(NOTE: The following is used with the permission of Byron Acohido, a Pulitzer Prize-winning journalist and editor-in-chief for ThirdCertainty, an IDt911-sponsored online publication dedicated to helping individuals and companies assess risks and embrace best security practices. Acohido will be speaking at the ThreatMetrix Cybercrime Prevention Summit 2014, November 5 – 7.)
By Byron Acohido, ThirdCertainty
Hundreds of companies, local government agencies and universities—including two Ivy League schools—continue to expose sensitive financial, medical, academic, personal and other records to anyone who knows a few finer points about how to use Google or the Shodan search engine.
These organizations are all in the same boat as MBIA, the nation’s largest bond insurer, which has been scrambling to downplay the revelation that it has not taken very good care with customer accounts.
Ethical hacker Bryan Seely of Seattle-based Seely Security showed how MBIA has long been exposing details of municipal bond and investment management accounts in a way that made it easy for criminals to transfer funds from existing accounts into newly created ones they control. There’s no evidence any theft took place, only because the bad guys appear to have overlooked this freebie.
MBIA’s security lapse came to light in a story posted by security blogger Brian Krebs early last week. But that’s just the tip of the iceberg, Seely tells ThirdCertainty.
Seely has reviewed 25,000 Oracle web servers known to carry a weakness that becomes exploitable if the web server owner fails to configure the Oracle server properly.
“In the case of MBIA, it was not at risk because of a flaw in Oracle,” Seely says. “This was simply because the customer did not configure the server correctly when they deployed it, and it caused private banking records to be exposed to the Internet.”
8,000 exposed servers
Seely says he has identified more than 8,000 other servers that are similarly misconfigured and likewise exposing sensitive accounts on the open Internet. These are accounts that should be kept under lock and key.
Seely has been on a one-man campaign to notify organizations, and a few have listened to him. Among those who have heeded Seely’s heads-up and locked down their misconfigured Oracle servers are:
- Texas Department of Family Protective Services
- Meridian Community College in Mississippi
- University of Wisconsin
- Purdue – Calumet Campus
- Maryland Port Authority
MBIA initially gave Seely the cold shoulder, but took action after it received a phone call from Brian Krebs. Most organizations Seely has tried to alert assume he’s out to hustle them. “They think it’s a ransom attempt or a scam,” he says. “I’m not selling anything, and I’m not asking for money. If they want to hire me to help fix or find more problems, I would welcome it, but it is not a condition by any means.”
A one-time U.S. Marine, Seely is no slouch. He has worked as a network engineer at Microsoft and Avanade. Last February, he demonstrated a way to set up and record calls between unwitting citizens and the FBI and Secret Service—by hacking Google Maps. Billionaire Dallas Mavericks owner and Shark Tank TV personality Mark Cuban is a fan.
Last month Seely and fellow ethical hacker Ben Caudill proved LinkedIn does not do a robust job of protecting email addresses by using a low-tech hack to find and manipulate Cuban’s email address, and those of other celebrities.
That hack led to Cuban asking Seely and Caudill to check Cyber Dust, a privacy-centric chat messenger start-up backed by Cuban, for security soft spots.
Seely says it would have been trivial for criminals to steal from MBIA subsidiary Cutwater Asset Management—the company found to have the exposed accounts—but it appears MBIA and Cutwater dodged one big bullet.
MBIA dodged bullet — will others?
“It’s highly unlikely that criminals accessed MBIA’s data because the only thing at risk was the money,” Seely says. “If the money is there, then nothing has been stolen. There were not any Social Security numbers or PINs, but the ability to change or otherwise add and remove signers, additional bank accounts and such. It would have been all too easy to take money from accounts in small or large amounts prior to discovery.”
Cutwater’s server was misconfigured to expose countless account numbers, balances and forms in such a way that the records were being indexed by Google and Shodan, a search engine that looks for specific types of routers and servers connected to the Internet.
Seely personally was able to use Google and Shodan to directly access individual financial accounts, account balances, participant profiles, lists of names, addresses, email addresses, and phone numbers of authorized account users.
“If you needed to add someone, you could just fill out a form and email it,” he says.
Now that the cat is out of the bag, you can bet the attention of organized cyber gangs has been directed to this low-hanging fruit. Companies using misconfigured Oracle servers that are slow to address this exposure are at risk of paying a high price. The two Ivy League schools Seely found to be exposed have not yet fixed the problem, he says.
ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.