Tracking down rogue states in SAP

Having already identified the top 10 “rogue states” in our last blog post, this week we can go on to analyze whether any payments have actually been made to a bank account in one of those dubious states and, if so, to what extent. So without further ado – let’s get down to business […]
Do you also pay to banks in “rogue states”?

Not all countries in the world are safe in terms of money payments. Time and again we hear about countries that are not “completely clean” in terms of money laundering and terrorist financing. Of course, these countries are bound by compliance rules when transferring money to banks in such countries. In our small series on […]
Santa was not the only one handling orders for presents…

The past year is a thing of the past and according to a survey conducted by Adobe, 51 percent of Germans intended to order all their gifts online. A majority of respondents cited low prices as the main reason for this mania for online shopping. But what about the orders your company places? Are they […]
Duplicate Payments: I want my money back!

Duplicate payments are always a hot topic. Due to poor organization, invoices being paid twice is something that happens over and over again. Even in well-defined organizations, duplicate payments occur again and again when the volume of transactions is high. In this blog post, I will explain some advanced methods for detecting duplicate payments in […]
Two is always better than one – except when it comes to master data!

Master data controls all business processes. If master data is not maintained correctly, errors are “passed on” to business transactions and something is pretty much guaranteed to go wrong as a result. Similar problems arise if master data in SAP is not unique because duplicate entries exist. This blog post explains what the specific problems […]
Using data analysis to uncover fraud

Over the past few weeks, we have looked at weak password hashes in SAP in quite some detail. Having already presented a conceivable scenario for exploiting such a vulnerability, as well as a guide to hacking weak password hashes and the measures to be taken to protect against it, in this blog post, we […]
4½ procedures for preventing weak password hashes in SAP

Of course, we don’t want to leave you out in the cold after the scenario we described last week and the kind of heavy financial losses that can be incurred as a result. For this reason, in this blog post, we will describe how the SAP ICS can be used to take preventive action, or […]
Shockheaded (Hash) Peter: If you play with fire,…

…you will get burned. That is pretty much how you could sum up the lesson to be drawn from the scenario we are going to describe below. If you are aware of the risk of using weak password hashes and do nothing, you shouldn’t be surprised by the damage that can result. The following story […]
The ones which fall through the net: plausibility and SAP security

Some areas of process standardization, compliance and correctness or access restrictions are quite difficult, if not impossible, to assign to one of the classic processes of purchasing, sales or fixed assets. However, this does not mean that audit questions such as superuser activities, separation of duty conflicts or weekend bookings are […]
Dr. Strangelove or: How I Learned to Hack SAP Passwords

Having covered the system-wide profile parameters necessary for assigning passwords in SAP in our last blog post, we are now going to “get our hands dirty” and show you, step-by-step, how insecure password hashes can be cracked in SAP. Where can I find the password hashes in SAP? As already mentioned in the previous blog […]