Navionics Marine Navigation, owned by Garmin, has accidentally exposed the personal data of thousands of boat owners through a misconfigured MongoDB server. The exposed data was found by a security researcher at Hacken.io.
“Just when you thought it was safe to go on the water, even there you can be exposed, as this latest news demonstrates. Monitoring and securing data is a difficult task, as most companies are finding out. Patching vulnerabilities and reviewing security architecture and authentication are not a checkbox, but an ongoing process. Consumer data has been going through the meat grinder lately with the number of exposures, attacks and information that has been stolen by cybercriminals. Once this information falls into the wrong hands it is used to make synthetic identities, and to take over identities and accounts. To stop relying on static data that could have been stolen, companies are implementing layered defenses that include passive biometrics and behavioral analytics to identify consumers by their behavior. By doing so, inadvertent mistakes like a misconfigured database exposing personal information won’t put the victim’s identity at risk.”
Adam Brown, Manager of Security Solutions at Synopsys:
“The vulnerability that has resulted in this breach isn’t something that is peculiar to marine technology, which we have seen a lot of noise about this year. Instead, it is a systemic failing that many organisations across all verticals fall foul of when using cloud infrastructure. There are sometimes assumptions about cloud security that can leave security gaps. These assumptions do not consider the shared responsibility model necessary for security when using cloud providers. While the cloud provider is responsible for securing the infrastructure hardware, the software running on it and the configuration of that are still the responsibility of the organisation that uses it.
Security Misconfiguration is common enough to have made it to #6 in the OWASP Top Ten, and this is a premium example of that. MongoDB ships by default with no access control enabled; it needs to have users created, otherwise it remains wide open. I would strongly recommend any cloud user organisation to undertake a cloud security configuration review. The use of standard techniques like penetration testing may fail to detect these implementation defects, as many cloud providers’ firewalls/load balancers will simply deflect penetration test efforts.
Over and above this all software editors should have a deliberate, defined and supported effort for software security – a successful one would prevent terrible errors like this in future.”
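As an added example (not code from the article, nor from Navionics or Garmin), a small Python check for the two mongod.conf settings the quote above points at: it parses the config and flags access control left disabled or the listener bound to every interface. The sample configurations are constructed for the example.

```python
# Added example: audit a mongod.conf for the settings behind most exposed-MongoDB
# incidents: access control off (security.authorization) and the listener bound to
# all interfaces (net.bindIp / net.bindIpAll). Minimal parser, no PyYAML needed.

def parse_mongod_conf(text):
    """Parse two-level 'section:' / '  key: value' lines into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")   # first colon only (keeps '::1')
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key.strip()] = value.strip()
    return conf

def audit_mongod_conf(text):
    """Return finding codes; an empty list means both checks passed."""
    conf = parse_mongod_conf(text)
    security, net = conf.get("security", {}), conf.get("net", {})
    findings = []
    # MongoDB ships with authorization off; every client reaching the port is then admin
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("AUTH_DISABLED")
    # Binding to all interfaces exposes the port to whatever the cloud firewall lets in
    listeners = {ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")}
    if net.get("bindIpAll", "false").lower() == "true" or listeners & {"0.0.0.0", "::"}:
        findings.append("BIND_ALL")
    return findings

# Constructed sample: the wide-open shape behind incidents like this one
OPEN_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: access control on, listener limited to loopback and one private IP
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""
```

Run `audit_mongod_conf` over each host's mongod.conf as part of the configuration review the quote recommends; the open sample yields both findings, the hardened one none.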