[C3] "Exploiting unknown default accounts in SAP systems"
by Joris van De Vis

Author: Joris van De Vis (@jvis)
Language: English
Country: Netherlands
Date & Time: Wed. 2 Nov. - 13:30 to 14:15

SAP Security... a twilight zone of responsibilities, expertise and complexity within many large organisations. SAP is improving its software, documentation and security guides, and customers are increasingly aware that work needs to be done in this field. However, taking action is not the default for many organisations due to complexity and a lack of expertise, resources and budget.
Organisations should secure at least the low-hanging fruit and prevent the easiest compromises by focusing on just a couple of vulnerabilities.
One of the most obvious and simple precautions is to get rid of DEFAULT accounts. While doing SAP security assessments over the past years, we did not encounter a single SAP-running organisation that was completely free of SAP default credentials.
Mitigating this used to be a simple task, as the list of default users and passwords was limited to only a few accounts for a long time, but that has changed. Welcome to some new SAP default accounts....
A total compromise of an SAP system will be demonstrated in this presentation. Combined with several other vulnerabilities found by our research, these default accounts are all it takes to get easy access to your SAP systems.

Biography: Joris has extensive experience in SAP technology and security. In addition to developing and working as an SAP technology specialist, his main interest lies in the field of SAP platform security. Next to helping businesses secure their SAP systems, Joris is also an SAP security researcher and has reported over 50 vulnerabilities in SAP applications. He has 15+ years of experience working for large SAP-running companies and has helped government departments implement and secure SAP landscapes. Joris is co-founder of ERP-SEC, an SAP security-focused company based in the Netherlands.