Monthly Archives: February 2012

Earlier today, Microsoft issued a statement that declared that the financial information belonging to customers of its online store in India may have been compromised by the recent attack perpetrated by a Chinese group called the "Evil Shadow Team." It is widely believed that this information was stored in clear text in databases raided by the group. The Evil Shadow Team may also have breached the supposedly secure gateway handling the payment process. In an original statement issued shortly aft ...
read more
SAP's acquisition of SECUDE in 2011 is finally bearing fruit. Recently, SAP announced the launch of Netweaver Single Sign-On 1.0 which can be downloaded from the Service Marketplace. This is the latest addition to SAP's identity and access management portfolio and is based on SECUDE's Secure Login and Enterprise SSO solutions. It uses protocols such as Kerberos, X.509 and SAML to enable mutual authentication between not only SAP applications but between SAP and legacy systems. It also supports c ...
read more
Imagine a system that provides a single, unified interface to all your SAP applications for not only everyone in your company but customers and suppliers. Imagine also that this system is web-based and uses single-sign-on. Congratulations, you've just envisioned the Netweaver Portal, the cornerstone of SAP's strategy to integrate business information and processes and the fountain of much of the company's recent success. Given its importance, you would think that any security vulnerability in th ...
read more
If you missed Ertunga Arsal's presentation on SAP Rootkits and Trojans at the 27th Chaos Communication Congress, you can now watch the entire hour-long session below. Ertunga is an accomplished SAP security expert and an entertaining speaker if you appreciate dry, German humour. In this video, Ertunga demonstrates how attackers can use several paths to compromise weak SAP systems (usually development or test environments), infect clients that connect to the compromised systems and then eventuall ...
read more
Does anyone remember the world before GRC? I know it seems like decades ago but the fact is solutions such as SAP GRC are a relatively new phenomenon. Until recently, most of us were working with SU01 and SUIM. While such tools have undoubtedly made life easier for administrators and auditors alike, there's a hidden danger associated with their use that I've observed over and over again when clients rely too heavily on them to secure their environments. Before we get to that, here's a brief sur ...
read more