
Attacks/Breaches

10/8/2014 12:15 PM

MBIA Leaves Customer Data Exposed On Web

The breach was due to a misconfigured server that exposed sensitive data online.

Customers of the municipal bond insurance company MBIA had their information exposed due to a server misconfiguration.

After being notified about the breach, the company disabled the vulnerable site, mbiaweb.com. The site contained customer data from Cutwater Asset Management, a fixed-income unit of MBIA set to be purchased by BNY Mellon Corp.

Cutwater Asset Management is an investment adviser specializing in fixed income investments. It has $23 billion of assets under management and ranks among the world's largest fixed-income asset managers. Clients include state and local governments and pension funds.

According to Krebs on Security, most of the information had been indexed by search engines, including a page with administrative credentials that attackers could have used to get their hands on data that wasn't available by searching the web.

"We have been notified that certain information related to clients of MBIA's asset management subsidiary, Cutwater Asset Management, may have been illegally accessed," MBIA spokesman Kevin Brown tells Dark Reading. "We are conducting a thorough investigation and will take all measures necessary to protect our customers' data, secure our systems, and preserve evidence for law enforcement."

Brown also confirmed that the affected server had been taken offline, and that the company is continuing to investigate.

Bryan Seely, CEO of Seely Security, discovered the exposure using a search engine. He told Krebs on Security that he believes the data was exposed due to a poorly configured Oracle Reports database server. This type of database server is normally configured to serve information only to authorized users accessing the data from within a private network, not to the public Internet.

"This is the same class of problem as connecting a test server with a default password to the Internet, like happened at HealthCare.gov," says Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. "IT organizations should have quality and change management controls in place that prevent this in the first place. And even if that should fail, their information security teams should be performing testing of systems and continuous monitoring, because a set of check boxes on a change management form does not mean that all is well, as this data leak makes clear."

"Whether a cybercriminal needs to probe to find these flaws, or can stumble upon sensitive data indexed by a search engine, they will abuse these oversights," says Amy Blackshaw, manager for RSA fraud and risk intelligence at EMC. "Now, we can all shake our heads and think that these types of mistakes shouldn't occur -- and perhaps that is correct -- but it points to a fact that we need to change the way we are monitoring and detecting abuse on websites."

If organizations rely only on having 100% correct configuration and business logic, this type of incident will continue to occur, she says. Instead, the industry needs to start assessing the behavior of all activity occurring on a website and look for anything out of the ordinary, not just for known-bad activity.

"If organizations had visibility into each and every click across each and every session, with analytics that quickly flagged anomalies, these types of business logic abuse could be stopped before they started," says Blackshaw.

"We need to accept that it's impossible to build prevention mechanisms that are immune to human error," says Tal Klein, vice president of strategy for Adallom. "What happened at MBIA was a misconfiguration. What happened at [JPMorgan Chase] was a mistaken click on the wrong link. What happened at Target was an ignored alert. The biggest fallacy that exists in cyber security remains our belief that we can somehow prevent the next breach with more people or better technology. It's time to accept that breaches are a fact of life and invest in a strategy that 'assumes breach' and treats data like money."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...
