Dr. Vaman Ph.D CISA CGEIT

SAPocalypse – Anonymous Hacker Group Targets SAP systems – a Paladion View

In Enterprise Risk Management, ERP Enterprise Resource Planning, SAP Security on November 10, 2012 at 7:57 am

Anonymous Hacker Group Targets SAP systems

Hackers from the Anonymous group have claimed to have hacked & leaked Greek Ministry of Finance confidential documents, passwords and logins. The purported hack was to protest the worsening economic conditions in Greece, which has seen tough austerity measures, according to a document posted on AnonPaste

(http://www.anonpaste.me/anonpaste2/index.php?96dca2501712c2bd#7zC3Gk22bl9xGtQbWaaWEeEu46UElidVHWqL/lUNV+0)

Besides the attack itself, which is yet to be confirmed, one of the most distinct aspects of these news is in the very last paragraph of the Hacker group’s message, where they claim: Quote

“We gained full access to the Greek Ministry of Finance. Those funky IBM servers don’t look so safe now, do they… We have new guns in our arsenal. A sweet 0day SAP exploit is in our hands and oh boy we’re gonna sploit the hell out of it. Respectz to izl the dog for that perl candy.” Unquote.

Mission critical Enterprise Business systems such as SAP is gaining focus due to emergence of targeted attacks and adaptation of cloud and mobile technologies that exposes SAP services to the Internet. The SAP ecosystem is complex and needs a comprehensive security strategy design & monitoring incorporating process and technology controls.
SAP ERP and Extended ERP solutions such as SAP SCM, SAP CRM, SAP SRM are the core business platform for many global organizations. The Business Critical nature of the SAP system, and the risk of a Single-point-of-Failure, it is important to manage the SAP risk by enhanced SAP Application & Business Infrastructure Security & GRC framework, policies and Security applications. The SAP ecosystem is complex and needs a comprehensive security framework incorporating process and technology controls.
• SAP has published over 5000 pages of Security and GRC Guidance, over 2600 Security Notes and Patches to secure the SAP Platform but it is practically impossible for an organization to understand the SAP Security guidelines and keep pace with the ever changing Security scenarios.
• It is to be noted that SAP as a Vendor takes 6-18 months to release a Security patch from the time the vulnerability is discovered or reported. So Your SAP platform may not be secure during this patch fix period!

So What do we do?

Assessment & Remediation Services
A full review of your security architecture and SAP business Infrastructure ( BASIS/ NetWeaver/ EP/ OS/ DB conducted by Paladion’s expert consultants can provide insight into vulnerability in your SAP Design & Configurations. Paladion’s experts can then provide recommendations to mitigate those risks or implement the required security architecture changes because we constantly monitor for emerging and known SAP vulnerabilities (http://www.sdn.sap.com/irj/scn/index?rid=/webcontent/uuid/50316177-762d-2f10-0993-a2206cc349b4)


SAP Penetration Testing
Penetration testing is a process simulating the attack on the SAP system as seen by an attacker that can help demonstrate how easy it is to gain access to SAP mission critical data or check the effectiveness of security configurations and parameters implemented.

Penetration tests enables finding potential system breaches that would enable an attacker to gain access to business critical data or exploit vulnerabilities motivated by espionage, fraud and sabotage. Paladion consultants are both qualified penetration testers who assess various software from the largest companies, Banks etc, and SAP security experts.

We recommend this service for SAP Customers:
If your company takes the first steps on the long journey to improve security of SAP solutions and chooses to explain to the executive management how important it is to invest in security by showing the way an attacker can gain unauthorized access.
If your company determined the processes for information security management and began implementing the measures for the system security control to assess the effectiveness of these measures.

SAP Security Assessment
To protect the system correctly, you need to know what to protect against. We are well aware, in great detail, of the way SAP systems are attacked and we can help you to analyze your system effectively for security gaps at both stages of development and production run. We can make a comprehensive assessment of your system by checking its security at all the levels, from landscape architecture, network settings and OS configuration to the technicalities of DBMS configuration and different kinds of SAP components. Significant attention is paid to the security of client workstations (SAP Frontend) and Web services, which is considered to be one of the critical elements but is, unfortunately, less secured. The following checks are conducted during the assessment:
• Assessment of network settings and landscape architecture;
• Assessment of OS security with SAP components deployed;
• Assessment of DBMS security with SAP components deployed;
• Assessment of SAP NetWeaver security;
• Internal assessment of access control;
• Assessment of SAP components:
o SAP Message Server
o SAP Gateway
o SAP Portal
o SAP ICM/ITS
o SAP Router
o SAP GUI
o Etc.
Deep Dive assessments will include –
• Review available authorization policy documents, check whether policies are being followed and review process efficiency and adoption,
• Access by users or user classes and by support and service provider, we analyze reporting and check on effectiveness of housekeeping & operational security processes
• Segregation of duties definitions and conflicts, incident response processes, and consider compliance issues if relevant
• Methods and controls for bespoke programs, transactions, authorizations etc.
• Use of table access, access to restricted objects, use and process for all known super users and categories of “power” users
• Best practice for key system parameters and password mechanisms
• Review authorization team operations, training requirements and advice on opportunity to reduce security costs through automation and process improvement

Advertisements

Cloud Computing is dangerous – doesn’t mean it’s not worthwhile!!!WOW!

In Enterprise Risk Management on August 9, 2012 at 7:08 pm

In my last Blog “Collapse of Complex Systems – Your Enterprise Systems are nearing Extinction” I promised to write about possible solutions – if you also share my views that your ERPs and other Enterprise Systems are nearing EoL – End Of Life and consuming too much space, energy and money… returning a pathetic ROI. 

One option could be to look at Cloud Computing! But caution! There is a lot of Hype around Cloud Computing and you will see Gangs of IT guys moving in love with Cloud Computing with their heads on the clouds!

Be careful! Don’t decide anything fast because IBM/ SAP/ Oracle said so etc stories. The same guys sold you the white elephants – remember?

1. CIO/CTO – Create an asset list – a list with all your IT systems ( I know you don’t have one!)

2. Have brain-storming sessions / water cooler discussions with business guys – how they feel about current affairs and their pains etc

3. Pick and choose – a Pilot – say your CRM system ( pick the Enterprise Function/system that will benefit most from cloud computing advantages..say move a slice of your low hanging fruits) Never go by Gartner Magic Quads and Forrester Reports – all these analyst reports are – a. biased b. paid marketing c. hype

4. Explore various Cloud options – choose what works for you ( negotiate with IBM/SAP or your Vendor to get the best deal – ask them what will you do with the white elephant they sold you?)

Do not believe the story that Cloud Security is better – step up / step down security blah blah – there is no such a thing as Cloud Security as of now – its an evolving subject! Look at what Shawn Drew says about Cloud Computing – . WOW! Shawn admits Cloud is a dangerous place to put your head in – but then he says it is worthwhile – for what? To get your head chopped? or It is worthwhile for Cloud Computing Vendors! may be…

5. Wait & Watch for a year – look at the SLAs, the Cloud Providers Security, His behavior, Cost, Operational aspects, How many go out of business, and make your own Capability/ Maturity/ ROI calculations

6. Also consider you and your IT Teams have a family! If you put everything on the Cloud and close your data centers and IT Depts.- what will you do? You can not accept a posting in the Supply Chain warehouse as CWO – Chief Warehousing Officer? Can you? Or you and your team can take an early retirement and start an NGO for fighting Environmental Impact of Cow Pollution (Cows emit Methane & Ammonia by belching and Farting! its a major pollutant- worse than Carbon Dioxide ) etc…What will happen to the poor CISO? ( see now it has become a major family and existential problem!)

Pick a few good CIOs and ask for their cloud plans and be honest and then wait – yes wait for some more time – Cloud should come out of the clouds! More mature players will emerge and more competition will bring better cost structures, deep services etc. Be one step behind the Leaders – the so called early adopters – count how many are alive, How many got hacked, how many are dead. Also take an inventory of Fired CIOs looking for an opportunity – Talk to them, they will tell the truth! That will give you the right picture.

One smart move you can make – first try using the cloud for your DR – yes – BCP etc and Disaster Recovery. Just keep a critical business application ready in the cloud – without stopping your current operations. It may be a bit expensive – but you can get a deal if you say it is only a DR system.

What is this? Prudence and Patience.

What is the Great Steve Wozniac thinks about Cloud Computing?

The Apple co-founder expressed some concern at people moving their data and applications onto remote public servers.

“With the cloud, you don’t own anything, you already signed it away,” said Wozniak. He then expressed concern at the lack of control that people have when they move data onto the cloud and predicted that there would be a lot of “horrible” problems in the next five years, calling the potential situation “horrendous.”

Do you want to find your self in a Horrendous situation? NO.

Read Wozniac Here: http://midsizeinsider.com/en-us/article/wozniak-off-base-with-cloud-computing-co

The Full story ( for those who are too lazy to go to that website!)

The cloud seems to be becoming a polarizing force within the technology industry. Its proponents are lauding its virtues while its detractors lament the loss of the way things were and warn of dangerous times ahead. Apple co-founder Steve Wozniak recently wandered into the discussion about cloud computing, expressing concern about data ownership and the loss of control. While his comments may have some merit, overall the fears about data control are severely overblown.

Wozniak on the Cloud

After a recent performance of Mike Daisey’s “The Agony and the Ecstasy of Steve Jobs,” Steve Wozniak took some questions, and the conversation eventually steered toward the cloud. As reported inChannelnomics, the Apple co-founder expressed some concern at people moving their data and applications onto remote public servers.

“With the cloud, you don’t own anything, you already signed it away,” said Wozniak. He then expressed concern at the lack of control that people have when they move data onto the cloud and predicted that there would be a lot of “horrible” problems in the next five years, calling the potential situation “horrendous.”

While one could raise some questions regarding these statements and Apple’s current set of service offerings, Wozniak hasn’t really been involved in Apple’s business decisions in a while, so that comparison would be unfair. The reality is that Wozniak’s comments are just one of many as people speak out about the dangers inherent in cloud computing, but just because something is dangerous doesn’t mean it’s not worthwhile.

The Realities of Cloud Computing

Steve Wozniak’s comments could be looked at as a question of cloud security, and he would be far from the only person to question it. Moving storage and application data out of a dedicated data center and into the hands of a service provider means that an individual IT manager has significantly less control over the security protocols surrounding that data. The question now is, is this really a bad thing?

For an effective IT manager who remains up-to-date on risks, enforces strict password controls, and continuously reinvests in security software, their data will certainly be less secure in the cloud than it would be on their servers. However, this doesn’t describe very many IT managers.

Whether through lack of funding, lack of time, lack of people, or just a lack of knowledge, most internal systems remain ridiculously unsecure. This is especially true in many midsize businesses, where resource commitment remains a significant barrier to full system control.

In situations like these, the security of a cloud provider may be a step up instead of a step down. Reputable cloud providers will have teams of people making sure that all the latest patches are in place, that the newest risks are known, and, most importantly, that the employees with wide system access have been properly trained in security measures.

While small amounts of mission-critical information may still be safer on locked-down internal systems, the main chunk of day-to-day information for many midsize businesses may really be more secure on outside systems, creating a cloud solution without any real drawbacks.

Now, Wozniak’s comments may also be referring to the actual ownership of the data, claiming that cloud computing contracts really move data ownership to the cloud provider, or, at least, that the control of the data is a reflection of ownership. The industry is still small enough to be self-policing in this regard, as any mishandling or intentional misappropriation of a company’s data would spell the end for the cloud provider and wrap its leaders into court battles for years.

Data security in the online world has always been a balancing act between security and availability. In the early years of the cloud, availability won out, since this was a large part of the allure of the cloud to begin with. As time progressed and cloud adoption rates have to run into a wall of security fears, cloud providers have taken several steps to increase data security and provide IT managers with piece of mind.

The reality is that the benefits of the cloud currently far outweigh the risks. Midsize businesses who continue to internalize all their IT operations run the risk of being left behind by competitors taking advantage of the scalability and big data capabilities in cloud solutions. Yes, there are always risks when handing over your data to a third party, but is a truly “horrendous” situation just on the horizon. No.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Like us onFacebook. Follow us on Twitter.

$440Million Gone in 45 Minutes! Knight Capital Magic Trading Software!!!

In AUTHENTICATION, IT Security, Secure Development Lifecycle, Software Testing & Security on August 8, 2012 at 7:19 pm

A Trading Software that goes berserk & almost Bankrupts Knight Capital. Total loss $440Million! In 45 Minutes!

Here is HOW it happened

Knight Capital, a firm that specializes in executing trades for retail brokers, took $440m in cash losses Wednesday due to a faulty test of new trading software. This morning reports were calling it a trading “glitch”. The broad outline of the story is here and more colorful, bloody details are here.

Briefly, here’s what happened: Knight Capital’s worst day in IT started Wednesday morning with a test run of its new trading software. The company set up the software to work with only a few stocks. They also set the buy/sell points well outside where the markets were currently trading to ensure that nothing would actually execute.

But somehow – and this will probably be the subject of several lawsuits, books, and maybe even a Broadway musical – the software didn’t behave as expected. It went out and did what it was designed to do: execute lots and lots of trades very, very quickly.

Unfortunately, the trading algorithm the program was using was a bit eccentric as well. Knight Capital’s software went out and bought at the “market”, meaning it paid ask price and then sold at the bid price – instantly. Over and over and over again. One of the stocks the program was trading, electric utility Exelon, had a bid/ask spread of 15 cents. Knight Capital was trading blocks of Exelon common stock at a rate as high as 40 trades per second – and taking a 15 cent per share loss on each round-trip transaction. As one observer put it: “Do that 40 times a second, 2,400 times a minute, and you now have a system that’s very efficient at burning money”.

As the program continued its ill-fated test run, Knight’s fast buys and sells moved prices up and attracted more action from other trading programs. This only increased the amount of losses resulting from their trades to the point where, at the end of the debacle 45 minutes later, Knight Capital had lost $440m and was teetering on the brink of insolvency.

Now what is more interesting than this major screw-up are the reader comments & the theories of how this happened!! Some say Chinese Hackers did that, Some say Iran and some say bad code and bad testing….Hilarious but makes you stop & think!!

Here are some samples:

This is a test.  Repeat.  This is a test.

Once we get you use to this, you’ll understand how a mishap like this can wipe your bank account out.

Oh, sorry, you can’t get it back, we don’t know where it went.

You can bet the Farm that once the software problem arose, every affected IT department (probably dozens) went into scramble mode to find the problem and point fingers saying “It’s not us”. Lots of shouting and angry phone calls demanding answers and politcal fallout behind the scene.  Remember this was headline news on CNBC.  A bunch of folks just got fired at Knight Capital is my guess.  Customer as a Beta Tester? Not in this environment.

To your point. If the algo was going nuts last night, why not kill the program? Why wait so long? Your right, something else is happening under the covers. Could be a virus, malicious code purposely written to inflict damage. Revenge? Could also be a coverup for other trading losses.

Even the most junior of coder couldn’t fuck up code this badly.

This is a hit, plain and simple.

A smart group of algo traders / coders shorted “KITE” and then dropped this little trojan into their system.

Game Over, who’s next. Be afraid. 3 G’s is right.

Daily Bail – How about – maybe you are very close (the Chinese did it). How about, the reason China Cord Blood went up several X was because (the Chinese did it) it was hacked from Guongdong and the greedy hackers were greedier than they should have been. Instead of hacking into Knight and placing trades on say, American and Israeli companies and planting the seed that the smartest Iranian did it, maybe they made a boatload of money, but knew they could double it because they were already long a native stock?

I’m probably crazy, but what I hear is that the Chinese have hacked so far through some firms that that can be done is to have the problem covered with tar paper by the NYSE and others.

Chinese hackers? No way. If that were the case, every time I checked my routers, I’d notice that ports up and down my router were being randomly pinged – all by Chinese IP addresses – or at least 95% from China, and that it happened several hundred times each day.

Oh, shit, wait – that is what I see when I review my router log.

Knight got the whack this time. More coming soon.  Looking back sometime in the future, the flash and this may become known as the straws that broke the camel’s back and the timing of PIMCO’s statement might become legendary. How many investors would there be if we all knew we weren’t just getting hosed by our brokers, who had the list of all the limit orders in front of them and all other GTC trades, but that the Chinese were hacking these guys? It’s more rigged than a Macao casino!!!

We’re FUCKED! (Oh yeah – let’s give those Chinese kids scholarships to MIT – that should help us. Let’s sell Lenovo to them – they probably couldn’t learn anything from owning the original IBM computer company. Let’s give them all our plans because they can build everything at 1/10th the cost – they won’t fuck us in the end.)

Why do deals with the Chinese all seem like the first deal street kids do with drug dealers?

Can you say “Flash Crash” – No , you say – “Frash Crash”. BITCHZ!

Your are way too innocent for this site. If they were hacked do you believe that they would tell the sheeple? NO WAY, it would be hidden like you can’t imagine with the complete complicity of the US government.

Otherwise, imagine the panic it’d create worldwide if the NYSE could be affected the way it was by rogue hackers that could be sitting in Iran or China.

This type of hacking could be lot more effective weapon than any neutron bomb that couldn’t possibly be used in today’s world, thus making them only “capital cost” that doesn’t produce anything tangible.

But the only way you’ll ever find out is by seeing the USA take NO real action against IRAN or CHINA when it’s obvious to all that it should. That will tell you that they have the USA by our neck.

Until next time,

Engineer

Note: never expect positive proof for sensitive news, you will need to infer them from the actions of the powerfull .0001%

I have worked designing and implimenting secure financial systems as a lead architecht and as a project or program manager for 20 years. I’ve worked at or with FDIC, OCC, the Fed and BAC. Done some smaller consulting with a couple of smaller banks and with some other financial groups. That and I have done work for Homeland Security and the Department of Defense.

One thing I have learned is that no matter how good you think that your security is….someone with time, resources and determination can find a way in. If hackers can get to the plans for the MX Missile they can get to an HFT algo.

AND, just as with any form of terrorism, they only need to get lucky once, you have to be perfect in defence every time.

How many of these HFT’s are out there?

What is the probability that at least a few will be vulnerable.

How many would you need to take over to execute a phased attack? Three? Four at most.

If you are the atacker, you do not even need to successfully mess up the trades or stock prices permanently. From the attackers perspective it makes no difference if the NYSE backs out or invalidates trades.

ALL that matters is that the very act of doing it completely undermines the trust in the market such that even the pros will not trade without a serious level of fear. Not to mention, that multiple attacks would see the regulators and congress scream to destroy and outlaw HFT and so take a huge chunk out of profits from some big players.

 

Been there, seen it happen. No one created it “intentionally”. Programming errors can have unpredicable consequences. And yes, it can take hours to figure out the issue and pull the plug because the complexity and lack of knowledge.  I was in that industry for 30 years.

A system can have hundreds of software components each with multiple versions. It’s very easy when you package something together to pull the wrong version. There is actually configuration software to help you manage the process of assembling a system for production, but again if you label something incorrectly a month later it can come back and bite you because the version numbers changed, and you overwrote one tiny module of the current version with a prior one, etc. It can take days to track that down.

Programmers (aka Developer) are a lot “dumber” than they used to be. They do much less today. No more design, no more testing. Just get handed a spec with a delivery date. Write code, hand off, done.  Somebody else tests it. And it has to interact with other code segments, which the “Developer” has no access to. Somebody else has to find all the problems before it’s placed into real-time service, and work with the Developer to solve them. And if they don’t…you can have a disaster like you did today.

Could even be a spec (design) error. Todays “Developers” are trained not to think, just code to spec and deliver. In other old days you actually had to understand the business. Not anymore. So, if somebody just verified this met the spec and signed off and then went live, well, they all probably just got canned for not catching a problem the Spec had.

… and the really funny bit is that the specs are usually crap, because the technical analysis they were based on was crap, because the business analysis it was based on was crap. One is more likelly to win the lottery than to find a Business Analysis document that doesn’t contain contradictory requirements.

The Business Analysts are ex-sales types that don’t know shit about an organized, structured gathering, analysis and validating of business requirements …

The Technical Analysts don’t really exist and instead are some senior coder or other who has never worked in more than one or two systems and never saw enough to really know just how many ways there are to fuck up a system design …

The Programmers are some cheap guys in India who went into coding because you make a lot of money as a Programmer over there and have ZERO natural ability for it, while the few really good ones have been promoted to Project Managers (which they suck at) because over there the salary framework is so completelly screwed that an exceptional programmer makes less than a crap project manager (and, trust me, the management style in India is ridiculously bad).

It’s a damn near perfect shit-in-shit-out system.

In my experience, the way Investment Banks try and make up for this is to use at least 3x more people as a Tech company would for the same results (I’ve worked in both industries).

everybody jumps to the conclusion of a rogue algo and millions of losses, but what if this was a (second) test of a (new) algo and it performed as expected? Or the algo has been working successfully for some time and now got exposed for some reason?

Some stocks were bid up, others sold down – what if the net result of these 30 minutes of crazy trading was in fact ZERO, for instance two bots playing 148 pingpong games simultaneously in concerted action? e.g. Bot A flings stocks to Bot B in 100 share lots, increases the price at some subpenny step and then Bot B flings it back to Bot A at the same increment, then this loop is repeated non-stop until a new increment is added – intermittedly some real trades are executed with the “outside world”, most probably at a small gain or a zero balance. Some stocks traded millions of shares where on a normal day a few thousand are exchanged only. How can we conclude here that the number of trades was all REAL?

Meaning they can move any stock to wherever they want in just minutes, the price of a stock no longer matters – the real gains may have been taken in derivative plays that depend on the level reached by the manipulated stocks. Meaning this was not uncontrolled but planned. And this type of manipulation could have been going on already for months, if not years. If this is true, they may very well have shorted their own stock, offsetting the loss of company value by a multiple gain in a leveraged derivative play.

After Draghi spoke, the whole market moved up parabolically and subsequently sudden non-stop buying frenzies were unleashed on no additional news, pushing indices further up – by whom or by what? There were no drops, like everything was bought above a certain ask price along ever higher support lines. This was partly short squeeze driven, but perhaps the above scenario was running? Derivative interest and currency plays paid out big time last week, for those in on it at least…

I agree it doesn’t make sense that this firm let this happen without noticing it for 30 minutes – i mean, they all went for coffee?

smells like bullshit yes

Source : http://www.theregister.co.uk/2012/08/03/bad_algorithm_lost_440_million_dollars/

http://www.zerohedge.com/news/what-happens-when-hft-algo-goes-totally-berserk-and-serves-knight-capital-bill?page=3