
Current Security Nightmares

What’s going on out there in the networks these last couple of days? We had a strange hack into a US health insurance provider exposing tens of millions of SSNs and addresses, a temporary shutdown of an online tax service due to identity theft fraud, a database security issue that surfaced by accident through a search engine, and finally, today, a high-level politician dumping emails containing personal information of residents of a US state.

Diving into two of those issues in a bit more detail:

The database issue I mentioned affects MongoDB, a popular NoSQL database system. Three students came across roughly 40,000 open MongoDB databases, containing sensitive information ranging from names and email addresses up to credit card data. Anyone might wonder how that could happen: by running with the default configuration values without ever checking them.

    noauth
    Default: true
    Disable authentication. Currently the default. Exists for future compatibility and clarity.
    For consistency use the auth option.

So the default is to disable authentication? For future compatibility? Seriously? Wait… let’s check the auth option, for consistency’s sake…

    auth
    Default: false
    Set to true to enable database authentication for users connecting from remote hosts. Configure users via the mongo shell. If no users exist, the localhost interface will continue to have access to the database until you create the first user.

Yeah… great… Authentication is disabled by default… Pretty consistent…

Source for both: Configuration File Options – MongoDB Manual 2.2.7

Whoever made that decision, I wouldn’t want to be in his position right now. We’ll see how long it takes until both options are flipped in their default configuration. The conclusion should be: the more you trust a product, the more you should scrutinize its default configuration before going into production. Placing too much trust in a vendor or community just because you’re a “fan” of the tool will put you at risk once you lose sight of the configuration options. For MongoDB 2.2 that means at least two settings to check by hand: auth = true, and bind_ip restricted to the interfaces that actually need to reach the database, because the documented default for bind_ip is to listen on all of them. Authentication off plus a public listener is exactly the combination the students were able to find with a search engine.
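To make that check mechanical rather than a matter of remembering the manual, here is a small audit script, added here as an example and not code from the post or from the MongoDB project. It parses the 2.2-style "key = value" mongod configuration file quoted above, reports the settings that produce an open database (noauth explicitly on, auth missing or off, bind_ip missing or set to a wildcard address), and answers the single question that matters: is this instance reachable from other hosts without authentication? The two embedded configuration files are constructed samples; the option semantics (noauth/auth as quoted, bind_ip defaulting to all interfaces) are taken from the MongoDB 2.2 manual.

```python
"""Audit a MongoDB 2.2-style mongod configuration file for the two settings
that turn a database into an "open" one: authentication off and a listener
on every interface. Added example, not MongoDB project code."""
from __future__ import annotations

# mongod accepts these spellings for a boolean option in the 2.2 config file.
TRUE_VALUES = {"true", "1", "yes", "on"}

# Constructed sample: the 2.2 defaults written out explicitly.
WEAK_CONFIG = """# constructed example, mirrors the 2.2 defaults
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
port = 27017
noauth = true
"""

# Constructed sample: authentication on, loopback interface only.
HARDENED_CONFIG = """# constructed example, hardened
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
port = 27017
auth = true
bind_ip = 127.0.0.1
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse the 2.2 'key = value' format: one option per line, '#' starts a
    comment, a key given twice keeps its last value, lines without '=' are ignored."""
    options: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        options[key] = value
    return options


def is_true(value: str | None) -> bool:
    """A missing option counts as false, which is how mongod treats it."""
    return value is not None and value.lower() in TRUE_VALUES


def _bind_addresses(bind_ip: str) -> list[str]:
    return [addr.strip() for addr in bind_ip.split(",") if addr.strip()]


def audit(config_text: str) -> list[str]:
    """Return one finding per unsafe setting; an empty list means the file is clean."""
    opts = parse_config(config_text)
    findings: list[str] = []

    # 'noauth = true' is the documented 2.2 default; stating it explicitly still
    # disables authentication, so report it even when 'auth' is also present.
    if is_true(opts.get("noauth")):
        findings.append("noauth = true: authentication is disabled")

    # Without 'auth = true' every connection gets full rights on every database.
    if not is_true(opts.get("auth")):
        findings.append("auth not enabled (2.2 default is false): no authentication")

    # 2.2 manual: bind_ip "Default: All interfaces". A wildcard is the same thing.
    bind_ip = opts.get("bind_ip")
    if bind_ip is None:
        findings.append("bind_ip not set: mongod listens on all interfaces")
    elif any(addr in ("0.0.0.0", "::") for addr in _bind_addresses(bind_ip)):
        findings.append(f"bind_ip = {bind_ip}: includes a wildcard address")

    return findings


def is_open_database(config_text: str) -> bool:
    """True when the file yields what the students found: reachable from other
    hosts (anything beyond loopback) and no authentication in force."""
    opts = parse_config(config_text)
    auth_on = is_true(opts.get("auth")) and not is_true(opts.get("noauth"))
    bind_ip = opts.get("bind_ip")
    loopback_only = bind_ip is not None and all(
        addr in ("127.0.0.1", "::1", "localhost") for addr in _bind_addresses(bind_ip)
    )
    return not loopback_only and not auth_on


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: open={is_open_database(text)}")
        for finding in audit(text):
            print("  -", finding)
```

Run it against /etc/mongodb.conf before the instance goes into production; anything that makes is_open_database return True should block the deployment. The script deliberately flags a file that sets both auth = true and noauth = true instead of guessing which option wins, since a contradictory configuration is itself something to fix.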

The second issue I’d like to dive into is a US politician and potential presidential candidate dumping emails containing sensitive data of Florida residents. He set out to bring some transparency to his work by publishing emails he had exchanged with residents of the state of Florida. Unfortunately, he and his team did not redact the emails beforehand. So he simply dumped emails containing SSNs, names in clear text, and even emails carrying the following footer:

Confidential communications intended for indicated recipient only

Keeping in mind that this guy might be a future president of the United States of America, I’m getting worried and afraid. People like him decide on rules affecting hundreds of millions of people without the faintest sense of how to handle their residents’ data. Is that the future we’re moving into? I hope not. It should be mandatory for politicians to have a basic understanding of privacy, data security, encryption and how to handle sensitive information. I’m really upset right now…

Categories: Privacy, Security