1. IoT with basically no security
Also, dev time has become so expensive, the InfoSec teams in the companies I've worked at have had shockingly low head counts for all the responsibilities they have.
It used to be you had to actually break into a system to exfiltrate all its data. Now you just make an HTTP query. Owning a big system was really important because bandwidth and server space was expensive. Now you rent some VPS space with bitcoin you made from spam or DDoS-for-hire using someone else's botnet that had been sitting around with a default password, and use it to distribute pirated media like it's text files. Mass-scan for SQL injections, inject some malware you found on a forum, and amass a botnet to play with. What a time to be a script kiddie.
I'm not sure about the modern age, but to me the golden age of blackhats was pre-2003, when nobody was really watching their networks or systems and advanced techniques were everywhere with zero defenses. Metasploit and the age of shitty webapps and packaged malware ushered in the dumbing-down of blackhats as a general concept.
(Get off my lawn!)
Look at it from the blackhat perspective. I don't care what the hell loops you're going through on the backend. If there's a 0day, i'm going to use it and it's going to work, because you don't even know about it yet, much less have a patch built into a binary pushed to mirrors that your Docker image building box needs to update to before you can rebuild your image and push it to your servers and do a maintenance window to switch to the new services.
It doesn't matter if you are running in a VPS in a container in a virtual machine in an emulator, because I can still use an SQL call to dump everyone's passwords, or get voting records and account details for one of your political parties. If I execute code you're still going to get owned because you don't have security patches in your kernels and you don't use signed binaries (none of which are new technologies, btw).
I would even go so far as to say you would never in a million years find exploited code in one of your systems because you somehow believe container apps are immune to basic vulnerabilities. Containers are just fancy chroots.
You'd need to:
* Get through the CDN to hit origin
* Get through the patched internet facing rproxies
* Exploit the JVM to get code execution, while your target area is something like spring
* Get a code exec on that box as the appserver user
_THEN_ use your j33t exploit..
If an attacker is capable of doing that, then absolutely nothing you can do is capable of stopping them anyway.
Patching is only important for your internet facing stuff, depending on your environment.
I WANT to patch such systems, we all agree that it's poor practice to do so; sometimes life is unfair though and in the grand scheme of things I don't see any significant risk in this scenario..
It was mainly app vulns, not platform, but there were certainly things that could have avoided it. The system was just not hardened at all, and the devs were sloppy.
Luckily they had basic network security best practices and so it was confined to frontend, but blah blah SQL blah blah MITM, still not a good situation to be in.
Sure, but with the number of unpatched systems out there most black hats aren't paying (in time/effort or straight cash) for 0-days except for exceptional circumstances. 0-days are great for targeted attacks, state actors, and hack-for-hire/contractors, but for the everyday dude who wants a botnet? Why bother...
Look at Mirai - that wasn't anything close to a 0-day and it had a huuuuge impact. Anyone running a similar botnet could be extorting hosts and providers to this day if it hadn't been used in such a public way.
Mongo DB security didn't come until version 3. VERSION 3. It was assumed you could just firewall it off and life is good.
Also where did you get the idea that security didn't come to MongoDB 3 ? You're talking nonsense.
HN bubble generalization.
Also, was the stupid part necessary?
1. Breaking up my app (eg, across containers) increases exploitation difficulty, because it's harder to chain weaknesses between parts of my stack. A weakness in the API layer doesn't let you run against the DB directly -- you either need to find a weakness in the interface between containers or use a container jailbreak exploit. You also have fewer system libraries to use, since the container only has those needed by either the API or DB, not both.
2. The frequency of rebuilding means that a lot of system components get patched faster. Sure, you can burn a 0-day on my app, and there's relatively little I can do about it, but all of my builds are <1week old, so you're using new exploits, not easy-to-get legacy malware.
The point of security is always economics. So containers (and more generally, frequent rebuilds and virtualization) provide security by raising the complexity and freshness of exploits required.
That's a non-trivial gain.
So you're running brand new code on your production systems on a regular basis? Fantastic! I'll find a new 0day in the latest releases since those are the ones that have had the least review. If you're using an old stable build, the 0days keep working until one gets leaked, and then you just find another one.
How do you figure containers raise complexity of an exploit? The exploit is of the app or the stack, but the container isn't part of the app stack. A container is literally just a way in which you run your app. If I can execute code, the game is over, in all container systems that don't prevent traditional exploits. The only thing containers make easier is namespaces, which is a white hat mitigation. Like locks on doors, they only keep honest people out.
By the way, exploits don't really need to be fresh. Many exploits getting patched these days are years old, and some were patched years ago and a recent update re-instituted the vuln. You can resist 99% of attacks using 10 year old technology, but nobody implements it. They just say stuff like "I put it in a container!" and your boss is happy so everyone goes on with life.
Docker is just a fancy chroot, a motivated attacker can escape from it, it remains far less secure than a freebsd jail or a solaris zone.
Except maybe some somewhat safer compiled languages (rust, newer versions of C++), and a few interesting tools (like AFL), there was not much improvements in security mechanism in late years.
SELinux is still so annoying that it's commonly the first thing disabled in many install.
A large amount of sysadmins and developers still do a chmod -R 777, not fully understanding what there are doing.
And in the area of micro services, the traditional 3/4 tiers architecture can easily be replaced by a clusterfuck of containers deployed in a flat network where it's impossible to monitor what is speaking with what. And it's much easier to make a mistake like putting a database on the Internet with no authentication whatsoever...
What is more, because of containers, infrastructures tends to be far more diverse than ever: python, node, php, ruby, go, java, each with various version, from various distribution, with various libraries. Each of these environments must be properly monitored, but when you deal with thousands of containers, hundreds of technological stacks, with 3 or 4 versions for each layer, it becomes a nightmare.
In languages that encourage bundling, Java with war webapps for example, I've rarely seen developers properly monitor security issues of what they ship. Too often I've seen only opportunistic updates. And in some extreme cases I've seen products shipping version of libraries 10 or even 15 years old.
Containers being a way to generalize bundling, I don't see it being an improvement in that regard. Quite the contrary in fact.
However, to be completely honest, new tools like chef/puppet/containers and new methodologies like Infrastructure as Code somewhat helped to be less frighten about updates as it reduces the risk/impact of something breaking in the process, no more 'don't touch it, it will break comething'. Even containers can help in that regard, it's easier to do AB testing, avoid downtime or put servers in maintenance with them.
Fundamentally, some things are better, some things are worth, and in the end the security level has not really changed.
And honestly, it's a truly frightening view. Software/Infrastructure security is becoming more and more important as sensitive operations are increasingly done through websites (ex: banking operation), private data is increasingly stored in the "cloud" and an increasing number of devices are now connected.
Security flows are still as numerous as before, but their impact, once exploited, tends to be far greater. If it continues like that, something really bad will happen, exactly what is difficult to predict (massive data leak? major industrial disaster caused by a hack? an election being manipulated?), but it will happen.
So; the noobs have gone upstack. Why bother trying to break out of an ASLR'd JVM behind a CDN with selinux and etc just to get a shell on a box if your goal is to read a .properties so you can dump the db out? Instead you can probably pull the data one rq at a time with some bad form sanitation or whatever? The latter also means you're targetting code the actual target has written which is more likely to have easy to find issues as no one but the target is looking over it than say, openssl which has rather a few eyes on it..
There's a flipside to config mgt from security tho.. Tools like chef/puppet, while enabling you to maintain a _basic_ level of state actually tend to be great attack surfaces and so overall reduce your sec. How many ops teams out there would notice if you pwned one of their lappys and replaced some puppet handler code before they push it into CI and it gets run across their entire estate? Over-Using config mgt (like using it to orcestrate app deploys) with even mid skilled ops folks generally makes an attackers job much easier than say, rolling out immutable containers..
Most places I've seen without much thought have ended up with superpowerful CI boxes that by owning you get absolutely EVERYTHING and they'll happily give out keys to all the devs while not letting them near prod... >_<
If you have a shell account on a CI and the jenkins taskrunner user has access to ssh in anywhere you want to be, then you're just a commit away from having those rights too...
Just my $0.02
(edit: actually, if you just have commit rights to any ./script that is running on that jenkins, you can do everything that jenkins can do without even needing a shell...
Your jenkins builds the artefacts for your app and ALSO does the deploys? Bet you can get into prod with two lines of nc and push)...
Why are their lappys on the internet? Aren't we discussing online vulnerabilities?
After all, if you pwn an admin-credentialled computer, you can do all sorts of damage in any but the most locked-down shop. Puppet has little to do with it per se - it's the privileges an ops laptop will have that matters.
Even if you can't spearphish 'em; several beers at a meetup or three followed by a subtle rpi install when you're somewhere useful usually has better results.
So I've.. Been told.
(edit: The point was though that in almost all targets, all you need is commit rights to a single repo to own everything; so you don't even need a sysadmin just a dev... Hell, PM's and BA's sometimes even have commit rights...)
But the dangers are pretty high. You never know how ten years from now the digital trail you left comes back to bite you.
Cashing large amounts it's not trivial. Sure, you can meet in private locations with local bitcoin buyers, but when you have $1 mil to sell it gets tricky, there aren't that many buyers in any particular area. And then you have the problem of justifying how you suddenly have one million.
Assuming I'm willing to pay the tax if it's due has anyone had trouble with authorities questioning your new cash pile say if before this you had no real money and lucked out on Bitcoin?
How? The public block chain only contains records of how coins moved from one wallet to another. It doesn't have any information about who those wallets belonged to, or what the terms of the transaction were. Maybe the coins were sold for fiat currency, or maybe they were compensation for goods and services. There's no way to know just from the information in the blockchain.
[EDIT] Let me make this more clear: it is easy to anonymize BTC. It is so easy that the technique even has a name (bitcoin tumbling) and companies that will do it for you as a service (e.g. https://bitlaunder.com). (I thought this was common knowledge around here.) In the face of these facts, how is the IRS going to enforce the tax code against a someone who tumbles their coins?
As for anonymity... you lose it when you associate a bank account to get liquidity (as mentioned by GP: "nominate a bank account"). Of course, this assumes you can't get liquidity in some other way... but that's non-trivial with large qty of BTC.
Yes, that's true, but that not enough to enforce the tax code. (See the update to my OP.)
Uh, yes it is. Money came into your bank account, and you'll need to explain its origin if the IRS audits you.
Do you honestly believe the IRS would just give up on enforcing the law because you used a tumbler before you converted the bitcoins to USD and put the money in your bank account? The fact that you have the money in your account at the end of that process is what really matters.
If you mined or gained your bitcoin by buying it through local bitcoin, the taxman might give you some trouble, but generally, the presumption of good will and non-guilty still applies, meaning that if they don't agree, it kind of their job to prove that you are guilty of something (ie: you got your bitcoin through ransomware)
Well, yeah, obviously. The issue is not how to deal with honest actors, it's how to deal with dishonest ones. (See the update to my OP.)
Sorry about that. I would go back and edit my OP but it's locked already.
They can simply ask you to provide the evidence yourself, and if you cannot, then tax the full rate on the full amount.
If you obtain large amounts of money, then you (presumably) will want to use it to obtain large amounts of goods and services. You can hide your income, but it's harder to hide your spending.
If you spend it all on food, booze, drugs and minor items, then they don't care about you, since the amounts aren't that large.
If you want to buy mansions, flashy cars, high end jewelry and ownership in companies, then they have evidence of you spending much more money than you have declared income. At that point, it becomes your problem - carefully tumbling your coins simply gives the IRS evidence that instead of treating your situation as "forgot to declare that income" (fines) they can prove that you took explicit steps to hide and disguise that income, which carries a risk of jail for tax evasion.
Indeed, in many ways they make things worse for users who attempt to gain anonymity by using it. Once the addresses which are used by the tumbler service are identified it is pretty easy to identify other suspicious transactions.
In practice, what happens is that they require you to keep records tracing your assets from when you get them to when you sell them, and assume a basis of 0 (i.e. capital gains gets taxed on the entire value of the coin) otherwise.
>Assuming I'm willing to pay the tax if it's due has anyone had trouble with authorities questioning your new cash pile say if before this you had no real money and lucked out on Bitcoin?
"If taxpayers cannot provide their basis in the property, the IRS will deem it to be zero."
That means 100% of the sale price of an asset is treated as gains.
That is not true. In fact, the IRS does not care about the vagaries of bitcoin wallets, or the blockchain. The IRS cares that you got money that you didn't have before.
Bitcoin isn't the only thing in the world that goes up and down in value, so it isn't new from the tax perspective.
Speak to a local tax advisor about CGT.
100k is a significant amount and I would advise you don't intentionally break the law "cashing out".
Naturally, you'll have to shell out some "transaction fees" to some authorities, but that's just standard laundering thing.
But even if you're legally totally in the clear and don't mind the huge trouble of having all your gear confiscated for who knows how long, people have lost friends and jobs over accusations of CP or other crimes before.
I might understand why you should be responsible for an open Wi-Fi but "enough to just have your IP" is ridiculous. It is easy to hack a (D-Link ) wireless router. Why should you be responsible if somebody uses it for illegal activities?
Botnets use millions of devices of unsuspecting ordinary citizens.
Open wireless routers were far more common 10-15 years ago, when ISPs first started pushing them. Most people hadn't warmed up to the technology yet, and security was barely on the radar; similar to what we're currently seeing with IoT.
Maybe you have no enemies and trust your neighbors, that's awesome. But, anecdotes aside, someone could cause some very ugly problems with your open wifi, without much skill or effort -maybe just for the lulz.
I feel like cheering you on for giving people free internet, but at the same time, I want to pull you aside and say "hey crazy person, please put a password on your WAP." Because, it's a bummer when bad things happen to good people.
Absence or presence of auth is irrelevant. You're database servers, message queues and other infrastructure shouldn't be accessible from the internet. No auth protocol can protect you from this.
If a product is misconfigured by default and it takes expertise in the product to not leak data, then the product is unfit for purpose, it will burn anyone who wants to learn it.
What if you learned that Linux had a massive security vulnerability that leaves the OS open for remote code execution. What would you say if a Torvalds would laugh at its users, saying that if they didn't change that low level kernel security setting, the users were ignorants and deserved their troubles?
I think no one can pretend he understands all of the settings in the hardware, firmwares, drivers, kernels, many other OS layers, database, etc. We rely on having safe and secure default settings, and it is the only way an insanely complex machine like a modern server can be usable.
That choice of example is particularly weak, given that Linux developers are explicitly working on hardening the kernel's internal security: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Pr...
Person develops 2 or 3 apps, setup 2 or 3 databases and thinks he/she is a professional.
Many businesses and managers care less about security and more about getting the deliverables into production.
Many CEOs and managers lack the understanding that once you launch (app, store, website etc) it doesn't end there, instead, moves into maintenance.
My company just hired an external company to assist with our IT infrastructure. I was asked to meet with the person that showed up to begin the take over. He was not interested at all in understanding what we do as a business. If you don't understand your clients, their interests, their responsibilities and obligations then, simply put, they are fucked!
In my experience the issue isn't so much that C's and managers lack understanding, it's that they refuse to acknowledge that they lack understanding and refuse to listen to people who do understand because it's "Just IT". This mindset is something I've seen backfire many times over the years, and in the end it always ends up costing more than just doing things properly in the first place.
But they didn't hit the oplog/journal, fortunately the full history (a few months of data) was still in the journal, so they were able to replay it (minus the drop commands) and restored their data.
Certainly scared a lot of people and (hopefully) taught a lesson about double-checking what's exposed to the internet.
(And anyone who deploys any service on an internet-facing server should know what they're doing)
I agree that they should. History has shown us, however, that they very often don't.
Who is downvoting this? People who hate common sense?
Expecting it to be secure on the internet is even less reasonable.
Without a public facing DB they're pretty much dead in the water.
(1) This, btw, is what many SPA are: fat client apps running within a browser. When I came back to web development four years ago one of the biggest surprises was how much like desktop development it had become in many ways.
For azure at least, they protect it with a firewall that block all IPs by default. But a database with no internet access is unrealistic.
It's not insecure by default. It just binds to all interfaces. Apache and Nginx both do this and we don't consider them to be insecure. Should a database be doing this ? That's debatable since it's a tradeoff between security and ease of use.
But that said if you are running an internet facing server without a firewall then you will have bigger problems than just your database.
I also don't get this "firewall" idea. Why make something listen for everything, and then place a system outside to restrict it? Why not just whitelist what you want to listen to in the first place?
Note, I get that binding an application to localhost and then letting a dedicated proxy do the heavy lifting to link up with other systems (eg stunnel or haproxy) - but what does packet level filtering really gain you?
In general I see firewalls as just adding complexity - one more source of bugs and potential mis-configuration. (Say the fun when ipv6 exposes the soft inner network that everyone thought was "firewalled" when in fact it just had broken connectivity due to chappy NAT borne from scarcity of routable addresses).
In an ideal world, everyone would care about this stuff (and have time to properly set these things), but we're not in an ideal world.
I'm also pessimistic enough that I think allowing development to install back doors (eh, "useful helper daemons") willy-nilly in production systems is a bad idea ;-)
But you're acting as if you know which dev is the one who is going to do 'it'. I'd rather have a firewall that is largely set-and-forget than keep tabs on teams of devs that go through hiring cycles. There's already enough for ops folks to do without having to psychologically evaluate developers... besides, I've been through a few devs who agree sincerely not to do $bad_thing, and then caught them a few days/weeks/months later doing it again.
It's sad, really. I'm not even a security zealot, but I have overheard the folks in my small company tell each other not to let me know that they've signed up to a SaaS with a weak password (company name + digit).
I get that a firewall can sometimes help fight broken practices (eg: bind on all interfaces, no password by default). But if your devs end up deploying password auth in general (rather than key/cert based) - with weak passwords in particular - your firewall is unlikely to help in the case where a service is supposed to be exposed.
Misconfigured mongodb servers are the issue here, not firewall. Default mongodb shouldn't listen blindly to any connections though.
An irrecoverable disk crash could hold your db ransom for $Inf.
I have not used mongodb in any production environment but it would be nice to know what one should do to make it secure.
- deny (all) incoming traffic by default
- permit only desired traffic (to specific ports) from specific hosts
- avoid binding (listening) to interfaces you don't need to
- set up / verify authentication is in place
In addition to the link to the security manual that cpolis posted, there's also a MongoDB Security Checklist .
Firewall, on the local machine ALL ports except for the ones that you expect to be accessed remotely.
This is for all hosts - even your laptop. Never mind mongo.
There is no reason at all to leave inbound ports open for requests you don't expect to service.
Further, and I know this makes peoples heads spin and they foam at the mouth, but for ports you do need open, but don't serve the public (ssh, for instance) set up a port knock. Now it's invisible and you don't care about the 0day for that service.
 Stop. Take a deep breath. Re-read the above post and realize that I did not say to remove your login passwords and keys and rely on only the port knock for security. Take another deep breath. It's going to be OK.
So the usual rules apply: (1) have a firewall with only the bare minimum ports open, (2) make sure everything you are running is on unusual ports especially SSH, (3) VPN, jump hosts or port knocking if you need remote access, (4) use something like Fail2Ban or Sentry.
But seriously thank you for that stellar contribution.
I understand it needs to be low enough to make payment an "attractive" option (at least compared to other means of recovery, if any...). But 200 USD is significantly less than the 500 USD ransom extorted from private PC users.
Should we conclude the extortionists expect the database content to be worth less to a company owning it than a private person is willing to pay for his/her pictures, music files and documents?
Many of these could be caches, or rebuildable from other sources.
Many could be disposable.
Since you can't really know which database is valuable and which not, you sort of average the price, since this is volume game.
Or maybe he want's to give the impression that this is not very profitable, to keep others from doing the same.
I guess the high risk of getting nothing in return is affecting the pricing.
- A/B testing of ransom prices will happen
- the person paying the ransom is not the company but an employee afraid for their job
- companies more likely to be able to restore from backup
(Ask since to me it reads as gibberish and there's no way to Google it myself.)
(Ask since I'm used to running valid A/B test on groups in the 1000s.)
The "tough love" approach to raising awareness about security.
What I mean is, it's pretty ignorant that just because authentication isn't on by default you don't turn it on at all.
Even if you don't want to or don't think to configure mongodb itself setting up a firewall also seems to be common sense.
Thus, the only reason they'd be unsecured is they're either for random tests or hobby.
This is ironically a good thing as it poisons the well for 'legitimate' ransomware. The less people expect paying up to restore their data, the less people will pay up and the less viable ransomware is as a business model.
0. upload client public key
1. Setup SSH auth by cert/key
2. Move SSH to non-standard port
3. Enable passwordless sudo
4. Disable password auth
5. Setup firewall to only allow the new ssh port
6. Setup port knocking
Most cloud providers offer the option to have a "private" IP space... just having a proper firewall ufw/ipchains/iptables, etc config can go a long way towards helping lock things down.
Of course, that only goes so far when you aren't using passwords or TLS for client/server communications. But it's better than leaving the front door open with a sign saying as much.