Vulnerable SAP Deployments Make Prime Attack Targets
wiredmikey writes "Using a combination of TCP scans and Google, security researchers found that nearly a quarter of the organizations running vulnerable versions of SAP are tempting fate by leaving them exposed to the Internet. This discovery, researchers from ERPScan say, dispels the myth that SAP systems are only available from the internal network, leading to the misconception that they are protected by design. By March 2012, there were more than 2,000 security advisories published by SAP. Of those, about 7% (124) have publicly available PoC (proof-of-concept) exploit code available to the public. Many of the issues discovered are related to poor configuration or poor deployment planning. For example, 212 SAP Routers were found in Germany, which were created mainly to route access to internal SAP systems. Another issue with the vulnerable and exposed SAP installations is that many of them run on Windows NT, creating a twin set of risks for the organization, as they have to contend with a bad SAP deployment and unsupported OS that is full of security issues all by itself."
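The TCP-scan half of the method the summary describes boils down to knowing which ports an SAP system opens and checking whether they answer from the outside. The block below is an added example, not code from the article or from ERPScan's tooling: it maps open ports onto SAP's documented default port layout (NN is the two-digit instance number: 32NN dispatcher, 33NN gateway, 36NN message server, 80NN/443NN ICM, 5NN00/5NN04/5NN13/5NN14 for the Java stack and Management Console, and the fixed SAProuter port 3299), and summarises which hosts look like exposed SAP services. The scan results are constructed sample data on documentation addresses, not real hosts; a port match is only a hint, and a practitioner would confirm with a banner or protocol handshake before counting a host as an SAP exposure.

```python
"""Classify TCP scan results against SAP's default port conventions.

Added example, not ERPScan's or SAP's code. Port families follow SAP's
standard assignments with NN = two-digit instance number (00-99). The
sample scan at the bottom is constructed data on RFC 5737 addresses.
"""
import re
import socket
from collections import defaultdict

# Checked in order: SAProuter's fixed port 3299 would otherwise be read as
# dispatcher instance 99.
SAP_PORT_RULES = [
    (re.compile(r"^3299$"),      "SAProuter"),
    (re.compile(r"^32(\d\d)$"),  "Dispatcher (SAP GUI / DIAG)"),
    (re.compile(r"^33(\d\d)$"),  "Gateway (RFC)"),
    (re.compile(r"^36(\d\d)$"),  "Message Server"),
    (re.compile(r"^80(\d\d)$"),  "ICM HTTP"),
    (re.compile(r"^443(\d\d)$"), "ICM HTTPS"),
    (re.compile(r"^5(\d\d)00$"), "J2EE HTTP"),
    (re.compile(r"^5(\d\d)04$"), "J2EE P4"),
    (re.compile(r"^5(\d\d)13$"), "Management Console (HTTP)"),
    (re.compile(r"^5(\d\d)14$"), "Management Console (HTTPS)"),
]


def classify_port(port):
    """Return (service, instance) if `port` matches an SAP convention, else None.

    `instance` is the two-digit instance number encoded in the port, or None
    for SAProuter, whose port is fixed. A match is a hint only: 8080 would
    be reported as ICM HTTP instance 80, so confirm with a banner before
    counting a host.
    """
    text = str(port)
    for pattern, service in SAP_PORT_RULES:
        m = pattern.match(text)
        if m:
            instance = m.group(1) if m.groups() else None
            return service, instance
    return None


def sap_ports_for_instances(instances=range(0, 100)):
    """Ports worth probing for the given instance numbers, plus SAProuter."""
    ports = {3299}
    for nn in instances:
        ports.update({3200 + nn, 3300 + nn, 3600 + nn, 8000 + nn, 44300 + nn,
                      50000 + nn * 100, 50004 + nn * 100,
                      50013 + nn * 100, 50014 + nn * 100})
    return sorted(ports)


def tcp_connect_scan(host, ports, timeout=1.0):
    """Plain TCP connect scan; returns the sorted list of ports that accepted.

    This is the live step. Everything below runs on constructed data so the
    example works offline.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def summarize_exposure(scan_results):
    """Group SAP-looking open ports by host.

    scan_results: iterable of (host, open_port). Returns
    ({host: [(port, service, instance), ...]}, saprouter_count). The router
    count is broken out because the article singles out SAProuters, which
    exist to front internal systems, turning up reachable from the Internet.
    """
    exposed = defaultdict(list)
    for host, port in scan_results:
        hit = classify_port(port)
        if hit:
            service, instance = hit
            exposed[host].append((port, service, instance))
    routers = sum(1 for hits in exposed.values()
                  if any(svc == "SAProuter" for _, svc, _ in hits))
    return dict(exposed), routers


# Constructed sample scan output (host, open port); not real systems.
SAMPLE_SCAN = [
    ("203.0.113.10", 22),
    ("203.0.113.10", 3299),   # SAProuter answering from the Internet
    ("203.0.113.11", 3200),   # dispatcher, instance 00
    ("203.0.113.11", 3300),   # gateway, instance 00
    ("203.0.113.11", 8000),   # ICM HTTP, instance 00
    ("203.0.113.11", 50013),  # Management Console, instance 00
    ("203.0.113.12", 443),    # nothing SAP-specific
    ("203.0.113.13", 44301),  # ICM HTTPS, instance 01
    ("203.0.113.13", 3299),   # second SAProuter
]

if __name__ == "__main__":
    exposed, routers = summarize_exposure(SAMPLE_SCAN)
    for host, hits in exposed.items():
        for port, service, instance in hits:
            print(f"{host}:{port}  {service}  instance={instance}")
    print(f"{routers} SAProuter(s) reachable")
```

Run it as-is to see the classification of the constructed sample; to scan a host you are authorised to test, feed `tcp_connect_scan(host, sap_ports_for_instances(range(0, 10)))` into `summarize_exposure` as `(host, port)` pairs. Limiting the instance range keeps the probe list small, since a full 00-99 sweep is roughly 900 ports per host.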
I can't find it anywhere on the SAP site!
Windows NT has been out of support for a very long time. Even Windows 2000 has been out of support for a while.
Given how much SAP costs, you'd think they could afford to upgrade to Win2003 at least.
I wish it were as easy to download and install as say, Peoplesoft HCM 9.1
I have no idea what the hell SAP is, but it sounds really dangerous.
Better known as 318230.
Remember the post we had yesterday, where many of us bemoaned that we had to lie in order to get a job?
And employers were looking for the speedy solution instead of a well-thought out solution? It takes more time to do it right.
older means wiser to computer security
It's also been known that there is no free lunch, and one generally gets what one pays for.
The problem is corporations tolerate buggy stuff if they can get it fast.
To make matters worse, the bugginess of it encourages the customers who bought in to pay more for "hopeware" in the future that supposedly fixes the bug.
It's the business response to the problem I studied in economics: the situation of selling a man a hammer. Once he's bought one, he'll never buy another, as he won't need another one if the hammer was made right in the first place. Far more profitable to sell "cancer treatments" than a "cure".
I've run across way too much "fancy presentation" stuff that simply doesn't work right. It's like hiring someone based on their dress, haircut, demeanor, and strong handshake while ignoring what they bring to the table as far as knowing how to do the job.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
It's everywhere. I hate it. You should too.
Having pretty good success wrapping Baby SAP, aka SAP Business One, in WCF (Windows Communication Foundation) through the SAP B1 DI API, then consuming the resulting WCF IIS service through BCS (Business Connectivity Services) in SharePoint 2010. Architecturally it's a very secure solution that's scalable to the cloud, i.e. SAP B1 on premise and SharePoint Online in the cloud, and it just works! Especially when you present the required business screens via forms-server-based InfoPath forms and handle the business logic via WF (Workflow Foundation) SharePoint workflow. Actually I haven't seen anyone else do this and it's very Elegant; I would recommend it. Obviously there is Duet Enterprise for the big SAP R3 version and SharePoint, but that's less common than B1.
The fuck does SAP stand for? The website doesn't even say. Fucking terrible OP.
All the pieces and parts are hard enough to keep running on a good day. The thing takes weekly downtime just to cycle modules... even simple patches shut your business users out for hours. Upgrading your version and OS shuts your business down for a week just to properly test. Sure, you can use Dev boxes and HA, but you have to have ALL the users PROVE IT WORKS. So you waste terrible amounts of their TIME they could be spending selling stuff!!
And of course, SAP doesn't INSTALL anything THEMSELVES. You have to use some fly-by-night third party. So just like Microsoft, it's YOUR fault when you didn't include hiring an extra $1m per year in employees to run the thing and use all the "secret settings" after they all leave you.
The only exception is completely isolated networks. But even those are vulnerable, even if you shoot people that breach the security. Just ask the Iranians about that.
Thinking that anything visible in parts of a corporate LAN is not reachable over the Internet is stupid and highly incompetent. Of course, you can have very tight network security and very isolated LAN segments. But until you have invested a lot of effort, had competent external review of the security measures, and have no direct reachability from the general LAN, that is not really going to help either.
What I strongly suspect here is just stupid management not willing to invest any money to even find out whether they have a problem. The general rule is that anything has to be considered insecure unless proven otherwise, not the other way round. Just stupidity, incompetence and greed, as usual. This high level of exposure is no surprise to any competent security expert.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
WOW!!!!
You must work for a consulting firm, only a consultant would think that solution is Elegant.
I re-used part of my existing two-factor authentication infrastructure as the gatekeeper to my Web-based SAP installation. All of my SAP infrastructure is available to my employees and/or clients, and you couldn't get to it even if I told you how. None of the security companies have been able to defeat the gatekeeper, even with credentials. The best thing: no additional costs or additional infrastructure to support.
I know of at least one large company that thinks giving potential applicants a login on their SAP installation to "streamline the application process" is a good idea. Through a public-facing SAP web front-end.
How I know? I tried to apply there. Got rejected by some faceless jerk behind a SAP terminal somewhere far away, then needed HR to play helpdesk because removing my details from the system didn't work as promised. Think of it as an exit interview by email before you've even started.
Of course that system also made all sorts of assumptions about what sort of enterprise-blessed desktop and browser I would be using. Except that I wasn't an employee and I was applying for a unix position, so, er, that didn't work out very well.
Let me tell you how wonderful a first impression I got from that company: Never again. In fact, I won't ever again apply to companies that require webforms (on possibly third-party platforms, without SSL, with the wrong domain name, etc.) and that sort of crap. If you're that institutionally-stupid, well, be that way but without me, TYVM.
I know those words but that post makes no sense
Another issue with the vulnerable and exposed SAP installations is that many of them run on Windows NT, creating a twin set of risks for the organization, as they have to contend with a bad SAP deployment and unsupported OS that is full of security issues all by itself.
Yeah, the whole Windows NT series is fucked up.
The real problem is that Windows NT 6.1 is still sold to this day.
You must work for a consulting firm, only a consultant would think that solution is Elegant.
That sounded like "I hop on a plane for a 30 minute flight at 6am, take a cab to the train station when I land, take a 2hr train trip, get off and buy my coffee at the Starbucks down the street from my home where I started, and walk home - because I work from home... it's a really Elegant solution."
But then again, it sounds exactly like a solution a SAP consultant would come up with.
This might explain why they make it so ridiculously difficult to download the SAPGui. There was a time when they had it available on their FTP site. Now you need an OSS ID just to download the GUI. Of course the OSS ID supplied through my employer doesn't allow me to download and install the GUI. Thus, each time I get a new laptop it's a regular pain in the butt to get the latest version installed. Just let me download the damn thing already! If anybody knows of a simple, easy place to download the latest SAPGui then please let me know. (Check out my Slashdot name - I work with this stuff every day and I honestly can't figure out why they want to hide the GUI from anybody.)
All I could understand is that SAP is an online suite of accounting, risk analysis, HR tools and whatever other BS is on the menu. Seemingly it's just a tool used by top execs to micromanage everything, since it's designed to integrate all the data received by its multiple departments. For example, a POS makes a sale on a cookie. Confirmation of sale is recorded by cameras. HR sends word to the store for an additional brownie point.
And now that you know how much data there is, you should realize how much money there is. Get hacking folks.
124 out of 2000 is 6.2%, so 124 out of more than 2000 should be less than 6.2%, which is obviously less than 7%. Are they rounding up?
I haven't used SAP but I have implemented other enterprise software systems. Any enterprise system can fall out of compliance for various reasons. If even one component is unpatched (server OS, database, web server, etc.) then the whole system becomes potentially vulnerable. Sometimes customers delay applying patches. The complexity of these systems requires a massive amount of regression testing whenever you change something. Many customers make the mistake of thinking that the work is done once the system goes live. Between regulatory updates, tax updates (for payroll systems) and new functionality it's more or less a constant cycle of upgrade, test and roll out. It's nearly impossible to describe how complex these systems are unless you have used them. There are literally millions of lines of code. If you're going to put in SAP, or any other enterprise software system, you will need a dedicated staff to support it. It is surprising to me that more systems are not out of compliance.