Tuesday, July 29, 2008
Fraud Flash for the week of July 28, 2008
Department of Consumer Affairs
http://www.sacbee.com/111/story/1072332.html
A Consumer Affairs personnel specialist in Sacramento emailed an alpha personnel file containing the names and Social Security numbers of the department's more than 5,000 staff to a personal Yahoo email account at the end of the day on her last day at the department.
July 19, 2008
Minneapolis Veterans Home
http://www.startribune.com/local/25623519.html?location_refer=Homepage:latestNews:4
A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents.
July 23, 2008
San Francisco Human Services Department
http://www.ktvu.com/news/16961916/detail.html
Potentially thousands of files containing personal information were exposed after a San Francisco agency left confidential files in unsecured curbside garbage and recycling bins. In some cases entire case files were discarded. Enlarged copies of Social Security cards, driver's licenses, passports, bank statements and other sensitive personal documents were all left in these unlocked bins.
July 24, 2008
Village of Tinley Park
http://abclocal.go.com/wls/story?section=news/local&id=6284078
Computer backup tapes that contain thousands of Social Security numbers of Tinley Park residents have been lost. The tapes containing information from as long ago as 15 years were lost while being transferred from the village hall to another site within the Chicago suburb.
Saint Mary's Regional Medical Center
http://m.rgj.com/news.jsp?key=88160&rc=lo
An unauthorized person may have accessed a Saint Mary's database. The database, used for Saint Mary's health education classes and wellness programs, contained personal information such as names and addresses, limited health information and some Social Security numbers. It did not contain medical records or credit card information.
Hillsborough Community College
http://www2.tbo.com/content/2008/jul/25/me-monitor-your-bank-account-hcc-employees-warned/
Hillsborough Community College warned its employees to monitor their bank accounts because an HCC programmer's laptop was stolen from a hotel parking lot in Georgia. The programmer had been working on a payroll project for a group of employees using their names, bank-routing numbers, retirement information and Social Security numbers.
University of Houston
http://www.chron.com/disp/story.mpl/ap/tx/5906964.html
The names and Social Security numbers of University of Houston students were inadvertently posted on the Internet for more than two years. The posting occurred when a math department lecturer posted student grades on a UH Web server in October 2005.
July 25, 2008
Ohio University
http://www.cleveland.com/newsflash/index.ssf?/base/news-41/1216994349131870.xml&storylist=cleveland
A clerical error led to the online posting of the names and Social Security numbers of people who spoke at Ohio University's Centers for Osteopathic Research and Education. A spreadsheet containing the information had been accessible since March 20 and was discovered last week when a nurse found it while conducting online research. In addition to names and Social Security numbers, the spreadsheet included contact numbers, addresses, speaking topics and federal employer identification numbers.
July 26, 2008
Connecticut College/Wesleyan University/Trinity College
http://www.courant.com/news/education/hc-cthack0726.artjul26,0,7548347.story
A Connecticut College library system was breached by hackers apparently looking to set up chat rooms or send spam e-mails. The system's database included the names, addresses and Social Security or driver's license numbers of approximately 2,800 Connecticut College library patrons, 12 Wesleyan University patrons and three Trinity College patrons.
Thursday, July 24, 2008
New OAM Webgates Released
- Microsoft Windows 64-bit native ISAPI Webgate
- RHEL 4/5 NPTL enabled 64-bit native Apache 2.2 Webgate
- HPUX 11.23 NSAPI Webgate
- HPUX 11.23 OHS v1.3 Webgate
http://www.oracle.com/technology/software/products/ias/htdocs/101401.html
Wednesday, July 23, 2008
Introducing the Oracle Access Management Suite
Oracle Launches Oracle® Access Management Suite; Accelerates Oracle Fusion Middleware and BEA Product Integration to Advance Delivery of its Application-Centric Identity Management Vision
REDWOOD SHORES, Calif. 23-JUL-2008 01:40 PM
Integrated, Next Generation Access Management
Monday, July 21, 2008
Fraud Flash for the week of July 21, 2008
Washington Metropolitan Area Transit Authority
http://www.washingtoncitypaper.com/blogs/citydesk/2008/07/14/metro-issues-press-release-cues-sad-trombone/
Metro accidentally published the Social Security numbers of past and present employees on its Web site. The numbers were posted with a solicitation to companies for workers' compensation and risk management services.
July 15, 2008
Weber Law Firm
http://www.khou.com/business/stories/khou080711_tj_recordsfound.57f842ba.html
Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston. Box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more were found in the dumpster.
Missouri National Guard
http://www.stltoday.com/stltoday/news/stories.nsf/news/missouristatenews/story/ca0fe7785a2d8471862574870051f7fd?OpenDocument
The Missouri National Guard has called for a criminal investigation after it learned that the personal information of as many as 2,000 soldiers had been breached. The Guard would not release how the personal information had been taken -- whether by computer hackers or other means -- because it has asked for a full law enforcement investigation into the matter.
University of Texas at Austin
http://www.woai.com/content/news/newslinks/story.aspx?content_id=b42b0455-c0d7-4573-9c5a-05b356d314d6
The personal information of University of Texas students and faculty has been exposed on the Internet. An independent watchdog discovered more than five dozen files containing confidential graduate applications, test scores, and Social Security numbers. The files were inadvertently posted by at least four different UT professors to a file server for the School of Biological Sciences.
July 16, 2008
Greensboro Gynecology Associates
http://www.news-record.com/content/2008/07/16/article/security_breach_affects_patients
A backup tape of patient information was stolen from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members.
Indiana State University
http://www.indstate.edu/news/news.php?newsid=1380
A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen. The laptop contained data for students who took economics classes from 1997 through the spring semester 2008. The information includes names, grades, e-mail addresses and student identification numbers and in some cases Social Security numbers.
July 17, 2008
Bristol-Myers Squibb
http://money.cnn.com/news/newsfeeds/articles/djf500/200807171514DOWJONESDJONLINE000844_FORTUNE5.htm
A backup computer-data tape containing employees' personal information, including Social Security numbers, was recently stolen while being transported from a storage facility. The information on the tape included names, addresses, dates of birth, Social Security numbers and marital status, and in some cases bank-account information. Data for some employees' family members was also on the tape.
University of Maryland
http://www.baltimoresun.com/news/education/bal-md.parking19jul19,0,7224140.story
The University of Maryland accidentally released the addresses and Social Security numbers of thousands of students. A brochure with on-campus parking information was sent by U.S. Mail to students; the University then discovered that the mailing labels carried the students' Social Security numbers.
Interesting Authentication Questions
People ask me security questions on a daily basis. I’d like to share some of those conversations with you all. Here are a few interesting recent questions I’ve received.
Q1: Some security researchers claim that mutual authentication solutions are vulnerable to “Man in the Middle” attacks. I’m wondering if OAAM could also be compromised this way, or if you have other safeguards that make it stronger. Check out this article http://news.cnet.com/8301-10784_3-9776757-7.html
A1: Yes, this MITM discussion comes up whenever a security person attends an OAAM presentation. The basic issue is that a shared-secret mechanism such as the personalization features of the OAAM virtual devices (image, phrase and time stamp) is intended to combat mass phishing attacks, not MITM. That is not a deficiency as long as the solution does not stop there, and it is not an issue for OAAM because personalization is only one small feature of the product, whereas some other products make mutual authentication their primary feature. Personalization serves its purpose, but stopping MITM requires other OAAM features. To illustrate how OAAM can prevent MITM, here is an example scenario. I'm using banking because many MITM attacks focus on banking applications, but the same approach extends to any type of application.
For example: the MyBank site lets its customers make money transfers online. Money transfers are a favorite target of MITM attacks. Generally the attack waits for a user to log in and submit a transfer request; at that moment the malicious software alters the receiving account number and dollar amount before the request reaches the bank application, so the money ends up in an account the attacker controls. One simple way to stop this is to protect the receiving ("to") account number so that it cannot be altered in transit.
A user flow might go as follows:
1. User logs in successfully
2. User navigates to the transfer page
3. User selects the account to transfer from
4. User enters the receiving account number using a PinPad virtual device (clicking keys on a server-generated image rather than typing digits)
5. User enters the dollar amount and clicks submit
Because the receiving account number is not sent over the wire in an understandable form, the MITM cannot substitute an account number of its own, and the fraud is prevented.
In addition, the Adaptive Risk Manager watches for anomalies in behavior to detect MITM and other types of attacks while they are being attempted.
Q2: I’ve seen a number of interesting new authentication products. One in particular uses categories of images mapped to characters that are used in the creation of a one-time use password. The user memorizes categories, then matches images shown to those categories, then figures out what their OTP is, then authenticates with it. Will OAAM include similar methods in future releases?
A2: There are many unique attempts at authentication solutions. Over the last few years we have developed and experimented with many different approaches in our labs; some have worked and others have not been as successful. In my experience, solutions with an overly complex user experience, such as the one you describe, generate a lot of user issues and costly call-center activity. This is why even the most technically complex OAAM virtual authentication devices are easy to operate. An important concept to keep in mind is that authentication alone is not enough to stop sophisticated attacks such as MITM. Even traditional strong authentication methods such as hardware tokens and biometrics cannot stop MITM when working alone. Notice that many of the authentication-only products do not claim to stop MITM; they say things like "man in the middle attacks are hindered". I'm not sure what that means, but their solution won't stop the scenario I described above. This is precisely why we developed both components of OAAM as a complete solution.
Q3: What is your take on CAPTCHAs? I was just reading an article on just how compromised they have become:
http://www.computerworld.com.au/index.php/id;489635775
But I was intrigued by a link in the article to a 3-D based CAPTCHA that may prove invulnerable to the bots (for now).
http://spamfizzle.com/CAPTCHA.aspx
A3: The 3D CAPTCHA is an interesting take on the idea. The purpose of a CAPTCHA is to prevent an automated process such as a bot from navigating a workflow. OAAM virtual devices offer CAPTCHA-like capabilities from the opposite direction: a CAPTCHA prevents a bot from "reading" a temporary code by hiding it in a 2D or 3D image, whereas a KeyPad or PinPad virtual device prevents a bot from entering a credential or code, because the automated process does not know where the keys are in the image or how to navigate a mouse to click on them. We actually have a customer using the PinPad virtual device in the classic CAPTCHA role, to secure their new account registrations. Most customers, however, get this capability as part of the total solution and don't think about it in these terms. Of course, the most powerful way to stop automated bot activity is a complete solution that includes the virtual devices, multifactor authentication and risk analytics.
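The PinPad mechanism behind both the transfer flow in A1 and the bot case in A3, as an added simulation. This is constructed example code and not OAAM's own; it assumes the browser submits the positions of the keys the user clicked on a per-session, randomly laid out keypad image, that the attacker (in-path malware or a bot) cannot read that image, and that the layout is stored server-side for one use. Field names, the session store and the sample account numbers are all made up for the example.

```python
"""
Added simulation of the PinPad idea from A1 and A3: the browser submits the
POSITIONS of the keys the user clicked on a per-session, randomly laid out
keypad image, never the digits themselves.  A request-altering MITM, or a bot
that cannot read the image, therefore cannot substitute an account number of
its own choosing.  Constructed example code, not OAAM's; the wire format,
field names and in-memory session store are assumptions.
"""
import secrets

DIGITS = "0123456789"
ATTACKER_ACCOUNT = "987654321"                       # constructed sample value
VICTIM_TRANSFER = {"from_account": "111222333",      # constructed sample value
                   "to_account": "555666777",
                   "amount": "250.00"}


def pinpad_encode(layout, digits):
    """Browser side: the user clicks keys on the image; only key positions leave the browser."""
    return [layout.index(d) for d in digits]


def pinpad_decode(layout, positions):
    """Bank side: map positions back to digits with the layout only the server holds as text."""
    return "".join(layout[p] for p in positions)


class PinPadServer:
    """One randomized key layout per session; layout index == key position on the image.
    The layout reaches the browser only as pixels (assumed opaque to the attacker)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self, forced_layout=None):
        layout = list(DIGITS)
        secrets.SystemRandom().shuffle(layout)
        sid = secrets.token_hex(8)
        self._sessions[sid] = forced_layout or "".join(layout)   # forced_layout: tests only
        return sid

    def layout_for(self, sid):
        return self._sessions[sid]

    def accept_transfer(self, sid, request):
        """Decode the receiving account; the layout is single-use, so a replay is rejected."""
        layout = self._sessions.pop(sid, None)
        if layout is None:
            raise ValueError("unknown or already-used session")
        positions = request["to_account_positions"]
        if not all(isinstance(p, int) and 0 <= p < len(layout) for p in positions):
            raise ValueError("key position outside keypad")
        return {"from_account": request["from_account"],
                "to_account": pinpad_decode(layout, positions),
                # amount is still cleartext: only the field entered via the PinPad is protected
                "amount": request["amount"]}


def naive_accept_transfer(request):
    """Plain HTML form: every field is readable and writable by whatever sits in the path."""
    return dict(request)


def mitm_alter(request):
    """In-path malware rewriting the request after the user clicked submit.  It knows the
    digits of its own account but not the layout, so for the PinPad field its best move is
    to guess the keys are in natural order.  A bot that cannot read the image is in exactly
    the same position."""
    altered = dict(request)
    if "to_account" in altered:
        altered["to_account"] = ATTACKER_ACCOUNT
    if "to_account_positions" in altered:
        altered["to_account_positions"] = [int(d) for d in ATTACKER_ACCOUNT]
    return altered


def run_scenario(forced_layout=None):
    """Return the receiving account the bank would credit in each flow."""
    results = {}
    # 1) Naive form with the MITM present: the substitution succeeds.
    results["naive_attacked"] = naive_accept_transfer(mitm_alter(VICTIM_TRANSFER))["to_account"]

    bank = PinPadServer()
    # 2) PinPad flow, no attacker: the victim's intended account round-trips.
    sid = bank.new_session(forced_layout)
    req = {"from_account": VICTIM_TRANSFER["from_account"], "amount": VICTIM_TRANSFER["amount"],
           "to_account_positions": pinpad_encode(bank.layout_for(sid), VICTIM_TRANSFER["to_account"])}
    results["pinpad_clean"] = bank.accept_transfer(sid, req)["to_account"]

    # 3) PinPad flow with the MITM present: it can mangle the request but not steer funds to itself.
    sid = bank.new_session(forced_layout)
    req["to_account_positions"] = pinpad_encode(bank.layout_for(sid), VICTIM_TRANSFER["to_account"])
    results["pinpad_attacked"] = bank.accept_transfer(sid, mitm_alter(req))["to_account"]

    # 4) Replaying a request against an already-used session is rejected.
    try:
        bank.accept_transfer(sid, req)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two practical notes. The attacked PinPad request does not fail loudly in this model: the attacker's guessed positions decode to an arbitrary account, so a real deployment still wants the usual receiving-account validation and confirmation step to turn that into a visible error rather than a misdirected transfer. And, as the code comments say, only the field entered through the virtual device is protected; the amount typed into an ordinary form field remains alterable, which is why the post pairs the PinPad with risk analytics rather than relying on it alone.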
Monday, July 14, 2008
Fraud Flash for the week of July 14, 2008
Clark County Nevada District Court
http://www.lvrj.com/news/23025969.html
A contracted vendor released personal information on about 380 potential jurors to an employee's private e-mail address. The information provided to the e-mail account could have included names, addresses, Social Security numbers and birth dates.
July 7, 2008
Florida Agency for Health Care Administration
http://www.naplesnews.com/news/2008/jul/07/breach-fla-donor-registry-may-have-exposed-ids/
A security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their Social Security numbers. Other data included donors' names, addresses, birth dates and driver license numbers.
July 8, 2008
LPL Financial
http://www.investmentnews.com/apps/pbcs.dll/article?AID=/20080708/REG/134627256/1094/INDAILY01
Hackers potentially got their hands on clients' unencrypted names, addresses and Social Security numbers after compromising the logon passwords of 14 financial advisers and four assistants.
July 9, 2008
Wichita Radiological Group
http://www.kwch.com/Global/story.asp?S=8643448&nav=menu486_8_18_9
A former employee stole patient records before being fired from the Wichita Radiological Group. Tens of thousands of patient records in the database could have been compromised.
Wagner Resource Group
http://www.washingtonpost.com/wp-dyn/content/article/2008/07/08/AR2008070802997_pf.html
Sometime late last year, an employee of a McLean investment firm used the online file-sharing network LimeWire. In doing so, he inadvertently opened the private files of his firm to the public. That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
Division of Motor Vehicles Colorado
http://www.denverpost.com/news/ci_9822063
The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could still access names, addresses, dates of birth and Social Security numbers.
July 10, 2008
Williamson County (TN) Schools
http://www.wsmv.com/news/16843341/detail.html
Social Security numbers and other personal information of 4,000 children were posted on the Internet.
July 11, 2008
US Army Fort Lewis
http://www.thenewstribune.com/news/local/story/409911.html
A laptop computer reported stolen from an Army employee's truck contained personal information on about 800 to 900 Fort Lewis soldiers. A 17-year-old Lacey boy faces a charge of possession of stolen property after Tumwater police recovered items from vehicle prowls, including the stolen Army laptop.
Sunday, July 13, 2008
Where to Download OAM Components
People often ask where a particular OAM component can be downloaded. Due to the many possible download locations, there is no simple answer, so I decided to post a guide to finding all OAM 10.1.4.x component packages.
OAM 10.1.4.0.1 base installers can be downloaded here:
http://www.oracle.com/technology/software/products/ias/htdocs/101401.html
- In the row marked "Oracle Access Manager".
OAM 10.1.4.2.0 patchset (latest version as of this post) can be downloaded here:
Metalink Patch Number 5957301
- Make sure to select the appropriate platform.
Index of all OAM 10.1.4.x 3rd Party Packages including webgates and connectors is here:
http://www.oracle.com/technology/products/id_mgmt/coreid_acc/index.html
- At the bottom of the page labeled as "Index of Released Oracle Access Manager 10.1.4 3rd Party Packages (PDF)" or use this direct link here.
- The index lists all the package names and download locations of all OAM 10.1.4.x 3rd party packages. The last column labeled as "Link" states the download locations.
- If the download location indicates something like IBM CD2 or Linux CD1, please go to the following link http://www.oracle.com/technology/software/products/ias/htdocs/101401.html and look in the row "Oracle Access Manager - 3rd Party Integration".
- If the download location indicates "Oracle Access Manager CDs", then the package is bundled with the OAM 10.1.4.0.1 base installers. Download location for the base installers is listed above.
- If the download location indicates a patch number, please log into Oracle's MetaLink at https://metalink.oracle.com. In the Quick Find section choose "Patch Number" and enter the patch number as indicated in the index PDF.
- Please note that the index will be updated regularly as new packages are released.
Monday, July 7, 2008
Fraud Flash for the week of July 7, 2008
Texas Department of Public Safety
http://www.kxan.com/Global/story.asp?S=8562199
The personal information of 826 state employees was stolen from a Wichita Falls home office. Notices are in the mail to inform the hundreds of victims that their names, home addresses, dates of birth, driver's license and Social Security numbers are in the hands of criminals.
June 27, 2008
Montgomery Ward
http://www.scmagazineus.com/Mongomery-Wards-online-retail-data-breach/article/111922/
Hackers extracted stolen information from an online database that held credit card account information.
July 2, 2008
Baptist Health
http://www.nwanews.com/adg/News/230290/
Due to a breach of its information systems by an unauthorized person, there is a possibility that some personal information, such as name, address, date of birth, Social Security number, and reason for coming to Baptist Health, was accessed. No information in the patient's "medical records" and no information about the patient's diagnosis or prognosis was accessed.
University of Nebraska at Kearney
http://www.nebraska.tv/Global/story.asp?S=8609047
Officials at the University of Nebraska at Kearney discovered a security breach involving nine university computers. Of the nine computers involved, five contained names and partial or complete Social Security numbers.