Saarbrücken Students Discover Thousands of Unsecured Databases on the Net

Students at Saarland University have uncovered a common configuration error in MongoDB that left thousands of databases standing unsecured on the Internet. In theory, anyone could have retrieved, or even altered, millions of customer records with names, addresses, e-mail addresses and credit card numbers online, reports the Saarbrücken competence center for IT security (CISPA).

The three cyber security and computer science students were able to detect the error in thousands of online databases, including ones in Germany and France. Millions of online shops and services worldwide build their platforms on the free NoSQL database MongoDB. "If the operator ignores the guidelines during installation and overlooks crucial details, the data lie defenseless on the Internet," said CISPA. The manufacturer, international coordination centers for IT security (CERTs) and data protection authorities have already been informed so that they can see to the elimination of the problem. Nevertheless, many databases remain inadequately protected.

"The fault is not complicated, but its effect is catastrophic," said Michael Backes, Professor of Information Security and Cryptography at Saarland University and Director of CISPA. At the end of January, the students and CISPA staff members Kai Greshake, Eric Petryka and Jens Heyens informed him of the gap, which, according to the current state of knowledge, affects 39,890 IP addresses. "The databases work without any security mechanisms at all. Since they even grant write permissions, so that the data could be altered, we assume that the databases are open unintentionally," said Backes. Apparently the responsible administrators had not activated essential security functions, owing to incomplete documentation.

The students stumbled on the unsecured databases by chance while, as a test, they queried a search engine for Internet-connected MongoDB servers and services. In this way they found the IP addresses at which companies operate unprotected databases. When the students called up the MongoDB database at a specific IP address, they were surprised that access was neither closed off nor secured in any other way. "Such an unsecured database on the Internet is like a public library with no librarian and the front door standing wide open. Anyone can walk in," said Backes. Within a few minutes the students had found this dangerous condition at many other databases.

Among them was, for example, the customer database of a French listed ISP and mobile provider, containing the addresses and telephone numbers of around eight million people in France and half a million German addresses. The database of a German online retailer, including payment information, was also freely accessible. "The data stored there are sufficient to carry out identity theft. Even once it becomes known, the persons concerned are plagued for years afterwards with problems such as contracts that scammers have signed in their name," says Backes.

English-language documentation (PDF) of the research results, as well as guidance on configuring MongoDB securely, is available for download on the CISPA site. Anyone who operates a MongoDB server should check whether it is reachable from the outside via the standard TCP port 27017. If it is, additional security measures should be put in place, such as closing the area to unauthorized users or restricting database access to the IP address of your own web server. Backes: "We hope that the makers of MongoDB take up our findings quickly, incorporate them into their instructions and thereby also reach users."
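As an added example, not part of the article or of the CISPA guidance: a small POSIX shell self-check an operator can run on the database host itself. It parses the output of the standard `ss -ltn` command and reports whether mongod is listening on TCP port 27017 on any address other than loopback, which is the first thing to verify before adding access restrictions. The function names and the `ss` output shown are constructed for this example.

```shell
#!/bin/sh
# Added self-check (not from the article or CISPA): report whether mongod
# listens on TCP 27017 on an address other than loopback. Reads `ss -ltn`
# style output from stdin, so it works on the live host or on sample input.

# exposed_bindings PORT: print every LISTEN local address on PORT that is
# not 127.0.0.1 or [::1]. A wildcard (0.0.0.0, [::], *) counts as exposed.
exposed_bindings() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      la = $4                        # "Local Address:Port" column of ss -ltn
      n = split(la, parts, ":")
      if (parts[n] != port) next     # text after the last ":" is the port
      addr = la
      sub(/:[0-9]+$/, "", addr)      # strip the port, keep IPv6 brackets
      if (addr != "127.0.0.1" && addr != "[::1]") print addr
    }'
}

# mongodb_exposure_verdict: print LOCAL_ONLY (exit status 0) or an EXPOSED
# line listing the offending bind addresses (exit status 1, usable in cron).
mongodb_exposure_verdict() {
  found=$(exposed_bindings 27017 | tr '\n' ' ' | sed 's/ $//')
  if [ -n "$found" ]; then
    printf 'EXPOSED: mongod listens on %s\n' "$found"
    return 1
  fi
  echo "LOCAL_ONLY"
}

# Constructed sample output of `ss -ltn` (not captured from a real host).
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:27017       0.0.0.0:*
LISTEN 0      128    [::]:27017          [::]:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*'

SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:27017     0.0.0.0:*
LISTEN 0      128    [::1]:27017         [::1]:*'

# On a real host run:  ss -ltn | mongodb_exposure_verdict
for sample in "$SAMPLE_EXPOSED" "$SAMPLE_LOCAL"; do
  printf '%s\n' "$sample" | mongodb_exposure_verdict \
    || echo "(exit status 1: bind mongod to 127.0.0.1 or firewall port 27017)"
done
```

A LOCAL_ONLY verdict only means the daemon is not bound to an external interface; enabling authentication in mongod is still required if the port must be reachable by a separate web server.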
