Monday, December 1, 2008

Fraud Flash for the week of December 1, 2008

Dec. 1, 2008
'Perfect storm' Conditions line up for identity theft
From 8.5 million to 11 million U.S. consumers become victims of identity theft each year, depending on the estimate you use, said Levin, the former director of the New Jersey Division of Consumer Affairs.

Phishing Attacks Set New Records During September-October 2008
A researcher at internet security company, Cyveillance, claims that in the past 60 days (September-October), phishing attacks have set new records in terms of frequency and volume, as reported by darkreading on November 17, 2008.

iDefense - Phishing E-mails Become More Sophisticated & Stealthier
According to the statistics given by the company, a new piece of malware is ready to be installed on a system every six seconds. Once installed, it is extremely difficult to detect, which in turn paves the way for spear-phishing attacks.

OSU’s Students & Staff Targeted by Phishers
The spoofed e-mail asked the recipients to log on to a fake website to catch up on current news and information about OSU, and directed users to a copy of the university's webmail page. As soon as they logged on, the victims were redirected to the Ohio State Newark web page. The fake page is used to harvest visitors' usernames and passwords, which can then be sold to criminals.

Wednesday, November 19, 2008

Variations on a Theme: SOA Security Best Practices

Since presenting at OOW, I've had a few follow-up discussions - inside and outside of Oracle - about the architecture I presented there. I think the main point I wanted to convey was that there is no one-size-fits-all for SOA Security - or any security for that matter. That having been said, I would like to comment on two variations which have been suggested.

1 - Instead of using OWSM to protect an end-point could I use OSB?

OWSM (Oracle Web Services Manager) and OSB (Oracle Service Bus) are complementary technologies. This is not exclusively an either/or situation. For example, for public facing web services, using OWSM to protect the perimeter makes sense. This is the SOA equivalent of using Web SSO (like Oracle Access Manager) to ensure only authenticated traffic accesses the network. Assuming that the services are hosted in OSB, and accessible from inside of the network, it makes sense to have some security on these services as well. In OSB, different proxy services can have different security policies even though they point to the same business service.

So in summary, I could have used OSB instead of OWSM+WLS in my OOW demo. I could have also used both. The scenario was an employee intranet calling out to an out-sourced HR provider. That HR service, publicly exposed on the internet, makes sense for the OWSM+OSB architecture described above.

2 - Instead of using SAML to pass identity from application to application, could I use my Web SSO token?

In the demo, I used the Credential Mapping capabilities of WLS to generate a SAML assertion, but what if you're running on a container/Web Services client stack that doesn't have that feature? Is there any issue with just passing the SSO cookie in the HTTP header or as part of WS-Security using BinaryToken profile?

There are two separate issues here - the first is the quality of the token (Web SSO vs SAML) and the second is message level security.

Both SAML and Web SSO cookies have some ability to prevent being re-used in unauthorized ways - IP address checking or audience restrictions - and have some notion of timeout - session timeout or validity periods. I think one issue when choosing SAML vs. Web SSO is the duration of the transaction. For example, in the demo, let's assume that the large raise service required approval. In this case, by the time the transaction is approved, it's quite likely that the Web SSO ticket has expired. A SAML assertion generated for the specific purposes of the transaction could have a longer validity period - weeks. Regulations like PCI require sessions to timeout in 15 minutes.

Regardless of the token, to ensure that the credentials are not mis-used, digitally signing the message essentially "staples" the credential to the message. Taking the credential and adding it to a different message will not work. This ensures that the token - SAML or otherwise - is used appropriately. This and other techniques are covered in some detail in the WS-Security SAML Token Profile.

So, in both of the two variations, the answer is "it depends". I wish it was more straight-forward, and I had some universal best practices. I'm happy to share my thoughts on this blog or elsewhere - preferably some place warm :)
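The two points above - a token that carries an audience restriction and a validity period, and a signature that "staples" that token to one specific message - can be shown end to end in a few lines. The following is an added example, not code from the original post or from any Oracle product: an HMAC over the canonical token+body stands in for the XML-Signature a WS-Security stack would compute (an assumption made to keep the example dependency-free), and the token fields, key, service names and timestamps are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import time

# Constructed shared key standing in for the signing key of a WS-Security
# signature. An HMAC plays the role of XML-Signature here (assumption).
SIGNING_KEY = b"demo-signing-key-not-for-production"


def issue_token(subject, audience, validity_seconds, now=None):
    """Build a SAML-like assertion: subject, audience restriction, validity window."""
    now = time.time() if now is None else now
    return {
        "subject": subject,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + validity_seconds,
    }


def canonical(obj):
    # Deterministic serialisation so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_message(token, body, key=SIGNING_KEY):
    """Sign token and body together: the signature binds the token to this body only."""
    mac = hmac.new(key, canonical({"token": token, "body": body}), hashlib.sha256)
    return {"token": token, "body": body, "signature": mac.hexdigest()}


def verify_message(msg, expected_audience, now=None, key=SIGNING_KEY):
    """Return (ok, reason). Checks signature first, then audience and validity period."""
    now = time.time() if now is None else now
    mac = hmac.new(key, canonical({"token": msg["token"], "body": msg["body"]}), hashlib.sha256)
    if not hmac.compare_digest(mac.hexdigest(), msg["signature"]):
        return False, "signature does not cover this token+body pair"
    tok = msg["token"]
    if tok["audience"] != expected_audience:
        return False, "audience restriction failed"
    if not (tok["not_before"] <= now < tok["not_on_or_after"]):
        return False, "token outside validity period"
    return True, "ok"


def demo():
    """Constructed scenario: a two-week token for the raise approval workflow."""
    t0 = 1_000_000.0
    token = issue_token("josh", "hr-service", validity_seconds=14 * 24 * 3600, now=t0)
    approved = sign_message(token, {"op": "raise", "employee": "josh", "amount": 500})
    five_days = t0 + 5 * 24 * 3600
    results = {"approved": verify_message(approved, "hr-service", now=five_days)}
    # The same token lifted into a different body, signature copied across:
    # without the key the signature cannot be recomputed, so the binding fails.
    moved = {"token": token,
             "body": {"op": "raise", "employee": "mallory", "amount": 50000},
             "signature": approved["signature"]}
    results["moved_token"] = verify_message(moved, "hr-service", now=five_days)
    # Valid signature, but presented to a service the assertion was not issued for
    results["wrong_audience"] = verify_message(approved, "payroll-service", now=five_days)
    # Valid signature, but the approval arrives after the validity window closed
    results["expired"] = verify_message(approved, "hr-service", now=t0 + 15 * 24 * 3600)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15} {'accepted' if ok else 'rejected'}: {reason}")
```

The order of the checks matters: the signature is verified before any field of the token is trusted, so an audience or expiry value altered in transit is never consulted.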

Monday, November 17, 2008

Fraud Flash for the week of November 17, 2008

Oct. 24, 2008
'Phishing' fraud e-mails hit Huskymail accounts
Over the last couple of months, an e-mail fraud attempt known as phishing has hit the university's e-mail server, putting thousands of students at risk, according to a report released earlier this week on the university's information and technology security Web site.

Nov. 17, 2008
Celent Tackles Insider Fraud
Insider fraud accounts for 60 percent of bank fraud cases where a data breach or theft of funds has occurred, yet in the last three years, just nine percent of financial services data breaches were a result of insider fraud.

ID Thieves Are Targeting Home Equity Lines
The FBI says HELOC thieves typically use stolen identification to apply online for a line of credit in your name. Then they instruct the bank to wire the funds to their accounts, providing their own contact information in place of yours.

Monday, October 20, 2008

Oracle Adaptive Access Manager (10gR3)

Oracle Adaptive Access Manager provides real time and offline context aware risk assessment, multi-factor authentication and authentication process hardening for enterprise and consumer web applications. Adaptive Access Manager makes it safer for all types of businesses to expose sensitive data, transactions and business processes to consumers, remote employees and partners.

I'm pleased to announce the release of OAAM 10gR3. This release contains a lot of exciting new enhancements that the market has been asking for. Increased effectiveness, ease of use, and adaptability were the main themes of this release. The major areas of enhancement are globalization, behavior profiling, investigation tools, dashboard, reporting, proxy support, configurable actions and the administration interfaces.

1. OAAM 10gR3 has been localized for the standard set of languages supported by Oracle products. Specifically, Adaptive Risk Manager supports the nine standard administration languages and Adaptive Strong Authenticator supports the twenty-six standard runtime languages.
2. Behavior profiling uses administrator defined patterns to profile the behavior/activity of entities such as users, devices, IPs, shipping addresses, credit cards, email addresses, etc. The rules engine uses the profile data to evaluate the risk level of a situation based on comparisons of "normal" activity for the individual entity and all entities of the same type.
3. The new agent cases make forensic investigations quicker, easier and more successful. Events can be configured to create a case automatically. An investigator can quickly view the data involved in an incident and quickly locate related situations by easily harnessing the complex data relationships captured by OAAM.
4. The dashboard has expanded performance statistics and summary data as well as enhanced trend graphing capabilities.
5. A limited license of Business Intelligence Publisher is now included with OAAM so reporting can be fully customized to meet customer requirements. A collection of out of the box templates are provided that can be used as is or altered.
6. An Apache version of the "Universal Installation Option" reverse proxy is now supported to provide an alternative to the MS ISA proxy.
7. New configurable actions allow for customizations and integrations previously not possible. Custom code can be called directly by the ARM rules engine. This capability opens the door to almost unlimited possibilities.
8. The enhanced administration interfaces allow access to functionality previously available only to developers programmatically. The rule template editor allows a non-developer to create, edit and delete rule templates completely in the GUI. The transaction configuration screens allow the definition of a transaction and its constituent data elements. Various environment configurations, such as logging, properties and enumerations, are now exposed in the UI as well.
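Item 2 above describes the mechanism in one sentence: administrator-defined patterns build a profile per entity, and the rules engine scores a new situation against that entity's own "normal" and against all entities of the same type. The block below is an added illustration of that idea and is not OAAM code or its rule language; the login history, the attribute set (device, country, hour bucket), the rule weights, the rarity threshold and the score-to-action thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed login history: (user, device_id, country, hour_of_day)
HISTORY = [
    ("alice", "dev-a1", "US", 9), ("alice", "dev-a1", "US", 10),
    ("alice", "dev-a1", "US", 8), ("alice", "dev-a2", "US", 14),
    ("bob", "dev-b1", "US", 9), ("bob", "dev-b1", "US", 17),
    ("bob", "dev-b1", "CA", 11),
    ("carol", "dev-c1", "DE", 9), ("carol", "dev-c1", "DE", 10),
]

ATTRIBUTES = ("device", "country", "hour_bucket")


def hour_bucket(hour):
    return "business" if 7 <= hour < 19 else "off-hours"


def event_attrs(device, country, hour):
    return {"device": device, "country": country, "hour_bucket": hour_bucket(hour)}


def build_profiles(history):
    """Per-entity profile (what each user normally does) plus a population baseline."""
    per_user = defaultdict(lambda: {a: Counter() for a in ATTRIBUTES})
    population = {a: Counter() for a in ATTRIBUTES}
    for user, device, country, hour in history:
        for attr, value in event_attrs(device, country, hour).items():
            per_user[user][attr][value] += 1
            population[attr][value] += 1
    return per_user, population


# Administrator-defined patterns (constructed weights): a rule fires when a value
# is new for this entity, and adds more when it is also rare across all entities.
RULES = {
    "device": {"new_for_user": 40, "rare_in_population": 10},
    "country": {"new_for_user": 30, "rare_in_population": 20},
    "hour_bucket": {"new_for_user": 10, "rare_in_population": 0},
}
RARE_FRACTION = 0.15  # below this share of all events a value counts as rare


def score_event(user, device, country, hour, per_user, population):
    """Return (risk score 0-100, list of rules that fired) for one login attempt."""
    score, fired = 0, []
    for attr, value in event_attrs(device, country, hour).items():
        if per_user[user][attr][value] == 0:  # never seen for this entity
            score += RULES[attr]["new_for_user"]
            fired.append(f"{attr}:new_for_user")
            total = sum(population[attr].values())
            if total == 0 or population[attr][value] / total < RARE_FRACTION:
                score += RULES[attr]["rare_in_population"]
                fired.append(f"{attr}:rare_in_population")
    return min(score, 100), fired


def action_for(score):
    """Map the score to an outcome; thresholds are constructed for the example."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "challenge"
    return "allow"


if __name__ == "__main__":
    per_user, population = build_profiles(HISTORY)
    for evt in [("alice", "dev-a1", "US", 9), ("alice", "dev-x9", "RU", 3),
                ("carol", "dev-c1", "US", 9)]:
        score, fired = score_event(*evt, per_user, population)
        print(evt, score, action_for(score), fired)
```

The point of the population baseline shows in the carol case: a country she has never used scores as "new for user" but not as "rare in population", because most of the population logs in from there, so the outcome is a challenge rather than a block.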

You can learn more about OAAM here

You can download OAAM here

Thursday, October 2, 2008

Fraud Flash for the week of September 29, 2008

Sept. 30, 2008
Identity theft victim wins right to sue county clerk over posting of personal data
An Ohio woman whose identity was allegedly stolen after an image of a speeding ticket containing her personal information was posted on a county government Web site can sue the county official responsible for putting such records online, a state appeals court in Cincinnati ruled last week.

Oct. 1, 2008
Online fraud rises by 185 per cent
The amount of money lost to internet fraudsters specifically targeting banking customers rose by an alarming 185 per cent in the first six months of 2008 because of an increase in phishing attacks and spyware scams, according to Apacs, the payment industry association.

Online fraud nearly doubles in just 12 months!
If ever there was a sign that we are in real trouble with worldwide economies it is the massive growth in online fraud as more and more people throw their common sense out of the window and chase an array of free money, gifts and other such prizes.

Oct. 2, 2008
New phishing attempt targets bank customers
Many people are wondering what to do now that their bank has been acquired in the wake of the lending crisis. Well, whatever you do, don't click on links in e-mails purportedly sent by your bank.
Security firm SonicWall said Thursday that it has been seeing e-mails that attempt to lure people to fake bank Web sites, where they are asked to re-verify their personal and bank information as part of a merger.

Phishing scams cash in on bank crisis
Businesses need to be on the lookout for phishing scams trying to cash in on the current economic crisis gripping the US. According to JP Morgan, customers using its Chase services have been receiving spam emails from fraudsters trying to commit identity theft and fraud by coaxing users into giving them account information.

Thursday, September 25, 2008

SOA Security - ADT or Crocodile Filled Moat?

I'm sitting here in the middle of the Moscone Center as OpenWorld 2008 comes to an end. It's been a long week, but I wanted to take some time to capture some thoughts on my first OpenWorld presentation.

This morning, Eric Leach and I presented to an enthusiastic group on securing WebLogic applications with Oracle Access Management. As the "technical guy", I put together a demo of Oracle Access Manager, WebLogic Server, Oracle Entitlements Server and Oracle Web Services Manager all working together in a "best practice" architecture.

The demo covered a fairly common scenario: end-to-end security in a SOA. For example, the customer already has an investment in OAM, and they need to extend those security capabilities down to the rest of the architecture - applications, services and data.

In the past, I think that the temptation would be to use OAM. Prior to the emergence of the entitlements market, WAM was the only COTS solution for externalizing authorization. WAM products are most successfully deployed when focused on the problem of web SSO. Authorization and the centralized management of security policy is better handled by Oracle Entitlements Server - OES.

I used OES to provide authorization for JEE resources, JSP pages, and Web Services. Both OES and OAM used a common directory - Oracle Internet Directory - as a system of record for users, user attributes and group memberships. This information fed the policies enforced by OES.

In order for these policies to be enforced correctly, the various enforcement points need the correct user identity. Propagating identity across an SOA is not a simple problem. In the course of the demo, I actually had to use multiple mechanisms. The identity from OAM to WLS is passed via the OAM session cookie. WLS then generates a SAML assertion and passes it in the WS-Security envelope to OWSM. OWSM, when making the very fine grained access control checks against OES, uses a simple USERID_TOKEN (username). In theory, I could have used SAML for all of these interactions, but in many cases full-on SAML is too much.

Like most everything in security, there is no "correct" answer - no perfect solution. The solution that I demonstrated using OAM, WLS, OES and OWSM is an attempt at a reasonable 80% case - something which most customers could use as a jumping off point for defining their own solution.
I think a good analogy in information security to "How much security is enough security?" is "What alarm system should I buy for my house?". I like to think of the solution I outlined in the OOW session as the "ADT Starter Package" of solutions - pretty good for most single family residences. Most houses don't need a moat or guard dogs, but a military base needs more than a "Keep Out" sign - you get my point :)

Thanks again to everyone who attended the session and for all of the questions. I gave out quite a few business cards, so I hope to hear from all of you. For those who didn't attend, once I get home, I'll add the relevant links from the session, and hope to drive some discussion around the solution.

Wednesday, September 24, 2008

Oracle Entitlements Server Now Available

I'm glad to announce that we have released Oracle Entitlements Server (OES) this week. OES came to Oracle via the BEA acquisition (where it was called AquaLogic Enterprise Security).

OES is a fine grained entitlements management product that allows you to establish policies for how users can interact with and access things inside your applications and services. We call it "fine grained" entitlements because OES can protect anything inside an application: user interface elements, server-side transactions, database columns and rows, even "business" things like reports and accounts.

OES (or 10gR3 for short) is the result of several years of refining this product based upon tons of customer feedback. This release (aside from now having a new name and Oracle logo) has a couple of stand-out features:

1. Support for large policy sets and easy Delegated Administration. In OES we can now separate massive policy stores across multiple organizations and applications. Many OES (ALES) customers are setting up enterprise-wide authorization service layers and need a central place to manage policies for multiple LOB applications without everything in the same namespace. OES now has this ability to partition policies according to use and placement in the organization.

2. SharePoint protection. OES now ships a Policy Enforcement Point (PEP) that plugs into a MOSS 2007 environment to perform fine grained entitlements for web pages, web parts, lists, documents and other SharePoint "stuff".

3. Policy Simulation. The OES administration console now has a powerful simulation tool that lets a policy admin try out various scenarios and test policies without having to write an actual application to use them.

You can try out OES by downloading it from OTN here.

Also there is more information on OES here.

Thursday, September 11, 2008

Fraud Flash for the week of September 8, 2008

Aug. 30, 2008
National Technical Institute for the Deaf Rochester Institute of Technology
A recently stolen laptop contained the names, birth dates and Social Security numbers of about 12,700 applicants to the National Technical Institute for the Deaf and another 1,100 people at Rochester Institute of Technology. The laptop belonged to an employee and was stolen on Monday from an office at NTID. People at RIT, who are not affiliated with NTID, are affected because their personal information was being used as part of a control group in an internal study.

Southwest Medical Association
Thousands of medical charts, all listed to Southwest Medical Association, became the property of a man who bought the contents of a storage unit for just $25 dollars in an auction.

Sept. 3, 2008
Oakland School District
Thieves broke into the Oakland school district’s human resources offices and stole up to 12 computers containing the personal information of an estimated 100 new hires.

Sept. 4, 2008
Ecumenical Ministries of Oregon
A computer containing information for at least 350 HIV patients was stolen from the Ecumenical Ministries of Oregon’s HIV Day Center.

Erie County Health Facility
The Erie County Executive’s office issued a statement about a laptop computer stolen from a county health facility.

Sept. 5, 2008
East Burke High School
For the past five years, East Burke High School's website exposed files containing personal information including names, Social Security numbers, addresses, phone numbers, job titles, email addresses and unlisted phone numbers of teachers, bus drivers, custodians and other staff members on the Internet.

Newly reported incidents elsewhere:

In Japan:

Sept. 5, 2008
The personal data of as many as 18,000 customers have been compromised after the server of Tokyo-based pet supply firm Hotta was accessed by a hacker in China.
About 3,000 cases of identity theft have been found among users of Yahoo Japan Corp.‘s online auction site. The total number of confirmed and suspected ID theft cases targeting the nation’s largest Internet auction site has reached about 10,000.

In Korea:

Sept. 6, 2008
GS Caltex
Two multimedia discs containing the personal information of 11.1 million customers of GS Caltex, one of Korea's largest oil refineries, were reportedly found on the street, but it now appears to have been an insider job and the story just a cover-up.

In the U.K.:

Sept. 2, 2008
The Aberdeen Press
Scottish newspaper The Aberdeen Press inadvertently made it easy to harvest sensitive information about registered users from its site as a result of a basic information security mistake.

Sept. 5, 2008
A memory stick containing information about the STI tests of 146 people has gone missing from the Chelsea and Westminster Hospital

Sept. 6, 2008
Ministry of Justice
A disk containing the personal details of 5,000 prison staff was lost by EDS last year, but the prison service wasn’t notified until this July.

Sept. 7, 2008
Royal Bank of Scotland
A laptop containing the personal details of 100 bank customers was stolen from a Welsh branch of Royal Bank of Scotland in May, but customers had not been informed of the theft because the details held on the laptop were encrypted.

In Canada:

Sept. 6, 2008
Direct Cash Management Inc
Ehud Tenenbaum, an Israeli hacker who broke into U.S. Department of Defense computers as a teenager, is the alleged mastermind of a $1.8-million theft from Direct Cash Management Inc. in Calgary.


Sept. 5, 2008
UAE Credit Network
An international investigation is under way to find hackers believed to have stolen information from financial servers in the UAE to make fraudulent credit and debit card purchases in the US.

Thursday, September 4, 2008

Fraud Flash for the week of September 1, 2008

Aug. 22, 2008
Liberty McDonald's Restaurant
An employee at a Liberty McDonald's restaurant took credit or debit cards from drive-through customers and used a device she had hidden near the window to swipe the cards and record their numbers. The information on the device was then downloaded and used to make new cards, either in the names of the persons to whom the original cards belonged or in the names of the perpetrators.

Aug. 26, 2008
Pennsylvania Department of Public Welfare
Paper jams in a state Department of General Services mail inserter caused benefit renewal packets to go to the wrong Pennsylvania welfare clients' homes. Nearly half of them included the intended recipients' Social Security numbers.

Prince William County Public Schools
Personal information of some students, employees and volunteers was accidentally posted online by a Prince William County Public Schools employee. Information for more than 2,600 people was exposed through a file-sharing program by an employee working from home on a personal computer. Names, addresses and student identification numbers of more than 1,600 students were exposed. Names and social security numbers of 65 employees were exposed. Other confidential information for about 250 employees was exposed. And the names, addresses and e-mail addresses of more than 700 volunteers were exposed.

Aug. 27, 2008
Kansas State University
An instructor for classes offered through the Division of Continuing Education, taught through the UFM Community Learning Center, reported an overnight theft of numerous items from a car, which was parked outside a Manhattan residence. Items taken included a backpack with a list of names and Social Security numbers of 86 K-State students who had taken that instructor’s classes from fall 2007 through summer 2008.

Aug. 28, 2008
The Washington Trust Co.
The Washington Trust Co. has notified about 1,000 customers that their debit and credit card accounts might have been compromised in a suspected security breach at an unidentified MasterCard merchant. The company is investigating a suspected security breach of a U.S. e-commerce-based merchant's Web server which contained debit card data.

Reynoldsburg Ohio City School District
Reynoldsburg school officials were phasing out the use of Social Security numbers in the district's student database when someone stole a laptop containing that information. The district laptop, taken from a computer technician's car, also included names, addresses and phone numbers for two-thirds of the district's enrollment.

Aug. 29, 2008
Ohio Credit Union
A large number of Ohioans have been receiving e-mails telling them that services from the Ohio Credit Union were withdrawn, followed by a telephone number to contact. The Ohio Credit Union League is entreating people receiving these e-mails to not communicate at the given number, as it is a phishing fraud. Instead, the League is asking recipients to call their financial agency directly and report the messages so that authorities could be alerted as well as their accounts be kept on hold, if necessary, as reported by nbc4i on August 21, 2008.

Aug. 30, 2008
Ohio Police & Fire Pension System
A former mailroom supervisor at the Ohio Police & Fire Pension System forwarded the names, addresses and Social Security numbers from his work e-mail address to his personal e-mail address before quitting his job. The file contains information for 13,000 of the approximately 24,000 retired members of the Ohio Police & Fire Pension System, most of whom are former police officers.

Sept. 02, 2008
Montana Credit Union Network
Many Montanans have been receiving calls purportedly "alerting" them to the fact that their debit or credit card has been deactivated or suspended, followed by a phone number to call. The Montana Credit Union Network is urging recipients to NOT call this number; this is a phishing scam. Phishing is a fraudulent attempt to try to access sensitive information by appearing as a trusted source. In this case, the message appears to be sent by a credit union or financial institution asking the recipient to contact them. Once the call is placed, an automatic message prompts the caller to enter their credit or debit card information.

Thursday, August 28, 2008

Data Security and XACML

XACML is the key standard for fine-grained access control. I'm a big fan of the request/response model and how everything is normalized down to attributes. I also think that the XACML interaction model (PDP/PEP/PIP/PAP) has been very useful in discussing authorization architecture with customers. Good stuff!

One issue that I have with XACML is that there is no obvious way to address the most common customer authorization problem - data security. Most of the customers that I've met with over the past three years who were in the market for a fine-grained entitlements solution, were looking to address this issue. Basically, they had a large number of resources - customers, accounts, deals, documents etc. and they wanted to externalize the authorization.

XACML answers "Can this user perform this action on this resource?". Customers want to know "What resources can a user perform this action on?".

Why externalize to something like XACML in the first place? Don't the systems of record of these objects have access control? Of course they do, but there are a number of reasons why customers aren't using the OOTB authorization.
  • Granularity - RBAC models are not fine grained enough to meet the business requirements
  • Heterogeneity - In many cases there isn't a single SOR for the data. The data is virtualized so externalization is essential to consistency.
  • System Accounts - Many of the access control models are tied to the user accessing the data source. In many cases, an application uses a single system account, so the OOTB authorization would be tied to that user. This means you can define the behavior per application, not per user (I guess this is a variation of granularity).
For resource counts which are relatively small, the PEP can simply call the PDP N times. This works if the PEP knows the list of possible resources ahead of time (i.e. menu items or some list of accounts from another SOR) and that number is small - 10s or 100s or 1000s could be OK depending on the performance of the PDP - OES can do 1000s of authorizations at sub-millisecond latency. But there are definitely cases where the number of resources is in the millions or 10s of millions, and this approach will not work.

Oracle VPD (Virtual Private Database) and the RLS (Row Level Security) package use an approach which I think can serve as a model for solving these types of use cases. Essentially, when configured, RLS returns a WHERE clause which the database then applies to the query.

Generically, the model is as follows:

  1. Data Access Object (DAO) receives request (getCustomers for Josh)
  2. DAO PEP intercepts the request and calls the PDP (can Josh getCustomers?)
  3. PDP evaluates policies and returns response ( Yes, but only in dept 1234)
  4. DAO PEP enforces the decision by modifying the search criteria (getCustomers WHERE dept=1234)
  5. Query is processed by SOR and result is returned
The "only in dept 1234" seems to fit very nicely into XACML Obligations. There are some challenges in how to combine obligations - is the behavior AND or OR? I'm not saying that this is a perfect solution - only the best use of what's available today.

Conceptually, the authorization system is returning a list of filters (attribute-operator-value) and delegating the responsibility of applying those filters to the data source. The PEP can then translate the filters into an appropriate language specific (SQL, LDAP, XPath, XQuery) expression.

Do you think this approach can work with XACML as is or is there a need for XACML to do something different?
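To make the five-step model and the filter idea concrete, here is an added example (not OES, VPD or any XACML implementation, and not code from the original post): a toy PDP answers "can this subject getCustomers?" with a decision plus a list of (attribute, operator, value) filter obligations, and a DAO PEP enforces the decision by turning those filters into a parameterised SQL WHERE clause (and, for contrast, an LDAP search filter) before the query reaches the system of record. The policies, subjects, the customers table and the AND-combination of obligations are all constructed assumptions; the post itself leaves AND-vs-OR open.

```python
import sqlite3

# Operators the PEP knows how to translate; anything else is rejected rather than
# passed through, so a malformed obligation can never widen the query.
SQL_OPS = {"=": "=", "!=": "<>", "<": "<", ">": ">", "in": "IN"}
CUSTOMER_COLUMNS = {"name", "dept", "region", "status"}


def pdp_evaluate(subject, action):
    """Toy PDP: Permit/Deny plus filter obligations derived from subject attributes."""
    if action != "getCustomers":
        return {"decision": "Deny", "obligations": []}
    role = subject.get("role")
    if role == "admin":
        return {"decision": "Permit", "obligations": []}
    if role == "rep":  # "yes, but only in your department"
        return {"decision": "Permit", "obligations": [("dept", "=", subject["dept"])]}
    if role == "manager":  # two obligations, combined with AND by this PEP
        return {"decision": "Permit",
                "obligations": [("region", "=", subject["region"]),
                                ("status", "!=", "archived")]}
    return {"decision": "Deny", "obligations": []}


def filters_to_sql(obligations):
    """Render filters as a WHERE clause; values are bound parameters, never interpolated."""
    clauses, params = [], []
    for attr, op, value in obligations:
        if attr not in CUSTOMER_COLUMNS or op not in SQL_OPS:
            raise ValueError(f"unsupported filter {attr} {op}")
        if op == "in":
            clauses.append(f"{attr} IN ({','.join('?' * len(value))})")
            params.extend(value)
        else:
            clauses.append(f"{attr} {SQL_OPS[op]} ?")
            params.append(value)
    where = " WHERE " + " AND ".join(clauses) if clauses else ""
    return where, params


def filters_to_ldap(obligations):
    """The same filters as an RFC 4515 search filter, for a directory-backed SOR."""
    parts = []
    for attr, op, value in obligations:
        if op == "=":
            parts.append(f"({attr}={value})")
        elif op == "!=":
            parts.append(f"(!({attr}={value}))")
        elif op == "in":
            parts.append("(|" + "".join(f"({attr}={v})" for v in value) + ")")
        else:
            raise ValueError(f"LDAP has no operator for {op}")
    if not parts:
        return ""
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def get_customers(conn, subject):
    """DAO PEP: intercept the request, ask the PDP, narrow the query, run it."""
    resp = pdp_evaluate(subject, "getCustomers")
    if resp["decision"] != "Permit":
        return []
    where, params = filters_to_sql(resp["obligations"])
    sql = "SELECT name FROM customers" + where + " ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]


def sample_db():
    """Constructed customers table standing in for the system of record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, dept INTEGER, region TEXT, status TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        ("Acme", 1234, "EMEA", "active"),
        ("Bolt", 1234, "APAC", "archived"),
        ("Cordy", 5678, "EMEA", "active"),
        ("Dune", 5678, "EMEA", "archived"),
    ])
    return conn


if __name__ == "__main__":
    db = sample_db()
    josh = {"id": "josh", "role": "rep", "dept": 1234}
    print("josh   :", get_customers(db, josh))
    print("manager:", get_customers(db, {"id": "meg", "role": "manager", "region": "EMEA"}))
    print("ldap   :", filters_to_ldap(pdp_evaluate({"role": "manager", "region": "EMEA"},
                                                   "getCustomers")["obligations"]))
```

Two details are worth keeping when adapting this: the PEP validates attribute names against a known column set and binds values as parameters, because an obligation is data from another system and should not be trusted to build SQL by string concatenation; and a Deny yields an empty result rather than an unfiltered query, so a failure in the authorization path fails closed.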

Monday, August 25, 2008

Fraud Flash for the week of August 25, 2008

Aug. 18, 2008
Dominion Enterprises
A computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008. The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and social security numbers of 92,095 applicants who submitted credit applications to IFMG's family of special finance Web sites.

The Ministry of Justice (MoJ) Department for Work and Pensions (DWP)
Resource accounts for two departments revealed around 62,000 people were affected by breaches. In its biggest data breach, the MoJ reported that discs containing 27,000 supplier records, including supplier name, address and in some cases bank details, were stolen. Data losses reported by the MoJ included a laptop that contained data on 14,000 fine defaulters. The data included names, dates of birth, address, offence and, in a fifth of cases, national insurance numbers. The laptop was stolen within secured government premises and described as inadequately protected. MoJ also reported a loss of paper documents that involved data on 3,648 people including their alleged offences. The DWP's resource accounts said its biggest breach was the retention of two discs by a contractor. The discs contained the data of 9,000 people and forced the department to notify law enforcement. The department also suffered two other incidents: one in July 2007 that potentially affected 7,800 people, and one in January when papers with data on 45 people were lost.

Keller High School
Keller families received a mailing from Keller High School last week. Upon opening it, they found two enrollment forms. One was an emergency-care authorization form. But the other was a student information form containing another classmate's social security number, student ID number, home address, phone number and contact information for his parents at home and at work. They quickly realized that their child's private information, which they used to set up their college fund and other accounts, was mailed to someone else.

The Princeton Review
The test-preparatory firm accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site. One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fla. Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va.

Aug. 19, 2008
Kingston Tax Service
Office computers were stolen from the business. On each of the computers is information which can be used by identity thieves including credit card information and Social Security numbers.

Monday, August 18, 2008

Fraud Flash for the week of August 18, 2008

Aug. 12, 2008
Wells Fargo
Wells Fargo is notifying customers that hackers have accessed their confidential personal data by illegally using its access codes. Personal information including names, addresses, dates of birth, Social Security numbers, driver's license numbers and in some cases, credit account information was accessed by "unauthorized persons".

Child Protective Services
Hundreds of private, personal records were discarded with the trash, including records detailing medical histories of clients with diseases and drug addictions. Documents showing sexual abuse and information that could be used for identity theft, such as Social Security numbers, were also found in the trash.

Aug. 13, 2008
Charter Communications
Computers were stolen from the company’s Greenville offices and contained records of more than 9,000 Charter employees nationwide. The information included Social Security numbers, dates of birth and driver's license numbers.

Aug. 14, 2008
Wuesthoff Medical Center
Hundreds of people in Brevard County found out their personal information was stolen. Names, Social Security numbers and even personal medical information were posted on the Internet.

Apple Inc and MobileMe Online
A recent phishing scam targeting users of Apple Inc.'s .Mac and MobileMe online services has successfully duped hundreds into divulging credit card and other personal information, a security company said today. The phishing campaign scammed between 100 and 200 people with addresses in just one day. An e-mail purporting to be from Apple Inc. alerting users to a billing problem is, in fact, a phishing scam that's targeting users of Apple's online service, according to an e-mail forwarded from a Macworld reader.

Aug. 17, 2008
Bank of Lancaster County (acquired by PNC Bank)
Bank of Lancaster County, which has been acquired by PNC Bank, has been the most frequent target, but it's not alone. Last month Susquehanna Bank warned of fraudulent e-mails trying to trick customers into divulging account information; some Susquehanna customers even received text messages from scam artists.

Friday, August 15, 2008

Where have all the PEP's gone?

I've been having a lot of conversations with customers lately around integrating security services - mostly authentication and authorization - into their enterprise. They've been asking basically the same question - "Where are the Policy Enforcement Points (PEP)?"

First of all, I think this is more than a simple product road map question. For the record - Oracle Access Manager (OAM) supports a large number of Web Server/Operating System platforms. Oracle Entitlements Server (OES) has a Security Module (SM) for a number of Web Servers, WLS + layered products, IBM WebSphere, Oracle VPD support and even Microsoft SharePoint.

Product Management can correct me, but this seems like a pretty good list. So what is the issue?

I think the issue is that many of the customers that I talk to are using a number of application frameworks to build their applications (Struts, JSF, Spring, Hibernate, ADF etc). This means that they want an application framework specific PEP and not a generic Java, JACC, JEE or even Application Server specific PEP. Even though these frameworks are built on these standards, implementing a policy enforcement point at those levels means that the access control policies are going to be based on resources like Java Permissions, Java Servlets or Enterprise JavaBeans. If the goal is to author access control policies which are closely aligned to the business, then securing these lower level resources, especially in the context of an application framework, is practically a non-starter.

So, why not just create PEPs for these application frameworks?

Easier said than done! Not every application framework has a tidy way of wedging an external PEP into the request flow, or reusing the application framework's PEP to call out to a 3rd party PDP. In most cases, externalizing authentication is pretty straight forward, but if you want 3rd party authorization, especially around framework specific objects (Struts Action, JSF UIComponent etc), it will get messy!

Oracle's Application Developer Framework (ADF) and Spring with SpringSecurity (ACEGI) both have the ability to externalize authorization built in, though ADF is based on standard Java security and ACEGI isn't.

In other cases, where there's a will, there's a way. I've pulled together a catalog of some approaches for integrating into various containers. Take a look. I've used these types of approaches in the field to integrate various PDPs.

So, what do you think?

- Is dependency injection (aspect oriented) a reasonable way to add this type of fine grained authorization?
- For Struts, is creating a custom RequestProcessor a workable solution? It would allow for authorization at the Struts Action level.
- Is there something short of a custom Render Kit which would meet the requirements for JSF?
- Is a generic approach like JSP tag libraries best?
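To make the Struts question concrete, here is an added example (written for this post, not Oracle's or Struts' own code) of a custom Struts 1.x RequestProcessor that overrides processRoles so the Struts Action path, rather than a servlet or EJB, is the resource the policy is written against. The PolicyDecisionPoint interface and its in-memory implementation are hypothetical stand-ins for the call-out to an external PDP such as OES, and the request's principal is assumed to be populated by whatever externalized authentication sits in front of the application.

```java
package example;

// Added example: a Struts 1.x PEP that externalizes Action-level authorization.
// PolicyDecisionPoint and InMemoryPdp are hypothetical stand-ins for the
// call-out to an external PDP (for example OES); they are not an Oracle API.
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/** Minimal decision interface; a real deployment would delegate to OES or another PDP. */
interface PolicyDecisionPoint {
    boolean isAllowed(String subject, String resource, String action);
}

/** Constructed in-memory policy: subject -> allowed "resource:action" pairs (illustration only). */
class InMemoryPdp implements PolicyDecisionPoint {
    private final Map<String, Set<String>> grants = new HashMap<String, Set<String>>();

    InMemoryPdp grant(String subject, String resource, String action) {
        Set<String> s = grants.get(subject);
        if (s == null) {
            s = new HashSet<String>();
            grants.put(subject, s);
        }
        s.add(resource + ":" + action);
        return this;
    }

    public boolean isAllowed(String subject, String resource, String action) {
        Set<String> s = grants.get(subject);
        return s != null && s.contains(resource + ":" + action);
    }
}

/**
 * Registered in struts-config.xml as
 *   <controller processorClass="example.ExternalAuthzRequestProcessor"/>
 * so every request passes through processRoles() after the ActionMapping is
 * resolved and before the Action executes.
 */
public class ExternalAuthzRequestProcessor extends RequestProcessor {

    // Policy keyed on the Struts Action path (e.g. "/transfer"), not on servlet or EJB names.
    // Constructed sample grants; a real PEP would fetch decisions from the external PDP.
    private final PolicyDecisionPoint pdp = new InMemoryPdp()
            .grant("alice", "/transfer", "POST")
            .grant("alice", "/viewAccount", "GET");

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        // Authentication is assumed to be externalized already (e.g. a Web SSO agent in
        // front of the container), so the authenticated principal is available here.
        String subject = request.getRemoteUser();
        if (subject == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;   // false stops the request before the Action runs
        }

        String resource = mapping.getPath();   // the business-level resource
        String action = request.getMethod();   // GET/POST as the operation

        if (!pdp.isAllowed(subject, resource, action)) {
            // Deny by default; a production PEP would also log the decision for audit.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }
}
```

Because processRoles runs after processMapping, the mapping's path and any form bean are already resolved, so the same hook can pass form fields to the PDP as policy attributes without touching individual Actions.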

Wednesday, August 13, 2008

How To: Setting up Oracle Access Manager for Multiple Authentication Types

David Abramowicz, a Senior Sales Consultant for Oracle in Sweden, put together a how to for setting up OAM with multiple authentication types while maintaining the originally requested URL.

Thanks David!


Frequently customers want their users to choose between multiple different authentication types, but still be redirected back to the originally requested URL after authentication. This requires setting up an authentication scheme that brokers between the authentication mechanisms, plus some redirect manipulation, as described in this document.

Basically, a forms-based authentication scheme is set up whose form is a list of URLs, each protected with a different authentication mechanism. After a user selects one of the URLs, that particular authentication is executed. The user is then redirected back to the originally requested URL.

In order to set this up, you need to execute the following steps:
  • Set up new authentication mechanism: “Authentication Selection”
  • Set up redirection script on action URL of “Authentication Selection”
  • Make a list of Authentication URLs for choosing “Authentication Selection”
  • Create a policy domain for Authentication URLs

End-User Flow

1. User accesses URL protected with “Authentication Selection”
2. User gets redirected to “Authentication Selection” form URL
3. User chooses between authentication mechanisms
4. User authenticates successfully
5. User gets redirected to action URL of “Authentication Selection”
6. User gets redirected to originally requested URL

Set up new authentication mechanism: “Authentication Selection”

  • Create a “Form” authentication mechanism, call it “Authentication Selection Level 1”
  • Make sure that the mechanism has passthrough:yes, to have access to originally requested URL

It is important to ensure that users can’t actually authenticate using this mechanism, as seen below in the credential_mapping:

Set up redirection script on action URL of “Authentication Selection”

On the action URL of “Authentication Selection”, redirect to originally requested URL by parsing the obFormLoginCookie:

<--code snippet for parsing obFormLoginCookie-->

<%@ page import="java.util.*" %>
<%
    // Get the redirect URL from ObFormLoginCookie, and redirect.
    // javax.servlet.http.Cookie is imported implicitly by the JSP container.
    Cookie[] cookies = request.getCookies();
    String cookieValue = null;
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            if (cookies[i].getName().equalsIgnoreCase("ObFormLoginCookie")) {
                cookieValue = cookies[i].getValue();
                break;
            }
        }
    }

    String relativeURL = null, host = null, redirectURL = null;

    if (cookieValue != null) {
        // The cookie value is whitespace separated: the relative URL is the part
        // after "=" in the second token, the host the part after "=" in the fourth.
        StringTokenizer tokenizer = new StringTokenizer(cookieValue);
        relativeURL = tokenizer.nextToken();
        relativeURL = tokenizer.nextToken();
        relativeURL = relativeURL.substring(relativeURL.indexOf("=") + 1);

        host = tokenizer.nextToken();
        host = tokenizer.nextToken();
        host = host.substring(host.indexOf("=") + 1);

        // Note: host and path come from a client-supplied cookie; in production, check
        // that host is one this deployment serves before redirecting to it.
        redirectURL = host + relativeURL;
        response.sendRedirect(redirectURL);
        return;
    }
%>

<--code snippet-->

Make a list of Authentication URLs for choosing “Authentication Selection”
  • Create a web page with a list of two or more authentication mechanisms.
  • Every list item should point to a web page that redirects to the action URL of “Authentication Selection”
  • Please make sure you don’t use the same action URL for “Authentication Selection” as for any of the real forms-based authentication mechanisms, as this could overwrite the obFormLoginCookie OAM uses for redirection

Create a policy domain for Authentication URLs

  • Create a policy domain that protects this list.
  • The authorization rule for all URLs in the list should be “Allow all”
  • For each authentication mechanism in the URL list, create a policy domain
  • The authentication rules need to be set up for each URL/policy, where every URL/policy is protected with the appropriate authentication mechanism

That's it! You should be all set to go. You can also set this up to work with multiple authentication levels.

Authentication Selection with Levels
  • Create another “Form” based authentication as above called “Authentication Selection Level 2”.
  • Point the form URL to a new list of authentication mechanisms, where all mechanisms match authentication level 2.
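The action URL step above redirects to whatever host and path it reads out of the cookie. As an added example (not part of David's how-to), here is the same positional parse factored into a plain Java helper that also refuses to redirect anywhere but an allow-listed host, which is the check a WebGate-fronted deployment would want before honouring the cookie. The key names in the constructed sample values ("k1" to "k4") are placeholders, since the parse, like the snippet above, depends only on token position, and the allow-listed host names are assumptions.

```java
// Added example (not from the how-to): parse ObFormLoginCookie by token position, as the
// how-to's JSP does, then allow the redirect only to a known host. Key names in the
// sample values are placeholders; the real names are whatever OAM writes into the cookie.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.StringTokenizer;

public final class ObFormLoginRedirect {

    /** Hosts this deployment is willing to send users back to (assumed, deployment-specific). */
    static final Set<String> ALLOWED_HOSTS = new HashSet<String>(
            Arrays.asList("portal.example.com", "intranet.example.com"));

    /**
     * Returns an absolute https URL to redirect to, or null when the cookie is missing,
     * malformed, names a host that is not allow-listed, or carries a non-local path.
     */
    public static String resolveRedirect(String cookieValue, Set<String> allowedHosts) {
        if (cookieValue == null) {
            return null;
        }
        StringTokenizer tokenizer = new StringTokenizer(cookieValue);
        if (tokenizer.countTokens() < 4) {
            return null;                       // not the shape the how-to relies on
        }
        tokenizer.nextToken();                 // 1st token: skipped, as in the how-to
        String relativeURL = valueAfterEquals(tokenizer.nextToken()); // 2nd: path
        tokenizer.nextToken();                 // 3rd token: skipped
        String host = valueAfterEquals(tokenizer.nextToken());        // 4th: host

        host = bareHost(host);
        if (host.length() == 0 || !allowedHosts.contains(host)) {
            return null;                       // open-redirect guard
        }
        // Only a server-absolute path is accepted: "//other.example" or "http://..." would
        // otherwise turn "https://" + host + relativeURL into a different origin or a
        // malformed URL, and a backslash can be reinterpreted by some browsers.
        if (!relativeURL.startsWith("/") || relativeURL.startsWith("//")
                || relativeURL.indexOf('\\') >= 0) {
            return null;
        }
        return "https://" + host + relativeURL;
    }

    /** Everything after the first '=' (the whole token if there is none). */
    private static String valueAfterEquals(String token) {
        return token.substring(token.indexOf('=') + 1);
    }

    /** Normalize "HTTP://Host:443/x" or "Host" to "host" (no scheme, port or path). */
    private static String bareHost(String host) {
        String h = host;
        int scheme = h.indexOf("://");
        if (scheme >= 0) {
            h = h.substring(scheme + 3);
        }
        int cut = h.indexOf('/');
        if (cut >= 0) {
            h = h.substring(0, cut);
        }
        cut = h.indexOf(':');
        if (cut >= 0) {
            h = h.substring(0, cut);
        }
        return h.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample values; "k1".."k4" stand in for the real cookie key names.
        String good = "k1=x k2=/portal/home?tab=1 k3=y k4=portal.example.com";
        String badHost = "k1=x k2=/portal/home k3=y k4=unknown.example";
        String badPath = "k1=x k2=//unknown.example/ k3=y k4=portal.example.com";
        System.out.println(resolveRedirect(good, ALLOWED_HOSTS));
        System.out.println(resolveRedirect(badHost, ALLOWED_HOSTS));
        System.out.println(resolveRedirect(badPath, ALLOWED_HOSTS));
    }
}
```

In the action-URL JSP the call would replace the bare host + relativeURL concatenation, falling back to a fixed landing page when it returns null.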

Monday, August 11, 2008

Fraud Flash for the week of August 11, 2008

July 31, 2008
University of Texas at Dallas
A security breach in UTD’s computer network may have exposed Social Security numbers along with names, addresses, email addresses or telephone numbers. Those affected include:
  • 4,406 students who were on the Dean’s List or graduated between 2000 and 2003
  • 3,892 students who were contacted to take part in a survey by the Office of Undergraduate Education in 2002
  • 88 staff members from Facilities Management
  • 716 faculty and staff members listed in a space inventory record from 2001

Aug. 1, 2008
Tennessee Valley Authority
A laptop stolen from TVA contained Social Security numbers and reflects generally inadequate policies and procedures for tracking computers at the agency. The laptop was one of approximately 26 computer and computer-related items stolen from TVA between May 26, 2006, and Nov. 30, 2007, according to the IG, although the report stated it was unclear whether sensitive information was present on any of the laptops or PCs stolen from TVA.

Delphi Automotive Ohio Depart. of Job & Family Services
A flash drive with Social Security numbers and other personal information from former Dayton-area Delphi workers was removed from the unattended laptop of a state employee and is missing. The drive included the names, addresses, telephone numbers as well as the Social Security numbers of the workers.

Aug. 2, 2008
Countrywide Financial Corp.
The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period through July. The insider was a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division. Some, perhaps most, and possibly all the names were being sold to people in the mortgage industry to make new pitches.

Aug. 4, 2008
Arapahoe Community College
A contractor who manages the student information database had a flash drive lost or stolen. Information on the drive included the names, addresses, credit card numbers and Social Security numbers.

Aug. 5, 2008
The Clear Program
"Fast-pass" Registered Travel program for airline passengers, operated by Verified Identity Pass for the U.S. Transportation Security Admin. A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach for the Clear Program. The laptop was stolen at San Francisco International Airport. The stolen information included names, addresses, dates of birth, and driver's license numbers or passport numbers.

Aug. 7, 2008
Harris County Hospital
A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen. The data on the device included the patients' names, medical record numbers, billing codes, the facilities where the office visits occurred and other billing information. It also included the patients' Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses.

Monday, August 4, 2008

Fraud Flash for the week of August 4, 2008

July 28, 2008
Facebook accidentally publicly revealed personal information about its members, which could be useful to identity thieves. The full dates of birth of many of Facebook's 80 million active users were visible to others, even if the individual member had requested that the information remained confidential.

July 29, 2008

Moraine Park Technical College
Customers of the bookstores located at three Moraine Park Technical College campuses were notified Tuesday of a security breach that occurred in July 2006.

Anheuser-Busch
A laptop containing personal information of current and former employees, including some from Hampton Roads, was stolen from a St. Louis-area Anheuser-Busch office. Information contained on the computer included employees' Social Security numbers, home addresses and marital status.

July 30, 2008
Data Breach Fallout: Do CISOs Need Legal Protection?
Since the security executive is on the hot seat after a data breach, some industry experts suggest CISOs get themselves some form of liability protection. The downside is that such protection could shield those who deserve the blame for an incident.

July 31, 2008
City of Yuma
The Social Security numbers of about 300 city of Yuma employees were "unintentionally released" in an e-mail sent to city administrative personnel.

August 4, 2008
Report Sheds Light on Tricky Fraud, I.D. Theft Issues
Consumer fraud and identity theft numbers have risen steadily over the past few years, and consumers are taking notice.

A Marine has admitted robbing a Providence bank and using the identity of a fellow service member to steal money.

CETA warns identity theft boom to continue
An online shopping boom is threatening to accelerate an increase in identity theft according to independent general insurance network CETA Insurance Limited.

Georgia Blue Cross
Poor system testing caused a medical records privacy breach affecting over 200,000 members of Georgia Blue Cross and Blue Shield. The case has implications for both consumer privacy and IT’s impact on business operations.

The identity theft scheme was designed to copy and sell on up to 2 million mortgage holders' details including their social security numbers.

Tuesday, July 29, 2008

Fraud Flash for the week of July 28, 2008

July 17, 2008
Department of Consumer Affairs
A Consumer Affairs personnel specialist in Sacramento emailed an alpha personnel file containing names and Social Security numbers of the department's more than 5,000 staff to a personal Yahoo email account at the end of the day on her last day at the department.

July 19, 2008
Minneapolis Veterans Home
A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents.

July 23, 2008
San Francisco Human Services Department
Potentially thousands of files containing personal information were exposed after a San Francisco agency left confidential files in unsecured curbside garbage and recycling bins. In some cases entire case files were discarded. Blown-up copies of Social Security cards, driver's licenses, passports, bank statements and other sensitive personal information were all left in these unlocked bins.

July 24, 2008
Village of Tinley Park
Computer backup tapes that contain thousands of Social Security numbers of Tinley Park residents have been lost. The tapes containing information from as long ago as 15 years were lost while being transferred from the village hall to another site within the Chicago suburb.

Saint Mary's Regional Medical Center
An unauthorized person may have accessed the Saint Mary's database. The database, used for Saint Mary's health education classes and wellness programs, contained personal information such as names and addresses, limited health information and some Social Security numbers. The database did not contain medical records or credit card information.

Hillsborough Community College
Hillsborough Community College warned its employees to monitor their bank accounts because an HCC programmer's laptop was stolen from a hotel parking lot in Georgia. The programmer had been working on a payroll project for a group of employees using their names, bank-routing numbers, retirement information and Social Security numbers.

University of Houston
The names and Social Security numbers of University of Houston students were inadvertently posted on the Internet for more than two years. The posting occurred when a math department lecturer posted student grades on a UH Web server in October 2005.

July 25, 2008
Ohio University
A clerical error led to the online posting of the names and Social Security numbers of people who spoke at Ohio University's Centers for Osteopathic Research and Education. A spreadsheet that contained the information had been accessible since March 20 and was discovered when a nurse found the information last week while conducting online research. In addition to names and Social Security numbers, the spreadsheet included contact numbers, addresses, their speaking topics and federal employer identification numbers.

July 26, 2008
Connecticut College/Wesleyan University/Trinity College
A Connecticut College library system was breached by hackers apparently looking to set up chat rooms or send spam e-mails. The systems database included the names, addresses and Social Security or driver's license numbers of approximately 2,800 Connecticut College library patrons, 12 Wesleyan University patrons and three from Trinity.

Wednesday, July 23, 2008

Introducing the Oracle Access Management Suite

Oracle Launches Oracle® Access Management Suite
Accelerates Oracle Fusion Middleware and BEA Product Integration to Advance Delivery of its Application-Centric Identity Management Vision
REDWOOD SHORES, Calif. 23-JUL-2008 01:40 PM
  • Further delivering its vision for Application-Centric Identity, Oracle today unveiled Oracle(r) Access Management Suite, the industry's first and only comprehensive offering for next generation access management.
  • The Oracle Access Management Suite is the only solution offering next-generation technologies that enable risk-based authentication, proactive online fraud prevention, and fine-grained authorization, as well as best-of-breed functionality including web access management and identity federation.
  • The company also announced general availability of the new Oracle Entitlements Server, a fine-grained authorization solution and a key component of the suite. Oracle is the first major identity management vendor to offer this capability.
  • Oracle Entitlements Server (previously BEA AquaLogic Enterprise Security) enables application developers to externalize and centralize fine-grained authorization policies that would previously have been embedded within applications.
  • The Oracle Access Management Suite is certified to work with Oracle Applications - Oracle E-Business Suite, Oracle's PeopleSoft, Oracle's JD Edwards, Oracle's Siebel and Oracle's Industry Applications - and a broad range of leading non-Oracle Applications.
  • The Oracle Access Management Suite is the first of a number of products that combines technology from Oracle Fusion Middleware and BEA Systems. Its introduction illustrates the rapid progress that Oracle is making in combining market-leading technologies from the two companies into a unified product offering.

Integrated, Next Generation Access Management

  • In addition to integration with Oracle Fusion Middleware, the Oracle Access Management Suite includes native integration and support for a broad range of middleware from other vendors.
  • Enabling superior security and ease of deployment, the Oracle Access Management Suite is hot-pluggable with leading applications and platforms, including deep integration with Oracle's PeopleSoft, Oracle E-Business Suite, Oracle's Siebel, and Oracle's JD Edwards.
  • The integrated offering provides the following benefits in a single solution: SSO, authentication and authorization management for web-based applications; Strong authentication and real-time proactive fraud prevention to protect against identity theft and insider risks; Standards-based cross enterprise SSO and federation; Fine-grained access control within applications based on user entitlements
  • Key components of the Oracle Access Management Suite include: Oracle Entitlements Server; Oracle Adaptive Access Manager; Oracle Access Manager; Oracle Identity Federation.

Supporting Quote

  • "Organizations today are struggling to cope with the increasing sophistication of threats, the business and regulatory demands for stronger security controls, and the need to demonstrate compliance across enterprise systems," said Amit Jasuja, vice president, Oracle Identity Management. "Previous generation access management systems are no longer adequate to solve these challenges as businesses today need to adapt quickly to evolving attacks, strengthen controls by eliminating access management silos, and sustainably demonstrate compliance. Through the delivery on our Application-Centric Identity vision and the integrated Oracle Access Management Suite we are delivering what no other vendor can today."

About Oracle Identity Management

  • Serving as the security backbone for Oracle Fusion Middleware, Oracle Identity Management helps customers and partners decrease security threats across diverse IT environments while helping address governance, risk and compliance needs. Oracle Identity Management was the fastest growing suite of Identity Management products in 2007, based on total software revenues worldwide. Oracle Identity Management's support of industry standards such as WS*, XACML, SAML and SPML helps enable customers and partners to more easily integrate applications with the framework. The family of best-in-class software includes Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Enterprise Single Sign-On Suite, Oracle Identity Federation, Oracle Role Manager, Oracle Virtual Directory, Oracle Internet Directory, Oracle Management Pack for Identity Management and Oracle Web Services Manager; all of which can be used in its entirety or as individual components. To learn more, visit

About Oracle
Oracle (NASDAQ: ORCL) is the world's largest enterprise software company. For more information about Oracle, please visit our Web site at

# # #
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Monday, July 21, 2008

Fraud Flash for the week of July 21, 2008

July 14, 2008
Washington Metropolitan Area Transit Authority
Metro accidentally published the Social Security numbers of past and present employees on its Web site. The numbers were posted with a solicitation to companies for workers' compensation and risk management services.

July 15, 2008
Weber Law Firm
Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston. Box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more were found in the dumpster.

Missouri National Guard
The Missouri National Guard has called for a criminal investigation after it learned that the personal information of as many as 2,000 soldiers had been breached. The Guard would not release how the personal information had been taken -- whether by computer hackers or other means -- because it has asked for a full law enforcement investigation into the matter.

University of Texas at Austin
The personal information of University of Texas students and faculty has been exposed on the Internet. An independent watchdog discovered more than five dozen files containing confidential graduate applications, test scores, and Social Security numbers. The files were inadvertently posted by at least four different UT professors to a file server for the School of Biological Sciences.

July 16, 2008
Greensboro Gynecology Associates
A backup tape of patient information was stolen from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members.

Indiana State University
A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen. The laptop contained data for students who took economics classes from 1997 through the spring semester 2008. The information includes names, grades, e-mail addresses and student identification numbers and in some cases Social Security numbers.

July 17, 2008
Bristol-Myers Squibb
A backup computer-data tape containing employees' personal information, including Social Security numbers, was stolen recently. The backup data tape was stolen while being transported from a storage facility. The information on the tapes included names, addresses, dates of birth, Social Security numbers and marital status, and in some cases bank-account information. Data for some employees' family members also were on the tape.

University of Maryland
University of Maryland accidentally released the addresses and Social Security numbers of thousands of students. A brochure with on-campus parking information was sent by U.S. Mail to students. The University discovered the labels on the mailing had the students' Social Security numbers on them.

Interesting Authentication Questions

People ask me security questions on a daily basis. I’d like to share some of those conversations with you all. Here are a few interesting recent questions I’ve received.

Q1: Some security researchers claim that mutual authentication solutions are vulnerable to “Man in the Middle” attacks. I’m wondering if OAAM could also be compromised this way, or if you have other safeguards that make it stronger. Check out this article

A1: Yes, this particular MITM discussion comes up whenever a security guy is attending an OAAM presentation. The basic issue is that a shared-secret solution such as the personalization features of the OAAM virtual devices (image, phrase and time stamp) is intended to combat mass phishing attacks, not MITM. This is not a deficiency as long as a solution does not stop there. Fortunately this is not an issue for OAAM, because personalization is only one small feature of the product, as opposed to some other products that make mutual authentication the primary feature. Personalization serves its purpose, but to stop MITM other OAAM features are needed. To best illustrate how OAAM can prevent MITM, here is an example scenario. I'm using banking for the example because many MITM attacks focus on banking applications, but this could be extended to any type of application.

For example: The MyBank banking site allows its customers to do money transfers online. Money transfers are a favorite target of MITM attacks. Generally a MITM attack will wait for a user to log in and submit a transfer request. At that moment the software will alter the receiving account number and dollar amount before the request reaches the bank application, which lets the attacker transfer money to their own account. One simple way to stop this is to protect the receiving account number so it cannot be altered.

A user flow might go as follows:

1. User logs in successfully

2. User navigates to the transfer page

3. User selects the account to transfer from

4. User enters the transfer receiving account number using a PinPad virtual device

5. User enters the dollar amount and clicks submit

Since the receiving account number is not sent over the wire in an understandable form it cannot be altered by the MITM so the fraud is prevented.

In addition to this of course there is the Adaptive Risk Manager watching for anomalies in behavior to prevent MITM and other types of attacks while they are being attempted.

Q2: I’ve seen a number of interesting new authentication products. One in particular uses categories of images mapped to characters that are used in the creation of a one-time use password. The user memorizes categories, then matches images shown to those categories, then figures out what their OTP is, then authenticates with it. Will OAAM include similar methods in future releases?

A2: There are many unique attempts at authentication solutions. Over the last few years we have developed and experimented with many different unique approaches in our labs. Some have worked and some others have not been as successful. In my experience, solutions that have an overly complex user experience, such as you describe, will have a lot of user issues resulting in costly call center activity. This is why even the most technically complex OAAM virtual authentication devices are easy to operate. An important concept to keep in mind when thinking through these issues is that authentication alone is not enough to stop sophisticated attacks such as MITM. Even traditional strong authentication methods such as hardware tokens and biometrics, when working alone, cannot stop MITM. Notice that many of the authentication-only products do not say they can stop MITM. They say things like "man in the middle attacks are hindered". I'm not sure what that means, but their solution won't stop the scenario I describe above. This is precisely the reason we developed both components of OAAM to be a complete solution.

Q3: What is your take on CAPTCHAs? I was just reading an article on just how compromised they have become.

But I was intrigued by a link in the article to a 3-D based CAPTCHA that may prove invulnerable to the bots (for now).

A3: The 3D CAPTCHA is an interesting take on the idea. The purpose of a CAPTCHA of course is to prevent navigation of a process by automated means such as a bot. OAAM virtual devices actually offer CAPTCHA like capabilities but from the opposite direction. CAPTCHA attempts to prevent a bot from "reading" a temporary code by hiding it in a 2D or 3D image. A KeyPad or PinPad virtual device prevents a bot from entering a credential/code because the automated process does not know how to figure out where the keys are in the image and how to navigate a mouse to click on them. We actually have a customer that is using the PinPad virtual device in the classic role of a CAPTCHA, to secure their new account registrations. Most customers however get this capability as part of the total solution and don’t even think about it in these terms. Of course the most powerful way to stop automated bot type activity is a complete solution that includes use of the virtual devices, multifactor authentication and risk analytics.