Database Error Exposes Sensitive Information On 1,700 Kids

itwbennett writes: Researcher Chris Vickery discovered that the Arlington, Virginia based child monitoring service uKnowKids.com had a misconfigured MongoDB installation that left sensitive details on over 1,700 children exposed for months. UKnowKids helps parents monitor their child's activities online, by watching their mobile communications, social media activities, and their location. And so the database stored 6.8 million private text messages, 1.8 million images (many depicting children), Facebook, Twitter, and Instagram account details, in addition to the children's full names, email addresses, GPS coordinates, date of birth.

Is all this exposure to the internet worthwhile?

[HeadSoft]

Would it really hurt so bad if private information was you know, kept on a private network? It's not like everything in the world needs to be internet-facing.

Re:Is all this exposure to the internet worthwhile

[Dr_Barnowl]

Well, clearly the only way you can gather this much information is to install a monitor daemon on all their client appliances.

Rather than having it talk to a single central server as it did in this case, why not run that server on a PC in the household and have it sync to that when it's on domestic wifi?

Oh, right : because it wouldn't enable the corporation to collect a huge corpus of highly monetizable data about children for later analysis.

Re:

[cayenne8]

Damn...I'm sure glad I grew up in a time when as a kid, I didn't have to worry about being monitored 24/7, and having a fucking helicopter parent hovering above my every move.

Hell, I guess in todays Bizarro world, my folks would have been arrested for being neglectful parents, and I'd be in safe, loving foster care....

I'm sad that kids can't grow to be kids like we did back in the day....actually having the freedom to fail and fuck up, and learn valuable life lessons from said mistakes.

It also helped the

Re:

[KGIII]

Hmm... I've seen you post before and I'm starting to have my doubts. You're not really a barn owl, are you?

Re:

[Dr_Barnowl]

It's a throwback to my earlier days online... I was playing a flight game where you could set your callsign at the time. I like barn owls, so that's what I set as a callsign.

Then I started going online. That name was taken most places, but I was at med school - hence the prefix.

I'm really a doctor! (In the sense that I have a medical degree - I no longer practice).

Re:

[KGIII]

Heh! The goal was to make you chuckle and maybe go, "What the hell?" I was bored and you were there. Oddly, my handle comes from a game as well - but it's a table top RPG. I am also a Doctor but no... I'm not a medical doctor. It's always been a problem because I've been introduced as Dr. D. and had many, many people ask me about medical issues. Even after I point out that I'm not a medical doctor, they'll say, "Yeah, but you must be smart." No, I'm not even really all that smart and I have no idea if that

Re:

[tibit]

There are these things called one-way gateways. You can only steal data from such a system if you catch it in-flight, via a MITM attack. Once the data enters such a system, it is not accessible from outside. At the most basic level, syslog over UDP is such a system: you can only send messages to it, but there's no way to access any of the data. You can use a hardware fixed-function firewall to guarantee the unidirectionality of the barrier. This is not hard to do, an FPGA dev board with two gigabit ethernet

Re:Is all this exposure to the internet worthwhile

[Bengie]

Seems they misconfigured their Mongo DB, MongoDB server's firewall, inter-vlan firewall, and edge firewall. When the entire system is misconfigured, you use the word "inept".

Re: Is all this exposure to the internet worthwhi

[Anonymous Coward]

Testing ? Hah.

Re:

[Hognoxious]

Somebody found it. That's testing, isn't it?

(see also: ketchup).

Re:

[sjames]

But, but, but...Mongo DB is web scale!

Stupidity...

[Longjmp]

Summary:
Stupidity of helicopter parents backfires.

Re:

[Etherwalk]

Anyone dumb enough to put information about their kids into a database on the internet deserves everything they get.

I see you rolled a crit fail for wisdom.

Re:

[Mikkeles]

I agree; but, here, it's unfortunately the kids who don't deserve everything they may get.

O Nose!

[Anonymous Coward]

About whom shall we think?

1000's die daily from 100% preventable starvation

[Anonymous Coward]

mostly kids... they could use some press?

Not offtopic

[Etherwalk]

mostly kids... they could use some press?

There's nothing wrong with putting a topic in perspective. Parent should not have been modded offtopic.

Re: Lack of own server makes this happen

[John Smith]

Yeah, but it might be a hit with nerds who own their own servers.

Re:

[mars-nl]

Why don't we have out own servers? Why can non-nerds carry around and operate a complicated computer in their pocket but why they cannot own and operate a "server". People already have a modem/router which is perfectly capable of storing any personal information you want.

The only reason we don't do it is, I guess, is that companies make money collecting our information and make it convenient enough for us to go along. If running your own server was as convenient/profitable, we would do it.

It's not the database

[aglider]

It's been those idiotic DBA and system administrator. It's too easy to blame software and hardware. There's always a person behind these cases!

Gj

[Sax Russell 5449D29A]

Cool story bro, and nice SEO you got going on there. I can't stand people who post links to their own sites in this fashion. You could do it once or twice without causing a fuss, but acting like an organic RSS feed? No thanks.

id10t

[ole_timer]

what idiot would put their kid's info here?

easy DB setup

[l3v1]

Well, this is the result that you get after years of advertising whatever db engines to be easy to setup and configure - idiots will actually believe it after a while and will think they know what they are doing, start puting db-professional into their CVs, some other idiot hires them, and so on and so forth.

And, well, I'm sorry, but I just can't submit without the compulsory "Won't somebody please think of the children!" :P

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Tablizer]

But It's webscale!

as are the leaks

This is what happens with web corp on autopilot

[evolutionary]

There are so many organizations who get junior/intermediate developers who are told to build it fast, without a plan and without consideration of what they are storing. There are probably hundreds of companies who set up a system, make it big, and never do audits of their code, data or protection. Anyone storing sensitive data should be doing a periodic audit so the people "upstairs" know what is stored and how it is stored. It's not enough for it to "just work". It's not just the medical and psychology ind

Re:

[Tablizer]

From an entrepreneurial perspective, you have to take risks to win. You have to grow fast and beat your competitors because the "first to market" tends to have a big advantage.

This encourages taking shortcuts. I'm not sure how to prevent such security-related risks other than perhaps criminal prosecution or huge fines. However, that would drive up the expense of IT work (think insurance) and result in offshoring. USA regulators will have a hard time dictating the laws of Timbuktu web servers and products.

I

Re:

[sjames]

If you attach the risks to the company itself, they would have to move themselves to the 3rd world to duck the enforcement. Off-shoring wouldn't help them at all, it would just put their contractors out of reach if they want help paying the huge fines.

Re:

[Tablizer]

I'm not sure what you mean. How about a scenario.

The US gov't can't order say a Singapore company to put in a back door or hack their own product. Such restrictions on a US company would give Singapore companies an advantage because they can say they are outside of US govt's control.

I suppose the US gov't can tell Singapore co's that they can't sell products in the US unless they have a back door and unlock it somehow on request. But that's harder to verify and enforce than with a US-based co.

Re:

[sjames]

They could actually block the import unless they have an unlocker in hand.

I'm not saying they should (I don't believe they should have a back door at all), just that they could.

More appropriately, they could enforce a fine for careless handling of customer data by instructing Visa/MC to claw back any funds sent to them and allow no more charges.

Kids Monitoring Services :(

[tibit]

I think that all of these services are, in some capacity, ran by pedophiles, and the clueless parents are simply facilitators. This wouldn't be anything out of the ordinary, in fact: parents often, unwittingly, facilitate abuse of their children by family members or "friends". If you really need to use a service like that, your family relationships are already broken and you should be seeking counseling, not monitoring.

time for a comeback

[Ian McLendon]

This sounds like a job for Little Bobby Tables. Unprotected database? He can take care of it.