Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Security Java Prevent Memory Track/Sniff

Posted on 2009-05-07
11
Medium Priority
?
326 Views
Last Modified: 2013-12-04
We handle credit cards on Windows desktop (Not Web).
I need to know if there is a way to prevent hackers from tracking or sniffing the memory of our program to steal card numbers.
We obfuscate the jar of our application and create and executable to execute 3 applications (classes with main method) in the jar, which are the only ones that are not obfuscated. Does signing add to our security?
I'm aware of sniffers that install in a PC and steal things like passwords and credit cards. I doubt there is much I can do about that (but if there is I'd like to hear about it!)
So, my question is restricted to Java security, but I'd certainly entertain paying for extra information on how to increase security in general.
0
Comment
Question by:RNMisrahi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1500 total points
ID: 24333428
> .. for extra information on how to increase security ..
ensure that your software clears all variables containing your secret information, also ensure that your software does not have references to objects or methods containing such information or loops and hence prevents the garbage collector to free the variables at all
0
 

Author Comment

by:RNMisrahi
ID: 24334591
Thanks ahoffmann.
I sure clear the variables after they are used and I don't expose any methods that could retrieve them.
I don't know though how I can control what remains in memory and if it can be traced/hacked with some 3rd party tool while the app is running.
Also, why would loops prevent the garbage collector from disposing it?

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24334633
> .. why would loops prevent the garbage collector from disposing
there is a known issue in JVMs that variables declared in scopes can be recycled only when the surrounding method/function exits, hence if you have a long running loop it never frees its variables
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 

Author Comment

by:RNMisrahi
ID: 24334721
Thanks again ahoffmann. Your information is useful, and I make every effort to stay away from obvious and not so obvious mistakes.
Since the information we handle is so valuable (credit card swipes can be sold at around $20 each) and we're frequently the target of hackers, I want to know if there are out there 3rd party tools or ways to hack the memory of a jar. Things like de-obfuscation hackers, tools that trace the memory, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24334906
You cannot protect against de-obfuscation, a simple memory dumper will be enough also.
So I'd say that serious coding is the best protection for your purpose.

You may also think about splitting your serious data into several variables. Not a protection, but raises the bar ...
0
 

Author Comment

by:RNMisrahi
ID: 24495873
I was expecting some more specific information. I think ahoffmann's contribution deserves 250 points.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24501638
specific about what?
0
 

Author Comment

by:RNMisrahi
ID: 24512757
"Serious coding being the best protection" seems too general to me.
I'd like to know if there are de-obfuscators and counter-measures, sniffers and how to detect them, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24512782
simple question, simple answer:
 as long as you (your software) does not control hardware and software of the client, there is no way to stop sniffers, memory dumpers, de-obfuscators, etc. etc.etc.
0
 

Author Comment

by:RNMisrahi
ID: 24512895
As Einstein said "Things should be made as simple as possible, but not simpler."

Is not the simplicity, is the specific answers that I'm looking for.
As I said, I'm willing to go beyond the points and pay for some serious non-simplistic, specific answers to our concerns.

If there is something there please describe, we don't want to waste anybody's time.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24514127
sorry, no more ideas (as I'll try to be as simple as Einstein said:)
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question