It’s 2017. The theft of data from public and private entities is a real problem, and it has been for years. Estimates are that about 1 billion records were exposed in 2016. In the U.S. healthcare sector alone there were 286 breaches in 2016 reported to the Department of Health and Human Services affecting 15 million people.
The public likes to imagine that data thieves are technical wizards who craft up arcane attacks or clever ruses to get access to protected systems. The truth, however, is that finding and stealing sensitive data is often trivial, requiring little if any technical expertise beyond knowing how and where to look.
Two recent incidents underscore this. First, the security researcher Chris Vickery at the firm MacKeeper wrote about the discovery of 11 Gigabytes of data on employees of the U.S. Military’s Special Operations Command (SOCOM) that was sitting, unprotected, on systems belonging to Potomac Healthcare Solutions. SOCOM, based in Tampa, Florida, is charged with overseeing special operations commands across the armed services. So… you know… kind of important.
The data Vickery discovered included the names, locations, Social Security Numbers, salaries, and assigned units for psychologists and other healthcare professionals who work in SOCOM. According to Vickery, “not a single username or password” was protecting the data, which appears to have been copied from another, remote system to the unprotected server.
After emailing with both of Potomac Healthcare’s CEOs, Vickery got the file removed, though he said that he was met with skepticism and felt it necessary to email both CEOs their current home addresses, dates of birth, phone numbers and Social Security Numbers, plucked from the unprotected data trove, to make his point.
This isn’t the first time Vickery has stumbled across records on an insecure and misconfigured database server – notably in late 2015 he discovered records of 191 million U.S. voters in a 300 Gigabyte file that was left open to the web.
Also: owners and operators of web applications using the popular MongoDB database program are finding that hackers have taken control of their databases, wiped out the data and posted ransoms for its return. According to research by Victor Gevers (@0xdude), hundreds of Internet-accessible and insecure MongoDB servers have been compromised in attacks dating back to late December.
A search using Shodan, the Internet of Things search engine, shows more than 50,000 MongoDB databases that are publicly exposed around the globe. At least 3,500 of them have been hit with the MongoDB ransomware already, per John Matherly (@achillean), who created the Shodan engine.
While some of these may be low value assets that do not contain data worth ransoming, it is clear that some are quite the opposite. The website Databreaches.net relates the story of an insecure Emory Brain Health Center database that ran MongoDB. The researchers at MacKeeper first noticed the misconfigured server on December 30th, noting that it appeared to contain patient data. By the time they returned on January 3rd to dig a bit deeper, the database had been discovered, hacked and ransomed.
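As an added example (not from the post or from any of the researchers it cites), here is a small Python audit of a mongod.conf that flags the two settings common to the exposed servers described above: listening on every interface and running with authorization disabled. The two configs are constructed for illustration, and the parser handles only the flat two-level YAML layout mongod.conf uses, so PyYAML is not required.

```python
"""Audit a mongod.conf for the two settings behind exposed MongoDB servers:
listening on all interfaces and running without authentication.
Added example constructed for this post; not code from any tool it names."""

def parse_simple_yaml(text):
    """Parse two-level 'section:' / '  key: value' YAML into nested dicts.
    Covers only the flat layout of a typical mongod.conf, so PyYAML is not needed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing blanks
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both controls are set."""
    conf = parse_simple_yaml(text)
    findings = []
    bind_ip = conf.get("net", {}).get("bindIp", "")
    addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
    # An unset bindIp is flagged too: before MongoDB 3.6 it meant every interface.
    if not addrs or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("net.bindIp: mongod listens on all interfaces")
    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization: not enabled, no credentials required")
    return findings

# Constructed samples: the exposed shape behind the incidents above, and a hardened one.
EXPOSED_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private network
security:
  authorization: enabled
"""
```

Calling `audit_mongod_conf(EXPOSED_CONF)` returns both findings, while the hardened config returns an empty list.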
The two incidents underscore the continuing challenges that organizations – even sophisticated organizations – have in identifying and securing their data. The confluence of easy-to-deploy hosted applications, third-party relationships and a lack of security know-how and expertise often bedevils well-intentioned firms. The results are easy to see and document: a steadily rising tide of stolen data, despite gallons of (digital) ink spent documenting failings and promoting best practices.
The fix won’t be easy. As Josh Corman at The Atlantic Council has observed: hackers are only as sophisticated as we require them to be. And these days, we’re not asking adversaries to be very sophisticated at all.