back to article Most SAP HANA installs poppable with default keys, hacker says

ERPScan technology boss Alexander Polyakov says default security settings are exposing passwords and root keys in SAP HANA to external attackers. Attackers can use universal default keys to decrypt encrypted passwords used by the in-memory, column-oriented, relational database management system. Polyakov says administrators …

  1. Stretch

    I work with HANA everyday. It stores all its data on disk, ofc it does. How else would it do it? Its loaded to memory as needed.

    Tbh, there are much much more important things to criticise about HANA than default settings being unsecure. The very poor performance and serious bugs in SQL impl. The lack of clustering for rowstore tables. The lack of active active support. The lack of ACID. The downtime required for upgrades, typically a week. The incredible cost. The political sillyness.

    As you point out, the guides already tell you how to do it right.

  2. hfhghg6767

    Yes, no active/active, but you can work around that by pushing more functionality into the application layers, and using synchronous replication. It would be nice if it would come built in from start though, and it is not realistic in all environments to start messing around in the application layers.

  3. This post has been deleted by its author

    1. David Dingwall

      So not a lot has changed then? SAP R/3 releases 1.2, 2.X, and early 3.X did not force OS service account password changes, nor forcing changes to Client accounts SAP* and DDIC in each and every Client. As a consultant we TOLD customers to change them, WE CHANGED them manually where we could, but still there were test and QA systems with copies of production data still running defaults.

      Your typical bang-head-on-concrete-post situation.

      It took a two step product install addition to fix this, and all of a sudden things went very very peaceful for on-call BASIS consultants, and database architects.

      The downside of a product technology swap are all the lessons lost by the old support group not taken on board by the eager new product team.

    2. Wedgie

      Yes, this has been documented in SAP help & SAP recommends to change the default shipped key. I don't consider this particularly newsworthy but then again I am not trying to flog a product!

  4. Anonymous Coward
    Anonymous Coward

    The questions needs to be asked - Why does any product ship with default keys and why can't the key be generated during the install?

  5. Anonymous Coward
    Anonymous Coward

    Looks like SAP has already pro-actively addressed this concern http://scn.sap.com/community/security/blog/2015/06/25/important-information-about-changing-default-keys-in-sap-hana

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022