
4 Lessons From MongoHQ Data Breach

Security experts urge companies to implement two-factor authentication, VPNs, and graduated permission levels to better protect customer data from hackers.

How could MongoHQ have prevented last month's breach that gave an attacker access to the company's customer database and its customers' social media accounts?

The breach of MongoHQ -- a database-as-a-service provider that provides hosted instances of MongoDB -- began on October 27, when a hacker accessed the site's service infrastructure. "The MongoHQ password of one of MongoHQ's employees was stolen," said Joel Gascoigne, CEO of social media account management company Buffer, who helped trace back the intrusion after someone began posting spam via the Facebook and Twitter accounts of Buffer's customers.

By October 28, MongoHQ warned its customers that it had detected "unauthorized access to an internal support application using a password that was shared with a compromised personal account." After detecting the breach, to the company's credit, it immediately reset all customers' passwords, began working with the FBI, and hired a third-party digital forensic investigator.

The speed and seriousness of the company's response and warning, as well as its promise to make specific security improvements to prevent a breach recurrence, earned the company plaudits from information security experts.

Even so, here are four ways the company might have prevented the breach altogether:

1. Two-factor authentication
In the wake of the breach, MongoHQ CEO Jason McCay promised that support applications would remain offline until "we have [a] functioning, enforced two-factor authentication" system. Once that was in place, even if an employee's password were to be stolen, an attacker couldn't use it to access the site. Instead, they'd have to find some other, more difficult way to access the site, for example by exploiting a web application vulnerability.

Never underestimate the power of a good two-factor authentication system -- or making that a "must have" buying decision for any product -- especially when handling or safeguarding large amounts of customer data. For example, this week's hack of MacRumors that resulted in 860,000 emails and passwords being stolen could have been prevented if the Apple rumors and news website had been able to use two-factor authentication to secure administrator access to the vBulletin software that runs its online forums. Unfortunately, however, the vBulletin software doesn't currently offer that capability.

2. VPN access for support portal
One contributing factor to the MongoHQ breach, according to a blog post from Imperva security researchers Barry Shteiman, Michael Cherny, and Sagie Dulce, was that "a support application was accessible through the Web and not behind a VPN."

As with two-factor authentication, using a VPN would have added another layer of security that a would-be attacker would have to defeat before gaining access to a targeted site.

On that note, MongoHQ's McCay said that after the breach, the company's "employee-facing support applications" would remain disabled until the company created a system that restricted access solely to VPN connections. "Our backend applications, supporting services, and utility tools will be moved into a private network and require employee VPN access," he said.

3. Restrict employee access to customer accounts
Do customer service personnel need a "god mode" for accessing customers' accounts? That was the capability given to MongoHQ's support personnel, via an "impersonate" feature that allowed them to browse customers' data and manage their databases for troubleshooting purposes.

But in the hands of attackers -- or a potential malicious insider -- that feature provided carte blanche access to sensitive information. "Hackers logged into the main admin dashboard of MongoHQ and were able to use the 'impersonate' feature to see all of Buffer's database information," Buffer CEO Gascoigne said. "Through that, they wrote a script to steal our social access tokens and post spam messages on behalf of our users."

Of course, some service personnel may require direct access to customers' data. But McCay said MongoHQ has now created "a system of graduated permissions, tested thoroughly, that allows only the minimum needed privileges to support personnel based on role," thus curtailing outright most support access to sensitive information.
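To make lessons 1 through 3 concrete, here is an added example (not MongoHQ's code; role names, the VPN address range and the ticket requirement are assumptions) of an access-policy check for an internal support application: the session must arrive over the VPN, must have completed a second factor, and customer-data access is granted by graduated role permissions plus a support ticket rather than a blanket "impersonate" capability. Every decision is written to an audit log.

```python
"""Access policy for an internal support application (added example).
Models: VPN-only reachability, enforced two-factor authentication, and
graduated least-privilege roles.  Roles, network range and ticket field
are assumptions, not MongoHQ's actual design."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed: private range that VPN clients land in (assumption).
VPN_NET = ipaddress.ip_network("10.8.0.0/16")

# Graduated permissions per role (assumption).  No role carries an
# unrestricted "impersonate" action; data access is a distinct permission.
ROLE_PERMS = {
    "support_l1": {"view_account_metadata", "reset_customer_password"},
    "support_l2": {"view_account_metadata", "reset_customer_password",
                   "view_customer_data"},
    "dba": {"view_account_metadata", "view_customer_data",
            "manage_customer_database"},
}
# Actions touching customer data must be justified by a support ticket.
TICKETED_ACTIONS = {"view_customer_data", "manage_customer_database"}

@dataclass
class Session:
    user: str
    role: str
    source_ip: str
    mfa_verified: bool              # second factor completed this session
    ticket: Optional[str] = None    # ticket justifying customer access

@dataclass
class Decision:
    allowed: bool
    reason: str

audit_log: List[str] = []   # every decision, allowed or not, is recorded

def authorize(session: Session, action: str, customer: str) -> Decision:
    """Check network, second factor, role, then ticket; log the outcome."""
    if ipaddress.ip_address(session.source_ip) not in VPN_NET:
        d = Decision(False, "not on VPN")
    elif not session.mfa_verified:
        # A stolen password alone stops here: no second factor, no access.
        d = Decision(False, "second factor not verified")
    elif action not in ROLE_PERMS.get(session.role, set()):
        d = Decision(False, f"role {session.role} lacks {action}")
    elif action in TICKETED_ACTIONS and not session.ticket:
        d = Decision(False, "customer-data access requires a ticket")
    else:
        d = Decision(True, "ok")
    audit_log.append(f"{session.user} {action} {customer} -> {d.reason}")
    return d
```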

4. Know what customers expect, then work backwards
Another useful test for the effectiveness of your business's security program is to ask: "What would customers expect?"

Or as the Imperva researchers put it: "Were MongoHQ customers aware that their sensitive data was visible to the MongoHQ support application? Do you know who can access your data? How is it stored? Can it be copied? These are all questions that are all too often forgotten, especially for young startup companies eager to build applications and avoid dealing with security and management costs."

Another excellent information security question to ask is: "Where are our crown jewels?" Then ensure that a greater portion of your security budget goes to securing that ultra-sensitive information.

In the case of MongoHQ, for example, while the investigation is still ongoing, "currently, it appears that the unauthorized user was scanning for social media authentication information for spamming purposes, and probing for financial information in customer database," said McCay. In other words, at least for that company, the Twitter and Facebook access credentials and financial information it's storing are a high-priority target.

Going forward, thanks to revisions introduced with the Payment Card Industry's Data Security Standard (PCI DSS) version 3, businesses such as MongoHQ that have customers that must comply with PCI will need to put these types of details in writing. Under PCI version 3.0, which will take effect at the beginning of January -- although businesses will have until the end of 2014 to comply -- "service providers are now accountable for protecting the data of their customers," the Imperva researchers said. "Data center security needs to be out in the open, especially 'up in the cloud.'"
