Application Development Discussions
Black Hat Presentation

mvoros
Active Contributor
0 Kudos

Hi everyone,

the Black Hat Europe conference happened last week in Amsterdam. There was a presentation by Mariano Nunez Di Croce dedicated to SAP security. I did not attend Black Hat and I only quickly went through the presentation. It does not seem to contain anything new, but it seems to be a good summary of one big issue in the SAP security field. Many people still believe that SAP security is only about SoD/authorizations. There have already been some discussions about this issue here on SDN. The last one which I remember was about reducing SAP security certification.

The presentation can be found in Black Hat archive.

http://blackhat.com/html/bh-eu-12/bh-eu-12-archives.html

Cheers

10 Replies

Former Member
0 Kudos

Interesting, but the presenter owns a software company and the presentation glosses over the basics to build up the fear-factor sales pitch. I thought these Black Hat conferences were supposed to be attended by hackers who really expose flaws in apps and bring awareness. It would be nice to get real-world examples of how to hack into an SAP system to demonstrate the core problems to management, instead of just talking theoretically about it. I thought that's what happens at these Black Hat conferences. Oh well.

0 Kudos

Hi,

you are right. As I said, it does not say anything new. He's been giving similar presentations for the last couple of years. I guess he uses it to promote his company. To his credit, he found some serious security issues in SAP software. Probably the worst one was one that allowed creating a new account in Java AS with full privileges. I guess he might have shown some issues during the presentation. You can find a video of one of his previous presentations.

Cheers

0 Kudos

I didn't mean to make it sound like I was disrespecting his company; the product is admittedly kind of neat. I'm just saying, if I paid thousands of dollars to attend a "Black Hat" conference I would expect to get some hacking knowledge. Otherwise I might as well go to SAPPHIRE.

0 Kudos

Martin, I just would like to mention that the vulnerability in Java AS was not found by this guy. It was presented by me.

0 Kudos

Sorry mate. I am really sorry. I know that there are 2 or 3 companies doing pen testing specialized in SAP.

BTW well done.

Cheers

0 Kudos

Would you mind telling us about the other companies that you know of? I checked EcoHub but couldn't find anything. Mariano's company got some free attention here; to be fair, would you mind telling us about the other companies performing SAP pen tests that you know of?

0 Kudos

OK Kesayamol, if you are asking, I can add that ERPScan is also offering SAP security services and products, and you can read more on the website.

0 Kudos

Nice company, thank you for sharing. It led me to your "Forgotten World" presentation from a different Black Hat conference, which is great.

koehntopp
Product and Topic Expert
0 Kudos

This is probably a good time to mention that applying security patches regularly is a good idea. We're working with security researchers to make sure these findings are addressed in SAP security notes _before_ they're shown to the public, so that customers have a chance to secure their systems. Kudos to all of them for their professional attitude.

Alexander has only recently moved his blog on the updated secure ABAP configuration guide over, so go and have a look:

http://scn.sap.com/community/security/blog/2012/03/23/compliance-to-new-secure-configuration-of-sap-...

Frank.

Former Member
0 Kudos

Dear Martin,

Thanks for linking the presentation.

@Kesayamol, let me answer you about some of the points you mentioned:

1- The presentation was not intended to bring fear, but to share our real-world experience. It condenses the results from 5 years of performing SAP penetration tests for some of the largest organizations in the world. If you pay close attention to the conclusions, the main point that I try to make is not that you should be afraid, but instead to analyze the reason why most organizations' SAP implementations are still exposed to 5- or 10-year-old vulnerabilities known in the public domain.

2- I have been presenting at BlackHat since 2007, already over 12 times including trainings, about several different critical threats affecting SAP systems (Gateway, RFC, backdoors, web applications, etc.). Even this presentation, which was a bit more of a "lessons learned", had live demonstrations of real-world attacks. Furthermore, ALL the presentations that Onapsis has ever done were regarding threats that had been reported to SAP beforehand and for which workarounds/patches were already available, and we always included this information in our slides/papers.

3- Please read the presentation's paper. We have outlined the Top-11 vulnerabilities from BIZEC, which is a non-profit organization focused on technical threats to ERP systems and business-critical applications.

If you want to obtain more information about this subject, you can always download our publications on this matter free of charge. It can also be useful to attend a BlackHat so that you can understand it first-hand.

Cheers,

Mariano