With great interest I followed the current discussion on SDN, started by Custodio, about publishing a SAP hack. In this case, it seems to be about "bypassing" the registration code (access key) required for modifications of SAP's own ABAP program source code.
As I mentioned in an earlier blog, I worked for a certain period of time on SAP implementations in the environment of national agencies. I think it would be worthwhile to share some viewpoints on the do's and don'ts of the security world in this context.
If you look at the question "Who is posing threats to IT security in enterprises?", you get a "pyramid".
At the bottom, but nominally the largest group, you have the script kiddies. The name comes from the lowest-level threat, where in any environment you can observe a daily wave of attacks shortly after school is out in the afternoon, when the "buddies" try out the latest basic hacker script they exchanged in the schoolyard. It is also the name for the occasional hacker who gets some "exciting tools" from some dark corner of the Internet and tries them out.
This level is not a serious threat and is caught by any regular firewall and standard security measure. The next level is more serious: the level of professional hackers, sometimes associated with organized crime and corporate espionage. Their tools are serious and countermeasures are difficult. They will compromise an average system, but they will fail against serious countermeasures in hardened security environments.
The top level is well represented in every newspaper: national agencies that use the ultimate tools. These are hard to detect if secret-service-style technology is involved. Feel sure about the latest TPM 2.0 chips in your laptop? Well, re-think.
If you now look into the question of who would talk about their knowledge, what would you guess?
The answer is easy: only the script kiddies will brag about their stuff publicly on the Internet. The "claim to fame" is the driver to share the knowledge with the world, wanted or not. If you look at the Black Hat conferences, you will also notice that even the professionals only publish material at "script kiddie" level, or the occasional "hot" zero-day exploit that makes a great topic for the headlines.
On the professional side, everyone who knows the real exploits will use them either to "blackmail" the targets, when he/she is a blackhat (the evil side), or will try to make money by selling the so-called "zero-day" (fresh, unknown) exploits back to the original companies, when he/she is a whitehat hacker (the good one). Usually, the company will pay a premium for every zero-day exploit that is discovered.
The same is true for the programs and tools used for hacks at this professional level. They will be used either for blackhat hacking (bad guys) or for pen tests and security hardening (good guys). But then you share your knowledge only with a very specific audience.
Check out the companies that do penetration tests for SAP: will they even advertise on Google? I doubt that you will find a lot of them by Google search. I think that, in general, publishing exploits in a public forum is not professional behaviour and serves only the purpose of either "fame for script kids" or showing off one's own knowledge.
If you know the serious hacks, you have no interest in sharing them uncontrolled in public, whether they are white hat or black hat hacks.