50,000 companies exposed to hacks of ‘business critical’ SAP systems: researchers

FILE PHOTO: People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. REUTERS/Dado Ruvic

By Jack Stubbs

LONDON (Reuters) – Up to 50,000 companies running SAP software are at greater risk of being hacked after security researchers found new ways to exploit vulnerabilities of systems that haven’t been properly protected and published the tools to do so online.

German software giant SAP said it issued guidance on how to correctly configure the security settings in 2009 and 2013. But data compiled by security firm Onapsis shows that 90 percent of affected SAP systems have not been properly protected.

“Basically, a company can be brought to a halt in a matter of seconds,” said Onapsis Chief Executive Mariano Nunez, whose company specializes in securing business applications such as those made by SAP and rival Oracle.

“With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.”

SAP said: “SAP always strongly recommends to install security fixes as they are released.”

SAP software is used by more than 90 percent of the world’s top 2,000 companies to manage everything from employee payrolls to product distribution and industrial processes.

Security experts say attacks on those systems could be hugely damaging, both for the victim organizations and their wider supply chain. SAP customers collectively distribute 78 percent of the world’s food and 82 percent of global medical devices, the company says on its website.

Sogeti security consultant Mathieu Geli, one of the researchers who developed the exploits released online last month, said the issue concerned the way SAP applications to talk to one another inside a company.

If a company’s security settings are not configured correctly, he said, a hacker can trick an application into thinking they are another SAP product and gain full access without the need for any login credentials.

SAP said customer security was a priority and the vulnerabilities showed the need for clients to implement recommended fixes when they are released. “Security is a collaborative process, so our customers and partners need to safeguard their systems as well,” it said in a statement.

CRITICAL SYSTEMS

Researchers at Onapsis said on Thursday they were naming the exploits “10KBLAZE” because of the threat they posed to “business-critical applications” which, if hacked, could result in “material misstatements” in U.S. financial filings.

Nunez said he would share his company’s ability to detect the vulnerabilities with other security vendors to help secure all SAP users against possible future attacks. Full details here.

Sogeti’s Geli said he created the exploits to prove the danger of the vulnerabilities and released them online in order to help experts test the security of SAP systems.

He said there was a risk they could be used by malicious actors but not people without technical ability, and it was more important for companies to update their security settings.

“We are just pointing out something that is already fixed for SAP but clients maybe are a bit late on,” he said. “We are trying to push that and say: ‘Guys, this is critical, you need to fix it.'”

 

(Reporting by Jack Stubbs; editing by Georgina Prodhan)

Pentagon creating software ‘do not buy’ list to keep out Russia, China

FILE PHOTO: An aerial view of the Pentagon building in Washington, June 15, 2005. REUTERS/Jason Reed

By Mike Stone

WASHINGTON (Reuters) – The Pentagon is working on a software “do not buy” list to block vendors who use software code originating from Russia and China, a top Defense Department acquisitions official said on Friday.

Ellen Lord, the undersecretary of defense for acquisition and sustainment, told reporters the Pentagon had been working for six months on a “do not buy” list of software vendors. The list is meant to help the Department of Defense’s acquisitions staff and industry partners avoid buying problematic code for the Pentagon and suppliers.

“What we are doing is making sure that we do not buy software that has Russian or Chinese provenance, for instance, and quite often that’s difficult to tell at first glance because of holding companies,” she told reporters gathered in a conference room near her Pentagon office.

The Pentagon has worked closely with the intelligence community, she said, adding “we have identified certain companies that do not operate in a way consistent with what we have for defense standards.”

Lord did not provide any further details on the list.

Lord’s comments were made ahead of the likely passage of the Pentagon’s spending bill by Congress as early as next week. The bill contains provisions that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military.

The legislation was drafted after a Reuters investigation found that software makers allowed a Russian defense agency to hunt for vulnerabilities in software used by some agencies of the U.S. government, including the Pentagon and intelligence agencies.

Security experts said allowing Russian authorities to look into the internal workings of software, known as source code, could help adversaries like Moscow or Beijing to discover vulnerabilities they could exploit to more easily attack U.S. government systems.

Lord added an upcoming report on the U.S. military supply chain will show that the Pentagon depends on foreign suppliers, including Chinese firms, for components in some military equipment.

She said the Pentagon also wants to strengthen its suppliers’ ability to withstand cyber attacks and will test their cybersecurity defenses by attempting to hack them.

The Pentagon disclosed the measures as the federal government looks to bolster cyber defenses following attacks on the United States that the government has blamed on Russia, North Korea, Iran, and China.

The Department of Homeland Security this week disclosed details about a string of cyber attacks that officials said put hackers working on behalf of the Russian government in a position where they could manipulate some industrial systems used to control infrastructure, including at least one power generator.

(Reporting by Mike Stone; Editing by Chris Sanders, Bernadette Baum and Jonathan Oatis)

Tech firms let Russia probe software widely used by U.S. government

A general view shows a building, which houses the office of HP Russia, in Moscow, Russia August 30, 2017.

By Dustin Volz, Joel Schectman and Jack Stubbs

WASHINGTON/MOSCOW (Reuters) – Major global technology providers SAP, Symantec and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.

The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.

In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.

But those same products protect some of the most sensitive areas of the U.S government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.

Reuters revealed in October that Hewlett Packard Enterprise software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services.

Now, a Reuters review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.

Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department’s intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.

McAfee, SAP, Symantec and Micro Focus, the British firm that now owns ArcSight, all said that any source code reviews were conducted under the software maker’s supervision in secure facilities where the code could not be removed or altered. The process does not compromise product security, they said. Amid growing concerns over the process, Symantec and McAfee no longer allow such reviews and Micro Focus moved to sharply restrict them late last year.

The Pentagon said in a previously unreported letter  to Democratic Senator Jeanne Shaheen that source code reviews by Russia and China “may aid such countries in discovering vulnerabilities in those products.”

Reuters has not found any instances where a source code review played a role in a cyberattack, and some security experts say hackers are more likely to find other ways to infiltrate network systems.

But the Pentagon is not alone in expressing concern. Private sector cyber experts, former U.S. security officials and some U.S. tech companies told Reuters that allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine U.S. network defenses.

“Even letting people look at source code for a minute is incredibly dangerous,” said Steve Quane, executive vice president for network defense at Trend Micro, which sells TippingPoint security software to the U.S. military.

Worried about those risks to the U.S. government, Trend Micro has refused to allow the Russians to conduct a source code review of TippingPoint, Quane said.

Quane said top security researchers can quickly spot exploitable vulnerabilities just by examining source code.

“We know there are people who can do that, because we have people like that who work for us,” he said.

OPENING THE DOOR

Many of the Russian reviews have occurred since 2014, when U.S.-Russia relations plunged to new lows following Moscow’s annexation of Crimea. Western nations have accused Russia of sharply escalating its use of cyber attacks during that time, an allegation Moscow denies.

Some U.S. lawmakers worry source code reviews could be yet another entry point for Moscow to wage cyberattacks.

“I fear that access to our security infrastructure – whether it be overt or covert – by adversaries may have already opened the door to harmful security vulnerabilities,” Shaheen told Reuters.

In its Dec. 7 letter to Shaheen, the Pentagon said it was “exploring the feasibility” of requiring vendors to disclose when they have allowed foreign governments to access source code. Shaheen had questioned the Pentagon about the practice following the Reuters report on ArcSight, which also prompted Micro Focus to say it would restrict government source code reviews in the future. HPE said none of its current products have undergone Russian source code review.

Lamar Smith, the Republican chairman of the House Science, Space and Technology Committee, said legislation to better secure the federal cybersecurity supply chain was clearly needed.

Most U.S. government agencies declined to comment when asked whether they were aware technology installed within their networks had been inspected by Russian military contractors. Others said security was of paramount concern but that they could not comment on the use of specific software.

A Pentagon spokeswoman said it continually monitors the commercial technology it uses for security weaknesses.

NO PENCILS ALLOWED Tech companies wanting to access Russia’s large market are often required to seek certification for their products from Russian agencies, including the FSB security service and Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage.

FSTEC declined to comment and the FSB did not respond to requests for comment. The Kremlin referred all questions to the FSB and FSTEC.

FSTEC often requires companies to permit a Russian government contractor to test the software’s source code.

SAP HANA, a database system, underwent a source code review in order to obtain certification in 2016, according to Russian regulatory records. The software stores and analyzes information for the State Department, Internal Revenue Service, NASA and the Army.

An SAP spokeswoman said any source code reviews were conducted in a secure, company-supervised facility where recording devices or even pencils are “are strictly forbidden.”

“All governments and governmental organizations are treated the same with no exceptions,” the spokeswoman said.

While some companies have since stopped allowing Russia to review source code in their products, the same products often remain embedded in the U.S. government, which can take decades to upgrade technology.

Security concerns caused Symantec to halt all government source code reviews in 2016, the company’s chief executive told Reuters in October. But Symantec Endpoint Protection antivirus software, which was reviewed by Russia in 2012, remains in use by the Pentagon, the FBI, and the Social Security Administration, among other agencies, according to federal contracting records reviewed by Reuters.

In a statement, a Symantec spokeswoman said the newest version of Endpoint Protection, released in late 2016, never underwent a source code review and that the earlier version has received numerous updates since being tested by Russia. The California-based company said it had no reason to believe earlier reviews had compromised product security. Symantec continued to sell the older version through 2017 and will provide updates through 2019.

McAfee also announced last year that it would no longer allow government-mandated source code reviews.

The cyber firm’s Security Information and Event Management (SIEM) software was reviewed in 2015 by a Moscow-based government contractor, Echelon, on behalf of FSTEC, according to Russian regulatory documents. McAfee confirmed this.

The Treasury Department and Defense Security Service, a Pentagon agency tasked with guarding the military’s classified information, continue to rely on the product to protect their networks, contracting records show.

McAfee declined to comment, citing customer confidentiality agreements, but it has previously said the Russian reviews are conducted at company-owned premises in the United States.

‘YOU CAN’T TRUST ANYONE’

On its website, Echelon describes itself as an official laboratory of the FSB, FSTEC, and Russia’s defense ministry. Alexey Markov, the president of Echelon, which also inspected the source code for ArcSight, said U.S. companies often initially expressed concerns about the certification process.

“Did they have any? Absolutely!!” Markov wrote in an email.

“The less the person making the decision understands about programming, the more paranoia they have. However, in the process of clarifying the details of performing the certification procedure, the dangers and risks are smoothed out.”

Markov said his team always informs tech companies before handing over any discovered vulnerabilities to Russian authorities, allowing the firms to fix the detected flaw. The source code reviews of products “significantly improves their safety,” he said.

Chris Inglis, the former deputy director of the National Security Agency, the United States’ premier electronic spy agency, disagrees.

“When you’re sitting at the table with card sharks, you can’t trust anyone,” he said. “I wouldn’t show anybody the code.”

(Reporting by Dustin Volz and Joel Schectman in Washington and Jack Stubbs in Moscow.; Editing by Jonathan Weber and Ross Colvin)