The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
hat is “in-memory” platform? Usually DBMS rely on disk to store their data but today they are solutions which store data in memory. Why? Memory is cheap today, there is an increase amount of data to process and performance is a key. Well-known solutions are Oracle, SQLserver and SAP HANA.
Ezequiel’s research focused on SAP HANA. The solution is based on many components (DB, HTTP server) and provide a nice attack surface. This is a blended architecture. Instead of an application using a DB connection with limited (or unrestricted) access, the application is the same as the database user. User privileges should be restricted at the DB level. This changes the impact of classic attacks:
SQLi are restricted to the user privileges (better)
XSS is more powerful (bad)
After the introduction, some attack vectors against HANA were reviewed. About SQL injections, HANA has a nice feature: history tables. If the user does not delete it, the information remains available! XSS attacks were reviewed as well as integration with the R-Server.
SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
Pen Testing SAP Critical Information ExposedOnapsis Inc.
The world's largest organizations process huge amounts of critical information. This information is essential for the proper functioning of your business processes. The systems responsible for administering and managing these processes are called ERP and SAP ERP is the most used ERP by large companies.
An attacker would perform acts of fraud, sabotage or espionage on one of these companies focusing its efforts on vulnerable systems and get direct access to the most critical and sensitive business information.
In this talk we will work backwards to see the different stages and attacks that could be performed to compromise a SAP system without any prior knowledge about the target and credentials to access the same system. Thus, by developing penetration testing, we can help companies solve problems and mitigate risk. All demo’s will be performed using open-source tools such as Onapsis Bizploit - the first ERP Penetration Testing framework. This will allow attendees to apply their knowledge to make these assessments in their companies.
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
This presentation will highlight three attack vectors targeting SAP.
- SAP Portal Header Authentication
- Verb Tampering
- Abuse of JAVA Core Services
You will learn techniques to mitigate these threats.
Attacks Based on Security ConfigurationsOnapsis Inc.
Many large companies, as well as large government and defense organizations, have something in common: they rely on SAP platforms to process their business critical processes and information. Because of the sensitive nature of the information stored in these complex implementations, they are quickly becoming an attractive target for cyber-criminals looking to perform espionage, sabotage or financial fraud attacks by gaining access to the organizations’ crown jewels.
Securing these large and complex SAP implementations can be an ongoing, complicated and pain-staking task which requires specialized SAP security knowledge. This task encompasses managing the SoD process, patch (Security Note) management and implementation, analyzing interfaces and configuring the systems properly and securely (among many other things). One of the first and most important steps in starting the process of securing SAP implementations is the need to configure SAP application servers in a secure way. This task is not easy, as a SAP system has hundreds of different configurations which can be modified and a wrong setting or combination of settings can introduce large amounts of risk.
During this presentation, Onapsis CTO, Juan Perez-Etchegoyen explained some of the risks a default or insecure setting could introduce to the whole SAP infrastructure. You will see real life examples of these misconfigurations, and the threats introduced by them through several live demos. He will also explain how organizations can begin a process of securely configuring these systems.
The document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like systems, instances, clients and remote function calls. It then discusses the need for penetration testing business applications due to lack of security during implementations. The document outlines the phases of SAP penetration testing: discovery to find SAP targets, exploration to gather information, and vulnerability assessment to identify security threats.
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
The major organizations worldwide run their businesses thanks to the (Enterprise Resource Planning) ERP systems. In order to comply with government regulations, the anti-fraud laws, and specific industry requirements (such as NERC, PCI or HIPAA) security practices are usually confined to implement segregation of duties and access control users.
In recent years, attacks based on vulnerabilities and technical weaknesses in the implementation of ERP systems have gained a lot of attention. These revealed a wide range of surfaces attacks unexplored so far that are available for attackers to take advantage of. The ERP market is well defined and divided among a few players who provide ERP solutions to hundreds of government, military agencies and companies in a variety of industries.
In this talk, we will discuss the attack surface exposed by increased distribution ERP systems, and will conduct several live demonstrations of attacks that you will see if you run an ERP Penetration Test. We will focus on systems critical to the business world ERP: SAP, Oracle Siebel and Oracle JD Edwards. Analyze how it is possible for attackers, through exploiting technical vulnerabilities, aim your attack on the crown jewels and the most critical process of victims organizations, resulting in espionage, sabotage and financial fraud.
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
hat is “in-memory” platform? Usually DBMS rely on disk to store their data but today they are solutions which store data in memory. Why? Memory is cheap today, there is an increase amount of data to process and performance is a key. Well-known solutions are Oracle, SQLserver and SAP HANA.
Ezequiel’s research focused on SAP HANA. The solution is based on many components (DB, HTTP server) and provide a nice attack surface. This is a blended architecture. Instead of an application using a DB connection with limited (or unrestricted) access, the application is the same as the database user. User privileges should be restricted at the DB level. This changes the impact of classic attacks:
SQLi are restricted to the user privileges (better)
XSS is more powerful (bad)
After the introduction, some attack vectors against HANA were reviewed. About SQL injections, HANA has a nice feature: history tables. If the user does not delete it, the information remains available! XSS attacks were reviewed as well as integration with the R-Server.
SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
Pen Testing SAP Critical Information ExposedOnapsis Inc.
The world's largest organizations process huge amounts of critical information. This information is essential for the proper functioning of your business processes. The systems responsible for administering and managing these processes are called ERP and SAP ERP is the most used ERP by large companies.
An attacker would perform acts of fraud, sabotage or espionage on one of these companies focusing its efforts on vulnerable systems and get direct access to the most critical and sensitive business information.
In this talk we will work backwards to see the different stages and attacks that could be performed to compromise a SAP system without any prior knowledge about the target and credentials to access the same system. Thus, by developing penetration testing, we can help companies solve problems and mitigate risk. All demo’s will be performed using open-source tools such as Onapsis Bizploit - the first ERP Penetration Testing framework. This will allow attendees to apply their knowledge to make these assessments in their companies.
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
This presentation will highlight three attack vectors targeting SAP.
- SAP Portal Header Authentication
- Verb Tampering
- Abuse of JAVA Core Services
You will learn techniques to mitigate these threats.
Attacks Based on Security ConfigurationsOnapsis Inc.
Many large companies, as well as large government and defense organizations, have something in common: they rely on SAP platforms to process their business critical processes and information. Because of the sensitive nature of the information stored in these complex implementations, they are quickly becoming an attractive target for cyber-criminals looking to perform espionage, sabotage or financial fraud attacks by gaining access to the organizations’ crown jewels.
Securing these large and complex SAP implementations can be an ongoing, complicated and pain-staking task which requires specialized SAP security knowledge. This task encompasses managing the SoD process, patch (Security Note) management and implementation, analyzing interfaces and configuring the systems properly and securely (among many other things). One of the first and most important steps in starting the process of securing SAP implementations is the need to configure SAP application servers in a secure way. This task is not easy, as a SAP system has hundreds of different configurations which can be modified and a wrong setting or combination of settings can introduce large amounts of risk.
During this presentation, Onapsis CTO, Juan Perez-Etchegoyen explained some of the risks a default or insecure setting could introduce to the whole SAP infrastructure. You will see real life examples of these misconfigurations, and the threats introduced by them through several live demos. He will also explain how organizations can begin a process of securely configuring these systems.
The document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like systems, instances, clients and remote function calls. It then discusses the need for penetration testing business applications due to lack of security during implementations. The document outlines the phases of SAP penetration testing: discovery to find SAP targets, exploration to gather information, and vulnerability assessment to identify security threats.
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
The major organizations worldwide run their businesses thanks to the (Enterprise Resource Planning) ERP systems. In order to comply with government regulations, the anti-fraud laws, and specific industry requirements (such as NERC, PCI or HIPAA) security practices are usually confined to implement segregation of duties and access control users.
In recent years, attacks based on vulnerabilities and technical weaknesses in the implementation of ERP systems have gained a lot of attention. These revealed a wide range of surfaces attacks unexplored so far that are available for attackers to take advantage of. The ERP market is well defined and divided among a few players who provide ERP solutions to hundreds of government, military agencies and companies in a variety of industries.
In this talk, we will discuss the attack surface exposed by increased distribution ERP systems, and will conduct several live demonstrations of attacks that you will see if you run an ERP Penetration Test. We will focus on systems critical to the business world ERP: SAP, Oracle Siebel and Oracle JD Edwards. Analyze how it is possible for attackers, through exploiting technical vulnerabilities, aim your attack on the crown jewels and the most critical process of victims organizations, resulting in espionage, sabotage and financial fraud.
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
Distributed Object or Remote Method Invocation (RMI) frameworks facilitate the remote invocation of methods and creation of objects between systems. Conceptually RMI frameworks are similar to Remote Procedure Call (RPC) platforms. A main difference is that in RMI the client and the server work with the entire object lifecycle (i.e. creation, destruction) whereas RPC is typically limited to remote methods or procedures. RMI frameworks are interesting because they provide a remote method for object manipulation. Even though Web Services have taken the lead as the de-facto technology for communication in distributed applications, RMI frameworks are still widely used in many applications. Almost every programming language has support for one or, usually, more RMI frameworks. The proliferation of this technology made RMI interfaces very common among all sorts of software, especially across Enterprise Applications, and constitute a fruitful vector from an attacker's point of view. In this presentation we will discuss the architecture, security features and new vulnerabilities we have detected in two implementations of popular Enterprise RMI frameworks: CORBA and SAP RMI-P4. Through live demonstrations, we will demonstrate novel techniques for remote file read/write, arbitrary database access, session hijacking, and other critical bugs in large enterprise platforms, as well as the countermeasures in order to protect from these threats. We will walk you through the vulnerability research process we performed over these frameworks, enabling you to understand also how these attacks could be extended to other RMI implementations you may encounter.
Highway to Production Securing the SAP TMSOnapsis Inc.
In all SAP implementations there are numerous reasons why organizations would need to make changes and updates; from changes to legislation and compliance mandates to business growth and process evolution. The Transport Management System (TMS) is the backbone for properly executing these changes across a landscape (Dev, QA, PROD, etc). If TMS is not properly secured, a malicious attacker could initiate disruptive and negatively impactful changes to Productive systems.
In this presentation we will explain the main components and capabilities of TMS. We will then detail specific ways in which organizations can increase the protection of their SAP platforms by gaining visibility to the risks and securing TMS.
The presentation is based on the research contained in the latest SAP Security In-Depth publication: SAP TMS: A Highway to Production.
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
Companies nowadays are choosing in between on-premise, cloud and hybrid deployment models. The common factor across all these scenarios is the underlying platform, used in the background to run all on-premise and cloud-based applications developed by SAP. This platform is called SAP HANA, which is an in-memory database and application server, that serves an increasing number of business applications, providing cutting edge features and performance.
Vulnerabilities affecting SAP HANA have now an increased attack surface, as these could be abused to compromise many diverse deployments and many customers, if the customers are not properly taking care of this risks.
Join us on this presentation to learn about diverse attack vectors affecting current SAP solutions, on-premise and cloud-based. You will not only learn technical details about these vulnerabilities, but also understand how to prevent and detect attacks to our crown jewels, running on HANA.
- SAP systems are critical to many large businesses but contain inherent vulnerabilities that could allow backdoors to be installed.
- Several technical vulnerabilities in SAP systems and their databases could allow an attacker to gain high privileges and modify code, including the authentication process.
- Onapsis has developed a tool called Integrity Analyzer for SAP that can detect modifications to SAP code that may indicate backdoors, as it is difficult to detect them from within the compromised SAP system itself. Regular monitoring and security assessments are needed to minimize risks.
This document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like instances, clients, transactions, ABAP, and authorization. It then discusses why SAP penetration testing is important to identify security weaknesses before attackers can exploit them. The document outlines the phases of a penetration test including discovery of SAP systems on a network, exploration of systems to gather information, vulnerability assessment, and exploitation of vulnerabilities. It provides an example case study of assessing security of an SAProuter. The presentation emphasizes that many SAP implementations have default insecure configurations and a penetration test can help secure systems by finding vulnerabilities.
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerOnapsis Inc.
Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
Unbreakable oracle er_ps_siebel_jd_edwardsOnapsis Inc.
After a brief introduction into ERP systems such as Oracle Siebel and JD Edwards this presentation will cover attack scenarios that these systems are faced with.
5 real ways to destroy business by breaking SAP applicationsERPScan
This document discusses security risks related to SAP applications. It describes 5 ways that business applications can be broken into, including espionage, sabotage, and fraud. Specific risks discussed include theft of credit card data from SAP's SD module, and compromise of competitive bidding information from the SRM module. The document advocates for security measures like configuration checks, access controls and code scanning to help defend against attacks.
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
The document discusses security vulnerabilities in SAP web applications. It describes how attackers can identify SAP components and versions through server banners and error messages. Some SAP web services like the "Info Service" are publicly accessible by default and return sensitive system information without authentication. Most SAP web services require authentication but have weak authorization checks by default, allowing authenticated users to execute many functionalities without proper authorization. The document provides recommendations to disable server banners, customize error pages, and strengthen authorization checks for SAP web services.
This document discusses security vulnerabilities in SAP systems. It notes that many SAP systems have non-web services exposed that could allow remote access. It also details how passwords are sometimes stored insecurely in SAP shortcuts, log files, and database tables, allowing attackers to gain access to systems and steal sensitive data. The document recommends steps companies can take to prevent such vulnerabilities, like patching systems, not storing passwords in shortcuts, and using more secure authentication methods.
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
SAP provides various business solutions including CRM, ERP, PLM, and SCM. It consists of integrated modules running on the Netweaver platform across multiple operating systems. While SAP systems store centralized information and communicate across systems, they are often not configured securely by default and the RFC interface presents a key vulnerability. Proper user access controls, password policies, database restrictions, patching, and network monitoring are needed to secure SAP systems from vulnerabilities and resulting business and financial losses.
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
This document discusses security risks associated with enterprise resource planning (ERP) systems like SAP. It begins by noting how critical ERP systems are for large companies and the vast number of customers that major ERP vendors have. It then provides examples of security risks like espionage, sabotage and fraud that can occur in ERP modules like materials management. Specific vulnerabilities that could allow manipulating materials prices or blocking materials posting are described. The document emphasizes that while examples focus on SAP, the risks apply to all major ERP systems.
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
The document discusses incident response and SAP systems. It begins with an overview of Onapsis Inc. and the backgrounds of Juan Perez-Etchegoyen and Sergio Abraham. It then covers incident response concepts, including detection and classification of incidents, affected assets, legal actions, and impact analysis. The remainder provides an example case study of employee salaries being leaked and the analysis steps taken to investigate the incident.
SAP security landscape. How to protect(hack) your(their) big businessERPScan
This document discusses security risks related to SAP applications. It describes ERPScan, a company that provides SAP security monitoring. It then discusses two specific risks: 1) Credit card data theft, where attackers could access encrypted credit card data stored in SAP tables. 2) Competitive intelligence risks, where attackers could access bidding information in SAP SRM to unfairly underbid competitors. The document emphasizes that SAP systems are complex, customized, and rarely updated, making them vulnerable to attacks.
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
This document discusses cyber attacks against SAP systems. It notes that while many organizations focus on segregation of duties controls for SAP security, the underlying business infrastructure is also vulnerable. The number of reported vulnerabilities in SAP systems has risen dramatically in recent years. The document outlines some of the external and internal threats facing SAP implementations, and reports that penetration tests conducted by the author's company routinely found major security issues in over 95% of SAP systems evaluated, leaving them exposed to espionage and sabotage attacks.
Distributed Object or Remote Method Invocation (RMI) frameworks facilitate the remote invocation of methods and creation of objects between systems. Conceptually RMI frameworks are similar to Remote Procedure Call (RPC) platforms. A main difference is that in RMI the client and the server work with the entire object lifecycle (i.e. creation, destruction) whereas RPC is typically limited to remote methods or procedures. RMI frameworks are interesting because they provide a remote method for object manipulation. Even though Web Services have taken the lead as the de-facto technology for communication in distributed applications, RMI frameworks are still widely used in many applications. Almost every programming language has support for one or, usually, more RMI frameworks. The proliferation of this technology made RMI interfaces very common among all sorts of software, especially across Enterprise Applications, and constitute a fruitful vector from an attacker's point of view. In this presentation we will discuss the architecture, security features and new vulnerabilities we have detected in two implementations of popular Enterprise RMI frameworks: CORBA and SAP RMI-P4. Through live demonstrations, we will demonstrate novel techniques for remote file read/write, arbitrary database access, session hijacking, and other critical bugs in large enterprise platforms, as well as the countermeasures in order to protect from these threats. We will walk you through the vulnerability research process we performed over these frameworks, enabling you to understand also how these attacks could be extended to other RMI implementations you may encounter.
Highway to Production Securing the SAP TMSOnapsis Inc.
In all SAP implementations there are numerous reasons why organizations would need to make changes and updates; from changes to legislation and compliance mandates to business growth and process evolution. The Transport Management System (TMS) is the backbone for properly executing these changes across a landscape (Dev, QA, PROD, etc). If TMS is not properly secured, a malicious attacker could initiate disruptive and negatively impactful changes to Productive systems.
In this presentation we will explain the main components and capabilities of TMS. We will then detail specific ways in which organizations can increase the protection of their SAP platforms by gaining visibility to the risks and securing TMS.
The presentation is based on the research contained in the latest SAP Security In-Depth publication: SAP TMS: A Highway to Production.
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
Companies nowadays are choosing in between on-premise, cloud and hybrid deployment models. The common factor across all these scenarios is the underlying platform, used in the background to run all on-premise and cloud-based applications developed by SAP. This platform is called SAP HANA, which is an in-memory database and application server, that serves an increasing number of business applications, providing cutting edge features and performance.
Vulnerabilities affecting SAP HANA have now an increased attack surface, as these could be abused to compromise many diverse deployments and many customers, if the customers are not properly taking care of this risks.
Join us on this presentation to learn about diverse attack vectors affecting current SAP solutions, on-premise and cloud-based. You will not only learn technical details about these vulnerabilities, but also understand how to prevent and detect attacks to our crown jewels, running on HANA.
- SAP systems are critical to many large businesses but contain inherent vulnerabilities that could allow backdoors to be installed.
- Several technical vulnerabilities in SAP systems and their databases could allow an attacker to gain high privileges and modify code, including the authentication process.
- Onapsis has developed a tool called Integrity Analyzer for SAP that can detect modifications to SAP code that may indicate backdoors, as it is difficult to detect them from within the compromised SAP system itself. Regular monitoring and security assessments are needed to minimize risks.
This document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like instances, clients, transactions, ABAP, and authorization. It then discusses why SAP penetration testing is important to identify security weaknesses before attackers can exploit them. The document outlines the phases of a penetration test including discovery of SAP systems on a network, exploration of systems to gather information, vulnerability assessment, and exploitation of vulnerabilities. It provides an example case study of assessing security of an SAProuter. The presentation emphasizes that many SAP implementations have default insecure configurations and a penetration test can help secure systems by finding vulnerabilities.
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerOnapsis Inc.
Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
Unbreakable oracle er_ps_siebel_jd_edwardsOnapsis Inc.
After a brief introduction into ERP systems such as Oracle Siebel and JD Edwards this presentation will cover attack scenarios that these systems are faced with.
5 real ways to destroy business by breaking SAP applicationsERPScan
This document discusses security risks related to SAP applications. It describes 5 ways that business applications can be broken into, including espionage, sabotage, and fraud. Specific risks discussed include theft of credit card data from SAP's SD module, and compromise of competitive bidding information from the SRM module. The document advocates for security measures like configuration checks, access controls and code scanning to help defend against attacks.
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
The document discusses security vulnerabilities in SAP web applications. It describes how attackers can identify SAP components and versions through server banners and error messages. Some SAP web services like the "Info Service" are publicly accessible by default and return sensitive system information without authentication. Most SAP web services require authentication but have weak authorization checks by default, allowing authenticated users to execute many functionalities without proper authorization. The document provides recommendations to disable server banners, customize error pages, and strengthen authorization checks for SAP web services.
This document discusses security vulnerabilities in SAP systems. It notes that many SAP systems have non-web services exposed that could allow remote access. It also details how passwords are sometimes stored insecurely in SAP shortcuts, log files, and database tables, allowing attackers to gain access to systems and steal sensitive data. The document recommends steps companies can take to prevent such vulnerabilities, like patching systems, not storing passwords in shortcuts, and using more secure authentication methods.
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
SAP provides various business solutions including CRM, ERP, PLM, and SCM. It consists of integrated modules running on the Netweaver platform across multiple operating systems. While SAP systems store centralized information and communicate across systems, they are often not configured securely by default and the RFC interface presents a key vulnerability. Proper user access controls, password policies, database restrictions, patching, and network monitoring are needed to secure SAP systems from vulnerabilities and resulting business and financial losses.
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
This document discusses security risks associated with enterprise resource planning (ERP) systems like SAP. It begins by noting how critical ERP systems are for large companies and the vast number of customers that major ERP vendors have. It then provides examples of security risks like espionage, sabotage and fraud that can occur in ERP modules like materials management. Specific vulnerabilities that could allow manipulating materials prices or blocking materials posting are described. The document emphasizes that while examples focus on SAP, the risks apply to all major ERP systems.
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
The document discusses incident response and SAP systems. It begins with an overview of Onapsis Inc. and the backgrounds of Juan Perez-Etchegoyen and Sergio Abraham. It then covers incident response concepts, including detection and classification of incidents, affected assets, legal actions, and impact analysis. The remainder provides an example case study of employee salaries being leaked and the analysis steps taken to investigate the incident.
SAP security landscape. How to protect(hack) your(their) big businessERPScan
This document discusses security risks related to SAP applications. It describes ERPScan, a company that provides SAP security monitoring. It then discusses two specific risks: 1) Credit card data theft, where attackers could access encrypted credit card data stored in SAP tables. 2) Competitive intelligence risks, where attackers could access bidding information in SAP SRM to unfairly underbid competitors. The document emphasizes that SAP systems are complex, customized, and rarely updated, making them vulnerable to attacks.
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
This document discusses cyber attacks against SAP systems. It notes that while many organizations focus on segregation of duties controls for SAP security, the underlying business infrastructure is also vulnerable. The number of reported vulnerabilities in SAP systems has risen dramatically in recent years. The document outlines some of the external and internal threats facing SAP implementations, and reports that penetration tests conducted by the author's company routinely found major security issues in over 95% of SAP systems evaluated, leaving them exposed to espionage and sabotage attacks.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNoSuchCon
The document discusses blended web and database attacks on in-memory platforms like SAP HANA, outlining potential threat vectors such as SQL injection, cross-site scripting, integration with R server, and post-exploitation using C/C++. It notes that SAP HANA uses a blended web and database architecture, with code and data stored directly in the database, and that vulnerabilities could allow an attacker to access sensitive business and customer data, disrupt operations, or enable fraud. The presentation covers the architecture of SAP HANA, programming languages used, and how attacks may have a greater impact or different execution compared to traditional web application scenarios.
The interconnected nature of modern business systems means that successful companies with critical business on SAP software must effectively manage exposure to external and internal threats. SAP Enterprise Threat Detection helps you identify the real attacks as they are happening and analyze the threats quickly enough to neutralize them before serious damage occurs. More information: http://scn.sap.com/community/security
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...CODE BLUE
On this presentation, we will raise awareness on how the SAP Internet facing systems are particularly vulnerable to Spyware, Ransomware and Worms due to their inherent complexity.
We will also introduce (for the first time in Asia ) the “Project ARSAP”. This project is a semi-automatic mechanism which main goal is to detect and register all the SAP systems that are exposed to the Internet, extracting the system’s metadata and cataloging the assets in base of their Geo-location, system type, version, installed components and potential risk of compromise.
We will present a brief introduction to SAP, defining its architecture / entry points and explain with great detail the methodology behind the “ARSAP” project.
Then, three different scenarios were malware could strike SAP will be showcased. We will start by recreating a real SAP cyber-attack, where a company got attacked via malicious emails and we will move forward to some other complex techniques that could allow anyone, directly from the Internet to compromise the whole Interfacing SAP system and jump to the adjacent network.
This presentation will have several live demos where the attendees will be able to observe the entire attack workflow. We will conclude the presentation by presenting some suggested remediations and conclusions.
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerOnapsis Inc.
Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Symmetry™
Enterprises today use the cloud for applications all across their IT landscape for tools like email, Salesforce, ServiceNow and more. Cost savings, operational stability, and reduced management effort are all proven advantages. But when we consider moving mission-critical systems at the heart of business such as SAP HANA – there is significant angst and uncertainty among IT and security professionals. Tom Evgey – Director of Cloud, Onapsis and Scott Goolik – VP of Compliance & Security, Symmetry explore various security issues organizations are facing when it comes to SAP HANA cloud deployments. During this presentation, we outline foundational elements and best practices for organizations to follow as they build a comprehensive security program when migrating SAP implementations to the cloud.
This document provides an overview and agenda for a technical presentation on SAP API Management. It discusses key capabilities including unified API access, security, insights and analytics, and developer services. Personas are identified for API designers, administrators, and developers. Components are described including the API portal for design, implementation, management and analytics of APIs, API proxies for abstraction and behavior, and products for grouping APIs. Additional features covered include custom templates, predefined policy templates, OData support, and integration with SAP Cloud Platform.
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...PeterSmetny1
This document discusses securing SAP systems and provides an overview of Fortinet's SAP security solutions. It notes that network security is foundational but SAP security is also important as SAP admins do not secure the network and network admins do not secure SAP. It then outlines Fortinet's SAP security blueprint and describes how the company provides network security, web security, secure access solutions, and a SAP connector to help secure SAP deployments. The document concludes by providing contact information for Fortinet's SAP security team.
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
SCA, if used for finding vulnerabilities also called SAST, is an
important technique for detecting software vulnerabilities already
at an early stage in the software development life-cycle. As such,
SCA is adopted by an increasing number of software vendors.
The wide-spread introduction of SCA at a large software vendor,
such as SAP, creates both technical as well as non-technical
challenges. Technical challenges include high false positive and
false negative rates. Examples of non-technical challenges are the
insufficient security awareness among the developers and managers
or the integration of SCA into a software development life-cycle
that facilitates agile development. Moreover, software is not
developed following a greenfield approach: SAP's security
standards need to be passed to suppliers and partners in the same
manner as SAP's customers begin to pass their security standards
to SAP.
In this paper, we briefly present how the SAP's Central Code
Analysis Team introduced SCA at SAP and discuss open problems in
using SCA both inside SAP as well as across the complete software
production line, i.e., including suppliers and partners.
- DeltaGRiC Consulting is an SAP partner focused on helping organizations detect cybersecurity risks and compliance violations affecting their SAP and Oracle systems using ERPScan Monitoring Suite.
- Traditional approaches to SAP security like segregation of duties matrices are insufficient as advanced attacks are targeting application vulnerabilities. Widespread SAP systems expose critical business data to unauthorized access through vulnerabilities.
- Organizations struggle to effectively manage security risks from unpatched vulnerabilities in complex SAP landscapes that include new technologies like HANA and connections to IoT devices. Continuous monitoring of configurations and vulnerabilities is needed to protect SAP systems.
2309 sap enterprise architecture in the era of sap hana, infrastructure, plat...Dao Van Hang
Three key points about managing security in the new enterprise:
1. A cloud security reference model outlines foundational security controls across areas like governance, identity management, and incident response that need to adapt for the cloud.
2. Security needs to align with each phase of a cloud project - design, deploy, consume - with a focus on secure development during design and workload security during deployment.
3. A cloud security approach should be secure by design, workload driven, and service enabled to build security into cloud resources and govern ongoing security operations.
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineERPScan
SAP is the most popular business application with more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
The presentation provides examples of simple and advanced attacks along with ways to avoid them.
The presentation describes 5 steps you should take to secure your SAP. There are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
The document discusses security issues related to SAP systems and portals. It notes that while SAP is widely used, security vulnerabilities are common due to lack of logging and exposure of services. The document emphasizes that SAP portals deserve attention as they provide a common entry point for attackers and link to other critical systems. Proper monitoring of portals and exposed services is needed to detect attacks and unauthorized access.
SAP Hybris solutions are all about providing a connected front office. But the customer experience can easily get damaged if the data from your business partners or end customers is not secure. With the new EU General Data Protection Regulation (GDPR) coming into effect in May 2018, the need to protect your customers’ data is essential for your business. Learn how to reduce cost by integrating security into your implementation process to be ahead of the curve for future cyberattacks.
sPlatform Security: "Are you really that attached to your ABAP security flaws, or can they go?"
-------------------------------------------------------------------------------------
Attacks on companies have increased exponentially in recent years. Not uncommonly, these were made possible by software vulnerabilities. SAP systems are particularly critical for many core business processes and should receive corresponding protections.
However, you'll only achieve a basic level of security that can weather stress tests and remain consistent if you take a truly head-to-toe approach to security. And that includes your ABAP code. In our experience to date, many companies balk at audits of their custom developments or 3rd-party add-ons, or are unsatisfied with the nearly unmanageable number of findings. How can this mass of supposedly critical security flaws be evaluated reliably? Where do you even start to clean up?
The newest module in our SAST SUITE, the Code Security Advisor, offers a solution. It is directly integrated into your SAP system and has a risk assessment enriched by key figures such as usage statistics for prioritization, an option to easily decommission obsolete code and a comprehensive set of rules with test cases developed by our SAP security and compliance consultants based on their years of experience.
-------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
Similar to Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics (18)
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
10. Over 95% of the SAP systems we
evaluated were exposed to espionage,
sabotage and fraud attacks due to
vulnerabilities in the SAP Application
Layer.
Unlike SoD gaps, attackers do not need access
credentials to exploit this kind of vulnerabilities…
13. Our SAP systems have
never been hacked…
ƒGreat! I’m glad we have
configured the audit trails and
are reviewing the logs…
Audit trails? Logs? What
are you talking about?
We are doomed.
14. On October 30th 2012, Anonymous
claimed intent to exploit SAP systems
They claimed to have broken into the Greek Ministry of Finance
(to be confirmed) and mentioned:
"We have new guns in our arsenal. A sweet 0day
SAP exploit is in our hands and oh boy we're gonna
sploit the hell out of it."