Digital Security Digital Security guard Kiber Service

Digital Security – one of the Russian consulting companies in audit area of information security, including in audit area of business applications and ERP systems, carrying out penetration tests and also development of systems of management of cybersecurity according to ISO 27001. The company has certificates of PCI and PA-DSS. In 2009 Digital Security together with ARChE created PCIDSS.RU – Community of professionals in the field of the PCI DSS standard.

Digital Security has the research center DSecRG for search and the analysis of vulnerabilities in different applications and systems and also conducts activity in banking sector on audit Bank Clients and the core banking system, cooperating with ARChE and publishing the found vulnerabilities at the closed forum of Association.

History

2016: 159 vulnerabilities, in that number critical in E-Business Suite are revealed

Specialists of Digital Security 159 vulnerabilities in the different systems were revealed. Notifications on 96 gaps were sent to developers within programs for search of vulnerabilities, and 50 vulnerabilities were transferred to the western vendors in the closed order. Researchers of Digital Security found security of different degree of criticality in resources of the companies Yandex Mail.ru Yahoo Facebook Qiwi VK, Twitter and also 13 vulnerabilities in products of such vendors as Oracle JetBrains Zabbix Cisco Asus Lenovo.

In particular, experts of the company detected in E-Business Suite, key software for business of Oracle, critical vulnerabilities which operation allows to take completely control on a system which often is the main business system of the companies. Researchers were awarded official gratitude of vendor.

In 2016 11 researches were provided to public, including:

• recognition of DGA domains;
• Control Flow Guard,
• the principle of work and methods of a bypass on the example of Adobe Flash Player,
• security of the railroads from open sources,
• architecture of JETPLOW,
• browsers and app specific security mitigation,
• Internet Explorer & Edge,
• research of security SAP NetWeaver,
• security of firmwares on the example of IntelManagement Engine subsystem,
• Cisco Smart Install, opportunities for a pentester,
• security of Oracle EBS.

In 2016 experts of Digital Security submitted 38 reports at 30 conferences in our country (21) and abroad (9).

R&D the center about several directions since 2007, including Application Security, Business Applications, SAP, mobile security, security of telecommunication equipment and processors, BIOS, IoT and firmwares, with an APCS and cybersecurity of the banking sector work. For several years experts prepared a number of the researches which caused a serious resonance in the field of cybersecurity.

2011: Detection of critical vulnerability in SAP ERP core

In July, 2011 it became known that Digital Security (develops the scanner of security of SAP) detected critical vulnerability in a core of the ERP system of the German vendor^[1]. She allows to create without authorization by two requests in the system of the new user and to grant to him the administrator's rights. As for the superuser in a system there are no bans, after that there is available information of all modules ERP, including financial.

As the technical director of Digital Security Alexander Polyakov explained CNews though the error is found in the mechanism of authorization and it is in any installation of this ERP, but for implementation of the attack Java engine delivered with a number of modules should be set. Among them there is SAP Netweaver Portal for creation of the general portal of the customer and also modules for work with ERP from mobile devices and integration with the systems of other vendors (XI). All of them work via the browser, requests for adding of the user and change of its rights are entered into an address bar.

If the malefactor is out of a local network of the company, then for work on such scheme he will need SAP Netweaver Portal set in the company and opened in the Public service network. At standard installation such module can be found normal searchers. For example, through a request in Google "inurl: / irj/portal". So there are systems of the Spanish producer of Portal Empresarial de Navantia warships and the Indian automobile company Tata Motors.

Researchers do not call requests for creation of the user and change of its rights since for vulnerability the patch is not ready yet. "We found this vulnerability 3-4 months ago and at once announced it in SAP, - Polyakov says. - The cycle of creation of a patch at vendor is long, it takes from several months to 1.5 years".

Existence of vulnerability on own ERP installations and the solution at one of customers was checked, he adds. For such checks on penetration (penetration testing) into the companies the program which finds servers of SAP in Network through a request in Google and checks them for vulnerability was written. 'As a result it turned out that it is possible to crack more than a half of available servers' - researchers estimate.

"The bypass of an authentication mechanism occurs without the attack on the 'buffer overflow' type, - Polyakov explains. - In case of ERP it is not too useful to the malefactor. Because of a large number of versions with its help it is only possible to bring down a system, but not to acquire the superuser's right".

"Digital Security as partners of SAP, receive source codes for a research, - the CEO of the DialogNauka which is engaged in similar audit Victor Serdyuk says CNews. - As a result of errors of developers or incorrect setup of vulnerability is in industrial products of any vendor, in this SAP it is not unique. At the majority of the Russian Portal installations it is not displaid in external network, on the intranet the employer can control actions of employees. Despite gravity of a problem it is not necessary to revaluate degree of its criticality".

Notes