Cash is King
Who’s Wearing Your Crown?
Accounting Systems Fraud in the Digital Age
Tom Eston and Spencer McIntyre
DerbyCon 2013
Agenda
• Introduction to Accounting Fraud
• Microsoft Dynamics Great Plains
– Vulnerabilities and Attack Vectors
• Attacking the Users of Dynamics GP
• Fraud with Custom Malware (Mayhem)
• The Attacks: How to Commit Fraud
• Accounting Controls to Prevent Fraud
• Conclusions
About Your Presenters
Tom Eston
• Manager, SecureState Attack & Defense Team
• OWASP Contributor
• SANS Mentor, Community Instructor
• Security Blogger/Researcher: Spylogic.net
• Podcast Co-host: Social Media Security Podcast
• Speaker: Black Hat, DEF CON, ShmooCon,
DerbyCon, SANS, MSI, OWASP AppSec
Spencer McIntyre
• SecureState Security Researcher, Exploit Developer
• Open Source Contributor:
– Metasploit
– Scapy
– SQLMap
– Killerbee
• Speaker: Black Hat Europe, DerbyCon, Toorcon, ThotCon, B-Sides
Office Space ©1999 Twentieth Century Fox
$ PROFIT $
Who Wants to Create Mayhem?
• “Office Space” IRL (In Real Life)
• Install virus (via floppy disk), infect accounting
system, shave off a fraction of a penny of each
transaction, check account balance, profit!
• Except…we’re not missing any decimal points!
Introduction to Accounting Fraud
When We Break In
• Penetration Testers and Attackers do this every day!
• Low hanging fruit
(Tomcat/JBoss, Weak Passwords, MS08-067)
• Easy to evade technical security controls
• Find the most sensitive data
– Passwords, SSNs, PCI data, PHI, Proprietary
• Screenshot, Report, Profit, Repeat
• Nothing new here…
Photo Credit: http://cosine-security.blogspot.com/2011/10/derbycon-retrospective.html
What If?
• We could demonstrate real business risk?
• Typically this is financial risk and hits the
bottom line of an organization
• Attack the accounting and financial systems
• We could test the non-technical accounting
controls (not like an “audit”)
Technical Controls 101
• Confidentiality
• Integrity
• Availability
Technical controls can only go so far.
When they fail (and they will) what do you rely on?
Characteristics of Useful
Accounting Information
• Relevant
• Reliable
• Consistent
• Comparable
• Accurate
• Timely
The Problem?
• Accounting controls may not be in place
– Or properly implemented
• Limited resources
• Limited skill set
• Limited time
It’s very unlikely that accounting departments
are reconciling every account each month!
Traditional Accounting Fraud
• Insider Embezzlement
• Overstating Profits
• External Check Fraud
• Insider Fraud
– Kickback schemes, skimming, sales fraud, etc.
Primary Control: Reconciling Bank Accounts
Accounting Fraud Examples
"What I did in my youth is hundreds of times
easier today. Technology breeds crime."
- Frank Abagnale
Microsoft Dynamics Great Plains
So sorry…
You belong to Microsoft now.
What?
Microsoft Dynamics GP
• One of the most popular accounting systems
in the world for medium to large size
businesses
• Microsoft purchased GP from Great Plains
Software for $1.1 Billion in 2000
• Written in Dexterity specifically for GP
• As of 2013: 43,000 companies in the world
use GP
Microsoft Dynamics GP - Users
• No Windows Authentication (Active Directory)
integration available (out of the box)
– User accounts are created, managed and stored
by SQL Server
• SQL Server “SA” account is the most powerful
• DYNSA is the database owner of all the GP databases; GP uses
it for privileged actions so that SA is not needed for
day-to-day work
• Regular user accounts perform daily actions
Microsoft Dynamics GP
• Uses “client-server” architecture
• Application runs on the client, not the server
• Web application front end just introduced this year
Locating the GP Systems and Database
System Naming Conventions
• Conduct DNS or NETBIOS queries
• Network shares with GP client installation
• Typical names we’ve found on networks:
– GP
– GP-PORTAL
– DYNAMICS
– DYNAMICS_DB
– GREAT PLAINS
– ACCOUNTING
– FINANCE
Additional Recon
• Most critical: the GP SQL Server
• Other systems include:
– The GP client applications (user workstations)
– GP Business Portal (SharePoint)
• Company Intranet
– Usually reveals GP and/or accounting system
documentation
• Network Shares
– Sometimes the GP application is shared on the SQL
server!
Attack Vectors in GP
Vulnerabilities in GP
• DoS and remote overflow vulnerabilities in GP
version 9 and lower
• Weak cipher for the system password (2010)
– Microsoft’s position was that this is not a real issue
• Typical SQL Server vulnerabilities and
misconfigurations
– Example: Local Administrator group added to the
“sysadmin” role on the SQL Server
Attacks to Commit Fraud
• #1 Gain access to the GP SQL database directly
• #2 GP user account hijack from the client
• #3 Process injection via custom malware on
the client
Attacking the Database
• Goal: Modify and create GP database entries
to commit fraud
• Easy with direct access to the SQL server
• One problem…
• How do we know what to modify to commit
the fraud?
GP Table Naming Conventions
• GP tables are not named with good descriptions…
• There is good news though!
GP Table Prefix Identification
Credit: Leslie Vail
http://dynamicsconfessions.blogspot.com/2012/05/data-flow-and-table-names.html
GP Table Identifiers
• Put the module prefix together with the numeric identifier to
determine the table function (00xxx = master/setup,
10xxx = work, 20xxx = open, 30xxx = history)
• PM10000 = Payables Management transaction Work table
Attacking the GP User
Who to Target?
• Accounting Department Users
• Controller
• Bookkeeper
• CFO
• The Accountant
The Goal
• Compromise the user’s workstation
– GP application is installed there!
• GP login and password
• Compromise other workstations, pivot to the
accounting users
• Create backdoor into the user’s workstation(s)
Example Scenario
• Harvest accounting department usernames
and emails via LinkedIn
• Create targeted phishing email
• Link to download malicious attachment
– “Click here to install the latest GP patch!”
• Mayhem ensues…
(more on this in a minute)
Creating the Perfect Fraud
via Custom Malware
Introducing: Mayhem Malware
• Proof of Concept code created by Spencer
McIntyre of the SecureState Research &
Innovation Team
– Full integration with Metasploit / Meterpreter
• https://github.com/zeroSteiner/metasploit-framework/tree/project-mayhem
How Mayhem Works
• Uses function hooking and library injection to
execute within the context of the GP frontend
• Goal: Open a channel back to the attacker so
commands can be made via the GP frontend
• Mayhem is injected at runtime and hijacks the
legitimate ODBC handle from memory
• No installation or administrative rights
required
How Mayhem Works
1. Start with Meterpreter Session Opened
2. Run install module to infect Dynamics
3. Wait for user to trigger any kind of database
activity
4. Use copied handle from step #3 to execute
evil SQL queries
5. PROFIT!
How Mayhem Works
• Mayhem creates hooks in key locations
– Most important: SQLAllocStmt in ODBC32.dll
• Mayhem monitors this and then allows
injection of SQL commands into the database
as the authenticated user
• A named pipe is opened on the local system
for meterpreter to communicate with
– Conceptually similar to mimikatz
Mayhem Demo
• What we’re going to demo today
– Infecting Dynamics
– Creating a new “evil” vendor
– Paying our vendor
– Creating chaos
• All demos are using MS Dynamics GP 10
Mayhem Demo
Next Step
• Not everything is Dynamics specific
• Execute arbitrary SQL Queries
Next Step
• Retrieve ODBC credentials
The Attacks:
How Fraud Can be Committed
Manipulating Existing Vendor Records’
Remit-To Address (in GP)
Manipulating Existing Vendor Records’
Remit-To Address (in SQL Server)
Increase Customer Credit Limit
CREDTLMT (Credit Limit) in PM00200 (the payables vendor
master, keyed by VENDORID):
0 – No Credit, 1 – Unlimited, 2 – Amount
Credit Balance in Customer Account,
Get a Refund
Other Fraud Attacks
• Mass Steal Banking Information
• Mass Steal Credit Card Data
• Payroll Information (Includes SSNs)
• Access or Modify Private Financial Records
What about Oracle or SAP?
• Yes, we can attack other ERP systems!
• If the system uses ODBC, you can hijack these
transactions using an attack tool like Mayhem
• You need intimate knowledge of other ERP
systems and how they work
– Highlights the internal threat…
Accounting Controls to Prevent Fraud
Bank Reconciliation
• Timing is everything
• Bank reconciliation compares the bank
balance with the book balance monthly
Accounting Controls
• Matching Cleared Checks to Paid Invoices
• “Positive Pay”
• Matching Address on Check to Address on
Invoice
• Process for Adding Vendors to System
• Customer On-Boarding Process
• Confirmation of Vendor Banking Information
• Account Reconciliations
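The controls listed above can be exercised mechanically against the checkbook register and the bank statement. What follows is an added example, not code from this deck, from Mayhem or from SecureState: it reconciles a constructed book register against a constructed bank statement, flags items that cleared for a different amount or payee than was issued (the check positive pay performs), and flags checks paid to a vendor whose remit-to address was changed without going through the vendor change process. The record layouts, field names and sample month are assumptions for illustration, not GP tables or a bank’s positive-pay file format.

```python
"""Bank reconciliation and positive-pay style checks (added example).

Record layouts and the sample data are constructed for illustration; they are
not GP tables or a bank's positive-pay file format.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BookCheck:
    """A check issued from the checkbook: the book side."""
    check_no: str
    amount_cents: int
    vendor_id: str
    payee: str          # payee name as printed on the check
    issued: date


@dataclass(frozen=True)
class BankItem:
    """An item that cleared on the monthly bank statement."""
    check_no: str
    amount_cents: int
    payee: str          # payee as the bank paid it
    cleared: date


@dataclass(frozen=True)
class RemitChange:
    """A change to a vendor's remit-to address in the vendor master."""
    vendor_id: str
    changed: date
    approved: bool      # True only if it went through the vendor change process


# Constructed sample month.
BOOK = [
    BookCheck("1001", 125_000, "ACME", "Acme Corp", date(2013, 9, 3)),
    BookCheck("1002", 98_050, "INITECH", "Initech Supply", date(2013, 9, 12)),
    BookCheck("1003", 40_000, "GLOBEX", "Globex Inc", date(2013, 9, 27)),
]
BANK = [
    BankItem("1001", 125_000, "Acme Corp", date(2013, 9, 9)),
    BankItem("1002", 98_050, "Mayhem LLC", date(2013, 9, 16)),   # payee altered
    BankItem("1004", 200_000, "Cash", date(2013, 9, 20)),        # never issued
]
REMIT_CHANGES = [
    RemitChange("ACME", date(2013, 8, 1), approved=True),
    RemitChange("INITECH", date(2013, 9, 10), approved=False),  # silent DB edit
]


def reconcile(book, bank):
    """Compare book to bank by check number.

    Returns (outstanding, unissued, mismatched): checks we issued that have not
    cleared, items the bank paid that we never issued (external check fraud),
    and checks that cleared for a different amount or payee than we issued
    (what positive pay would have rejected)."""
    book_by_no = {c.check_no: c for c in book}
    bank_by_no = {b.check_no: b for b in bank}
    outstanding = sorted(set(book_by_no) - set(bank_by_no))
    unissued = sorted(set(bank_by_no) - set(book_by_no))
    mismatched = [
        no for no in sorted(set(book_by_no) & set(bank_by_no))
        if book_by_no[no].amount_cents != bank_by_no[no].amount_cents
        or book_by_no[no].payee.casefold() != bank_by_no[no].payee.casefold()
    ]
    return outstanding, unissued, mismatched


def unapproved_remit_payments(book, changes):
    """Checks issued to a vendor after an unapproved remit-to change.

    This is the remit-to manipulation attack seen from the control side: the
    payment itself looks legitimate, so it is only caught by tying the vendor
    change process to the payment run."""
    flagged = []
    for c in book:
        if any(ch.vendor_id == c.vendor_id and not ch.approved and ch.changed <= c.issued
               for ch in changes):
            flagged.append((c.check_no, c.vendor_id))
    return flagged


if __name__ == "__main__":
    outstanding, unissued, mismatched = reconcile(BOOK, BANK)
    print("outstanding:", outstanding)             # ['1003']
    print("paid but never issued:", unissued)      # ['1004']
    print("amount/payee mismatch:", mismatched)    # ['1002']
    print("unapproved remit-to:", unapproved_remit_payments(BOOK, REMIT_CHANGES))
```

Matching on check number alone is deliberate: the altered check 1002 still carries the right number and amount, so it is the payee comparison, not the totals, that catches it, which is why a month-end balance that “ties out” is not by itself evidence that nothing was stolen.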
Conclusions
What about Technical Controls?
• Never discount “Defense-in-Depth”
• All it takes is for one control to fail!
– GP, SQL server, user permissions/roles, security
awareness, antivirus, IDS, incident response
• This is why the accounting controls are more
important to implement
What Can ERP Vendors Do?
• Do what the gaming community is doing
• “Self-defending” software
• Valve is a great example
– Valve Anti-Cheat (VAC)
• Enterprise software is way behind on this!
• Implement internal fraud and alerting
mechanisms
– Banks use these techniques to detect fraud as it
happens
Final Thoughts
• It is possible to perpetrate fraud against the
accounting system from the outside
• Fraud is much easier for an insider
• Combine malware with legitimate entries =
perfect crime
• Combination of technical and accounting
controls are required to combat modern fraud
More Information
• See our White Paper for details on other
attacks:
– http://bit.ly/mayhem-whitepaper
• Spencer’s Mayhem Metasploit Modules:
– https://github.com/zeroSteiner/metasploit-framework/tree/project-mayhem
Appendix: SQL Queries
-- Get useful info about the checkbooks (CM00100 = checkbook master)
SELECT CHEKBKID, DSCRIPTN, BANKID, CURNCYID, BNKACTNM,
       STR(CURRBLNC, 19, 5) AS CURRBLNC
FROM CM00100;
-- Give vendor "MAYHEM" unlimited credit (CREDTLMT: 0 = no credit, 1 = unlimited, 2 = amount)
UPDATE PM00200 SET CREDTLMT = 1 WHERE VENDORID = 'MAYHEM';
-- Get sensitive info from payroll (UPR00100 = employee master)
SELECT FRSTNAME, MIDLNAME, LASTNAME, SOCSCNUM, BRTHDATE, EMPLOYID, JOBTITLE
FROM UPR00100;
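Whether the attacker has direct access to the SQL Server or is driving the hijacked ODBC handle through Mayhem, the credit-limit change on the “Increase Customer Credit Limit” slide and the appendix UPDATE above arrive at the database as ordinary statements from an authenticated session, so the GP client and its user roles never see anything unusual. A change audit at the database layer does. The following is an added example, not from this deck or the Mayhem project: a SQLite stand-in for PM00200 carrying only the columns the deck names (VENDORID, CREDTLMT) plus an assumed VENDNAME, with triggers that record vendor creation and real credit-limit changes, after which it runs the appendix UPDATE and lists what the audit caught. The VENDOR_AUDIT table and trigger syntax are SQLite and are assumptions for illustration; the T-SQL equivalent on SQL Server differs. An attacker holding SA can disable or empty such an audit, which is why the bank-side controls remain the backstop.

```python
"""Database-side change audit for the vendor master (added example, SQLite).

Stand-in schema: PM00200 with VENDORID and CREDTLMT as on the deck, plus an
assumed VENDNAME column. VENDOR_AUDIT and the triggers are assumptions for
illustration; GP has no such table and T-SQL trigger syntax differs.
"""
import sqlite3

SCHEMA = """
CREATE TABLE PM00200 (
    VENDORID TEXT PRIMARY KEY,
    VENDNAME TEXT NOT NULL,
    CREDTLMT INTEGER NOT NULL   -- 0 = no credit, 1 = unlimited, 2 = amount
);
CREATE TABLE VENDOR_AUDIT (
    id INTEGER PRIMARY KEY,
    VENDORID TEXT NOT NULL,
    col TEXT NOT NULL,          -- column changed, or 'INSERT' for a new vendor
    old_val TEXT,
    new_val TEXT,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- A new vendor row, however it was created, goes into the audit log.
CREATE TRIGGER audit_vendor_insert AFTER INSERT ON PM00200
BEGIN
    INSERT INTO VENDOR_AUDIT (VENDORID, col, old_val, new_val)
    VALUES (NEW.VENDORID, 'INSERT', NULL, NEW.VENDNAME);
END;
-- Only real changes of the credit limit are logged; a same-value UPDATE is noise.
CREATE TRIGGER audit_credtlmt AFTER UPDATE OF CREDTLMT ON PM00200
WHEN OLD.CREDTLMT IS NOT NEW.CREDTLMT
BEGIN
    INSERT INTO VENDOR_AUDIT (VENDORID, col, old_val, new_val)
    VALUES (NEW.VENDORID, 'CREDTLMT', OLD.CREDTLMT, NEW.CREDTLMT);
END;
"""

# Constructed baseline vendors; both have a set credit amount (CREDTLMT = 2).
BASELINE = [("ACME", "Acme Corp", 2), ("INITECH", "Initech Supply", 2)]


def open_db() -> sqlite3.Connection:
    """In-memory database with the stand-in schema, baseline vendors, empty audit."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO PM00200 VALUES (?, ?, ?)", BASELINE)
    db.execute("DELETE FROM VENDOR_AUDIT")  # the baseline load is not a finding
    db.commit()
    return db


def run_attack(db: sqlite3.Connection) -> None:
    """The deck's two moves issued as plain SQL, as a direct DB attacker or
    Mayhem (through the hijacked ODBC handle) would issue them."""
    db.execute("INSERT INTO PM00200 VALUES ('MAYHEM', 'Mayhem LLC', 0)")
    # Appendix query: give vendor "MAYHEM" unlimited credit.
    db.execute("UPDATE PM00200 SET CREDTLMT=1 WHERE VENDORID='MAYHEM'")
    # Legitimate same-value update: must not produce an audit row.
    db.execute("UPDATE PM00200 SET CREDTLMT=2 WHERE VENDORID='ACME'")
    db.commit()


def audit_rows(db: sqlite3.Connection) -> list:
    """Everything the triggers recorded, oldest first."""
    return db.execute(
        "SELECT VENDORID, col, old_val, new_val FROM VENDOR_AUDIT ORDER BY id"
    ).fetchall()


def findings(db: sqlite3.Connection) -> list:
    """Alert conditions from the audit log: any vendor created directly in the
    table, and any credit limit raised to 1 (unlimited)."""
    return db.execute(
        """
        SELECT VENDORID, col, old_val, new_val FROM VENDOR_AUDIT
        WHERE col = 'INSERT'
           OR (col = 'CREDTLMT' AND CAST(new_val AS INTEGER) = 1)
        ORDER BY id
        """
    ).fetchall()


if __name__ == "__main__":
    conn = open_db()
    run_attack(conn)
    for row in findings(conn):
        print("ALERT", row)
```

The alert on vendor creation is the database-level form of the “process for adding vendors” control: a vendor that appears in the master without a matching on-boarding record was added by someone talking to SQL Server directly, which is exactly the first step of the demo.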
Questions?
• Tom Eston
teston@securestate.com
Twitter: @agent0x0
Blog: Spylogic.net
• Spencer McIntyre
smcintyre@securestate.com
Twitter: @zerosteiner
• Who wants military-grade bottle openers?
– Come up front

Social Zombies: Rise of the Mobile Dead
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
Social Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and UncensoredSocial Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and Uncensored
 
Social Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More BrainsSocial Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More Brains
 
Enterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence GatheringEnterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence Gathering
 
Staying Safe & Secure on Twitter
Staying Safe & Secure on TwitterStaying Safe & Secure on Twitter
Staying Safe & Secure on Twitter
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-Middle
 
Rise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network BotsRise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network Bots
 
Information Gathering With Maltego
Information Gathering With MaltegoInformation Gathering With Maltego
Information Gathering With Maltego
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core Impact
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit Framework
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security Assessments
 
Online Social Networks: 5 threats and 5 ways to use them safely
Online Social Networks: 5 threats and 5 ways to use them safelyOnline Social Networks: 5 threats and 5 ways to use them safely
Online Social Networks: 5 threats and 5 ways to use them safely
 

Recently uploaded

UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 

Recently uploaded (20)

UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 

Cash is King: Who's Wearing Your Crown?

1. Cash is King: Who's Wearing Your Crown?
Accounting Systems Fraud in the Digital Age
Tom Eston and Spencer McIntyre
DerbyCon 2013

2. Agenda
• Introduction to Accounting Fraud
• Microsoft Dynamics Great Plains
  – Vulnerabilities and Attack Vectors
• Attacking the Users of Dynamics GP
• Fraud with Custom Malware (Mayhem)
• The Attacks: How to Commit Fraud
• Accounting Controls to Prevent Fraud
• Conclusions

4. Tom Eston
• Manager, SecureState Attack & Defense Team
• OWASP Contributor
• SANS Mentor, Community Instructor
• Security Blogger/Researcher: Spylogic.net
• Podcast Co-host: Social Media Security Podcast
• Speaker: Black Hat, DEF CON, ShmooCon, DerbyCon, SANS, MSI, OWASP AppSec

5. Spencer McIntyre
• SecureState Security Researcher, Exploit Developer
• Open Source Contributor: Metasploit, Scapy, SQLMap, Killerbee
• Speaker: Black Hat Europe, DerbyCon, Toorcon, ThotCon, B-Sides

Slides 6–10: Office Space ©1999 Twentieth Century Fox (film stills; slide 10 adds "$ PROFIT $")

11. Who Wants to Create Mayhem?
• "Office Space" IRL (In Real Life)
• Install virus (via floppy disk), infect accounting system, shave off a fraction of a penny of each transaction, check account balance, profit!
• Except… we're not missing any decimal points!

13. When We Break In
• Penetration Testers and Attackers do this every day!
• Low hanging fruit (Tomcat/JBoss, Weak Passwords, MS08-067)
• Easy to evade technical security controls
• Find the most sensitive data
  – Passwords, SSNs, PCI data, PHI, Proprietary
• Screenshot, Report, Profit, Repeat
• Nothing new here…

15. What If?
• We could demonstrate real business risk?
• Typically this is financial risk and hits the bottom line of an organization
• Attack the accounting and financial systems
• We could test the non-technical accounting controls (not like an "audit")

16. Technical Controls 101
• Confidentiality
• Integrity
• Availability
Technical controls can only go so far. When they fail (and they will), what do you rely on?

17. Characteristics of Useful Accounting Information
• Relevant
• Reliable
• Consistent
• Comparable
• Accurate
• Timely

18. The Problem?
• Accounting controls may not be in place
  – Or not properly implemented
• Limited resources
• Limited skill set
• Limited time
It's very unlikely that accounting departments are reconciling every account each month!

19. Traditional Accounting Fraud
• Insider Embezzlement
• Overstating Profits
• External Check Fraud
• Insider Fraud
  – Kickback schemes, skimming, sales fraud, etc.
Primary Control: Reconciling Bank Accounts

21. "What I did in my youth is hundreds of times easier today. Technology breeds crime." - Frank Abagnale

24. So sorry… You belong to Microsoft now.

26. Microsoft Dynamics GP
• One of the most popular accounting systems in the world for medium to large size businesses
• Microsoft purchased GP from Great Plains Software for $1.1 Billion in 2000
• Written in Dexterity, a development environment built specifically for GP
• As of 2013: 43,000 companies in the world use GP

27. Microsoft Dynamics GP - Users
• No Windows Authentication (Active Directory) integration available out of the box
  – User accounts are created, managed and stored by SQL Server
• The SQL Server "sa" account is the most powerful
• DYNSA owns all the GP databases and performs privileged actions in GP without the sa account
• Regular user accounts perform daily actions

28. Microsoft Dynamics GP
• Uses a "client-server" architecture
• The application runs on the client, not the server
• A web application front end was just introduced this year

29. Locating the GP Systems and Database

30. System Naming Conventions
• Conduct DNS or NetBIOS queries
• Network shares with the GP client installation
• Typical names we've found on networks:
  – GP
  – GP-PORTAL
  – DYNAMICS
  – DYNAMICS_DB
  – GREAT PLAINS
  – ACCOUNTING
  – FINANCE

31. Additional Recon
• Most critical: the GP SQL Server
• Other systems include:
  – The GP client applications (user workstations)
  – GP Business Portal (SharePoint)
• Company intranet
  – Usually reveals GP and/or accounting system documentation
• Network shares
  – Sometimes the GP application is shared from the SQL server itself!

33. Vulnerabilities in GP
• DoS and remote overflow vulnerabilities in GP version 9 and lower
• Weak cipher for the system password (2010)
  – Debunked by Microsoft (not considered a real issue)
• Typical SQL Server vulnerabilities and misconfigurations
  – Example: the local Administrators group added to the "sysadmin" role on the SQL Server

34. Attacks to Commit Fraud
• #1 Gain access to the GP SQL database directly
• #2 GP user account hijack from the client
• #3 Process injection via custom malware on the client

35. Attacking the Database
• Goal: Modify and create GP database entries to commit fraud
• Easy with direct access to the SQL server
• One problem…
• How do we know what to modify to commit the fraud?

36. GP Table Naming Conventions
• GP tables are not named with good descriptions…
• There is good news though!

37. GP Table Prefix Identification
Credit: Leslie Vail, http://dynamicsconfessions.blogspot.com/2012/05/data-flow-and-table-names.html

38. GP Table Identifiers
• Put the prefix with the identifier to determine the table function
• PM1000 = Payables Management Work Table
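The prefix-plus-identifier convention on slides 37 and 38 is mechanical enough to script. The following is an added example written for this page, not code from the talk or from Dynamics GP: it decodes GP physical table names of the form the appendix queries (PM00200, CM00100, UPR00100) into module and data-flow role, and buckets a list of names (for instance a dump of INFORMATION_SCHEMA.TABLES) so the master and open tables worth looking at can be found without reading every cryptic name. The module map covers only the three prefixes the talk actually queries and is assumed to be extended by the reader; the slide shows one row of the series digit convention (1 = Work), the remaining rows are the standard GP convention. The sample table list is constructed.

```python
import re
from collections import defaultdict

# Module prefixes used by the tables the talk queries (appendix slide 68).
# Assumption: extend this map for the other GP modules in your company database.
MODULES = {
    "CM": "Checkbook Management",
    "PM": "Payables Management",
    "UPR": "US Payroll",
}

# First digit of the numeric identifier = the table's role in the GP data flow.
# The slide shows the Work series (PM1xxxx); the other rows are the standard
# GP convention.
SERIES = {
    "0": "Master",   # PM00200 vendor master, CM00100 checkbook master, UPR00100 employee master
    "1": "Work",     # unposted batches
    "2": "Open",     # posted but still open, e.g. unpaid invoices
    "3": "History",  # posted and closed
    "4": "Setup",
}

# Physical names are <PREFIX><digits>; the appendix uses five digits, the slide
# abbreviates to four, so both are accepted.
TABLE_RE = re.compile(r"^(?P<prefix>[A-Z]+)(?P<ident>\d{4,5})$")


def decode_table(name):
    """Return (module, series, identifier) for a GP table name, or None when
    the name does not follow the prefix+number convention (custom tables,
    views, third-party products)."""
    m = TABLE_RE.match(name.upper())
    if m is None:
        return None
    prefix, ident = m.group("prefix"), m.group("ident")
    module = MODULES.get(prefix, "unknown module " + prefix)
    series = SERIES.get(ident[0], "unknown series")
    return module, series, ident


def group_by_series(names):
    """Bucket table names (e.g. a dump of INFORMATION_SCHEMA.TABLES) by
    (module, series).  Master tables are where vendor, checkbook and employee
    records live; Work/Open tables hold the transactions in flight."""
    groups = defaultdict(list)
    for name in names:
        decoded = decode_table(name)
        key = ("unparsed", "") if decoded is None else decoded[:2]
        groups[key].append(name)
    return dict(groups)


# Constructed sample in the shape of a GP company database's table list.
SAMPLE_TABLES = ["PM00200", "PM10000", "PM20000", "PM30200",
                 "CM00100", "UPR00100", "CustomAudit01"]

if __name__ == "__main__":
    for table in SAMPLE_TABLES:
        print(table, decode_table(table))
    for key, tables in sorted(group_by_series(SAMPLE_TABLES).items()):
        print(key, tables)
```

Run against a real table list, the "unparsed" bucket is worth a look too: third-party add-ons and custom tables do not follow the convention and are often where integrations cache credentials.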
40. Who to Target?
• Accounting Department Users
• Controller
• Bookkeeper
• CFO
• The Accountant

41. The Goal
• Compromise the user's workstation
  – The GP application is installed there!
• GP login and password
• Compromise other workstations, pivot to the accounting users
• Create a backdoor into the user's workstation(s)

42. Example Scenario
• Harvest accounting department usernames and emails via LinkedIn
• Create a targeted phishing email
• Link to download a malicious attachment
  – "Click here to install the latest GP patch!"
• Mayhem ensues… (more on this in a minute)

43. Creating the Perfect Fraud via Custom Malware

44. Introducing: Mayhem Malware
• Proof of Concept code created by Spencer McIntyre of the SecureState Research & Innovation Team
  – Full integration with Metasploit / Meterpreter
• https://github.com/zeroSteiner/metasploit-framework/tree/project-mayhem

45. How Mayhem Works
• Uses function hooking and library injection to execute within the context of the GP frontend
• Goal: Open a channel back to the attacker so commands can be issued via the GP frontend
• Mayhem is injected at runtime and hijacks the legitimate ODBC handle from memory
• No installation or administrative rights required

46. How Mayhem Works
1. Start with a Meterpreter session open
2. Run the install module to infect Dynamics
3. Wait for the user to trigger any kind of database activity
4. Use the handle copied in step 3 to execute evil SQL queries
5. PROFIT!

47. How Mayhem Works
• Mayhem creates hooks in key locations
  – Most important: ODBC32.SQLAllocStmt
• Mayhem monitors this call and then allows injection of SQL commands into the database as the authenticated user
• A named pipe is opened on the local system for Meterpreter to communicate with
  – Conceptually similar to mimikatz

48. Mayhem Demo
• What we're going to demo today
  – Infecting Dynamics
  – Creating a new "evil" vendor
  – Paying our vendor
  – Creating chaos
• All demos are using MS Dynamics GP 10

50. Next Step
• Not everything is Dynamics specific
• Execute arbitrary SQL queries

51. Next Step
• Retrieve ODBC credentials

52. The Attacks: How Fraud Can be Committed

53. Manipulating Existing Vendor Records' Remit-To Address (in GP)

54. Manipulating Existing Vendor Records' Remit-To Address (in SQL Server)

55. Increase Customer Credit Limit

56. Increase Customer Credit Limit
CREDTLMT (Credit Limit) in PM00200: 0 – No Credit, 1 – Unlimited, 2 – Amount
(PM00200 is the Payables Management vendor record, keyed by VENDORID; the appendix query uses the same column to give the "MAYHEM" vendor unlimited credit.)

57. Credit Balance in Customer Account, Get a Refund

58. Other Fraud Attacks
• Mass steal banking information
• Mass steal credit card data
• Payroll information (includes SSNs)
• Access or modify private financial records

59. What about Oracle or SAP?
• Yes, we can attack other ERP systems!
• If the system uses ODBC, you can hijack these transactions using an attack tool like Mayhem
• You need intimate knowledge of other ERP systems and how they work
  – Highlights the internal threat…

60. Accounting Controls to Prevent Fraud

61. Bank Reconciliation
• Timing is everything
• Bank reconciliation compares the bank balance with the book balance monthly

62. Accounting Controls
• Matching cleared checks to paid invoices
• "Positive Pay"
• Matching the address on the check to the address on the invoice
• Process for adding vendors to the system
• Customer on-boarding process
• Confirmation of vendor banking information
• Account reconciliations
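The controls on slides 61 and 62 are the ones that catch the remit-to manipulation of slides 53/54 and the "evil vendor" of the demo once the technical controls have failed, and most of them can be run as a script over three exports a controller already has. The following is an added example written for this page, not part of the talk and not reading Dynamics GP tables: it takes the approved vendor master, the checks the book says were issued (which doubles as the positive-pay file), and the items the bank reports as cleared, and emits one finding per control that fails. All record types, field names and sample rows are this example's own constructed data, not GP column names or real payments.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Vendor:
    """Approved vendor record (the output of the vendor on-boarding process)."""
    vendor_id: str
    name: str
    remit_to: str         # remit-to address approved at on-boarding
    bank_confirmed: bool  # banking details confirmed with the vendor out of band
    approved: bool        # vendor went through the on-boarding process


@dataclass(frozen=True)
class Check:
    """One payment the book says was issued; also the positive-pay file sent to the bank."""
    number: str
    vendor_id: str
    payee: str
    amount: Decimal
    remit_to: str          # address printed on the check (from the vendor record)
    invoice_remit_to: str  # address on the invoice being paid


@dataclass(frozen=True)
class Cleared:
    """One item the bank reports as presented and paid."""
    number: str
    payee: str
    amount: Decimal


def reconcile(vendors, issued, cleared):
    """Run the controls from slides 61/62 and return (control, check_number, detail) findings."""
    findings = []
    vendors_by_id = {v.vendor_id: v for v in vendors}
    issued_by_no = {c.number: c for c in issued}
    cleared_by_no = {c.number: c for c in cleared}

    for chk in issued:
        vendor = vendors_by_id.get(chk.vendor_id)
        # Process for adding vendors: payment to a vendor that never went through on-boarding
        # (a record inserted straight into the vendor master looks exactly like this).
        if vendor is None or not vendor.approved:
            findings.append(("unapproved_vendor", chk.number, chk.vendor_id))
        # Confirmation of vendor banking information
        if vendor is not None and not vendor.bank_confirmed:
            findings.append(("unconfirmed_bank_info", chk.number, chk.vendor_id))
        # Matching address on check to address on invoice
        if chk.remit_to != chk.invoice_remit_to:
            findings.append(("check_invoice_address_mismatch", chk.number, chk.remit_to))
        # Remit-to on the check differs from the approved record: the slide 53/54 attack
        if vendor is not None and chk.remit_to != vendor.remit_to:
            findings.append(("remit_to_changed", chk.number,
                             vendor.remit_to + " -> " + chk.remit_to))

    # Positive pay: the bank should only honour items present in the issued file
    for item in cleared:
        chk = issued_by_no.get(item.number)
        if chk is None:
            findings.append(("positive_pay_unknown_check", item.number, item.payee))
        elif chk.amount != item.amount or chk.payee != item.payee:
            findings.append(("positive_pay_mismatch", item.number,
                             "%s %s vs %s %s" % (chk.payee, chk.amount, item.payee, item.amount)))

    # Bank reconciliation: book total of cleared checks must equal what the bank paid out
    book_cleared = sum((c.amount for c in issued if c.number in cleared_by_no), Decimal("0"))
    bank_paid = sum((c.amount for c in cleared), Decimal("0"))
    if book_cleared != bank_paid:
        findings.append(("bank_recon_difference", "", str(bank_paid - book_cleared)))
    return findings


# Constructed sample data (not real vendors, checks or bank records).
VENDORS = [
    Vendor("V001", "Acme Office Supply", "100 Main St, Louisville KY", True, True),
    # Inserted directly into the vendor master by the attacker; never on-boarded.
    Vendor("MAYHEM", "Mayhem LLC", "PO Box 666, Nowhere", False, False),
]
ISSUED = [
    Check("1001", "V001", "Acme Office Supply", Decimal("1250.00"),
          "100 Main St, Louisville KY", "100 Main St, Louisville KY"),
    # The vendor record's remit-to was changed before this check run.
    Check("1002", "V001", "Acme Office Supply", Decimal("4800.00"),
          "PO Box 9999, Anywhere", "100 Main St, Louisville KY"),
    Check("1003", "MAYHEM", "Mayhem LLC", Decimal("9990.00"),
          "PO Box 666, Nowhere", "PO Box 666, Nowhere"),
]
CLEARED = [
    Cleared("1001", "Acme Office Supply", Decimal("1250.00")),
    Cleared("1003", "Mayhem LLC", Decimal("9990.00")),
    Cleared("1004", "Cash", Decimal("500.00")),  # never issued by the book
]


def run_controls():
    return reconcile(VENDORS, ISSUED, CLEARED)


if __name__ == "__main__":
    for control, number, detail in run_controls():
        print("%-32s check %-5s %s" % (control, number, detail))
```

Note what each input catches: the remit-to change is invisible to the bank (the check is genuine and clears), so only the address-matching control sees it; the never-on-boarded vendor pays out cleanly too, and only the vendor-approval and bank-confirmation controls flag it; the bank reconciliation catches the item the book never issued. That is why the talk treats these controls as a set rather than relying on the monthly bank balance alone.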
64. What about Technical Controls?
• Never discount "Defense-in-Depth"
• All it takes is for one control to fail!
  – GP, SQL Server, user permissions/roles, security awareness, antivirus, IDS, incident response
• This is why the accounting controls are more important to implement

65. What Can ERP Vendors Do?
• Do what the gaming community is doing
• "Self-defending" software
• Valve is a great example
  – Valve Anti-Cheat (VAC)
• Enterprise software is way behind on this!
• Implement internal fraud detection and alerting mechanisms
  – Banks use these techniques to detect fraud as it happens

66. Final Thoughts
• It is possible to perpetrate fraud against the accounting system from the outside
• Fraud is much easier for an insider
• Combine malware with legitimate entries = the perfect crime
• A combination of technical and accounting controls is required to combat modern fraud

67. More Information
• See our White Paper for details on other attacks:
  – http://bit.ly/mayhem-whitepaper
• Spencer's Mayhem Metasploit modules:
  – https://github.com/zeroSteiner/metasploit-framework/tree/project-mayhem

68. Appendix: SQL Queries

-- Get useful info about the checkbooks (CM00100: Checkbook Master)
SELECT CHEKBKID, DSCRIPTN, BANKID, CURNCYID, BNKACTNM,
       str(CURRBLNC, 19, 5) AS CURRBLNC
FROM CM00100;

-- Give vendor "MAYHEM" unlimited credit
-- (CREDTLMT in PM00200: 0 = No Credit, 1 = Unlimited, 2 = Amount)
UPDATE PM00200 SET CREDTLMT=1 WHERE VENDORID='MAYHEM';

-- Get sensitive info from payroll (UPR00100: Employee Master)
SELECT FRSTNAME, MIDLNAME, LASTNAME, SOCSCNUM, BRTHDATE, EMPLOYID, JOBTITLE
FROM UPR00100;

69. Questions?
• Tom Eston
  teston@securestate.com
  Twitter: @agent0x0
  Blog: Spylogic.net
• Spencer McIntyre
  smcintyre@securestate.com
  Twitter: @zerosteiner
• Who wants military-grade bottle openers?
  – Come up front