EAS-SEC roundtable
“Accounting hacking — arch bugs in MS Dynamics GP”

Speaker: Alexey Tyurin

Dynamics GP is a large and powerful accounting/ERP solution by Microsoft, which is very popular in North America. In this talk, the results of its analysis by EAS-SEC will be presented. There will be examples of how the existing architectural decisions of Dynamics GP can be used to attack the system, how one’s privileges can be escalated from lowest to highest, and how full control over the system can be taken.

“HR Hacking — bugs in PeopleSoft”

Speaker: Alexey Tyurin

This talk discloses the detailed analysis, conducted by EAS-SEC, of a top-class HRMS by Oracle: PeopleSoft, which has been deployed thousands of times around the globe. This product and the vulnerabilities found in it will serve as an example to show the importance of a comprehensive approach to security. You will see how a mix of medium- and low-criticality vulnerabilities could have given away control over any PeopleSoft system just six months ago. Privileges will be escalated from an anonymous user to the system administrator.

“DBO Hacking — arch bugs in BSS”

Speaker: Gleb Cherbov

Time for some banking magic.

Some features of banking system architecture will be presented using the example of several vulnerabilities in remote banking systems by a leading Russian vendor.

Intriguing details of uselessly applied strong cryptography and fine nuances of authentication. Mysterious disappearance and growth of customer savings included.

“Business Intelligence hacking – Breaking ICCube”

Speaker: Dmitry Chastukhin

Version 1.

Business intelligence is essential for any enterprise. This process is based on large amounts of data, which is usually collected over a long period of time. Its results facilitate crucial management decisions which can determine the fate of the company. Is the security of this data worth worrying about? No doubt. Are the technologies used in business intelligence secure?

This talk reviews the vulnerabilities of a popular OLAP server called icCube and how an attacker can use the query language called MDX to compromise the OS of the OLAP server along with all business data.

Version 2.

Yo guys! I’ve learned a new acronym: MDX. Ever heard about that? No? What about OLAP? Me neither. So why don’t we hack this mysterious stuff? People do love talks about hacking mysterious acronyms. This just might get me to a conference like BlackHat or to ZeroNights (at least to FastTrack). I will brag about OLAP and MDX, show a couple of bugs in icCube and get a free meal at the event. Cool, nah?

“EAS-SEC: business application security deployment guideline”

Speaker: Alexander Polyakov

This talk is about the results of the EAS-SEC project. The project has two directions: a security operation guideline and a security development guideline for critical business applications. This talk covers the analysis of both business application development and operation. A list of key business application security issues will be presented for all levels, from the network up to application-specific issues. An SAP security guideline will also be presented as the first deliverable of this project.

“EAS-SEC: business application security development guideline”

Speaker: Alexander Minozhenko

This talk is dedicated to the latest EAS-SEC findings. The project was part of the OWASP consortium for 3 years under the name OWASP-EAS, but it has now taken on a new life and broken free of Web-only constraints. This talk will feature a security development guideline and a list of nine key business application security flaws, from code injection to hidden data breach channels. Most importantly, you will see examples of real vulnerabilities found by manual analysis and automated tools in SAP systems, including, of course, defense methods.

“Dev system hacking — arch bugs in SAP SDM”

Speaker: Evgeny Neyolov

Why break critical systems themselves when you can instead attack application deployment servers, the source of code for all other systems? In SAP ERP, deployment is handled by NetWeaver Development Infrastructure, which comprises SDM, DTR, CBS, and CMS.

Isn’t it a perfect target for an attack? Who cares about the security of a deployment server when there are dozens of servers and thousands of workstations to protect? This is why these solutions have architectural vulnerabilities that allow anonymous code injection into production servers. As a result, malicious code reaches all selected systems, giving control over each of them.


Speakers: Alexander Bolshev, Dmitry 'chipik' Chastukhin

Let’s take a look into the place where critical data is stored for later analytics: Business Warehouse (BW) and Big Data. Classic online transaction processing (OLTP) systems are not well suited to processing big data, so they were replaced by OLAP with its multi-dimensional structures. This technology is present in almost all Business Intelligence applications, including those of key vendors like Microsoft, Oracle, and SAP. All the critical corporate data in one place, well… isn’t it a sweet target for an attacker?

The OLAP technology has brought a lot of new terms and concepts into the world: OLAP cube, measures, dimensions, XMLA, and the MDX language, which is used for requests to multi-dimensional data structures. In today’s Business Intelligence (BI) marketplace, most OLAP servers and almost all BI clients talk in MDX. This talk will describe in detail all the entities of this technology and especially the MDX request language. The talk will also feature an overview of possible MDX-related attacks as well as an overview of code injection, data retrieval and update vectors.

Moreover, I will show some examples of systems that can be exploited via MDX-related vulnerabilities, their system-specific differences, post-exploitation vectors, and a cheat-sheet with a tool for simplifying MDX injection.
