The SAP Security Blog

After recently losing Beneficial Mutual as an audit client, Deloitte suffered another major setback last week. While a U.S District Court Judge dismissed racketeering and other claims against the firm made by Marin County as a result of what the Californian authority considered a botched implementation of SAP for Public Sector, the court declared that the county had a plausible claim of bribery against Deloitte. In the $30M complaint against Deloitte attached below, Marin County alleged that De ...
read more
The answer is when your Legal department is managing the fallout after a data breach. The case in point is the Utah Department of Health which announced this week that over 280,000 records belonging to Medicaid and CHIP recipients were compromised after a breach last week believed to be perpetrated by a group in Eastern Europe (http://www.health.utah.gov/databreach). The group exported 25,000 files containing personal information including social security numbers, belonging to hundred of thousa ...
read more
IBM released an advisory in February for a Denial of Service (DoS) vulnerability in AIX versions 5.3, 6.1, and 7.1. The warning seems to have flown under the radar since so far, many companies running the effected AIX OS platforms for their SAP environments have yet to deploy the patch. The vulnerability relates to a flaw in ICMP packet handling. An ICMP echo reply with ID=1 can lead to a DoS. ICMP is part of the Internet Protocol Suite and can be used to relay query messages. Echo reply is a pi ...
read more
As you probably recall, MasterCard issued a directive in 2009 that required all Level 2 merchants to comply with the PCI DSS through either a Self-Assessment Questionnaire (SAQ) prepared by a certified Internal Security Assessor or an assessment performed by a Qualified Security Assessor by June 30, 2010. Following an uproar from merchants, this was pushed back to June 30, 2012. The latest news is that MasterCard has every intention of sticking to this deadline. If you're a Level 2 merchant with ...
read more
Earlier today, Microsoft issued a statement that declared that the financial information belonging to customers of its online store in India may have been compromised by the recent attack perpetrated by a Chinese group called the "Evil Shadow Team." It is widely believed that this information was stored in clear text in databases raided by the group. The Evil Shadow Team may also have breached the supposedly secure gateway handling the payment process. In an original statement issued shortly aft ...
read more
SAP's acquisition of SECUDE in 2011 is finally bearing fruit. Recently, SAP announced the launch of Netweaver Single Sign-On 1.0 which can be downloaded from the Service Marketplace. This is the latest addition to SAP's identity and access management portfolio and is based on SECUDE's Secure Login and Enterprise SSO solutions. It uses protocols such as Kerberos, X.509 and SAML to enable mutual authentication between not only SAP applications but between SAP and legacy systems. It also supports c ...
read more
Imagine a system that provides a single, unified interface to all your SAP applications for not only everyone in your company but customers and suppliers. Imagine also that this system is web-based and uses single-sign-on. Congratulations, you've just envisioned the Netweaver Portal, the cornerstone of SAP's strategy to integrate business information and processes and the fountain of much of the company's recent success. Given its importance, you would think that any security vulnerability in th ...
read more
If you missed Ertunga Arsal's presentation on SAP Rootkits and Trojans at the 27th Chaos Communication Congress, you can now watch the entire hour-long session below. Ertunga is an accomplished SAP security expert and an entertaining speaker if you appreciate dry, German humour. In this video, Ertunga demonstrates how attackers can use several paths to compromise weak SAP systems (usually development or test environments), infect clients that connect to the compromised systems and then eventuall ...
read more
Does anyone remember the world before GRC? I know it seems like decades ago but the fact is solutions such as SAP GRC are a relatively new phenomenon. Until recently, most of us were working with SU01 and SUIM. While such tools have undoubtedly made life easier for administrators and auditors alike, there's a hidden danger associated with their use that I've observed over and over again when clients rely too heavily on them to secure their environments. Before we get to that, here's a brief sur ...
read more
Welcome! This blog is designed to help you stay in touch with the latest trends and developments in SAP security. Feel free to join the discussion by leaving comments and stay updated by subscribing to the RSS feed. To subscribe by email, click the RSS icon in the top right hand corner of the page, select 'View Feed XML' and then choose your email application. For most of you, this will be Microsoft Office Outlook. Thanks! ...
read more