The latest database attacks: Tips of the icebergs

MongoDB, ElasticSearch and Hadoop have been hit by ransomware. This is just the beginning of such attacks.


MongoDB wasn’t the first database hit by ransomware, just a rich target for attacks. Now, ElasticSearch and Hadoop have become ransomware targets. They won’t be the last. Were these three database products insanely simple to secure? Yes: the instances that got hit were listening on the public internet with no authentication enabled, and a sane bind address plus an administrator credential would have kept the attackers out. Were they secured by their installers? Statistics and Bitcoin sales would indicate otherwise.

Every hour of every day, websites get pounded with probes. A few are actual research. When the probe is a fake logon, like the dozens of hourly WordPress admin failures I see on my various websites, you have a fair idea that the sender isn’t friendly.


This raises a new question: are the admins of these sites just plain careless? Does no one change the defaults? Apparently not, it would seem. Their lax attitude toward basic, even primitive, security gives their fellow admins a bad name.

Yes, you can presume that virtually every product will eventually be hammered until it cracks, but the first cracks come through this low-hanging fruit: open ports and default credentials. Sometimes, however, the motivation isn’t simply the easy target; it’s extortion.

Attacks are about money 

The old phrase “follow the money” applies. There are Advanced Persistent Threat (APT) candidates, like the horrid DDoS attacks that Brian Krebs seems to have gotten to the bottom of, with a lot of help, but not from the three-letter agencies that are supposed to protect citizens. I’m sure those agencies are doing something important. Apparently, those attacks were about a Minecraft server protection racket, i.e. extortion.

As of Sunday evening, Jan. 22, 2017, the prime suspect in the massive DDoS attack on Krebs hadn’t been arrested, or it hasn’t been reported, or he disappeared. But Krebs’ case wasn’t ransomware; it was Minecraft extortion gone wrong.

The database attacks, however, spread like flash fires. Expect every type of database, SQL or otherwise, to get hammered.

Here’s a thought: if you make any kind of software that uses passwords or certificates, make the initial installation routine mandate a strong password before the product can be used at all. This would include operating systems, containers, portable workloads, the entire gamut of what we do.
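What such an install-time gate looks like, covering both points above: the exposed, unauthenticated configuration the ransomed hosts ran, and the default or weak administrator password the installer should refuse. This is an added example, not the article's or any vendor's code. The keys net.bindIp and security.authorization are MongoDB's real mongod.conf keys; the length and character-class policy, the default-password word list and the sample configurations are assumptions constructed for the example.

```python
"""Install-time hardening gate (added example, not vendor code).

Refuses to let a database service start while it listens too widely, runs
without authorization, or has a default/weak administrator password.
"""
from __future__ import annotations

import ipaddress

# Constructed list of well-known default credentials; never accept these.
DEFAULT_PASSWORDS = {"", "admin", "password", "changeme", "root", "123456",
                     "mongodb", "elastic", "hadoop", "secret"}
MIN_LENGTH = 12             # assumed policy, not a vendor requirement
MIN_CHARACTER_CLASSES = 3   # assumed policy


def password_problems(username: str, password: str) -> list[str]:
    """Return every policy violation for a proposed admin password."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("password is a well-known default")
    if len(password) < MIN_LENGTH:
        problems.append(f"password is shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"password uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    return problems


def config_problems(config: dict) -> list[str]:
    """Flag a mongod-style config that listens too widely or runs without auth."""
    problems = []
    bind_ip = (config.get("net") or {}).get("bindIp")
    if bind_ip is None:
        # mongod binaries before 3.6 default to listening on every interface
        problems.append("net.bindIp is not set; older mongod defaults to all interfaces")
    else:
        # net.bindIp is a comma-separated list of addresses or hostnames
        for addr in (a.strip() for a in str(bind_ip).split(",")):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # hostnames are not resolved in this example
            if ip.is_unspecified:
                problems.append(f"net.bindIp includes {addr}: listens on every interface")
            elif ip.is_global:
                problems.append(f"net.bindIp includes public address {addr}")
    if (config.get("security") or {}).get("authorization") != "enabled":
        problems.append("security.authorization is not 'enabled': any client can read, "
                        "drop and 'ransom' every collection")
    return problems


def install_gate(config: dict, username: str, password: str) -> list[str]:
    """Everything that must be fixed before the installer lets the service start."""
    return config_problems(config) + password_problems(username, password)


# Constructed samples: roughly how the hit hosts ran, and the corrected settings.
EXPOSED_CONFIG = {"net": {"bindIp": "0.0.0.0", "port": 27017}}
HARDENED_CONFIG = {"net": {"bindIp": "127.0.0.1,10.0.0.5", "port": 27017},
                   "security": {"authorization": "enabled"}}

if __name__ == "__main__":
    for label, cfg, pw in [("exposed", EXPOSED_CONFIG, "admin"),
                           ("hardened", HARDENED_CONFIG, "Xk9#pLq2vT7!wz")]:
        issues = install_gate(cfg, "admin", pw)
        print(f"{label}: {'OK' if not issues else 'REFUSED'}")
        for issue in issues:
            print("  -", issue)
```

The gate returns a list rather than raising on the first problem so the installer can show the operator everything that has to change at once; an empty list is the only result that should allow the service to start.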

I know it’s contrary to popular belief that you must mistrust your user, but humor me here. Users are in a hurry and like to pick stupid passwords. Don’t let them. Hurl epithets at them if you must, but don’t let them keep the default credentials.

This applies not only to enterprise products, where the administrator should know better, but also to products for civilians, like the IoT devices (Io(s)Tupidity) whose factory-default credentials were the crux of the DDoS extortion attacks described above. They were easy pickings, but if there’s revenue in the tough targets, expect those to be hit, too.

It’s up to us to protect our sites 

Don’t expect help from the government(s). This is your responsibility, and mine. 

I just logged on to a few WordPress sites that I manage. A plugin called Wordfence helps me administer them, but it’s up to me to look at the long list of probers and block them. There are several attacks an hour, every hour of the day. Is there some FBI web page where I can enter the offending IP address into a form, have a human look at it, jump across the IPv4/IPv6 address space and bring the prober to justice? No. I doubt there ever will be.
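The "look at the list of probers and block them" step above, as an added example that is not the article's code and not Wordfence's: it counts failed WordPress login POSTs per source address over a sliding window in an Apache-style combined access log and turns the offenders into an Apache 2.4 deny snippet. The log lines are constructed for the example, and the threshold and window are assumptions. The one real detail it relies on is that WordPress answers a failed wp-login.php POST with HTTP 200 (the form re-rendered) and a successful one with a 302 redirect.

```python
"""Brute-force login detector over web server access logs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # the two WordPress login endpoints


def parse(line: str) -> dict | None:
    """Return the fields we need, or None for a line that is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}


def is_failed_login(entry: dict) -> bool:
    # A failed wp-login.php POST re-renders the form with 200; success is a 302.
    return (entry["method"] == "POST" and entry["path"] in LOGIN_PATHS
            and entry["status"] == 200)


def brute_force_sources(lines, threshold: int = 10,
                        window: timedelta = timedelta(minutes=10)) -> dict[str, int]:
    """Map each IP with >= threshold failed logins inside any window to its peak count."""
    attempts = defaultdict(list)
    for line in lines:
        entry = parse(line)
        if entry and is_failed_login(entry):
            attempts[entry["ip"]].append(entry["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def htaccess_rules(flagged: dict[str, int]) -> str:
    """Apache 2.4 snippet that keeps serving everyone except the flagged sources."""
    denies = "\n".join(f"    Require not ip {ip}" for ip in sorted(flagged))
    return f"<RequireAll>\n    Require all granted\n{denies}\n</RequireAll>\n"


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4512 "-" "Mozilla/5.0"'


# Constructed sample: one source hammering wp-login.php every 20 seconds, one
# legitimate user who fumbles twice and then logs in (302), and a junk line.
SAMPLE_LOG = [
    _line("203.0.113.7", f"22/Jan/2017:18:{5 + i * 20 // 60:02d}:{i * 20 % 60:02d} +0000",
          "POST", "/wp-login.php", 200)
    for i in range(12)
] + [
    _line("198.51.100.20", "22/Jan/2017:18:06:10 +0000", "POST", "/wp-login.php", 200),
    _line("198.51.100.20", "22/Jan/2017:18:06:25 +0000", "POST", "/wp-login.php", 200),
    _line("198.51.100.20", "22/Jan/2017:18:06:40 +0000", "POST", "/wp-login.php", 302),
    _line("198.51.100.20", "22/Jan/2017:18:06:05 +0000", "GET", "/wp-login.php", 200),
    "this is not an access log line",
    _line("203.0.113.7", "22/Jan/2017:19:30:00 +0000", "POST", "/xmlrpc.php", 200),
]

if __name__ == "__main__":
    offenders = brute_force_sources(SAMPLE_LOG)
    print(offenders)
    print(htaccess_rules(offenders))
```

Counting in a sliding window rather than per calendar hour keeps a burst that straddles an hour boundary from slipping under the threshold, and scoring only POSTs keeps ordinary visitors who merely load the login page out of the block list.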

No one listens to your cries of attack on the internet. At ground level, it’s up to you and your organization to knit together security, and you should hang the admins that let your sites be so easily cracked. Let them find employment elsewhere. No one seems to fall on their swords anymore, as the internet seems more about profits than honor.

Copyright © 2017 IDG Communications, Inc.
