Bringing Down The House
On American TV there is a trend away from classic sitcoms and movies into the new world of Reality TV. I am not sure what is real about it, because who wants to eat in Hell’s Kitchen when Gordon Ramsay is touching your food and sending it to your table? Don’t worry if the chef fails to deliver, they can always be on Worst Cooks in America for a chance to win $25,000. Maybe even a Survivor on Temptation Island where they discuss 19 Kids and Counting. It is turning out to be an Amazing Race as America’s Next Top Model becomes an American Idol when they watch Dancing with The Stars and hear So You Think You Can Dance? Well, in my world I believe the Cupcake Wars need to start, as every new star at The Black Hat Conference is trying to be the new Howard Stern. We realize that as long as there has been software there have been bugs and potential risks. Most people accept that every week you need to shut down Microsoft Windows and reboot. There are even jokes that if Microsoft built cars you would have to pull over, shut down, walk around the car and continue your trip. Potentially a funny story as long as it impacts someone else and not you.
Driving home from work, I hear the national news discussing events at the 2011 Black Hat Conference on August 4, 2011. The presenters have pride in the shock and awe factor as they attack the software giants of the world. Microsoft, Oracle, JD Edwards, IBM, SAP… WHAT? It was not a big deal until they started in my world. When Mariano Nuñez Di Croce started the next Extreme Makeover: Home Edition with a guide to hacking SAP, it rocked my world. I could see that he was either trying to bring down my house, or increase his consulting revenue. What has my SAP software done to deserve the creation of a hacker’s cookbook?
The shock and awe factor of hacking into SAP is real. When Howard Stern went out of bounds, the FCC attempted to hold him accountable for his actions on the public airwaves. Who is holding the Black Hat Conference accountable? When I was attempting to ensure that my SAP landscapes were protected, I attempted to automate some of this analysis using GRC Access Control. With experience in security controls, business processes and IT audit, I attempted to build rule sets with the proper authorization checks. I even reached out to the SDN community to see if my analysis was complete. Within SDN, participants were quick to point out that this was a public forum and that SAP security risks should not be discussed. Although I was attempting to use the information for good, there were concerns that the lurkers would use it for evil. No one in the SDN community offered any valuable feedback for risks or protection. It seems they either believe that SAP is fully secure, or that the SAP security guide documents all potential risks. I can confirm that the SAP documentation does document some areas of risk, but there is no single documented source of potential SAP risks.
After hearing the news report, I followed up with my SAP contacts and they were aware of the Black Hat guide to SAP vulnerabilities. I am proud to report that SAP does listen and has a monthly Security Patch Day to address potential security threats. (I have written about this process previously and you can find it here: Security Notes Made Simple Part Deux.) Within days of the conference, SAP had not only released notes 1589525 and 1616058 to address the security risks, but also created a note specific to the 2011 Black Hat Conference. This note includes the two above, but also a consolidated list of related notes that were already available to address similar issues. I would strongly suggest that you review SAP note 1616259, which discusses how to be protected against these published vulnerabilities.
Although SAP has provided solutions to these risks, the threat is still real until you apply the notes within your environment. Is your application web enabled? Do your users have unencrypted mobile applications? Are all of your users good stewards of your system and protective of their passwords? I initially thought that this attempt to Bring Down the SAP House was new, but a quick search of the internet will show you similar topics as far back as 2008. The threat is real, but you may be able to stop it with the right protection measures.