Plug your holes... with lawyers!
HAHA! Nice try PwC. You're nicked, mate. Get as many lawyers as you can, and stuff them down the hole! WAY DOWN!!1!
note to self; add PwC to the target list.
A security tool built for SAP systems by PricewaterhouseCoopers has turned out to have worrying security holes of its own. German security research firm ESNC has been analyzing the Automated Controls Evaluator (ACE), which extracts relevant security and configuration data from an SAP system, analyzes it, and generates …
I'm at a bit of a loss to understand this one.. can anyone tell me why an audit extraction app would need anything other than read only access? I can see how it could access and export sensitive data but why would anyone ever give it rights to inject anything into the SAP environment at all?
Agreed, read-only access to the configs and metadata would be sensible, but maybe the ACE software is so badly written that it will only run as the "superuser"? Or maybe reading configs in SAP needs full rights (in which case SAP Corp have questions to answer as well)?
If the audit software has an access vuln itself, it could then be modified to read and change anything.
I'm at a bit of a loss to understand this one.. can anyone tell me why an audit extraction app would need anything other than read only access? I can see how it could access and export sensitive data but why would anyone ever give it rights to inject anything into the SAP environment at all?
Well, duh, it's simply PwC planning ahead. Just do a search for "PwC scandal" and you'll find fun stuff such as what happened at Tesco and Petrobras, things like LuxLeaks and various other tax evasion scandals (which feature that other frequently appearing company when anything dodgy happens, HSBC) - the list goes on and on.
(From the article) "This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money."
By leaving a giant hole, PwC appears to have been planning for the Shaggy defence when caught again, planning to claim "it wasn't us but them dodgy hackers and we're shocked about the evidently shoddy security but that should certainly absolve us from any responsibility (yada yada)".
That also explains why the people who discovered this got a lawyer's letter instead of the reward they deserved - they probably just ruined the purchase of a couple more yachts for management..
Not all security problems are by accident, and neither are badly executed audits.
Because it's just software, and within SAP there is BUGGER all to stop a program from doing stuff once it's running. If you are properly configured some system calls (functions and classes) will check authorisation objects, but if your ABAP is running then you're already on the inside and all bets are off. It should have been audited, but that is easier said than done and you can bet most companies don't have the will or resources to do it.
Basically SAP assume that the writer of ABAP knows what they are doing; if the code is shite on the security front (which it usually is) then the result is shite on the security front. Having seen what SAP and most third-party vendors write, I'm not surprised. It is possible to write good ABAP for SAP systems and have a program with decent security and the right functions, but it's a rare thing to see... To be honest most code I've seen is dire on more than just security: crap usability, crap performance, eats memory like it's going out of fashion and impossible to debug, extend or fix. Most companies don't see the code that's on their SAP boxes and most never audit a thing.
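To make the point above concrete: the authorisation check the commenter describes only happens if the ABAP program performs it. Below is an added example (not code from the thread, from PwC's ACE tool or from ESNC) of a generic read-only extract report that does the explicit S_TABU_DIS check before touching the requested table. The report name and the fallback group are assumptions; S_TABU_DIS, its DICBERCLS/ACTVT fields and the TDDAT table are standard SAP objects.

```abap
REPORT z_guarded_table_extract.
* Added example, not the ACE tool's code. Assumption: the caller passes
* a table name and may only read (display) tables whose authorization
* group they are cleared for. Without the AUTHORITY-CHECK below, a
* dynamic SELECT FROM (p_table) reads any table the running program can.

PARAMETERS: p_table TYPE tabname OBLIGATORY.

DATA: lv_authgroup TYPE tddat-cclass,
      lr_data      TYPE REF TO data.
FIELD-SYMBOLS: <lt_data> TYPE STANDARD TABLE.

* 1. Resolve the table's authorization group from TDDAT.
SELECT SINGLE cclass FROM tddat INTO lv_authgroup
  WHERE tabname = p_table.
IF sy-subrc <> 0.
  " Tables with no assignment fall into SAP's default group &NC&.
  lv_authgroup = '&NC&'.
ENDIF.

* 2. Explicit authorization check: display (ACTVT 03) on that group.
*    This is the call that "checks authorisation objects"; the kernel
*    does not perform it on the program's behalf.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD lv_authgroup
  ID 'ACTVT'     FIELD '03'.
IF sy-subrc <> 0.
  " sy-subrc 4 = no authorization, 12 = no authorization for the object.
  MESSAGE 'No display authorization for the requested table' TYPE 'E'.
ENDIF.

* 3. Only after the check: read-only, bounded extract of the table.
CREATE DATA lr_data TYPE STANDARD TABLE OF (p_table).
ASSIGN lr_data->* TO <lt_data>.
SELECT * FROM (p_table) INTO TABLE <lt_data> UP TO 100 ROWS.

WRITE: / 'Rows extracted from', p_table, ':', sy-dbcnt.
```

The design point is the one the comment makes: the authorisation object is only consulted because the program asks. A vendor tool that builds and runs generic code without that step, or that performs updates rather than the SELECT shown here, inherits whatever the executing user can do.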
I bet PWC's technologists wanted a more proactive technical response, but they got overruled by the dominant business side of the company, who wanted to clamp down on reputational damage and unscheduled delays and expenditures to fix the vulnerability in ACE.
Unfortunately probably the exact reason PWC shystered up. Software will have bugs and these bugs will be discovered by someone over time. The question is whether it is a white hat or black hat who found it. This has been reported by a white hat but what we do not know is if any black hats found it first. Too many security incident reports indicate the hack was not discovered until much later. In cases where the hackers leaked information to the dark web, was it ever discovered?
So what would happen if they thought that the potential legal action might have an impact on their year end accounts? Would they have to file a report with the securities exchange committee saying "After we found a security hole in XXXXs application and informed them and offered to help, they threatened us with legal action, which may be a risk for our year end accounts".
Obviously they haven't done anything wrong! If there wasn't the threat of legal action, they wouldn't have had to do it, and the bug could have remained undisclosed while it was being fixed. Instead, at least its existence would have to be disclosed instantly.
Why do people give deadlines anymore? Better to say please fix this in a timely manner. If they don't act in a reasonable time then release the vuln anonymously. If the company doesn't fix it then you can still claim you notified them and someone else also recognised the issue; that's what finding vulns is all about, saying that other people are also capable of finding them but not disclosing. Even anonymous posting is better than keeping it to yourself: it warns the public about issues and the company sees that providing a good product is more profitable than hoping vulns don't get discovered, and that hushing up subsequent security breaches isn't good business.
"If they don't act in a reasonable time then release the vuln anonymously"
1: They'll still lawyer up
2: Even if you release anonymously past that point they'll still lawyer up on you, on the basis that you probably did it.
The one thing PWC have absolutely guaranteed is that NOBODY will ever bother giving them advance notice of vulnerabilities again.
Further, they've provided ammunition for the camp that argues immediate disclosure is in the best interest.
PWC have a long history of book-cooking and tax-juggling (http://www.bbc.co.uk/news/business-31147276 , http://www.taxjustice.net/tag/pwc/ etc etc) ...so why assume these "features" are actually bugs? Surely "...manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money..." is exactly the kind of functionality you'd want if you're running an operation as shady and disreputable as PWC.
"tax juggling" is, however, above-board, constructed outrage to be consumed by the tax-victimized hoi polloi notwithstanding (one wonders whether they have been promised additional free money by their electioneering representatives? nah, can't be)
Yeah BBC. "PwC promoted tax avoidance 'on industrial scale', say MPs" Shock horror, you don't say. Is that more or less bad than being Ghaddafi? Well, that's what PwC is getting paid for, innit.
And with the usual truthiness of the BBC: " tax havens like Luxembourg". Yeah, no. It's a tax hell like every eurosocialist state.
You may not like it but some people have the means to avoid the state's money grab (while you get saddled with high VAT, LOL!)
I'm not that surprised that something like this has been picked up; there are lots of vendor tools using exactly the same lazy techniques to auto-generate code. PwC are unlucky as they are an easy target & their response was pretty crappy. They really should have been whiter than white. There will be plenty of vendors scrambling to check their code now. I would have imagined a fair few of them would have been scanned by VirtualForge, who pretty much own the SAP code scanning space. They don't really need to publicise though. You have to also question SAP for continuing to make those techniques available; doing away with that would likely require a lot of refactoring (and vendors are "encouraged" not to scan SAP code outside of direct collaboration with them).
For those commenting on the tool, ACE is the bane of many junior SAP auditors' lives. It uses client-side ABAP programs to generate extract files which are taken and processed separately to identify stuff like segregation of duties conflicts, change control settings, configurable control settings etc. From what I remember it can't be used to make updates, though it sounds like the programs could be subverted.
Indeed.
IIRC PwC picked up the remains of Arthur Andersen, the "auditors" of Enron.
And it looks like it's been infected with some of their old corporate culture.
Like others I'm gobsmacked this needs write authority on anything and I could certainly see someone playing the Shaggy defense if anything happens at any of their clients.
I'm presuming they don't think anyone of any importance in their clients reads El Reg so they won't know.
I think PwC may be surprised.
In the U.K. Deloitte hoovered up the AA audit teams but it varied for other countries.
Putting this into context, this is crappy coding but not uncommon among vendor or SAP code. I would also be surprised if this was remotely executable for any organisations following the standard security guidance provided by SAP.
The really depressing thing is that this is probably the right response. The sort of people who make the decisions to use this sort of software who hear about it aren't going to understand that shooting the messenger is a bad alternative to accepting the message and fixing the problem; in fact, they'd probably do the same thing themselves. And if it keeps the rest of the potential users from hearing about the problem it's served its purpose.
ESNC & PwC aren't in competition. PwC's ACE is an audit support tool. It extracts the information used to audit SAP systems, generally for the purposes of supporting statutory audit. Primarily ACE performs Segregation of Duties reviews. The ESNC products are more focused towards technical security - VAs etc.
"The "Rebel Alliance" did not receive authorized access or a license to use the Death Star plans. The plans are not publicly available and are only properly accessed by those with licenses, such as Empire military staff working with trained Empire engineers," said the spokesperson. "The bulletin describes a hypothetical and unlikely scenario regarding a two-meter thermal exhaust port -- we are not aware of any situation in which it has materialized," the spokesperson said.