Monthly Archives: February 2015

Cyber security students at Saarland Univeristy in Germany (which I attended during 1975 and 1976. Ed.) have discovered up to 40,000 insecure databases on the internet, the university reports.

Anyone could retrieve or even amend several million customer accounts with name, address, email and credit card details via the internet, according to information from the University’s Center for IT-Security, Privacy, and Accountability (CISPA). The cause is a wrongly configured, freely available database on which millions of online shops and platforms around the world are establishing their services. If the operators blindly stick to the defaults in the installation process and do not consider crucial details, the data is available online, completely unprotected. CISPA has already contacted the vendor and data protection authorities.

“It is not a complex bug, but it’s effect is disastrous”, explains Michael Backes, professor of information security and cryptography at Saarland University and director of CISPA. He was contacted by the students and CISPA employees Kai Greshake, Eric Petryka and Jens Heyens at the end of January. Heyens is a cyber security student at Saarland University and his two fellow students plan to concentrate in this subject in the forthcoming semester. The flaw which they detected affects 39,890 databases. “The databases are accessible online without being protected by any defensive mechanism. You even have the permissions to update and change data. Hence we assume hat the databases were not left open on purpose”, Backes explains. The vendor of the database is MongoDB Inc. Its MongoDB database is one of the most widely used open source databases. Out of curiosity, the students queried a publicly accessible search engine for servers and services connected to the internet and thus discovered the IP addresses companies use to run unprotected MongoDB databases.

When the students called up the detected MongoDB databases with the respective IP addresses, they were surprised. Access was neither locked, nor protected in any other way. “A database unprotected like this is similar to a public library with a wide open entrance door and without any librarian. Everybody can enter”, explains Backes. Within a few minutes, the students also detected this critical condition in numerous other databases as well. They even found a customer database possibly belonging French ISP and mobile phone provider containing the addresses and telephone numbers of roughly 8 million French customers. According to the students, they also found the data of half a million German clients among those addresses. Another unprotected database detected was that of a German online retailer which included payment information. “The saved data can be used later to steal identities. Even if the identity theft is known, even years later the affected people have to deal with contracts signed under their own names by the identity thieves”, says Backes. The CISPA researchers began contacting MongoDB Inc. immediately, as well as the international computer emergency response teams (CERTs). They informed the French data protection service, the Commission nationale de l’informatique et des libertés, and the German Office for Information Security. “We do also hope that the developer of MongoDB will quickly include our results, incorporate them into its guidelines and forward them to the companies using the database”, says Backes.

CISPA has released a report of its findings (pdf).

GnuPG is the de facto standard implementation of the PGP standard. Anyone currently encrypting their emails as a private individual is almost always using a software package that has GnuPG under its bonnet. Since the middle of December GnuPG’s main developer has been collecting donations to enable financing of his work on the software. This was going rather slowly until last Thursday, when, helped by media reports of the project’s plight, main GnuPG Werner Koch and his fellow developers succeeded in raising the required €120,000 within one day, German IT news site heise reports.

The software’s development will therefore be fully financed for the current year for the first time. In addition, Facebook and payment processor Stripe have both stated their readiness to subsidise its development with $50,000 per year each and The Linux Foundation has given Koch a one-off donation of $60,000. Even the German Federal Office for Security & Information Technology (Bundesamt für Sicherheit in der Informationstechnik – BSI) is intending to support the GnuPG project. This was announced via German computer periodical c’t. It is believed the BSI has given the project similar support in the past.

Explaining its decision, Facebook stated:

We think it’s important to have a diverse family of software that can stand the test of time, and this is a great opportunity to support such a project. GnuPG was started 17 years ago, and we hope it keeps improving for years to come.