Solved

Security Java Prevent Memory Track/Sniff

Posted on 2009-05-07
11
306 Views
Last Modified: 2013-12-04
We handle credit cards on Windows desktop (Not Web).
I need to know if there is a way to prevent hackers from tracking or sniffing the memory of our program to steal card numbers.
We obfuscate the jar of our application and create and executable to execute 3 applications (classes with main method) in the jar, which are the only ones that are not obfuscated. Does signing add to our security?
I'm aware of sniffers that install in a PC and steal things like passwords and credit cards. I doubt there is much I can do about that (but if there is I'd like to hear about it!)
So, my question is restricted to Java security, but I'd certainly entertain paying for extra information on how to increase security in general.
0
Comment
Question by:RNMisrahi
  • 6
  • 5
11 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 24333428
> .. for extra information on how to increase security ..
ensure that your software clears all variables containing your secret information, also ensure that your software does not have references to objects or methods containing such information or loops and hence prevents the garbage collector to free the variables at all
0
 

Author Comment

by:RNMisrahi
ID: 24334591
Thanks ahoffmann.
I sure clear the variables after they are used and I don't expose any methods that could retrieve them.
I don't know though how I can control what remains in memory and if it can be traced/hacked with some 3rd party tool while the app is running.
Also, why would loops prevent the garbage collector from disposing it?

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24334633
> .. why would loops prevent the garbage collector from disposing
there is a known issue in JVMs that variables declared in scopes can be recycled only when the surrounding method/function exits, hence if you have a long running loop it never frees its variables
0
 

Author Comment

by:RNMisrahi
ID: 24334721
Thanks again ahoffmann. Your information is useful, and I make every effort to stay away from obvious and not so obvious mistakes.
Since the information we handle is so valuable (credit card swipes can be sold at around $20 each) and we're frequently the target of hackers, I want to know if there are out there 3rd party tools or ways to hack the memory of a jar. Things like de-obfuscation hackers, tools that trace the memory, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24334906
You cannot protect against de-obfuscation, a simple memory dumper will be enough also.
So I'd say that serious coding is the best protection for your purpose.

You may also think about splitting your serious data into several variables. Not a protection, but raises the bar ...
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:RNMisrahi
ID: 24495873
I was expecting some more specific information. I think ahoffmann's contribution deserves 250 points.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24501638
specific about what?
0
 

Author Comment

by:RNMisrahi
ID: 24512757
"Serious coding being the best protection" seems too general to me.
I'd like to know if there are de-obfuscators and counter-measures, sniffers and how to detect them, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24512782
simple question, simple answer:
 as long as you (your software) does not control hardware and software of the client, there is no way to stop sniffers, memory dumpers, de-obfuscators, etc. etc.etc.
0
 

Author Comment

by:RNMisrahi
ID: 24512895
As Einstein said "Things should be made as simple as possible, but not simpler."

Is not the simplicity, is the specific answers that I'm looking for.
As I said, I'm willing to go beyond the points and pay for some serious non-simplistic, specific answers to our concerns.

If there is something there please describe, we don't want to waste anybody's time.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24514127
sorry, no more ideas (as I'll try to be as simple as Einstein said:)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now