Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/8/2014
12:15 PM
50%
50%

MBIA Leaves Customer Data Exposed On Web

The breach was due to a misconfigured server that exposed sensitive data online.

Customers of the municipal bond insurance company MBIA had their information exposed due to a server misconfiguration issue.

After being notified about the breach, the company disabled the vulnerable site, mbiaweb.com. The site contained customer data from Cutwater Asset Management, a fixed-income unit of MBIA set to be purchased by BNY Mellon Corp.

Cutwater Asset Management is an investment adviser specializing in fixed income investments. It has $23 billion of assets under management and ranks among the world's largest fixed-income asset managers. Clients include state and local governments and pension funds.

According to Krebs on Security, most of the information had been indexed by search engines, including a page with administrative credentials that attackers could have used to get their hands on data that wasn't available by searching the web.

"We have been notified that certain information related to clients of MBIA's asset management subsidiary, Cutwater Asset Management, may have been illegally accessed," MBIA spokesman Kevin Brown tells Dark Reading. "We are conducting a thorough investigation and will take all measures necessary to protect our customers' data, secure our systems, and preserve evidence for law enforcement."

Brown also confirmed that the affected server had been taken offline, and that the company is continuing to investigate.

Bryan Seely, CEO of Seely Security, discovered the situation, using a search engine. He told Krebs on Security that he believes the data was exposed due to a poorly configured Oracle Reports database server. This type of database server is normally set to provide information only to authorized users accessing the data from within a private network.

"This is the same class of problem as connecting a test server with a default password to the Internet, like happened at HealthCare.gov," says Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. "IT organizations should have quality and change management controls in place that prevent this in the first place. And even if that should fail, their information security teams should be performing testing of systems and continuous monitoring, because a set of check boxes on a change management form does not mean that all is well, as this data leak makes clear."

"Whether a cybercriminal needs to probe to find these flaws, or can stumble upon sensitive data indexed by a search engine, they will abuse these oversights," says Amy Blackshaw, manager for RSA fraud and risk intelligence at EMC. "Now, we can all shake our heads and think that these types of mistakes shouldn't occur -- and perhaps that is correct -- but it points to a fact that we need to change the way we are monitoring and detecting abuse on websites."

If organizations rely only on having 100% correct configuration and business logic, this type of incident will continue to occur, she says. Instead, the industry needs to start assessing the behavior of all activity occurring on a website to look for anything out of the ordinary, not just for known bad.

"If organizations had visibility into each and every click across each and every session, with analytics that quickly flagged anomalies, these types of business logic abuse could be stopped before they started," says Blackshaw.

"We need to accept that it's impossible to build prevention mechanisms that are immune to human error," says Tal Klein, vice president of strategy for Adallom. "What happened at MBIA was a misconfiguration. What happened at [JPMorgan Chase] was a mistaken click on the wrong link. What happened at Target was an ignored alert. The biggest fallacy that exists in cyber security remains our belief that we can somehow prevent the next breach with more people or better technology. It's time to accept that breaches are a fact of life and invest in a strategy that 'assumes breach' and treats data like money."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27941
PUBLISHED: 2021-05-06
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the...
CVE-2021-29203
PUBLISHED: 2021-05-06
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gai...
CVE-2021-31737
PUBLISHED: 2021-05-06
emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution vulnerability due to upload of database backup file in admin/data.php.
CVE-2020-28198
PUBLISHED: 2021-05-06
** UNSUPPORTED WHEN ASSIGNED ** The 'id' parameter of IBM Tivoli Storage Manager Version 5 Release 2 (Command Line Administrative Interface, dsmadmc.exe) is vulnerable to an exploitable stack buffer overflow. Note: the vulnerability can be exploited when it is used in "interactive" mode wh...
CVE-2021-28665
PUBLISHED: 2021-05-06
Stormshield SNS with versions before 3.7.18, 3.11.6 and 4.1.6 has a memory-management defect in the SNMP plugin that can lead to excessive consumption of memory and CPU resources, and possibly a denial of service.