This is David Kirkpatrick's Typepad Profile.
Join Typepad and start following David Kirkpatrick's activity
Join Now!
Already a member? Sign In
David Kirkpatrick
Recent Activity
Mark, The whole point of the blog was to inform people that default instances of Mongodb are being installed in live environments, and to provide a helpful script to find these instances, given that the default configuration has no authentication. Note the word 'default' is mentioned throughout. So, if the 'default' configuration has no authentication enabled, my inference is you are trusting the people downloading and installing it to read your security best-practice and configure it securely. Again, my point of the blog is, this isn't happening in certain environments where I have tested. So, again, my conclusion is what I stated, that you are leaving the onus of the security to the people using it. Where is the problem with this fact? Where in my blog did I say the developers of the product couldn't care less about security? The reason why I added the section for 'best-practice' was to inform people that there is a way of securing the default configuration, which your site quite rightly goes into detail. I apologize for not providing a link, but I think people reading this would have the intelligence to find it, given they are interested in the product, it is quite easy to find. Again, I think you are missing the point that people are installing it using default configurations in live environments. I am not and did not attempt to review or research your road-map or future developments of the product. All I can comment on is the product I downloaded, and the experience of what i see in customer's environment and report on it. I dont deem weak default installations of products as vulnerability information disclosure,and therefore there is no requirement to contact the developers in these cases. This is why 10gen were not contacted before this post. If your 'honest' feeling is that not much work has been done on this research, of course you are entitled to your opinion. However I take a different approach that the people reading this will now be informed (if they didnt already know) of the security weakness that default installations and configurations of mongodb can be easily hacked without taking the appropriate measures to harden it using your own best-practice guidelines. And again providing a script to find these helps readers find these and address the issue. Of course, I'd be glad to contact you directly if I should find information disclosure vulnerabilities in your product in the future. My blog was not one of these cases, given I was discussing default installations. The fact that I see more instances of your product in the field show that it is indeed moving up the ranks and becoming more popular. The more popular it is the more chance there is of people installing it using default configurations. Hopefully this post will help improve the security of their environments and the data. Thanks for your feedback.
Hi Mark, Thanks for your comments and yes I did read your documentation. After having spent many years compromising databases such as MSSQL, and Oracle as a result of weak default authentication credentials I found it odd that the latest generation of databases could be installed with the same or similar issues. One part of my job involves going into peoples networks and telling them what I could access without any credentials. The reason I decided to write about MongoDB is because Im seeing it more often where people are deploying it on their networks without any credentials, thereby making it an easy target. Unfortunately, it is human nature to take the easy option and just install the defaults. In this case, mongodb authentication is disabled by default, thereby human nature comes into play. The mongodb security best practices page states you can reduce risk by installing it in a "trusted environment". The issue here is, a typical scope for my job is to find vulnerabilities in a customer's internal network. The customer believes their internal network is a "trusted environment". Therefore this means just by connecting my laptop to their environment, with a default mongodb configuration I will be able to access their database whatever it is. From a risk perspective, that¹s a high risk, as I have access to the data without any skill required to retrieve it. And this is happening now in live environments, from my experience. And yes, mongodb has ways of improving its security, but that old human nature kicks in. Default installs are out there in the field. Thanks for informing me of the latest versions and your roadmap again. I'll certainly take the time to look at the new versions coming out. Thanks, Dave
Its a database user you are using in the script not an OS user. The user must exist in the Oracle database but doesn't need to exist in the OS.
Its not intended to be a 'best-practice' on how to connect to Oracle, the user used is just to show it can be done. How you want to secure your Oracle database is up to you.
I was wanting to find a method which didn't require any enabling or tweeking on the target host. Powershell, I believe you have to enable executable scripts, so there's no guarantee it would work. However, I'll check it out for future releases. Cheers.
David Kirkpatrick is now following The Typepad Team
May 24, 2012