Wednesday, March 30, 2016

Software security at SAP – data theft made easy – Süddeutsche.de

SAP makes programs that almost every company in the world uses to process sensitive information. For years the software had a major security hole.



From Max Hägler and Hakan Tanriverdi

It is a big word that the hacker Andreas Wiegenstein has chosen for this threat: Skyfall. It sounds like a great calamity, the sky falling in, as in the James Bond film of the same name. In fact, the Skyfall matter had the potential to do a great deal of damage, in the digital heavens as it were. Over several years, all customers of the German software company SAP were affected by a serious vulnerability that should have been as obvious to experts as the blue sky. Yet it remained undetected until Wiegenstein and his colleagues raised the alarm. Wiegenstein is one of the good guys, the hackers known as White Hats. With his Heidelberg company Virtual Forge he draws attention to security gaps, and that is how he earns his money. "The vulnerability is critical," the Federal Office for Information Security (BSI) says, confirming his finding. Gerold Hübner, SAP's security chief, also speaks of an incident of "very high priority". Now that all the gaps have been closed, the case can be recounted.

Many people know SAP only by hearsay; the company is not as present in the public mind as Microsoft or Facebook, but it is just as important. Entire companies are run with SAP software: personnel administration, the products in the warehouses, accounting, the online store, travel expenses. Virtually all major corporations and large institutions in the world use parts of this software: Coca-Cola, NASA, Daimler, Pfizer, General Motors, BP and RWE, to name a few. Half of all global financial transactions pass through SAP programs. SAP, from Walldorf in the Palatinate region, is the global market leader for such software, which is far more complex than a word processor on a PC or an iPhone game.

Of course, SAP programs have to be kept up to date, and the IT specialists at the companies using them need additional programs from time to time for new functions. At SAP, updates are handled through the Service Marketplace, a website with programs that can be downloaded with a click. It works much like an app store. And this is where the security issue lies: in the update process. For years it was especially simple, and thereby especially dangerous, because SAP had not always protected this process. Attackers could have inserted themselves into the update process and installed malicious software to retrieve sensitive customer information: personnel and financial data, plans, documents and orders, or chemical formulas. Everything that is stored and processed in the SAP system. This gate stood open for six years. Only the best hackers could do anything with this method, but the BSI states: "Such a gateway makes it simpler, that is undisputed." So the name Skyfall, which Wiegenstein settled on, does not seem misleading.



No program can ever be made perfectly secure; it is too complex

Data sent over the Internet is open by default, like a postcard. Hackers can therefore tap into the traffic, possibly intercept data packets, equip them with malicious software and smuggle them into other companies. Such an attack would have been possible with SAP downloads too, says Sebastian Schinzel, IT professor at the University of Münster, who helped uncover the Skyfall gap: SAP left it up to its users whether to forgo encryption, the protection that even ordinary users know from the small padlock the browser displays when they communicate securely with their e-mail provider. Without that protection, hackers could observe the requests and replace new software products from SAP with altered ones. Not using "https", as the technical term goes, was the first problem. "A relevant step was thus unencrypted," says Wiegenstein. Normally, modern computer systems would also notice such manipulation, because downloaded software packages carry a digital signature: when a Windows PC or Mac loads a new update, the computer checks whether the software was published by the manufacturer and has not been changed. But here was the second problem: "At SAP, the signature is not checked automatically," says Professor Schinzel. That had indeed been overlooked, "until we were made aware of it," says SAP security chief Hübner.

He was on a business trip in Nice when he learned of the case from the German researchers on October 15, 2015. Several hundred people work for him, examining the software at every stage for vulnerabilities, and he repeatedly engages external security experts such as Wiegenstein. Such people bring a different perspective and see mistakes that escape the company's own programmers. Still, nothing can be made perfectly secure, Hübner knows, and that applies to all software from any manufacturer. Especially since the most important SAP software consists of 319 million lines of code. Errors inevitably creep in. So it is always a matter of minimizing the risks as far as possible. Hübner quickly looked through the first documents on his computer and forwarded them immediately to Sid Rao, the head of SAP's round-the-clock security team. "On October 22 we then notified our customers," and on October 30 the first updates closing the gap were delivered, says Hübner. That was "very fast; in such cases the eight-hour working day of course does not apply." Only two weeks ago, in mid-March, did Wiegenstein and his two colleagues report on the case at a security conference in Heidelberg. Hacker ethics dictate such restraint so that the gaps cannot be exploited by malicious hackers.
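The two safeguards the article describes as missing, an encrypted transport and an automatic signature check before installation, are shown together in the following example. It is added here and is not SAP's code; the vendor key pair, the download URL and the package bytes are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

var (
	errPlaintext = errors.New("refusing download: transport is not https")
	errSignature = errors.New("refusing install: package signature invalid")
)

// VerifyUpdate refuses an update unless it was fetched over https AND the
// detached signature verifies under the pinned vendor public key. Both checks
// are mandatory, not left to the user as the article describes.
func VerifyUpdate(downloadURL string, pkg, sig []byte, vendorKey ed25519.PublicKey) error {
	u, err := url.Parse(downloadURL)
	if err != nil || u.Scheme != "https" {
		return errPlaintext
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(vendorKey, pkg, sig) {
		return errSignature
	}
	return nil
}

// SignPackage stands in for the vendor's release process: it produces the
// detached signature that ships alongside the package.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	pkg := []byte("constructed update package v1.0")
	sig := SignPackage(priv, pkg)

	// Genuine package over an encrypted transport: accepted.
	fmt.Println(VerifyUpdate("https://updates.example/pkg", pkg, sig, pub))
	// Same package over plain http: rejected before the signature is even looked at.
	fmt.Println(VerifyUpdate("http://updates.example/pkg", pkg, sig, pub))
	// A package altered in transit: the vendor signature no longer matches.
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0x01
	fmt.Println(VerifyUpdate("https://updates.example/pkg", tampered, sig, pub))
}
```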



Edward Snowden's documents show that the NSA exploits such vulnerabilities

But was that fast enough, given a gap that had existed for six years? Is it not possible that someone broke into some companies during that time? "To our knowledge there have been no attacks at this point," says Hübner. He admits he cannot rule it out, but there is absolutely no evidence. Well-configured virus scanners could detect tampering in downloaded software packages with great certainty, the SAP man believes. A "very interesting" case, says Joris van de Vis, also a white-hat hacker, who earns his money uncovering security holes for SAP and its customers. But, says van de Vis: "It is not the most critical vulnerability." The prerequisites are so demanding that only a few attackers are able to exploit it: mainly government intelligence agencies. The BSI and security researcher Schinzel likewise name intelligence agencies in particular as possible attackers. Among the documents of whistleblower Edward Snowden, slides appeared in which such attacks by the American intelligence agency NSA are described.

The sensitivity of the case, for SAP as well as for industry and for Germany, is evident in the fact that no DAX company wanted to talk about the gap. Only the Telekom subsidiary T-Systems, which runs the SAP systems for a third of the DAX companies, explained that it had noticed the vulnerability but had not classified it as particularly serious. That is probably also because T-Systems always insists on encrypted connections and checks the signatures of downloads. How widespread this practice is among SAP's 300,000 customers in total is unclear. When the computer scientists sat together in Heidelberg two weeks ago, professor Schinzel posed the question: Who checks the "digital signature" on downloads? Nobody answered.
