Yes, this has been documented in SAP help & SAP recommends to change the default shipped key. I don't consider this particularly newsworthy but then again I am not trying to flog a product!
12 posts • joined 18 Jun 2013
Re: Why "Crypto"?
There is a common misconception within the SAP industry that traffic is encrypted rather than compressed & obfuscated. SAP recommend that encryption is enabled but <10% of customers actually do it (either using SAP tech or other solutions). It seems that the term has been used to drum up a bit more excitement.
Re: Nice picture ....
It's Crawley. The kit was probably nicked in the time it took the 'tog to press the shutter release and the shutter errrr releasing.
They would have had a good idea that the patch wouldn't land before the session; pulling out at the last minute sounds to me like a publicity stunt.
The ERPScan team do a good job, no need for marketing stunts.
Putting it into perspective it's not like the competition are any better when comparing like-for-like.
Re: Is it just me
When it works it's not unproductive but the rest still apply.
SAP Understands football better than er...football
NFL prediction wasn't quite so accurate
Re: Slow And Painful
SAP have really upped their game in the security area over the last 5 years. While many, many customers subscribe to security by obscurity, the same doesn't apply to SAP.
The problem is that many customers will not invest in securing their assets using standard mechanisms that SAP have provided for years, partly because it is, just like you say, an utter faff to patch around release cycles.
Yet another exploit facilitated through too much RFC access. Who woulda thunk it.
Plenty are at it
I've got plenty of clients who have done the same. Set up an entity in a low(ish)-tax location, e.g. Switzerland.
Step 1. Transport some staff to Head Office & claim that's where decisions are made, sales happen & risk is taken (therefore where tax should be paid)
Step 2. Set up new companies overseas & transfer manufacturing, service, distribution and local procurement into those companies.
Step 3. Operate a tolling system where H/O owns stock & pays local manufacturers to convert raw materials into product & ship on behalf of Head Office.
A few honchos move, lots of people get new contracts in the new companies.
Nothing new here
We've been able to find SAP systems through internet searches since the days of ITS and early SAP Portal. It would have been a trivial matter to try some default user accounts.
Other posters have commented on the reality of the tests & possible scaremongering tactics. For all their sins SAP does generally produce reasonably secure software. The problem is that most of those paid to secure it do not understand how to secure the assets using standard delivered SAP functionality and standard security techniques.
Unfortunately this is no surprise to many of us working in the SAP security field. SAP are working very hard to improve; unfortunately, clients are struggling to care.
Some key themes:
1. Security admins' main knowledge is around building roles/permission structures and user admin. The technical side is neglected (despite being covered quite well in certification) and there is a big gap.
2. Patching is time consuming and many organisations require full regression testing for each set of patches. Across 20 productive systems (each with a supporting application stack of 2-5 systems) covering a full scope of business processes, that comes at quite a cost (though not as much as a breach, of course).
3. IS teams rarely talk to SAP teams. SAP has been treated as a silo & there is a disconnect between IS and their SAP counterparts. Many SAP admins do not understand the impact of vulnerabilities, and the IS teams struggle to use terms that the SAP guys understand.
Fortunately some people do "get it" and plenty of orgs are doing good stuff & SAP is committed to making it easy for people to do the right thing.
Disclaimer: I work for a company doing security for SAP