Solved

Security Java Prevent Memory Track/Sniff

Posted on 2009-05-07
11
304 Views
Last Modified: 2013-12-04
We handle credit cards on Windows desktop (Not Web).
I need to know if there is a way to prevent hackers from tracking or sniffing the memory of our program to steal card numbers.
We obfuscate the jar of our application and create and executable to execute 3 applications (classes with main method) in the jar, which are the only ones that are not obfuscated. Does signing add to our security?
I'm aware of sniffers that install in a PC and steal things like passwords and credit cards. I doubt there is much I can do about that (but if there is I'd like to hear about it!)
So, my question is restricted to Java security, but I'd certainly entertain paying for extra information on how to increase security in general.
0
Comment
Question by:RNMisrahi
  • 6
  • 5
11 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
Comment Utility
> .. for extra information on how to increase security ..
ensure that your software clears all variables containing your secret information, also ensure that your software does not have references to objects or methods containing such information or loops and hence prevents the garbage collector to free the variables at all
0
 

Author Comment

by:RNMisrahi
Comment Utility
Thanks ahoffmann.
I sure clear the variables after they are used and I don't expose any methods that could retrieve them.
I don't know though how I can control what remains in memory and if it can be traced/hacked with some 3rd party tool while the app is running.
Also, why would loops prevent the garbage collector from disposing it?

0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
> .. why would loops prevent the garbage collector from disposing
there is a known issue in JVMs that variables declared in scopes can be recycled only when the surrounding method/function exits, hence if you have a long running loop it never frees its variables
0
 

Author Comment

by:RNMisrahi
Comment Utility
Thanks again ahoffmann. Your information is useful, and I make every effort to stay away from obvious and not so obvious mistakes.
Since the information we handle is so valuable (credit card swipes can be sold at around $20 each) and we're frequently the target of hackers, I want to know if there are out there 3rd party tools or ways to hack the memory of a jar. Things like de-obfuscation hackers, tools that trace the memory, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
You cannot protect against de-obfuscation, a simple memory dumper will be enough also.
So I'd say that serious coding is the best protection for your purpose.

You may also think about splitting your serious data into several variables. Not a protection, but raises the bar ...
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:RNMisrahi
Comment Utility
I was expecting some more specific information. I think ahoffmann's contribution deserves 250 points.

0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
specific about what?
0
 

Author Comment

by:RNMisrahi
Comment Utility
"Serious coding being the best protection" seems too general to me.
I'd like to know if there are de-obfuscators and counter-measures, sniffers and how to detect them, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
simple question, simple answer:
 as long as you (your software) does not control hardware and software of the client, there is no way to stop sniffers, memory dumpers, de-obfuscators, etc. etc.etc.
0
 

Author Comment

by:RNMisrahi
Comment Utility
As Einstein said "Things should be made as simple as possible, but not simpler."

Is not the simplicity, is the specific answers that I'm looking for.
As I said, I'm willing to go beyond the points and pay for some serious non-simplistic, specific answers to our concerns.

If there is something there please describe, we don't want to waste anybody's time.

0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
sorry, no more ideas (as I'll try to be as simple as Einstein said:)
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now