The following volumes are already available for free download:
2009-11-25 - Volume I: The risks of downwards compatibility
Abstract
SAP has implemented different password hashing procedures throughout its history.
While each new version has increased the security level of the hashing scheme, some backward compatibility aspects not considered in the implementation phase may provide room for practical attacks on users' stored credentials. By exploiting these weaknesses, malicious attackers would be able to escalate privileges on vulnerable systems and perform business processes on behalf of other users.
This volume details the evolution of the hashing mechanisms developed by SAP, analyzes the different risks of attacks on this sensitive information, and provides practical solutions to protect the company's SAP platform, effectively decreasing business fraud risks.
TABLE OF CONTENTS
What is the SAP Security In-Depth Publication?
Executive Summary
1. Introduction
2. SAP Password Cracking
3. The Risks of Downwards Compatibility
4. Protecting SAP Password Hashes
5. Conclusions
6. References