
With great interest I followed the current discussion on SDN about publishing an SAP hack, started by Custodio. In this case it seems to be one of "bypassing" the registration key that SAP requires before its own ABAP program source code can be modified.

As I mentioned in an earlier blog, I worked for a certain period of time on SAP implementations in the environment of national agencies. I think it would be worthwhile to share some viewpoints on the do's and don'ts of the security world in this context.

If you look at "Who is posing threats to IT security in enterprises?" you get a "pyramid".

[Figure: the security threat pyramid, /wp-content/uploads/2013/10/sec_pyr_295033.jpg]

On the lower side, but nominally the largest group, you have the script kiddies. This is named after the lowest security threat, where you can observe a daily wave of attacks in any environment shortly after school is out in the afternoon and the "buddies" try out the latest basic hacker's script that they exchanged on the schoolyard. It is also the name for the occasional hacker who gets some "exciting tools" from some dark corner of the Internet and tries them out.

This level is no serious threat and is handled by any regular firewall and standard security measures. The next level is more serious: the level of professional hackers, sometimes associated with organized crime and corporate espionage. The tools are serious and the countermeasures are difficult. They will break an average system, but they will fail against serious countermeasures in hardened security environments.

The last level is well represented in every newspaper: national agencies, utilizing the ultimate tools. They are hard to detect if secret-service-style technology is involved. Feel sure about the latest TPM 2.0 chip in your laptop? Well, re-think.

Now look at the question: who would talk about their knowledge?

What would you guess? The answer is easy: only the script kiddies will brag about their stuff publicly on the Internet. The "claim to fame" is the driver to share the knowledge with the world, wanted or not. If you look at the Black Hat conferences, you will also notice that even the professionals will only publish material on "script kiddie" level, or the occasional "hot" zero-day exploit that makes a great topic for the headlines.

On the professional side, everyone who knows the real exploits will use them either to "blackmail" the targets, when he or she is on the black-hat, evil side, or will try to make money by selling the so-called "zero-day" (fresh, unknown) exploits back to the original companies, when he or she is a "white-hat hacker", the good one. Usually the company will pay a bounty for every zero-day exploit that is reported.

The same is valid for the programs and tools for the hacks on this professional level. They will be used either for black-hat hacking (bad guys) or for pen tests and security hardening (good guys). But in either case you will share your knowledge only with a very specific audience.

Check out the companies that are doing penetration tests for SAP. Do they even advertise on Google? I doubt that you will find many of them by Google search. I think that, in general, publishing exploits in a public forum is no professional behaviour and serves only the purpose of either "fame for script kids" or showing off one's own knowledge.

If you know the serious hacks, you have no interest in sharing them uncontrolled in public, be it white-hat or black-hat hacks.


8 Comments


  1. Custodio de Oliveira

    Hi Holger,

    Nice Blog. I reckon I will follow the security space more often.

    I think, in generally, publishing exploits in public forum is no professional behaviour and is only for the purpose of either “fame for script kids” or teasing about the own knowledge.

    This is pretty much what Robbo said on twitter and I think you are both right.

    Cheers,

    Custodio

    1. Martin Voros

      Hi,

      The discussion about responsible disclosure vs full disclosure is old (according to wikipedia it was first raised in 19th century). Claiming that guys who fully disclose bugs are doing it only for fame is gross simplification.

      Playing devil’s advocate. The big vendors are notoriously slow to publish fixes for security vulnerability. Some of them even refuse to fix these issues. I personally reported some vulnerabilities to SAP. It took SAP months to publish fixes for these issues. Is this fair to customers?

      Cheers

      1. Holger Stumm Post author

        Hi Martin,

        Thanks for your comment. The format of a blog in response to Custodio limits the focus of the discussion a little bit. You are right, it is simplifying – but on the other hand, the issue that you addressed should be taken care of by the software companies.

        SAP, for example, should have a public program for exploits and vulnerability reports and answer with a well-defined reward. And it should address the fixes in a timely manner, like Microsoft with their "Patch Day". Large companies will slowly recognize the need to work in this way.

        But this can't be part of this blog. Thanks again for taking part in this discussion.

        Holger

        1. Martin Voros

          Hi Holger,

          Fortunately, SAP has a program for responsible disclosure. They do not pay a bug bounty, but that is for another discussion. They also have a Patch Tuesday. It is every first Tuesday of the month. SAP has significantly improved its handling of bugs in recent years.

          Cheers

          1. Holger Stumm Post author

            Hi Martin,

            Thanks for sharing. As I find out every day, you are never too old to learn something new.

            As for the patch day – it seems our Basis guys are really working in silence; they never told me. I need to check whether they keep this secret or whether they don't know 😉

        2. Frank Buchholz

          How to report a Security Issue to SAP

          http://www54.sap.com/pc/tech/application-foundation-security/software/security-at-sap/report.html

          I agree that sometimes the overall processing time until a security note gets published is longer than you might expect, but of course you can request a status report from the SAP Product Security Response Team, secure@sap.com, at any time.

          SAP does not pay for vulnerability reports; however, we are pleased to publish credits on SCN:

          Acknowledgments to Security Researchers

          By the way, this spring Andreas Wiegenstein analyzed this page:

          Statistics document: SAP Security know-how is a scarce resource

          Kind regards

          Frank Buchholz

          Active Global Support – Security Services

          1. Holger Stumm Post author

            Hi Frank,

            Thanks for these great links. The more I learn from all these comments (also on the other discussions), the clearer it is that security really needs to get out of the shadows. (Like the example of only a few companies doing serious security bug finding and reporting.) Even my customers are getting more security-conscious by the day.

