A Security Aficionado – Interview with Tom Eston

Tom Eston presenting at Black Hat Abu Dhabi

Tom Eston has many years of experience in penetration testing and security assessments. Currently Tom is the manager of the highly skilled Profiling and Penetration Team at SecureState. Tom focuses much of his research on new technologies such as social media and mobile applications.

He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom shares his research and opinions on his blog, Spylogic.net. He is one of the founders and co-hosts of the popular Social Media Security Podcast.

He also has written the popular “Facebook Privacy & Security Guide”, which is used for student security awareness training at several large universities and government organizations.

Tom heads up the OWASP Mobile Threat Model development as part of the OWASP Mobile Security Project.

Tom is a frequent speaker at security user groups and worldwide conferences including Black Hat, DEFCON, DerbyCon, InfoSec World, Notacon, SANS, OWASP AppSec and ShmooCon.

– Tom, your recent Black Hat talk was about security issues with accounting systems and Microsoft Dynamics in particular. You mentioned that in 2010 about 41k of companies used MS Dynamics GP. Do you have any current numbers to understand the scope of the problem?

– Microsoft doesn’t release much information about how many customers use MS Dynamics GP; however, based on data from the recent “Convergence 2013” conference this year (www.calszone.com/2013/04/how-many-companies-use-microsoft-dynamics-erp/), they put MS Dynamics GP as having 43,000 customers. This is an increase from 2010. We also found that at a recent MS conference there were many major companies using the Dynamics product (www.erpsoftwareblog.com/2013/03/famous-brands-using-microsoft-dynamics-name-dropping-at-convergence-2013/). I find this interesting, as many of these companies could be targets since it’s most likely they are using GP as well.

– Your white paper states one can get into MS Dynamics GP through the SQL server or through the client system. In one paragraph, would you please explain the ways to perform an attack on MS Dynamics GP?

Dynamics GP Network Diagram

– There are two ways to conduct this attack. First, you can attack the MS-SQL server directly. There are many ways to do this but typically an attack involves exploiting a misconfiguration on the server itself or by obtaining privileged access to the database (examples: weak SA password, hijack of a privileged domain account). Secondly, you can attack the client running MS Dynamics GP through typical phishing and/or social engineering attacks to gain access to the user’s PC. Once an attacker has this access you can use custom malware (like our Mayhem PoC) to hijack the MS Dynamics GP database transactions and inject our own data to commit fraud.

– Are there ways to immediately detect intruders?

– From an MS Dynamics GP perspective, the only way we’ve found that an attacker could be detected would be through the logs on the SQL server or the GP application logs. However, if the attacker has hijacked a legitimate account, all logs would appear to be from this user. If data is changed directly in the database, then typical database forensics techniques would have to be used. By the time an investigation is launched, the attacker will most likely have committed the fraud, making these attacks harder to detect. MS Dynamics GP doesn’t have any alerting or monitoring capabilities that we’re aware of to prevent or detect the fraud attacks we describe in our whitepaper. The only good way to detect these types of fraud attacks is through the accounting controls a company should have in place, such as reconciling bank accounts.

– That part of your talk where you explain how fraud can be committed is really sensitive and may help criminals. Why do you think it wasn’t enough just to show how to get in and let interested parties think of possible post-intrusion scenarios?

– We needed to go to this level of detail to show the specific attacks so that accounting as well as IT personnel are aware of the different types of fraud that could occur. This detail will help from an awareness perspective as well as to help determine what controls could be implemented to prevent these fraud attacks. Much like in penetration testing it is much more valuable to fully exploit a system to show real damage and data compromise.

– Often infosec researchers face issues with corporations when they share anything about software security. Did you have any issues with Microsoft? Have you contacted Microsoft and shared your findings?

– We’ve had no issues with Microsoft. We didn’t notify Microsoft because we didn’t find a vulnerability in the application or other type of exploit that can be patched. Our malware PoC doesn’t exploit the application; rather, it hijacks the database connections to the MS-SQL server.

– Do you have info about real life attacks/breaches on companies which use MS Dynamics GP?

– No, none that we’re aware of.

– What do you know about the current version of MS Dynamics GP – are the problems that you found addressed in it? Have they started encrypting at least banking info? Do you know of any exploits for MS Dynamics GP?

Mayhem Malware PoC

– We didn’t identify any problems with the application. The PoC we’ve developed uses standard hooking techniques which can be used with any application developed for Windows. These are the same techniques more advanced malware uses, such as online banking Trojans. We are not sure of the encryption capabilities of MS Dynamics GP, but any advanced features usually require a third-party add-on to be purchased to provide functionality not included in Microsoft Dynamics GP.

– Your suggestions for preventing fraud require many additional resources, like logging any changes, periodic confirmation of vendor banking information, limiting the number of people who can perform specific actions like entering new customers, and performing not only systematic account reconciliations but customer reviews etc., and really it is too hard for small businesses. Is there a way to automate prevention techniques? Do you have any advice on mechanisms built into the accounting system?

– We’ve suggested that accounting systems should have more automated fraud prevention controls built into the products, at least from an alerting perspective. However, fraud prevention for small/medium size business traditionally relies on standard accounting controls.

– What about other accounting systems like SAP and Oracle? What do you know about similar or different security problems in them?

– Based on research we’ve conducted as well as in discussions with SAP/Oracle professionals these types of fraud attacks could be replicated on more complex systems like these. All that is needed is a deep and intricate knowledge of where these accounting systems store financial data and the workflow to manipulate it.

Read next: A Security Aficionado – Interview with Tom Eston. Part 2
