Add the U.S. Census Bureau to the list of U.S. government agencies that have been the victim of an IT security attack in recent months. While the Census Bureau's admission that it was attacked is not a surprise, the details on how the attack was able to happen reveals an IT security vulnerability that is common across many types of technology deployments and industries.
Census Bureau Director John H. Thompson publicly confirmed on July 24 that his agency was breached in an incident that exposed non-confidential information from the Federal Audit Clearinghouse that was contained in an external-facing IT system.
"It appears the database was compromised through a configuration setting that allowed the attacker to gain access to the four files posted to the hacker's site," Thompson explained in a blog post.
Thompson stressed that after several days of auditing there was no indication that any confidential information or access to internal systems was gained by the attackers. Going a step further, within 90 minutes of learning about the breach, the Census Bureau made the impacted system inaccessible.
The Census Bureau attack follows the public disclosure of the massive attack against the U.S. Office of Personnel Management (OPM), which impacted 25.7 million Americans. Unlike the OPM breach, the damage from the Census Bureau breach, it appears, is minimal. Also unlike the OPM breach, the root cause of the Census Bureau attack seems to have been quickly identified as a misconfiguration.
While there are many attacks that occur by way zero-day attacks and obscure exploits, misconfiguration errors are also common in IT and they do lead to data breaches. IT consultant Jamie Brown reported that one in every 600 Websites has unintentionally exposed Git software repository information, potentially exposing code to risk.
John Matherly, creator of the Shodan security search tool, has also been looking at misconfiguration and has specifically focused on users of the open-source MongoDB database. "A quick search for MongoDB reveals that there are nearly 30,000 instances on the Internet that don't have any authorization enabled," Matherly blogged. "There's a total of 595.2 TB of data exposed on the Internet via publicly accessible MongoDB instances that don't have any form of authentication."
Misconfiguration is a real, nontrivial issue, and MongoDB is just one example use case out of many. At this point, it's not clear what the precise misconfiguration was at the Census Bureau, but it's good to note that the agency found and corrected the issue quickly. It's also important to remember that not all attacks are zero-day driven; some are just misconfigurations.
As a best practice, organizations of all sizes should continuously enforce and inspect configuration policies for data and directories to make sure that access policies and security are correctly implemented.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.