Opening the column
Infosectravel: here we will write notes about trips to information security conferences and exhibitions around the world, such as Kuwait, Africa, Australia, etc. European and American events such as BlackHat and Confidence will not be neglected either.
Wishes and comments are welcome. The format is completely new, although a couple of attempts have already been made (Kuwait, BlackHat, Confidence), and we do not yet know ourselves what will come of it.
It so happened that over the May holidays I went not to relax in Turkey but to work in Africa :)
In a nutshell: from May 7 to 9 the international security exhibition and conference ITWEB was held in Johannesburg, the largest city in South Africa. This year we decided to take an active part in it: give a talk and meet clients whom you don't often get to see in person. The trip looked all the more attractive because my colleagues had refused to go because of the heightened crime situation in the region.
First impressions
The first thing I saw when I checked into the hotel was this. Sorry for the quality of the photo; I shot it with whatever was at hand.

Great, brand new. And I had heard that children in Africa are starving ... Then there were Maseratis and Bentleys, but that was no longer so epic.
The first impression of South Africa is that it is apparently no different from America: the same shopping malls, the same buildings and roads, about the same number of "African Africans". But for two days I was not wandering the streets; I was defending the booth at the exhibition against the invasion of zombie mutants, telling them about the advantages of our product.
ITWEB is a fairly large event. Of course, it is not RSA or BlackHat, or even Infosecurity, but it does gather about 50 exhibitors. By this measure the exhibition is much larger than the average European counterpart, although if you consider that the conference is aimed mostly at business, it is clear where so many stands come from. About half of the exhibitors are well-known international brands (RSA, Splunk, IBM, Kaspersky); the rest are local companies, consultants and resellers. By the way, I was pleasantly surprised to learn that SensePost, known for its technical research, has its headquarters in South Africa and is successfully developing a second office in England.
Unfortunately, I can't say anything intelligible about the program, because I didn't attend any talk except my own, and nothing supernatural was expected, except The Grugq, who, by the way, is from South Africa.
Day two
On the second day of the exhibition I was pleasantly surprised by the news that our company, and I in particular, had won Hot Companies and Best Products Awards, which at that moment were being presented in Las Vegas.

I won gold in the "R&D Professional of the Year" category, and our product received bronze in the categories "Information Security and Risk Management" and "Security Software". Not bad, especially considering that the competitors were Net Optics, Cenzic, RedSeal, Norman, Application Security Inc and even SAP with the Afaria platform.
To celebrate this event, I treated the exhibition visitors to Beluga. People were slightly surprised at first, but then willingly joined the celebration.

Overall, the exhibition was not particularly impressive: as everywhere, SIEM and various magic "prevention of cyber attacks and APT" dominated among the solutions on show. It was therefore nice to hear this review of us from one visitor: "Well, at least something interesting; otherwise it's the same cyber-something everywhere."
Report
It is time to talk about the talk. This time it was not very technical, as the audience called for. And the area we have been investigating lately, incident investigation and attack analysis in SAP, is not about vulnerabilities at all but quite the opposite: how to detect traces of exploitation of those vulnerabilities using various log files, traces and other specific things. I'll describe the talk in general terms.
Since the topic of SAP security is still new for the region, half of the talk had to be devoted to general matters, though with South African specifics taken into account. For example, some figures were presented from this year's scan of the Internet for open SAP ports. In South Africa, as it turned out, quite a large share of the exposure is associated with routers: about 20% of these devices are vulnerable to information disclosure, and 5% to authentication bypass. For other services, on average the situation is about 2-3 times worse than the global statistics (we are talking about insecure services exposed to the Internet).
The main thesis of the talk was: "You will not protect yourself from everything; however, you must analyze system events in order to detect attacks quickly and react to them as fast as possible."
Why is this important for SAP systems? First, the thesis applies to any system. Second, about six months ago there was news about Anonymous breaking into the Greek Ministry of Finance via a 0-day vulnerability in SAP and publishing secret information on the Internet. Although no official confirmation of the hack has come either from the organization or from SAP, I can safely say that such a scenario is more than likely. And third, how many companies can really claim that they have not been attacked through their SAP systems?
On the one hand, even if an incident took place, it is unlikely to be made public. On the other hand, the results of our audits show that a very small percentage of companies are able to detect the fact of an attack at all. Even something as simple as logging is enabled by very few. We did a little research, and here are the results: about 70% of companies have the HTTP log configured for SAP, and only because it is enabled by default. With the other logs everything is much sadder. The percentages for the various logs are: Security Audit Log in ABAP: 10%, table access logging: 4%, Message Server log: 2%, SAP Gateway access log: 2%.
Looking at these numbers, you understand that hardly anyone can get a clear picture of possible hacking attempts. More importantly, even among those with logging configured, only a small percentage collect the information centrally in a place that cannot be modified, process the events and are able to correlate them.
Attacks on SAP Portal and J2EE applications
Now for specific cases. In this talk we examined in detail only attacks on SAP Portal, since this application is critical because of its accessibility from the Internet and its connections to other systems. In fact, it is the first link in the chain of a possible attack on internal SAP resources.
From the detection point of view, attacks fall into two types. The first is simple attacks that can be traced in the standard HTTP request log, where the request line and headers are stored. The second is more advanced attacks whose payload is carried in the body of POST requests and therefore never reaches the standard log.
To analyze attacks of the second type, the simplest option is to enable extended logging of all requests. However, in that case a huge amount of unnecessary information is written, including the Cookie header, the JSESSIONID and passwords submitted in forms. Moreover, storing all of this is itself unsafe. Naturally, there are settings that let you exclude these fields, which are covered in more detail in the slides, but this is still not the best option unless you have additional tools to analyze this entire stream of POST requests.
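One way to keep extended request logging from turning into a store of session cookies and passwords is to scrub each captured request before it is written. The following is an added example, not code from the original post, from the talk or from SAP: the header names, the form field names (the SAP Java logon form is assumed to use j_user and j_password) and the sample request are assumptions for illustration and must be checked against the real portal.

```python
"""
Added example (not from the original post or from SAP): scrub a captured
HTTP request before it is written to an "extended" request log, so that the
log itself does not become a store of session cookies and passwords.

Assumptions (hypothetical, for illustration): the request is available as
raw text (request line, headers, blank line, form body), and the header and
field names listed below are the sensitive ones for this portal.
"""
import re
from urllib.parse import parse_qsl, urlencode

MASK = "REDACTED"
# Header values that must never reach the log (matched case-insensitively).
MASKED_HEADERS = {"authorization", "proxy-authorization"}
# Form fields treated as secrets: exact names (j_password is the assumed
# SAP Java logon field) plus a catch-all pattern for anything password-like.
SECRET_FIELDS = {"j_password", "password", "passwd", "pwd"}
SECRET_FIELD_RE = re.compile(r"pass|secret|token", re.IGNORECASE)


def scrub_headers(header_lines):
    """Keep header names so the log still shows what was sent; for Cookie
    keep only the cookie names (e.g. JSESSIONID) and drop their values."""
    out = []
    for line in header_lines:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key == "cookie":
            names = [c.split("=", 1)[0].strip() for c in value.split(";") if c.strip()]
            out.append(name + ": " + "; ".join(f"{n}={MASK}" for n in names))
        elif key in MASKED_HEADERS:
            out.append(f"{name}: {MASK}")
        else:
            out.append(line)
    return out


def scrub_form_body(body):
    """Mask the values of password-like fields, keep every other field intact."""
    scrubbed = []
    for k, v in parse_qsl(body, keep_blank_values=True):
        if k.lower() in SECRET_FIELDS or SECRET_FIELD_RE.search(k):
            v = MASK
        scrubbed.append((k, v))
    return urlencode(scrubbed)


def scrub_request(raw):
    """raw: full request text with CRLF line endings.
    Returns the text that is safe to write to the extended log."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, headers = lines[0], scrub_headers(lines[1:])
    content_type = ""
    for h in headers:
        if h.lower().startswith("content-type:"):
            content_type = h.partition(":")[2].strip().lower()
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        body = scrub_form_body(body)
    elif body:
        # Non-form bodies (file uploads, SOAP) are not parsed here; record
        # only their size rather than risk logging secrets verbatim.
        body = f"<{len(body)} bytes of {content_type or 'unknown'} body omitted>"
    return "\r\n".join([request_line] + headers) + "\r\n\r\n" + body


# Constructed sample request (made-up host, session id, user and password).
SAMPLE_REQUEST = (
    "POST /irj/portal HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"
    "Cookie: JSESSIONID=1A2B3C4D5E; saplb_*=(J2EE1234567)1234567\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "j_user=admin&j_password=S3cr3t%21&login_submit=on"
)

if __name__ == "__main__":
    print(scrub_request(SAMPLE_REQUEST))
```

The request line and the non-secret form fields (here j_user) survive, so the log still tells you who did what; the session identifier and password do not, so a leaked log cannot be replayed into a session. Bodies that are not url-encoded forms are reduced to their size rather than parsed, which is the conservative choice when you do not know what they contain.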
But if you do not analyze POST requests, then what? Several alternative methods were shown, which are also hard to call ideal. For example, you can use analysis of indirect events.
In SAP Portal and Web Dynpro applications, all data is transmitted in huge POST requests with hundreds of parameters, and in the logs any action looks like a call to the same service URL. That is, in the general case it is impossible to understand what was happening without analyzing the POST bodies.
Various tricks come to mind. For example, the portal interface contains various icons that are often shown alongside critical actions, including changing the event logging level or disabling logs, and uploading files to the server. Both can be used by an attacker, for instance to upload an HTML file with a cookie-hijacking script to a shared directory, or to try to disable logging. Such actions make the browser request the corresponding icon from the web server, which shows up clearly in the log files and makes it possible to detect the attack indirectly.
Characteristically, ordinary users do not load these images when performing such actions, since they are already in the browser cache (except the first time), so we will see only the illegitimate references, which lets us talk about a possible attack.
Naturally, there are many nuances and false positives, as well as ways to bypass such a mechanism, but, first, without knowing that it exists you would hardly think of bypassing it, and, second, properly combined with other details you can build a fairly good system as an alternative to full logging, or switch full logging on only when such events occur so as not to store all the data.
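The two detection types from the preceding paragraphs, run over a few constructed access-log lines, as an added example that is not part of the original post and not SAP's own tooling: it flags request lines whose payload is visible in the standard log, and reports requests for icons that the UI shows next to critical actions together with the POSTs the same client sent to portal services right afterwards. The log format (Common Log Format), the icon file names, the service URL prefix and the addresses are assumptions for illustration.

```python
"""
Added example, not code from the original post or from SAP: run the two
detection ideas from the talk over constructed access-log lines.
(1) "simple" attacks whose payload sits in the request line and so appears
    in the standard HTTP log;
(2) the indirect indicator: a request for an icon that the portal UI shows
    next to a critical action, correlated with the opaque POSTs the same
    client sent to a portal service shortly afterwards.

Every path, icon file name and service URL below is an assumption for
illustration; the real resource names and the exact HTTP access log format
must be taken from the installation.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in Common Log Format (assumed; adapt LINE_RE to the
# real log). IPs, users and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [08/May/2013:10:15:22 +0200] "GET /irj/portal HTTP/1.1" 200 5123
10.0.0.5 - jdoe [08/May/2013:10:15:23 +0200] "POST /irj/servlet/prt/portal/prtroot/hypothetical.navigation HTTP/1.1" 200 812
10.0.0.9 - - [08/May/2013:10:16:01 +0200] "GET /irj/portal?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 311
10.0.0.9 - - [08/May/2013:10:16:40 +0200] "GET /irj/portal?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123
10.0.0.12 - - [08/May/2013:10:20:03 +0200] "GET /irj/portalapps/hypothetical.admin/images/log_config.gif HTTP/1.1" 200 640
10.0.0.12 - - [08/May/2013:10:20:05 +0200] "POST /irj/servlet/prt/portal/prtroot/hypothetical.admin HTTP/1.1" 200 120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Type 1: payload visible in the request line itself.
DIRECT_PATTERNS = [
    ("path traversal", re.compile(r"\.\./|\.\.%2f|%2e%2e%2f", re.IGNORECASE)),
    ("script injection", re.compile(r"<script|%3cscript", re.IGNORECASE)),
    ("null byte", re.compile(r"%00", re.IGNORECASE)),
]

# Type 2: icons the UI fetches only alongside critical actions.
# Hypothetical file names; each maps to the action it indicates.
CRITICAL_ICONS = {
    "/irj/portalapps/hypothetical.admin/images/log_config.gif": "change log level / disable logging",
    "/irj/portalapps/hypothetical.admin/images/upload.gif": "file upload to server",
}
# Prefix under which portal services receive the opaque POSTs (assumed).
SERVICE_PREFIX = "/irj/servlet/prt/portal/prtroot/"


def parse_log(text):
    """Turn raw log text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def direct_findings(entries):
    """Attacks that can be read straight off the request line."""
    found = []
    for e in entries:
        for kind, rx in DIRECT_PATTERNS:
            if rx.search(e["url"]):
                found.append({"ts": e["ts"], "ip": e["ip"], "kind": kind, "url": e["url"]})
    return found


def indirect_findings(entries, window=timedelta(seconds=30)):
    """Icon request for a critical action, plus the POSTs the same client
    sent to portal services within `window` afterwards. The POST URLs alone
    say nothing about what was done; the icon says which UI was open."""
    found = []
    for e in entries:
        action = CRITICAL_ICONS.get(e["url"].split("?", 1)[0])
        if action is None:
            continue
        posts = [
            p["url"] for p in entries
            if p["ip"] == e["ip"] and p["method"] == "POST"
            and p["url"].startswith(SERVICE_PREFIX)
            and e["ts"] <= p["ts"] <= e["ts"] + window
        ]
        found.append({"ts": e["ts"], "ip": e["ip"], "user": e["user"],
                      "action": action, "posts": posts})
    return found


def analyze(text):
    entries = parse_log(text)
    return {"direct": direct_findings(entries), "indirect": indirect_findings(entries)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the sample, the two probes from 10.0.0.9 are caught by the request line alone, while the client 10.0.0.12 is reported only because its icon request for the logging screen was followed by a POST to the admin service, which on its own would look like any other portal call. A first-time legitimate visit fetches the same icon, so, as the post says, this is a trigger to correlate with other details (user, time of day, session history) or to switch on full request logging for that client, not a verdict by itself.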
In general, since the topic is rather new, there are a bunch of options applicable to SAP, and I have only stated the basics; my colleagues will probably talk about the rest during the presentation at Confidence.
PS
After the conference I decided to relax a bit by visiting the beautiful J-Bay beach, one of the world's best surfing spots, with perfectly long waves, where you can surf alongside dolphins, until the albatrosses eat them. There was no one to take pictures of me, because there was only an empty beach with small waves, and in normal conditions there was no time for filming.


On the coast the atmosphere is very friendly and relaxed, and the food is very tasty and cheap, so I do not understand why people go to Egypt and similar places when there is so much beauty in the world.
Naturally, there is crime in South Africa. For example, the center of Johannesburg is basically not recommended for visiting, since there is no police there and people are simply killed without any questions. At best, you will be left without your clothes and with a knife wound, and for the rest of your life you will tell everyone what kind robbers you met.
Thank you all; the slides from the conference can be downloaded here. Wait for the next post, from Australia.