Layer Seven Security

How to Secure SAP Systems from Password Attacks

Exploiting weak password hashes is one of the most common and successful attack scenarios used against SAP systems. The availability of open-source programs such as Hashcat and John the Ripper enables even novice hackers to perform attacks against SAP passwords. In fact, Hashcat is capable of breaking any SAP password encoded using the BCODE hash algorithm in a maximum of 20 hours, regardless of the length and complexity of the password.

SAP systems support a variety of cryptographic algorithms to convert passwords into hash values. These values are stored in table URS02. This is designed to prevent the storage of passwords in clear-text. During the logon procedure, passwords entered by users are converted to a hash value and compared to the value stored for the user in table USR02. The logon is successful if there is match between the two values.

Since hash algorithms are one-way, it is not possible to calculate passwords from hash values. However, it is possible to compare values generated by tools such as Hashcat to the values stored in SAP tables to break passwords providing both are encoded using the identical algorithm.

Therefore, it is critical to restrict the ability to read and extract password hash values in table USR02. This can be achieved by controlling direct access to database tables through SQL statements using firewall rules. The ability to read tables using generic table browsing tools accessible through transactions SE16, SE17 and SE11 should also be restricted and monitored.

Note that USR02 is not the only table containing password hash values. In some releases, hashes can also be found in tables USH02, USH02_ARC_TMP, VUSER001 and VUSR02_PWD. Such tables should be assigned to the authorization group SPWD (refer to Note 1484692). Access to table USRPWDHISTORY should also be restricted since attackers are often able to guess current passwords based on former passwords if users employ variations of the same password.

There should be similar restrictions on debugging and transport authorizations since these can also be used to access or export SAP tables containing password hashes.

Users with access to multiple systems or systems in different environments should be required to use different passwords for each system and environment. Passwords for productive systems should not be identical to those used to access development or test systems.

SAP password code versions A-E are based on the MD5 hashing algorithm. The hash values generated through this mechanism are stored in the table column BCODE. All MD5 hashes are susceptible to brute force and other password attacks. Code versions F and G use the SHA1 algorithm. SHA1 hashes are stored in the PASSCODE column. They are less vulnerable than MD5 hashes but can be broken if passwords are short and relatively non-complex. The most secure hashing algorithm supported by SAP systems is iterated salted SHA-1 in code version H. This mechanism uses random salts and a higher number of iterations to mitigate password attacks. Iterated salted SHA-1 hash values are stored in PWDSALTEDHASH.

SAP kernels should be upgraded to 7.02 or higher to support PWDSALTEDHASH hash values. For added security, default iterations and salt sizes can be increased using the login/password_hash_algorithm parameter.

Once this is performed, the profile parameter login/password_downwards_compatibility should be set to 0 to ensure only the strongest possible hash values are generated. CUA systems can be excluded from this requirement if they are connected to systems that do not support PWDSALTEDHASH.

The report CLEANUP_PASSWORD_HASH_VALUES should then be run to discover and remove redundant password hashes. There is a clear security risk if this is not performed. Attackers may be able to use passwords encoded in BCODE and PASSCODE hashes if users employ identical or similar passwords encoded in PWDSALTEDHASH.

Enforcing single sign-on (SSO) for all dialog users provides the optimal level of protection against password attacks by removing the need to store hashes altogether. However, once SSO is enabled, direct logons should be blocked through the parameter snc/accept_insecure_gui=U and by ensuring users are not exempted from SSO through settings in user records maintained in the SNC tab of SU01.

Taken together, these countermeasures should safeguard systems from dangerous password attacks aided by well-known and easily accessible tools that can be leveraged to take full control of SAP systems.

Update: A new version of Hashcat capable of cracking SAP code version H password hashes encoded using SHA-1 is currently in beta testing. You can learn more at http://hashcat.net/forum/thread-3804.html

FBI Director James Comey Speaks out on the Threat of Cybercrime

During a candid discussion with host Scott Pelley of 60 Minutes at FBI headquarters in Washington DC, James Comey speaks out about the threat of cybercrime confronted by American citizens and corporations. Comey declares that cybercrime perpetrated by nation states, criminal syndicates and terrorist organizations has reached epidemic proportions and is directly costing the US economy billions of dollars a year.

Can’t access YouTube? Try Vimeo: https://vimeo.com/108513963

The following is a transcript of the excerpt:

James Comey: Cybercrime is becoming everything in crime. Again, because people have connected their entire lives to the Internet, that’s where those who want to steal money or hurt kids or defraud go. So it’s an epidemic for reasons that make sense.

Scott Pelley: How many attacks are there on American computer systems and on people’s credit card numbers and the whole mass of it? What does a day look like if you’re concerned with crime in cyberspace?

James Comey: It would be too many to count. I mean, I think of it as kind of an evil layer cake. At the top you have nation state actors, who are trying to break into our systems. Terrorists, organized cyber syndicates, very sophisticated, harvesting people’s personal computers, down to hacktivists, down to criminals and pedophiles.

Scott Pelley: What countries are attacking the United States as we sit here in cyberspace?

James Comey: Well, I don’t want to give you a complete list. But I can tell you the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry.

Scott Pelley: What are they trying to get?

James Comey: Information that’s useful to them so they don’t have to invent. They can copy or steal so learn about how a company might approach negotiation with a Chinese company, all manner of things.

Scott Pelley: How many hits from China do we take in a day?

James Comey: Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.

Scott Pelley: The Chinese are that good?

James Comey: Actually, not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.

Scott Pelley: How much does that cost the U.S. economy every year?

James Comey: Impossible to count. Billions.

Scott Pelley: Sounds like cybercrime is a long way from Bonnie and Clyde for the FBI.

James Comey: Bonnie and Clyde could not do a thousand robberies in the same day, in all 50 states, from their pajamas, halfway around the world.

Scott Pelley: The FBI’s had legendary problems upgrading its computer systems. Are you now to a place where you’re satisfied that you’re meeting the cybersecurity threat?

James Comey: We’ve made great progress coordinating better as a government. When I last left government, my sense of us was kind of like four-year-old soccer. So like a clump of four year olds chasing the ball, we were chasing it in a pack. We’re about high school soccer now. We’re spread out. We pass well. But the bad guys are moving at World Cup speed. So we have to get better.

Scott Pelley: Do people understand, in your estimation, the dangers posed by cybercrime and cyber espionage?

James Comey: I don’t think so. I think there’s something about sitting in front of your own computer working on your own banking, your own health care, your own social life that makes it hard to understand the danger. I mean, the Internet is the most dangerous parking lot imaginable. But if you were crossing a mall parking lot late at night, your entire sense of danger would be heightened. You would stand straight. You’d walk quickly. You’d know where you were going. You would look for light. Folks are wandering around that proverbial parking lot of the Internet all day long, without giving it a thought to whose attachments they’re opening, what sites they’re visiting. And that makes it easy for the bad guys.

Scott Pelley: So tell folks at home what they need to know.

James Comey: When someone sends you an email, they are knocking on your door. And when you open the attachment, without looking through the peephole to see who it is, you just opened the door and let a stranger into your life, where everything you care about is.

Scott Pelley: And what might that attachment do?

James Comey: Well, take over the computer, lock the computer, and then demand a ransom payment before it would unlock. Steal images from your system of your children or your, you know, or steal your banking information, take your entire life.

Scott Pelley: We have talked about a lot of menacing things in this interview. Do you think Americans should sleep well?

James Comey: I think they should. I mean, the money they have invested in this government since 9/11 has been well spent. And we are better organized, better systems, better equipment, smarter deployment. We are better in every way that you’d want us to be since 9/11. We’re not perfect. My philosophy as a leader is we are never good enough. But we are in a much better place than we were 13 years ago.

A Five Step Guide to Securing SAP Systems from Cyber Attack Without Breaking the Bank

With SAP solutions deployed by 85 percent of Forbes 500 companies, they are a prized target for cyber attackers. Watch our Webinar playback to discover how to secure your SAP systems against targeted cyber attacks that could lead to denial of service, financial fraud or intellectual property theft. The Webinar is hosted by John Corvin, a Senior SAP Security Architect at Layer Seven Security. The insights delivered during the Webinar are based on lessons learned from hundreds of front-line engagements, aligned with leading practices and SAP recommendations and delivered by experienced SAP security consultants. Learn how to:

Secure SAP networks and communications
Protect remote function calls
Control critical user authorizations
Build log forensics
Configure security-relevant parameters

The Webinar will also enable you to identify opportunities for your organization to continuously monitor the security of SAP systems using standard tools and components available in SAP Solution Manager without licensing costly third party software. This will empower your organization to unlock the potential of SAP software and maximize the ROI of SAP licensing, while minimizing software-related capex and opex.

 

Can’t access YouTube? Watch on Vimeo: https://vimeo.com/107386560

Three More Reasons for using Solution Manager to Secure SAP Systems from Cyber Attack

Our recent article outlining the advantages of using SAP-delivered components versus third party software resonated strongly with customers seeking an effective and cost-efficient solution to address cyber threats impacting their SAP systems. The article examined the five key benefits of a Solution Manager-based strategy that included lower costs through the avoidance of licensing and maintenance fees for third-party software, the ability to configure custom security checks to address system, company or industry-specific risks, alerting for critical security events, detailed reporting driven by SAP Business Warehouse, and the availability of SAP support. The article presented a compelling argument for selecting SAP Solution Manager over the host of competing solutions offered by independent vendors.

The benefits delivered by Solution Manager stem from the depth and volume of security-related data that is continuously pulled from managed systems into the platform. Solution Manager lays at the core of SAP system landscapes and therefore occupies a central vantage point to oversee the security of connected systems. In contrast, third party software solutions are not embedded within SAP landscapes to the same extent and therefore lack the connectivity and range of Solution Manager.

Aside from the advantages mentioned above, there are three other benefits delivered by Solution Manager for security monitoring. The first is the availability of security dashboards. SAP delivers three security apps through the standard WebDynpro dashboard application in Solution Manager, located in the Cross-Application section for dashboard apps. This includes the Security Overview app, which summarizes security policy compliance by system across landscapes, the Security Details app, which displays compliance levels for software, configuration and user categories, and finally, the Security List app, which conveys security compliance levels for every SAP System ID. Dashboards apps can be automatically refreshed as often as every 5 minutes to provide security information in near real-time.

The second is Solution Manager’s ability to deliver detailed metrics for analyzing changes. Like third party solutions, components such as Configuration Validation in Solution Manager are able to pinpoint differences between actual and recommended security settings. However, Solution Manager goes a step further by enabling users to drill-down into the underlying changes that created risks identified by security scans. This is performed through Change Analysis which provides timestamps for changes in managed systems and the original values for instance, profile or other parameters before the changes were implemented.

The third is Solution Manager’s flexibility to support security policies aligned to any compliance framework. This includes not only familiar frameworks such as SOX and PCI DSS but requirements that are unique to specific industries or sectors. The transparent security checks performed by Configuration Validation can be customized for all regulatory, statutory and other forms of compliance standards.

Organizations do not have to look far for the solution to remove security vulnerabilities in their SAP systems. Most are delivered with standard license agreements by SAP and can be leveraged immediately at zero cost. Tools such as Configuration Validation provide a powerful and cost-effective alternative to third party solutions. They are also fully supported by SAP. You can learn more about SAP Configuration Validation here or contact Layer Seven Security to unlock the value of your Solution Manager systems.