Hundreds of companies, local government agencies and universities — including two Ivy League schools — continue to expose sensitive financial, medical, academic, personal and other records to anyone who knows a few finer points about how to use Google or the Shodan search engine.
These organizations are all in the same boat as MBIA, the nation’s largest bond insurer, which has been scrambling to downplay the revelation that it has not taken very good care with customer accounts.
Ethical hacker Bryan Seely of Seattle-based Seely Security showed how MBIA has long been exposing details of municipal bond and investment management accounts in a way that made it easy for criminals to transfer funds from existing accounts into newly created ones they control. There’s no evidence any theft took place, only because the bad guys appear to have overlooked this freebie.
MBIA’s security lapse came to light in a story posted by security blogger Brian Krebs early last week. But that’s just the tip of the iceberg, Seely tells ThirdCertainty.
Seely has reviewed 25,000 Oracle Web servers running software with a known weakness that becomes reachable if the Web server owner fails to configure the Oracle server properly.
“In the case of MBIA, it was not at risk because of a flaw in Oracle,” Seely says. “This was simply because the customer did not configure the server correctly when they deployed it, and it caused private banking records to be exposed to the Internet.”
8,000 Exposed Servers
Seely says he has identified more than 8,000 other servers that are similarly misconfigured and likewise exposing sensitive accounts on the open Internet. These are accounts that should be kept under lock and key.
Seely has been on a one-man campaign to notify organizations, and a few have listened to him. Among those who have heeded Seely’s heads-up and locked down their misconfigured Oracle servers are:
- Texas Department of Family Protective Services
- Meridian Community College in Mississippi
- University of Wisconsin
- Purdue – Calumet
- Maryland Port Authority
MBIA initially gave Seely the cold shoulder, but took action after receiving a phone call from Krebs. Most organizations Seely has tried to alert assume he’s out to hustle them. “They think it’s a ransom attempt or a scam,” he says. “I’m not selling anything, and I’m not asking for money. If they want to hire me to help fix or find more problems, I would welcome it, but it is not a condition by any means.”
A one-time U.S. Marine, Seely is no slouch. He has worked as a network engineer at Microsoft and Avanade. Last February, he demonstrated a way to set up and record calls between unwitting citizens and the FBI and Secret Service — by hacking Google Maps. Billionaire Dallas Mavericks owner and Shark Tank TV personality Mark Cuban is a fan.
Last month Seely and fellow ethical hacker Ben Caudill proved LinkedIn does not do a robust job of protecting email addresses by using a low-tech hack to find and manipulate Cuban’s email address, and those of other celebrities.
That hack led to Cuban asking Seely and Caudill to check Cyber Dust, a privacy-centric chat messenger startup backed by Cuban, for security soft spots.
Seely says it would have been trivial for criminals to steal from MBIA subsidiary Cutwater Asset Management — the company found to have the exposed accounts — but it appears MBIA and Cutwater dodged one big bullet.
MBIA Dodged Bullet — Will Others?
“It’s highly unlikely that criminals accessed MBIA’s data because the only thing at risk was the money,” Seely says. “If the money is there, then nothing has been stolen. There were not any Social Security numbers or PINs, but the ability to change or otherwise add and remove signers, additional bank accounts and such. It would have been all too easy to take money from accounts in small or large amounts prior to discovery.”
Cutwater’s server was misconfigured to expose countless account numbers, balances and forms in such a way that the records were being indexed by Google and Shodan, a search engine that looks for specific types of routers and servers connected to the Internet.
Seely personally was able to use Google and Shodan to directly access individual financial accounts, account balances, participant profiles, lists of names, addresses, email addresses and phone numbers of authorized account users.
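The exposure described above became visible because search engines crawled account pages that should have required a login. One way a server owner can detect the same failure on their own systems is to scan the Web server's access log for crawler traffic that reached access-restricted paths and got a successful (2xx) response instead of a 401 or 403. The script below is an added example and is not code from the article, from Seely or from MBIA; the log lines, the `/reports/...` paths, the crawler user-agent markers (including the "Shodan" string) and the list of protected prefixes are all constructed assumptions and would need to be replaced with the real layout of the server being checked.

```python
"""Flag search-engine crawler requests that reached restricted paths with a 2xx response.

Added example: the log lines, paths and crawler markers below are constructed, not
taken from any real server or from the incident described in the article.
"""
import re
import sys

# Constructed sample lines in the Apache/nginx "combined" log format (assumption: not real traffic).
SAMPLE_LOG = """\
66.249.66.1 - - [10/Oct/2014:08:12:01 +0000] "GET /reports/accounts/summary?id=1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Oct/2014:08:12:05 +0000] "GET /public/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.20.69.74 - - [10/Oct/2014:09:30:44 +0000] "GET /reports/admin/servlet HTTP/1.1" 200 812 "-" "Mozilla/5.0 (compatible; Shodan)"
203.0.113.9 - - [10/Oct/2014:10:01:17 +0000] "GET /reports/accounts/summary?id=1002 HTTP/1.1" 401 128 "-" "Mozilla/5.0 (Windows NT 6.1)"
66.249.66.1 - - [10/Oct/2014:10:05:00 +0000] "GET /reports/accounts/summary?id=1003 HTTP/1.1" 403 140 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# One "combined" log line: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that identify indexing crawlers (assumption: extend for the crawlers you care about).
CRAWLER_MARKERS = ("googlebot", "bingbot", "shodan", "censys")

# Path prefixes that must never be served without authentication (assumption: site-specific).
PROTECTED_PREFIXES = ("/reports/accounts", "/reports/admin")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    return record


def is_crawler(user_agent):
    """True if the user agent names one of the known indexing crawlers."""
    lowered = user_agent.lower()
    return any(marker in lowered for marker in CRAWLER_MARKERS)


def is_protected(path):
    """True if the request path (query string included) falls under a protected prefix."""
    return path.startswith(PROTECTED_PREFIXES)


def find_crawler_exposures(log_text):
    """Return every crawler request to a protected path that was answered with a 2xx status.

    A 401 or 403 to a crawler is the expected outcome; a 2xx means the content was served
    unauthenticated and is likely to end up in a public search index.
    """
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        if (is_crawler(record["ua"]) and is_protected(record["path"])
                and 200 <= record["status"] < 300):
            hits.append({
                "ip": record["ip"],
                "when": record["ts"],
                "path": record["path"],
                "status": record["status"],
                "ua": record["ua"],
            })
    return hits


def summarize(hits):
    """Count exposures per protected prefix so the worst-affected area stands out."""
    counts = {}
    for hit in hits:
        prefix = next(p for p in PROTECTED_PREFIXES if hit["path"].startswith(p))
        counts[prefix] = counts.get(prefix, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python check_crawler_exposure.py [access.log]; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    exposures = find_crawler_exposures(text)
    for hit in exposures:
        print(f'{hit["when"]} {hit["ip"]} {hit["status"]} {hit["path"]} [{hit["ua"]}]')
    print("per-prefix counts:", summarize(exposures))
```

On the constructed sample the script reports the two crawler requests that were served with a 200 under the protected prefixes and ignores the public page, the 401 to an ordinary browser and the 403 to Googlebot. Any hit it reports is a sign that the authentication configuration in front of that path is missing, and that the content may already be sitting in a public index and needs a removal request in addition to the fix.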
“If you needed to add someone, you could just fill out a form and email it,” he says.
Now that the cat is out of the bag, you can bet the attention of organized cyber gangs has been directed to this low-hanging fruit. Companies using misconfigured Oracle servers that are slow to address this exposure are at risk of paying a high price. The two Ivy League schools Seely found to be exposed have not yet fixed the problem, he says.