Attacks on Unsecured Databases

Imagine that you’re a researcher doing some data analysis for your company. You run some queries or load some data and then go home. The next day, you come in and find that all of your data has been deleted. Perhaps you’re the victim of a Meow attack, where people look for unsecured databases and wipe them out. If you read the comments, many of them indicate this may be considered a public service.

I think I agree with that, and here’s why. If you put up data about me in a system and don’t secure it, I’m not sure you should be trusted with the data. The article notes that UFO VPN was a victim. They got caught not only with an unsecured database, but one that had data that wasn’t supposed to be logged, including passwords. They moved their data to a new database, also unsecured, and a Meow attack wiped it out.

While I understand this might cause a company to fail and affect employees who hadn’t made the decision to store this data and ignore security, I don’t think that the world overall is worse off because their data is gone. I’m also not sure that the employees are worse off, as I’d suspect fines or other legal action might have wiped the company out anyway.

I know some university groups may lose data that is difficult or impossible to recover. I know some companies might be irreparably harmed. However, I also know that it’s 2020 and there is no reason to have an unsecured set of data available to the public. Whether it’s a database, a file-share service, or anything else, security needs to be provided for data.

Like many of you, I do use some services in the cloud to share files. I also find it maddening that most public access has been revoked and I need to specifically invite people, set passwords, and more to easily share things. However, that’s what we need to do in an interconnected world where we have personally identifiable and sensitive data. We need to secure it.

I’m glad SQL Server doesn’t allow blank passwords for sa, and I hope that no one allows simple, easy passwords on their systems. It is convenient, but the price your organization might pay for this convenience could put them out of business. It’s also a large price to ask someone whose data you have to pay if it impacts their life.

Steve Jones

Listen to the podcast at Libsyn, Stitcher or iTunes.

About way0utwest

Editor, SQLServerCentral

1 Response to Attacks on Unsecured Databases

  1. Eitan Blumin says:

    Now that you’ve convinced us that it’s important to secure our databases, the next step is to learn how to do it 😄.

    I recently published a blog post about this topic:

    https://www.madeiradata.com/post/how-to-protect-sql-server-from-hackers-and-penetration-tests
