Everybody has Access to your DATA!!!
White-collar crime is the fastest growing type of crime in North America, and co-workers and disgruntled employees have many motivations to cause damage or increase their wealth. Especially in the current economy, it is every company’s responsibility to keep honest employees honest by removing opportunity and temptation! The first thing intruders do before taking any illegal action is to gain access to another colleague’s user profile, both for extended access and so that the other person will be blamed. Below we point out how easy this unfortunately is…
We know about one company that lost over $60 Million in a 4 year period. A director used one of his employee’s user profiles and passwords to commit the fraud in the SAP financial system. When the fraud was discovered, this employee spent half a year in jail for a crime that she did not commit. Eventually, her boss was arrested for stealing her password and committing the fraud.
Many executives still believe that passwords are secure!
How can IT experts communicate to their business management that they have a control weakness today without putting themselves in a “bad” position?
We would not want to put anybody in the position of having to declare that they have significant control weaknesses, but it is a fact that passwords are outdated and are the weakest link in your controls. In the world of anti-malware scanners it is common knowledge that security threats evolve daily, and that is why customers must update their anti-malware software frequently to be prepared for the latest attacks.
Passwords have been around since the first computers in 1963, and while they might have been fairly secure back then, technology is evolving and is making them more vulnerable on a daily basis:
- Password crackers get faster and more sophisticated, as well as the computers that run them
- Hacking tools are now legally sold in stores as Password Recovery tools
- Physical and logical key loggers have been invented and can be implemented without detection
- Hidden cameras and even cell phones tape passwords – surveillance cameras are everywhere
- Algorithms can recover passwords just from the sound of typing
- Users have too many logons and passwords and are forced to write them down
- Systems require frequent password renewal (forcing users to write them down)
- Users are forced to create more complex and longer passwords (no choice but to write them down)
Did you know that 7% of a company’s revenue was lost to fraud in 2008?
The so-called “occupational fraud” (also known as internal theft) and abuse imposes enormous costs on organizations. The median loss caused by occupational fraud in this 2008 ACFE study was $175,000. Nearly one-quarter of the cases caused at least $1 million in losses and nine cases caused losses of $1 billion or more. Participants in the study estimate U.S. organizations lose 7% of their annual revenues to fraud. Applied to the estimated 2008 United States Gross Domestic Product, this 7% figure would translate to approximately $994 billion in fraud losses. Fraud schemes usually continue for years before they are detected. Fraud was mostly committed by upper management or accounting, and most of the criminals were first-time offenders.
SAP Info reported on Feb 25th 2008: Poor IT Procedures Enabled Société Générale Fraud
Inadequate IT security allowed a trader at French bank Société Générale to make a series of unauthorized transactions that ultimately cost the bank 4.9 billion euros (US$7.2 billion), an internal investigation has found. To prevent a recurrence, the bank should immediately introduce stronger security systems, including biometric authentication of trading staff, a special committee has recommended in its preliminary report to the bank’s board of directors.
Passwords are Outdated, Insecure and Expensive and offer no accountability!!!
As mentioned earlier, the first functional computers have been around since 1963. Since then, everything has changed on a computer except the way we log onto computers – the password. In the security world there are 3 ways to gain any kind of physical or electronic access:
1. What you know – the password
2. What you have – a smart card, key or token
3. Who you are – biometrics.
Biometrics has been proven not only to be the most secure solution but also the most convenient method for users and the least expensive way to go for the IT department, when considering the cost of password administration. No more password resets, which account for a majority of every company’s IT help desk cost. Smart cards, tokens and keys can still be lost, stolen or passed on to a different person. They still don’t offer the capability to uniquely identify the actual user. The commonly used passwords are very dangerous and offer no protection at all, especially in a world where most companies spend millions on compliance issues and still rely on the (wrong) assumption that only Joe Smith can log on to the IT system as Joe Smith.
How easily can an intruder get access to “another” user profile to cause damage?
- Go to the computer while the owner leaves or goes for a coffee
- Ask or challenge colleagues (40% admit sharing password)
- Check the ‘history’ of the first ‘login field’ for password entry
- Call your helpdesk with a different name or user login to get a reset
- Try the Default USER: SAP* – Default Password: 06071992
- Create a fake password login screen that emails password to intruder
- Look for the password near the computer and in drawers (right upper drawer is your best chance)
- Look over the shoulders of employees when they enter it (the FBI calls it shoulder surfing)
- Video tape it – watch for people with a cell phone around you
- Get Emergency password (in some companies at the security guard)
- Keyboard Click-and-Clack Reveals Passwords (Intruders record the sound)
- Key Catcher, Password Cracker – Now: Recovery Tools sold in stores
- Check ‘.INI’ files in Windows which might contain non encrypted passwords
- Associate with the owner (hometown, car, children, wife, animal etc.)
- Password Monitoring / Sniffers (transfer from GUI is not encrypted)
Hacking Passwords in older versions of SAP was fairly simple:
There are at least two methods to this attack:
- Dictionary hack (using common words)
- Brute force hack (using all possibilities)
ABAP code for both of these can be found on the Internet. The dictionary and brute force attacks are not detected by the system and therefore will not set off a warning or lock the user. There is a standard SAP module which helps to compare the passwords for the hack. There are also SAP plug-ins available for popular hacking software. The first thing a SAP consultant installed when he started his new engagement with one of our clients was a program that would decrypt passwords. He was eventually escorted out of the building for importing some code he wrote that messed up end-user access in Production!
Hacking passwords in older versions of SAP is easily accomplished due to the following reasons:
- Hash values were stored in tables which are viewable by many users
- The hash algorithms were weak
- Passwords were not case sensitive
- The system was limited to 8 characters
- There were many back doors into an SAP system
After SAP NetWeaver 6.40, the password hash algorithm was changed from MD5 to SHA-1 to make hacking harder – but technology is catching up quickly.
SAP Passwords are not encrypted
Did you know that between the SAP GUI and the server the password is not encrypted? Try any free Password Sniffer from the Internet and you will see all passwords being typed in from any user. A better program will display the SAP User Logon and password together!
The Fact is:
If a person wants anybody’s password and access to anybody’s user profile, they will get it without problems, and statistics confirm that they will use those user profiles with extended authorizations to cause damages!
What about smart cards or tokens:
Smart cards and tokens are definitely one step up from passwords, but they can still be lost, stolen, copied, borrowed or passed on to another person. There is still no proof that the actual user was the authorized user, and any lawyer would use the SODDI defense (Some Other Dude Did It) in case of an attempted conviction.
Biometrics- More than just a “fancy” replacement for passwords…
With innovative technology, biometrics can not only protect the logon to a computer or an application, but also prevent costly incidents within the SAP system. bioLock is the first technology that can protect basically any mouse click in the SAP system and offer you fraud mitigation within your system. Independently of the user that actually logged on to the SAP system (with or without biometrics), the security team can put an additional biometric “door lock” on any critical function within the SAP system: common areas are Finance, HR, research or PM notifications. Once a transaction or function – like displaying a balance sheet, creating a purchase order or issuing a wire transfer – is requested, bioLock pops up a window requesting a biometric verification. A finger has to be placed on the sensor in order to proceed. Please contact us for a demo or for more information about bioLock products.