Penetration Testing mailing list archives
Onapsis Research: SAP Security In-Depth Vol. I
From: Onapsis Research <research () onapsis com>
Date: Wed, 25 Nov 2009 13:54:32 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleague,

The first volume of the Onapsis' SAP Security In-Depth publication has been released.

SAP Security In-Depth is a free technical publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in the SAP security field, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and the general professional community) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

In this edition: The risks of downwards compatibility.

"SAP has implemented different password hashing procedures along its history. While each new version has increased the security level of the hashing scheme, some backward compatibility aspects not considered in the implementation phase may provide room for practical attacks on the users' stored credentials. Through the exploitation of these weaknesses, malicious attackers would be able to escalate privileges over vulnerable systems and perform business processes on behalf of other users. This volume details the evolution of the hashing mechanisms developed by SAP, analyzes the different risks of attacks on this sensitive information and provides practical solutions to protect the company's SAP platform, effectively decreasing business fraud risks."
The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid01

Best regards,

--
--------------------------------------------
The Onapsis Research Labs Team
Onapsis S.R.L
Email: research () onapsis com
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc
--------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksNYUgACgkQz3i6WNVBcDXlQQCeOk+XU4N5EC1CvU1gAwpVvn9M
dv4AoNUD0uk9RnhJ8RTYP7DthO2OOFOi
=Djv5
-----END PGP SIGNATURE-----
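The announcement above describes the general risk without code. The following is an added example, written for this archive page and not taken from Onapsis or from the SAP Security In-Depth publication, and it does not reproduce SAP's real hashing algorithms or table layout. It models the "downwards compatibility" problem with two toy schemes: a modern salted, iterated hash (PBKDF2-HMAC-SHA256) and an assumed legacy scheme that upper-cases the password, truncates it to 8 characters and applies one unsalted MD5. When compatibility is enabled the application writes both hashes for the same password, so an attacker who can read the credential store cracks the cheap legacy field first and then uses the recovered prefix to bypass most of the cost of the strong hash. Record field names, the wordlist and the suffix list are all constructed for the demonstration.

```python
"""Toy model of the "downwards compatibility" password-hash risk.

Constructed illustration, not SAP's actual hashing algorithms or table layout:
a user store keeps a modern salted, iterated hash and, when backward
compatibility is enabled, also a legacy hash of the same password. The legacy
scheme here upper-cases the password, truncates it to 8 characters and hashes
it once with MD5, unsalted. Record fields, wordlist and suffixes are made up.
"""
import hashlib
import os
from typing import List, Optional, Tuple

LEGACY_MAXLEN = 8           # assumed length limit of the toy legacy scheme
PBKDF2_ITERATIONS = 50_000  # assumed work factor of the toy modern scheme


def legacy_hash(password: str) -> str:
    """Toy legacy scheme: case-folded, truncated, unsalted, single MD5."""
    normalized = password.upper()[:LEGACY_MAXLEN]
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: bytes) -> str:
    """Toy modern scheme: per-user salt, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()


def store_user(username: str, password: str, downwards_compatible: bool) -> dict:
    """Build one credential record as the application would persist it.

    With downwards_compatible=True the weak legacy hash is written next to the
    strong one, so the record is only as strong as its weakest field.
    """
    salt = os.urandom(16)
    record = {"user": username, "salt": salt.hex(), "modern": modern_hash(password, salt)}
    if downwards_compatible:
        record["legacy"] = legacy_hash(password)
    return record


def crack_legacy(record: dict, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack against the legacy field only.

    No salt and a single MD5 per guess make this cheap. The result is the
    case-folded first 8 characters of the real password, not the password itself.
    """
    target = record.get("legacy")
    if target is None:
        return None  # nothing weak to attack: compatibility was off
    for guess in wordlist:
        if legacy_hash(guess) == target:
            return guess.upper()[:LEGACY_MAXLEN]
    return None


def recover_full_password(record: dict, prefix: str, suffixes: List[str]) -> Optional[str]:
    """Pivot: use the recovered prefix to constrain guesses against the strong hash.

    Only a few case patterns and suffixes are tried instead of the full
    keyspace, so the slow PBKDF2 no longer protects the account.
    """
    salt = bytes.fromhex(record["salt"])
    for base in (prefix.lower(), prefix.capitalize(), prefix.upper()):
        for suffix in suffixes:
            candidate = base + suffix
            if modern_hash(candidate, salt) == record["modern"]:
                return candidate
    return None


# Constructed sample data for the demonstration.
WORDLIST = ["summer", "welcome", "password", "qwerty", "onapsis"]
SUFFIXES = ["", "1", "123", "2009", "!"]


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (legacy prefix, full password, result with compatibility disabled)."""
    compatible = store_user("jdoe", "Password2009", downwards_compatible=True)
    strict = store_user("jdoe", "Password2009", downwards_compatible=False)

    prefix = crack_legacy(compatible, WORDLIST)
    full = recover_full_password(compatible, prefix, SUFFIXES) if prefix else None
    return prefix, full, crack_legacy(strict, WORDLIST)


if __name__ == "__main__":
    prefix, full, strict_result = demo()
    print("legacy prefix recovered:", prefix)
    print("full password recovered:", full)
    print("with compatibility disabled:", strict_result)
```

The `strict` record in `demo()` is the same password stored with compatibility turned off: with no legacy field present, `crack_legacy` has nothing cheap to attack and the attacker is left facing the salted, iterated hash alone. That is the practical lesson of the scenario the announcement describes: the strength of the newest scheme is irrelevant while an older, weaker hash of the same secret is still being written beside it.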