It seems every few days the news is filled with some tidbit of news about some systems online being hacked. Most of the time, hacking is the wrong word used. Most of the mistakes resulting in loss of data was just a configuration error on the entity responsible for the data.
Take for example this email I got from HaveIBeenPwned a few days ago.
In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed.
I don't know this company, I don't remember them but they lost my personal information along with 763 million other people. They made a mistake that seems like a day zero student of the computer science industry would make. I wouldn't expect a company to make mistakes of this size, but time and time it happens again.
I remember an article a few years old about the default security in Redis. The article basically was in response to lashback in the community about default Redis installs lacking any default security. The response was that early adoption would be difficult if users had to create ACL rules or perform some complicated procedure of granting access.
What happened in actuality is users worldwide would move Redis installs into production environments without changing any security settings. This means data is just sitting out there in public environments. As Redis evolved, later versions continued to change the default settings to be secure first. This meant that users had to intentionally change settings to get things less protected.
Yet data is still lost and its due to configuration issues. So why is this happening? Is this because security is set aside? I remember getting into a difficulty with the occasional complicated mess of security groups on AWS, but never in my mind did a thought occur to open everything to everywhere.
AWS has additionally evolved setting default protections on a S3 bucket to be private. This means that accidents can not happen unless an administrator wants a public bucket.
Finding a comparison
Most of those above paragraphs are difficult to understand unless you work in this industry, so let's take a different approach. How many people had a house key under a doormat? This was so that anyone coming home could use the key to unlock the door.
I had one of those, except it was under a pot. At one point, our thinking finally evolved and instead we produced enough house keys for everyone to have one. The key under the doormat is a good example of what is happening now. If everyone in the world had good intentions, everyone could leave their doors unlocked. However, that is not the case and thus servers left in the default (key under mat) will be targeted.
Data is being leaked faster than I can sign up with and this just makes me nervous. My entity history of KBA (Knowledge based authentication) is public at this point. With enough time someone can figure out every bit of information about me, because multiple companies made a mistake and lost my data.
The online war goes on and we are simply casualties in the never ending battle.