The hack itself is alarmingly simple. In versions >= 2.6.0, MongoDB includes a default configuration file that binds MongoDB to 127.0.0.1 by default. As a result, the database will only listen to local connections.
Before version 2.6.0, that wasn’t true. By default, MongoDB was left open to remote connections. Authentication is also not required by default, which means that out of the box installs of MongoDB before version 2.6.0 happily accept unauthenticated remote connections.
Users could still restrict access to local connections if they took the time to configure the install, but that meant manually adding a line to their mongodb.conf file. Since that wasn't the default configuration, many existing installs never included this critical step.
Making matters worse is that it’s easy to identify potential MongoDB attack candidates. MongoDB’s default port is 27017. Using a search engine such as ZoomEye, you can query for MongoDB installs, see what port they’re available over, and find around 100,000 vulnerable candidates.
The vulnerability itself is hardly new. The issue was first raised back in 2012 and released somewhere around 2015. Also, in early 2015, John Matherly made some noise when he reported finding around 30,000 insecure installs of MongoDB. In other words, this is something that everyone could have known about for a while.
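The two settings the quoted piece turns on are the bind address and whether authentication is enforced. The following is an added example for this thread, not code from the article or from MongoDB: a small audit that reads a mongod config in either the legacy `key = value` style (pre-2.6: `bind_ip`, `auth`, `noauth`, `port`) or the YAML style that replaced it (`net.bindIp`, `net.port`, `security.authorization`) and reports the exposure the article describes. The three sample configs are constructed for the example. It only inspects the file: it does not connect to anything, and a host firewall in front of 27017 is outside what it can see.

```python
"""Audit a mongod config for listen address and authentication (added example)."""
import ipaddress


def _is_loopback(addr):
    """True for 127.x, ::1 and the literal name localhost."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_mongod_conf(text):
    """Return {'bind_ip': [...], 'auth': bool, 'port': int} from either config style."""
    bind_ips, auth, port = [], False, 27017
    section = None  # current top-level YAML mapping (net, security, ...)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indented = line[0] in " \t"
        # legacy lines use '=', YAML lines split at the first ':'
        sep = "=" if "=" in line else ":"
        key, _, value = line.strip().partition(sep)
        key, value = key.strip(), value.strip().strip("'\"")
        if not indented:
            section = key if value == "" else None
        if key == "bind_ip" or (indented and section == "net" and key == "bindIp"):
            bind_ips = [v.strip() for v in value.split(",") if v.strip()]
        elif key == "port" and (not indented or section == "net"):
            port = int(value)
        elif key == "auth":
            auth = value.lower() == "true"
        elif key == "noauth" and value.lower() == "true":
            auth = False
        elif indented and section == "security" and key == "authorization":
            auth = value.lower() == "enabled"
    return {"bind_ip": bind_ips, "auth": auth, "port": port}


def audit(text):
    """Return a list of findings; an empty list means both settings are safe."""
    cfg = parse_mongod_conf(text)
    findings = []
    if not cfg["bind_ip"]:
        # with no bind address, mongod listened on every interface (the binary
        # default until 3.6 changed it to localhost)
        findings.append("no bind address set: mongod listens on every interface")
    else:
        exposed = [ip for ip in cfg["bind_ip"] if not _is_loopback(ip)]
        if exposed:
            findings.append("port %d reachable on non-loopback address(es): %s"
                            % (cfg["port"], ", ".join(exposed)))
    if not cfg["auth"]:
        findings.append("authentication not enforced: remote clients need no credentials")
    return findings


# constructed sample: what a pre-2.6 install commonly looked like
WEAK_CONF = """dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
logappend = true
"""

# constructed sample: the same install with the two fixes the article describes
HARDENED_CONF = WEAK_CONF + """bind_ip = 127.0.0.1
auth = true
"""

# constructed sample: 2.6+ YAML style, deliberately exposed on a LAN address but with auth on
YAML_CONF = """net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("yaml", YAML_CONF)):
        print(name, audit(conf) or ["ok"])
```

Run it against `/etc/mongodb.conf` (legacy) or `/etc/mongod.conf` (YAML) on a suspect host; a clean result still says nothing about what the network allows, so pair it with a port check from outside the box.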
That's not a vulnerability, that is STILL a half-configured system AND no firewall on the server. And MongoDB 2.6 is relatively old, we are on 3.3 these days. This is a database cluster component, not a complete database piece on its own. Whatever "security" professional is writing this piece clearly isn't aware of what they are writing about. What they write is half true, 27017 is listening on 0.0.0.0, but it does so for a reason and is only vulnerable in places where someone did not finish setting up their database AND their server. It's not a vulnerability in the product.
This is where credit fraud protection comes into place, and class action law-suits start for all of the declined claims from people who have had their credit cards used illegally, and the bills not dropped by Visa.
I'd be surprised if there aren't already commercials on TV for "Do you have a Visa credit card? Has your credit card been used without your consent, and the charges not dropped by Visa? Call us now, you may be entitled to X."
Call J. G. Wentworth! 1-877-CASH-NOW....
Sorry... I'll see myself out now.
Let's all jump on board for lawsuits that only make the lawyers money!
Fixed it. You had used the tags incorrectly. You can only use that on unbroken paragraphs. You had it on a big block of text that had paragraph breaks in the middle, so there was no open/close tag pairs.
Ah, well, good thing that wasn't a rattlesnake, I'd be dead.
Seagate Technology plc (NASDAQ: STX) today introduced the ClusterStor® 300N storage system with Nytro® Intelligent I/O Manager, the newest addition to its family of scale-out storage systems for high-performance computing (HPC) and the first with a flash cache accelerator.
Powered by the software-based Nytro Intelligent I/O Manager, the ClusterStor 300N seamlessly runs multiple mixed workloads simultaneously on the same storage platform, eliminating performance bottlenecks that can result when data demands outpace what the existing storage architecture can accommodate. As a result, organizations can use it to automatically support multiple applications that generate a diverse range of I/O workloads on the same storage platform without negatively impacting performance. It's particularly suitable for the kinds of mixed and unpredictable workloads found in many of today's most demanding, data-intensive HPC applications like seismic processing, financial transaction modeling, machine learning, geospatial intelligence and fluid dynamics.
Ideal for organizations seeking both peak performance and cost efficiency when managing large data sets at scale with unpredictable workloads, the ClusterStor 300N represents the convergence of Seagate’s market leading enterprise class hard drives, innovative solid state designs and the industry’s most sophisticated system software within a platform purpose built to help organizations manage and move massive amounts of critical data while maintaining workload efficiency and minimizing the cost per terabyte. The Nytro Intelligent I/O Manager software delivers up to 1,000 percent input/output workload acceleration over traditional HPC storage systems and can quickly scale to accommodate any workload at any time.
“Maximizing value of data in the kinds of extraordinary environments represented by supercomputing is all about being able to handle extreme, unpredictable storage bandwidth and capacity needs at scale,” said Ken Claffey, vice president and general manager, Seagate HPC systems business. “Seagate’s ClusterStor 300N expands on our proven, engineered systems approach that delivers performance efficiency and value for HPC environments of any size, using a hybrid technology architecture to handle tough workloads at a fraction of the cost of all-flash approaches.”
The ClusterStor 300N is architected specifically as a common platform for both the ClusterStor Lustre® and IBM Spectrum Scale™ storage systems, as the L300N and G300N respectively.
“With a long track record of mission-critical HPC deployments and support, Atos Extreme Computing is excited to extend its support to Seagate’s new range of Nytro Intelligent I/O Manager -based ClusterStor appliances,” said Eric Eppe, head of products and solutions, Extreme Computing, Atos. “We believe Seagate’s 300N appliance will help our HPC customers solve their most data intensive workloads and data hierarchy issues in a comprehensive, yet more efficient way.”
“The 300N offers the density, extreme bandwidth, low latency and simplified manageability that our customers demand in their HPC storage environments today,” said Mike Vildibill, vice president, HPC Storage, Hewlett Packard Enterprise. “New storage innovations like the ClusterStor 300N are critical for answering these demands and maintaining a high level of performance across a wide range of workloads.”
The 300N will be widely available in January 2017. Learn more at Seagate's booth #1209 at the Supercomputing 2016 conference in Salt Lake City, Utah, Nov. 14-17. Other Seagate technology demonstrations at the event will include the highest-density 720 terabyte, two-rack-unit (RU) Lustre storage system technology configuration, making it possible to build the world's first 15 petabyte, 42RU system, as well as a single NVMe over Fabrics, 24-drive all-flash array shared storage system delivering 4.8 million IOPS with single-digit microsecond latency.
The ClusterStor family architecture is built on Seagate’s field-proven, enterprise-class hard drives and high-performance parallel file systems such as Lustre and IBM Spectrum Scale. Combining superior performance with ultra-efficient scalability, the ClusterStor family includes the new ClusterStor L300N and G300N, as well as the ClusterStor A200 Active Archive, ClusterStor L300, ClusterStor G200, ClusterStor 9000, ClusterStor 1500, ClusterStor Secure Data Appliance and Hadoop Workflow Accelerator for ClusterStor’s architecture.
Active users of mobile banking apps should be aware of a new Android banking malware campaign targeting customers of large banks in the United States, Germany, France, Australia, Turkey, Poland, and Austria. This banking malware can steal login credentials from 94 different mobile banking apps. Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication. Additionally, it also contains modules to target some popular social media apps.
Defeats two factor authentication!!
Honestly, any vendor using Flash is just asking for this.
SMS has never been a secure factor. Easy to intercept on wireless networks, even more so on smartphones where a malicious app has access to the GSM modem or messaging API.
Just confirmed this works on Ubuntu as well. I imagine that means Mint would also work, but have not confirmed Mint yet, and probably will not as the only installs of that I have are workstations that don't require quite the same level of monitoring.
I've got it installed, and backing itself up, but the first client system is throwing errors on me. Firewall ports are open and services running according to the guide here. It'll be this afternoon before I can get around to looking at the error logs.
Verizon closing down a number of call centers... as if their customer service wasn't already terrible enough. One of the call centers is apparently in Rochester, NY. Your job market just got even worse.
They will probably open a new one. In Romania. Or even worse, in Egypt. Seen that before
Romania is way more technical than Rochester
This is true. Had a Romanian guy try to install some remote control software on my family's computers back in the mid 90s. Software was in Romanian. That was the last time I let anybody near a computer that was mine and left them alone, unsupervised.
And are you saying if it is over 2TB you cannot thin provision?
That's the issue, thin provisioning is limited currently to 2TB or smaller volumes (VHDs.)
Wait, is it 2 TB volumes as in ext3 partitions, or is it 2 TB VHDs?
That was another thing people are always clamoring about with XS ... the lack of VHDX.
I think it's ridiculous that it's not in 7. VHDX is over 4 years old. Even worse, QCOW2 is something like 10 (or more) years old, and has almost a 9 EB limit.
The limitation on the partitions sizes is because of the use of snapshot functionality. Imagine having a 9EB array and partition, and then trying to perform a snapshot on it.
VHDX has the same limit (or similar). No one would really have an image that size, but it would be compatible with every other system. And snapshots wouldn't take any longer. It creates a new file and writes to it and reads from the old one.
I had to try and find a key for QuickBooks here, what a nightmare. Didn't have the login for their online site, and getting a confirmation sent by phone was impossible due to them only being able to send a text message to the registered phone on the account, or an automated call. The phone is an IP phone that can't get texts and is answered by an attendant, so neither of those worked.
So I had to call them. Or it, rather. Had some very nice and unhelpful computer voice tell me to talk to it like a normal person. Not happening. Hitting 0 doesn't work. Infuriated, I hung up and proceeded to search through years of old email to find the key. Eventually found the key in an old file folder in a file cabinet.
Really wish we could get away from it.