?
Solved

Security Java Prevent Memory Track/Sniff

Posted on 2009-05-07
11
Medium Priority
?
325 Views
Last Modified: 2013-12-04
We handle credit cards on Windows desktop (Not Web).
I need to know if there is a way to prevent hackers from tracking or sniffing the memory of our program to steal card numbers.
We obfuscate the jar of our application and create and executable to execute 3 applications (classes with main method) in the jar, which are the only ones that are not obfuscated. Does signing add to our security?
I'm aware of sniffers that install in a PC and steal things like passwords and credit cards. I doubt there is much I can do about that (but if there is I'd like to hear about it!)
So, my question is restricted to Java security, but I'd certainly entertain paying for extra information on how to increase security in general.
0
Comment
Question by:RNMisrahi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1500 total points
ID: 24333428
> .. for extra information on how to increase security ..
ensure that your software clears all variables containing your secret information, also ensure that your software does not have references to objects or methods containing such information or loops and hence prevents the garbage collector to free the variables at all
0
 

Author Comment

by:RNMisrahi
ID: 24334591
Thanks ahoffmann.
I sure clear the variables after they are used and I don't expose any methods that could retrieve them.
I don't know though how I can control what remains in memory and if it can be traced/hacked with some 3rd party tool while the app is running.
Also, why would loops prevent the garbage collector from disposing it?

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24334633
> .. why would loops prevent the garbage collector from disposing
there is a known issue in JVMs that variables declared in scopes can be recycled only when the surrounding method/function exits, hence if you have a long running loop it never frees its variables
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 

Author Comment

by:RNMisrahi
ID: 24334721
Thanks again ahoffmann. Your information is useful, and I make every effort to stay away from obvious and not so obvious mistakes.
Since the information we handle is so valuable (credit card swipes can be sold at around $20 each) and we're frequently the target of hackers, I want to know if there are out there 3rd party tools or ways to hack the memory of a jar. Things like de-obfuscation hackers, tools that trace the memory, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24334906
You cannot protect against de-obfuscation, a simple memory dumper will be enough also.
So I'd say that serious coding is the best protection for your purpose.

You may also think about splitting your serious data into several variables. Not a protection, but raises the bar ...
0
 

Author Comment

by:RNMisrahi
ID: 24495873
I was expecting some more specific information. I think ahoffmann's contribution deserves 250 points.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24501638
specific about what?
0
 

Author Comment

by:RNMisrahi
ID: 24512757
"Serious coding being the best protection" seems too general to me.
I'd like to know if there are de-obfuscators and counter-measures, sniffers and how to detect them, etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24512782
simple question, simple answer:
 as long as you (your software) does not control hardware and software of the client, there is no way to stop sniffers, memory dumpers, de-obfuscators, etc. etc.etc.
0
 

Author Comment

by:RNMisrahi
ID: 24512895
As Einstein said "Things should be made as simple as possible, but not simpler."

Is not the simplicity, is the specific answers that I'm looking for.
As I said, I'm willing to go beyond the points and pay for some serious non-simplistic, specific answers to our concerns.

If there is something there please describe, we don't want to waste anybody's time.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24514127
sorry, no more ideas (as I'll try to be as simple as Einstein said:)
0

Featured Post

What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Make the most of your online learning experience.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question