Home > News > Hacker: 2 Ivy League Schools Vulnerable to a Serious Data Breach

Comments 0 Comments

Hundreds of companies, local government agencies and universities — including two Ivy League schools — continue to expose sensitive financial, medical, academic, personal and other records to anyone who knows a few finer points about how to use Google or the Shodan search engine.

These organizations are all in the same boat as MBIA, the nation’s largest bond insurer, which has been scrambling to downplay the revelation that it has not taken very good care with customer accounts.

Ethical hacker Bryan Seely of Seattle-based Seely Security showed how MBIA has long been exposing details of municipal bond and investment management accounts in a way that made it easy for criminals to transfer funds from existing accounts into newly created ones they control. There’s no evidence any theft took place, only because the bad guys appear to have overlooked this freebie.

MBIA’s security lapse came to light in a story posted by security blogger Brian Krebs early last week. But that’s just the tip of the iceberg, Seely tells ThirdCertainty.

Seely has reviewed 25,000 Oracle Web servers known to have a vulnerability that can be accessed if the Web server owner fails to configure the Oracle server in the proper way.

“In the case of MBIA, it was not at risk because of a flaw in Oracle,” Seely says. “This was simply because the customer did not configure the server correctly when they deployed it, and it caused private banking records to be exposed to the Internet.”

8,000 Exposed Servers

Seely says he has identified more than 8,000 other servers that are similarly misconfigured and likewise exposing sensitive accounts on the open Internet. These are accounts that should be kept under lock and key.

Seely has been on a one-man campaign to notify organizations, and a few have listened to him. Among those who have heeded Seely’s heads up and locked down their misconfigured Oracle servers are:

  • Texas Department of Family Protective Services
  • Meridian Community College in Mississippi
  • University of Wisconsin
  • Purdue – Calumet
  • Maryland Port Authority

MBIA initially gave Seely the cold shoulder, but took action after receiving a phone call from Krebs. Most organizations Seely has tried to alert assume he’s out to hustle them. “They think it’s a ransom attempt or a scam,” he says. “I’m not selling anything, and I’m not asking for money. If they want to hire me to help fix or find more problems, I would welcome it, but it is not a condition by any means.”

A one-time U.S. Marine, Seely is no slouch. He has worked as a network engineer at Microsoft and Avanade. Last February, he demonstrated a way to set up and record calls between unwitting citizens and the FBI and Secret Service — by hacking Google Maps. Billionaire Dallas Mavericks owner and Shark Tank TV personality Mark Cuban is a fan.

Last month Seely and fellow ethical hacker Ben Caudill proved LinkedIn does not do a robust job of protecting email addresses by using a low-tech hack to find and manipulate Cuban’s email address, and those of other celebrities.

That hack led to Cuban asking Seely and Caudill to check Cyber Dust, a privacy-centric chat messenger startup backed by Cuban, for security soft spots.

Seely says it would have been trivial for criminals to steal from MBIA subsidiary Cutwater Asset Management — the company found to have the exposed accounts — but it appears MBIA and Cutwater dodged one big bullet.

MBIA Dodged Bullet — Will Others?

“It’s highly unlikely that criminals accessed MBIA’s data because the only thing at risk was the money,” Seely says. “If the money is there, then nothing has been stolen. There were not any Social Security numbers or PINs, but the ability to change or otherwise add and remove signers, additional bank accounts and such. It would have been all too easy to take money from accounts in small or large amounts prior to discovery.”

Cutwater’s server was misconfigured to expose countless account numbers, balances and forms in such a way that the records were being indexed by Google and Shodan, a search engine that looks for specific types of routers and servers connected to the Internet.

Seely personally was able to use Google and Shodan to directly access individual financial accounts, account balances, participant profiles, lists of names, addresses, email addresses and phone numbers of authorized account users.

“If you needed to add someone, you could just fill out a form and email it,” he says.

Now that the cat is out of the bag, you can bet the attention of organized cyber gangs has been directed to this low-hanging fruit. Companies using misconfigured Oracle servers that are slow to address this exposure are at risk of paying a high price. The two Ivy League schools Seely found to be exposed have not yet fixed the problem, he says.

More on Identity Theft:

Image: iStock

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team