Monday, June 30, 2008

Fraud Flash for the week of June 30, 2008

June 18, 2008
Domino's Pizza (Tucson, AZ)
Investigators found credit card numbers blowing in the wind. These piles and papers contained hundreds of old receipts from Domino's Pizza stores. The former owner had been discarding boxes of old records and somehow all those receipts got loose.

June 19, 2008
Citibank (New York City, NY)
A Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached. The computer intrusion into the Citibank server led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines, pocketing at least $750,000 in cash.

Petroleum Wholesale (Houston, TX)
The company dumped hundreds of records in a publicly accessible trash container outside its former headquarters. The records included receipts with customers' names and full credit or debit card numbers, including expiration dates. The records also included returned checks and forms containing customers' names and bank routing, driver's license and Social Security numbers.

June 23, 2008
Bank Atlantic (Tampa Bay, FL)
Bank Atlantic confirms they had a data loss, involving their MasterCard debit cards. It happened through a local merchant, but at this time, isn't saying which one.

Colt Express Outsourcing Services/CNET Networks (Walnut Creek, CA)
Burglars stole computer systems from the offices of the company that administers the Internet publisher's benefit plans. The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET's health insurance plans. CNET was only one of several clients affected.

California Department of Consumer Affairs (Sacramento, CA)
A Microsoft Word document was improperly transmitted electronically outside of the department. The document contained the salaries and titles of everyone on the document. It may have also compromised their names and Social Security numbers.

June 24, 2008
Southeast Missouri State University (Cape Girardeau, MO)
A former employee has been indicted on two charges of identity fraud and one charge of computer trespass after being found in possession of 800 student names and Social Security numbers.

June 27, 2008
Phishing hits one in four Asian banks
Banks in the region are realizing the importance of online transaction security but not many have taken steps to address this, according to a new study.

What to look for in an ESSO solution?

Enterprises need to provide a better user experience while at the same time decreasing extensive administration costs and increasing security and privacy for their users. These business challenges drive an enterprise toward a better Identity Management and Enterprise Single Sign On (ESSO) solution. Here are some of the things to look for in an ESSO solution:

1. Web-based access management SSO: A Web-based access management solution can include an SSO capability for Web-based applications. With Web-based SSO, the user supplies a credential. The Web server validates the password with a central credential server. If a match is found, the user is granted access to the Web-based application or system.

2. Desktop/Mainframe/Host Applications access management SSO: The ESSO solution should provide access to all desktop applications (e.g., Windows/Solaris), mainframe applications (e.g., 3270, 5250), and host applications (e.g., Telnet). It should allow users to use multiple emulators and multiple emulator sessions simultaneously, support both logon and password change for desktop applications, and allow administrators to add mainframe/desktop applications, configure them, and easily deploy them to users.

3. Java Applications & Applets access management SSO: Provide users access to AWT, Swing and standalone Java applications and applets.

4. User's credential synchronization: Provide a way to replicate the user's credentials (e.g., username and password) automatically across all applications and resources.

5. Event logging and reporting: Provide ESSO administrators with logs and reports on application usage. Provide network administrators comprehensive reports on password-related activity, showing who used passwords, what applications they accessed, where, and when.

Thursday, June 26, 2008

Information Card Foundation discussion with Uppili Srinivasan

Today I had the chance to catch up with Uppili Srinivasan, who is a security architect for Fusion Middleware at Oracle. We were chatting about the Information Card Foundation.

Eric Leach: Hi Uppili, thanks for chatting with me today. What is the Information Card Foundation (ICF)?

Uppili Srinivasan: The Information Card Foundation is an independent, not-for-profit organization formed to advance the adoption and use of Information Cards across the Internet.
The Information Card Foundation is being formed to consolidate dozens of private and corporate online identity management and protection initiatives pertaining to Information Card Technology. The main motivations are to promote interoperability, heterogeneity and openness in underlying architecture, standards and specifications.

Eric: Sounds useful. For the uninitiated out there, what are Information Cards?

Uppili: Information Cards are the digital, online equivalents of your physical identification credentials such as a driver's license, passport, credit card, club card, business card or a social greeting card. Users control the distribution of their personal information through each Information Card. Information Cards are stored in a user's own online wallet (called a "selector") and "handed out" with a mouse click just like a physical ID card.

Information Cards can be issued to users by organizations for general or specific use. Users can also create their own Information Cards as a shortcut to avoid the endless process of filling out web forms. But more importantly, the infrastructure behind the cards allows for trusted sources (a bank, a credit union, a government office, etc.) to verify specific information ("claims") made by a user. In other words, Information Cards give users the ability to make claims about themselves, verified by qualified 3rd parties, while using the Internet.

Eric: So why is the Information Card Foundation important?

Uppili: The Internet is rife with identity-related security risks such as phishing and other identity frauds resulting from the lack of user control over identity release that accompanies online transactions. Information Card is an emerging "user-centric identity" solution aimed at mitigating these issues.

No single company can succeed in building a vendor-independent, platform-neutral and user-centric identity framework by itself. The goal of the ICF is to help create the infrastructure components that enable our complex economic and social networks to support at least the same level of identity capabilities online as they have offline. Doing this requires collaboration among a community of dedicated individuals—architects, designers, developers, users—together with businesses that cross technological, financial and commercial fields.

Eric: There are other web authentication initiatives out there. How does the Information Card Foundation relate to other initiatives like the Higgins Project or OpenID?

Uppili: OpenID is a web SSO standard for Internet users. It aims to provide an infrastructure for re-usable and persistent identity across the Internet. It supports the familiar URI-based name identifiers and also allows user mediation of trust between OpenID relying web sites and OpenID providers. OpenID is also referred to as a "user-centric" identity system, but as you can see, Information Cards and OpenID have different but complementary design centers. For instance, OpenID solutions are not phishing resistant, but OpenID defines a protocol mechanism to integrate with Information Card solutions to mitigate this risk.

The Higgins Project is an Eclipse open source project with the goal of delivering platform-neutral and standards-based identity layers that can serve as a foundation to foster identity solutions that span multiple protocols and provide necessary transparency for end-users accessing the Internet. One of the main components developed under Project Higgins is a platform-independent implementation of Information Card. The Information Card Foundation will promote open source projects expanding the reach of Information Cards. The Higgins Project is a prominent candidate in that category.

Eric: So how is Oracle involved in the Information Card Foundation?

Uppili: Oracle has joined the Information Card Foundation as a corporate steering member. This includes a seat in the ICF board.

User-centric identity solutions, of which Information Card is one, carry the potential to address some common problems of safety and usability faced by users on the Internet today. Many standards (such as HTTP, SMTP etc.) and technologies (instant messaging, Wiki etc.) that originated on the Internet have also become pervasive within enterprises. Considering this history, and also driven by the benefits of a consistent and safe user experience, it is very likely that user-centric identity solutions, as they emerge within the Internet, will morph into enterprise deployments as well.

Customers want to incorporate the benefits of user-centric Identity as a complementary component of their overall IAM solution strategy and are concerned about the prospect of fragmented infrastructure and identity silos.

With these considerations, Oracle, through its steering membership in Information Card Foundation (ICF), intends to actively promote the following:

* Openness and platform independence
* Seamless interoperability with and leverage of established standards
* Flexible architecture to permit ongoing innovations

Eric: What can Oracle's Identity and Access Management customers expect from our participation with the Information Card Foundation?

Uppili: This announcement about Oracle joining Information Card Foundation is a key component of Oracle’s position on “User-centric Identity” (UCI). At the heart of Oracle’s strategy is Oracle’s vision to deliver the benefits of user-centric Identity to its customers as a complementary solution layer that leverages existing Identity infrastructure, solutions and roadmap.

Consistent with the above vision, Oracle's product roadmap will include both incremental integration of user-centric features within existing IAM products as well as focused turnkey solutions for this market, as it evolves and emerges.

Eric: Thanks very much for your time Uppili. This was very informative.

Uppili: No problem. You are welcome.
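To make the selector, claims and issuer roles from the interview concrete, here is an added example (not ICF, Higgins or Oracle code) that models the Information Card exchange in miniature: a relying party states the claims it needs, the selector picks the card that satisfies that policy with the least disclosure, the issuer releases and signs only the requested claims, and the relying party verifies the signature before trusting them. It assumes a per-issuer HMAC secret as a stand-in for the issuer's real signing key and certificate; card names, issuers and claim values are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed issuer keys (assumption: shared HMAC secrets stand in for the
# issuer signing keys a real deployment would use).
ISSUER_KEYS = {
    "self": b"constructed-self-issued-card-key",   # card the user created herself
    "examplebank": b"constructed-bank-issuer-key",  # trusted third party (a bank)
}


@dataclass(frozen=True)
class InformationCard:
    name: str
    issuer: str
    claims: dict  # every claim this card is able to assert


@dataclass(frozen=True)
class RelyingPartyPolicy:
    required: frozenset         # claim types the site needs for this transaction
    trusted_issuers: frozenset  # issuers whose assertions the site accepts


def select_card(cards, policy):
    """Selector step: among cards from a trusted issuer that can supply every
    required claim, pick the one carrying the fewest claims overall, so the user
    discloses no more than the transaction needs. None if no card qualifies."""
    eligible = [c for c in cards
                if c.issuer in policy.trusted_issuers
                and policy.required <= set(c.claims)]
    if not eligible:
        return None
    return min(eligible, key=lambda c: len(c.claims))


def issue_token(card, requested):
    """Issuer step: release only the requested claims and sign them."""
    released = {k: card.claims[k] for k in sorted(requested)}
    body = json.dumps({"issuer": card.issuer, "claims": released}, sort_keys=True)
    sig = hmac.new(ISSUER_KEYS[card.issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token, policy):
    """Relying-party step: reject untrusted issuers, bad signatures and tokens
    missing a required claim; otherwise return the verified claims."""
    try:
        data = json.loads(token["body"])
        issuer, claims = data["issuer"], data["claims"]
    except (KeyError, TypeError, ValueError):
        return None
    if issuer not in policy.trusted_issuers or issuer not in ISSUER_KEYS:
        return None
    expected = hmac.new(ISSUER_KEYS[issuer], token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    if not policy.required <= set(claims):
        return None
    return claims


# Constructed sample wallet: one self-issued card and one bank-issued card.
CARDS = [
    InformationCard("Personal", "self", {"name": "A. User", "email": "a.user@example.org"}),
    InformationCard("Bank", "examplebank",
                    {"name": "A. User", "email": "a.user@example.org",
                     "age_over_18": True, "account_verified": True}),
]
FORUM_POLICY = RelyingPartyPolicy(frozenset({"email"}), frozenset({"self", "examplebank"}))
AGE_POLICY = RelyingPartyPolicy(frozenset({"age_over_18"}), frozenset({"examplebank"}))


def click_in(cards, policy):
    """Whole exchange: selector -> issuer -> relying party; None if any step fails."""
    card = select_card(cards, policy)
    if card is None:
        return None
    return verify_token(issue_token(card, policy.required), policy)


if __name__ == "__main__":
    print(click_in(CARDS, FORUM_POLICY))  # self-issued card, only the email released
    print(click_in(CARDS, AGE_POLICY))    # bank card, only age_over_18 released
```

Note that the forum gets the self-issued card even though the bank card would also satisfy it, and the age check never sees the user's name or email.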

The 3 “W”s of Oracle ESSO

In a typical heterogeneous enterprise environment, there may be a number of applications running off a multitude of systems and machines a user may have to access on a daily basis. The business challenges of provisioning and mandating these users across different systems and applications drives an enterprise for a better Identity Management and Single Sign On solution.

1. What is Oracle ESSO?

Oracle's Enterprise Single Sign-On (ESSO) solution is an OEM product from Passlogix, rebranded to provide an Oracle look and feel. Oracle has been selling the ESSO product for almost 1.5 years now and we have more than 200 customers who have adopted this product as part of their Oracle Identity and Access Management solution for their enterprise.

2. Why Oracle ESSO?

All enterprises are looking for a way to support password management, identity management and strong authentication for their users while at the same time adhering to compliance requirements, thereby eliminating the hidden end-user costs associated with compliance-driven initiatives.

Oracle ESSO, together with Oracle's Identity Management solution, gives a user in an enterprise the ability to access all of his applications through a single authentication event and to perform self-service password management. For network administrators it helps to set, assign, securely store, and change these passwords from a single point of control.

Oracle ESSO provides out-of-the-box support for 90% of enterprise applications (such as Web, Windows, Java, applet, mainframe and host-based applications), can be configured for all others within 15 minutes, and is very easy to deploy. Oracle ESSO's GUI-based administrative console provides wizard-based configuration and control over all settings and users, which is a unique feature that differentiates this product from competing products in the market.

3. Where to download Oracle ESSO?

Oracle ESSO suite v10 is the current latest version of the product and it is available for download under a developer's license at the Oracle Technology Network (OTN):

For more:

Security-aware business... or business-aware security?

Much of the digitalization of business processes spawns from the desire of humans to minimize manual execution of repetitive tasks and maximize convenience. The field of Business Process Management (BPM) provides IT with tools for modeling business processes in a generic fashion to set frameworks for a variety of business applications, such as HR, procurement, medical, etc. This allows for more flexibility to address change in the business processes when needed as compared to changing code whenever business processes are changed.

Digital business processes cannot exist without human interaction; at the very minimum, a human actor must initiate a request for the automation of the business process to begin. Any human actor, by virtue of being human, will have identity information attached to him or her, and there exists a need to protect this identity information.

In order to participate in a business process, the consumer will have no choice but to leak some minimal identity information because the system needs to know who the consumer is. This identity information is necessary to the provider of the service in order to determine whether the service should be granted. However, the goal of the consumer is to receive the service and at the same time leak as little information as possible. The need to protect the consumer’s privacy to the maximum degree possible sets the context for identity management within business processes.

The provider cannot perform a service for a completely anonymous actor because access rights and privileges that a given consumer has for the system involved in the business process must be determined before the service is granted. Thus, the consumer’s desire for convenience and need for privacy must be balanced with access management, in order to maximize the security of the business process.

This constant three-way tug of war between convenience, privacy, and security presents a need for next-generation business process solutions that would provide business process modelers with embedded security controls.

Historically, the industry practice has been to implement business processes first, with no embedded access controls whatsoever, and then integrate the business process products with external access management products. One shortcoming of this approach is the cost of integration. Another limitation of external integration of security is that while it works well for coarse-grained security needs, external components do not have granular visibility into the details of specific activities within business processes.

Despite their generic nature, BPM tools are no exception. Typically, they have basic access control and identity management capabilities sufficient for proof of concepts and small deployments. However, these out-of-the-box capabilities are insufficient for large scale deployments with large user populations. When performance and scalability are required, IT professionals prefer to make sizeable investments into enterprise-level access management tools from security vendors. These access management tools must be integrated with the existing BPM tools.

The question that begs to be asked is: At which point should this integration take place? How do we, as IT vendors, make security business-aware and a business application security-capable, while improving time-to-value and minimizing integration budgets of our customers? It seems that the industry has come to the point where this integration can and should take place initially within BPM products themselves.

When it comes to build versus buy decisions, IT managers must have a choice between continuously funding integration projects with vague scopes and ever-changing deadlines and enterprise-level products from reliable vendors that blend best-of-breed BPM features with stable, tested, and well documented enterprise-level identity and access management capabilities within.

Wednesday, June 25, 2008

Some very exciting news about the new Information Card Foundation...

- Eric


June 24, 2008 – Australia, Canada, France, Germany, India, Sri Lanka, United Kingdom, United States – An array of prominent names in the high-technology community today announced the formation of a non-profit foundation, The Information Card Foundation, to advance a simpler, more secure and more open digital identity on the Internet, increasing user control over their personal information while enabling mutually beneficial digital relationships between people and businesses.

Led by Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community, the group established the Information Card Foundation (ICF) to promote the rapid build-out and adoption of Internet-enabled digital identities using Information Cards.

Information Cards take a familiar off-line consumer behavior – using a card to prove identity and provide information – and bring it to the online world. Information Cards are a visual representation of a personal digital identity which can be shared with online entities. Consumers are able to manage the information in their cards, have multiple cards with different levels of detail, and easily select the card they want to use for any given interaction.

“Rather than logging into web sites with usernames and passwords, Information Cards let people ‘click-in’ using a secure digital identity that carries only the specific information needed to enable a transaction,” said Charles Andres, executive director for the Information Card Foundation. “Additionally, businesses will enjoy lower fraud rates, higher affinity with customers, lower risk, and more timely information about their customers and business partners.”

The founding members of the Information Card Foundation represent a wide range of technology, data, and consumer companies. Equifax, Google, Microsoft, Novell, Oracle, and PayPal, are founding members of the Information Card Foundation Board of Directors. Individuals also serving on the board include ICF Chairman Paul Trevithick of Parity, Patrick Harding of Ping Identity, Mary Ruddy of Meristic, Ben Laurie, Andrew Hodgkinson of Novell, Drummond Reed, Pamela Dingle of the Pamela Project, Axel Nennker, and Kim Cameron of Microsoft.

“The creation of the ICF is a welcome development,” said Jamie Lewis, CEO and research chair of Burton Group. “As a third party, the ICF can drive the development of Information Card specifications that are independent of vendor implementations. It can also drive vendor-independent branding that advertises compliance with the specifications, and the behind-the-scenes work that real interoperability requires.”

The Information Card Foundation will support and guide industry efforts to enable the development of an open, trusted and interoperable identity layer for the Internet that maximizes control over personal information by individuals. To do so, the Information Card infrastructure will use existing and emerging data exchange and security protocols, standards and software components.

Businesses and organizations that supply or consume personal information will benefit from joining the Information Card Foundation to improve their trusted relationships with their users. This includes financial institutions, retailers, educational and government institutions, healthcare providers, retail providers, travel, entertainment, and social networks.

The Information Card Foundation will hold interoperability events to improve consistency on the web for people using and managing their Information Cards. The ICF will also promote consistent industry branding that represents interoperability of Information Cards and related components, and will promote identity policies that protect user information. This branding and policy development is designed to give all Internet users confidence that they can exert greater control over personal information released to specific trusted providers through the use of Information Cards.

"Liberty Alliance salutes the open industry oversight of Information Card interoperability that the formation of ICF signifies," said Brett McDowell, executive director, Liberty Alliance. "Our shared goal is to deliver a ubiquitous, interoperable, privacy-respecting federated identity layer as a means to seamless, secure online transactions over network infrastructure. We look forward to exploring with ICF the expansion of the Liberty Alliance Interoperable(tm) testing program to include Information Card interoperability as well as utilization of the Identity Assurance Framework across Information Card deployments."

As part of its affiliations with other organizations, The Information Card Foundation has applied to be a working group of Identity Commons, a community-driven organization promoting the creation of an open identity layer for the Internet while encouraging the development of healthy, interoperable communities.

Additional founding members are Arcot Systems, Aristotle, A.T.E. Software, CORISECIO, FuGen Solutions, the Fraunhofer Institute, Fun Communications, the Liberty Alliance, Gemalto, IDology, IPcommerce, ooTao, Parity, Ping Identity, Privo, Wave Systems, and WSO2.

Further information about the Information Card Foundation can be found at

Media Contact:

John Fitzsimmons


Tuesday, June 24, 2008

Fraud Flash for the week of June 23, 2008

June 15, 2008
Conn. Department of Administrative Services (Hartford, CT)
Department of Administrative Services posted the Social Security numbers of individual contractors on a state Web site. An audit also uncovered the Social Security numbers of prospective nursing employees accessible on an agency Web site for 19 months until a complaint was lodged.

June 13, 2008
Texas Insurance Claims Services (Dallas, TX)
Hundreds of files with people's names, Social Security numbers and policy numbers were found in a Richardson dumpster.

June 12, 2008
Columbia University (New York, NY)
A student employee had posted a database of students' housing information on a Google-hosted Web site. Their Social Security numbers had been searchable online for the last 16 months.

June 11, 2008
Dickson County Board of Education (Dickson, TN)
A computer containing sensitive personal information was stolen from the Dickson County Board of Education. The computer belongs to the new director of schools and was loaded with the name and Social Security number of every school employee from the 2006-2007 school year, a total of 850.

June 10, 2008
Wheeler's Moving Company (Boca Raton, FL)
Personal files with tax information, Social Security numbers and license numbers, were found in a Boca Raton dumpster.

University of Florida (Gainesville, FL)
Current and former students had their Social Security numbers, names and addresses accidentally posted online. The information became available when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program between 2003 and 2005.

University of Utah Hospitals and Clinics (Salt Lake City, UT)
Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center. The records, described only as backup information tapes, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years.

1st Source Bank (South Bend, IN)
1st Source Bank is replacing ATM cards this month for all its account holders after cyber-thieves accessed an unknown amount of debit-related data.

June 9, 2008
University of South Carolina (Columbia, SC)
Several items were stolen from an office in the Moore School of Business. Among the items was a desktop computer. As a result of the computer being stolen, it is possible that some personally identifiable data could have been compromised.

June 7, 2008
East Tennessee State University (Johnson City, TN)
6,200 people may have had their identities compromised by the theft of a desktop computer. The computer is password protected and files cannot be easily accessed. But there is a small possibility that the information could be compromised.

Southington Water Department (Southington, CT)
Documents with the names and Social Security numbers of 26 people were found scattered by the Quinnipiac River.

June 6, 2008
Stanford University (Stanford, CA)
Stanford University determined that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way.

June 4, 2008
Oregon State University (Corvallis, OR)
The Oregon State Police are investigating the theft of personal information from online customers of the OSU Bookstore who used credit cards to purchase items.

June 2, 2008
Walter Reed Army Medical Center (Washington, D.C.)
Sensitive information on patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach. The computer file that was breached did not include information such as medical records, or the diagnosis or prognosis for patients, but may have included names, Social Security numbers, birth dates as well as other information.

Welcome to the Oracle Access Management Blog!

Welcome to the Oracle Access Management blog.

There is a lot going on in the world of access management and we - the product management team responsible for Oracle's Access Management Suite of products (Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlements Server, and Oracle Identity Federation) - started this blog to share information and engage discussion.

This blog will focus on informational articles about our products, discussions of product functionality, and our take on industry trends and emerging technologies. We will also share best practices for deploying, integrating, and managing Oracle Access Management products. And we will generally muse on topics we think are important to access management, security, fraud detection, entitlements management, and federation.

We will also be featuring some regular topics including keeping tabs on online fraud and the impact this has on businesses across all industries in a weekly feature we call Fraud Flashes.

Stay tuned.