Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


4 Lessons From MongoHQ Data Breach

Security experts urge companies to implement two-factor authentication, VPNs, and graduated permission levels to better protect customer data from hackers.

How could MongoHQ have prevented last month's breach that gave an attacker access to the company's customer database and its customers' social media accounts?

The breach of MongoHQ -- a database-as-a-service provider that provides hosted instances of MongoDB -- began on October 27, when a hacker accessed the site's service infrastructure. "The MongoHQ password of one of MongoHQ's employees was stolen," said Joel Gascoigne, CEO of social media account management company Buffer, who helped trace back the intrusion after someone began posting spam via the Facebook and Twitter accounts of Buffer's customers.

By October 28, MongoHQ warned its customers that it had detected "unauthorized access to an internal support application using a password that was shared with a compromised personal account." After detecting the breach, to the company's credit, it immediately reset all customers' passwords, began working with the FBI, and hired a third-party digital forensic investigator.

The speed and seriousness of the company's response and warning, as well as its promise to make specific security improvements to prevent a breach recurrence, earned the company plaudits from information security experts.

Even so, here are four ways the company might have prevented the breach altogether:

1. Two-factor authentication
In the wake of the breach, MongoHQ CEO Jason McCay promised that support applications would remain offline until "we have [a] functioning, enforced two-factor authentication" system. Once that was in place, even if an employee's password were to be stolen, an attacker couldn't use it to access the site. Instead, they'd have to find some other, more difficult way to access the site, for example by exploiting a web application vulnerability.

Never underestimate the power of a good two-factor authentication system -- or making that a "must have" buying decision for any product -- especially when handling or safeguarding large amounts of customer data. For example, this week's hack of MacRumors that resulted in 860,000 emails and passwords being stolen could have been prevented if the Apple rumors and news website had been able to use two-factor authentication to secure administrator access to the vBulletin software that runs its online forums. Unfortunately, however, the vBulletin software doesn't currently offer that capability.

2. VPN access for support portal
One contributing factor to the MongoHQ breach, according to a blog post from Imperva security researchers Barry Shteiman, Michael Cherny, and Sagie Dulce, was that "a support application was accessible through the Web and not behind a VPN."

As with two-factor authentication, using a VPN would have added another layer of security that a would-be attacker would have to defeat before gaining access to a targeted site.

On that note, MongoHQ's McCay said that after the breach, the company's "employee-facing support applications" would remain disabled until the company created a system that restricted access solely to VPN connections. "Our backend applications, supporting services, and utility tools will be moved into a private network and require employee VPN access," he said.

3. Restrict employee access to customer accounts
Do customer service personnel need a "god mode" for accessing customers' accounts? That was the capability given to MongoHQ's support personal, via an "impersonate" feature that allowed them to browse customers' data and manage their databases for troubleshooting purposes.

But in the hands of attackers -- or a potential malicious insider -- that feature provided carte blanche access to sensitive information. "Hackers logged into the main admin dashboard of MongoHQ and were able to use the 'impersonate' feature to see all of Buffer's database information," Buffer CEO Gascoigne said. "Through that, they wrote a script to steal our social access tokens and post spam messages on behalf of our users."

Of course, some service personnel may require direct access to customers' data. But McCay said MongoHQ has now created "a system of graduated permissions, tested thoroughly, that allows only the minimum needed privileges to support personnel based on role," thus curtailing outright most support access to sensitive information.

4. Know what customers expect, then work backwards
Another useful test for the effectiveness of your business's security program is to ask: "What would customers expect?"

Or as the Imperva reearchers put it: "Were MongoHQ customers aware that their sensitive data was visible to the MongoHQ support application? Do you know who can access your data? How is it stored? Can it be copied? These are all questions that are all too often forgotten, especially for young startup companies eager to build applications and avoid dealing with security and management costs."

Another excellent information security question to ask is: "Where are our crown jewels?" Then ensure that a greater portion of your security budget goes to securing that ultra-sensitive information.

In the case of MongoHQ, for example, while the investigation is still ongoing, "currently, it appears that the unauthorized user was scanning for social media authentication information for spamming purposes, and probing for financial information in customer database," said McCay. In other words, at least for that company, the Twitter and Facebook access credentials and financial information it's storing are a high-priority target.

Going forward, thanks to revisions introduced with the Payment Card Industry's Data Security Standard (PCI DSS) version 3, businesses such as MongoHQ that have customers that must comply with PCI will need to put these types of details in writing. Under PCI version 3.0, which will take effect at the beginning of January -- although businesses will have until the end of 2014 to comply -- "service providers are now accountable for protecting the data of their customers," the Imperva researchers said. "Data center security needs to be out in the open, especially 'up in the cloud.' "

Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...