Friday, December 7, 2012

'Project Mayhem' Hacks Accounting Software - A Rebuttal

The more I read Dark Reading, the more I'm starting to notice certain aspects of the new market for hackers. In a recent post on the site - 'Project Mayhem' Hacks Accounting Software, No exploit required for defrauding Microsoft and other accounting systems, researchers at Black Hat Abu Dhabi reveal - the authors go into detail about an elaborate scheme to create a fake billing transaction in a database.

In my comment on this possible "threat" I said:

Microsoft should probably use SSL between the client machines and the database and lock down the database so only clients with the appropriate credentials (IP addresses, SSL keys, and login credentials) would be allowed to make database queries and inserts. They might also look at splitting up the database logins, so you have one login for queries and one login for inserts. The tables per client should be named according to the actual company so they're not standardized within Microsoft Dynamics Great Plains across the board. Also, the database itself needs to be encrypted (I'm not familiar with the Great Plains system myself) so it couldn't be updated somewhere else and replaced (after the end of business). (One of the things that used to be sort of a standard practice in the 90s was to make a copy, hack it offsite, then return it to the system at a later date... so there is no trail.) They might also limit the terminal that is authorized to only being allowed to make transactions during business hours (like banker's hours for the machine itself).

There are probably hundreds of ways to address this particular issue. Also, from an IT standpoint, you would require that all communications to the accounting database come from an accounting computer on the accounting network subnet.
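As an added illustration of the controls the comment above describes (this is example code, not anything from the original post, from Dark Reading, or from Microsoft Dynamics GP), the following T-SQL splits database access into a read-only login and an insert-only login, and uses a logon trigger to refuse the insert login outside business hours or from outside the accounting subnet. The database name AcctDB, the table dbo.Invoices, the login names, the 08:00-18:00 window and the 10.20.30.x subnet are all assumed placeholders.

```sql
-- Added example; not from the original post or from Microsoft Dynamics GP.
-- Assumed placeholders: database AcctDB, table dbo.Invoices,
-- logins acct_reader / acct_writer, accounting subnet 10.20.30.x.
USE [master];
GO
-- Two separate logins: one may only read, the other may only insert.
CREATE LOGIN acct_reader WITH PASSWORD = '<strong password here>', CHECK_POLICY = ON;
CREATE LOGIN acct_writer WITH PASSWORD = '<strong password here>', CHECK_POLICY = ON;
GO

USE [AcctDB];
GO
CREATE USER acct_reader FOR LOGIN acct_reader;
CREATE USER acct_writer FOR LOGIN acct_writer;

-- Roles carry the permissions; users are only members of a role.
CREATE ROLE acct_query;
CREATE ROLE acct_insert;
GRANT SELECT ON dbo.Invoices TO acct_query;
GRANT INSERT ON dbo.Invoices TO acct_insert;
-- The insert role deliberately gets no UPDATE or DELETE: posted transactions
-- can be added, never silently altered or erased through this login.
DENY UPDATE, DELETE ON dbo.Invoices TO acct_insert;

ALTER ROLE acct_query  ADD MEMBER acct_reader;
ALTER ROLE acct_insert ADD MEMBER acct_writer;
GO

USE [master];
GO
-- Logon trigger: the insert login may only connect from the accounting subnet
-- and only during business hours (server time). ROLLBACK refuses the session,
-- and SQL Server records the refused logon in its error log, which gives the
-- IT department the audit trail the post says is missing.
CREATE TRIGGER trg_acct_writer_logon
ON ALL SERVER
FOR LOGON
AS
BEGIN
    DECLARE @host NVARCHAR(50) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(50)');
    DECLARE @hour INT = DATEPART(HOUR, SYSDATETIME());

    IF ORIGINAL_LOGIN() = N'acct_writer'
       AND ( @host NOT LIKE N'10.20.30.%'     -- assumed accounting subnet
             OR @hour < 8 OR @hour >= 18 )    -- assumed business hours
    BEGIN
        ROLLBACK;   -- deny the connection
    END
END;
GO
```

Note that a local connection reports a ClientHost of `<local machine>` rather than an address, so it is also refused by the subnet check; that is intentional here, since the accounting terminals are the only intended source. Encryption in transit (the SSL the comment asks for) is a server configuration setting rather than something expressed in T-SQL, so it is not shown.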

It sounds more like a failure on the part of the Information Technology or Information Systems department (or something they wouldn't consider a possibility).

The problem is more of a human issue. The IT department tells itself that the company only hires qualified people who don't have bad backgrounds. The admins are busy (probably understaffed or, better yet, outsourced), so they either aren't familiar with the system themselves, don't need to be familiar with the system, or don't have the time to think about all of the possible injections. Isn't the idea that someone could gain access to the network, have a machine with the necessary tools to actually perform an attack, not have that attack be logged, and do this consistently a little far-fetched?

Stepping back, I see that it makes a great story, but it's just a company trying to get creative with ways of saying "There is no need for our services, but we can prove to you that you need us because we can show you a world of possibilities that are highly improbable, but achievable given an enormous amount of funding, interest, and time, in the realm of distant possibility."

Another thing is that the people who would have this skill set, the ability to pull off the job, and the ability to network with other individuals and collaborate on something this illegal would probably only ever do it as a proof of concept, just to say it could be done. It's unlikely these highly skilled professionals would be unemployed and outspoken enough to say to their other unemployed colleagues, "I have a way we could make some money." A little too Hollywood for the real world.

I have a larger thought brewing about these particular "issues" and, given enough time, will probably write more about it here and possibly in some sort of thesis... unfortunately it's back to my day job for now. Just think, if I had gone to college someone might actually take me seriously.

Until later.
