SAP vulnerability could expose systems to hacking

Wed Apr 7, 2010 3:47pm EDT

* Could leave companies open to sabotage, espionage, fraud

* Vulnerability lets hackers make stealth attacks

* SAP says only vulnerable if customers ignore advice

* Research to be presented at Black Hat Europe conference

BOSTON, April 7 (Reuters) - Companies using SAP AG's (SAPG.DE) business management software could be vulnerable to stealth attacks by hackers if their systems are not properly configured, according to a computer security expert.

The vulnerability could leave SAP's customers open to sabotage, espionage and fraud through so-called backdoor attacks, said Mariano Nuñez Di Croce, director of research and development with computer security firm Onapsis.

The problem is significant because many of the world's largest corporations use SAP's software to handle accounting, manufacturing and other crucial tasks.

"In a typical default installation, anybody can connect to an SAP database, modify standard programs and do whatever they want without detection," said Nuñez Di Croce, who will discuss the vulnerability next week at the Black Hat Europe computer security conference in Barcelona.

SAP, the world's biggest maker of business management software, said that customers were only at risk of attack if they did not follow the company's advice on how to protect their computer systems.

"We believe that if customers follow our guidelines for security, the risk of illegitimate access through a backdoor can be excluded," said SAP spokesman Saswato Das.

The software maker builds several layers of security into its programs. But Nuñez Di Croce said that hackers can bypass those safeguards by manipulating those programs through an attached database whose security settings are not properly set.

Makers of databases that are most commonly used with SAP's business management software include Oracle Corp (ORCL.O), Microsoft Corp (MSFT.O) and International Business Machines Corp (IBM.N).

Once hackers gain access to an SAP system, they could install malicious programs to manipulate critical business processes or steal sensitive information, Nuñez Di Croce said.

Nuñez Di Croce, whose company will release a free software tool to help companies protect against the threat, said he was not sure how frequently hackers had taken advantage of the vulnerability. (Reporting by Jim Finkle; Editing by Richard Chang)

Comments (1)
Mariano Nuñez and his crew at Onapsis [0] are without a doubt the most skilled SAP information security researchers in the market.

With SAP getting more popular each day, and targeted attacks affecting both the public and private sectors, the market is in need of a solution for securing those installations.

[0] http://www.onapsis.com/

Apr 07, 2010 6:20pm EDT