Friday, June 7, 2013

Password Decryption Risk for Oracle E-Business Suite

Unsecured passwords can allow a hacker to access application and database accounts by decrypting their passwords...

We had a great webinar in May in conjunction with Steve Kost of Integrigy. We covered the risks related to the decryption of passwords. Three questions for you:
  • Have you applied the new hash password scheme? If you aren't sure, read more about it in MOS Notes 457166.1 and 1084956.1.
  • Do you consider the column that hosts the password data in the FND_USER table as 'sensitive data'?
  • Is your password length for the applications and database less than eight characters?

If you have answered 'no' to any of these questions, you need to see our recorded webinar, "Account Password Decryption, Threat Explored." This webinar, along with others we have done over the past few years, can be accessed at: http://www.erpra.net/WebinarAccessForm.html

Tuesday, May 21, 2013

Oracle E-Business Suite: SYSADMIN must have password expiration set

The risks related to SYSADMIN are often misunderstood. It is a critical account to leave active, yet we find that many organizations don't set the password expiration days because they fear that the account will be locked and the system will come to a halt (including workflows) if the password expires. This is NOT the case. If the password expires it will need to be reset the next time someone logs in using that account (just like ALL accounts). However, the processes that run in the background tied to that login will still continue to perform as expected.

This is also supported by Oracle.  Take a look at MOS Note 403537.1.
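The two checks the posts above ask for (has the hashed password scheme been applied, and do active accounts such as SYSADMIN have a password expiration set) can be pulled from FND_USER in one query. This is an added example, not a script from the blog or from Oracle's MOS notes; it assumes SELECT access to APPLSYS.FND_USER and that hashed passwords start with 'ZH' while reversibly encrypted ones start with 'ZG', which is an assumption the posts do not state.

```sql
-- Added example (not from the blog post or from Oracle).
-- Lists active EBS application accounts that either still hold a reversibly
-- encrypted password or have no password expiration configured.
-- Assumption: 'ZG' prefix = reversible (encrypted), 'ZH' prefix = one-way hash
-- after the hashed password scheme (MOS 457166.1) has been applied.
SELECT u.user_name,
       u.last_logon_date,
       u.password_lifespan_days,
       u.password_lifespan_accesses,
       CASE
         WHEN u.encrypted_user_password LIKE 'ZH%' THEN 'HASHED'
         WHEN u.encrypted_user_password LIKE 'ZG%' THEN 'ENCRYPTED (reversible)'
         ELSE 'OTHER'                       -- e.g. no local password stored
       END AS password_storage,
       CASE
         WHEN u.password_lifespan_days IS NULL
          AND u.password_lifespan_accesses IS NULL THEN 'NO EXPIRATION SET'
         ELSE 'OK'
       END AS expiration_check
  FROM applsys.fnd_user u
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)      -- active accounts only
   AND (   u.encrypted_user_password NOT LIKE 'ZH%'      -- not yet hashed
        OR (u.password_lifespan_days IS NULL
            AND u.password_lifespan_accesses IS NULL))  -- never expires
 ORDER BY CASE WHEN u.user_name = 'SYSADMIN' THEN 0 ELSE 1 END,  -- SYSADMIN first
          u.user_name;
```

The query classifies the password column by its prefix only and never returns the stored value itself, since the post above treats that column as sensitive data; run it under a DBA login whose activity is itself audited.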

Find out more about this topic at: http://erpra.net/files/Chapter_7_Excerpt_Use_and_Care_of_Generic_Logins.pdf

As always, if you have questions related to this or other topics, please email me at jhare...at... erpra.net.

Tuesday, April 23, 2013

Webinar, Wednesday April 24, 2013 2:00 ET: Sensitive Administrative Pages in Oracle E-Business Suite: Are You Overlooking This Threat?

Hear from industry experts Jeffrey T. Hare, CPA CISA CIA, of ERP Risk Advisors and Stephen Kost of Integrigy Corporation. This is the second in a new series of webinars by ERP Risk Advisors and Integrigy Corporation presenting hidden security threats found in the Oracle E-Business Suite.

Within the Oracle E-Business Suite, numerous pages and forms allow a privileged end-user to enter SQL statements, run operating system commands, or modify the application configuration. Continuing our webinar series on the Hidden Security Threats in Oracle E-Business Suite, this one-hour educational webinar will explore the risks associated with sensitive administrative pages and how these pages can be used to circumvent application controls. We will look at what sensitive administrative pages are, how they can be used to manipulate data or commit fraud, how you can determine who has access to these pages, and what is required to mitigate the threat.

Friday, March 1, 2013

Oracle HAS done some good things in the past few years...

Before I post another scathing criticism of Oracle and their GRC strategy, I thought I'd post something positive about things Oracle has done well in the past couple of years.

I closely follow a few key MOS notes related to security. One is the "Secure Configuration Guide for Oracle E-Business Suite". The R12 version is 403537.1 and the 11i version is 189367.1. It used to be called "Best Practices for Securing Oracle E-Business Suite". However, I am guessing the lawyers suggested dropping 'best practices' from the title because it implies 'completeness' of recommendations. I agree that these documents haven't been (and are still not) complete, so I can't blame the lawyers for presumably getting them to drop the language. If I were a lawyer, that is what I would have recommended.

Having said this, I'd like to acknowledge a couple of things Oracle has done well. In 403537.1, they have released a series of scripts to test for some of the issues identified in this document. We have not evaluated the 'completeness' of these scripts, but partner firms of ours have and believe there are still many, many gaps.

Oracle has also released a new document (last October), 1334930.1, that 'breaks out' certain material that was previously part of the 403537.1 document. In this document, they have released a powerful new SQL script to identify the sensitive access pages (forms that have serious security holes in them, like the ability to run ad hoc SQL scripts, OS scripts, SQL injection, etc.).

For auditors and IT professionals who are looking for a good starting point in assessing some of these security issues, Oracle has finally given you some scripts to use.

The only caveat is... don't assume that information is complete. As of this writing, we have identified four forms that allow SQL statements that are not on their list. There were two others that we had identified in years past that weren't on the earlier versions of their documents but are now included. As we identify new ones, we are uploading our findings into the Internal Controls Repository, which is a repository we provide for end user organizations (sign up at: http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/join).

Ok.  So now I can't be accused of never saying nice things about Oracle. The next blog I'll be back to my old critical self.  Have a great day and good luck overcoming Oracle Security Hell - as I like to affectionately call my business life :-)

Your self-appointed Audit Trail Evangelist,
Jeffrey T. Hare, CPA CISA CIA

Friday, February 8, 2013

2e2 - maker of Config Snapshot software - has been forced into bankruptcy in the U.K.

Not sure if y'all have been following the potential liquidation of 2e2 - maker of the Config Snapshot software. Find out more at:
http://www.channelregister.co.uk/Tag/2e2

I have yet to hear from my contacts at ConfigSnapshot to know what the impact will be for customers that are using that software.  Contact me at jhare@erpra.net if you are a customer and have heard anything.

Webinar - SQL Forms in Oracle E-Business Suite - what are they and why should auditors care?

When: Thu, Feb 14, 2013 2:00 PM - 3:00 PM EST

Description:
SQL Forms are forms that accept SQL statements (or portions thereof) within an application form. Having access to certain forms gives users the ability to execute ad hoc SQL statements (and in some cases OS scripts). In this educational webinar, we will provide examples of how these forms can be used to manipulate data and commit fraud. We will then discuss the policies, procedures, and controls necessary to mitigate the risks associated with these SQL forms.
Register at:

Saturday, January 12, 2013

Webinar Jan 17: Profile Options - What are they and why should auditors care?

Profile options in the Oracle E-Business Suite have significant implications on security and internal controls.  This educational webinar will give you an understanding of profile options, how they are set, and examples of issues when setting them inappropriately.  We will discuss the necessary policies, procedures, and controls needed to properly build and maintain profile options.  Finally, we will discuss audit procedures internal auditors should consider.

Sign up: https://www1.gotomeeting.com/register/741840792

Another one coming up soon:

Feb 12: SQL Forms in Oracle E-Business Suite - what are they and why should auditors care?
Registration: https://www1.gotomeeting.com/register/745316449


Friday, January 4, 2013

2013 will be the year folks learn about Oracle's Skeletons in their E-Business Suite Closet...
Post #1: Why portions of Oracle are unauditable and one of the greatest security risks

Welcome to 2013!  Happy New Year to all.  2012 was a great year for ERP Risk Advisors as customers took advantage of our industry-leading expertise to implement and/or strengthen their security and controls for their Oracle environment.  Towards the end of the year I had two customers tell me representatives at Oracle thought I was 'mean' or 'too critical' of Oracle as a corporation.  Perhaps I haven't made my case clearly enough about why I believe Oracle is a colossal failure when it comes to building their applications and their GRC software so I've resolved to have 2013 be a year of transparency.  I intend to be specific about WHY I think Oracle needs to do a better job.  Some of the items will be very detailed and some will be higher level and strategic in nature.

So here goes... I'll start with a big picture item.  A customer buys software from Oracle to run their Enterprise - ERP software like Oracle E-Business Suite.  A judicious buyer would expect a reasonable audit trail to be in place for high risk transactions such that an auditor could review what happened from the inception of the transaction to the present - a fairly basic audit requirement (putting on my CIA and CISA hat).

So... if I were to tell you that an application user with access to a certain form could execute an ad hoc SQL statement or operating system script directly from the applications (not using a SQL query tool and a database login), wouldn't you expect that the application would be built to provide a detailed audit trail of that activity, given the risk of that transaction? After all, some critical transactions within the applications have that functionality - like salary changes for an employee. So if Oracle understands that some transactions such as salary changes NEED a detailed history, it is clear that they get the concept - that some critical transactions need to have that history. So, if they DON'T provide that history for transactions where an application user (like a developer or a manufacturing associate) could execute an ad hoc SQL statement, what does that say?

To me it says whoever is developing such forms is TOTALLY ignorant of the most basic understanding of what controls ALL organizations using their applications need. And you as a buyer of their software actually thought they knew how to develop applications. Silly you... they are a technology company.

Ok.  So now I guess I understand why Oracle thinks I am 'mean' and 'too critical'.

To be fair when I publish a harsh criticism of Oracle, I will also publish a recommendation and some practical steps for my brethren in the internal audit field.

Oracle: If a form or any other mechanism you are using in the application layer (OA Framework page, concurrent program, etc.) allows a user to enter and execute a SQL statement or an OS script, here is what I'd expect from a controls perspective. First, a security administrator should be able to TURN OFF this feature - yes - a preventive control should be able to be put in place such that this form or mechanism would not allow the SQL statement or OS script to be executed. Second, for those objects that a customer wants to use (and therefore does not turn on the preventive control per #1), there has to be an audit trail of what was done (kinda like you already do in the HR module for salary changes... hint hint).

Auditors: OK. So if you really want to be freaked out about how 'open' and 'free' Oracle software is, read MOS Notes 189367.1 (for 11i) and/or 403537.1 (for R12). In these docs Oracle admits this flaw and has had this 'feature' identified for at least 10 years (see the May 2002 copyright on 189367.1), but has done nothing about it. The most recent release of this document (403537.1, with a last update of Oct 2012) now references a document, 1334930.1, called "Sensitive Administrative Pages in Oracle E-Business Suite", which identifies over 50 forms and pages that are 'sensitive' - many of which allow SQL injection or execution of OS scripts directly from the application layer. And if your IT department didn't have the foresight to implement an appropriate EXTRA software solution to build an audit trail (as per my #2 above), you have little to no visibility into what users with access to these forms and pages are doing with them.

Jeffrey T. Hare, CPA CIA CISA
Self-appointed audit trail evangelist (maybe now you know why...)
Industry analyst, author, and consultant

About the author: http://erpra.net/leadership.html
About ERP Risk Advisors: http://erpra.net/aboutus.html