Tuesday, July 29, 2008
Department of Consumer Affairs
A Consumer Affairs personnel specialist in Sacramento, emailed an alpha personnel file containing names and Social Security numbers of the department's more than 5,000 staff to a personal Yahoo email account at the end of the day, her last day at the department.
July 19, 2008
Minneapolis Veterans Home
A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents.
July 23, 2008
San Francisco Human Services Department
Potentially thousands of files contaning personal information was exposed after a San Francisco agency left confidential files in unsecured curbside garbage and recycling bins. In some cases entire case files were discarded. Blown up copies of social security cards, driver's licenses, passports, bank statements and other sensitive personal information were all left in these unlocked bins.
July 24, 2008
Village of Tinley Park
Computer backup tapes that contain thousands of Social Security numbers of Tinley Park residents have been lost. The tapes containing information from as long ago as 15 years were lost while being transferred from the village hall to another site within the Chicago suburb.
Saint Mary's Regional Medical Center
A unauthorized person may have accessed the Saint Mary's database. The database, used for Saint Mary's health education classes and wellness programs, contained personal information such as names and addresses, limited health information and some Social Security numbers. The database did not contain medical records or credit card information.
Hillsborough Community College
Hillsborough Community College warned its employees to monitor their bank accounts because an HCC programmer's laptop was stolen from a hotel parking lot in Georgia. The programmer had been working on a payroll project for a group of employees using their names, bank-routing numbers, retirement information and Social Security numbers.
University of Houston
The names and Social Security numbers of University of Houston students were inadvertently posted on the Internet for more than two years. The posting occurred when a math department lecturer posted student grades on a UH Web server in October 2005.
July 25, 2008
A clerical error led to the online posting of the names and Social Security numbers of people who spoke at Ohio University's Centers for Osteopathic Research and Education. A spreadsheet that contained the information had been accessible since March 20 and was discovered when a nurse found the information last week while conducting online research. In addition to names and Social Security numbers, the spreadsheet included contact numbers, addresses, their speaking topics and federal employer identification numbers.
July 26, 2008
Connecticut College/Wesleyan University/Trinity College
A Connecticut College library system was breached by hackers apparently looking to set up chat rooms or send spam e-mails. The systems database included the names, addresses and Social Security or driver's license numbers of approximately 2,800 Connecticut College library patrons, 12 Wesleyan University patrons and three from Trinity.
Thursday, July 24, 2008
- Microsoft Windows 64-bit native ISAPI Webgate
- RHEL 4/5 NPTL enabled 64-bit native Apache 2.2 Webgate
- HPUX 11.23 NSAPI Webgate
- HPUX 11.23 OHS v1.3 Webgate
Wednesday, July 23, 2008
| Oracle Launches Oracle® Access Management Suite |
Accerelates Oracle Fusion Middleware and BEA Product Integration to Advance Delivery of its Application-Centric Identity Management Vision
| REDWOOD SHORES, Calif. 23-JUL-2008 01:40 PM |
Integrated, Next Generation Access Management
Related News Releases
Oracle Expert Blogs
Podcasts, Webcasts and Videos
About Oracle Identity Management
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Monday, July 21, 2008
Washington Metropolitan Area Transit Authority
Metro accidentally published the Social Security numbers of past and present employees on its Web site. The numbers were posted with a solicitation to companies for workers' compensation and risk management services.
July 15, 2008
Weber Law Firm
Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston. Box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more were found in the dumpster.
Missouri National Guard
The Missouri National Guard has called for a criminal investigation after it learned that the personal information of as many as 2,000 soldiers had been breached. The Guard would not release how the personal information had been taken -- whether by computer hackers or other means -- because it has asked for a full law enforcement investigation into the matter.
University of Texas at Austin
The personal information of University of Texas students and faculty has been exposed on the Internet. An independent watchdog discovered more than five dozen files containing confidential graduate applications, test scores, and Social Security numbers. The files were inadvertently posted by at least four different UT professors to a file server for the School of Biological Sciences.
July 16, 2008
Greensboro Gynecology Associates
A backup tape of patient information was stolen from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members.
Indiana State University
A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen. The laptop contained data for students who took economics classes from 1997 through the spring semester 2008. The information includes names, grades, e-mail addresses and student identification numbers and in some cases Social Security numbers.
July 17, 2008
A backup computer-data tape containing employees' personal information, including Social Security numbers, was stolen recently. The backup data tape was stolen while being transported from a storage facility. The information on the tapes included names, addresses, dates of birth, Social Security numbers and marital status, and in some cases bank-account information. Data for some employees' family members also were on the tape.
University of Maryland
University of Maryland accidentally released the addresses and Social Security numbers of thousands of students. A brochure with on-campus parking information was sent by U.S. Mail to students. The University discovered the labels on the mailing had the students' Social Security numbers on it.
People ask me security questions on a daily basis. I’d like to share some of those conversations with you all. Here are a few interesting recent questions I’ve received.
Q1: Some security researchers claim that mutual authentication solutions are vulnerable to “Man in the Middle” attacks. I’m wondering if OAAM could also be compromised this way, or if you have other safeguards that make it stronger. Check out this article http://news.cnet.com/8301-10784_3-9776757-7.html
A1: Yes, this particular MITM discussion comes up whenever a security guy is attending an OAAM presentation. The basic issue is that a shared secret solution such as the personalization features of OAAM virtual devices (image, phrase and time stamp) are intended to combat mass phishing attacks not MITM. This is not a deficiency as long as a solution does not stop there. This fortunately is not an issue for OAAM because personalization is only one small feature of the product as opposed to some other products that make mutual authentication the primary feature. Personalization serves its purpose but to stop MITM other OAAM features are needed. To best illustrate how OAAM can prevent MITM here is an example scenario. I'm using banking for the example because many MITM attacks focus on banking applications but this could be extended to any type of application.
For example: The MyBank banking site allows their customers to do money transfers online. Money transfers are a favorite target of MITM attacks. Generally a MITM attack will wait for a user to login and submit a transfer request. At that moment the software will alter the receiving account number and dollar amount before it reaches the bank application. Basically this allows them to transfer money to their own account. One simple way to stop this is to protect the to account number so it cannot be altered.
A user flow might go as follows:
1. User logs in successfully
2. User navigates to the transfer page
3. User selects the account to transfer from
4. User enters the transfer receiving account number using a PinPad virtual device
5. User enters the dollar amount and clicks submit
Since the receiving account number is not sent over the wire in an understandable form it cannot be altered by the MITM so the fraud is prevented.
In addition to this of course there is the Adaptive Risk Manager watching for anomalies in behavior to prevent MITM and other types of attacks while they are being attempted.
Q2: I’ve seen a number of interesting new authentication products. One in particular uses categories of images mapped to characters that are used in the creation of a one-time use password. The user memorizes categories then matches images shown to those categories then figures out what their OTP is then authenticate with it. Will OAAM include similar methods in future releases?
A2: There are many unique attempts at authentication solutions. Over the last few years we have developed and experimented with many different unique approaches in our labs. Some have worked and some others have not been as successful. In my experience solutions that have an overly complex user experience, such as you describe, will have a lot of user issues resulting in costly call center activity. This is why even the most technically complex OAAM virtual authentication devices are easy to operate. An important concept to keep in mind when thinking through these issues is that authentication alone is not enough to stop sophisticated attacks such as MITM. Even traditional strong authentication methods such a hardware tokens and biometrics when working alone cannot stop MITM. Notice that many of the authentication only products do not say they can stop MITM. They say things like "man in the middle attacks are hindered". I'm not sure what that means but their solution won't stop the scenario I describe above. This is precisely the reason we developed both components of OAAM to be a complete solution.
Q3: What is your take on CAPTCHAs. I was just reading an article on just how compromised they have become:
But I was intrigued by a link in the article to a 3-D based CAPTCHA that may prove invulnerable to the bots (for now).
A3: The 3D CAPTCHA is an interesting take on the idea. The purpose of a CAPTCHA of course is to prevent navigation of a process by automated means such as a bot. OAAM virtual devices actually offer CAPTCHA like capabilities but from the opposite direction. CAPTCHA attempts to prevent a bot from "reading" a temporary code by hiding it in a 2D or 3D image. A KeyPad or PinPad virtual device prevents a bot from entering a credential/code because the automated process does not know how to figure out where the keys are in the image and how to navigate a mouse to click on them. We actually have a customer that is using the PinPad virtual device in the classic role of a CAPTCHA, to secure their new account registrations. Most customers however get this capability as part of the total solution and don’t even think about it in these terms. Of course the most powerful way to stop automated bot type activity is a complete solution that includes use of the virtual devices, multifactor authentication and risk analytics.
Monday, July 14, 2008
Clark County Nevada District Court
A contracted vendor released personal information on about 380 potential jurors to an employee's private e-mail address. The information provided to the e-mail account could have included names, addresses, Social Security numbers and birth dates.
July 7, 2008
Florida Agency for Health Care Administration
A security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their Social Security numbers. Other data included donors' names, addresses, birth dates and driver license numbers.
July 8, 2008
Hackers potentially got their hands on clients unencrypted names, addresses and Social Security numbers. Hackers compromised the logon passwords of 14 financial advisers and four assistants.
July 9, 2008
Wichita Radiological Group
A former employee stole patient records before being fired from the Wichita Radiological Group. Tens of thousands of patient records were in the database could have been compromised.
Wagner Resource Group
Sometime late last year, an employee of a McLean investment firm used the online file-sharing network LimeWire. In doing so, he inadvertently opened the private files of his firm to the public. That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
Division of Motor Vehicles Colorado
The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers
July 10, 2008
Williamson County (TN) Schools
Social Security numbers and other personal information of 4,000 children were posted on the Internet.
July 11, 2008
US Army Fort Lewis
A laptop computer that was reported stolen from an Army employee’s truck contained personal information on about 800 to 900 Fort Lewis soldiers. A 17-year-old Lacey boy faces a charge of suspicion of possession of stolen property after Tumwater police uncovered items from vehicle prowls, including a stolen Army laptop containing information about up to 900 Fort Lewis soldiers.
Sunday, July 13, 2008
Due to the many possible download locations, there is no simple answer to any such questions. Hence, I decided to post a guide to finding all OAM 10.1.4.x component packages.
OAM 10.1.4.0.1 base installers can be downloaded here:
- In the row marked "Oracle Access Manager".
OAM 10.1.4.2.0 patchset (latest version as of this post) can be downloaded here:
Metalink Patch Number 5957301
- Make sure to select the appropriate platform.
Index of all OAM 10.1.4.x 3rd Party Packages including webgates and connectors is here:
- At the bottom of the page labeled as "Index of Released Oracle Access Manager 10.1.4 3rd Party Packages (PDF)" or use this direct link here.
- The index lists all the package names and download locations of all OAM 10.1.4.x 3rd party packages. The last column labeled as "Link" states the download locations.
- If the download location indicates something like IBM CD2 or Linux CD1, please go to the following link http://www.oracle.com/technology/software/products/ias/htdocs/101401.html and look in the row "Oracle Access Manager - 3rd Party Integration".
- If the download location indicates "Oracle Access Manager CDs", then the package is bundled with the OAM 10.1.4.0.1 base installers. Download location for the base installers is listed above.
- If the download location indicates Patch
, please log into Oracle's metalink here https://metalink.oracle.com. In the Quick Find section choose "Patch Number" and enter the patch number as indicated in the index PDF.
- Please note that the index will be updated regularly as new packages are released.
Monday, July 7, 2008
Texas Department of Public Safety
The personal information of 826 state employees was stolen from a Wichita Falls home office. Notices are in the mail to inform the hundreds of victims that their names, home addresses, dates of birth, driver's license and Social Security numbers are in the hands of criminals.
June 27, 2008
Hackers extracted stolen information from an online database that held credit card account information.
July 2, 2008
Due to a breach by an unauthorized person in the information systems, there is a possibility that some personal information, such as name, address, date of birth, Social Security number, and reason for coming to Baptist Health. No information in the patient’s “medical records” and no information about the patient’s diagnosis or prognosis was accessed.
University of Nebraska at Kearney
Officials at the University of Nebraska at Kearney discovered a security breach involving nine university computers. Of the nine computers involved, five contained names and partial or complete Social Security numbers.