36 idiots running SAP under attack after flubbing 2010 patch The United States Computer Emergency Readiness Team has taken the unusual step of enumerating just how many organisations have a particular problem, by calling out “36 organizations worldwide are affected by an SAP vulnerability … that was patched by SAP in 2010.” You read that right: 2010. US-CERT is relaying research …
Applying a patch in the SAP world isn't really like applying a Windows Update. Everything has to be regression tested on a copy of the system with the patch applied. Then a downtime window has to be identified, and patching these things isn't necessarily quick. The more SAP products you use, the further your system landscape will spread. There are development, QA and production servers (potentially, plus others) for each major component you're using.
Of course, I'm not excusing the failure to apply the fix for the security flaw. But "child's play" is the wrong way to describe it. There will be a 6 month project plan that goes around the application of a set of patches. Quite often, it's one of the things that gets left by the wayside just because it's so complicated. Additionally, because SAP's Maintenance Optimizer feature in SAP Solution Manager is currently broken (see SAP Note 2305937, https://service.sap.com/sap/support/notes/2305937 - SMP login required) it's currently very difficult to apply the patch in a way most SAP sysadmins are used to, requiring them to familiarise themselves with SAP Maintenance Planner, a horrible HTML5 thing that's got about half the functionality of the Maintenance Planner which leaves it difficult to keep systems in sync.
If any of these companies want a hand applying the patch, I can certainly help.
It's a choice, isn't it.
Either the enterprise decides to 'go down' for a time to get everything patched and up-to-date and risks pissing off customers when it all goes tits up, or it takes the risk of a security breach. No brainer, you take the risk of a breach because the financial hurt from a badly applied update (and the cost of updating) far outweighs the one from a security break, if it ever happens. I say this after hearing Dido Harding on the radio this a.m. gushing about TT's last quarter and how the business is bouncing back...
I don't see this changing any time soon. Probably until companies are forced to disclose *how* they were breached and, after that, the first successful class action suit from people who's data was stolen via an exploit that should have been patched years back.
Not holding my breath mind you...
Used correctly, it's magnificent, especially in larger companies. If you're a major supermarket, having a programme which complies with all known EDI standards for electronic tender agreements probably saves you the upfront and maintenance cost of SAP in year one. Sure, there are competitors, but there are reasons why SAP is reassuringly expensive - it's because you can get rid of 90% of your staff if you use it "properly".
Of course, few companies ever get that far.
Choose no life. Choose sysadminning. Choose no career. Choose no family. Choose a fucking big computer, choose hard disks the size of washing machines, old cars, CD ROM writers and electrical coffee makers. Choose no sleep, high caffeine and mental insurance. Choose fixed interest car loans. Choose a rented shoebox. Choose no friends. Choose black jeans and matching combat boots. Choose a swivel chair for your office in a range of fucking fabrics. Choose NNTP and wondering why the fuck you're logged on on a Sunday morning. Choose sitting in that chair looking at mind-numbing, spirit-crushing web sites, stuffing fucking junk food into your mouth. Choose rotting away at the end of it all, pishing your last on some miserable newsgroup, nothing more than an embarrassment the selfish, fucked up lusers Gates spawned to replace the computer-literate.
Choose your future. Choose sysadmining
Alternatively, chose a RangeRover, a house in the banker quarter in St Albans and a 1000£ suit and pretend to be an ERP software consultant.
I see you've never actually used OS/2, which was quite the battleship.
Novell Netware, OTOH, had such bad security holes, I found 3 "gets ya supervisor" during a weekend look through their API docs. Stuff was designed with holes in it.
EDIT: and I'll never forget when Drew Major came to our uni and syscon kept flashing "PLEASE WAIT" while pulling up the user list.
"How many users you have?"
"Oh about 3500 on this server"
"Whups, I put a bubble sort in there, that's why it's so low. Never expected that many"
Our Data Structures & Order Analysis instructor was there. The *look* on his face...
Having done battle with patching in an enterprise environment for years, it's very understandable why this would have been missed. My security team is always ready to demand patching ASAP, but the admins and customer support are always on about "up time", "reliability & availability", "regression testing", and other non-sensical terms. Enough with the hand wringing... Just patch the damn stuff and let God sort it out, I tell them.
No worries, they will ALL be learning how to patch their shit soon enough. No need to list who they are, finding them is now trivial; they are outward facing web-craps with known ports. They are being scanned while I'm typing this. Now, for these brain-trust sites, finding they are compromised is another kettle of fish entirely. They might not find out for some years, or six, or more. You are absolutely correct in saying that uptime trounces security, when the morons making the (bad) decisions are not yet hacked. Give the security community time, these idiots will be found, hacked, and hung out to dry in some dark Internet back-alley. And I say; go hackers, go! This is the ONLY way to teach them "the lesson." The ONLY way.
They have been advised, they have been warned. Now, it's time to break-in and say Hello, World!
Why not name them so someone at the affected companies can bring some pressure to bear on their IT Staff?
Double-edged sword obviously. It also gives the bad guys a heads-up on who's left the backdoor unlocked. They can probably exploit it faster than the company can patch.
I would hope that the companies were at least notified...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
