Quite likely, the single most significant data security educational series of blog posts this year - via the Imperva Cyber Security Blog,written by Elad Erez and Luda Lazar - now in Part 3 of the series (Part 1 and Part 2 are highly recommended as well). Rather than put my spin on what Elad and Luda have presented on the Imperva blog, I'll let their brilliant speak tell the tale! Today's highly important Must Reads.
My suggestion is to, um - perhaps...not expose your database layer to external contact... Perhaps a DENY ALL to rule for your MongoDB deployment in your firewall would be helpful as well... just saying. Oh, and very good advice from Lucian at the end of his reportage: Use the MongoDB security checklist. It is - I can assure you - prietenul tău!. I also strongly suggest taking the time to read the Security Hardening documention from MongoDB; you can also download an EPUB version of the MongoDB manual. You'll be glad you did. That is all.
DarkMatters takes us down the slippery-slope of poorly configured Databases, and Database Management Systems. Threats abound, yet little is accomplished to remdiate (until after data loss). Today's Must Read.
'As of this writing, there are more than 27,000 instances of MongoDB and approximately 29,000 instances of Redis on the internet that do not have authorization enabled. Misconfigured databases are just as dangerous as vulnerabilities—they provide the bad guys an easy-access, exploitable front door to user data.' via DarkMatters
Meanwhile, in Blatant Stupidity news, ArsTechnica's Dan Goodin writes of the latest Uber mistep. This time, Uber decided to store an encrypted database's PRIVATE KEY (anecdotally, the DB contained sensitive data for at least fifty thousand of the company's drivers) on a GitHub public page. Apparently, there may have been a wee bit of confusion as to what a PRIVATE KEY is, in relation to a PUBLIC KEY within Uber's apaprently crack IT department... Oops.
Well documented paper on the capability to identify entities via credit card metadata [i.e., the identification is based on what was once thought to be anonymous big data...]. Time to move back to currency transactions. Tout Simplement Incroyable.