Solved

Security Java Prevent Memory Track/Sniff

Posted on 2009-05-07
11
321 Views
Last Modified: 2013-12-04
We handle credit cards on Windows desktop (Not Web).
I need to know if there is a way to prevent hackers from tracking or sniffing the memory of our program to steal card numbers.
We obfuscate the jar of our application and create and executable to execute 3 applications (classes with main method) in the jar, which are the only ones that are not obfuscated. Does signing add to our security?
I'm aware of sniffers that install in a PC and steal things like passwords and credit cards. I doubt there is much I can do about that (but if there is I'd like to hear about it!)
So, my question is restricted to Java security, but I'd certainly entertain paying for extra information on how to increase security in general.
0
Comment
Question by:RNMisrahi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 24333428
> .. for extra information on how to increase security ..
ensure that your software clears all variables containing your secret information, also ensure that your software does not have references to objects or methods containing such information or loops and hence prevents the garbage collector to free the variables at all
0
 

Author Comment

by:RNMisrahi
ID: 24334591
Thanks ahoffmann.
I sure clear the variables after they are used and I don't expose any methods that could retrieve them.
I don't know though how I can control what remains in memory and if it can be traced/hacked with some 3rd party tool while the app is running.
Also, why would loops prevent the garbage collector from disposing it?

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24334633
> .. why would loops prevent the garbage collector from disposing
there is a known issue in JVMs that variables declared in scopes can be recycled only when the surrounding method/function exits, hence if you have a long running loop it never frees its variables
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:RNMisrahi
ID: 24334721
Thanks again ahoffmann. Your information is useful, and I make every effort to stay away from obvious and not so obvious mistakes.
Since the information we handle is so valuable (credit card swipes can be sold at around $20 each) and we're frequently the target of hackers, I want to know if there are out there 3rd party tools or ways to hack the memory of a jar. Things like de-obfuscation hackers, tools that trace the memory, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24334906
You cannot protect against de-obfuscation, a simple memory dumper will be enough also.
So I'd say that serious coding is the best protection for your purpose.

You may also think about splitting your serious data into several variables. Not a protection, but raises the bar ...
0
 

Author Comment

by:RNMisrahi
ID: 24495873
I was expecting some more specific information. I think ahoffmann's contribution deserves 250 points.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24501638
specific about what?
0
 

Author Comment

by:RNMisrahi
ID: 24512757
"Serious coding being the best protection" seems too general to me.
I'd like to know if there are de-obfuscators and counter-measures, sniffers and how to detect them, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24512782
simple question, simple answer:
 as long as you (your software) does not control hardware and software of the client, there is no way to stop sniffers, memory dumpers, de-obfuscators, etc. etc.etc.
0
 

Author Comment

by:RNMisrahi
ID: 24512895
As Einstein said "Things should be made as simple as possible, but not simpler."

Is not the simplicity, is the specific answers that I'm looking for.
As I said, I'm willing to go beyond the points and pay for some serious non-simplistic, specific answers to our concerns.

If there is something there please describe, we don't want to waste anybody's time.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24514127
sorry, no more ideas (as I'll try to be as simple as Einstein said:)
0

Featured Post

Increase Agility with Enabled Toolchains

Connect your existing build, deployment, management, monitoring, and collaboration platforms. From Puppet to Chef, HipChat to Slack, ServiceNow to JIRA, Splunk to New Relic and beyond, hand off data between systems to engage the right people.

Connect with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question