The document discusses cybersecurity risks related to SAP systems. It describes two main risks: 1) Credit card data theft, where a hacker could access tables storing unencrypted credit card data in the SD module and steal the data. 2) Competitive intelligence theft through the SRM module, where a competitor could access bidding information to undercut prices unfairly. The document advocates for stronger configuration controls, access management, and patching to help mitigate these risks.
13 real ways to destroy business by breaking company’s SAP applications (ERPScan)
All SAP risks can be divided into three groups: Espionage, Sabotage and Fraud.
The presentation reviews the 13 most dangerous risks any business may face. For every risk, it gives the risk type, the attack scenario, the affected sector, and the vulnerable module.
5 real ways to destroy business by breaking SAP applications (ERPScan)
This document discusses security risks related to SAP applications. It describes 5 ways that business applications can be broken into, including espionage, sabotage, and fraud. Specific risks discussed include theft of credit card data from SAP's SD module, and compromise of competitive bidding information from the SRM module. The document advocates for security measures like configuration checks, access controls and code scanning to help defend against attacks.
Practical SAP pentesting (B-Sides San Paulo) (ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
The presentation provides the list of top 10 SAP vulnerabilities (2011-2012) as well as ways of defense.
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
SAP security landscape. How to protect(hack) your(their) big business (ERPScan)
This document discusses security risks related to SAP applications. It describes ERPScan, a company that provides SAP security monitoring. It then discusses two specific risks: 1) Credit card data theft, where attackers could access credit card data that is stored unencrypted in SAP tables. 2) Competitive intelligence risks, where attackers could access bidding information in SAP SRM to unfairly underbid competitors. The document emphasizes that SAP systems are complex, customized, and rarely updated, making them vulnerable to attacks.
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
Practical SAP pentesting workshop (NullCon Goa) (ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
If I want a perfect cyberweapon, I'll target ERP (ERPScan)
ERP systems are widely used in Oil and Gas, Manufacturing, Logistics, Financials, Nuclear, Retail, Telecommunication and other industries. All mission-critical data is stored in ERP systems, so attacks against them may result in Espionage, Sabotage and Fraud.
The presentation gives examples of real and potential attacks and describes important details of ERP Security.
Alexander Polyakov, CTO of ERPScan, presented this talk at RSA Conference Europe 2013.
If I want a perfect cyberweapon, I'll target ERP - second edition (ERPScan)
This document discusses security risks associated with enterprise resource planning (ERP) systems like SAP. It begins by noting how critical ERP systems are for large companies and the vast number of customers that major ERP vendors have. It then provides examples of security risks like espionage, sabotage and fraud that can occur in ERP modules like materials management. Specific vulnerabilities that could allow manipulating materials prices or blocking materials posting are described. The document emphasizes that while examples focus on SAP, the risks apply to all major ERP systems.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
SAP provides various business solutions including CRM, ERP, PLM, and SCM. It consists of integrated modules running on the NetWeaver platform across multiple operating systems. While SAP systems store centralized information and communicate across systems, they are often not configured securely by default, and the RFC interface is a key weak point. Proper user access controls, password policies, database restrictions, patching, and network monitoring are needed to secure SAP systems against vulnerabilities and the resulting business and financial losses.
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in the NWDI scheme is the Software Deployment Manager (SDM). It is directly connected to the production systems, which is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
SAP Mobile infrastructure consists of multiple systems such as SAP Mobile Platform (formerly Sybase Unwired Platform) also SAP Afaria MDM solution, Sybase SQL Anywhere Database, and hundreds of SAP's mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk highlights how one can hack SAP Mobile.
In this popular platform, we have discovered a lot of typical vulnerabilities - XSS, XXE, hardcoded static encryption keys, and vulnerabilities that are specific to this platform - logic vulnerabilities and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to compromised mobile phones.
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP (ERPScan)
This document discusses vulnerabilities in connecting ERP and ICS systems. It notes that while ERP, ICS, and other business systems need to be connected to share information, these connections can be exploited by attackers to infiltrate corporate networks. The document outlines several ways that vulnerabilities in ERP systems, misconfigurations, unnecessary privileges, and system interconnectivity can be leveraged to access sensitive business data or disrupt operations. It emphasizes that securing these connections and monitoring for security issues is critical for business security and continuity.
Oracle PeopleSoft applications are under attacks (Hack in Paris) (ERPScan)
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes
This document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like instances, clients, transactions, ABAP, and authorization. It then discusses why SAP penetration testing is important to identify security weaknesses before attackers can exploit them. The document outlines the phases of a penetration test including discovery of SAP systems on a network, exploration of systems to gather information, vulnerability assessment, and exploitation of vulnerabilities. It provides an example case study of assessing security of an SAProuter. The presentation emphasizes that many SAP implementations have default insecure configurations and a penetration test can help secure systems by finding vulnerabilities.
Many SAP systems are connected to the Internet and expose sensitive services beyond web applications. Furthermore, the internal network is usually not properly segmented.
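The discovery phase described above starts from a port scan, and the first question is which SAP services an open port belongs to. The following added example (not code from the ERPScan slides) triages a constructed scan result against SAP's documented default port layout, where NN is the two-digit instance number: 32NN dispatcher, 33NN gateway, 36NN message server, 80NN and 443NN ICM HTTP/HTTPS, 5NN00 Java HTTP, 5NN04 P4, 5NN08 Java telnet, 1128/1129 SAP Host Control and 3299 SAProuter. The list of services that should never be Internet-facing is the author's judgement, not a claim from the slides.

```python
"""Triage an external port scan against SAP port conventions.

Added example, not from the ERPScan slides. The scan result in main() is
constructed. Port patterns follow SAP's documented defaults (NN = instance
number, 00-97); NEVER_EXTERNAL is an editorial judgement.
"""
import re

FIXED_PORTS = {1128: "saphostcontrol-http", 1129: "saphostcontrol-https", 3299: "saprouter"}

# (pattern over the decimal port, service name); group 1 captures the instance number
PATTERNS = [
    (re.compile(r"^32(\d\d)$"), "dispatcher"),
    (re.compile(r"^33(\d\d)$"), "gateway"),
    (re.compile(r"^36(\d\d)$"), "message-server"),
    (re.compile(r"^80(\d\d)$"), "icm-http"),
    (re.compile(r"^443(\d\d)$"), "icm-https"),
    (re.compile(r"^5(\d\d)00$"), "java-http"),
    (re.compile(r"^5(\d\d)04$"), "java-p4"),
    (re.compile(r"^5(\d\d)08$"), "java-telnet"),
]

# Services with no legitimate reason to be reachable from the Internet
NEVER_EXTERNAL = {
    "dispatcher", "gateway", "message-server", "java-p4", "java-telnet",
    "saphostcontrol-http", "saphostcontrol-https", "saprouter",
}


def identify(port):
    """Return (service, instance_number) for a known SAP port, else None."""
    if port in FIXED_PORTS:
        return FIXED_PORTS[port], None
    text = str(port)
    for rx, name in PATTERNS:
        m = rx.match(text)
        if m:
            nn = int(m.group(1))
            if nn <= 97:            # 98 and 99 are not valid instance numbers
                return name, nn
    return None


def triage(open_ports):
    """Group recognised services by instance and list those that must not be exposed."""
    by_instance, exposed = {}, []
    for port in sorted(set(open_ports)):
        hit = identify(port)
        if hit is None:
            continue
        service, nn = hit
        by_instance.setdefault(nn, []).append((port, service))
        if service in NEVER_EXTERNAL:
            exposed.append((port, service))
    return by_instance, exposed


if __name__ == "__main__":
    # Constructed scan result for one Internet-facing host
    scan = [22, 443, 1128, 3299, 3300, 3600, 8000, 50000, 50004]
    instances, exposed = triage(scan)
    for nn, services in instances.items():
        print(f"instance {nn}: {services}")
    for port, service in exposed:
        print(f"EXPOSED {port}/tcp {service}: should not be reachable from the Internet")
```

Run it against the port list from a real scan; anything reported as EXPOSED (gateway, message server, P4, Host Control, SAProuter) is the kind of service the text means by "sensitive services beyond Web applications" and belongs behind SAProuter or a firewall, not on the Internet.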
The document discusses security issues related to SAP solutions and introduces ERPScan as an innovative product to help address these issues. It notes that over 2500 security notes have been released for SAP, highlighting growing threats. ERPScan provides integrated assessment of application platform security, ABAP code security, and business logic security. It can monitor SAP servers for vulnerabilities, misconfigurations, critical authorizations, and compliance with standards. The system aims to help automate security checks and reduce costs associated with SAP security problems.
The presentation describes 5 steps you should take to secure your SAP. They are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine (ERPScan)
SAP is the most popular business application with more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
The presentation provides examples of simple and advanced attacks along with ways to avoid them.
The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
Obtained findings were presented at RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.
Forgotten world - Corporate Business Application Systems (ERPScan)
This document discusses penetration testing of enterprise resource planning (ERP) systems. It notes that ERP systems are complex, mission-critical applications that contain sensitive business and financial data. Penetration testing ERP systems requires in-depth knowledge of business processes, custom implementations, and various operating systems, databases, and hardware platforms used. The goal is to identify risks like data exposure or business disruption, not just gaining shell access. Exploits also need to be carefully adapted to avoid unintended impacts to the system.
Practical pentesting of ERPs and business applications (ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in the company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the specificity of ERP pentesting and focuses on SAP NetWeaver JAVA and Oracle PeopleSoft pentesting.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back... (ERPScan)
This document discusses server-side request forgery (SSRF) attacks and their history. SSRF attacks allow an attacker to exploit vulnerabilities in web applications to initiate requests from the server to other internal or external systems. The document outlines the basics of SSRF attacks and categorizes different types, providing examples of how SSRF can be used in proxy and connect-back attacks. It emphasizes the risk of SSRF attacks against critical enterprise applications given the sensitive data they contain.
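The proxy-style SSRF the summary refers to starts with a server-side fetcher that connects wherever the client points it, typically at internal hosts or management interfaces that are not reachable from outside. The following added example (not code from the ERPScan slides) shows that unprotected form beside a pre-flight check that a fetcher should run before connecting. DNS is replaced by a constructed lookup table so it runs offline; the hostnames are made up and 93.184.216.34 stands in for an ordinary public address. The allowed port list and the hostname allowlist are assumptions a deployment would tune.

```python
"""SSRF pre-flight check for a server-side URL fetcher.

Added example, not from the ERPScan slides. FAKE_DNS is a constructed stand-in
for socket.getaddrinfo() so the check runs offline.
"""
import ipaddress
from urllib.parse import urlsplit

FAKE_DNS = {
    "reports.example.com": ["93.184.216.34"],                 # ordinary public host
    "metadata.internal.example": ["169.254.169.254"],         # link-local metadata endpoint
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5"],  # mixed public/internal answers
}


def vulnerable_target(url):
    """What an unprotected fetcher connects to: whatever host the caller supplied."""
    return urlsplit(url).hostname


def _is_internal(ip_text):
    # Reject anything that is not globally routable: RFC1918, loopback,
    # link-local (cloud metadata), documentation and reserved ranges.
    return not ipaddress.ip_address(ip_text).is_global


def check_target(url, resolver=FAKE_DNS.get, allowed_hosts=None, allowed_ports=(80, 443)):
    """Return (True, ip) if the fetch may proceed, otherwise (False, reason).

    The caller must connect to the returned IP rather than re-resolving the
    name; otherwise a DNS change between check and connect defeats the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in allowed_ports:
        return False, f"port {port} not allowed"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP, nothing to resolve
    except ValueError:
        addrs = resolver(host) or []
    if not addrs:
        return False, f"{host!r} does not resolve"
    for ip in addrs:                                # every answer must be public
        if _is_internal(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, addrs[0]


if __name__ == "__main__":
    for url in ("http://reports.example.com/export",
                "http://metadata.internal.example/latest/",
                "http://rebind.attacker.example/",
                "http://127.0.0.1:50000/",
                "gopher://reports.example.com/"):
        print(url, "->", check_target(url))
```

The three checks that matter most for business applications are the port restriction (an internal SAP gateway or Java HTTP port is exactly what a proxy-style SSRF would be aimed at), rejecting every non-global answer rather than only the first, and connecting to the checked address instead of the hostname.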
GRC 2013 Preventing Cyber Attacks for SAP - Onapsis Presentation (rclark004)
The document discusses 11 risks that could leave an SAP system vulnerable to cyber attacks. It begins by explaining why SAP systems are targets, such as storing sensitive business information. It then debunks common misconceptions about SAP security like believing systems are intrinsically secure. The risks covered include missing security notes, standard users with default passwords, and vulnerabilities in the SAP application layer which handles authentication and authorization. Addressing these 11 risks is important to protect an SAP platform from espionage, sabotage and financial fraud.
Oracle PeopleSoft applications are under attack (HITB AMS) (ERPScan)
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes the PeopleSoft architecture and provides several internal and external attack vectors. Let’s look at the most dangerous one. PeopleSoft systems are often accessible from the Internet, and some parts of the system have to be available before registration, for example job application forms or “Forgot your password?” forms. For this purpose, PeopleSoft systems have a special user with minimal rights, and an anonymous visitor is automatically authenticated as this user. This opens the way to a privilege escalation attack by brute-forcing the password from which the authentication cookie, TokenID, is derived. TokenID is generated with the SHA-1 hashing algorithm, and according to the latest information an 8-character alphanumeric password can be recovered within a day on current GPUs costing about $500.
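The attack shape described above, a token whose integrity rests on a fast hash over known fields plus a guessable secret, can be shown in a few lines. The following added example is not ERPScan's or Oracle's code and does not reproduce the real TokenID layout: the field order, the separator, the user names and the use of a bare SHA-1 are assumptions chosen to illustrate the reasoning. The attacker captures one token issued to the low-privilege user, recovers the secret offline, and then mints a token for a privileged user that the server accepts. The demo secret is three characters so the search finishes instantly; the keyspace() helper shows why the talk's 8-character case is still a one-day job on a GPU.

```python
"""Toy model of a hash-based session token with a brute-forceable secret.

Added example, not from the ERPScan or Oracle material; the token format below
is an assumption, not the real PeopleSoft TokenID layout.
"""
import hashlib
import hmac
import itertools

DEMO_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"   # 36 symbols


def make_token(user, issued, secret):
    """Server side (assumed format): user|issued|SHA1(user|issued|secret)."""
    digest = hashlib.sha1(f"{user}|{issued}|{secret}".encode()).hexdigest()
    return f"{user}|{issued}|{digest}"


def verify_token(token, secret):
    """Server side: recompute the digest; returns (valid, user)."""
    user, issued, digest = token.split("|")
    expected = hashlib.sha1(f"{user}|{issued}|{secret}".encode()).hexdigest()
    return hmac.compare_digest(digest, expected), user


def crack_secret(token, alphabet, max_len):
    """Attacker side: the user id and timestamp are visible in the token, so only
    the secret is unknown; try every candidate up to max_len against one token."""
    user, issued, digest = token.split("|")
    prefix = f"{user}|{issued}|".encode()
    for length in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=length):
            guess = "".join(cand)
            if hashlib.sha1(prefix + guess.encode()).hexdigest() == digest:
                return guess
    return None


def keyspace(alphabet_size, length):
    """Number of candidates for a fixed-length secret; 62**8 for the talk's case."""
    return alphabet_size ** length


if __name__ == "__main__":
    secret = "k9x"                                       # constructed weak server secret
    captured = make_token("GUEST", 1700000000, secret)   # token issued to the public user
    recovered = crack_secret(captured, DEMO_ALPHABET, 3)
    print("recovered secret:", recovered)
    forged = make_token("ADMIN", 1700000000, recovered)  # hypothetical privileged user name
    print("server accepts forged token:", verify_token(forged, secret))
    print("candidates for 8 alphanumeric chars:", keyspace(62, 8))
```

The cost is dominated by one SHA-1 per candidate, which is what GPUs do well; that is the whole reason the talk's $500 figure holds. The countermeasure on the server side is not a longer password but a token built with an HMAC (or a signature) over a long random key that no human ever types, so that the search space is 2^128 or more rather than 62^8.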
The document discusses security issues related to SAP systems and portals. It notes that while SAP is widely used, security vulnerabilities are common due to lack of logging and exposure of services. The document emphasizes that SAP portals deserve attention as they provide a common entry point for attackers and link to other critical systems. Proper monitoring of portals and exposed services is needed to detect attacks and unauthorized access.
Top 10 most interesting vulnerabilities and attacks in SAP (ERPScan)
The increasing number of SAP Security Notes and talks on SAP security shows that it has become a really hot topic. However, attacks on SAP systems are still believed to be possible only for insiders. The reality is not so good: about 5000 SAP services, including dispatchers, message servers, SAP Host Control instances and web services, are reachable from the Internet.
Top 10 vulnerabilities 2011-2012 are:
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
The presentation provides a detailed description of these attacks, their potential business risks and the ways to prevent them.
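The first item in the list above, and in the identical list under the B-Sides workshop entry earlier on this page, is authentication bypass via verb tampering. The mechanism is a web.xml security constraint that enumerates http-method elements: only the listed verbs are covered, so a request with HEAD (or an arbitrary verb the container routes to the same handler) reaches the resource without the auth-constraint being applied. The following added example (not code from the ERPScan slides) parses a constructed web.xml, models the container's authorization decision, and flags every constraint written in the bypassable form; the second constraint in the sample is the corrected form, which omits http-method so that it covers all verbs. Role and path names are made up.

```python
"""Detect web.xml security constraints that are bypassable by HTTP verb tampering.

Added example, not from the ERPScan slides. SAMPLE_WEB_XML is constructed: the
first constraint lists GET and POST only (bypassable), the second lists no
methods and therefore applies to every verb (corrected form).
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>config</web-resource-name>
      <url-pattern>/config/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_constraints(xml_text):
    """Return a list of (name, url_patterns, http_methods, roles) per security-constraint."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name, patterns, methods, roles = "", [], [], []
        for el in sc.iter():
            tag, text = _local(el.tag), (el.text or "").strip()
            if tag == "web-resource-name":
                name = text
            elif tag == "url-pattern":
                patterns.append(text)
            elif tag == "http-method":
                methods.append(text.upper())
            elif tag == "role-name":
                roles.append(text)
        constraints.append((name, patterns, methods, roles))
    return constraints


def _matches(pattern, path):
    """Servlet-spec style matching: path prefix (/x/*), extension (*.ext) or exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(constraints, path, method):
    """Model the container's decision: does some auth-constraint cover (path, method)?
    A constraint with an empty method list covers every verb."""
    for _, patterns, methods, roles in constraints:
        if not roles or not any(_matches(p, path) for p in patterns):
            continue
        if not methods or method.upper() in methods:
            return True
    return False


def verb_tampering_findings(constraints):
    """Names of constraints that enumerate methods and so leave other verbs unprotected."""
    return [name for name, _, methods, roles in constraints if roles and methods]


if __name__ == "__main__":
    cs = parse_constraints(SAMPLE_WEB_XML)
    for path, verb in (("/admin/users", "GET"), ("/admin/users", "HEAD"), ("/config/db", "HEAD")):
        print(f"{verb:4} {path:14} protected={is_protected(cs, path, verb)}")
    print("bypassable constraints:", verb_tampering_findings(cs))
```

Point the parser at the web.xml of each deployed application (and, for a live check, send the same request once with GET and once with HEAD and compare the status codes). Every constraint reported as bypassable should drop its http-method elements, or, on Servlet 3.0 and later containers, use http-method-omission instead.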
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
This document discusses security risks associated with enterprise resource planning (ERP) systems like SAP. It begins by noting how critical ERP systems are for large companies and the vast number of customers that major ERP vendors have. It then provides examples of security risks like espionage, sabotage and fraud that can occur in ERP modules like materials management. Specific vulnerabilities that could allow manipulating materials prices or blocking materials posting are described. The document emphasizes that while examples focus on SAP, the risks apply to all major ERP systems.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
SAP provides various business solutions including CRM, ERP, PLM, and SCM. It consists of integrated modules running on the Netweaver platform across multiple operating systems. While SAP systems store centralized information and communicate across systems, they are often not configured securely by default and the RFC interface presents a key vulnerability. Proper user access controls, password policies, database restrictions, patching, and network monitoring are needed to secure SAP systems from vulnerabilities and resulting business and financial losses.
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
SAP Mobile infrastructure consists of multiple systems such as SAP Mobile Platform (formerly Sybase Unwired Platform) also SAP Afaria MDM solution, Sybase SQL Anywhere Database, and hundreds of SAP's mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk highlights how one can hack SAP Mobile.
In this popular platform, we have discovered a lot of typical vulnerabilities - XSS, XXE, hardcoded static encryption keys, and vulnerabilities that are specific to this platform - logic vulnerabilities and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to compromised mobile phones.
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPERPScan
This document discusses vulnerabilities in connecting ERP and ICS systems. It notes that while ERP, ICS, and other business systems need to be connected to share information, these connections can be exploited by attackers to infiltrate corporate networks. The document outlines several ways that vulnerabilities in ERP systems, misconfigurations, unnecessary privileges, and system interconnectivity can be leveraged to access sensitive business data or disrupt operations. It emphasizes that securing these connections and monitoring for security issues is critical for business security and continuity.
Oracle PeopleSoft applications are under attacks (Hack in Paris)ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes
This document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like instances, clients, transactions, ABAP, and authorization. It then discusses why SAP penetration testing is important to identify security weaknesses before attackers can exploit them. The document outlines the phases of a penetration test including discovery of SAP systems on a network, exploration of systems to gather information, vulnerability assessment, and exploitation of vulnerabilities. It provides an example case study of assessing security of an SAProuter. The presentation emphasizes that many SAP implementations have default insecure configurations and a penetration test can help secure systems by finding vulnerabilities.
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
The document discusses security issues related to SAP solutions and introduces ERPScan as an innovative product to help address these issues. It notes that over 2500 security notes have been released for SAP, highlighting growing threats. ERPScan provides integrated assessment of application platform security, ABAP code security, and business logic security. It can monitor SAP servers for vulnerabilities, misconfigurations, critical authorizations, and compliance with standards. The system aims to help automate security checks and reduce costs associated with SAP security problems.
The presentation describes 5 steps you should take to secure your SAP. There are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineERPScan
SAP is the most popular business application with more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
The presentation provides examples of simple and advanced attacks along with ways to avoid them.
The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
Obtained findings were presented at RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.
Forgotten world - Corporate Business Application SystemsERPScan
This document discusses penetration testing of enterprise resource planning (ERP) systems. It notes that ERP systems are complex, mission-critical applications that contain sensitive business and financial data. Penetration testing ERP systems requires in-depth knowledge of business processes, custom implementations, and various operating systems, databases, and hardware platforms used. The goal is to identify risks like data exposure or business disruption, not just gaining shell access. Exploits also need to be carefully adapted to avoid unintended impacts to the system.
Practical pentesting of ERPs and business applicationsERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in the company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the specificity of ERP pentesting and focuses on SAP NetWeaver JAVA and Oracle PeopleSoft pentesting.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...ERPScan
This document discusses server-side request forgery (SSRF) attacks and their history. SSRF attacks allow an attacker to exploit vulnerabilities in web applications to initiate requests from the server to other internal or external systems. The document outlines the basics of SSRF attacks and categorizes different types, providing examples of how SSRF can be used in proxy and connect-back attacks. It emphasizes the risk of SSRF attacks against critical enterprise applications given the sensitive data they contain.
GRC 2013 Preventing Cyber Attacks for SAP - Onapsis Presentationrclark004
The document discusses 11 risks that could leave an SAP system vulnerable to cyber attacks. It begins by explaining why SAP systems are targets, such as storing sensitive business information. It then debunks common misconceptions about SAP security like believing systems are intrinsically secure. The risks covered include missing security notes, standard users with default passwords, and vulnerabilities in the SAP application layer which handles authentication and authorization. Addressing these 11 risks is important to protect an SAP platform from espionage, sabotage and financial fraud.
Oracle PeopleSoft applications are under attack (HITB AMS) - ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes the PeopleSoft architecture and provides several internal and external attack vectors. Let’s look at the most dangerous one. PeopleSoft systems are often accessible from the Internet, and some parts of the system have to be available before registration, for example job application forms or “Forgot your password?” forms. For this purpose, there is a special user with minimal rights in PeopleSoft systems; when you enter, the system automatically authenticates you as this user. This opens an opportunity for a privilege escalation attack by brute-forcing the authentication cookie called TokenID. TokenID is generated based on the SHA1 hashing algorithm, and according to the latest information, an 8-character alphanumeric password can be brute-forced within one day on the latest GPUs that cost about $500.
The document discusses security issues related to SAP systems and portals. It notes that while SAP is widely used, security vulnerabilities are common due to lack of logging and exposure of services. The document emphasizes that SAP portals deserve attention as they provide a common entry point for attackers and link to other critical systems. Proper monitoring of portals and exposed services is needed to detect attacks and unauthorized access.
Top 10 most interesting vulnerabilities and attacks in SAP - ERPScan
An increasing number of SAP Security Notes and talks on SAP security prove that it is becoming a really hot topic nowadays. However, attacks on SAP systems are still believed to be possible only for insiders. The reality is not so good: there are about 5000 systems, including dispatchers, message servers, SapHostcontrols and web services, exposed on the Internet.
Top 10 vulnerabilities 2011-2012 are:
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
The presentation provides a detailed description of these attacks, their potential business risks and the ways to prevent them.
SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored.
The presentation describes how SAP Portal works and kinds of attacks it can be exposed to.
The presentation describes 5 steps you should take to secure your SAP. They are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
The interest in SAP security has been growing exponentially, and not only among whitehats. SAP invests money and resources in security, provides guidelines, and arranges conferences, but, unfortunately, SAP users still pay little attention to SAP security.
These are the most important takeaways for CISOs on providing SAP security for enterprises. The presentation destroys the SAP security myths, includes statistics obtained by the ERPScan Research Group, and covers future trends in SAP security.
EAS-SEC: Framework for securing business applications - ERPScan
For quite a long time, ERP security was merely a synonym for segregation of duties. Nowadays this situation has changed: there are three areas of business application security, namely SoD, custom code security and application platform security. SAP customers are now aware of problems with SAP installations, but they still don’t know where to start solving them.
The aim of EAS-SEC (http://eas-sec.org/) is to make people aware of enterprise application security problems and to create guidelines and tools for enterprise application security assessment.
This document discusses securing enterprise business applications. It notes that major companies rely on applications like SAP, Oracle, and Microsoft Dynamics for critical functions. However, these applications are often vulnerable to attacks like espionage, sabotage, and fraud due to issues like outdated versions, poor patching processes, and internet accessibility. The document argues that securing these widely implemented but vulnerable applications is essential for protecting companies and their sensitive data, operations, and financials.
Ten Things You Should not Forget in Mainframe Security - CA Technologies
Given the current state of security and breaches in the news every day, you won’t want to miss this session. We will cover the top 10 areas that you should be reviewing as a security practitioner that most organizations overlook. With the knowledge taken from this session, you will be able to better educate your staff and auditors about how to take security to the next level for your business and protect z/OS®.
For more information, please visit http://cainc.to/Nv2VOe
SECUDE is an innovative provider of IT security solutions for SAP customers. It focuses on data-centric security and classification with its Halocore solutions. Halocore allows users to identify sensitive data extracted from SAP, apply data loss prevention controls, and protect documents with rights management. This helps mitigate security risks, reduce compliance costs, and prevent data breaches and theft. The presenters discuss how rising security threats, lack of preparedness, and stringent compliance regulations are pushing companies to find new ways to secure their SAP data.
Big Data is a formidable opportunity for the Telecommunications industry. The abundance of data must be leveraged thanks to Data Science to improve the management of customer relationships, operational analyses, network optimization and monetization. Skylads, a startup specialized in R&D on Artificial Intelligence and Big Data offers products and services to make of the most of your data.
The document discusses insider threats and cybersecurity. It notes that the biggest threat companies face is from insiders like employees and vendors. While doing nothing on cybersecurity risks costly data breaches and fines, companies should implement regular employee training, vet vendors thoroughly, and create a risk management plan to address vulnerabilities. The presentation provides tools to assess risks like DREAD and STRIDE models and recommends prioritizing the highest impact risks with mitigation strategies and an incident response plan.
Business applications like ERP, CRM, SRM and others are one of the major topics of information security, as these applications store business-critical data and any vulnerability in them can cause a significant monetary and reputational loss or even a stoppage of business.
There are several myths about Business Applications Security such as:
Myth 1: Business Applications are available only internally.
Myth 2: ERP security is a vendors' problem.
Myth 3: Business Application internals are very specific and unknown to hackers.
Myth 4: ERP security is all about Segregation Of Duties.
Our findings explode these myths.
This document discusses how Hewlett-Packard Enterprise (HPE) can help airlines transform their maintenance, repair, and overhaul (MRO) processes through new technologies. It describes how HPE can leverage big data platforms, cloud computing, analytics, mobility, 3D printing, and security to help airlines increase efficiency, reduce costs and risk, and improve customer experiences. The document provides examples of how HPE has helped clients in industries like mining use real-time data analytics to enable predictive maintenance and optimize operations.
Indonesian e-Commerce requires Scalability, Reliability and Security to Achi... - Sutedjo Tjahjadi
Datacomm Cloud Business (cloud.datacomm.co.id) participated in the idEA (Indonesian e-Commerce Association) workshop to discuss how platform, infrastructure and security impact the end-user experience.
APAC Confluent Consumer Data Right the Lowdown and the Lessons - confluent
The document discusses the Consumer Data Right (CDR) framework in Australia and lessons that can be learned from it. It provides an overview of the CDR, including that it applies to existing consumer data and requires data holders to share data with accredited third parties if authorized by consumers. It also notes the CDR will apply across multiple sectors starting with banking, energy, and telecommunications. The document also discusses some of the technical challenges of implementing CDR like maintaining a single customer view, tracking accredited parties, and ensuring data privacy and governance. It provides examples of how streaming data platforms like Apache Kafka can be used to power use cases enabled by CDR like customer and product 360-degree views, payments traceability, and open banking.
Pixels.camp - Machine Learning: Building Successful Products at Scale - António Alegria
See video at: https://www.youtube.com/watch?v=p7s1lcaeoZk
How to build Machine Learning products that scale and autonomously evolve using open source technologies like Spark, Cassandra, Hadoop and many others.
While data technologies have been exploding and becoming commoditized, using them effectively to build a product that delivers real value to users can be a mysterious art. A lot of companies still use "gather data, think about it later" but then fail to put that data to work.
Let’s demystify machine learning system’s Data Science lifecycle (from data to production to a continuously evolvable system). Explore the fundamental recipe to build data-learning products that put data to work and provide experiences that are, ironically, more human.
We all know how it goes – once a year, the auditor carries out an IT audit as part of the year-end audit. The idea is to flag potential threats in SAP cyber security, and in identity & access management.
In terms of risk, this procedure is no solution; rather, the step is taken much too late in the process to allow for any kind of quick reaction. Hackers may have already had ample time to take advantage of the risks. Despite this fact, many companies leave it too late to close loopholes.
In this webinar, we will show you a much better approach that addresses this discrepancy. Thanks to SAST SUITE, you can achieve continuous, highly efficient real-time monitoring of all critical and security-related changes to your SAP systems. This means you can act immediately. No more waiting until next year when the auditor is at your doorstep.
Topics of focus:
• Immediate detection of unauthorized authorization assignments
• Monitoring role allocation and any evasion of the dual control principle
• Proper reaction – without delay – to suspicious table change documents
• Cost-benefit analysis: manual downstream controls vs. intelligent real-time monitoring
-------------------------------------------------------------------------------------------------------------
For information in German, please contact us: sast@akquinet.de
Concorde provides software asset management solutions to help customers simplify complexity, gain visibility into their software estate, and optimize costs. Their Core Control platform integrates with ITSM systems and provides analytics to help customers with license optimization, risk management, technology transformation modeling, and root cause analysis of issues. The document describes Concorde's experience implementing their solutions for a global financial institution to gain visibility, optimize licensing costs, model technology changes, and integrate with the customer's ITSM systems.
Corona| COVID IT Tactical Security Preparedness: Threat Management - RedZone Technologies
Work from Home - Practical Advice on Operations and Security Impact and what to do about it.
DR and BCP Planning Ideas
Widening Attack Surface Solutions
Managing Threats Solutions
IBM Messaging Security - Why securing your environment is important : IBM Int... - Leif Davidsen
Presentation from IBM InterConnect 2016 . With growth in the number of business applications and exponential growth in connectivity between applications and systems, it is important to understand not just how to implement security, but why it is important to ensure all parts of the business can appreciate it and apply the right levels of security to their messaging system use. - jointly presented by Leif Davidsen and Rob Parker
3433 IBM messaging security why securing your environment is important-feb2... - Robert Parker
These slides were presented at Interconnect with Leif Davidsen presenting why securing your environment is important and then I presented what security features in IBM MQ can be used to protect your environment.
There is an increasing trend witnessed in the cloud computing technology which has led to a lot of risks in preserving the Confidentiality, Integrity and Availability of data. The Cloud is now facing a lot of compliance requirements due to the sensitivity of the data that is being stored. View this presentation to understand the Cloud Compliance Requirements, Risks, Audit Processes and Methodologies involved in providing assurance.
This presentation was given by CA Anand Prakash Jangid at the Conference on Cloud Computing conducted by the Committee on Information Technology of the Institute of Chartered Accountants of India on 11th January 2014.
Controlling Access to IBM i Systems and Data - Precisely
Security best practice and regulations such as SOX, HIPAA, GDPR and others require you to restrict access to your critical IBM i systems and their data, but this is easier said than done. Legacy, proprietary access protocols now co-exist with new, open-source protocols to create access control headaches.
View this webcast on-demand for an in-depth discussion of IBM i access points that must be secured and how exit points can be leveraged to accomplish the task. We’ll cover:
• Securing network access and communication ports
• How database access via open-source protocols can be secured
• Taking control of command execution
Cybersecurity for Energy: Moving Beyond Compliance - EnergySec
Presented by: Gib Sorebo, SAIC
Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.
InfoSec is a mainframe services and software provider that has been operating since 1998. They offer expertise in securing and supporting IBM z/OS and VM/VSE environments. The document discusses that there is a lack of real-time visibility into what is happening on mainframes, and most incidents originate from internal employees. It states that reactive event monitoring leaves mainframes unmonitored for long periods and in-house monitoring code can become outdated. Working with a third-party like InfoSec can help create a mainframe security plan with 24/7 monitoring.
How to Raise Cyber Risk Awareness and Management to the C-Suite - SurfWatch Labs
Who's responsible for cybersecurity at your organization? The accountability for cybersecurity has shifted to the C-Suite, and it needs to become part of the overall business strategy.
E-commerce Development Services - Hornet Dynamics (Hornet Dynamics)
For any business hoping to succeed in the digital age, having a strong online presence is crucial. We offer Ecommerce Development Services that are customized according to your business requirements and client preferences, enabling you to create a dynamic, safe, and user-friendly online store.
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf - Undress Baby
The quest for the best AI face swap solution is marked by an amalgamation of technological prowess and artistic finesse, where cutting-edge algorithms seamlessly replace faces in images or videos with striking realism. Leveraging advanced deep learning techniques, the best AI face swap tools meticulously analyze facial features, lighting conditions, and expressions to execute flawless transformations, ensuring natural-looking results that blur the line between reality and illusion, captivating users with their ingenuity and sophistication.
Web:- https://undressbaby.com/
Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.
Odoo ERP software
Odoo ERP software, a leading open-source software for Enterprise Resource Planning (ERP) and business management, has recently launched its latest version, Odoo 17 Community Edition. This update introduces a range of new features and enhancements designed to streamline business operations and support growth.
The Odoo Community serves as a cost-free edition within the Odoo suite of ERP systems. Tailored to accommodate the standard needs of business operations, it provides a robust platform suitable for organisations of different sizes and business sectors. Within the Odoo Community Edition, users can access a variety of essential features and services essential for managing day-to-day tasks efficiently.
This blog presents a detailed overview of the features available within the Odoo 17 Community edition, and the differences between Odoo 17 community and enterprise editions, aiming to equip you with the necessary information to make an informed decision about its suitability for your business.
SOCRadar's Aviation Industry Q1 Incident Report is out now!
The aviation industry has always been a prime target for cybercriminals due to its critical infrastructure and high stakes. In the first quarter of 2024, the sector faced an alarming surge in cybersecurity threats, revealing its vulnerabilities and the relentless sophistication of cyber attackers.
SOCRadar’s Aviation Industry, Quarterly Incident Report, provides an in-depth analysis of these threats, detected and examined through our extensive monitoring of hacker forums, Telegram channels, and dark web platforms.
Takashi Kobayashi and Hironori Washizaki, "SWEBOK Guide and Future of SE Education," First International Symposium on the Future of Software Engineering (FUSE), June 3-6, 2024, Okinawa, Japan
Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly.
The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.
Transform Your Communication with Cloud-Based IVR Solutions - TheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
OpenMetadata Community Meeting - 5th June 2024 - OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx - rickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Workshop - Innovating with Generative AI and Knowledge Graphs - Neo4j
Go beyond the media hype around AI and discover practical techniques for using AI responsibly across your organisation’s data. Explore how knowledge graphs can be used to increase accuracy, transparency and explainability in generative AI systems. You will leave with hands-on experience combining the relationships between your data and LLMs to bring domain-specific context and improve reasoning.
Bring your laptop and we will guide you through setting up your own generative AI stack, providing practical, coded examples to get you started in minutes.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris - Neo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Discover the latest innovations from Neo4j, including the latest cloud integrations and product improvements that make Neo4j an essential choice for developers building applications with interconnected data and generative AI.
GraphSummit Paris - The art of the possible with Graph Technology - Neo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Artificial Intelligence and XPath Extension Functions - Octavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
1. Invest in security to secure investments
The Latest Changes to SAP Cybersecurity Landscape.
Dmitry Chastuhin. ERPScan
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 Awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. SAP
• The most popular business application
• More than 250000 customers worldwide
• 83% Forbes 500 companies run SAP
• Main system – ERP
• Main platforms
- SAP NetWeaver ABAP
- SAP NetWeaver J2EE
- SAP BusinessObjects
- SAP HANA
- SAP Mobile Platform (SMP)
4. Business Applications
• Business applications’ role in a typical work environment
• The need to harness them to optimize business processes
• Scope for enormous reduction in resource overheads and other direct monetary impact.
• Potential problems that one can’t overlook
• The need to reflect on security aspects, is it overstated!
• Why is it a REAL and Existent Risk?
5. Large Enterprise sectors:
• Oil and Gas
• Manufacturing
• Logistics
• Finance
• Nuclear Power
• Retail
• Telecommunication
• etc.
6. What can be the implications?
• Espionage
– Theft of Financial Information
– Corporate Secret and information theft
– Supplier and Customer list theft
– HR data theft
• Sabotage
– Denial of service
– Tampering of financial records and accounting data
– Access to technology network (SCADA) by trust relations
• Fraud
– False transactions
– Modification of master data
7. SAP Security
• Complexity – Complexity kills security. Many different vulnerabilities at all levels from network to application
• Customization – Cannot be installed out of the box. They have much (up to 50%) custom code and business logic
• Risky – Rarely updated because administrators are scared they can be broken during updates, and also the downtime aspect
• Unknown – Mostly available inside a company (closed world)
http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf
8. Risk 1: Credit card data theft
• Risk: credit card data theft
• Affects: Companies storing and processing PCI data: Banks, Processing, Merchants, Payment Gateways, Retail.
• Type: Espionage
• Module: SD (Sales and Distribution) – part of ERP
• Attacker can get access to tables that store credit card data. There are multiple tables in SAP where this data is stored. Tables such as VCKUN, VCNUM, CCARDEC and also about 50 other tables. Credit card data theft is a direct monetary and reputation loss.
9. Risk 1: Credit card data theft
• There are multiple ways an attacker can access the CC data
• Even if it’s encrypted one can:
– use FM to decrypt it - CCARD_DENVELOPE
– Use Report to get it decrypted
– Or use another report to find some info: RV20A003
• Solution: Configuration checks, Patch Management, Access Control, Code scanning
• Defense
– Decryption of credit card data in SD - note 766703
– Decryption of credit card data for the whole ERP - note 1032588
– Credit Card data in report RV20A003 - note 836079
11. Risk 2: Competitive intelligence
• Risk: Compromise of bidding information
• Affects: Companies using SRM for bidding
• Type: Espionage
• Module: SRM
• Competitors’ intelligence (Espionage)
• Access to SAP SRM systems is available through the Internet and could provide unfair competitors a sufficient loophole to glance at privileged pricing information and allow them to propose competitive pricing, thus helping in winning a tender by unfair means.
12. Risk 2: Competitive intelligence
• The SAP cFolders application for document exchange is a part of SRM and has some vulnerabilities and insecure configuration problems, which could help in gaining access to official pricing information.
• This means that the competitor’s documents could be completely removed from the systems, or the information might be manipulated to win a tender.
• This attack was successfully simulated during penetration tests.
• Some program vulnerabilities that aid an attacker:
– http://erpscan.com/advisories/dsecrg-09-014-sap-cfolders-multiple-stored-xss-vulnerabilies/
– http://erpscan.com/advisories/dsecrg-09-021-sap-cfolders-multiple-linked-xss-vulnerabilities/
• Defense: SAP Notes 1284360, 1292875
13. Risk 3: Intentionally causing manufacturing defects
• Risk: Intentionally causing manufacturing defects (Sabotage)
• Affects: Manufacturing sector such as Aviation, Aerospace, Automotive, Transportation, Consumer Products, Electronics, Semiconductor, Industrial Machinery and Equipment
• Type: Sabotage
• Module: SAP PLM
• Access to SAP PLM systems could allow unauthorized changes in product creation schematics, as usually SAP PLM is integrated into CAD. This means that only one small change could result in production of a defective batch of products, causing serious financial and reputational losses and sometimes harm to life and limb.
14. Risk 3: Creating defects in products intentionally
• FDA recalled the whole production batch of 1200 tracheostomical devices because of three deaths which were caused by technical problems
• IKEA had to recall the entire batch of 10000 beds with steel rods, claiming it to be a designer’s mistake [8], that had caused physical trauma to kids.
• Toyota was forced to recall 3 large batches of passenger cars of up to 500000 each because of wide-ranging construction problems with airbags, throttle and other parts of the car having impaired functionality. [9]
15. Risk 3: Creating defects in products intentionally
• US statistics from FDA [10] reveal such recalls occurring frequently. A similar situation can also be observed with consumer products. The financial losses caused by different traumas are about one trillion dollars per year.
* Those examples are not caused by misusing SAP!
16. Risk 4: Salary data unauthorized access
• Risk: Salary data: unauthorized data manipulation
• Affects: Every company
• Type: Fraud
• Module: HCM
• Access to the SAP HR system also allows insiders to manipulate the wage figures. Since a direct change can be easily detected, the risk lies in the potential for manipulating the number of additional working hours to be processed, which in turn affects the amount payable as wages. In such a case, the fraud is extremely difficult to detect.
17. Risk 4: Salary data unauthorized access
• User can find out a colleague’s salary details (PA30 transaction) -> Demotivation
• Also, attacker may do this by direct access to tables PA0008, PA0014, PA0015
• DEMO (PA30)
18. Risk 4: Salary data unauthorized access
• User can modify own salary
– Transaction PA30 is responsible for salary access
– Attacker can change number of hours by using this transaction
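The Risk 4 slides explain why padded working hours are harder to spot than a direct salary change. The script below is an added detection example written for this page, not code from the slides or from ERPScan: it replays constructed change records for the PA0008, PA0014 and PA0015 tables named on the slide and flags two patterns, a user editing a pay record that belongs to their own personnel number, and a single edit that raises hours or an amount by an implausibly large step. The pipe-separated record format, the HOURS and AMOUNT field names, the USER_TO_PERNR mapping and the thresholds are assumptions made for the example; in a real system the records would come from the change documents of those tables and from user master data.

```python
"""Added example: flag suspicious edits to SAP HR pay infotype tables.

Assumed for this example: change records arrive as pipe-separated lines with
the columns shown in CONSTRUCTED_LOG, the field names HOURS and AMOUNT are
constructed, and USER_TO_PERNR maps each SAP user to the personnel number of
the employee behind that user.
"""
from dataclasses import dataclass
from typing import Dict, List

# Tables named on the slide. In SAP HR they hold basic pay (PA0008),
# recurring payments/deductions (PA0014) and additional payments (PA0015).
PAY_TABLES = {"PA0008", "PA0014", "PA0015"}


@dataclass(frozen=True)
class ChangeRecord:
    timestamp: str
    changed_by: str   # SAP user who saved the change (e.g. through PA30)
    pernr: str        # personnel number whose record was changed
    table: str
    field: str
    old: float
    new: float


def parse_record(line: str) -> ChangeRecord:
    """Parse one pipe-separated change record (format assumed for this example)."""
    ts, user, pernr, table, field, old, new = (p.strip() for p in line.split("|"))
    return ChangeRecord(ts, user, pernr, table, field, float(old), float(new))


def parse_log(text: str) -> List[ChangeRecord]:
    """Parse all non-empty, non-comment lines of the record dump."""
    return [parse_record(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


# Constructed sample records, not data from any real system.
CONSTRUCTED_LOG = """\
# timestamp | user | pernr | table | field | old | new
2024-06-03T09:01 | HRADMIN1 | 10001 | PA0008 | AMOUNT | 4200 | 4300
2024-06-03T09:05 | HRADMIN1 | 10002 | PA0015 | HOURS  | 0    | 8
2024-06-03T17:40 | JSMITH   | 10007 | PA0015 | HOURS  | 0    | 12
2024-06-03T17:41 | JSMITH   | 10007 | PA0015 | HOURS  | 12   | 36
2024-06-04T08:10 | HRADMIN2 | 10003 | PA0014 | AMOUNT | 150  | 150
2024-06-04T22:15 | MLEE     | 10009 | PA0008 | AMOUNT | 3900 | 9900
"""

# Constructed mapping: which employee (personnel number) sits behind each user.
USER_TO_PERNR: Dict[str, str] = {
    "HRADMIN1": "20001",
    "HRADMIN2": "20002",
    "JSMITH": "10007",
    "MLEE": "10011",
}


def self_modifications(records: List[ChangeRecord],
                       user_to_pernr: Dict[str, str]) -> List[ChangeRecord]:
    """Rule 1: a user edited a pay record belonging to their own personnel number."""
    return [r for r in records
            if r.table in PAY_TABLES and user_to_pernr.get(r.changed_by) == r.pernr]


def large_increases(records: List[ChangeRecord], max_hours_delta: float = 16.0,
                    max_amount_ratio: float = 2.0) -> List[ChangeRecord]:
    """Rule 2: a single edit raises hours or an amount by an implausible step.

    The slide notes that a direct salary change is easy to spot while padded
    hours are not, so the hours threshold is the one that matters most here.
    """
    flagged = []
    for r in records:
        if r.table not in PAY_TABLES:
            continue
        if r.field == "HOURS" and r.new - r.old > max_hours_delta:
            flagged.append(r)
        elif r.field == "AMOUNT" and r.old > 0 and r.new / r.old >= max_amount_ratio:
            flagged.append(r)
    return flagged


def review(text: str, user_to_pernr: Dict[str, str]) -> Dict[str, List[ChangeRecord]]:
    """Run both rules over a record dump and return findings keyed by rule name."""
    records = parse_log(text)
    return {
        "self_modification": self_modifications(records, user_to_pernr),
        "large_increase": large_increases(records),
    }


if __name__ == "__main__":
    for rule, hits in review(CONSTRUCTED_LOG, USER_TO_PERNR).items():
        for r in hits:
            print(f"{rule}: {r.timestamp} {r.changed_by} changed {r.table}.{r.field} "
                  f"for {r.pernr}: {r.old:g} -> {r.new:g}")
```

On the constructed input the first rule flags both JSMITH edits (the user's own personnel number 10007), and the second flags the 12 -> 36 hours jump and the 3900 -> 9900 amount change; the HR administrators' routine edits pass. Thresholds need tuning per payroll period, and the user-to-employee mapping is what makes the first rule work, so it has to be maintained alongside user provisioning.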
19. Risk 5: Industrial Sabotage
• Risk: Industrial sabotage and Disaster
• Affects: Every company with ICS/Technology network. Oil and Gas, Utilities, Manufacturing
• Type: Sabotage/Fraud
• Module: SAP EAM / SAP xMII
• SAP EAM system can have technical connections to facility management systems; thus, by breaking into the EAM system it may be possible to hack facility management/SCADA/Smart Home/Smart Grid systems as well. So, if a hacker can get access to SAP EAM, he can more easily get access to facility management and industrial systems and actually change some critical parameters like heat or pressure, which can lead to disaster and potential loss of life.
20. Risk
5:
Industrial
Sabotage
• Usually
technology
systems
are
not
secure
and
based
on
obsolete
operaBon
systems
and
the
only
security
for
them
is
a
firewall,
which
totally
isolates
them
from
corporate
network
• Except
for
those
systems
with
which
there
should
be
connecBon
for
data
transfer
such
as
SAP
EAM.
• How
they
ahack:
– RFC
ConnecBons
– Shared
Database
or
other
resource
– Same
passwords
for
OS/DB/ApplicaBon
– Same
domain
– Simply
exploit
ICS
vulnerabiliBes
20
21. Risk 6: Misappropriation of material resources
• Risk: misappropriation of material resources
• Affects: Every company with Warehouse, or natural resources mining
• Type: Insider Fraud
• Module: MM (Material Management) – part of ECC
• Attacker can manipulate data about quantity of material resources in stock or delivery, pilfer from warehouses, at times in collusion with the very employees entrusted with the stock-taking responsibilities.
22. Risk 6: Misappropriation of material resources
• Exploit by direct table access
• Not so hard if you can google for it
23. Risk 6: Tampering banking information
• Risk: Tampering banking information
• Affects: Every company
• Type: Insider Fraud
• Module: ERP
• Attacker can manipulate data about the bank account number of any company in the database and pilfer money to a chosen account number.
25. How can they do this?
• 3000+ Vulnerabilities in all SAP Products
• 2368 Vulnerabilities were found in SAP NetWeaver ABAP based systems
• 1050 Vulnerabilities were found in basic components which are the same for every system
• About 350 Vulnerabilities were found in ECC modules.
[Chart: per-year counts, x-axis 2001–2014, y-axis 0–1000]
29. SAP NetWeaver ABAP
• Main platform
• Base platform for: ERP, SRM, CRM, PLM
• Purpose: Automate business processes
• If compromised:
- Halting of operations and other business processes
- Fraud
- Industrial espionage
32. SAP NetWeaver ABAP - Services
• NetWeaver Application Server ABAP
– SAP Gateway
– SAP Message server
– SAP Message server HTTP
– SAP Dispatcher
– SAP ICM
– SAP IGS
– SAP Enqueue server
– SAP MMC
– SAP HostControl
34. SAP NetWeaver ABAP - Publications
• 2002 "Wir hacken eine SAP Datenbank"
• 2003 "SAP Password Sicherheit"
• 2007 "Attacking the giants: Exploiting SAP internals"
• 2009 "Attacking SAP users with SAPSploit"
• 2011 "SQL Injection with ABAP"
• 2011 "SAP (in)security: Scrubbing SAP clean with SOAP"
• 2012 "The SAP Platform's Brain: Attacks to SAP Solution Manager"
• 2012 "Top 10 most interesting SAP vulnerabilities and attacks"
• 2013 "Transporting evil code into the Business: Attacks on SAP TMS"
• 2013 "If I Want A Perfect Cyberweapon I'll Target ERP"
• 2014 "Analysis Of 3000 Vulnerabilities In SAP"
• 2014 "Practical SAP Pentesting"
• +50 more…
35. SAP NetWeaver ABAP - Latest
• Multiple DoS vulnerabilities
– [ERPSCAN-14-011] SAP NetWeaver Dispatcher Buffer Overflow – RCE, DoS (sapnote 2018221)
– [ERPSCAN-14-012] SAP NetWeaver Dispatcher Multiple Vulnerabilities – RCE, DoS (sapnote 2025931)
– [ERPSCAN-14-014] SAP Network Interface Router – RCE, DoS (sapnote 2037492)
– [ERPSCAN-14-016] SAP NetWeaver HTTPd - Partial HTTP POST requests DoS (sapnote 1966655)
– [ERPSCAN-14-017] SAP NetWeaver HTTP - Slowloris HTTP POST requests DoS (sapnote 1986725)
– [ERPSCAN-14-019] SAP NetWeaver J2EE Engine - Slowloris HTTP POST requests DoS (sapnote 1986725)
– [ERPSCAN-14-020] SAP NetWeaver Management Console (gSOAP) - Partial HTTP requests DoS (sapnote 1986725)
36. SAP NetWeaver ABAP - SAProuter
• Remote backdoor update
– Remotely (via SAP Router)
– Almost without any trace
• SAP Router is used to obtain updates from SAP before sending them to SAP Solution Manager
• Attacker can exploit SAP Router's heap overflow issue
– http://erpscan.com/advisories/dsecrg-13-013-saprouter-heap-overflow/
• After that, he can change updates on the fly
• Defense: SAP Security note 1820666
37. SAP NetWeaver ABAP - Defense
• Vulnerability Management
• Configuration Monitoring
• Source Code Security
• SOD
The SAP NetWeaver ABAP Platform Vulnerability Assessment Guide: http://erpscan.com/wp-content/uploads/2014/05/EASSEC-PVAG-ABAP.pdf
38. SAP NetWeaver J2EE
• Additional platform
• Base platform for IT stuff, like:
– SAP Portal, SAP XI, SAP Solution Manager, SAP NWDS
– Purpose: Integration of different systems
• If compromised:
- Stopping of all connected business processes
- Fraud
- Industrial espionage
40. SAP NetWeaver J2EE - Services
• General services
– SAP Visual Admin (P4)
– SAP NetWeaver HTTP (webserver)
• Additional services
– SAP Portal (Part of HTTP)
– SAP SDM
– SAP SDM Admin
– SAP LogViewer
– SAP LogViewer Standalone
– SAP J2EE Telnet
42. SAP NetWeaver J2EE - Papers
• 2011. Architecture And Program Vulnerabilities In SAP's J2EE Engine
– http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf
• 2011. SAP: Session (Fixation) Attacks and Protections
– https://media.blackhat.com/bh-eu-11/Raul_Siles/BlackHat_EU_2011_Siles_SAP_Session-Slides.pdf
43. SAP NetWeaver J2EE - Papers
• 2012. SSRF Vs Business Critical Applications: XXE Tunneling In SAP
– http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
• 2012. Breaking SAP Portal
– http://erpscan.com/wp-content/uploads/2012/12/Breaking-SAP-Portal-DeepSec-2012.pdf
• 2014. "Injecting Evil Code In Your SAP J2EE Systems"
– http://erpscan.com/wp-content/uploads/2014/03/SAP-SDM-Hacking.pdf
44. SAP BusinessObjects - Overview
• SAP BusinessObjects (a.k.a. BO, BOBJ) is an enterprise software company specializing in business intelligence (BI), acquired in 2007 by SAP SE
• Additional platform for business analytics
• If compromised:
– Fraud
– Industrial espionage
45. SAP BusinessObjects - Products
• Business Intelligence
– BI Platform
• New - SAP BusinessObjects Business Intelligence Platform 4.1
• Old - SAP BusinessObjects Enterprise XI 3.x
– Dashboards
• New - SAP BusinessObjects Dashboards 4.1
• Old - Xcelsius 2008
46. SAP BusinessObjects - Products
• GRC
– SAP Process control 10.x
– SAP Access control 10.x
• Enterprise Information Management
– SAP Data Services 4.2
– SAP BusinessObjects Data Services 4.0
48. SAP BusinessObjects - Services
• General services
– Apache Tomcat – Web application Container
– CMS (Central Management Server)
– SIA (Server Intelligence Agent)
– Version Management
– Database
• Additional services
– JobServer
– fileserver
– EventServer
– crystalras
– ConnectionServer
http://gerardnico.com/wiki/dat/bobj/bobj_architecture
49. SAP BusinessObjects - Papers
• 2011 Multiple advisories in SAP BusinessObjects
– [DSECRG-11-001] SAP Crystal Reports 2008 — ActionNavjsp_xss
– [DSECRG-11-002] SAP Crystal Reports 2008 — ActiveX Insecure Methods
– [DSECRG-11-003] SAP Crystal Reports 2008 — Directory Traversal
– [DSECRG-11-011] SAP Crystal Reports 2008 — Multiple XSS
– [DSECRG-11-033] SAP Crystal Reports Server PubDBLogon – Linked XSS Vulnerability
• 2010 "Hacking SAP BusinessObjects"
– http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
• 2014 "SAP BusinessObjects Attacks"
– http://www.onapsis.com/slides/Onapsis-IT_Defense-SAP_BusinessObjects_Attacks_(IT_Defense_2014).pdf
50. SAP BusinessObjects - Latest
• [ERPSCAN-13-001] SAP Xcelsius – Insecure Crossdomain Policy
– http://erpscan.com/advisories/dsecrg-13-001-sap-xcelsius-insecure-crossdomain-policy/ - (sapnote 1412864)
• CSNC-2013-016 SAP BusinessObjects Explorer Port-Scanning
– http://www.csnc.ch/misc/files/advisories/CSNC-2013-016_SAP_BusinessObjects_Explorer_Port-Scanning.txt - (sapnote 1908562)
• CSNC-2013-017 SAP BusinessObjects Explorer Cross-Site-Flashing
– http://www.csnc.ch/misc/files/advisories/CSNC-2013-017_SAP_BusinessObjects_Explorer_Cross-Site-Flashing.txt - (sapnote 1908647)
• CSNC-2013-018 SAP BusinessObjects Explorer XXE
– http://www.csnc.ch/misc/files/advisories/CSNC-2013-018_SAP_BusinessObjects_Explorer_XXE.txt - (sapnote 1908531)
51. SAP HANA
• New platform SAP HANA (High-Performance Analytic Appliance)
– In-memory relational database management system
• Will be default database for all systems
• If compromised:
- Fraud
- Industrial espionage
- Sabotage
54. SAP HANA - 101
• A lot of new SAP technologies which can be used for attacks
– XSJS
– Web IDE
– Call C/C++ function directly from browser (XSCFUNC)
• XSJS
– This is HANA's version of Server Side JavaScript
– UI rendering completely in the client
– Server side procedural logic in JavaScript
– All artifacts stored in the SAP HANA repository
55. SAP HANA - Injections
• Client side JavaScript code injection
– service.xsjs (note 1993349)
• Server side JavaScript code injection
• Code injection
– net.xsjs (note 2015446)
• SQL injections
– [ERPSCAN-14-009] SAP HANA Net.Xsjs – SQL Injection (note 2014881)
– [ERPSCAN-14-013] SAP HANA metadata.xsjs - SQL injection (note 2067972)
56. SAP HANA - More injections with R
• R – language
• Can be used to extend SQLScript functionality
• It is possible to
– Read OS files
– Write OS files
– Execute OS code
– Open remote connections
• CREATE R SCRIPT privilege should be assigned
Example of procedure creation:
CREATE PROCEDURE p_name(param)
LANGUAGE RLANG AS
BEGIN <R CODE HERE>
END;
"HANA supports the usage of R, but R is not part of the HANA shipment. HANA just delivers an adapter. A customer has to install an R server on a separate server (it is not supported to install an R server on the HANA machine) and secure this server appropriately. That means most customers are not affected by R issues." – says SAP PSRT
57. SAP HANA – Other vulnerabilities
• [ERPSCAN-14-010] SAP HANA Application Lifecycle Manager – CSRF Token Bypass
• Hardcoded keys
58. SAP HANA - Passwords
• User details (including passwords) stored in hdbuserstore
• Located in /usr/sap/hdbclient/SSFS_HDB.DAT
‒ User data (login, encrypted pass)
‒ Encrypted Root key
‒ Encrypted Other keys
59. SAP HANA - Passwords
• File: SSFS_HDB.DAT
• Signature: RSecSSFsData
• Algorithm: 3DES
• Default key: The same as in the ABAP Security Storage
60. SAP HANA - Passwords
• SAP HANA – in-memory database
• But it drops some data into FS
– Backup
– Savepoint
"The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation has completed. After a power failure, the database can be restarted like any disk-based database and returns to its last consistent state" – SAP HANA Security Guide
61. SAP HANA
• "Data volume encryption ensures that anyone who can access the data volumes on disk using operating system commands cannot see the actual data. If data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm."
• "After data volume encryption has been enabled, an initial page key is automatically generated. Page keys are never readable in plain text, but are encrypted themselves using a dedicated persistence encryption root key."
62. SAP HANA
"SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA system from unauthorized access."
• SSFS_HDB.DAT
– HDB_SERVER/PERSISTENCE/ROOTKEY
– HDB_SERVER/DPAPI
• The persistence encryption feature does not encrypt the following data:
– Database redo log files
– Database backups
– Database traces
63. SAP HANA - Defense
• Vulnerability management
• Change the encryption key after installation
• Restrict access to the DAT file
• SAP HANA Security Guide
– http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure storage in the file system:
– http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0abbde4696b98a8be133b27f3b/content.htm
• SAP HANA Security Overview
– http://events.asug.com/2013AC/Business%20Integration%20Technology%20&%20%20Infrastructure/3909%20SAP%20HANA%20Security%20-%20What%20You%20Need%20to%20Know.pdf
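A small audit for the "restrict access to the DAT file" point above, added here and not part of the original deck: it checks the permission bits of an SSFS_HDB.DAT file and that it starts with the RSecSSFsData signature named on slide 59. It assumes the signature sits at the very start of the file; the sample file it writes is a constructed stand-in, not real SSFS content.

```python
"""Added example (not from the deck): audit an SSFS_HDB.DAT file for the two
defence points above, restricted file permissions and the expected signature.
Assumptions: the 'RSecSSFsData' signature sits at the start of the file, and the
sample file written here is a constructed stand-in, not real SSFS content."""
import os
import stat
import tempfile

SSFS_SIGNATURE = b"RSecSSFsData"  # signature named on the slide


def audit_ssfs(path):
    """Return a list of findings for the SSFS .DAT file at 'path'."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Only the instance owner should be able to read the secure storage.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable by group or others (mode {mode:o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group or others (mode {mode:o})")
    with open(path, "rb") as f:
        head = f.read(len(SSFS_SIGNATURE))
    if head != SSFS_SIGNATURE:
        findings.append("missing RSecSSFsData signature")
    return findings


def make_sample(mode, signature=SSFS_SIGNATURE):
    """Write a constructed stand-in file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix="_SSFS_HDB.DAT")
    with os.fdopen(fd, "wb") as f:
        f.write(signature + b"\x00" * 32)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for m in (0o644, 0o600):
        print(oct(m), audit_ssfs(make_sample(m)))
```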
64. SAP Mobile Platform
• SAP Mobile Platform
– From 3.0
– Formerly Sybase Unwired Platform (before 2.3)
• Mobile Applications (318+ applications)
65. SAP Mobile Platform - Architecture
[Architecture diagram: Backend Systems (SAP ERP 6.0 Ehp4, SAP ERP 7.0 APO, SAP BusinessObjects) -> Middleware (SAP Mobile Platform) -> Device]
66. SAP Mobile Platform - Possible attacks
• Information disclosure
• Man in the middle
• Hardcoded data
• Buffer overflow
• Code injection
• RCE
Sybase Mobilink, SQL Anywhere: CVE-2008-0912
67. SAP Mobile Platform – Mobile applications
• Hardcoded Credentials (patching)
• Lack of permissions (patching)
• Stored certificates (patching)
• SQL Injections
– [ERPSCAN-13-024] SAP EMR Unwired Unauthorized access (note 1864518)
68. Defense
• EAS-SEC: Resource which combines
– Guidelines for assessing enterprise application security
– Guidelines for assessing custom code
– Surveys about enterprise application security
70. Conclusion
• Critical networks are complex
• System is as secure as its most insecure component
• Holistic approach
• Check eas-sec.org
• Check erpscan.com