Code & Data Security

Resource Center

The Lessons we can Learn from the MongoHQ Hack

October 30, 2013 - by Irene Abezgauz

Tiny Url for this post: http://tinyurl.com/o5r6677

October 30 2013 – Today, Database-as-a-Service company MongoHQ has reported a breach in its applications, resulting in the theft of customer private data and authentication credentials. This reminds us of the importance of encrypting sensitive data at rest, two factor authentication, routine employee awareness training and ensuring the security level of internal applications. The security breach at MongoHQ was the result of a combination of factors, together leading to attackers being able to compromise data of MongoHQ customers.

First, there is employee awareness. Intruders were able to get into internal MongoHQ applications by using authentication credentials they stole from a different place. Employee awareness programs educate employees on the risks of using the same password for their work and personal accounts. Passwords were, and still remain, one of the weakest links as they are strongly dependent on the human factor. Forcing employees to choose strong passwords is not sufficient as it does not, as in this case, prevent them from using the same passwords in other locations. Moreover, often the need to use a complex password is what leads users to having one strong password they remember and shareacross different functions.

Second, the lack of two factor authentication for privileged access to internal applications. Two factor authentication means the password consists of “Something you know” – a passkey, and “Something you have”, such as a token, a cellular phone, a one-time-password generating device and so on. Mandating the “Something you have” component protects in situations where employee negligence leads to password compromise.

Third is compartmentalization. Access to customer data should be restricted as much as possible. In the MongoHQ case it is not clear what was the actual level of access required by the employee for his routine work. However, as a general practice, compartmentalization helps in preventing further damage when a breach has already occurred.

Fourth is the importance of encrypting data at rest. MongoHQ utilized bcrypt, which is a complex hashing function which takes longer computing times, therefore useful in slowing attackers who launch brute force attacks on hashed passwords. This helps guarantee that even if (and in this case – when) hashed passwords are compromised, attackers cannot easily launch brute force attacks on them to reveal the clear-text versions. This greatly minimizes the impact of hashed passwords theft.

The fifth factor is application security for internal applications. Internal applications” security is often overlooked, as they are considered “internal” and therefore inherently more secure. However, in the days of BYOD and employees connecting remotely, the boundaries between internal and world-facing applications hardly exist. Therefore it is important to remember that intranet applications and databases, such as internal portals, code repositories, internal issue tracking and support tracking, internal CRM and so on, require the same level of security as public facing applications. Sometimes they require even more security as they deal with an organization”s most critical data.

To summarize, many factors are to be taken into account, each one of them helping to prevent intrusion or assisting in minimizing damages if an intrusion occurs despite measures taken. Combining multiple security controls which protect data and minimize the human error factor together with effective user training is crucial when protecting sensitive data.

MongoHQ provided a great level of clarity in their report of the incident, detailing exactly what happened and providing full information. This vendor behavior is to be commended as it allows their customers to understand the impact and take relevant precautions.

This post is also available in: French

AboutIrene Abezgauz

Irene Abezgauz (@IreneAbezgauz) has ten years of experience in information and application security, focusing on application security testing and research. She is the Product Manager of Seeker, the new generation of automatic application security testing, as well as the leader of the research center in the company. She has discovered and published numerous vulnerabilities in products of leading vendors, and is a frequent speaker at professional conferences.

Learn more about Seeker

More Blog