via Christian Priebe of Imperial College London, Manuel Costa and Kapil Vaswani both from Microsoft Research, comes a tour dé force of database security, ostensibly monikered EnclaveDB (published this past May 2018, in the Proceedings of the 39th IEEE Symposium on Security & Privacy, in co-operation with the International Association for Cryptologic Research). The interesting functionality descibed in the trio's paper - pursuant to a secure database (if there possibly could be such a thing) is not the security of data in-motion or at-rest, but the addition of encrypted in-memory data. More here...
Quite likely, the single most significant data security educational series of blog posts this year - via the Imperva Cyber Security Blog,written by Elad Erez and Luda Lazar - now in Part 3 of the series (Part 1 and Part 2 are highly recommended as well). Rather than put my spin on what Elad and Luda have presented on the Imperva blog, I'll let their brilliant speak tell the tale! Today's highly important Must Reads.
My suggestion is to, um - perhaps...not expose your database layer to external contact... Perhaps a DENY ALL to rule for your MongoDB deployment in your firewall would be helpful as well... just saying. Oh, and very good advice from Lucian at the end of his reportage: Use the MongoDB security checklist. It is - I can assure you - prietenul tău!. I also strongly suggest taking the time to read the Security Hardening documention from MongoDB; you can also download an EPUB version of the MongoDB manual. You'll be glad you did. That is all.
DarkMatters takes us down the slippery-slope of poorly configured Databases, and Database Management Systems. Threats abound, yet little is accomplished to remdiate (until after data loss). Today's Must Read.
'As of this writing, there are more than 27,000 instances of MongoDB and approximately 29,000 instances of Redis on the internet that do not have authorization enabled. Misconfigured databases are just as dangerous as vulnerabilities—they provide the bad guys an easy-access, exploitable front door to user data.' via DarkMatters
Meanwhile, in Blatant Stupidity news, ArsTechnica's Dan Goodin writes of the latest Uber mistep. This time, Uber decided to store an encrypted database's PRIVATE KEY (anecdotally, the DB contained sensitive data for at least fifty thousand of the company's drivers) on a GitHub public page. Apparently, there may have been a wee bit of confusion as to what a PRIVATE KEY is, in relation to a PUBLIC KEY within Uber's apaprently crack IT department... Oops.