
Let's get started. Um, yeah, I think [unclear] Vienna, and that is always at the end of the year, like the last two editions already. Um, and yeah, I'm from Vienna. I always describe Vienna as the city of ... come on, no, no ... yes, [unclear] food, you know what is up with you, architecture and classical music. Yeah, but it's the only way we can win anything around [unclear] anymore.

So I work for Elastic, the company behind Elasticsearch and the Elastic Stack, and I'm part of the infrastructure team, so internal tooling, AWS, Docker containers, all these things, and then, I always say, and this is a Unix pipe, I kind of pipe that into developer advocacy. So I'm doing lots of conferences. If you have any questions, articles, whatever, come to me quickly, because I need to head to Russia in the afternoon. And yeah, I was running some meetups in Vienna, one about databases and one, Papers We Love. Do you have a Papers We Love Munich group here? It's kind of a worldwide thing: you read an academic paper each month and then you just discuss it, like the study group you hated at university, you kind of do it voluntarily now.

And yeah, so I guess everybody knows that one, little Bobby Tables. So NoSQL, not only SQL, where you generally don't have SQL, so without SQL, no SQL injections, right? Problem solved. Who thinks that it's kind of true, like there is no way ... obviously no SQL injections without SQL? Anybody? OK. We will see.

Um, so let's talk about MongoDB, because it's the most widely used one, and because it's web scale, maybe, if people still remember that one. In the heydays of NoSQL there was this comic making fun of MongoDB, like, oh, you need to use it because it's web scale, and throw away your SQL database. Yeah, stuff has changed since then, but it's still the most widely used, so let's see how it goes there. So SQL injections, probably not, since there is no SQL, but you can do stuff like that. If anybody still remembers Diaspora, that was, lots of years ago, the Facebook killer or whatever, the decentralized social network, stuffed with [unclear] of venture capital, I think, and then nothing ever got out of it. But if you're interested, there are articles; for example, I think it was Ruby, and they had stuff like that. So they have defined $where, where you kind of define a condition for MongoDB, and then they just throw a string against it. And while it's not a SQL injection, obviously, that is a script injection: whatever you put in there, you can just, yeah, close whatever they're doing and run some other arbitrary script there. So don't do that. That was found in the Diaspora code; they got rid of that eventually, but it didn't help them, they didn't really make it.

So stuff you should watch out for if you write MongoDB queries, for example, is these: db.eval is kind of the obvious one, but the others as well. Like, if you run any of these and you pop in some strings, you just do it down the string concatenation, you probably have injection problems, or you could have them, because it's just running some random script. Don't just take that, and sanitize. You can turn off scripting, and I don't really know why it's enabled, because it's normally really bad performance-wise and security-wise not great either. But yeah, you can either pass it as a parameter to the mongod process, or you can just disable the scripting in the config, or you can, if they have these weird CodeWScope blocks, like you can put script into that and it's properly escaped. I've never tried that, but normally it just seems ... scripting in any database, like, why would you even have scripting in a database?

And then we had something from [unclear], 2015, when they just scanned the internet for open MongoDB databases and found quite a lot of them. And as it often happens, academia is first, and then it takes some time to actually get out to the real world, and probably in January this year it was pretty much that's far, when people started ransomware attacks on these data stores. So they would hopefully back up the data somewhere, then delete it and leave a note that says: pay that amount of money and you will get your data back. So from what I heard, sometimes they don't actually take the backups, they will just delete your data and leave the message, and yeah, if you pay, you're not getting your database. Um, but that's just incidental. So that is not what you want.

Um, quick show of hands: who thinks that MongoDB only binds to localhost? Nobody. But they do, in recent versions; like, I think they changed it two or three years ago already. So it was kind of a learning experience: before, they bound to all interfaces, just to be easy to get started, but for two or three years they have been binding just to localhost by default. So anybody who can be attacked over the internet actually changed that setting at some point. Who thinks that authentication is enabled by default? Unfortunately, that is not the case. So the protection is: they bind just to localhost, and if you change that, you're supposed to change the authentication as well, and obviously nobody does it.

So let's see, what do they even have? Do they even have something like authentication and authorization? Um, yes, but you need to enable it with --auth, which is not that hard. They had one implementation previously, which was the challenge-response thingy, and in more recent versions they have a new implementation called SCRAM-SHA-1, which seems, just from looking at it, very solid, using an official standard, and they've added some nice features. So you have stuff like: you can define the iteration count for hashing, you have a salt per user now and not only per server anymore, they have finally gotten rid of MD5, and also the server authenticates against the client and not only the other way around. So that looks very promising; you just need to use it.

And just to show you, unfortunately it's a bit of a dance around the system to get it started. So these are the predefined roles. There are lots of roles, you can just use them, you can create your own, maybe even too many, because it's a bit confusing. Ah, but how do you enable them? So normally what you would do is you start your process with --noauth, so you can log in for the first time, and that's pretty much the default parameter, and then you can just say: I'm creating a user, fill in your password, and I have the role root on the admin database. And then you exit it. So first you create the user and you exit it, then we start it again, that's the first line, and instead of --noauth we're just saying --auth, so we're all authenticating against it now. If I then just do the mongo ... so mongod is always the server process and mongo is the client process. So if I use mongo localhost/admin, I'm trying to connect to the MongoDB process on localhost, on the default port, to the admin database. If I run any command, like show dbs, it will throw me an error, because you're not authenticated; now you really need authentication. So we're trying again with that line; I'm actually providing my user, it will ask interactively for a password, and then I can create another non-admin user who can read test A and readWrite test B. And then we can leave that again, because you probably don't want to use the real admin user for anything, because as soon as somebody gets that, you're done again.

So then we have authenticated, and with this line, what will work here, what do we have in here? Any guesses? So we have set read on test A and readWrite on test B. So we're connecting to test A, we're trying to write something, that will fail; then we're switching the database, here it will work; then we're switching to the database in the example, yes, we can write, we can read; then we're switching to the C database. Can I even switch to the C database, do you think? Yes, you can, unfortunately. That makes scripting pretty difficult, because you can switch to a database, but you don't have any permissions on it, and so here it will only fail if you do a find. So yeah, but that is kind of the dance you need to do to create the root user and to create a dedicated user for whatever you want to do, and then you can use it in a secure fashion.

SSL, as far as I know, is still commercial, but the commercial part is only, like, the binaries don't contain it, but the source code does. So if you compile MongoDB from source yourself, you can have SSL support. Yeah, everybody needs to make money somewhere. I find it a weird decision, but yeah, anyway.

Continuing to Redis: anybody using Redis? It's so simple and nice, right? And it has some very unique security features. Do you think it binds to all interfaces? Who thinks yes? Who thinks no? So it does, but with a little trick. Um, since a pretty recent version, like a year ago, they added something called protected mode. So it will bind to all interfaces, but it will only respond to queries on localhost with the actual result, and for remote users it will just throw a message like, oh, you're not properly authenticated and you're a remote system, fix that. So it's not not working, but it's not working correctly either; it's just showing you what you need to do, which I find actually kind of a user-friendly approach: it's not just blocking you, but it will tell you, OK, you need to change that to work. But by default it will bind to all interfaces.

And yeah, they have something like authentication, but there is no authorization, or, like, it's pretty binary, yes-or-no access. And even in their documentation they call it a tiny layer of authentication, which I find a very nice quote, like, so tiny because it nearly doesn't exist. So what you can do is you can say AUTH password, if you have set a password in the Redis configuration file, and then you can run your command. Problem is, the password is stored in plain text in the redis.conf, I think it's also transmitted in plain text, and there is no SSL encryption or anything by default, and there's also no rate-limiting. So Redis is very fast, so you can also run this AUTH command very fast, so you can pretty much just start brute-forcing that one password there. Yeah, but that's the authentication they have.

And the other feature I find very nice is hiding commands. So you set it in the configuration again, and you need to restart the server to change that. It's a bit security through obscurity. So what they have is, if you have the command CONFIG, you can say rename the command CONFIG to my-secret-config-name. So it's just like the command is still there, you just don't know what it's called. And one common approach is that you take the command's name, add some salt and then just MD5-hash it, and then you know, OK, that is the hash, and if I use that hash I'm actually using the command. Yeah, but since the networking is not encrypted, anybody listening on the way can just see what you are calling. But yeah, you can rename commands, which is an interesting approach. What might make more sense is that you can kind of remove commands: you can just say they have an empty name, and then they're gone, then you cannot access them anymore. So that is kind of their approach of removing features or limiting the use of specific features, and there are some commands they normally advise you to remove. So they have commands which make sense for test servers, where you just drop all the keys you have in your key-value store, but probably that's not what you want in your production system. And there is support for Lua scripting, and obviously don't pass in random Lua scripts, otherwise that stuff would happen. OK.

And Elasticsearch, well, where are we? Um, we have had some security issues over the years. Um, yeah, they are on our website, so we try to document them as publicly as possible. And if you take a closer look, um, these are the most severe ones, and they were related to scripting, that somebody could break out of the sandbox. So in the beginning we had Groovy scripting, because, since Elasticsearch is written in Java, that was very easy to add, and to abuse. And Groovy scripts are very hard to contain; Groovy is a general-purpose programming language, you can do lots of interesting stuff, and that turned out to be very hard to contain to a sandbox. And for example an ex-work colleague of mine, he once had an Elasticsearch server running somewhere, and yeah, somebody, I don't know which one, probably the middle one, the Groovy sandbox escape, somebody took over his box and started spamming the world. I think it was sending so many mails he couldn't even SSH into the box anymore, because the connection was so unstable. Yeah, so that was kind of a problem, and Elastic was, kind of, like, maybe we should do something, it's not the way we want this to go.

So we added something called Painless, to literally take the pain away. So Painless is our own scripting language, and yeah, so we hired a developer and we put him into [unclear] for a year, and he developed Painless there, because there are not enough scripting languages, you can always have n plus 1, and Painless is our n plus 1. And he even wrote a blog post afterwards about why we wrote a brand new language when there are always so many out there; we still did, because we kind of thought it was worth it, or because we thought that there are no really good alternatives for that. So there are two goals: security and performance. Security: no more CVEs on sandbox escapes in scripting, if possible. And performance: the problem with Groovy scripting is, I think it's interpreted every time it runs, so there is an overhead to that, which we want to get rid of. And so those were the two main goals of writing a custom scripting language.

So just to give you very quickly a sample of what that looks like: the top line is a document, and I have played in some, I don't know what it is, OK, no, I don't know, I scored, like, I played three games and I scored some goals, and I am from many cities. And now in our scripting language you want to know: how many goals did I score in total? So it looks pretty familiar, and the only thing that might be weird is that you take the input document, doc, that targets the document we have set up there, and use goals, yeah, and then we iterate over that and we just add all the goals we have, and that is our final result. So the point is to just have a general-purpose language which cannot escape the sandbox. And therefore it has some features which don't really make much sense, or too much sense, if [unclear] security concepts, unless, unless ... So we have method- and field-level whitelisting, so only certain stuff that we think makes sense is allowed, because that bit us in the past. So you cannot say Class.forName to just load any random class you have on the classpath and then do stuff with it. So only kind of sensible stuff is allowed, and everything else is forbidden, so you should not be able to escape that. And that was kind of the main point of creating that programming language. By now Painless is the default in the current version. We still have the other scripting languages; most people use Groovy, but we support Python and JavaScript as well. So they are deprecated and will definitely go away in the next major version. So anybody doing scripting there, we try to force you into the right path, if that works.

And yeah, and then we have this authentication, authorization and encryption thing. I know it's called SSL; we refactored all the encryption stuff in the latest major release, and I don't really know why, but unfortunately we called the parameters now everywhere SSL, because before we had TLS and SSL mixed, and obviously it is TLS, but we still call it SSL. So don't be confused by that: it's still TLS, we just call it SSL for whatever reason, but it's the same everywhere. And so how does it work out with Elasticsearch? Unfortunately, that is how my salary is being paid, so those are the commercial features we have.

And just to show you how this can end up, let's do something live. So, Shodan, I guess everybody knows ... OK, sorry, I'm trying not to touch anything. I guess everybody knows that, right? You can just find stuff on the internet; it's just scanning what is out there, and then you can try using that. So we can just put in elasticsearch here, and I hope my WiFi ... yeah, so we have some stuff called elasticsearch, but it's mostly for a 401, so they have a reverse proxy in front of that, so that is not going to help us. So we can just start searching for 200, and we should get some more results, and it actually tells us less than 600 results now. And early this morning I tried to log in to those, and most of them are, I don't know, either [unclear] or are probably a honeypot anyway. Like, I'm pretty sure pretty much everything of that is a honeypot by now, so I didn't find anything that was too revealing there anymore. But I guess all the script kiddies have used those up already. So you can just switch to port 9200, which is the default Elasticsearch port, and I'm going for port 9200 now, and that should lead us to more results. The demo gods are not with me. Oh, come on. No, Shodan is broken. Yeah, probably too many results. OK, since I have tried it, I think I have one working IP in my cache, in my command history. So assume the site is up and you get, like, with that search I got, I think, more than a hundred thousand results. You get an IP, and now we're just looking, no touching, just looking. Let's see what we have.

So, since Elasticsearch is just providing a REST-based interface, it's very easy to just interact with it with curl; you don't need any fancy tools. I just found the IP address, 54.blah.blah.blah, port 9200, and then I'm using the API _cat, so it's like the cat command line tool, just showing you stuff in a human-consumable fashion, and indices: I'm just interested in which indices does this Elasticsearch cluster have, and the v parameter is just: show me the header information for that as well. And if I run that, it will tell me: we have the index [unclear] and then please_read, and please_read has a document count of 1. So that is kind of the sign that somebody has been here and done something. Let's see what is in that document. So I can copy that ... [unclear] ... yeah, we're very polite. So, um, so this is all REST-based: this is the index we want to use, now I want to search this, and I have a query, just show me everything, and I'm adding a pretty, so it's nicely formatted as well, and we should close there. And if I didn't mistype ... [unclear] ... yeah, sorry, [unclear] ... oh, I edited it, yeah, that was a typo, yeah. And what you then get is something like this. And yes, 0.5 [unclear], I don't know what it is today, 600, 600 euro.

So the problem is there is no guarantee that they have your data, and I've already seen instances, like just a few weeks ago, where there was not only one team or person doing that but multiple ones, and they left different messages. And so kind of somebody deleted your data and left that message, like, please pay that up, and then somebody else left another message. So they didn't remove the one message, like the original ransom message, but they just added another ransom message, and then you probably would end up with two or three ransom messages, and then you will need to decide, like, who was there first, like, who probably has your data, or maybe not, like, you don't really know, and then you can just start paying a lot and hope for the best. Yeah, but let's not let it get that far.

So we've seen those. So the first thing you should do is ... so by default, like everybody else by now, but that also changed like one or two years ago only, Elasticsearch only binds to localhost. You will explicitly need to change the configuration if you want to bind it somewhere else. Just put it on a private network only; like with any data store, there's no real point in having it on a public IP. Put a firewall in front of it, even though, like, people pinged me on Twitter and said, oh, our firewall, kind of, like, we had some bad rules and the firewall was just down for an hour, and somebody still downloaded data during that one hour. So firewalls are also not helping you all the time. And what you can always do is you can add a random port, but again this is more like security through obscurity, which might help you, like, give you a longer chance to avoid problems, but yeah, it's no real solution. And what you can do for free is you can just use a reverse proxy. So since it's all HTTP-based, and everybody has lots of experience with HTTP, you can use nginx, HAProxy, whatever, just put that in front, add basic auth and run that. Or we have an extension for that as well, and the commercial extension can also do stuff like field-level security or document-level security, which you cannot easily do with a reverse proxy. And that is part of the cluster already, because one other common scenario where people have problems is they had their nice little proxy somewhere, but then there was some other way around that to access the data store, and yeah, the proxy didn't really help them.

And if something bad happens ... and please make backups; like, if you don't have backups, you shouldn't be in charge of anybody's data anyway. So you can always re-index from another source, or just restore a snapshot if you've taken one, and it's the only way to guarantee to get your data back. Like, from what I thought, the chances, if somebody removes the data, might not be that great. Even though, from the instances you can find now, most of them are just forgotten test instances or honeypots anyway. So I guess there is no point in starting a new ransomware attack now, if anybody feels very motivated; I guess these feeds have been harvested pretty well by now.

OK, to conclude: um, yes, injections are still a thing, even though NoSQL doesn't have SQL, or some have added kind of SQL-like interfaces by now as well, but injections are still a thing. Don't pass in any unescaped stuff that is just executed in the data store. That is more something for the providers or vendors, like, please enable security, but I guess this is pretty much a learning experience. MySQL didn't have authentication and authorization in the beginning, then it didn't have that enabled by default, and I think the NoSQL world is kind of going through the same cycle as well, where at first you don't have much, then you just bind to localhost, and at some later point you decide, OK, maybe we need to enable this security. Security through obscurity can be interesting or not. Like, with Redis I'm always a bit torn: hiding the commands, that's kind of a cool feature; on the other hand, I find that just answering queries on localhost, and for remote queries just showing you, you know, fix that and configure that, that is kind of an interesting approach. Yeah, at Elastic we think that custom scripting can make sense; so far we didn't have any security issues yet, we'll see what time brings in the long run. Yeah, and it's just, I guess, a development thing: like, most of the relational databases have been around since the 80s and had lots of security issues over the years, and NoSQL is kind of going through the same growing pains, I would say, just a learning experience, ah, which you unfortunately cannot really fast-forward; somewhere you need to pay that price.

Yeah, I don't know, I have lots of stickers here if you want some; that's one of my main obligations, distributing stickers throughout Europe. Do you have any questions? By the way, who is using MongoDB? Who admits it? OK. Redis? OK, that is more. Elasticsearch? OK, very nice. Um, hey, has anybody been ransomed? No? I'm always interested in stories from the field. Any questions? Well, OK then.

OK, I have a few questions. OK, so you just talked about how a single database or database systems have sort of a hardened ... can meet a security model that's grown over time naturally. And so my question for you is this: you talked about authentication schemes, and you sort of glossed over the Elasticsearch authentication scheme. What are some of the features of the authentication scheme there?

So, this is basic auth, basically. So yeah, you have to pay; if you have the paid version, you get TLS encryption, but mostly basic auth, and then you can limit that down to indices, like the index was the please_read thing we've seen, or, in the highest plan, you could even limit this down to fields. So you could say, OK, everybody can see all the fields of employees, but only the management can see the field salary. So you could limit that, or just documents, where you could say stuff like, everybody can see all the documents, but if the [unclear] was over ten thousand euro, only this is [unclear]. And that, for example, is not in a reverse proxy in front; that is really part of the cluster, and there is no easy way to circumvent this. So we have stuff like [unclear], but there is [unclear], you cannot work around that in any way.

And then my next question would be: as a pentester, I would be interested in ... OK, so you have an authentication scheme that I can't quite find a flaw in. So do you have brute-force protection?

Oh, nothing I'm aware of.

OK, then my next question would be ... OK, as a pentester I have the next question: do you have a way to set up a password policy, such that people actually create [unclear] for basic authentication?

Yes ... let's think about it for a second ... so, must be 13 characters long at least, mixed case, numbers, special characters? I don't think so, but it's only a REST API, so depending on how you interact with it you can set up your own. Like, we can hook into LDAP or Active Directory, like, we can reuse that, so if you have a password policy, it will just reuse that. Actually, no, I don't have [unclear], and yeah, it would take two minutes to [unclear]. We have a web interface; I'm not sure if we can set up a password policy there, and [unclear], just like whatever you had in there is manageable, but [unclear] such policies in relational databases?

Thank you. Yeah, for example MySQL, you can set up a password policy, it has a plugin [unclear].

I'm [unclear] ... if you came in [unclear]. OK, does anyone else have any questions?

[unclear] sorry, certificate [unclear]?

Yeah, but where would you pin it on? In your application? I mean, that's, yeah, that's up to your application then. I mean, it's not a browser, so you cannot use browser certificate pinning.

No, I mean, well, [unclear] is just like a server, so, like, when you come again, then you just [unclear] ...

Yeah, but that's pretty much part of your client application, right? That would need to be implemented in your client application.

Yes, [unclear] from somewhere, but when you get the [unclear] back with the certificate as well, then ... but I think he's talking about HSTS, [unclear].

Yeah, but setting HSTS, like, in a client application, no, because HSTS would be on the server. Certificate pinning ... well, he's talking about the certificate thing. Yeah, [unclear] the header and the reporting [unclear] ... you should be able to [unclear] ... so if there is a way to insert the header, [unclear] you can implement [unclear].

Yeah, [unclear], you're talking about security, but including this Shield?

Yes, so we kind of did a renaming strategy. In the beginning, before 5.0, everything was called after the Marvel comics and stuff, so it was called Shield, Marvel, et cetera, the products, and we kind of renamed that to more generic, boring names. And so what was Shield is now Security, and what was Marvel is now Monitoring, because it's like Shield kind of makes sense for people, but Marvel, it was not really obvious what Marvel is doing, and Watcher was the alerting thing, and it's called Alerting now. So yeah, what was Shield is now Security; um, that's kind of the rebranding there as well.

Yes, [unclear]?

OK, so internally it doesn't talk REST; it has its own binary protocol. So 9200 is the REST API which you expose to the outside, and the internal communication is 9300; that's just a binary protocol, and that uses the security internally as well, but it's not basic auth, because it's not REST anymore.

How does it know [unclear]?

It uses [unclear]; you have the credentials as well inside the cluster.

[unclear]

Yeah, so there are generally two ways to set this up: you can either have a configuration file, but that is not very convenient to add new users, or you can use the REST interface, and then it's kind of stored inside Elasticsearch, so we have a special index keeping the users and credentials. So you don't always need to edit files, especially if you have lots of servers; you don't want to edit files on all of them, that can be cumbersome.

Any more questions? Thank you very much.

Thank you. [Applause]
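As an added example that is not part of the talk, the following Python script audits a mongod.conf and a redis.conf for the weak settings the speaker walks through (binding to all interfaces, authorization off, server-side scripting left on, no requirepass, dangerous commands neither renamed nor disabled). The two parsers and the list of dangerous Redis commands are assumptions of this example, not PyYAML or either project's own configuration loader.

```python
# Added example (not from the talk): audit a mongod.conf and a redis.conf for the
# weak settings discussed above. The parsers are deliberately minimal and
# hypothetical (no PyYAML, no Redis config loader) and assume no '#' inside values.
import shlex

# Assumption: the Redis commands worth renaming or disabling outside test servers.
DANGEROUS_REDIS_COMMANDS = ("FLUSHALL", "FLUSHDB", "CONFIG")


def parse_mongod_conf(text):
    """Flatten a two-level YAML mongod.conf into dotted keys such as 'net.bindIp'."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw[0] not in " \t":          # top-level section, e.g. 'net:' or 'security:'
            section = key
            if value.strip():
                out[key] = value.strip()
        else:                            # indented option under the current section
            out[f"{section}.{key}"] = value.strip()
    return out


def parse_redis_conf(text):
    """Collect redis.conf directives as {name: [args, ...]}; a quoted "" becomes ''."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = shlex.split(line)
        out.setdefault(name.lower(), []).append(args)
    return out


def audit_mongod(conf):
    """Return findings for a flattened mongod.conf; an empty list means hardened."""
    findings = []
    bind_ips = [ip.strip() for ip in conf.get("net.bindIp", "127.0.0.1").split(",")]
    if conf.get("net.bindIpAll", "false").lower() == "true" or "0.0.0.0" in bind_ips:
        findings.append("mongod listens on all interfaces (net.bindIp / net.bindIpAll)")
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("authorization is off, every connection has full access (security.authorization)")
    if conf.get("security.javascriptEnabled", "true").lower() != "false":
        findings.append("server-side JavaScript such as $where is on (security.javascriptEnabled)")
    return findings


def audit_redis(conf):
    """Return findings for a parsed redis.conf; an empty list means hardened."""
    findings = []
    binds = [args[0] for args in conf.get("bind", []) if args]
    exposed = not binds or any(b in ("0.0.0.0", "*") for b in binds)  # no 'bind' = all interfaces
    protected = conf.get("protected-mode", [["yes"]])[-1][0].lower() == "yes"
    if exposed and not protected:
        findings.append("reachable from remote hosts with protected-mode off")
    if "requirepass" not in conf:
        findings.append("no requirepass, so every client that can connect may run any command")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in DANGEROUS_REDIS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} is neither renamed nor disabled (rename-command)")
    return findings


# Constructed sample configs: the state the talk warns about, and a hardened one each.
WEAK_MONGOD_CONF = "net:\n  bindIp: 0.0.0.0\n  port: 27017\n"
HARDENED_MONGOD_CONF = (
    "net:\n  bindIp: 127.0.0.1\n"
    "security:\n  authorization: enabled\n  javascriptEnabled: false\n"
)
WEAK_REDIS_CONF = "bind 0.0.0.0\nprotected-mode no\n"
HARDENED_REDIS_CONF = (
    "bind 127.0.0.1\nprotected-mode yes\n"
    "requirepass replace-with-a-long-random-secret\n"
    'rename-command FLUSHALL ""\nrename-command FLUSHDB ""\n'
    "rename-command CONFIG constructed-secret-config-name\n"
)

if __name__ == "__main__":
    for label, text in (("weak mongod", WEAK_MONGOD_CONF), ("hardened mongod", HARDENED_MONGOD_CONF)):
        print(label, audit_mongod(parse_mongod_conf(text)) or ["no findings"])
    for label, text in (("weak redis", WEAK_REDIS_CONF), ("hardened redis", HARDENED_REDIS_CONF)):
        print(label, audit_redis(parse_redis_conf(text)) or ["no findings"])
```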