SecureState Releases Project Mayhem

Researchers Head to Black Hat Abu Dhabi to Detail Ways to Attack and Manipulate Financial Systems

Dec 04, 2012, 08:57 ET from SecureState

CLEVELAND, Dec. 4, 2012 /PRNewswire/ -- If hackers were able to manipulate the world's accounting systems, governments and corporations would be in a frenzy. Guess what? Hackers can and will. SecureState today announced that Tom Eston and Brett Kimmell will unveil Project Mayhem, a proof-of-concept tool that makes accounting fraud easy and potentially undetectable, at their Black Hat Abu Dhabi presentation on December 5th.

Kimmell and Eston will give the audience a demonstration of Project Mayhem attacking the world's most popular accounting system for small to large businesses, Microsoft Dynamics Great Plains (GP). The duo will also release their whitepaper, which provides a comprehensive look at how Project Mayhem allows attackers to enter information into an accounting system. This enables mass systems fraud that would be very difficult for technical security controls to detect and that results in devastating, long-term consequences for the company.

With research from the hacking, tech and accounting community, Project Mayhem has a unique multi-team approach, pulling together experienced professionals in penetration testing and accounting. Spencer McIntyre, creator of Termineter, wrote the proof-of-concept code, with Eston working on the IT attack vectors and Kimmell on the accounting fraud prevention controls. Project Mayhem was created to assist penetration testers in performing attacks, and for every attack method addressed, controls are outlined to protect financial systems.

"If an attacker can control and manipulate the accounting system of the company to commit mass systems fraud, changing or manipulating financial data is just the beginning. As professional penetration testers, we must demonstrate more advanced attacks to show real impact to the business," said Eston.

"Even with proper bank reconciliation, funds can be diverted without immediate detection. Fraud attacks like the ones described in our talk and whitepaper could last for months or years. Uncovering a fraud depends on the skills and resources available and whether an audit is performed or not," said Kimmell.

The goal of a public release for this utility is to promote security awareness for accounting controls and ensure that stronger controls are put in place for Microsoft GP and other financial systems in the future. After this initial release, further research and revisions to Project Mayhem will be forthcoming.

About Our Company

The SecureState team comprises several specialties, including Advisory Services, Audit & Compliance, Profiling & Penetration, Research & Innovation, Privacy, Risk Management, and Incident Response.

Contact: Sabrina Powers

SOURCE SecureState