The Witnet Foundation is creating one of the most important building blocks of the new decentralized economy: an oracle network that connects smart contracts to any external data source.

If you want to learn more about Witnet check this post for a quick overview.

We want you!


We are looking for the best talent to help us build Witnet. Remote work is OK with us, but we’d love to have you in our offices, in the very center of Madrid. We have a beautiful terrace and flexible working hours.

Open positions:

  • Back-end / Rust developer
  • Javascript developer
  • Community lead
  • UI designer

If you love the crypto space and you want to change the world for the better with open source software don’t hesitate to drop us a line at hiring@witnet.foundation and join our revolution!



Due to many requests from both the public and our partners Stampery is adding Ethereum to its blockchain anchoring API. All data certified via Stampery is now anchored simultaneously to three blockchains: Bitcoin, Ethereum Classic and Ethereum.

About Stampery:

Stampery is the leading startup in blockchain anchoring. Backed by Draper & Associates, Stampery leverages blockchain technology to ensure the existence, integrity and attribution of any file, document or communication. Once a file is anchored to the blockchain through Stampery, anyone can independently verify its integrity, at zero cost and from anywhere in the world.


An automated pentesting tool that lets you know if your MongoDB instances are properly secured


Companies of all sizes use MongoDB, Stampery included. Why? It’s schema-less, fast, scalable. We all love its deep query-ability.

But it’s no secret that MongoDB pays more attention to scalability, performance and ease of use than to security. There are quite a few holes in its default configuration settings.

This, combined with lazy admins and devs, led to what the press dubbed the MongoDB apocalypse: more than 25,000 MongoDB instances were hit. Attackers dropped the databases, left a ransom note and demanded payment for the return of the data; in some cases the data was simply gone, with no way to recover it.

Mongoaudit tackles this problem and more. It not only detects misconfigurations, known vulnerabilities and bugs, it also advises on how to fix them and recommends security best practices. …


Learn how to reduce your attack surface and contain possible security breaches by being sensible when creating user credentials and assigning them roles and permissions


When creating new users and assigning them roles:

  • Never share a single user across several applications, even if they only query the same database.
  • Remember this. We can’t help but emphasize the previous point: one application, one user.
  • In the same manner, one user should only be granted roles and permissions over a single database.
  • Always grant the most restrictive role. If your app only reads from two collections, create a user-defined role with the find privilege on just those collections instead of granting the built-in read role, which covers the whole database.
  • Never grant apps the dbAdmin or dbOwner roles. Why in the hell would your app need to create and drop collections or manage database-wide users? …
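The rules above, turned into a script. This is an added example, not code from the original post or from mongoaudit; the database name (shop), the app name (orders-api), the collections (orders, products) and the role name (ordersApiReader) are assumptions, and the password is a placeholder. The file loads under node, where only the pure functions run for a self-check, and under the mongo shell (mongo shop least-privilege.js), where the db.* calls actually create the role and the user.

```javascript
// Added example, not part of the original post. Assumed names: database 'shop',
// application 'orders-api', collections 'orders' and 'products', role 'ordersApiReader'.

// Roles an application account should never hold: they manage users or reshape the database.
var ADMIN_ROLES = ['dbOwner', 'dbAdmin', 'userAdmin', 'root', 'userAdminAnyDatabase',
  'dbAdminAnyDatabase', 'readWriteAnyDatabase', 'readAnyDatabase'];

// A user-defined role whose only privilege is 'find' on the named collections.
// Passing this document to db.createRole() gives collection-level read, which the
// built-in 'read' role (database-wide) cannot express.
function readOnlyCollectionsRole(roleName, dbName, collections) {
  return {
    role: roleName,
    privileges: collections.map(function (c) {
      return { resource: { db: dbName, collection: c }, actions: ['find'] };
    }),
    roles: []   // inherits nothing, so no implicit database-wide access sneaks in
  };
}

// One application, one user, one database: the user lives in dbName and holds roleName there only.
function appUserSpec(appName, dbName, roleName, password) {
  return { user: appName, pwd: password, roles: [{ role: roleName, db: dbName }] };
}

// Lint a createUser document for the two mistakes from the list: admin roles and roles on other databases.
function overPrivilegeFindings(userSpec, expectedDb) {
  var findings = [];
  userSpec.roles.forEach(function (r) {
    if (ADMIN_ROLES.indexOf(r.role) !== -1) findings.push('admin role ' + r.role + ' granted');
    if (r.db !== expectedDb) findings.push('role ' + r.role + ' spans another database: ' + r.db);
  });
  return findings;
}

var ROLE = readOnlyCollectionsRole('ordersApiReader', 'shop', ['orders', 'products']);
var USER = appUserSpec('orders-api', 'shop', 'ordersApiReader', 'CHANGE-ME');  // assumption: set a real secret

if (typeof db !== 'undefined') {   // true only inside the mongo shell
  var shop = db.getSiblingDB('shop');
  var problems = overPrivilegeFindings(USER, 'shop');
  if (problems.length) throw new Error('refusing to create user: ' + problems.join('; '));
  shop.createRole(ROLE);
  shop.createUser(USER);
  printjson(shop.getUser('orders-api'));   // shows exactly one role, on exactly one database
}
```

Run the same lint over the users you already have (db.getUsers() returns the same shape) to find app accounts that carry dbOwner or roles on several databases.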

Learn how to protect your MongoDB server from NoSQL injection attacks by disabling server-side JavaScript features


All of the following MongoDB operations permit you to run arbitrary JavaScript expressions directly on the server:

These methods can be really convenient, but they pose a huge risk to your database integrity if your application does not sanitize and escape user-provided values properly, as many reports of NoSQL injection attacks have shown.

Indeed, you can express most queries in MongoDB without JavaScript, so the most sensible option is to completely disable server-side JavaScript.

Disabling server-side JavaScript on MongoDB

Open /etc/mongod.conf with your favorite code editor and look for the security section:

security:
  authorization: "enabled"

If you can’t find mongod.conf, or it is named mongodb.conf instead, you are running a really old and broken version of MongoDB. Please read this guide on how to upgrade to a more recent version. …


Learn how to encrypt connections to your mLab MongoDB deployment by enabling TLS/SSL


mLab (formerly MongoLab) is one of the most popular “MongoDB as a service” cloud providers.

IP whitelisting is available in mLab for dedicated plans only, starting at $180. Sadly enough, this option is not available on sandbox or shared cluster plans.

Whether creating a new deployment or upgrading an existing deployment, you can enable SSL support for MongoDB connections directly from the mLab management portal.

Unfortunately, mLab considers TLS encryption a “premium offering”, and SSL domains incur an additional monthly charge (currently $80).

Enabling SSL when creating a new deployment

If you are creating a new deployment, you can enable SSL by choosing a domain scope toward the bottom of the form. The option will only appear if you have chosen a Dedicated plan running MongoDB 2.6 …


Learn how to encrypt connections to your Compose MongoDB deployment by enabling TLS/SSL


Compose by IBM is one of the most popular “MongoDB as a service” cloud providers.

TLS/SSL encryption is available in Compose for deployments created with the default New MongoDB Deployment option, which will create a new MongoDB 3.2 server.

Sadly enough, this option is not available to deployments created before October 2015, nor to those provisioned through the Classic MongoDB Deployment option.

Enabling TLS/SSL on Compose MongoDB

The only thing you need to do to enable TLS/SSL on Compose MongoDB is to activate the Enable SSL access option when provisioning a new deployment.


Unfortunately, this option cannot be enabled on an existing deployment.

Downloading the server public key and connecting over TLS from the mongo shell

Log into your Compose account, select your MongoDB deployment and on the Overview page you’ll see an SSL Public Key panel with a Show SSL Public Key button. …


Learn how to properly configure the most important and fundamental security feature that comes with MongoDB


Never run a production server without authentication on.

Really, never do so. No authentication means inviting everyone out there into your databases to seize everything and potentially hold your data for ransom.

Running a testing server? Enable authentication either way, just in case you move it into production one day and you forget to enable it then!

Enabling authentication on MongoDB

Disclaimer: this how-to guide only applies to self-managed MongoDB servers. All “MongoDB as a Service” providers enable authentication from the start.

1. Start MongoDB without authentication

That’s easy, as this is the default behavior.

2. Connect to the server using the mongo shell

$ mongo mongodb://<host>:<port>

The port number will most likely be 27017. You can move it elsewhere, but that only hides the server from the laziest scanners; what actually limits exposure is binding mongod to the interfaces that need it (net.bindIp) and firewalling the port. …
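The bootstrap that follows those first two steps, as an added example that is not part of the original post: create the first administrative user, then confirm that authentication is really enforced after you set security.authorization to "enabled" and restart mongod. The admin account name (siteAdmin) is an assumption and the password is a placeholder. The file runs inside the mongo shell (mongo admin bootstrap-auth.js) while authentication is still off; under node only the pure functions run, which is what the self-check exercises.

```javascript
// Added example, not from the original post. Assumed admin account name: 'siteAdmin'.

// 3. The first user goes in the admin database and only manages users; it is not an app account.
function adminUserSpec(user, pwd) {
  return { user: user, pwd: pwd, roles: [{ role: 'userAdminAnyDatabase', db: 'admin' }] };
}

// 4. After that, mongod.conf needs
//      security:
//        authorization: "enabled"
//    and a restart. MongoDB answers an unauthenticated command with error code 13
//    ("Unauthorized"); a success (ok: 1) means anyone can still read everything.
function classifyAuthProbe(result) {
  if (result.ok === 1) return 'open';
  if (result.code === 13) return 'enforced';
  return 'unknown: ' + (result.errmsg || JSON.stringify(result));
}

// Probe through a fresh, unauthenticated connection. `adminDb` is a shell DB handle or any
// object exposing runCommand(), so the check can be scripted from monitoring and unit-tested.
function probeAuth(adminDb) {
  return classifyAuthProbe(adminDb.runCommand({ listDatabases: 1 }));
}

if (typeof db !== 'undefined') {   // true only inside the mongo shell
  var admin = db.getSiblingDB('admin');
  var state = probeAuth(admin);
  if (state === 'open') {
    admin.createUser(adminUserSpec('siteAdmin', 'CHANGE-ME'));   // assumption: use a real password
    print('admin user created; now set security.authorization: "enabled", restart mongod and re-run this script');
  } else {
    print('authentication is ' + state + '; nothing to do');
  }
}
```

Run the script once before and once after the restart: the first run creates the user and the second must print "enforced". Anything else means the configuration change did not take effect.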


Learn how to improve your server security by using the new SCRAM-SHA-1 authentication mechanism instead of the old MONGODB-CR

(Scram image licensed under Creative Commons, via Michael Pereckas)

SCRAM-SHA-1 is the default authentication mechanism in MongoDB 3.0 and newer. It is an IETF standard (RFC 5802) and verifies the user’s name, password and authentication database.

SCRAM-SHA-1 is more secure than the MONGODB-CR it replaces: it provides a tunable work factor (the iteration count), per-user random salts, a stronger hash (SHA-1 rather than MD5) and mutual client<>server authentication, so the client also learns that the server knows the credential.

How to use SCRAM-SHA-1 on MongoDB 3.x

SCRAM-SHA-1 is enabled by default in MongoDB 3.0 and later. There’s nothing special you need to do in order to use it, apart from enabling authentication. One caveat: a deployment upgraded from 2.6 keeps its existing MONGODB-CR credentials until you run the authSchemaUpgrade command, so check which mechanism your users actually have after an upgrade.

How to use SCRAM-SHA-1 on older MongoDB versions (2.x)

The MongoDB 2.x series did not support SCRAM-SHA-1, and there’s no way to make it work. For this and many other reasons (among them some alarming security issues), please consider upgrading your MongoDB server to the latest stable version. …


Learn how to use TLS/SSL in-flight encryption to authenticate and encrypt connections between your MongoDB server and your apps.


These instructions assume that you have already installed a build of MongoDB that includes TLS support and that your client driver supports TLS. Please read this guide for instructions on how to upgrade to a TLS-enabled MongoDB version.

About certificate authorities

Your production MongoDB deployments should always use valid certificates issued by a certificate authority. You can get a free, full-fledged TLS certificate for your server signed by Let’s Encrypt using EFF’s Certbot tool. Bear in mind that Let’s Encrypt validates control of a public DNS name, so the server needs a hostname you can prove you own, and that its certificates expire after 90 days, so renewal and reloading the certificate into mongod have to be automated.

Self-signed certificates encrypt communications but, on their own, provide no validation of server identity: they stop passive eavesdropping yet leave you open to man-in-the-middle attacks. MongoDB drivers can only verify the server’s identity when the certificate chains to a CA they trust. That can be a public CA, a private CA of your own, or a self-signed server certificate that you distribute to every client as its trust root (as the Compose guide above does with the downloaded public key); what matters is that the driver validates the chain and the hostname instead of accepting whatever the server presents.

About

Stampery Inc.

Leaders in blockchain-based timestamping and security solutions.
