* Posts by Wedgie

31 publicly visible posts • joined 18 Jun 2013

Bank had no firewall license, intrusion or phishing protection – guess the rest

Wedgie

Re: What I don't understand...

Agree, as an ex-bank InfoSec bod, this has insider job all over it. Even if the bank is running a COTS platform, a fair bit of insider knowledge would be required to pull off what has been described.

Skills shortage puts SAP projects on hold

Wedgie

Re: Really "skills" issues?

These are mostly skills issues.

Lots of companies are upgrading/migrating from ERP versions to S/4, which is a reasonably chunky piece of work.

Initial take-up of S/4 was slow, hence there aren't that many people who really know how to do an upgrade, especially in a complex environment. Those with the skills are in great demand now but there aren't enough to meet demand.

This isn't exactly a new phenomenon but one thing we know and love about the SAP industry is that "experienced" project managers, implementers, consultants, love to make the same mistakes over and over again.

Spot the irony: India's Reserve Bank says outsourcing and offshoring are risky

Wedgie

There are a few things at play here.

For a while, Indian govt has wanted to control and have access to payment data, similar to what China has implemented. RuPay was a start but has limited adoption.

Earlier outages at HDFC & SBI enabled the RBI (regulators) to ratchet up oversight, with some of their requirements & practices being ridiculous & nonsensical.

Data localisation was the start, under the guise of privacy it’s putting data where Indian govt can exert more control. RBI decided to flex their muscles by preventing some FIs from acquiring new customers despite agreeing to proposed timelines.

Now they are going for development & operations. This is not about risks & resilience, it’s about access to their citizens' data and a degree of control over their finances.

Tax evasion is a big problem in India, but this is the thin end of the wedge.

Anonymous employee review site Glassdoor research: Tech companies dominate the best places to work

Wedgie

A few years back my missus used to run a program at a consultancy firm, the objective was to do well in these surveys.

A lot of effort went into ensuring that only the right types of people were selected to complete the surveys, a population of about 100. Those individuals weren’t coached, coerced, or otherwise encouraged to answer in a particular way, however they were pretty safe bets.

UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs

Wedgie

I don't think that's unreasonable, arguably there are some people in that role with a couple of years of experience covering the pre-implementation period & then living with the beast for almost a year.

You know the drill: SAP has asked Joe Public to name Munich arena so go forth and be very silly

Wedgie

Re: Sappropriate

Whoever downvoted this has no soul.

Probably someone who has chugged the S4 Kool Aid!

SAP can claim to change its culture, but can it convince customers?

Wedgie

Re: Ex-SAP victim

Out of SAP, Oracle & MS, I have found SAP to be the worst by far when it comes to licensing chicanery. Appreciate that’s just one set of experiences and I know companies that have been done over by Oracle & MS too.

Firefighters choke on Oracle's alleged smoke-and-mirrors cloud

Wedgie

Re: Ahhh, the Oracle we all know and love

It's standard practice from what I've seen with the big boys.

Fail licence audit - repay & also buy licenses for new cloudy stuff to the value of the deficit. Kerching, more maintenance fees.

Brit escorts: Without the internet to keep us safe, we'd be totally screwed

Wedgie

Re: Gee Dee Pee (on me) Arr

That would be an interesting examination of the Legitimate Interest concept.

SAP customers won't touch the fluffy stuff... so here's another on-prem HR data tool

Wedgie

In a number of respects the SAP cloud products are more attractive than on prem (in particular around encryption & security in general).

It's a difficult one for SAP but one of their own making. Lots of their clients are happy with business suite & the usual add-ons. Tens of millions of people know how to use it (they may not like it but they do know it). Large customers are fully invested and have ecosystems supporting SAP. Cloudify it too much and lots of that value is lost. SAP are desperate to get hosting/support/config revenue off the SI's and into their pockets. From what I have seen customers are keen to migrate their workloads onto cloud but don't want the "reimagined innovation platform" type bollocks that SAP are peddling.

SAP fondlers: IoT? Machine learning? Woah there, we still don't understand licensing

Wedgie

It’s all puff

The reason people aren’t buying into Leonardo is not licensing, it is that it is almost entirely without substance.

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'

Wedgie

In Big4 it is an "us & them" culture between back office services and advisory teams. Rarely will the two ever meet and when they do there will be great resistance from the back office teams. This is the sort of shit storm that results.

Deloitte goes all gooey for SAP HANA on AWS

Wedgie

Re: So...

I'm pretty certain that use of AWS doesn't preclude comparable secure, performant, reliable services being provided for SAP.

Fatal flaw found in PricewaterhouseCoopers SAP security software

Wedgie

ESNC & PwC aren't in competition. PwC's ACE is an audit support tool. It extracts the information used to audit SAP systems, generally for the purposes of supporting statutory audit. Primarily ACE performs Segregation of Duties reviews. The ESNC products are more focused towards technical security - VAs etc.

Wedgie

Re: "manipulate accounting documents and financial results,"

In the U.K. Deloitte hoovered up the AA audit teams but it varied for other countries.

Putting this into context, this is crappy coding but not uncommon among vendor or SAP code. I would also be surprised if this was remotely executable for any organisations following the standard security guidance provided by SAP.

Wedgie

I'm not that surprised that something like this has been picked up, there are lots of vendor tools using exactly the same lazy techniques to auto generate code. PwC are unlucky as they are an easy target & their response was pretty crappy. They really should have been whiter than white. There will be plenty of vendors scrambling to check their code now. I would have imagined a fair few of them would have been scanned by VirtualForge who pretty much own the SAP code scanning space. They don't really need to publicise though. You have to also question SAP for continuing to make those techniques available, doing that would likely require a lot of refactoring (and vendors are "encouraged" to not scan SAP code outside of direct collaboration with them).

For those commenting on the tool, ACE is the bane of many junior SAP auditors' lives. It uses client side ABAP programs to generate extract files which are then processed separately to identify stuff like segregation of duties conflicts, change control settings, configurable control settings etc. From what I remember it can't be used to make updates though it sounds like the programs could be subverted.

SAP fixes gaping authentication bypass flaw after 3 YEARS

Wedgie

I'm not disputing that there are 256-odd systems discoverable with that service.

It has been a slow news month for SAP with regard to reporting security bugs and for the article (not the vendor) to say it is critical is simply not the case. It relates to information disclosure which at worst, could be used to support an attack to be crafted.

Wedgie

A fair bit of hyperbole here. The authentication bug was for an information service & the info that can be gained isn't particularly useful, certainly not a critical prior and not classified by SAP as such.

With regard to giving code to customers - in general it is (with a few exceptions). While it's not open source, it is available to anyone with an SAP system - a lot of customers & partners.

Trumped up lobby group tries to get EU data protection watered down

Wedgie

Re: Can understand SAP having issues

Historically I don't think SAP would have been too bothered, after all where their customers' data is, is not their problem.

Now SAP are going all out on a cloud strategy where SAP hosts, all of a sudden it can bite them on the bum rather than just their customers.

Most SAP HANA installs poppable with default keys, hacker says

Wedgie

Yes, this has been documented in SAP help & SAP recommends to change the default shipped key. I don't consider this particularly newsworthy but then again I am not trying to flog a product!

SAP crypto offers customers choice of remote code execution or denial of service

Wedgie

Re: Why "Crypto"?

There is a common misconception within the SAP industry that traffic is encrypted rather than compressed & obfuscated. SAP recommend that encryption is enabled but <10% of customers actually do it (either using SAP tech or other solutions). It seems that the term has been used to drum up a bit more excitement.

Rackspace in Crawley: This is a local data centre for local people

Wedgie

Re: Nice picture ....

It's Crawley. The kit was probably nicked in the time it took the 'tog to press the shutter release and the shutter errrr releasing.

BlackHat talk hibernated over 0-day in SAP's Afaria mobile manager

Wedgie

Publicity

They would have had a good idea that the patch wouldn't land before the session, pulling out at the last minute sounds to me like a publicity stunt.

The ERPScan team do a good job, no need for marketing stunts.

SAP unveils its biggest thing for 20 YEARS: Core suite with HANA

Wedgie

Putting it into perspective it's not like the competition are any better when comparing like-for-like.

Guess who SAP's picked for UK boss? Yep, it's a distie man

Wedgie

Re: Is it just me

When it works it's not unproductive but the rest still apply.

SAP: It was our Big Data software wot won it for Germany

Wedgie

SAP understands football better than er...football

NFL prediction wasn't quite so accurate

http://www.itbusiness.ca/news/denver-broncos-to-defeat-seattle-seahawks-in-super-bowl-big-data-analysis/46604

SAP NetWeaver flaw spews user tables

Wedgie

Re: Slow And Painful

SAP have really upped their game in the security area over the last 5 years. While many, many customers subscribe to security by obscurity, the same doesn't apply to SAP.

The problem is that many customers will not invest in securing their assets using standard mechanisms that SAP have provided for years, partly because it is, just like you say, an utter faff to patch around release cycles.

Wedgie

Yet another exploit facilitated through too much RFC access. Who woulda thunk it.

Hey, G20. Please knock it off with the whole tax loophole thing - we're good guys, really

Wedgie

Plenty are at it

I've got plenty of clients who have done the same. Set up an entity in a low(ish)-tax location e.g. Switzerland.

Step 1. Transport some staff to Head Office & claim that's where decisions are made, sales happen & risk is taken (therefore where tax should be paid)

Step 2. Set up new companies overseas & transfer manufacturing, service, distribution and local procurement into those companies.

Step 3. Operate tolling system where H/O owns stock & pays local manufacturers to convert raw materials into product & ship on behalf of Head Office.

A few honchos move, lots of people get new contracts in the new companies.

Enterprise giant SAP's systems take a probe to the wobbly bits - report

Wedgie

Nothing new here

We've been able to find SAP systems through internet searches since the days of ITS and early SAP Portal. It would have been a trivial matter to try some default user accounts.

Other posters have commented on the reality of the tests & possible scaremongering tactics. For all their sins SAP does generally produce reasonably secure software. The problem is that most of those paid to secure it do not understand how to secure the assets using standard delivered SAP functionality and standard security techniques.

SAP users slack, slow and backward on security

Wedgie

No surprise

Unfortunately this is no surprise to many of us working in the SAP security field. SAP are working very hard to improve, unfortunately clients are struggling to care.

Some key themes:

1. Security admins' main knowledge is around building roles/permission structures and user admin. The technical side is neglected (despite being covered quite well in certification) and there is a big gap.

2. Patching is time consuming and many organisations require full regression testing for each set of patches. Across 20 productive systems (each with a supporting application stack of 2-5 systems) covering a full scope of business processes that comes at quite a cost (though not as much as a breach of course).

3. IS teams rarely talk to SAP teams. SAP has been treated as a silo & there is a disconnect between IS and their SAP counterparts. Many SAP admins do not understand the impact of vulnerabilities, the IS teams struggle to use terms that the SAP guys understand.

Fortunately some people do "get it" and plenty of orgs are doing good stuff & SAP is committed to make it easy for people to do the right thing.

Disclaimer: I work for a company doing security for SAP