The year 2016 was dominated by major cyberattacks and data breaches, including the biggest data breach in history, one that has directly affected a multi-billion dollar corporate acquisition. WIRED called 2016 “the biggest year of corporate and government hacks yet”, and just a few weeks into 2017 we’re well on pace to eclipse that. But while the mainstream media naturally focuses on public hacks where much of the information is well-known, these paradoxically tend to be less impactful than the hacks that we don’t know as much about. Think of it this way: as a professional thief, your job is to steal things without anyone noticing; if you attract a lot of attention, you’re doing it wrong. Today we’re going to look at a massive ongoing attack that affects thousands of businesses and consumers around the world, and that you probably haven’t even heard about yet.
The MongoDB Hacks
While you may not be familiar with MongoDB, there’s a very good chance that it stores personal information about you and your business. MongoDB is an open-source database used by companies and individuals to store and retrieve information, including customer and financial records. As with many free applications, nobody is obliged to configure it safely for you, and with the default settings of the versions deployed at the time, the server listened on every network interface and required no authentication: anyone on the Internet who could reach the port could search, retrieve, change and delete everything in the database. If this sounds like something that no reputable business would ever deploy, consider that in March 2016 Verizon Enterprise Solutions had a MongoDB database breached, a breach that was only discovered when the contact information of 1.5 million Verizon Enterprise customers showed up for sale on an underground cybercrime forum for a cool $100,000.
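The two settings behind that exposure can be checked mechanically. What follows is an example added to this post, not code from BlackBerry or from the MongoDB project: a small Python audit of a mongod.conf in the YAML layout MongoDB has used since version 2.6, run over two constructed sample configs, one in the default style the ransom victims were running and one corrected to listen on loopback only with authorization enabled. The `version_before_3_6` flag is there because MongoDB 3.6 (released late 2017) changed the default to bind to localhost; every earlier release listened on all interfaces when `bindIp` was absent, which is the case the victims were in.

```python
"""Audit a mongod.conf (the YAML layout MongoDB has used since 2.6) for the two
settings that let the 2017 ransom campaigns in: a listener reachable from the
Internet and no access control in front of it.

Example code added to this post, not BlackBerry's or MongoDB's own tooling.
The two configs below are constructed samples, not real deployments."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}   # binds every interface of that address family

# Constructed sample 1: the kind of config the ransom victims ran. Nothing under
# 'net' or 'security', so a pre-3.6 mongod listens on every interface with no
# authentication (both were the defaults at the time).
DEFAULT_STYLE_CONF = """\
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
"""

# Constructed sample 2: the corrected settings. Listen on loopback only and
# refuse unauthenticated commands. Application servers on other hosts would get
# a private address here instead, behind a firewall rule for port 27017.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Minimal reader for the 'section:' / '  key: value' layout mongod.conf uses.
    Deeper nesting is ignored on purpose: the audit only needs the flat keys
    under 'net' and 'security'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing blanks
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith((" ", "\t")):   # top-level key opens a section
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip().strip("'\"")
    return conf


def audit(conf, version_before_3_6=True):
    """Return a list of findings; an empty list means neither weakness is present.

    version_before_3_6 matters only for a missing bindIp: mongod 3.6 started
    defaulting to localhost, every earlier release listened on all interfaces
    when bindIp was not set."""
    findings = []
    net = conf.get("net", {})
    sec = conf.get("security", {})

    addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
    if net.get("bindIpAll", "").lower() == "true" or any(a in WILDCARD for a in addrs):
        findings.append("net.bindIp: listens on all interfaces; reachable by anyone who can route to the host")
    elif not addrs and version_before_3_6:
        findings.append("net.bindIp: not set; before MongoDB 3.6 that meant all interfaces")
    elif any(a not in LOOPBACK for a in addrs):
        findings.append("net.bindIp: bound to a non-loopback address; confirm a firewall limits who can reach the port")

    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: not enabled (the default); any client that connects gets full read/write access")
    return findings


if __name__ == "__main__":
    for name, text in (("default-style", DEFAULT_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_conf(text)) or ['no findings']}")
```

Run it against a real deployment with `audit(parse_conf(open("/etc/mongod.conf").read()))`. A clean result says nothing about the firewall in front of the host or about who holds the credentials once authorization is on, so pair it with a port check from outside your own network.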
And Verizon is definitely not alone – a public search on IoT search engine Shodan.io shows nearly 60,000 publicly accessible MongoDB databases. Last month, respected security journalist Brian Krebs reported that thousands of these databases have been hacked (UK hacker group Darknet estimates the total at over 33,000), with their data stolen and replaced by ransom demands. But here’s the kicker – there’s now evidence that the hackers are replacing each other’s ransom notes, meaning that even people who are paying the ransoms aren’t getting their data back. Consider the following scenario:
- Hacker A, let’s call him Harry, steals your data and leaves a ransom note demanding a certain number of bitcoins be sent to his address.
- Hacker B, let’s call her Eve, finds Harry’s ransom note and replaces it with a note directing the bitcoins to a different address.
- You read the ransom note and, desperate to get your data back, pay the ransom to Eve.
- Eve keeps your money, Harry keeps your data, and you eventually realize that you’ve been played. The only recovery you can count on is a backup taken before the intrusion.
In order to really understand this hack and learn from it, we need to go back to the fundamentals of security:
- Security is extremely difficult. It’s easy to point fingers at the database owners and say they were irresponsible, but when nearly 60,000 databases are publicly accessible, there’s obviously an intrinsic problem with the software’s default configuration.
- Security is only as strong as its weakest link. While some of the companies affected by the hacks likely have strong internal security policies, they clearly weren’t applied to their MongoDB deployments. It will be interesting to see what downstream effects these hacks create and whether the stolen data becomes used for targeted phishing or other attacks.
- Security is about economics. Ransomware works because the ransom amount typically represents a small fraction of the value of the data to the owner. The cost of protecting the data is often a small fraction of the ransom amount, and investing in the right areas of security can provide direct cost savings and improve your bottom line.
Consider these immutable truths about data breaches:
- If you connect it to the Internet, someone will try to hack it.
- If what you put on the Internet has value, someone will invest time and effort to steal it.
- Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.
How BlackBerry Can Help
IT departments are often attracted to the simplicity and cost-effectiveness of free open-source software, which can be extremely difficult to manage and secure across large organizations. That’s why BlackBerry offers BlackBerry SHIELD, a free 90-minute checkup on your mobile security risks that can help you identify gaps in your technical and administrative controls that could be exploited by malicious hackers. For a more in-depth analysis, BlackBerry Cybersecurity Services provides penetration testing, threat intelligence, forensics and even training to help your business or government organization develop a holistic and practical approach to IT security. You can meet the BlackBerry Cybersecurity Services team at the RSA Conference 2017 in San Francisco next week; come to Booth 2045 in the South Hall.
Whether you’re a small business looking for cost-effective alternatives to hiring a full-time security team, a large enterprise looking to ensure regulatory compliance or a government organization concerned about nation-state level attacks, BlackBerry can help you allocate your security budget in the right places in order to protect your assets and maximize ROI.