copyrights from Novell. Again, Novell clearly wasn't too sure they owned the copyrights, they were trying to buy them from Novell, yet you're sure that they already owned them.

    SCO then claimed that the GPL itself is illegal and unconstitutional! Which would of course mean that SCO were themselves unlawfully distributing GPL code! Yeah that annoyed some people.

    SCO didn't just lose a case, they were laughed out of court repeatedly. "We're suing you for violating the copyright on Unix, but we're still trying to buy that copyright so can we have a short delay?" What!?!? It was one of the most ridiculous cases ever. That's why people didn't root for SCO, it was because SCO was engaging in ridiculous trolling that made no sense. They argued that the "offending code" was part of the Linux kernel, then argued that it wasn't. They couldn't even make up their mind.

    1. Re:You are much more sure than SCO is by Anonymous Coward · · Score: 1

      YHBT. And rather obviously so.

    2. Re:You are much more sure than SCO is by JoeMerchant · · Score: 1

      Are we sure that this wasn't a master stroke by SCO to establish some case law in favor of all the things they appeared to be attempting to tear down?

    3. Re: You are much more sure than SCO is by Anonymous Coward · · Score: 0

      > SCO vs IBM. If IBM wins, AIX becomes the standard Unix instead of ... Linux

      The SCO vs IBM case has no implications for Linux at all. AIX _is_ standard System V Unix, IBM has an irrevocable licence for Unix from Novell.

      Please inform yourself of the facts before ranting irrationally.

      https://en.wikipedia.org/wiki/IBM_AIX

    4. Re:You are much more sure than SCO is by Bongo · · Score: 1

      That reminds me of cases in the Good Wife, except they wisely limited their law humour scripts to half retard, whereas what you describe goes full retard.

    5. Re: You are much more sure than SCO is by mlts · · Score: 1

      From what I've seen, IBM wants to pull away from AIX because they know that the POWER8 market is shrinking, and so is AIX. This isn't to say that AIX is bad -- it is arguably extremely secure and mature, just like Solaris. However, the market in general is moving from Big Iron to x86-64, to VMs, to cloud based VMs, to serverless services (AWS Lambda), and from pets to cattle, where backups and basic redundancy are viewed as a bother [1] and not an official need.

      IBM isn't dumb. Softlayer OpenStack will be an effective competitor to AWS in a few revs, and for some tasks, it is effective now. They know that a lot of businesses want only one piece of server hardware locally, and that's the edge switch/router to connect their workstations to the cloud provider.

      This is not to say AIX is dead by any means. However, IBM is following the money, and that is to be a cloud provider, guaranteeing income monthly.

      [1]: A few months ago, during a job interview, I was told by one of the interviewers, "asking a cloud based startup about backups and uptime is like asking Tesla about what length and material their buggy whips are made from." Needless to say I went elsewhere.

    6. Re: You are much more sure than SCO is by Insanity+Defense · · Score: 1

      it's pretty simple, poors want free stuff and they want to be recognized for their frugality
      so, the poors that can only use Linux because they can't afford PCs or macs now have a vested interest in Linux succeeding because a) they want the free ride to continue and b) they can claim some level of expertise for a nice computer janitor job
      now you get to SCO vs IBM. If IBM wins, AIX becomes the standard Unix instead of smelly hippie free "as in beer and speech!!!!" Linux. poor Linux "admins" can't have that, it takes away the gravy train in favor of professionals so... it all makes sense when you think about the idiot poors that are trying hard to be real IT pros.
      this also explains why stories like databases with no admin password exposed to the internet getting hacked become news.

      Bullshit. If you are poor the machines you can buy come with Windows in the price tag. Linux machines are virtually always higher priced because the manufacturers don't get paid to install all the crapware/trial ware on the system. People who use Linux do so because they WANT to. They use Windows because it comes with the system and it is what they know already.

    7. Re: You are much more sure than SCO is by jwhyche · · Score: 0

      This is not to say AIX is dead by any means

      It's not dead yet but when it is I will be the first in line with the shovel to bury it. I made a lot of money off AIX but I'm glad that I no longer have to suffer it.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    8. Re:You are much more sure than SCO is by kriston · · Score: 1

      What, exactly, does this have to do with TFA?

      --
      Kriston

    9. Re: You are much more sure than SCO is by kimvette · · Score: 1

      > so, the poors that can only use Linux because they can't afford PCs or macs now have a vested interest in Linux succeeding because a) they want the free ride to continue and b) they can claim some level of expertise for a nice computer janitor job

      For a "janitor job" it pays extremely well - certainly better than your mop janitor job. ;)

      > now you get to SCO vs IBM. If IBM wins, AIX becomes the standard Unix instead of smelly hippie free "as in beer and speech!!!!" Linux

      Linux != UNIX. It never was, and was never intended to be. It was intended to work just like Linux, but free of UNIX licensing constraints. It is a UNIX clone. That it usurped UNIX's throne everywhere from appliances to big iron, from lowly tablets to the largest supercomputers only serves as a testimony to its relative stability and extensibility. Is it the perfect UNIX-like OS? Certainly not... but it is a very solidly competent jack of all trades.

      Regarding your use of the term "the poors": I'm assuming you're a white trash Trump supporter living in a red state who benefits from the wealthy blue states' paying more taxes.

        American politics are truly fucked up: the blue states pay the highest taxes because they are the wealthiest. The blue states basically vote to tax themselves more so the red states can get more assistance.. and the red states are voting against it... and based on your post, I'm assuming you're one of those idiots voting against their own best interest.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    10. Re: You are much more sure than SCO is by HornWumpus · · Score: 1

      I really enjoyed shooting old hard drives containing Netmare 2 back in the day.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  9. Wow! by Anonymous Coward · · Score: 0

    "..these databases are MongoDB instances that feature no administrator password..."

    "..one which hit a prominent U.S. healthcare organization.."

    Wow great going guys! Way to conform to HIPAA!

    1. Re:Wow! by Anonymous Coward · · Score: 0

      HIPAA - is that some sort of artificial hip assistant?

  10. Nuke, upgrade, and restore from backups by PeeAitchPee · · Score: 1

    Fuck these ransom guys. Keeping good backups is a little bit of extra work, but at least you have the option to restore, even if you've been hacked because of gross negligence / shameful ignorance / plain stupidity like this.

    1. Re:Nuke, upgrade, and restore from backups by supremebob · · Score: 4, Insightful

      You think that someone who didn't bother setting an admin password for an Internet facing database bothered to configure backups for it?

    2. Re:Nuke, upgrade, and restore from backups by Anonymous Coward · · Score: 0

      Assuming that the admins that allowed the database to be compromised were making backups.

      I can't even ;)

    3. Re:Nuke, upgrade, and restore from backups by plopez · · Score: 4, Interesting

      they backed up to /dev/null because it was web scale.

      --
      putting the 'B' in LGBTQ+
    4. Re:Nuke, upgrade, and restore from backups by Anonymous Coward · · Score: 0

      They should have, mongodb makes doing backups a complete snap

      e.g. if I have a database named 'DataBase'

      I could open up a terminal window and just do
      cd /var/www   # gets you to the general directory for web files
      mongodump --db DataBase   # and that is all there is to it, it's very easy, and very simple; restoration is a similarly simplistic affair
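
The mongodump one-liner above is the whole backup story only until something goes wrong. Below is an added example (not code from the post above or from MongoDB) that wraps the same mongodump command in a scheduled job with a retention policy, so a ransomed or wiped database can be restored from a known-good point. It assumes mongodump is on PATH, that dumps live under a directory that is not inside the web root (the poster's `cd /var/www` leaves the dump where a web server may happily serve it to the next visitor), and that any --username / --password / --authenticationDatabase flags are supplied by the caller from a secret store rather than written into the script. The dump-directory naming scheme and the five-directory tree used by the demo are constructed for the example.

```python
"""Scheduled mongodump with a retention policy. Added example, not code from
the post above or from MongoDB's own tooling. Assumptions: mongodump is on
PATH; dumps live under BACKUP_ROOT (outside any web root); authentication
flags are passed in by the caller from a secret store."""

import os
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Sequence, Tuple

BACKUP_ROOT = Path(os.environ.get("MONGO_BACKUP_ROOT", "/var/backups/mongodb"))
DUMP_PREFIX = "dump-"               # hypothetical naming scheme for dump dirs
TIMESTAMP_FMT = "%Y%m%dT%H%M%SZ"    # zero-padded UTC, so name order == time order


def dump_dir(root: Path, when: datetime) -> Path:
    """Directory for one run, e.g. <root>/dump-20170107T031500Z."""
    return root / f"{DUMP_PREFIX}{when.strftime(TIMESTAMP_FMT)}"


def mongodump_argv(db: str, out, host: str = "127.0.0.1",
                   port: int = 27017, auth_args: Sequence[str] = ()) -> List[str]:
    """Command line for one dump. --gzip compresses each collection file;
    --out makes mongodump write <out>/<db>/<collection>.bson.gz."""
    return ["mongodump", "--host", host, "--port", str(port), "--db", db,
            "--gzip", "--out", str(out), *auth_args]


def run_backup(db: str, root: Path = BACKUP_ROOT,
               auth_args: Sequence[str] = ()) -> Path:
    """Dump `db` into a fresh timestamped directory and verify it is not empty."""
    out = dump_dir(root, datetime.now(timezone.utc))
    out.mkdir(parents=True, exist_ok=False)     # never overwrite a prior run
    subprocess.run(mongodump_argv(db, out, auth_args=auth_args), check=True)
    # A dump that wrote no collections is not a backup; fail loudly so the
    # cron job's error gets noticed instead of silently rotating in garbage.
    if not any((out / db).glob("*.bson.gz")):
        raise RuntimeError(f"mongodump wrote no collections under {out}")
    return out


def list_dumps(root: Path) -> List[Path]:
    """All dump directories under root, oldest first."""
    return sorted(p for p in root.glob(f"{DUMP_PREFIX}*") if p.is_dir())


def prune_old_dumps(root: Path, keep: int) -> List[Path]:
    """Delete all but the newest `keep` dumps; return the ones removed."""
    if keep < 1:
        raise ValueError("keep must be >= 1; refusing to delete every backup")
    dumps = list_dumps(root)
    doomed = dumps[:-keep] if len(dumps) > keep else []
    for d in doomed:
        shutil.rmtree(d)
    return doomed


def demo_retention(keep: int = 2) -> Tuple[List[str], List[str]]:
    """Exercise the retention logic offline on a constructed tree of five
    empty dump directories; returns (removed names, remaining names)."""
    root = Path(tempfile.mkdtemp(prefix="mongo-retention-"))
    for day in range(1, 6):
        dump_dir(root, datetime(2017, 1, day, tzinfo=timezone.utc)).mkdir()
    removed = [p.name for p in prune_old_dumps(root, keep)]
    remaining = [p.name for p in list_dumps(root)]
    shutil.rmtree(root)
    return removed, remaining


if __name__ == "__main__":
    print("retention demo:", demo_retention())
    # Real use (needs a running, authenticated mongod):
    #   run_backup("DataBase", auth_args=["--username", "backup",
    #              "--authenticationDatabase", "admin", "--password", pw])
    #   prune_old_dumps(BACKUP_ROOT, keep=14)
```

Restoring is `mongorestore --gzip --drop <dump directory>`; test that path on a scratch instance before you need it, because a backup that has never been restored is a hope, not a backup.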

  11. Where's the training and hard experience? by Anonymous Coward · · Score: 0

    This is part of why I am against all this fashionable "programming should be easier" bullshit.
    You should be required to take the time to learn not just some decent technical skills but also the reasons behind creating complicated security and authentication systems.
    You should have to learn to write real software in a complex language, and you should know why script-kiddies who think they have a quick solution should never be given a real job, especially on world-facing internet solutions.
    You should also gain enough knowledge to understand why this "no-sql" bullshit should only be considered a hobbyist's toy.

    1. Re:Where's the training and hard experience? by BarbaraHudson · · Score: 1

      Good thing my copy of dBASE5 still runs like a charm under dosbox and is impervious to all this web crap. Clipper still works like a charm too ...

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Where's the training and hard experience? by Anonymous Coward · · Score: 0

      Technically if they had configured the security there wouldn't be a problem. Web enabled is inevitable. Honestly the economy sucks, jobs are scarce and the web offers the possibility of breaking barriers by giving the average joe global reach. Things are just beginning, we are in the infantile baby step stages even if we believe all of this is old because we've been hearing about the web for a few years. The web is growing up, but technologies like mongodb came out in 2007, and nodejs just came out in 2009. I've got pairs of pants older than these ground breaking technologies.

      I'm not sure why web would be 'crap' it's the whole reason that most of these changes are happening at all. Honestly if you take away the internet, you'd cripple and mutilate an already failing seizing society. We've been spared the totality of the reality of our loss of super power status along with the loss of a super power war chest and super power manufacturing capabilities only because we've had new trickling little avenues like the web to wriggle into and stay warm against the harsh economic winter.

      We need the web, and we need web enabled databases because a website is generally speaking a skin of logic interaction around a database.

    3. Re: Where's the training and hard experience? by Anonymous Coward · · Score: 0

      I really hope you are trolling. You said: "Uh, sql is bullshit dude, it's horrific and not because it's 'better' its crap syntax and inherent lack of security (fusing the command and payload into a fucking string, insane!)."

      Cluestick: relational DB developers don't build up a string like that to create a SQL statement from raw browser input. (That's called "dynamic SQL"; think of it as interpreted SQL.) Instead, clued in relational DB developers compile the SQL statements (called "prepared statements") ahead of time which allows for arguments to be sent to the prepared statements afterward just like any normal programming language procedure call.
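
The distinction in the reply above, shown in working code as an added example (not code from either poster): the same lookup written as dynamic SQL and as a prepared statement, run against an in-memory SQLite table with the standard-library sqlite3 module. The users table and the attacker-controlled input are constructed for the demo and stand in for a web form field.

```python
"""Dynamic SQL beside a prepared statement. Added example, not code from the
thread; uses only the standard-library sqlite3 module. The users table and
the ATTACK payload are constructed for the demo."""

import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, name: str) -> List[Row]:
    """'Dynamic SQL': the raw input is spliced into the statement text, so a
    quote character in it becomes part of the SQL grammar."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Prepared statement: the text is fixed and compiled first; the value is
    bound to the ? placeholder afterwards and is only ever data."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()


# Constructed payload: closes the quoted literal and appends a tautology.
ATTACK = "nobody' OR '1'='1"


def demo() -> Tuple[int, int]:
    """Rows returned for the attack payload by each approach."""
    conn = make_db()
    try:
        return (len(lookup_dynamic(conn, ATTACK)),
                len(lookup_prepared(conn, ATTACK)))
    finally:
        conn.close()


if __name__ == "__main__":
    dynamic, prepared = demo()
    print(f"dynamic SQL returned {dynamic} rows for the payload; "
          f"prepared statement returned {prepared}")
```

The dynamic version hands back every row for the payload; the prepared version returns none, because there is no user literally named `nobody' OR '1'='1`. The `?` placeholder (or `%s` for drivers that use it) is the prepared-statement interface in Python's DB-API, so the fix is not "escape harder", it is "stop building the statement from strings".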

    4. Re:Where's the training and hard experience? by BarbaraHudson · · Score: 1

      Wow, someone who wants to race to the bottom even quicker. Then again, what can you expect from an AC?

      Technically if they had configured the security there wouldn't be a problem.

      Provably false, because it is impossible to anticipate every security problem, especially since you're trying to hit a moving target. Never been done, can't be done within the heat death of the universe.

      Web enabled is inevitable

      Only if you're someone who wants to really screw over users, with things like all-time connections required, downloadable content, adware, etc. Local networks did just fine for a LONG time for all sorts of business applications, and both standalone and local networks for things like games and other forms of entertainment. You show the lack of imagination given by not knowing history. The internet is a symptom, and has caused more harm than good for the average person. Fake news wouldn't be possible without stupidity like Failbook and Twithead.

      Honestly the economy sucks, jobs are scarce and the web offers the possibility of breaking barriers by giving the average joe global reach

      First, there is a limited demand for internet-enabled jobs, and already far too many people trying to fill that demand, which is why most internet-based jobs pay less than minimum wage by the time you account for everything. Second, we're seeing the beginning of the bursting of the second internet bubble. You can't eat virtual pizza, your bitcoin is a terrible form of currency (as seen by the 18% drop in value in 5 days), the vast majority of "App developers" still make far less than the minimum wage and that has always been the case, and always will be, because people always hope that they will be the exception.

      If you want to compete with developers in India, you'll end up with their standard of living - which means a country where, like India, there are so many people without a toilet (indoor OR outdoor) that they could literally form a line from the earth to the moon - something that will NOT change over the next 40 years because poverty is both ingrained in the corruption and class structure, and because the reservoir of poverty is just too large - and of course it doesn't help that India will have more people than China in 5 years.

      Also, your "ground breaking technologies" are not. Most of the "new technologies" are shit, same as ruby used to be the latest hotness. Anything based on javascript is inherently worse than Flash - at least flash doesn't need a web browser to run in, and can be easily confined either to the local machine or local network. It also requires far less ram and cpu to do the same job. This is the problem with so many of the "new technologies" - holier than swiss cheese, layered upon other layers that are also full of bloat and rot (even Flash was bloat, but nowhere near as bad as, say, chrome or firefox).

      We can exist fine without the internet. Specialized networks with limited access, non-interchangeable protocols, devoted to specific tasks, are going to happen, if only because the current internet is defective by design when it comes to security - the original goal was to be as failsafe as possible, no matter how much of the intervening network was destroyed - but that also means that any node can always attack anyone and everyone. Heck, it was possible at the dawn of the internet to take Microsoft down with a dial-up modem and a 386.

      Society started failing when trickle-down economics and both the left and the right started ignoring economic disparity (which includes the Clintons even before he became president, having helped dismantle some of the new deal economic protections that actually allowed the economy to grow by growing the base instead of feeding the rich - a policy Obama continued by, among other things, bailing out the car companies and

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  12. Personally I blame... by FlyingGuy · · Score: 1

    The idiot developers that want everything in [ insert the name of your currently favorite dev language here ] including security!

    They all want a single, or better yet, no username and password on the db in question! When will the developers EVER learn anything?

    --
    Hey KID! Yeah you, get the fuck off my lawn!
    1. Re:Personally I blame... by plopez · · Score: 1

      This is one big reason I have come to hate IT and developers. The same stupid mistakes over and over again. And when you flag it you get an attitude of "u r old sk3w1", "you don't get it", etc.

      And in at least 2 cases I tried to warn them and when the fecal material impacted the rotary air circulation device guess who got blamed? The guy who tried to stop them. As if I had somehow jinxed them by trying to help them.

      --
      putting the 'B' in LGBTQ+
    2. Re:Personally I blame... by Anonymous Coward · · Score: 0

      When their dipshit pointy haired bosses actually give them the appropriate time to complete a project instead of twisting their little precious pony underwear into a knot because complicated things take time to do right?

      I am a developer at a small company. I'm the only person writing all the code for a website, a spawning system, a client relationship management system, a master control program for website routing, and a few other things.

      My boss pays me roughly as much as a fry dipper at mcdonalds makes and wants everything done in a single day complaining about how expensive it all is.

      Personally I want to take a run at him and drop kick him through a 3rd story glass window.

      Sometimes the developer is seriously doing the absolute best they can under conditions that are complete horse shit and the result isn't always pretty.

    3. Re:Personally I blame... by Anonymous Coward · · Score: 0

      So man up and do something about it. PHBs are obligated to get as much work for as little compensation as they can. It's your job to make sure you're adequately compensated.

  13. True by raymorris · · Score: 1

    You are not wrong

  14. A dipshit and his data by Anonymous Coward · · Score: 0

    ...are soon held for ransom. If you can't be bothered to take the most basic steps to secure, protect, and back up your data, then you deserve a figurative (and perhaps eventually literal) foot up your ass.

    Let's file this expense under "idiot tax" because a bunch of idiots are the ones who will be forced to pay it.

  15. In other news... by Anonymous Coward · · Score: 0

    A healthcare organization had 200,000 patient records stored in an unsecured internet facing database.... I hope some heads will roll for that one.

  16. The only surprise here by Anonymous Coward · · Score: 0

    ... is that Mongo didn't corrupt the data before it could be ransomed.

    1. Re:The only surprise here by Anonymous Coward · · Score: 0

      ??

      I set a mongodb system up at the company I work for, best thing we ever did, works like a dream. I'm even storing binary files in it, not really sure what you're talking about because I have not once seen any instance of corrupted data.

      Try not putting a fridge magnet to hold your login password paper directly on the side of the server computer tower...might help with your corruption issues.

  17. MacKeeper!? by Anonymous Coward · · Score: 0

    We're listening to them as a source now are we?

  18. Biker war ? by Anonymous Coward · · Score: 1

    The Mongols motorcycle club have been at war with the Hells Angels for years. This might be an attempt at attacking their members.

  19. Heads should roll for this by LeftCoastThinker · · Score: 1

    This is equivalent to the facilities guy at work installing new doors with no locks and then a thief putting locks on all the doors with a note to pay him $200 to get the keys to the new locks; it is almost a public service in this case. Heads should roll for this stupidity, though most at the executive level have such a poor understanding of good security practices who knows.

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
  20. MongoDB developed by idiots... by Anonymous Coward · · Score: 0

    Why does mongo even start if the admin password has not been set ?

    1. Re:MongoDB developed by idiots... by mlts · · Score: 1

      It is a reflection of the software development methodology in general. MongoDB is supposed to be fast... like taking a car, yanking all the seats, the windows, the doors, the hood and trunk, all but one brake pad, and saying that it is a performance monster. Of course, the fact that it has been rendered worthless for tasks that need auditability and security is beside the point.
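
To the question above (why does mongod start at all without an admin password) and to the earlier "You do NOT put your database on the internet!" thread: mongod does not refuse to start, because authorization is off unless the config says `security.authorization: enabled`, and releases before 3.6 bound to every interface unless `net.bindIp` was set. Below is an added example (not MongoDB's tooling or code from anyone in the thread) that audits a mongod.conf for exactly those two settings and shows the exposed configuration next to the hardened one. It reads the YAML-style config with a small indentation-based reader rather than PyYAML, so it runs with the standard library alone and understands only the flat `section:` / `  key: value` layout mongod.conf uses. Both sample configs are constructed for the example.

```python
"""Audit a mongod.conf (YAML format, MongoDB 2.6+) for the two settings that
made the ransomed instances reachable: listening on every interface and
running with authorization disabled. Added example, not MongoDB's own
tooling; the sample configs are constructed."""

import sys
from pathlib import Path
from typing import Dict, List

# Constructed sample: the kind of config behind the hijacked instances.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback only, authentication required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

WILDCARD_BINDS = ("0.0.0.0", "::", "*")


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Read 'section:' / '  key: value' pairs into {section: {key: value}}.
    Handles only the flat two-level layout mongod.conf uses (no lists,
    anchors or multi-line scalars); '#' starts a comment."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def audit(text: str) -> List[str]:
    """Return findings for one config; an empty list means no exposure found."""
    conf = parse_mongod_conf(text)
    net = conf.get("net", {})
    findings: List[str] = []

    # Pre-3.6 mongod listened on all interfaces when bindIp was absent, so a
    # missing value is treated as wide open; bindIpAll (3.6+) is explicit.
    bind = net.get("bindIp")
    public = (bind is None
              or any(a.strip() in WILDCARD_BINDS for a in bind.split(","))
              or net.get("bindIpAll", "false").lower() == "true")
    if public:
        findings.append(f"net.bindIp={bind!r}: mongod listens on every interface")

    auth = conf.get("security", {}).get("authorization", "disabled").lower()
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "anyone who can connect is an administrator")
    if public and auth != "enabled":
        findings.append("EXPOSED: unauthenticated mongod reachable from the "
                        "network; expect it to be found, dumped and wiped")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:       # audit a real file, e.g. /etc/mongod.conf
        samples = [(sys.argv[1], Path(sys.argv[1]).read_text())]
    else:
        samples = [("exposed sample", EXPOSED_CONF),
                   ("hardened sample", HARDENED_CONF)]
    for name, text in samples:
        print(f"== {name} ==")
        for finding in audit(text) or ["no findings"]:
            print("  " + finding)
```

A clean audit is necessary, not sufficient: after switching `security.authorization` on you still have to create the admin user, and the host firewall (or cloud security group) should drop 27017 from anywhere that is not an application server, so the binding is not the only thing standing between the data and Shodan.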

  21. Mongo is Ransom Scale by cstacy · · Score: 1
  22. Seems to have got a few suckers to pay up... by Anonymous Coward · · Score: 0

    https://blockchain.info/address/13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq

  23. Even easier with Elasticsearch by kriston · · Score: 1

    This is the result of poor decision making, but a hack like this is even easier with Elasticsearch.

    Unless you pay for a license, Elasticsearch doesn't even offer something as simple as user/password authentication.

    Seriously.

    --
    Kriston

  24. Shooting off your cocksucker again troll? by Anonymous Coward · · Score: 0

    "I don't shoot my mouth off without knowing what I'm talking about" - by raymorris ( 2726007 ) on Thursday December 31, 2015 @09:29AM (#51215379)

    BS (I catch you shooting your mouth off fucking up constantly): 2 raymorris security fuckups https://it.slashdot.org/comments.pl?sid=5351503&cid=47379233/ & https://slashdot.org/comments.pl?sid=5351503&cid=47374033/ admitting you = script kiddie https://politics.slashdot.org/comments.pl?sid=8895203&cid=51726265/

    &

    Tell us how ONLY 'newer script kiddie tools' have stringlength built in (when PASCAL had it for ages - my fav tool) https://slashdot.org/comments.pl?sid=8472509&cid=51114383/ YOU BLUNDERING WANNABE!

    APK

    P.S.=> You like to talk behind others' backs like the gossiping bitch TROLL you are raymorris https://slashdot.org/comments.pl?sid=9880997&cid=53312265/ well, here I am letting YOU TALK in those links, showing your FAILS wannabe ... apk