NoSQL Benchmarks NoSQL use cases NoSQL Videos NoSQL Hybrid Solutions NoSQL Presentations Big Data Hadoop MapReduce Pig Hive Flume Oozie Sqoop HDFS ZooKeeper Cascading Cascalog BigTable Cassandra HBase Hypertable Couchbase CouchDB MongoDB OrientDB RavenDB Jackrabbit Terrastore Amazon DynamoDB Redis Riak Project Voldemort Tokyo Cabinet Kyoto Cabinet memcached Amazon SimpleDB Datomic MemcacheDB M/DB GT.M Amazon Dynamo Dynomite Mnesia Yahoo! PNUTS/Sherpa Neo4j InfoGrid Sones GraphDB InfiniteGraph AllegroGraph MarkLogic Clustrix CouchDB Case Studies MongoDB Case Studies NoSQL at Adobe NoSQL at Facebook NoSQL at Twitter



security: All content tagged as security in NoSQL databases and polyglot persistence

A Quick Tour of Internal Authentication and Authorization Security in DataStax Enterprise and Apache Cassandra

Robin Schumacher describes the new security features added to Apache Cassandra and DataStax Enterprise:

This article will concentrate on the new internal authentication and authorization (or permission management) features that are part of both open source Cassandra as well as DataStax Enterprise. Authentication deals with validating incoming user connections to a database cluster, whereas authorization concerns itself with what a logged in user can do inside a database.

I’m happy to see NoSQL databases entering the space of security as this would ease their way inside enterprises. But I fear a bit the moment when the marketing message will change from “it’s too early to provide security features” to “the first enterprise grade NoSQL database”.

Original title and link: A Quick Tour of Internal Authentication and Authorization Security in DataStax Enterprise and Apache Cassandra (NoSQL database©myNoSQL)


A Tragically Comedic Security Flaw in MySQL

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

  $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 2>/dev/null; done

Don’t try this at home. Or if you try it, don’t tell anyone the result.

Original title and link: A Tragically Comedic Security Flaw in MySQL (NoSQL database©myNoSQL)


Data Encryption for Hadoop and NoSQL Databases From Gazzang

The Gazzang Encryption Platform for Big Data works as a last line of defense for protecting data within Hadoop, Cassandra and MongoDB, non-relational, distributed and horizontally scalable data stores that have become common management tools for big data initiatives.

Sounds good so far. But then:

Gazzang today launched a cloud-based encryption […] The Encryption Platform transparently encrypts and secures data “on the fly,” whether in the cloud or on premises, ensuring there is minimal performance lag in the encryption or decryption process.

Anyone having any idea how a cloud-based solution could encrypt/decrypt on premises data on the fly? I don’t.

Original title and link: Data Encryption for Hadoop and NoSQL Databases From Gazzang (NoSQL database©myNoSQL)


NoSQL Security: Installing and Hardening Redis

Many useful pieces of advice—from the very basics to renaming commands—in Marc Wickenden post about securing Redis:

Redis doesn’t have much in the way of security so I knew that anyone who managed to pop the box could theoretically connect to the local Redis instance and mess around. I’ll take you through the steps I took to install and harden Redis, on a Debian Squeeze GNU/Linux box.


Original title and link: NoSQL Security: Installing and Hardening Redis (NoSQL database©myNoSQL)


NoSQL Databases and Security: Cassandra and MongoDB Security Reviewed

Herman Stevens summarizes the findings of the paper “Security Issues in NoSQL Databases”:

The paper itself concluded that the main problems to both Cassandra and MongoDB are “the lack of encryption support for the data files, weak authentication both between the client and the servers and between server members, very simple authorization without support for RBAC or fine-grained authorization, and vulnerability to SQL Injection and Denial of Service attacks”

Cassandra security reviewed

Cassandra security

MongoDB security reviewed

MongoDB security

Even without the findings of Attacking NoSQL and Node.js: Server-Side JavaScript Injection (SSJS) things might be scary.

Original title and link: NoSQL Databases and Security: Cassandra and MongoDB Security Reviewed (NoSQL database©myNoSQL)


Nmap Scripts for Riak, Redis, Memcached

If you take a look at the topic of security in the NoSQL context, you’ll notice that things are far from being perfect. So, any contributions in this area are welcome. Patrik Karlsoon added a couple of network exploration Nmap scripts for Riak, Redis, and Memcached. And while these will not help much with security they might proove useful for managing your NoSQL deployments:

  • Added the script riak-http-info that lists version and statistics information from the Basho Riak distributed database.

  • Added the script memcached-info that lists version and statistics information from the distributed memory object caching service memcached

  • Added the script redis-info that lists version and statistic information gathered from the Redis network key-value store.

  • Added the redis library and the script redis-brute that performs brute force password guessing against the Redis network key-value store.

Original title and link: Nmap Scripts for Riak, Redis, Memcached (NoSQL database©myNoSQL)

Attacking NoSQL and Node.js: Server-Side JavaScript Injection (SSJS)

Jeff Darcy has written a while back about the (lack of) security in NoSQL database. Unfortunately things haven’t changed much and if you check the NoSQL + Node.js applications I’ve posted lately you’ll notice that some of them are completely ignoring security.

And there are some people realizing the risks and starting to express their concerns:

Playing with MongoDB lately, I’m getting scared. Because I’m seeing some really bad practices out there. Seeing it in live code. In tutorials.

Bryan Sullivan (Senior Security Researcher, Adobe Secure Software Engineering Team) has published a paper (PDF) explaining some of the possible server-side JavaScript injection attacks and the risks the apps and the data are exposed to. Teaser: he can do pretty much everything.

It should be noted that exploitation of server-side JavaScript injection vulnerabilities is more like that of SQL injection than of cross-site scripting. SSJS injection does not require any social engineering of an intermediate victim user the way that reflected XSS or DOM-based XSS do; instead, the attacker can attack the application directly with arbitrarily created HTTP requests.

Because of this, defenses against SSJS injection are also similar to SQL injection defenses:

  • Avoid creating “ad-hoc” JavaScript commands by concatenating script with user input.
  • Validate user input used in SSJS commands with regular expressions.
  • Avoid use of the JavaScript eval command. In particular, when parsing JSON input, use a safer alternative such as JSON.parse.

Remember there’s no such thing as security through obscurity.

Original title and link: Attacking NoSQL and Node.js: Server-Side JavaScript Injection (SSJS) (NoSQL database©myNoSQL)

Hadoop Security Explained

Brilliant article:

In nutshell, Hadoop has strong support for authentication and authorization. On the other hand privacy and data integrity is optionally supported when Hadoop services are accessed through RPC and HTTP, while the actual HDFS blocks are transferred unencrypted. Hadoop assumes network involved in HDFS block transfer is secure and not publicly accessible for sniffing, which is not a bad assumption for private enterprise network.

Original title and link: Hadoop Security Explained (NoSQL database©myNoSQL)


Securing MongoDB

So, MongoDB presented us with two problems:

  • When sharding it, we can’t even use the basic security that it supports.
  • The basic security that it offers is not reasonable for allowing external servers to connect to MongoDB.

Let’s just review:

  • you have this sharding setup: MongoDB sharding

  • on top of that add some Nginx

  • switch from using a binary protocol to HTTP

Doesn’t sound easy or out of the box anymore.

Original title and link: Securing MongoDB (NoSQL databases © myNoSQL)

Secure HBase

A short presentation about HBase access control security

Original title and link: Secure HBase (NoSQL databases © myNoSQL)

Secure HBase Access Control: A Step Towards Better Security and NoSQL-as-a-Service

From Trend Micro guys:

Enter Secure HBase. Secure HBase adds support for table and column family ownership and access control. Secure HBase builds on recent development work in the Hadoop and HBase community, specifically:

  • First, we built on the Kerberos support that’s recently been been contributed by Yahoo! to Hadoop
  • Secondly, we implemented a Coprocessor Framework that lets HBase administrators load custom code that runs on HBase regionservers. We’ve submitted our own implementation for community review;
  • Finally, we have contributed our own Coprocessor, named AccessController, which enforces access control. This has also been submitted for community review at: ☞ “Coprocessor based simple access control” (HBASE-3025).

The (long) post provides a lot of details about the implementation and various other aspects of this solution.

Leaving aside for now the HBase Coprocessor Framework hidden gem, not only is this acknowledging NoSQL databases need better security, but this could be an important aspect of NoSQL as a Service.

Original title and link: Secure HBase Access Control: A Step Towards Better Security and NoSQL-as-a-Service (NoSQL databases © myNoSQL)


MongoDB and Security via Diaspora

When asked why MongoDB is using their own query language instead of SQL, the answer was that using JSON for both data and queries made more sense. Plus, it helped avoid injection attacks. As showed by Patrick McKenzie’s post on recently released Diaspora, turns out this is not quite true:

Diaspora uses MongoDB, one of the new sexy NoSQL database options. I use a few myself. They have a few decades less experience getting exploited than the old relational databases you know and love, so let’s start: I claim this above code snippet gives me full read access to the database, including to serialized encryption keys.

The conclusion is quite obvious: as long as developers continue to use string concatenation and interpolation, the query language doesn’t really matter. So you might be better off with something that people feel familiar with.

Original title and link: MongoDB and Security via Diaspora (NoSQL databases © myNoSQL)