For a person who just found the personal details for most of the adult Mexican population sitting in a publicly accessible database, Chris Vickery is remarkably self-effacing. His security research is mostly part-time, he’s entirely self-taught, and his days are spent wrangling the IT at a local law firm. He downplays his out-of-hours security work, but he has still managed to find some data breaches that would leave full-time vulnerability spotters green with envy.
“I’m not hacking so much as doing basic journalism and research based on publicly-available databases. I haven’t hacked anything that made big news. I just found things that made big news,” he said.
‘Hacking’ vs ‘finding’ is an important distinction for him. He won’t even enter passwords to get the records he finds – he just looks for public-facing databases that aren’t configured with any.
He finds these databases, sitting completely open and vulnerable on the Internet, mainly via his browser. He uses sites like Shodan and ZoomEye that index connected devices around the world and make them searchable. He also occasionally breaks out mass port scanning tools like ZMap and Masscan.
These tools have yielded some scarily large breaches. Last year he found millions of records in an insecure online database operated by Systema Software. But that was dwarfed by another: the entire Mexican voter registry, which he found in a MongoDB database sitting on an Amazon cloud storage instance, and then downloaded, all without typing in a single access credential. There were 93 million records on the system (81 million after deduplication). They included names, addresses, and national identification numbers.
When good databases are badly configured
“I identify software that allows you to make it accessible without any authentication. That would mostly be a NoSQL database like MongoDB,” he said. “Just because you can make it run with no authentication means that some percentage of people will.”
The issue, as MongoDB points out in its security webinars, is that the database is designed to be developer-friendly rather than production-friendly, meaning that admins should take some extra steps to configure it for public access. The database requires a flag to make it authorize users, which can be set manually. Admins can also use Cloud Manager and Ops Manager software to deploy the database securely.
MongoDB has taken its own steps to lock down access in the default configuration in recent years. Executives point out that the database has had the ability to limit remote access since the early versions, and that this was turned on by default in MongoDB 2.6, released in April 2014. This means anyone trying to access a version purchased since then and deployed with a default configuration won’t be able to get in from a remote IP address.
“For hackers to access the system the way Chris Vickery did, this precaution would have to be disabled, and many best practices would need to be ignored,” said Kelly Stirman, the company’s VP of strategy, who says that the database itself is secure, with multiple available authorization mechanisms. Those best practices are summarized on its web site.
Either the person who deployed the MongoDB instance holding the Mexican data was running an old version (2.4 reached the end of its support life in March), or the developer removed the access restrictions, perhaps to make the database reachable by developers before it went into production. If it’s the latter, it’s a really good example of the need for solid DevOps, in which development and operations staff work closely together, using automated tools to ensure that anything worked on during development is configured properly to be production-ready.
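The two settings the article turns on are the authorization flag and the restriction of remote access, and the DevOps point above is that a deployment pipeline should check them before a database goes anywhere near the Internet. The script below is an added example written for this page; it is not code from the article, from Vickery or from MongoDB. It reads a mongod configuration file with a small hand-written parser (not a full YAML parser) that covers the nested YAML layout and, going slightly beyond the article, the older `key = value` layout as well, then reports whether access control is off and whether the listener is bound to every interface. The sample configuration texts and the wording of the findings are constructed for the example.

```python
"""Audit a mongod configuration for unauthenticated, Internet-facing deployment.

Added example for this article. The parser handles only the subset of
mongod.conf syntax needed here: the YAML layout (nested keys, space
indentation) and the older ``key = value`` layout.
"""


def parse_mongod_conf(text: str) -> dict[str, str]:
    """Return a flat mapping of dotted keys ("net.bindIp") to string values."""
    settings: dict[str, str] = {}
    stack: list[tuple[int, str]] = []  # (indent, key) of enclosing YAML sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        # Old-style "bind_ip = 127.0.0.1" lines: flat keys, no nesting.
        if "=" in body and ":" not in body.split("=", 1)[0]:
            key, value = (part.strip() for part in body.split("=", 1))
            settings[key] = value
            continue
        if ":" not in body:
            continue
        key, value = (part.strip() for part in body.split(":", 1))
        # Leave any YAML sections that are indented at or deeper than this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key])
        if value:
            settings[dotted] = value.strip("\"'")
        else:
            stack.append((indent, key))  # a section header such as "security:"
    return settings


def audit_mongod_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means both settings look sane."""
    s = parse_mongod_conf(text)
    findings: list[str] = []

    auth_yaml = s.get("security.authorization", "").lower()
    auth_legacy = s.get("auth", "").lower()
    if s.get("noauth", "").lower() in ("true", "1"):
        findings.append("noauth is set: access control is explicitly disabled")
    elif auth_yaml != "enabled" and auth_legacy not in ("true", "1"):
        findings.append(
            "access control is not enabled (security.authorization / auth): "
            "the server accepts unauthenticated clients"
        )

    bind = s.get("net.bindIp", s.get("bind_ip", ""))
    bind_all = s.get("net.bindIpAll", "").lower() in ("true", "1")
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    if bind_all or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append(
            "the listener is bound to all interfaces; anyone who can reach "
            "the port can connect"
        )
    elif not addrs:
        findings.append(
            "bindIp is not set explicitly; the interfaces the server listens "
            "on then depend on the version and package defaults"
        )
    return findings


# Constructed sample: a developer-friendly configuration left in production.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb   # placeholder path
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on every interface
"""

# Constructed sample: the same deployment with both settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Constructed sample in the older key = value layout.
LEGACY_CONF = """\
dbpath = /var/lib/mongodb
bind_ip = 127.0.0.1
auth = true
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['no findings']}")
```

Run it as part of a deployment check and fail the pipeline when the list is non-empty; the weak sample produces two findings, the hardened and legacy samples none. The parser is deliberately narrow, so a real pipeline with PyYAML available should load the file properly and feed the resulting mapping to the same two checks.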
In any case, people like Vickery are useful for the ecosystem, according to Stirman. “We feel Chris is acting responsibly by notifying organizations of these issues and allowing them the opportunity to properly configure their environments before making the story public,” he said.
Don’t shoot the messenger
If only everyone felt that way. Most people are happy when Vickery points out a flaw. That includes Kromtech, which makes the MacKeeper OS X security and performance optimization software, and which gave him a position as a security researcher after he found a similarly open MongoDB database of theirs. Not all companies are that warm and fuzzy.
Vickery told child safety app vendor UKnowKids about a database of theirs that was operating in the open, and publicly accessible. In a strangely dissonant statement, the firm claimed that he breached it while also praising his ‘proactive, quick notification’.
“Because my initial email to them was called ‘data breach notification’, they said that I was admitting I had breached their system,” Vickery told SecTor. “That’s not true. I was just notifying them that a breach had occurred, and that occurred the moment that they put that data in a publicly accessible area.”
Companies typically don’t try to shoot the messenger, though. “Most of the time they’ll be really grateful or they’ll try to deny it,” he said.
Now, Vickery posts blogs regularly for Kromtech while advising them on other security issues, in addition to his day job. That’s not a bad cybersecurity career for someone who doesn’t go reverse engineering code to find logic bugs, but simply pokes around online to find doors that have been left open.
What scares him most is that he probably isn’t the first one finding them. “All these companies say ‘oh, Vickery was the only one who found it. He was the only one’, even though it was up there for six months,” he said. “There have to be a lot of people finding these things. There just have to be. I can’t understand why I’m pointing this out and making headlines when it’s so danged easy.”