Hey everyone, I'm Philip. I don't want to imply that there is no security; that question mark at the end is very important, because sometimes this gets cut off and "there is no security" is not the message I want to convey. Did anybody get ransomed with one of the NoSQL data stores? Anybody? No? Okay, you've been lucky, I guess. So let's dive a bit into security and what is going on in that regard.

I work for Elastic, the company behind Elasticsearch, but I'm generally running a meetup about databases, so I'm interested in all things SQL or relational database and non-relational database, and security is one of the more interesting ones in that area. I guess a lot of you know DB-Engines.com, which is kind of like the TIOBE index for databases, and this is the current version of that. So I'm picking three systems here, the top three NoSQL systems, and then I'll take a quick look at security in each one of them. Those are MongoDB, Redis and Elasticsearch. So let's see what we can do here.

I guess everybody is familiar with Little Bobby Tables. So the nice thing is, if you don't have SQL, you don't have SQL injections, right? So it's much more secure, presumably. Who thinks that is true? Yeah, I'm afraid I have bad news. But let's see.

So let's talk about MongoDB. I guess everybody's familiar with MongoDB. They're the web scale database, if you still remember that one, where the two guys are talking to each other in kind of a computer voice, and one is always asking questions and the other one is responding, and whatever you're asking about MongoDB, the answer is always "web scale". And then there's this other thing: they recently had their IPO, and then people were like, oh awesome, it's not only that you can lose your data now, but also your money. Anyway, so let's talk about injections. Do you think injections are a thing in MongoDB? Who thinks injections are a thing?
Yeah, that's a good guess. Maybe you still remember Diaspora. I don't know how many years ago that was, like five, seven, I don't know. The idea of Diaspora was to have this competitor to Facebook which was open source and kind of distributed, but it was still a social network, and they started putting stuff together, I think in Rails and with MongoDB. However, later on they discovered social networks are a very relational problem and MongoDB is not a good fit for that, so they redid that. But their first iteration had MongoDB in there, and one of the things they had in the code was these magic queries where they were just passing in random strings, and that was not a great idea, because that is the classical injection you can get with anything. And since they have JavaScript in the back end, well, you didn't have SQL injections, you had JavaScript injections instead, but it ended up as the same thing. So these are the functions you might want to be aware of. If you use these and take any random scripts or any random user input, you have a nice JavaScript injection in your data store.
So yeah, no SQL injection, but you have the JavaScript version of that. You can disable scripting in general, because there's always a discussion whether the database should even be able to do scripting. If you think it should, you can actually escape all the code blocks to avoid these injection problems there, but otherwise you can just turn off scripting and avoid the problem altogether.

Yeah, and then this ransomware thing took hold, basically. So back in 2015 a German university found lots and lots of MongoDB instances which were not secured, and everybody said, well, that's not a good idea if somebody could look at the data, but it doesn't really scale and nobody can really make money easily out of that, and people didn't really care about that. So while the universities were saying, well, this might be a problem, do something, people said, well, I don't really care. And then it took like two years until people figured out how to make money out of that, because then suddenly you had cryptocurrencies, which have anonymous transactions, and then people figured out, well, we could do something there. The general idea is: you download the data, you store it somewhere, you delete the data from the live server that people have, and then you offer to give them the data back if they pay up. The problem is, from what I've heard, a lot of people don't actually take that backup of the data, because it takes a lot of time and it also needs a lot of bandwidth and storage, so they just delete the data and ask for the ransom, and whether you get your data back is always an open question. But yeah, that's the general idea of what people did, and that hit MongoDB pretty hard. Who thinks that MongoDB is binding to all interfaces by default?
Yeah, they used to do that for a long time, but it changed. So at least with the latest version, 3.6, they changed it for all distribution mechanisms. Before that it depended a bit on how you installed MongoDB: if you were using their apt or yum RPM packages, it was disabled by default, but if you compiled it yourself there was no standard configuration and it would bind to just any interface, and wherever it was reachable it would happily accept any connection. But they changed it now; I guess a lot of people complained. So yeah, that problem has been solved.

Do you think authentication is enabled by default in MongoDB? Anybody? No, no, it is not. Who thinks that MongoDB has any authentication and authorization mechanisms? Yes, they do, actually; they are pretty good. So authentication and authorization is one of the strongest points of MongoDB, at least for the NoSQL ecosystem, because when you build a new product, you want to get users; security is kind of like the stepchild which always comes afterwards. You need to have production users, and then security becomes an important point; otherwise you don't care that much, you just want to get started and claim to be web scale. But MongoDB actually is pretty good in that regard. You just have to enable it: by default any authentication and authorization is disabled. So in the configuration, or if you start it on the command line, you always need to pass that auth through; otherwise you're not really secured. In earlier versions they had their own implementation, which was a challenge-response thing; in more recent versions they switched to SCRAM-SHA-1. I think Postgres recently, but only in the most recent versions, switched to SHA-512, so a very similar implementation. Since it's an open standard, it has a lot of cool features, like both sides need to authenticate against each other. It's an actual standard.
You can check the implementation, so that part is actually done very well, and they even have a lot of predefined roles. So whatever you need to do, there's probably a predefined role you just need to activate, and then everything works as expected. Or you can just say, okay, security, that is kind of done. Okay, the next or final thing is SSL, which has been included in most of the recent versions now. I think some special builds for some platforms don't include SSL because it's harder to include there, but generally they have SSL everywhere. So that is actually MongoDB: even though they have been, or had, the most ransomware problems, their security is actually very strong.

Next up, talking about Redis. Anybody using Redis? Yeah, I thought so. Anybody happy with the security Redis is providing? Let's see. Does Redis bind to all interfaces? Yes. Who thinks yes? Okay, it does. They have this special thing now called protected mode, and protected mode is actually very clever. It was added in a rather recent version, or not that long ago, but what it does is, by default all queries coming from localhost will do the right thing. Every query coming from remote will get an answer, but it will only answer back that you need to set this up correctly. They don't cut off remote connections; they allow remote connections, but will only tell you what to do or how to configure it. So that is their approach to make stuff easier to get started with, which I think is an interesting approach. It's just, if you have anything that is exploitable, binding to all interfaces by default is kind of questionable, but otherwise, from the usability point of view, that's an interesting trade-off. Yeah, they have some kind of authentication. There is no authorization. Their own documentation says it's kind of a tiny layer, and you know, if your own documentation says it's a tiny layer...
It's probably really small. So what they have is, you can set one password for the entire system; it stores this in plain text in the Redis configuration, if I'm not mistaken, and there is no rate limiting or anything, and there is no encryption involved, so if you want to encrypt anything you will need to proxy that yourself. And the problem with no rate limiting is: the point of Redis is that it's very fast and it's a key-value store, so you can do a lot of queries and you can also try a lot of passwords that way. So if you want to make sure nobody's trying to brute force your password, either watch that or pick a very, very good password.

The other very interesting thing that Redis does is hiding commands. What they have added is, you can set them in the Redis configuration, and it will need a restart to get them back, but what you can do is, you have a command named rename-command, and then if you say, I want to rename that CONFIG command, you can just give it a different name, and only if you know the different name can you actually call that command anymore. Some people use kind of like a hashing function to do that and then figure out automatically how the command is called; others just keep track of that. That is pretty much the security by obscurity approach: you just hide the name of a command, and only if you know the right name can you change stuff. But it's kind of working. The other approach they have is, you can even hide commands entirely. So if you say rename-command and set CONFIG to an empty string, it just will not be able to call that function at all anymore; it's just gone from the system. And they actually recommend doing that for production systems, I think with three different functions, like dropping all the data in Redis, which you normally don't want to do on a production system.
They actually recommend doing that for the data store. Okay, and finally, don't enable Lua scripting, or don't pass in random functions to the Lua scripting, because that's the classical injection again. Everybody who supports scripting has that.

Finally, Elasticsearch. Does Elasticsearch bind to all interfaces? Who thinks yes? Not anymore; we changed that, I think, in version two, which is already at least two years ago. That has changed, so we are not binding to all interfaces anymore. Are we still broadcasting to all the nodes on the local subnet? No, we stopped doing that, and the main thing was that that was a very cool feature: you just start one node on a subnet and then another node somewhere else on the subnet, and they will find each other automatically; you don't have to do anything. Which was cool. I know when I did trainings and everybody started one node on their laptop, they would form one big cluster. But you could also see the problems back then, because somebody would write in some data and somebody else would delete some data, and it was pretty much chaos. And the worst-case scenario people would have at some point is when they VPN to their production system and they have Elasticsearch running locally, and then it connects to that and forms one big cluster, and you think you'd run one command locally. That is a very bad day. And it only applies if you keep the default cluster names; only then will you form one cluster. You should always change those. But it is something I'm sure has happened to people. So we stopped doing that. Yeah, can you run Elasticsearch as root?
Anybody thinks that? We get complaints about that about once a month, because when you try to run Elasticsearch as root it will just system exit and it will not run. And now with the rise of Docker containers a lot of people want to run stuff as root again, and we are arguing about that like once a month with somebody, and I always call this idea the cockroaches: it's something that you think you got rid of in the past, but it's still there and it's not going away.

Yeah, and then there is scripting. If you had security issues with Elasticsearch, there was probably a good chance that it was around scripting. So these are all the security issues we had in Elasticsearch, and you can see out of those six, or seven actually, three were related to scripting, and kind of like the worst ones were all around scripting, because, well, we thought adding a general purpose scripting language like Groovy is nice to add a lot of features and it's very quick to get started with. The problem is, securing a general purpose language is super hard. So we added a new language which is called Painless. The story is the developer of that has chronic back pain and he just wants something that is painless, and that's why he called it like that. We kind of want to take the security pain away. So we hired a developer; he has been working on that for a year. And then people asked, why would you create another scripting language? There are already that many out there. However, we had this specific design goal: we want to have something that is secure and performant and has just the right feature set for us. So we thought it was the right trade-off to develop our own Painless scripting language, and security and performance is where it goes. Just to give you a quick idea.
This is how this looks if you have the upsert operation where you either create something with a value of one or you increment the value. That is how you do it in Painless. The language looks pretty familiar. Yeah, and Painless is the new default.

Let's see if we can do that in 40 seconds. Normally I try to do that live, but if you know Shodan, it scans the internet for open stuff, and this is actually how ransomware attacks work: they just look for who has an open Elasticsearch instance, and then you can query that, and you can actually see this instance has already been ransomed, because there is a "please read". Let's take a look at what is in "please read". I will tell you: yeah, we got your data, pay us 0.5 Bitcoin. Though I have recently seen, since the dollar price, or the Bitcoin price, is fluctuating so much, yeah, they have switched back to US dollar values.

And with that, I think we're out of time. The only thing you need to be aware of: sometimes different people try to ransom you, and then somebody takes your data and somebody else then takes that data, and you would need to pay each one of them to get back to the original one who took your initial data. So that is not where you want to be. Thanks a lot.
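The talk's MongoDB point (passing raw user input into queries gives you JavaScript injection instead of SQL injection, and the fix is to not let user input reach a script at all) is illustrated below with an added Python example. It is not code from the talk or from MongoDB; it assumes the filter documents it builds would eventually be handed to a driver call such as PyMongo's `collection.find(filter)`, but it needs no database and runs offline. The function names (`find_user_where_vulnerable`, `find_user_safe`, `reject_operator_keys`, `classify_input`) are this example's own. It goes slightly beyond the talk by also covering operator injection, where a JSON object instead of a string turns into query operators, since that is the non-scripting form of the same mistake.

```python
"""MongoDB filter construction: JavaScript/operator injection vs. a hardened builder.

Added example (not from the talk). No database is needed: the functions only build
the filter documents that a driver such as PyMongo would send with
collection.find(filter) (assumed consumer).
"""
from typing import Any


class QueryInputError(ValueError):
    """Raised when user-supplied input must not be used in a query."""


def find_user_where_vulnerable(username: str) -> dict:
    """VULNERABLE (the pattern from the talk): user input is pasted into a $where
    JavaScript expression that the server evaluates. Any quote character in the
    input changes the code rather than the data, so the input is executed, not matched."""
    return {"$where": f"this.username == '{username}'"}


def find_user_operator_vulnerable(username: Any) -> dict:
    """VULNERABLE: the decoded JSON value is used directly as the match value. If the
    client sends an object instead of a string, its keys ($ne, $gt, $regex, ...) are
    interpreted as query operators instead of as a literal username."""
    return {"username": username}


def require_plain_string(value: Any, field: str, max_len: int = 128) -> str:
    """Accept only a plain, bounded-length string; refuse objects, lists, numbers."""
    if not isinstance(value, str):
        raise QueryInputError(f"{field}: expected string, got {type(value).__name__}")
    if len(value) > max_len:
        raise QueryInputError(f"{field}: longer than {max_len} characters")
    return value


def reject_operator_keys(doc: Any, path: str = "") -> Any:
    """Defence in depth for any document assembled from user data: recursively refuse
    keys that start with '$' (operators) or contain '.' (field-path traversal).
    Returns the document unchanged when it is clean."""
    if isinstance(doc, dict):
        for key, value in doc.items():
            if key.startswith("$") or "." in key:
                raise QueryInputError(f"operator or dotted key not allowed at {path}/{key}")
            reject_operator_keys(value, f"{path}/{key}")
    elif isinstance(doc, list):
        for index, item in enumerate(doc):
            reject_operator_keys(item, f"{path}[{index}]")
    return doc


def find_user_safe(username: Any) -> dict:
    """HARDENED: typed input, an equality match instead of $where (no server-side
    script at all), and a final check that no operator keys slipped in."""
    name = require_plain_string(username, "username")
    return reject_operator_keys({"username": name})


def classify_input(value: Any) -> str:
    """Report whether the hardened builder accepts a value; handy for logging and tests."""
    try:
        find_user_safe(value)
        return "accepted"
    except QueryInputError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs: a normal name with an apostrophe, and a JSON object
    # of the kind a client could send instead of a string.
    for sample in ["o'brien", {"$ne": None}, "x" * 200]:
        print(repr(sample))
        print("  $where builder  :", find_user_where_vulnerable(str(sample)))
        print("  raw-value builder:", find_user_operator_vulnerable(sample))
        print("  hardened builder :", classify_input(sample))
```

The apostrophe case shows the core problem: the `$where` builder turns `o'brien` into the broken JavaScript `this.username == 'o'brien'`, so the input is being parsed as code, while the hardened builder keeps it as plain data in an equality filter. Disabling server-side scripting, as the talk suggests, removes the first class of bug entirely; the type check and operator-key rejection are still needed for the second.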