Why Do Elasticsearch Databases Keep Getting Hacked?

It seems like you can’t throw a stone these days without hitting an exposed Elasticsearch instance.

The open source software, which lets users index and search unstructured data, is like a massive bucket for all your enterprise information. It slurps up everything from emails to spreadsheets and social media posts, and then lets you search it. It is a valuable repository for all kinds of enterprise information.

Unfortunately, it also means that when unprotected Elasticsearch instances turn up online, they often yield vast repositories of sensitive data. For example, in January reports surfaced of four million intern applications left on a public facing Elasticsearch instance by global non-profit AIESEC. Researchers also found payment information relating to Bancolombia customers on the public Internet. In November, millions of Americans’ personal data was found on an Elasticsearch instance that had been publicly viewable for two weeks. 

What’s with all the hacked systems? Elasticsearch wants to make one thing clear: it isn’t responsible.

“Recent reports about sensitive data being exposed in Internet-facing Elasticsearch instances are not related to defects or vulnerabilities in Elastic-developed software,” said Mike Paquette, security product director at Elastic.

The cause of the problem? A poor understanding of Elasticsearch security and how the software works, he said: “Reports usually involve instances where individuals or organizations have actively configured their installations to allow unauthorized and authenticated users to access their data over the internet.”

The company does its best to stop others getting at Elasticsearch instances by default, he explained. Out of the box, Elasticsearch binds only to local addresses, so an administrator who wants it reachable from outside the local machine has to explicitly configure it that way.

So why would someone do that? One reason, he warned, is that someone is using a free Elasticsearch instance in the cloud and choosing open internet access. Don’t assume that Amazon will protect you just because you’ve deployed Elasticsearch on its cloud. You have to do some extra work to keep the instance safe.

Developers often expose development or testing systems to the internet for convenience and then forget to change the configuration when they move to production, he warned.

Elastic provides security features for the paid versions of its product in the form of X-Pack. These include role-based access control and encryption, but people are exposing instances on the public internet without any protection at all. One reason for this could be the fact that the free version of the software only includes the security options as a trial. You have to pay for the premium product to turn the security features on. 

X-Pack cures a variety of ills, confirms Itamar Syn-Hershko, a big data and cloud consultant who specializes in products like Elasticsearch. Even if you don’t use that paid option, though, there are still plenty of things you can do to stop your entire Elasticsearch database from showing up on the public Internet.

Syn-Hershko’s advice on secure deployment includes not exposing clusters publicly, and putting them on a segment isolated from the rest of the network.
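The three configuration mistakes the article describes (changing the default local-only bind, carrying a development setting into production, and running an exposed node with the security features off) can be caught before deployment by auditing elasticsearch.yml. The script below is an added example written for this article, not Elastic's own tooling or anything Syn-Hershko published. It assumes the real setting names `network.host` and `xpack.security.enabled`, treats an absent `xpack.security.enabled` as disabled (a conservative assumption; the real default depends on the Elasticsearch version), and the three sample configurations are constructed.

```python
"""Audit a flat elasticsearch.yml for the exposure patterns described above.

Added example, not Elastic's code. Assumes the setting names network.host and
xpack.security.enabled; an absent xpack.security.enabled is treated as off.
"""
import ipaddress
from typing import Dict, List

# Special network.host values: _local_ is the default loopback binding,
# _site_ picks a site-local (private) address, _global_ a globally routable one.
LOCAL_HOSTS = {"_local_", "localhost"}
WILDCARDS = {"0.0.0.0", "::", "_global_"}

# Constructed sample configurations (not taken from any real deployment).
DEFAULT_CONFIG = """
# fresh install: network.host left unset, so the node binds to loopback only
cluster.name: demo
"""
DEV_CONFIG = """
# "temporary" dev convenience that later ships to production
network.host: 0.0.0.0
http.port: 9200
"""
PROD_CONFIG = """
network.host: 10.0.1.5          # isolated segment, not internet-facing
xpack.security.enabled: true    # role-based access control and TLS on
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the flat `key: value` lines used in elasticsearch.yml.
    Comments and blank lines are ignored; nested YAML is out of scope here."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def classify_bind(host: str) -> str:
    """Return 'local', 'private' or 'public' for one network.host value."""
    if host in LOCAL_HOSTS:
        return "local"
    if host in WILDCARDS:
        return "public"
    if host == "_site_":
        return "private"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "public"  # hostnames / interface names: assume reachable
    if addr.is_loopback:
        return "local"
    if addr.is_unspecified:  # 0.0.0.0 or :: spelled in another form
        return "public"
    return "private" if addr.is_private else "public"


def audit(settings: Dict[str, str]) -> List[str]:
    """Flag the misconfigurations the article describes."""
    findings: List[str] = []
    raw_hosts = settings.get("network.host", "_local_")  # default: local only
    hosts = [h.strip().strip("\"'") for h in raw_hosts.strip("[]").split(",")]
    scopes = {classify_bind(h) for h in hosts}
    if "public" in scopes:
        findings.append(f"HIGH: network.host={raw_hosts} binds to a public or wildcard address")
    elif "private" in scopes:
        findings.append(f"NOTE: network.host={raw_hosts} is reachable from its segment; "
                        "keep that segment isolated from the rest of the network")
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    if scopes != {"local"} and not security_on:
        findings.append("HIGH: xpack.security.enabled is not true on a network-reachable node")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("dev", DEV_CONFIG), ("prod", PROD_CONFIG)):
        print(name, audit_text(cfg) or ["OK"])
```

The check is deliberately conservative: anything that is not loopback counts as reachable, so a node on a private segment still gets a note reminding the operator that the segment itself must be isolated, which is exactly the second half of Syn-Hershko's advice.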
