
10/8/2014
12:15 PM

MBIA Leaves Customer Data Exposed On Web

The breach was due to a misconfigured server that exposed sensitive data online.

Customers of the municipal bond insurance company MBIA had their information exposed due to a server misconfiguration issue.

After being notified about the breach, the company disabled the vulnerable site, mbiaweb.com. The site contained customer data from Cutwater Asset Management, a fixed-income unit of MBIA set to be purchased by BNY Mellon Corp.

Cutwater Asset Management is an investment adviser specializing in fixed income investments. It has $23 billion of assets under management and ranks among the world's largest fixed-income asset managers. Clients include state and local governments and pension funds.

According to Krebs on Security, most of the information had been indexed by search engines, including a page with administrative credentials that attackers could have used to get their hands on data that wasn't available by searching the web.

"We have been notified that certain information related to clients of MBIA's asset management subsidiary, Cutwater Asset Management, may have been illegally accessed," MBIA spokesman Kevin Brown tells Dark Reading. "We are conducting a thorough investigation and will take all measures necessary to protect our customers' data, secure our systems, and preserve evidence for law enforcement."

Brown also confirmed that the affected server had been taken offline, and that the company is continuing to investigate.

Bryan Seely, CEO of Seely Security, discovered the situation using a search engine. He told Krebs on Security that he believes the data was exposed due to a poorly configured Oracle Reports database server. This type of database server is normally set to provide information only to authorized users accessing the data from within a private network.

"This is the same class of problem as connecting a test server with a default password to the Internet, like happened at HealthCare.gov," says Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. "IT organizations should have quality and change management controls in place that prevent this in the first place. And even if that should fail, their information security teams should be performing testing of systems and continuous monitoring, because a set of check boxes on a change management form does not mean that all is well, as this data leak makes clear."

"Whether a cybercriminal needs to probe to find these flaws, or can stumble upon sensitive data indexed by a search engine, they will abuse these oversights," says Amy Blackshaw, manager for RSA fraud and risk intelligence at EMC. "Now, we can all shake our heads and think that these types of mistakes shouldn't occur -- and perhaps that is correct -- but it points to a fact that we need to change the way we are monitoring and detecting abuse on websites."

If organizations rely only on having 100% correct configuration and business logic, this type of incident will continue to occur, she says. Instead, the industry needs to start assessing the behavior of all activity occurring on a website to look for anything out of the ordinary, not just for known bad.

"If organizations had visibility into each and every click across each and every session, with analytics that quickly flagged anomalies, these types of business logic abuse could be stopped before they started," says Blackshaw.

"We need to accept that it's impossible to build prevention mechanisms that are immune to human error," says Tal Klein, vice president of strategy for Adallom. "What happened at MBIA was a misconfiguration. What happened at [JPMorgan Chase] was a mistaken click on the wrong link. What happened at Target was an ignored alert. The biggest fallacy that exists in cyber security remains our belief that we can somehow prevent the next breach with more people or better technology. It's time to accept that breaches are a fact of life and invest in a strategy that 'assumes breach' and treats data like money."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...
