Slashdot Mirror


User: golgotha007

golgotha007's activity in the archive.

Stories: 0
Comments: 605

Comments · 605

  1. If you focus on quality rather than quantity... on Is The Future Of Television Watching on Fast-Forward? (washingtonpost.com) · Score: 2

    ...you might learn something new about yourself.

  2. I work for a high-use API site, and I've been seeing these kinds of attacks regularly now for 6 months or more.

    Basically, it's a barrage of user/pass attempts coming from hundreds, sometimes thousands of different IP addresses. I wrote custom filters to specifically identify these requests and black-hole them in the nginx proxy. Luckily, we require that 2FA is enabled on all accounts, so nothing is seriously at risk.

    I urge everyone to use 2FA on all sensitive sites where available. These kinds of attacks are going to become more commonplace.

  3. Re:Where can I find a UNIX-like Linux distro?! on Adios Apt and Yum? Ubuntu's Snap Apps Are Coming To Distros Everywhere (arstechnica.com) · Score: 1

    In other words, get off my lawn!

  4. Is this still going on? on Air, Land, Sea, Cyber: NATO Adds Cyberspace To Operation Areas (phys.org) · Score: -1, Troll

    Hey NATO, the cold war is over! Your mission is finished! The Warsaw Pact ended in 1991.

    Quit trying to surround Russia. Stop being troublemakers already!

  5. Re:SMS was never true 2-factor on How Activist DeRay Mckesson's Twitter Account Was Hacked · Score: 2

    > SMS was never true 2-factor

    Sure it is. Two factor is something you know and something you have. Your ATM card is two factor: to use, supply a PIN (what you know) and the card itself (what you have).

    SMS (what you have) combined with a password (what you know) is a perfectly valid two factor authentication system.

  6. There are hundreds of millions of username/password combinations, stolen from lots of different websites that have been breached over the years. A person(s) or group(s) with this collection decides to target teamviewer users, especially after learning that teamviewer doesn't require their users to enable 2FA. Of course, 99.99% of all the accounts in the huge list will fail (user doesn't exist, wrong password, etc.). But, it doesn't cost any money to continually bang on teamviewer servers looking for username/password combos that work - this part is automated and being done from thousands of computers all at the same time (essentially a botnet). They take the list of successful user/pass combos and give it to a group of people determined to transfer paypal, buy gift cards, anything that will let them infiltrate money by taking control of that user account.
    Who is at fault? Teamviewer doesn't deserve to walk from this completely free of blame. They should have required 2FA for accounts that allow for remote session activity. In addition, they should have noticed huge spikes of bad user/pass combos being tried on their servers.
    Unfortunately, the majority of the blame lies with poor security decisions made by users. Any critical account (like remote access or anything related to money) should be protected by a unique strong password and 2FA (when available).
    This is just the beginning folks. We're going to see more and more of these types of attacks.
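Comments 2 and 6 above both describe the same pattern: leaked username/password pairs replayed against a login endpoint from thousands of IPs at once, which a per-IP rate limit never notices because each address only makes a handful of attempts. The following is an added example of the kind of detector the commenter in #2 alludes to, written for this page and not code from either commenter or from TeamViewer. It assumes a custom nginx log_format (the combined format with " user=<login>" appended, since the stock format does not record the attempted account), a POST /api/login endpoint that answers 401 to bad credentials, and constructed sample traffic; the thresholds are illustrative.

```python
"""Spot credential stuffing in nginx access logs: many source IPs, a few
attempts each, against many different accounts, in a short window."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed custom nginx log_format: the combined format with " user=<login>"
# appended so the attempted account name is logged (the stock format omits it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" user=(?P<user>\S*)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def detect_stuffing(lines, path="/api/login", window=timedelta(seconds=60),
                    min_failures=20, min_ips=10, max_per_ip=3):
    """Return the set of IPs to black-hole.

    A window with at least `min_failures` failed logins, of which at least
    `min_ips` distinct IPs made `max_per_ip` attempts or fewer, is the stuffing
    signature: per-IP rate limits never fire because each IP only tries a few
    leaked pairs. Only those low-volume IPs are flagged; a single IP hammering
    one account is ordinary brute force and belongs to the per-IP rate limiter.
    IPs that also logged in successfully are spared so a typo does not lock a
    real user out.
    """
    events = [e for e in map(parse_line, lines)
              if e and e["method"] == "POST" and e["path"] == path]
    successes = {e["ip"] for e in events if e["status"] == 200}
    failures = sorted((e for e in events if e["status"] == 401), key=lambda e: e["ts"])
    flagged = set()
    start = 0
    for end in range(len(failures)):
        while failures[end]["ts"] - failures[start]["ts"] > window:
            start += 1                      # slide the window forward in time
        win = failures[start:end + 1]
        if len(win) < min_failures:
            continue
        per_ip = Counter(e["ip"] for e in win)
        low_volume = {ip for ip, n in per_ip.items() if n <= max_per_ip}
        if len(low_volume) >= min_ips:
            flagged |= low_volume
    return flagged - successes


def nginx_denylist(ips):
    """Render the flagged IPs as an nginx snippet to `include` in the login location."""
    return "".join(f"deny {ip};\n" for ip in sorted(ips, key=ipaddress.ip_address))


# --- Constructed sample traffic (not real log data) ---------------------------
def _line(ip, ts, status, user, ua="python-requests/2.9.1"):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "POST /api/login HTTP/1.1" '
            f'{status} 27 "-" "{ua}" user={user}')


_T0 = datetime(2016, 6, 10, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = []
for i in range(1, 26):   # distributed attack: 25 IPs, one leaked pair each, 25 accounts
    SAMPLE_LINES.append(_line(f"198.51.100.{i}", _T0 + timedelta(seconds=i), 401, f"user{i:02d}"))
for i in range(8):       # single-IP brute force against one account: not stuffing
    SAMPLE_LINES.append(_line("192.0.2.5", _T0 + timedelta(seconds=3 * i), 401, "alice"))
SAMPLE_LINES += [        # legitimate user: two typos, then a successful login
    _line("203.0.113.7", _T0 + timedelta(seconds=5), 401, "bob", "Mozilla/5.0"),
    _line("203.0.113.7", _T0 + timedelta(seconds=9), 401, "bob", "Mozilla/5.0"),
    _line("203.0.113.7", _T0 + timedelta(seconds=12), 200, "bob", "Mozilla/5.0"),
]

if __name__ == "__main__":
    bad = detect_stuffing(SAMPLE_LINES)
    print(f"{len(bad)} IPs flagged")
    print(nginx_denylist(bad), end="")
```

On the sample, the 25 one-shot addresses are flagged, the brute-forcing 192.0.2.5 is left to the per-IP limiter, and bob's address is spared because of his later 200. A denylist like this is a stopgap, since an attacker with thousands of addresses simply rotates them; the real fix is the one both comments reach for, mandatory 2FA plus alerting on the site-wide failure spike rather than on any single IP.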

  7. Re:One sentence says it all.. on Linux Advocate Suggests Using More Closed-Source Software (techrepublic.com) · Score: 1

    Then it seems that a tool you can debug is the right tool for the job.

  8. One sentence says it all.. on Linux Advocate Suggests Using More Closed-Source Software (techrepublic.com) · Score: 1

    >> What it means is that the best tool for the job is the one you should be using..

    I couldn't agree more.

  9. Doom is great, but.. on Slashdot Asks: What's Your Favorite Doom Story? · Score: 1

    Seeing Doom for the first time was an eye-opener, but I think an even bigger one was when I bought a 3DFX card when it first came out, and saw Quake in OpenGL. Simply incredible.

  10. Re:Now Nerddoom is biting back ... on Oracle V. Google Being Decided By Clueless Judge and Jury (vice.com) · Score: 1

    >> From a today perspective calling a program "less" whose only purpose is to display "more" makes no sense at all.

    Less is more than more, sheesh.

  11. We can all brain storm and dream up cool tech, but it's the folks that actually create it that should be credited. It's clear that CW had nothing to do with the development of the initial release, but it's likely that he knew the folks that did.
    If he had come out publicly with an honest statement to that effect, he would have been received much differently. Instead, he chose to be dishonest and misleading, and there is no forgiveness for that.

    If CW could cryptographically prove himself, then he wouldn't be attacked and/or chased away. I mean, without proof, what did he expect was going to happen?

  12. Terrific news! on Students Can Now Fly Drones At School, FAA Says (buzzfeed.com) · Score: 1

    Now I can fly my drone on any school campus without the fear of being molested (by police, haters, etc.)

  13. Re:The simplest proof on Craig Wright Claims He's Satoshi Nakamoto, the Creator Of Bitcoin · Score: 1

    Better proof would be for him to sign something in today's headlines, or a block that was mined today.

  14. It really depends on what exactly we're talking about. In this case, the parent is speaking specifically around the configuration and deployment of MongoDB, and my response is that a SecDevOps architect is going to do a much better job in the design, configuration and security than your standard developer with such a product. Keep in mind that security doesn't just focus on keeping the baddies away, it also includes high availability for services and ensuring data integrity.

    It's true that many devs are security minded, however in my experience, many are not. As a SecDevOps architect, security comes first in every design and configuration. This includes pentesting, static code analysis and much more.

    Devs are typically focused on function and deliverables, which generally means that security takes a backseat. In cases where a startup is rushing a product to market, security is often never considered at all.

  15. >> 8. Max size limit of data in a key-value that can be indexed,

    If you're wanting to store large blobs over 16MB in size, then use something like GridFS, which breaks up large blobs into smaller ones for easy storage.

    >> 9. Replica set or sharding , which is better? Who knows. Administering both at the same time requires a bottle of whisky and/or prozac on standby.

    It depends on what you're wanting to do. Replica Sets are good for redundancy while sharding is ideal for large amounts of data that should be partitioned across many servers. Using a combination of the two does require some architect work, however.

  16. MongoDB was designed to be configured and used out of the box by developers, not security minded folks like sysadmins or system architects (devops).

  17. Here's the breakdown of vulnerabilities: on Hacker's Account of How He Took Down Hacking Team's Servers (softpedia.com) · Score: 4, Insightful

    The main weaknesses found are: unpatched network appliance exposed to public, services on deep network layers exposed to less secure subnets, using mongo with no authentication, passwords in plaintext found in backups, weak, bruteforcable passwords across the board, no password rotation in place and unpatched windows boxes.

  18. Re:The hardware hasn't faded in importance on Tech Jobs Are Replacing Tech Jobs in Silicon Valley · Score: 1

    >> It's just being built in China now; cheaper labor, fewer environmental regulations. (Obviously)

    Never forget that you always get what you pay for.

  19. A little bit of bitcoin is deducted from your account for viewing content you're interested in? Is their plan to completely monetize the Internet?

  20. DDoS attacks? on Anonymous's War on Trump Described as Successful and Disastrous (techinsider.io) · Score: 3, Informative

    How lame can you get. What a bunch of simple, skill-less cowards.

  21. Re:The original on Slashdot Asks: What's Your Favorite Easter Egg? (slashdot.org) · Score: 1

    This was my first easter egg experience, when Adventure was a hot, new game on the Atari 2600; truly fascinating.

  22. Re:I bet . . . on FBI Delays Case Against Apple; May Have Way To Break Phone (threatpost.com) · Score: 1

    That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

  23. >>Can you imagine this news article?

    You really don't know anything about using bitcoins, do you?

    Instead of this reply, I wish I had modpoints to mark you "-1 Clueless".

  24. Re:Yes it's too much on Is $699 Too Much For a 13.3-inch Android E-ink Reader? · Score: 1

    In Soviet Russia a naked and petrified Natalie Portman pours hot grits down YOU!

  25. I can't wait on BMW To Compete With Google To Build Software For Self-Driving Cars (reuters.com) · Score: 3, Interesting

    for driverless cars to become popular. I'll be able to take advantage of their dialed-up safety protocols and be able to cut my way through traffic faster with less risk.