I have no words. My mommy always told me to keep my special ports unexposed.
Specifically, a MongoDB exposed publicly with no password.
That was ransomed three times already.
Once is a mistake, twice is carelessness, three times is they’re secretly fronting for the extortion ring.
Yeah, the headline is a little unfair – the fact that the datastore happens to be MongoDB is not really relevant. Any unsecured datastore would cause similar problems. You could argue that it’s a bit irresponsible for MongoDB’s default configuration to be insecure, but ultimately the responsibility lies with the developers of the application(s).
Well, MongoDB does ship with unsafe and insecure defaults. I can see an argument that it’s fair to call out a product that is unsafe by default.
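To make the "insecure by default" point concrete, here is a worked check added to this page (not code from the thread or from the MongoDB project): a small Python audit of a mongod.conf that flags the two settings which together produce a publicly reachable, passwordless database, namely listening on a non-loopback interface and running with `security.authorization` unset. The two sample configs are constructed, `audit_mongod_conf` and the `assume_pre_3_6` flag are this example's own names, and the only version-specific assumption encoded is that the mongod binary bound to all interfaces when `net.bindIp` was unset until 3.6 changed that default to localhost.

```python
"""Audit a mongod.conf (YAML) for the combination that turns an install into a
public, passwordless database: listening on all interfaces while access
control is off.  Added example; the sample configs below are constructed."""


# Constructed weak config: listens on every interface, no authorization key at
# all (mongod treats a missing security.authorization as "disabled").
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from anywhere
"""

# Constructed hardened config: loopback only, access control on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""


def parse_yaml_subset(text):
    """Parse the indentation-based key/value subset mongod.conf uses.

    Avoids a PyYAML dependency: nested mappings and scalar values only,
    comments and blank lines skipped.  Enough for the net/security sections.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # first ':' only, so ::1 survives
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def public_interfaces(addresses):
    """Addresses that accept connections from other hosts."""
    return [a for a in addresses if a not in ("127.0.0.1", "::1", "localhost")]


def audit_mongod_conf(text, assume_pre_3_6=False):
    """Return a list of findings; empty list means nothing to report.

    assume_pre_3_6: treat an unset net.bindIp as listening on all interfaces,
    which is what the mongod binary did before 3.6 made localhost the default.
    """
    conf = parse_yaml_subset(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    raw = str(net.get("bindIp", "")).strip("[]")
    addrs = [a.strip().strip("'\"") for a in raw.split(",") if a.strip()]

    if bind_all or "0.0.0.0" in addrs or "::" in addrs:
        exposed = True
        findings.append("net: listens on all interfaces")
    elif public_interfaces(addrs):
        exposed = True
        findings.append("net: listens on non-loopback address(es) "
                        + ",".join(public_interfaces(addrs)))
    elif not addrs and assume_pre_3_6:
        exposed = True
        findings.append("net: bindIp unset; mongod before 3.6 defaulted to all interfaces")
    else:
        exposed = False

    auth_on = str(security.get("authorization", "disabled")).lower() == "enabled"
    if not auth_on:
        findings.append("security: authorization not enabled "
                        "(anyone who can connect has full access)")

    if exposed and not auth_on:
        findings.insert(0, "CRITICAL: reachable from the network with no authentication")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Enabling `security.authorization` is only half of the fix: it merely makes the server refuse unauthenticated commands, so a user with a real password still has to be created in the `admin` database, and the network side (loopback binding or a firewall in front of 27017) matters just as much, which is why the audit reports the two together as one critical finding.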
It’s the job of the person using the tool to understand the tool and operate it safely.
That’s like buying a knife, accidentally cutting somebody and then claiming that the knife is faulty for being sharp by default or for not coming with a sheath.
But we’ve accepted that you can take simple precautions to prevent really terrible damage by selling them in sheaths or at least wrapping them in some wad of newspaper. There’s a certain level of basic protection you can provide so those who are new and ignorant won’t just accidentally kill themselves or others.
It’s like saying, well, Windows XP ships with all ports open to the network, but you should know that as a manager and you should understand you need to change the default settings to be safe. It’s standard industry practice. You’re probably right, they should know this, but this is useless garbage they shouldn’t need to know if they were all closed by default.
No it’s not. A knife must be sharp to be useful. A database does not need to have an insecure configuration to be useful. It’s a purely unnecessary hazard to users.
A knife doesn’t need a sheath to be useful.
What I was trying to say is this: the reason a knife can cut you is the exact same reason that it is useful: it’s sharp. Take away the danger and you take away the utility. Nobody would ask for that.
But a database is useful for storing data. Giving it insecure defaults does not make it more useful, it simply adds hazard.
So to go back to your analogy, it’s more like if you buy a knife, and when you get it out of the package, the handle is wrapped in razor wire. That’s still not a perfect analogy because insecure defaults are presumably due to laziness or inattention, and the razor wire would be active malice. But it’s closer.
The Register is known for tabloid-style headlines; rather surprised to see two articles from them on the homepage currently…
Maybe this is the incident that will finally result in a massive settlement that convinces businesses to start taking security seriously! It’s got the right ingredients (e.g. kids as victims), but some incredibly egregious failures have already been overlooked, so I’m not that hopeful.