Bob Diachenko of “Security Discovery” on Finding Exposed Databases and Cyber-Security Hygiene
Bob Diachenko is an independent cyber-security consultant with over a decade of experience in matters of data leaks and responsible disclosures. He is also the owner of "SecurityDiscovery.com," a platform created to help raise awareness on the importance of securing online data systems, and also to provide training on how to do it. Diachenko is often publishing cases of data leaks that he finds online, to remind people of the dangers of sensitive data exposure. Also, his goal is to force the companies responsible for these incidents to adopt better practices, and to apply pressure on the authorities to promote stricter data protection legislation.
Having covered a large portion of these disclosures via TechNadu's news section, we thought that it would be great to have a quick interview with Mr. Diachenko, so here we go.
TechNadu: Tell us a few things about your background, and how did you decide to become a "hunter" of unprotected databases?
It all started with a data breach reported to the company where I worked back in the days. I was part of the PR & Communications department and did not know much about cybersecurity. After that incident, I was responsible for communication with the security community, clients, partners, customers, media, etc. Thus, I learned a lot, however, I never had any deep technical knowledge, and I never wanted to become "a hacker." I always highlight that everything I find and report can be also found by anyone, so anybody has the power to make a difference and make the Internet a bit safer.
TechNadu: Is finding unprotected servers and open databases a purely technical matter (using search engines and indexers), or is there any form of intuition leading you towards certain "realms"?
There is, of course, some magic behind my discoveries, based on experience and gut feeling. I still do a lot of analysis manually and see things missed by automatic scanners and engines. But in my work and researches, I never employ active scanners, everything comes from open and public sources - IoT search engines and Google.
TechNadu: How many unprotected instances and leaking buckets do you discover each month on average, and do you get to disclose everything related to your findings eventually?
Despite all my efforts in responsible disclosure and raising awareness on cybersecurity, the number of unprotected instances I explore monthly remains almost the same it was a year ago. Every week there are 2-3 finds worth reporting. Not everything is disclosed publicly, sometimes it is just me lacking time to cover it all. Perhaps, I need to start my own RSS feed of short disclosure notes to save some time on writing big reports.
TechNadu: Have you ever had a problem with the entity that was responsible for the misconfiguration of an unprotected server? I understand that not everyone appreciates tips, let alone unilateral disclosures.
When I just started doing my researches and alerting companies about their misconfigurations, it was quite a common practice to shoot the messenger. For the last year or so, I don't remember a single similar case, even with smaller companies. Perhaps, that is my reputation now working for me, but I prefer to think that the business community is growing up and becoming more mature when it comes to incident response.
TechNadu: How often the databases you discover show signs that they have already been accessed by malicious actors?
Quite often, these days. Every second discovery comes with a ransom note. The longer a database remains exposed, the bigger the chances that it got destroyed by malicious actors. Some time ago, we deployed a honeypot (unprotected 1GB MongoDB with dummy data) - within 24 hours it was indexed by a search engine, and in the following 48 hours it was wiped out by criminals.
TechNadu: Can you estimate the rate of well-meaning researchers like you, to hackers looking to steal data from leaky buckets on a daily basis?
I know quite a few people who do the things I do, but the number of hackers looking to steal data seems to be much bigger (based on the different signatures they leave in the exposed instances)
TechNadu: What is the level of automation that takes place in the search of misconfigured instances that are publicly accessible without requiring a password?
I'm sure that bad actors are actively running automated scripts to find and attack misconfigured instances with their injections, given the amount of Readme notes searchable in Shodan and BinaryEdge. But I found it very challenging to fully automate our "responsible disclosure" process. Still, you need to manually analyze the content and find the owner to send an alert to the right person inside the organization. That said, I am following a semi-automated approach, with 90% of my analysis being done by hand.
TechNadu: What is your weirdest finding in the troves of data that you got to take a look at?
The weirdest findings are those databases managed by criminals themselves. For example, unprotected instances left online by Gootkit trojan creators.
TechNadu: Tell us about the "Security Discovery" platform and what was the motive behind its creation.
Me and my colleague, Jeremiah Fowler, founded SecurityDiscovery.com with a mission to raise awareness on the good cyber-hygiene by publicizing the most prominent cases from our experience. It also helps us in our responsible disclosure approach since a security researcher with a media channel has much higher chances to receive a reply, comment, or statement from a company.
TechNadu: Are you satisfied with the impact of your work on "Security Discovery" thus far?
Sometimes I feel like I'm fighting the windmills, as the number of exposed instances is not decreasing, and the companies keep on running them without authorization and such. But at the same time, the amount of positive response from the community and businesses motivates me to continue with perseverance.
TechNadu: Typically, we cover about four cases of someone leaving a server online and set to public access without a password each month. Why do you think this happens so often? Is it just a moment of negligence during testing or maintenance? Is it the lack of fundamental knowledge?
It is just human nature, we always make mistakes. Whether you learn from them or not, this is what makes you a professional.
TechNadu: Training on proper security practices can reach many people but not everyone, so besides that, what else can be done in order to put an end to this phenomenon?
I still think that only by educating your personnel, you may stand a chance in breaking this never-ending circle. It's not just about training, but also about having an entertaining session, with real-time examples that illustrate cybersecurity issues in layman's terms. This is what I am trying to do and share with others.
TechNadu: Last June, MongoDB announced end-to-end field-level encryption with version 4.2. Would you say that moves like this are enough to tackle the problem, and have they really made a difference?
It is encouraging to see that vendors pay attention to security issues. We've seen a similar announcement from Elastic and Amazon earlier last year. These are very necessary and vital moves but again, it is nothing without an educated employee behind the configuration desk.
TechNadu: Most of the leaks affect people/customer/client data. Do you think that the legislation that underpins personal data protection in the United States and in Europe is rigid and strict enough to help prevent irresponsible data handling from the firms that collect and manage it?
The introduction of the CCPA and GDPR regulations helped the security community to bridge the gap between them and businesses. Nowadays, companies are much more responsive to messages from security researchers and it is much easier to find a corresponding contact within an organization. However, I doubt that these and other legislative acts are enough to help in preventing irresponsible data management.
TechNadu: What’s the best thing that people can do to protect themselves in the context of the existing legislation?
The least they can do is to have a special email (or just a one-time email address) to be used for marketing needs (for registrations on forums, sites, etc.) Do not link much to your personal email address, and try to share as least personal details as possible on online platforms.
TechNadu: Are there any trends in the field that indicate the rise of novel attack and defense practices in 2020? What predictions can you share with us for this year?
I'm not a fan of trend predictions, but I would assume that attacks on unprotected databases will come at a new level. We have started to see some signs of that coming already, with instances being destroyed within seconds after they're indexed. Like with any new virus rise, we must follow hygiene rules – this is the best defense practice.