
Attacks/Breaches

10/8/2014 12:15 PM

MBIA Leaves Customer Data Exposed On Web

The breach was due to a misconfigured server that exposed sensitive data online.

Customers of the municipal bond insurer MBIA had their information exposed because of a server misconfiguration.

After being notified about the breach, the company disabled the vulnerable site, mbiaweb.com. The site contained customer data from Cutwater Asset Management, a fixed-income unit of MBIA set to be purchased by BNY Mellon Corp.

Cutwater Asset Management is an investment adviser specializing in fixed income investments. It has $23 billion of assets under management and ranks among the world's largest fixed-income asset managers. Clients include state and local governments and pension funds.

According to Krebs on Security, most of the exposed information had been indexed by search engines, including a page containing administrative credentials that an attacker could have used to reach data the search engines had not indexed.

"We have been notified that certain information related to clients of MBIA's asset management subsidiary, Cutwater Asset Management, may have been illegally accessed," MBIA spokesman Kevin Brown tells Dark Reading. "We are conducting a thorough investigation and will take all measures necessary to protect our customers' data, secure our systems, and preserve evidence for law enforcement."

Brown also confirmed that the affected server had been taken offline, and that the company is continuing to investigate.

Bryan Seely, CEO of Seely Security, discovered the exposure using a search engine. He told Krebs on Security that he believes the data was exposed by a poorly configured Oracle Reports server. A server of this type is normally set up to provide information only to authorized users on a private network; this one was answering requests from the public Internet, and search engines had indexed what it returned.
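The failure described here and in the Krebs account above (an internal-only reporting server answering anonymous requests from the Internet, with its output, credentials included, copied by search engines) is easy to check for from the outside. The following is an added example, not code from MBIA, Cutwater, Krebs on Security or Seely Security: it probes a list of paths that should never be reachable externally, and for every one that answers 200 to an anonymous client records whether anything tells crawlers to stay away and whether the body contains credential-shaped strings. The paths, responses, robots.txt and credential patterns are constructed for illustration; `fetch` is injected so the block runs offline, and in practice it would wrap an HTTP client run from outside the corporate network.

```python
"""Exposure audit for pages that should never be reachable from the Internet.

Added example for this article; not code from MBIA, Cutwater, Krebs on Security
or Seely Security. Paths, responses, robots.txt and patterns are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Finding:
    path: str
    indexable: bool          # nothing asks crawlers to stay away, so search engines will copy it
    leaks_credentials: bool  # body contains credential-shaped strings

    @property
    def severity(self) -> str:
        # Any 200 to an anonymous external client is an exposure; robots.txt and
        # noindex only lower the odds that a search engine hands it to strangers.
        if self.leaks_credentials:
            return "critical"
        return "high" if self.indexable else "medium"


# Credential-shaped content (constructed, not exhaustive): key=value dumps and JDBC URLs.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    re.compile(r"(?i)(?:userid|username|user)\s*[:=]\s*\S+"),
    re.compile(r"(?i)jdbc:oracle:thin:[^\s'\"]+"),
]


def parse_robots(robots_txt: str) -> List[str]:
    """Disallow prefixes that apply to every crawler (the 'User-agent: *' group)."""
    disallow: List[str] = []
    agents: List[str] = []
    in_group_header = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not in_group_header:  # first User-agent line starts a new group
                agents = []
            agents.append(value.lower())
            in_group_header = True
        else:
            in_group_header = False
            if key == "disallow" and "*" in agents and value:
                disallow.append(value)
    return disallow


def crawler_blocked(path: str, resp: Response, disallow: List[str]) -> bool:
    """True if robots.txt, an X-Robots-Tag header or a meta robots tag says disallow/noindex."""
    if any(path.startswith(prefix) for prefix in disallow):
        return True
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if "noindex" in headers.get("x-robots-tag", "").lower():
        return True
    meta = r'(?is)<meta\s+name=["\']robots["\']\s+content=["\'][^"\']*noindex'
    return re.search(meta, resp.body) is not None


def audit(paths: List[str], fetch: Callable[[str], Optional[Response]], robots_txt: str) -> List[Finding]:
    """Probe each internal-only path as an anonymous client and record what comes back."""
    disallow = parse_robots(robots_txt)
    findings: List[Finding] = []
    for path in paths:
        resp = fetch(path)
        if resp is None or resp.status != 200:
            continue  # refused, 401/403, redirect to a login page, 404: not exposed
        findings.append(Finding(
            path=path,
            indexable=not crawler_blocked(path, resp, disallow),
            leaks_credentials=any(p.search(resp.body) for p in CREDENTIAL_PATTERNS),
        ))
    return findings


# Constructed stand-in for what an external probe of a misconfigured reports server might return.
SAMPLE_SITE: Dict[str, Response] = {
    "/reports/admin/env.html": Response(200, {"Content-Type": "text/html"},
        "<html><body><pre>REPORTS_USER=rptadmin\nREPORTS_PASSWORD=Summ3r2014\n"
        "jdbc:oracle:thin:@db.internal:1521/CUTW</pre></body></html>"),
    "/reports/client/portfolio.html": Response(200, {"Content-Type": "text/html"},
        "<html><body>Holdings for client 1042: ...</body></html>"),
    "/reports/internal/status": Response(200, {"X-Robots-Tag": "noindex"}, "server ok"),
    "/reports/admin/console": Response(401, {"WWW-Authenticate": "Basic"}, ""),
}
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /reports/internal/\n"


def sample_fetch(path: str) -> Optional[Response]:
    return SAMPLE_SITE.get(path)  # None stands in for connection refused


def run_sample() -> List[Finding]:
    return audit(list(SAMPLE_SITE), sample_fetch, SAMPLE_ROBOTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:<8} {f.path}  indexable={f.indexable}  credentials={f.leaks_credentials}")
```

On the sample data the audit reports the environment dump as critical (anonymous 200, nothing blocking crawlers, and a password plus a JDBC connection string in the body), the client holdings page as high, and the status page as medium: it is behind a robots.txt Disallow and an X-Robots-Tag, but those are hints to well-behaved crawlers, not access control, so an anonymous 200 is still an exposure. Only the console, which answers 401, is treated as closed. The check is cheap enough to run after every change window and on a schedule, which is the continuous-monitoring point made below.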

"This is the same class of problem as connecting a test server with a default password to the Internet, like happened at HealthCare.gov," says Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. "IT organizations should have quality and change management controls in place that prevent this in the first place. And even if that should fail, their information security teams should be performing testing of systems and continuous monitoring, because a set of check boxes on a change management form does not mean that all is well, as this data leak makes clear."

"Whether a cybercriminal needs to probe to find these flaws, or can stumble upon sensitive data indexed by a search engine, they will abuse these oversights," says Amy Blackshaw, manager for RSA fraud and risk intelligence at EMC. "Now, we can all shake our heads and think that these types of mistakes shouldn't occur -- and perhaps that is correct -- but it points to a fact that we need to change the way we are monitoring and detecting abuse on websites."

If organizations rely only on having 100% correct configuration and business logic, this type of incident will keep occurring, she says. Instead, the industry needs to start assessing the behavior of all activity on a website and look for anything out of the ordinary, not just for known-bad patterns.

"If organizations had visibility into each and every click across each and every session, with analytics that quickly flagged anomalies, these types of business logic abuse could be stopped before they started," says Blackshaw.

"We need to accept that it's impossible to build prevention mechanisms that are immune to human error," says Tal Klein, vice president of strategy for Adallom. "What happened at MBIA was a misconfiguration. What happened at [JPMorgan Chase] was a mistaken click on the wrong link. What happened at Target was an ignored alert. The biggest fallacy that exists in cyber security remains our belief that we can somehow prevent the next breach with more people or better technology. It's time to accept that breaches are a fact of life and invest in a strategy that 'assumes breach' and treats data like money."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...
