Date: Tue, 07 Oct 2014 21:00:08 -0400
From: mark <whitroth@5-cent.us>
To: undisclosed-recipients:;
Subject: [WSFA] MBIA giant disclosure are your accounts listed?
Reply-To: WSFA members <WSFAlist@KeithLynch.net>
Excerpt:
On Monday, KrebsOnSecurity notified the Municipal Bond Insurance
Association — the nation's largest bond insurer — that a misconfiguration
in a company Web server had exposed countless customer account numbers,
balances and other sensitive data. Much of the information had been
indexed by search engines, including a page listing administrative
credentials that attackers could use to access data that wasn't already
accessible via a simple Web search.
A redacted screenshot of MBIA account information exposed to search engines.
MBIA Inc., based in Purchase, N.Y., is a public holding company that
offers municipal bond insurance and investment management products.
According to the firm's Wiki page, MBIA was formed in 1973 to diversify
the holdings of several insurance companies, including Aetna, Fireman's
Fund, Travelers, Cigna and Continental.
<...>
Some 230 pages of account statements from Cutwater had been indexed by
Google, including account and routing numbers, balances, dividends and
account holder names for the Texas CLASS (a local government investment
pool); the Louisiana Asset Management Pool; the New Hampshire Public
Deposit Investment Pool; Connecticut CLASS Plus; and the Town of Richmond,
NH.
<...>
Bryan Seely, an independent security expert with Seely Security,
discovered the exposed data using a search engine. Seely said the data was
exposed thanks to a poorly configured Oracle Reports database server.
Normally, Seely said, this type of database server is configured to serve
information only to authorized users who are accessing the data from
within a trusted, private network — and certainly not open to the Web.
Worse yet, Seely noted, that misconfiguration also exposed an Oracle
reports diagnostics page that included the username and password that
would grant access to nearly all of the customer account data on the
server.
--- end excerpt ---
<http://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/#more-28020>
mark