http://www.darkreading.com/database-security/167901020/security/application-security/229000524/exploits-target-sap-applications.html

By Kelly Jackson Higgins
Darkreading
Jan 11, 2011

A researcher at next week's Black Hat DC will show how attackers can target an enterprise's Web-enabled SAP applications by exploiting the way enterprises have misconfigured them, as well as some inherent design issues in the enterprise resource management (ERP) apps.

Mariano Nunez Di Croce, director of research and development for Onapsis, will demonstrate bypassing authentication in SAP Enterprise Portal, injecting a backdoor into a compromised SAP Enterprise Portal, internal port-scanning via SAP Web services, and exploiting vulnerable SAP Web services. Because SAP apps are becoming more Internet-connected, they are also becoming more of a target for cyberespionage, sabotage, and fraud purposes, he says.

SAP's Web-based apps include Enterprise Portal, Internet Communication Manager (ICM), and Internet Transaction Server (ITS), which come with security features. But Onapsis has found via penetration tests that most of its own customers, which include Fortune 100 firms, have not properly locked down their SAP apps, which typically run sensitive business processes, such as finance, sales, production, expenditures, billing, and payroll.

"Most customers don't change the default [user and password] settings [for SAP]," Nunez Di Croce says. "Ninety-five percent of them are susceptible to being compromised and to possible espionage and fraud" due to these default settings remaining unchanged, he says.

[...]
Received on Wed Jan 12 2011 - 00:34:38 PST