Unbreakable Oracle ERPs? Attacks on Siebel & JD Edwards

Presented at AppSec USA 2012, Oct. 26, 2012, 11 a.m. (45 minutes).

Siebel and JDE platforms are a core part of our global business-critical infrastructure. Our credit card numbers, bills, personal information and consumption habits; top-tier companies' business processes and their most confidential information. It's all in there. Despite their criticality, there is still today very scarce public information on how attackers may try to break into these systems and what we can do to stop them, placing the bad guys in a very powerful position. The Auditing and InfoSec industries have traditionally focused only on enforcing segregation-of-duties controls, and that's not enough anymore. Join us in this new presentation to understand, through several live demos, how intruders can remotely execute code, steal user passwords and manipulate proprietary technologies to perform espionage, sabotage and fraud attacks, without having a valid user in the systems. Furthermore, you will see how these attacks may be performed over the Internet. Learn how to mitigate these risks, starting by learning how to assess them in your company using the new version of Bizploit, the open-source ERP Penetration Testing framework, to be released after the talk.

Presenters:

  • Jordan Santarsieri - Senior Security Researcher - Onapsis
    Jordan Santarsieri is a senior Onapsis security consultant and researcher. Also a member of the Onapsis Research Labs, he is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications. Jordan has discovered critical vulnerabilities in SAP software and is a frequent author of the "SAP Security In-Depth" publication. Through his work, he has contributed to the security of Global Fortune-100 companies and defense contractors. He has also been invited to hold workshops and presentations at international security conferences, such as BlackHat DC, Hacker Halted, 8dot8 and Ekoparty. His interests include penetration testing, exploit writing, forensics, data mining and psychology applied to information technology.
  • Juan Perez-Etchegoyen - CTO - Onapsis, Inc.
    Juan Pablo is the CTO of Onapsis, leading the Research and Development teams that keep the company at the cutting edge of the ERP security field. Juan Pablo is fully involved in the design, research and development of Onapsis' innovative software solutions. Being responsible for managing the Onapsis Research Labs, Juan Pablo has also been actively involved in the coordination and research of critical security vulnerabilities in ERP applications and business-critical infrastructure, such as SAP, Oracle and JD Edwards. Juan Pablo has extensive experience in the information security field, having been involved in large research, penetration testing, vulnerability assessment and security implementation projects, among others. As a result of his innovative research work, Juan Pablo has been invited to deliver trainings and presentations at some of the most renowned security conferences in the world, such as BlackHat, Source, Deepsec, HITB and Ekoparty, as well as to host private trainings on different aspects of information security for Global Fortune-100 organizations.