back to article MongoDB on breaches: Software is secure, but some users are idiots

You shouldn't expect to see any end to data breaches caused by misconfigured instances of MongoDB soon, the company's strategy veep has told The Register. MongoDB is a fairly popular document store in the database world, used by eBay, Foursquare, and The New York Times. It's open source, available under the GNU APL v3.0 …

  1. Anonymous Coward
    Anonymous Coward

    New strapline

    MongoDB: It's for mongs

    1. Anonymous Coward
      Anonymous Coward

      Re: New strapline

      Is that new slang these days for Millennial web 3.0 craptastic "developers"? Bong hits for JSON brah.

    2. Captain DaFt

      Re: New strapline

      Eh, try this one: https://youtu.be/SKRma7PDW10

  2. Neil Alexander

    "servers [...] on the internet that were completely open"

    Firewalls. They aren't just for fun.

    1. sabroni Silver badge

      Re: Firewalls. They aren't just for fun.

      Isn't the problem here that mongo DBs were accessible from the internet without authentication? The firewall shouldn't be handling DB authentication.

      1. Anonymous C0ward

        Re: Firewalls. They aren't just for fun.

        If they were firewalled the Internet wouldn't know there was a MongoDB there at all.

    2. Adam 52 Silver badge

      Re: "servers [...] on the internet that were completely open"

      There is an emerging breed of devops/microservice web developers who take the view that firewalls are an unnecessary barrier to all their microservices talking to each other.

      The same people who spin up insecure db instances on cloud providers.

      1. werdsmith Silver badge

        Re: "servers [...] on the internet that were completely open"

        This is in the Getting Started doc, in a red panel:

        Warning:

        Do not make mongod.exe visible on public networks without running in “Secure Mode” with the auth setting. MongoDB is designed to be run in trusted environments, and the database does not enable “Secure Mode” by default.

        1. sabroni Silver badge

          Re: This is in the Getting Started doc, in a red panel:

          Warnings will be ignored, even if they're in red boxes. Who would've thought it?

          It should be secure by default, with a red box in the Getting Started doc saying:

          Warning:

          Mongod.exe is not visible on public networks as it defaults to “Secure Mode” with the auth setting. MongoDB is designed to be run in trusted environments, so if you are confident in your network security you can disable this behaviour like this.....

  3. Sir Sham Cad

    Convenience

    Yep, I conveniently don't need to look for my important data because it's all over the Internet.

    1. asdf

      Re: Convenience

      Wish I could upvote this several times.

  4. theOtherJT

    There really is no defence...

    ...against users being idiots. If you're going to leave your DB open to the internet with a default password or worse no password on it, well, this is what happens.

    1. werdsmith Silver badge

      Re: There really is no defence...

      I think SQL Server allowed no password for the sa account up to version 7, thereafter the installation required an sa password if installed in dual authentication mode.

      Because blank was the first thing to try if you didn't have the sa password available, and it often worked.

      MySQL/Maria requires a password for root and it has to be reconfigured for remote access because by default it will only work when used from @localhost.

      Nowadays, people just use Pa55w0rd because nobody would ever think of trying that.....

  5. sabroni Silver badge

    The default install should be secure.

    The user installing it should have to open it up to allow anonymous access.

  6. Doctor Syntax Silver badge

    If these are being used for BI then we know the users don't understand security as well as not understanding statistics - http://www.theregister.co.uk/2016/05/02/stats_the_problem_with_bi/ .

  7. LDS Silver badge

    Many commercial databases were laughed at...

    ... because their default setups usually created known users with default password, including highly privileged ones. Oracle's internal/oracle and system/manager, SQL Server's sa without password, Interbase sysdba/masterkey and so on.

    Almost all of them understood it was a stupid practice and now require a password to be set, while non-critical accounts are disabled or no longer created.

    And MongoDB didn't learn the lesson? Making the database inaccessible but from localhost is not the answer - it was a just a bad habit of the LAMP stack where the database was on the same host of the web server - every other databases usually resided on their own hardware and needed to be accessible on the network to be useful (sure, that network should not be the Internet...)

    Most naive user will just make the database available on the network to access it and won't change/set default password if not explicitly asked.

    Sure, you can blame the user just like those who didn't change their default Oracle passwords had to be blamed, but a lazy setup which just set default weak and known password is to be blamed as well.

    1. thedarke

      Six of one, half a dozen of the other

      Mongo have a point in that developers don't generally think about security- especially with the 'move fast, break things' mentality being shorthand with some as 'build shit, be sloppy' but equally it's nowhere a well thought out fresh out of the box experience. Very clear they're developers have never actually had to setup up a sharded cluster from the install or have any experience of secure environments or defense in depth. Silly things like being able to set the username and password to the same value, have multiple security schemas (do they apply it on the root or the db level? For some that's not clear and the documentation is poorly written).

      Time for Mongo to grow up and hire some experienced hands who have gone through all the SQL injection instances and learned from those bitter and painful experiences. Could also do with hiring better documentation writers who actually have to follow the guidance they give before publishing it as it's all over the place.

      Being fair to Mongo as well- it's a damn sight better from a security perspective than ElasticSearch (they didn't have ANY security until they bought someone who was tacking it on top- recipe for disaster in the short and long term as it's not built in at the ground floor), or Redis' reliance on Network ACLs (because you couldn't possibly spoof that...). In fact, if you merged Redis with Mongo and gave them some half sensible developers who have eaten the dog food they might have a far superior offering than the SQL crowd. But security is seen as a resource drain not a feature because it's not sexy for screen demos for the sales guys.

    2. John 104

      Re: Many commercial databases were laughed at...

      @LDS

      You obviously didn't fully read the article. The DB has been secure for quite some time and has security requirements by default. Users are either using an older version or bypassing on purpose.

      1. LDS Silver badge

        Re: Many commercial databases were laughed at...

        No, you didn't read the article "simple as creating a password", "since then our most popular installer, RPM, makes it so you cannot connect to MongoDB remotely ". And that's about the RPM installer only, what about the others?

        I read 1) Mongo does not have a password until you create one 2) Its security just installed relies only on not being accessible outside the host - something most user will change ASAP to use the DB, while not setting a password....

        It's really not different from the old habit of default known password.

    3. John Brown (no body) Silver badge

      Re: Many commercial databases were laughed at...

      "Sure, you can blame the user just like those who didn't change their default Oracle passwords had to be blamed, but a lazy setup which just set default weak and known password is to be blamed as well."

      Car analogy time.

      Kid, fresh out of college, buys first car. Just because it can do 180mph doesn't mean you should. Especially if it comes with a 70mph governor which you choose to by-pass. Driving lessons? We don' need no steenkin' driving lessons!

      It's not as if people, devs, both new and old, don't know of the dangers out on the Internet Superhighway. Even the mainstream news carries stories of data breaches.

  8. frank ly

    Actually

    “We can't force them to make these changes, but we can educate them.”

    You can force them, in new versions, but that might drive them away.

    Free, permissive licence, many users, lots of forums; what's not to like? Oh, wait a minute, what's this security thing?

  9. Anonymous Coward
    Anonymous Coward

    This doesn't surprise me at all. It's always good fun to port scan your local network ranges, those just outside your own front door. You can find some very interesting stuff that's unprotected, I've found MP3 and video NAS boxes with tons of media, lots and lots of printers ( wtf would you connect a printer direct to "da toobs" for? ), quite a Windows servers, all wide open.

  10. Anonymous Coward
    Anonymous Coward

    But but but

    When I installed MongoDB, I couldn't connect to it from a remote computer so I asked StackOverflow.

    I mean that's how the pros do it right?

    How was I supposed to know I needed to ask about security as well?

  11. energystar
    Childcatcher

    Right now Elections Management Agency is just allowing screen capture...

    Right now Elections Management Agency is just allowing screen capture -with their INK pens, if necessary- but the huMONGOus damage is already done.

    1. energystar
      Angel

      HuMONGOus DataBases...

      ARE NOT toys. Some people shouldn't be allowed to even touch them.

    2. energystar
      Childcatcher

      Have anyone tryed to negotiate [security levels] with Legislators?

      Weirdos of the foil aluminum hats. Poor bastards...

  12. John 104

    DevOps for the win!

    Developers in particular were too afflicted by myopia, focusing on developing their applications, while “security isn't something they focus on until the end,” according to Stirman.

    But in a previous article some nob executive said that operations was easy.

    Oh well, just publish it. We'll figure out how to fix it later and blame ops when it is borked.

  13. Anonymous Coward
    Anonymous Coward

    Mongo is

    -by far- the most secure of the NoSQL database players. And it has authorization off by default.

    We'll let that one sink in.

    I assume that they are afraid that setting auth on by default would scare away prototype developers etc., but it's really something that they need to fix.

  14. Anonymous Coward
    Anonymous Coward

    MongoDB is very secure

    because whenever you try to use it in any serious kind of capacity it will just stop working. If it doesn't handle requests it's hard to exploit it.

    1. Tim99 Silver badge
      Coat

      Re: MongoDB is very secure

      But, but, MongoDB is webscale... YouTube link

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022