Of data and servers, a cautionary tale

This is the final blog in a four-part series delving into information security concerns and what you can do to keep your organisation safe.

An interesting hack was brought to my attention by our ever-vigilant National Support Manager not so long ago, and it highlights what is frequently a blind spot in IT security.

The hack in question was a data leak for a site called "Beautiful People", a dating site where existing members get to vote on whether new members are approved based on their physical characteristics. I'm not going to comment on my feelings about the site's concept, that's outside the scope of this article. What is within the scope of this article, though, is that their production website was not hacked at all. The data (details of 1.1 million users) was taken from an Internet-facing test system.

Under the radar

Information breaches have gained a lot of press in recent years. As a result, there's an increasing focus on Information Security. Organisations are engaging security consultants, installing firewalls, implementing policies, and generally lifting their infosec game. This is a good thing. However, most of the attention is focused on securing the front doors. In the case of Beautiful People, their primary web servers were properly secured. However, while all eyes were on the front door (the public website), nobody noticed that the tradesman's entrance (the test system) was open, and a big "please come in" sign was plastered above the lintel.

Beautiful People uses a MongoDB backend. MongoDB access (at least for the version they're running) is unauthenticated by default. Access control is supposed to be handled by specifically allowing access from legitimate IP's and blocking everything else. For their production servers, this was done. For their test servers it wasn't. (A similar situation existed and data leaks have happened for ElasticSearch databases). As a result, all of the Beautiful People information was exposed to the Internet. Beautiful People have said that the data was copied to the test system last July, so newer member details haven't been accessed. However, that also means the data has been accessible since last July.

If it's on the interney

I'm sure the IT people who ran up the test system didn't suspect they were exposing all of their user data. The system had no DNS entries to point people at it, and it wasn't well known outside of the company. However, there are well known, freely available services that scan the entire Internet and allow users to search the results. In this instance, it was easy for attackers to find a list of unsecured MongoDB databases and check them for content. The person who reported the issue used a search engine called Shodan which is widely used by penetration testers, information security consultants, and hackers.

The message from the Beautiful People breach is clear - security by obscurity is not a valid information security strategy.

Security decisions need to consider the data

The underlying issue here is that the system was not considered to be a target because it was a test system. However, the data on the test system was production data. Because the data on the system was confidential, the test system should have been classified as confidential and the same protections put in place as for the production system.

Similar situations happen all the time.

  • Developers run up virtual machine on their unsecured laptop using production data to test changes take them to insecure environments
  • Business execs import production data into spreadsheets on their laptops so they can generate reports at home
  • Backups are put on optical and USB media and left around the office
  • Backups are stored in "cloud storage" services for easy access and sharing

Once the data is away from the production servers, it's often no longer considered. The risk is overlooked because "it's just a test machine" or "it's just a backup." IT teams focus on protecting their servers. However, the hackers' end goal is not the servers, it's the data. And if it's exposed, they'll find it.

Back to the top of this page