Security Watch

Keeping track of patches and hacks in the IT security world.

Say It Ain't So, SAP

What I particularly like about Oracle's lawsuit against SAP, wherein Oracle charges its rival with "corporate theft on a grand scale," is that it fits in so well with the current rash of news about hijacked accounts.

Oracle filed suit on March 22, claiming its business software rival used customers' online access codes to steal copyrighted software. Oracle claims that SAP gained repeated and unauthorized access to its password-protected customer support site and, from there, copied thousands of copyrighted Oracle software files and other confidential materials onto its own servers.

Oracle's lawsuit maintains that SAP managed to pile up a "storehouse of stolen Oracle intellectual property," which it used to offer cut-rate support services to Oracle customers, thereby luring them off of Oracle and onto SAP products.

If what Oracle says is true, this is identity theft on a grand scale. It takes the current rash of consumer-based account hijackings and inflates it so it fits into the world of behemoth corporations.

Recently, eBay users have been suffering hijacking of their accounts as hackers co-opt their names and reputations, run auctions of nonexistent goods, pocket the money, and move on. They've also had to endure being taunted by hackers who like to boast about how easy it is to hack eBay, and a handful of eBay customers have had their most private information posted online.

This week brought reports of social engineering in which Microsoft support staff are being talked into handing over personal information, in violation of Microsoft's own privacy policy, mind you.

In the cases of both eBay and Microsoft, the corporate entity has claimed that its customers are being tricked into handing over personal information: talked out of identity details in game-related situations, in the case of Xbox Live users, or phished out of them, in eBay's case.

These cases are difficult to analyze because they boil down to who you believe. Do you believe the astute, computer-savvy eBay user who swears he or she would never fall for a phishing scam, or do you believe eBay, which maintains that its databases have not been breached? Do you believe Microsoft when it says gamers are handing over personal information, or do you believe the accounts of the hackers themselves, who post details about how they talked Microsoft support staffers out of that information?

As legendary forensics authority Jim Christy said to me during recent eBay reporting, it's impossible to tell where information is coming from without physical access to a hacker's systems for a full forensics examination.

Oracle's account hijacking case differs in that there appears to be a smoking gun. The lawsuit claims that SAP employees used log-in credentials of Oracle customers whose support rights had expired or were about to. Oracle says it first suspected something was up when it saw an unusual level of activity on its systems near the end of 2006 that didn't resemble the pattern of authorized customer access. Oracle also claims that SAP downloaded an average of 1,800 items per day for four straight days using one customer's credentials, far above the average of 20 downloads per customer per month.

What could be the smoking gun is an Internet address in Texas that's registered to SAP's wholly owned subsidiary TomorrowNow, founded by former PeopleSoft executives. Oracle claims that the downloads originated from this site, not from that of any customer.
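The two indicators Oracle describes, a credential pulling far more items per day than the normal per-customer volume and downloads originating from an address that is not the customer's, are the kind of thing a support portal can check mechanically. The following Python is an added example, not code from the article or from Oracle; the log lines, the per-customer address ranges and the ten-times-baseline threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample support-portal download log (not real data):
# date, customer credential, source IP, downloaded item.
SAMPLE_LOG = """\
2006-11-20 cust-a 203.0.113.7 patch-1001
2006-11-20 cust-a 203.0.113.7 patch-1002
2006-11-21 cust-b 198.51.100.9 doc-55
2006-11-21 cust-b 198.51.100.9 doc-56
2006-11-21 cust-b 198.51.100.9 doc-57
2006-11-21 cust-b 198.51.100.9 doc-58
2006-11-21 cust-b 198.51.100.9 doc-59
2006-11-21 cust-b 198.51.100.9 doc-60
2006-11-21 cust-b 198.51.100.9 doc-61
2006-11-21 cust-b 198.51.100.9 doc-62
2006-11-22 cust-a 203.0.113.8 patch-1003
"""

# Registered address ranges per credential (assumed values for illustration).
KNOWN_RANGES = {
    "cust-a": [ip_network("203.0.113.0/24")],
    "cust-b": [ip_network("192.0.2.0/24")],
}

# Baseline quoted in the article: roughly 20 downloads per customer per month.
DAILY_BASELINE = 20 / 30

def parse_log(text):
    """Yield (day, credential, source_ip, item) from the space-separated log."""
    for line in text.splitlines():
        if line.strip():
            day, cred, src, item = line.split()
            yield day, cred, ip_address(src), item

def find_anomalies(text, ratio=10.0):
    """Return sorted findings: ('volume_spike', cred, day, count) when a credential
    pulls more than ratio * DAILY_BASELINE items in one day, and
    ('unknown_source', cred, day, ip) for addresses outside its registered ranges."""
    counts = defaultdict(int)
    foreign = set()
    for day, cred, src, _ in parse_log(text):
        counts[(cred, day)] += 1
        if not any(src in net for net in KNOWN_RANGES.get(cred, [])):
            foreign.add(("unknown_source", cred, day, str(src)))
    spikes = {("volume_spike", cred, day, n) for (cred, day), n in counts.items()
              if n > ratio * DAILY_BASELINE}
    return sorted(foreign | spikes)
```

On the sample, cust-b is flagged twice for the same day: once for volume and once because its downloads came from an address outside its registered range, which is the combination the lawsuit relies on.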

Following Oracle for any amount of time engenders skepticism about its claims, to put it lightly. At the same time that SAP's SAPPHIRE user conference was going on last May, Oracle boasted that 500 customers had selected Oracle over SAP. It turned out that at least some of those customers had been the subject of PeopleSoft case studies that Oracle inherited when it purchased that company. At the time, an Oracle spokesperson couldn't say if any of the customers had actually migrated, although Oracle's press release hyped its OFF SAP migration program.

But if Oracle's charges are in fact valid, SAP is an idiot. As BusinessWeek pointed out last March, SAP has been the winner so far in the rivalry, capitalizing on the customer uncertainty Oracle created with its long list of acquisitions. Oracle has been growing by acquisition, the article pointed out, and needs time to integrate. Judging by the stream of Oracle employees I've talked to recently who have jumped ship, that integration hasn't been going too well, either—sources have told me that Oracle is choking on the Siebel acquisition, which dwarfed the PeopleSoft acquisition, even though the latter caused more agitation and legal tussling.

SAP, on the other hand, has grown organically, as BusinessWeek has pointed out. If the German company is going to give itself a black eye through something like corporate thievery, it's in danger of squandering some of the goodwill it has built up among enterprises through this bitter, long-lasting rivalry with Oracle.