By Jeremy Kirk
IDG News Service
April 09, 2010
At the Black Hat security conference next week, one presentation will
focus on a way to insert a back door into SAP's ERP (enterprise resource
planning) applications. SAP's business software is often the core of a
company's operations and is used to manage invoicing, human resources,
procurement, and billing, among many other functions.
SAP's software uses databases from companies such as Oracle, said
Mariano Nuez Di Croce, director of research and development for Onapsis,
a company that focuses on penetration testing for SAP systems and others
such as Oracle's PeopleSoft and JD Edwards enterprise applications.
Many companies do not configure the Oracle database correctly, which
makes the SAP system vulnerable to attack. "What we have found is, it is
possible instead of modifying the program you can connect to the
database and modify the code directly in the database," Nuez Di Croce
The problem with SAP and the Oracle database has been known for a few
years, although Nuez Di Croce recently figured out how to slip a "back
door" into a program in the database that can then send data to a remote
hacker. Because the Oracle database does not conduct an integrity check
of the source code, the attack would be difficult to detect.
Register now for HITBSecConf2010 - Dubai, the premier
deep-knowledge network security event in the GCC,
featuring keynote speakers John Viega and Matt Watchinski!