07
Oct 14

Huge Data Leak at Largest U.S. Bond Insurer

On Monday, KrebsOnSecurity notified MBIA Inc. — the nation’s largest bond insurer — that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines, including a page listing administrative credentials that attackers could use to access data that wasn’t already accessible via a simple Web search.

A redacted screenshot of MBIA account information exposed to search engines.

A redacted screenshot of MBIA account information exposed to search engines.

MBIA Inc., based in Purchase, N.Y., is a public holding company that offers municipal bond insurance and investment management products. According to the firm’s Wiki page, MBIA, formerly known as the Municipal Bond Insurance Association, was formed in 1973 to diversify the holdings of several insurance companies, including Aetna, Fireman’s Fund, Travelers, Cigna and Continental.

Notified about the breach, the company quickly disabled the vulnerable site — mbiaweb.com. This Web property contained customer data from Cutwater Asset Management, a fixed-income unit of MBIA that is slated to be acquired by BNY Mellon Corp.

“We have been notified that certain information related to clients of MBIA’s asset management subsidiary, Cutwater Asset Management, may have been illegally accessed,” said MBIA spokesman Kevin Brown. “We are conducting a thorough investigation and will take all measures necessary to protect our customers’ data, secure our systems, and preserve evidence for law enforcement.”

Brown said MBIA notified all current customers about the incident Monday evening, and that it planned to notify former customers today.

Some 230 pages of account statements from Cutwater had been indexed by Google, including account and routing numbers, balances, dividends and account holder names for the Texas CLASS (a local government investment pool) ; the Louisiana Asset Management Pool; the New Hampshire Public Deposit Investment Pool; Connecticut CLASS Plus; and the Town of Richmond, NH.

In some cases, the documents indexed by search engines featured detailed instructions on how to authorize new bank accounts for deposits, including the forms and fax numbers needed to submit the account information.

Bryan Seely, an independent security expert with Seely Security, discovered the exposed data using a search engine. Seely said the data was exposed thanks to a poorly configured Oracle Reports database server. Normally, Seely said, this type of database server is configured to serve information only to authorized users who are accessing the data from within a trusted, private network — and certainly not open to the Web.

Worse yet, Seely noted, that misconfiguration also exposed an Oracle reports diagnostics page that included the username and password that would grant access to nearly all of the customer account data on the server.

“Malicious hackers finding dozens of universities or companies with Social Security numbers, health data or other information is devastating, but stumbling on bank accounts and the instructions for how to empty them is potentially catastrophic,” Seely said. “Billions in taxpayer funds, invested into one of the largest institutions in the world that were essentially being guarded by a sleeping security guard. What happens to those states when the money disappears?”

A misconfigured Oracle reports server can expose massive troves of sensitive data, a fact documented time and again by another independent researcher — Dana Taylor of NI @root. If your organization depends on Oracle Reports Services, please ensure that your administrators have read and implemented Oracle’s advice on securing these systems.

The accidental disclosure of customer data from MBIA comes amid revelations that foreign hackers — possibly organized crime groups operating out of Russia — hacked into networks of JPMorgan Chase. In public filings last week, JPMorgan said the breach exposed names, addresses, email address and phone numbers for 76 million household accounts and seven million small businesses. However, JPMorgan said that it has no indication that account numbers were exposed in the break-in.

Update, 3:03 p.m. ET: Updated the first and second paragraphs to clarify that the Municipal Bond Insurance Association is a former name for MBIA Inc.

Tags: , , , , , , , ,

69 comments

  1. This is a gross display of incompetence at every level. This isn’t even a story about criminals. These guys just made this problem entirely on their own.

    • Thanks, captain obvious.

      • It does show a bigger problem. Small organizations that either don’t vet vendors or don’t have regular 3rd party security audits. Everyone focuses on the big mega credit card breaches while the incompetence at smaller enterprises dwarfs the any major breach outcome. Many of these smallish companies have been breached for years and they don’t know it. Their IT vendor is nothing more than a $80/hr PC tech who knows how to spell SonicWall and sing a comforting “you’re all secure” tune to a management staff who thinks everything IT is 90% magic and 10% licensing fees.

        • Michael S Black

          Andy,

          IK will quote Brian’s article “Municipal Bond Insurance Association — the nation’s largest bond insurer”

          So, how is your comment related at all? While true, MBIA is NOT a “Small organizations that either don’t vet vendors or don’t have regular 3rd party security audits”

          • If recent history has shown us anything, it’s that large organizations are just as guilty of hiring unqualified individuals as small organizations. If they hire the unqualified individuals, they “save” on compensation, which means there’s more in the pot at the end of the year for executives.

          • Andy’s comment reads that that smaller organisations who use larger ones such as MBIA do not do 3rd party security audits on large vendors such as MBIA, and not that MBIA itself was a smaller organization.
            Although it would be interesting to find out what, if any, independent security audits MBIA had undergone, and when.

      • That’s Captian Obvious …… obviously.

      • It’s not so obvious, and such a comment paves the way for showing that it is reasonable to consider MBIA’s omission as negligence, not just being a reasonable-behaving victim, but as one with fault and liability…Major Duncel.

        • And by the way, has anybody thanked Brian for helping to motivate MBIA to take security seriously? That’s the whole point. Thanks Brian, wish everyone read your blog.

    • Seems you are applying Hanlon’s Razor :

      Never attribute to malice that which is adequately explained by stupidity.

      Whoa. Let’s consider its inverse :

      Never attribute to stupidity that which is adequately explained by espionage.

      Sometimes all it takes is one employee, disgruntled, corporate spy, psychopathic, to remove or reduce software security blocks (or change configurations) or install firmware or hardware information-stealing equipment, to get to the desired data. And there is the possibility of “new” hardware arriving that contains malware embedded in its firmware.

      This company handles large amounts of money and information and thus is an very attractive target for thieves. Or corrupt competitors.

    • iRaSecurityGaWd

      This is what happens when highly critical security infrastructure is filled with brain dump knowledge acquired toilet paper techs. I’m sure this dolt is looking for another job right about now. I’m sure Home Depot or Target will scoop this character up. it’s all down hill from here on out.

  2. “…certain information …may have been illegally accessed.”

    That’s some serious spin. When you publish something to the web, and Google indexes it and anyone can view it without credentials – you cant really call it ‘illegal access’. The company’s statement is unflinchingly disingenuous.

    • Yeah, that irked me too. Thought of weev / A-Fee&Fee case.

    • That was my first reaction, is this asshole trying to say someone attacked their systems and it was not his dumbass fault for exposing reports server to the web insecurely? Sounds like ass covering to me. Totally the wrong response since this information could easily have been sold instead of responsibly disclosed.

  3. TheOreganoRouter.onion.it

    I bet Municipal Bond Insurance Association are using Windows XP machines without any security updates also.

  4. TheOreganoRouter.onion.it

    Why are my posts continuing to be blocked?

    • Doesn’t look blocked. Maybe just your SPAM posts. Krebs would be the wrong guy to try to slip those in on. 🙂

    • I’ve told you this before: Nobody is blocking your posts, or at least not intentionally. For some reason, they are getting flagged as possibly spammy by my system. That in itself may be useful info to you, maybe not. But I don’t like being accused of censorship of any kind, so consider your posts on moderation 100 percent of the time from now on.

  5. I wasn’t clear if it was as a result of hacking or they just left a Oracle Reports server where Google could get at it

    • MBIA’s statement notwithstanding, there are no indications from this side that they were hacked. But the company had voluminous amounts of data indexed by Google — reports that someone ostensibly with legitimate access had asked the Oracle server to run. And one of those pages included a username and password that an attacker could use run whatever reports they wanted.

      • You would wonder why someone would create a report which lists usernames AND passwords? It doesn’t sounds like a mis-configuration, that’s more of a deliberate security breach? I would assume it’s hashed passwords, not plaintext.

        • My question is, why is that kind of data exposed on the www anyway?

          It should be accessible only via ssl / vpn encrypted access within a secure intranet.

          I call failure by design.

      • It sounds like the key failures were in perimeter security controls. Why is misconfiguration of the reports server being identified as the main issue? What am I missing?

    • The good news is that Oracle Reports is one of the most frustrating and slow BI technologies out there, so even if someone malicious sees that it’s there, they may throw their hands up in frustration when trying to use it.

  6. Unfortunately the complexity of computer systems have out stripped the capacity of mere mortals to manage them! Highly skilled investigators criminal or legitimate, are far superior to the average IT staff member. IT is like maintenance, an easy place to cut corners, especially when your bonus is based upon quarterly reviews. And to make matters worse, how many managers do you know are crisis managers? And not until a potential problem becomes a crisis does it get any attention.

  7. Shouldn’t a company be looking for indexing on sites that should not be public? That should be fairly easy to set up as an alert. If you wanted, you could set up the alert for all web-pages and have a person add to the white-list of pages/ directories that should be pubic.

    • Waiting until it’s indexed by Google, and thus showing up on search results, is probably a bit too late.

    • Searching for yourself is a great start. There are a number of services that make it automatic – you subscribe to various key terms and phrases (your company name or product brand, for instance) and will get alerts anytime you are mentioned online. Granted that’s reacting after the breach, but I digress…

      I don’t have first-hand experience with any, so can’t say how broad a scope they monitor.

  8. I am working on a book titled “Oracle Reports Exposed”. You won’t believe how easy it is to get data off these servers. I turned over close to 40 separate exposures to Oracle a couple of weeks ago. Major ones.

    • Well at least I now know that I am not the only one being ignored by the Big Box Stores and the FEDs.
      This is nothing short of gross incompetence.

  9. Sheeez….in haste to panic…..they neglected the usual disclaimer. ‘ We take security very seriously’

  10. “Oct. 6 (Bloomberg) — BNY Mellon Corp., the world’s largest custody bank, said it reached an agreement to acquire Cutwater Asset Management, a fixed-income unit of MBIA Inc. (MBI).
    When the deal is completed, Cutwater will be part of BNY Mellon Investment Management, which oversees $1.6 trillion in assets, the New York-based bank said today in a statement. Cutwater has about $23 billion in assets. ” Does anyone know if this little boo-boo will change the price or is the sale closed, a done deal?

    • I find it strange too that this comes about during or while one of their subsidiaries is being acquired.

      • I don’t find it odd at all, BNY probably requested someone do a “Google search” (that’s the hitech term) and see if there is anything out there. Oh hey there’s some account routing numbers.
        I’m with the people above thinking this was an inside job. You can’t easily expose this info without a lot of steps on the backend.

  11. We met JP Morgan decision makers at Black Hat this past August, upon learning about our unbreakable encryption there… they chose to think about upgrading. Guess they should have thought faster.

    Here’s the thing though. These reports of breaches are going to be coming in on a daily basis and have reached epidemic proportions. Protecting sensitive data with the highest levels of encryption will at least ensure that when the data is stolen, it will be completely useless to the thief.

    Our patented encryption process is fully user defined and is unhackable based on the process. To illustrate this further, the current standard is AES256 (we start where AES256 leaves off) which means the key is no longer than 256 bits, or a maximum of 32 typewritten characters long. Yes, it requires some significant computer power to break but AES256 pales in comparison to our patented system which has no key length limit. Our platform uses for an example, multiple keys of 64KB long. That’s an increase of almost 205 thousand percent! To put it another way – assume with a supercomputer that it could break a single AES256 key in 6 months then a key structure, according to our patent, of 10 keys as small as 1KB would then take that same computer 320 times as long or 160 years. Remember that is with just using 1KB keys…stretch that out to 64KB keys and you are looking at roughly 102 millennia to break. That’s, for all intents and purposes, unbreakable.

    • https://www.schneier.com/crypto-gram-9902.html

      Warning signs 3 and 5 for snake oil crypto. This story reference details what i would call criminally negligent practices for protecting private data. Encryption is only a part of data protection. These guys would have handed over the keys…

    • @ Richard Blech
      I would not disagree with you on the point of improved encryption methods. But I’d like to point out that the “best of breed” encryption technologies themselves become utterly useless in cases where large companies, such as the one I work for, have hundreds of thousands of employees, tens of thousands of internal or client facing applications and databases, many of which interface between each other.
      It takes a lapse of judgement of a single person or a simple oversight and you have a mess on your hands before you even know it.

      Such a blatant leak is pointing to some severe process gaps in UAT, dev and testing at more than one level on the MBIA side.

      My main question would be: what happens now, since the data is out in the open? I am really interested in hearing more details on how they are containing the exposure. I’m saying containment, because I doubt mitigation is even possible in this particular case.

  12. Anyone else remember the Oracle Unbreakable claims?

    • Any system is vulnerable if you allow cart-blanch access to sensitive data due to misconfiguration. If I put a list of administrative passwords on a publicly accessible web server, then link to the page so search engines can find it, the fault is mine – not the web server I put it on.

  13. @Joe Dirt

    “To the best of our knowledge an Oracle database has not been broken into for a couple of decades,” he said, “by anybody.” He earned some applause by adding, “It’s so secure [that] there are people that complain!”

    Oracle systems separate the data from administrator access, Ellison pointed out, which adds to the security of the systems. “Mr. Snowden never could have gotten into an Oracle database,” he said.

    But in a recent blog post from security researcher Dana Taylor claimed to have discovered two vulnerabilities in Oracle Forms and Reports, “…which affected 10.x and 11.x and possibly older versions,” and which she reported to Oracle. The company responded to her reports, she wrote in the post, by saying that these were not vulnerabilities. Oracle was unavailable for comment at press time.

  14. Could this be a clever knowledgeable insider attack? What I mean is what if an employee wanted to steal the data but didn’t want to be suspected of anything more than incompetence. Exposing the data to Google at the time of the employee’s choosing, during vacation for example, allows them to be the first to take advantage of the leak and prevents anyone from accusing them of theft. After all, how does one prove the employee is the culprit when billions of people have access to the same leaked data? The company will most likely fire the employee, which was always part of the plan.

  15. After 25 years in development, six months ago I switched to the security side. The most frustrating part of the switch is that I now regularly read how negligent many of my “peers” (I use the word loosely) have been and continue to be. Security is not a new concept. Granted the internet has magnified its importance a million fold with the increased attack surface and a world of bad guys having direct access. The worst part is that it’s not just the bad guys that you have to worry about. Those entrusted with our information don’t seem to care about it. At least not enough to do their job properly. One-by-one they’re finding out how expensive not implementing appropriate security can be (if they’re not, they should be). And in the mean time people’s lives are being drastically affected. Does anyone have enough time for all of the “conveniences” technology has broght upon us? I think my next hobby might be consumer security advocate. How long before “paper only”/disconnected organizations start popping up? It might not be a bad business model aimed at a growing segment of the population that would like to feel at least moderately safe again. You have reasonable control over your physical safety, but nearly no control over your online safety (and you don’t need to be online to be at risk).

    • It’s not your developer peers that are at fault – it’s the culture of IT management that says “get it done, shove it in, we’ll work out the bugs later”. Products of so-called “Agile” development is fully of security holes, since they don’t drive “business value”. At least, *visible* business value.

      • The software development methodology, insofar as it applies to coding, is not at fault. Big up-front designs had security problems as well. First off, secure programming is hard. That is a fact, not an excuse. This is exacerbated the major problem of testing. “Does this feature work” is a lot easier to test for than “Is this secure”. Secure against what, specifically enough to test for? Now you need to start with a good threat model, and it gets tougher from there.

        Production pressure certainly plays a part, but so does the fact that too many people simply have no idea what they are doing. Hard-coding crypto keys in router, VPN terminator, etc., firmware, with no provision for flashing those chips is a remarkably bad idea, regardless of the coding methodology used.

        At least agile methods commonly contain the concept of pair programming, which can help.

        And even the best possible design and implementation can very often be defeated by how the software is configured by an end-user, etc.

  16. So since all the publicity about breaches hasn’t seemed to get corporate attention, isn’t it time for handing out jail time. The “keeping customer information secure is our most” is just not what is actually demonstrated by the lack of attention. Brian, doesn’t this make feel somewhat disheartened?

  17. Were these pages linked from pages on their website that were supposed to be publicly accessible, or did Google’s crawler arrive their through an external site that had linked to those pages?

  18. If they would have encrypted this data, than would have the crawlers just seen encrypted junk? Seems like such sensitive data should always be encrypted. Not just the database, but those Oracle reports as well – that lost info is going to keep MBIA on the hacker hit list!

  19. Unfortunately it’s this level of security incompetence that needs to be stamped out and penalised from the highest level. This is gross negligence. We simply shouldn’t have to be beholden to places like Krebs to do the security testing for them.

    JP Morgan’s loss of data on the other hand looks to be something that was the result of some significant hacking and although I’m sure there is more that could be done it’s a situation where they were at least awake at the wheel.

  20. While I agree this a a particularly egregious example of incompetence, I think we should all keep in mind that no one is perfect and there is not a person reading this that has not made a mistake that could rival this one for the level of incompetence it displayed (the scope of the data at risk notwithstanding). Managing IT and especially security is not easy and we only have to be wrong once to get compromised. Let’s not pat ourselves on the back about how WE would never make such a mistake, because we probably have and were just lucky enough to catch it before anything bad happened (that we know of). That kind of over-confidence can be more dangerous than inexperience.

  21. If Google indexes data which you mistakenly have left unprotected, how does it compare with you mistakenly not patching the system, thus allowing “bad guys” to access it?

    Should MBIA press charges against Google ?

  22. Does anyone else find it odd that this happened the same day it was announced that the company was being acquired by another corporation. It makes me think more “disgruntled insider” and poor change management than anything else…

  23. Brian, I may have missed it in the article, but do you know how long this vulnerability was exposed? I’m curious whether it would have been open long enough to have been detected by regular vuln scans if they performed them.

    I read that Oracle doc on how to secure Oracle Reports and was surprised they don’t talk about how to secure the perimeter network, for example, how to limit access through a WAF or IPS so that this vulnerability wouldn’t be exploited even if misconfigured.

  24. Reuters other observations on ignored notification attempts by Seely (ouch!):
    http://in.mobile.reuters.com/article/idINL2N0S22LB20141008?irpc=932

    A variety of GoogleDorks don’t turn up any link to the mbiaweb.com data (or cc.cutwater.com) anymore, did they get Google to drop the indexed items?

  25. Reuters other observations on ignored notification attempts by Seely (ouch!):
    in.mobile.reuters.com/article/idINL2N0S22LB20141008?irpc=932

    A variety of GoogleDorks don’t turn up any link to the mbiaweb.com data (or cc.cutwater.com) anymore, did they get Google to drop the indexed items?

  26. The other day I went on-line to my bank to check my credit card statement. To my surprise my accounts included my credit card, a checking, and a savings account. The credit card account was mine but the checking and savings belonged to someone else. I contacted the ban and I had to remain on the phone while they corrected the problem. No harm done.

    • I wish you had named the bank, so as to help spur them on to not leave it at that, should their error be systemic.

  27. “Bryan Seely” another scumbag trying to capitalize on the misfortunes of others. Selfpromotion under the guise of ‘help’. It’s was pathetic twenty years ago.

    • Would you rather this issue remain in the darkness which would allow malicious people to cause harm to others? Sure, fame comes with stories like this but we need these stories to shine a light on this issue so others can protect themselves.

      It isn’t our fault that DBAs don’t know how to run their Oracle servers. Yell at them for exposing the data.

  28. Look at Brian’s linkedin

    http://www.linkedin.com/in/bryanthemapsguy

    Bryan Seely’s Honors and Awards ……. seriously on linkedin…

    Made minute rice in 57 seconds
    August 2014
    I was able to successfully make minute rice in 57 seconds.
    Completed 7 minute Abs in 6 minutes.
    Harland Williams
    June 2014
    Completed 7 minute abs in 6 minutes.
    Still have washtub abs though.
    Most Humble Person of the Year 2013
    December 2013
    Awarded the most prestigious award for Humility for the year of 2013. This is my 5th year as the winner of this. I just don’t know how to go about promoting it.
    Funniest Person at TGI Fridays last Wednesday.
    Kimberly the Waitress
    March 2014
    Number 1 Dad
    My kids
    February 2014
    For all the runners up, no hard feelings, i’m pretty terrific. I’m sure my kids did their research. And were totally unbiased
    CPA – Certified Pain in the A**
    Everyone
    August 2014
    It started with all the written notes home from teachers, and now today on a much larger and more widespread scale.
    Bryan Seely’s Patents

    Being Awesome
    United States Patent Application PEN-15 Filed June 1, 2014
    Inventors: Bryan Seely
    Trying to patent being this awesome. And humble. Kind of a joint patent sort of deal.
    Bryan Seely’s Test Scores

    SAT
    June 2000 Score: All of them

  29. Oh, Sister. Upgraded from 9. 10G is susceptible to this attack if diagnostic output is enabled (new term introduced after two vulnerabilities I found back in 2011/2012. SSO would mitigate this.

    Server: Oracle-Application-Server-10g/9.0.4.3.0 Oracle-HTTP-Server

  30. I have done this myself before, left a BACs payment reports in an unsecured web folder, forgot to restrict permission of the folder to finance users.
    My site did have a robots.txt file telling search engines not to index private parts, every site should have.
    In my case whitebox pen testers spotted the problem and I fixed it.