Software Tricks RAM To Extract Credit Card Info

by CXOtoday Staff    Jun 04, 2004

Sensitive information such as password or credit card number once entered in a computer are no longer safe, thanks to a new software tool called TaintBochs, which can track sensitive information through computer memory.

Developed by Tal Garfinkel and colleagues from Stanford University in Palo Alto, California, TaintBochs is capable of analyzing sensitive data handling in several large, real world applications. Among these were Mozilla, Apache, and Perl, which are used to process millions of passwords, credit card numbers, etc., on a daily basis.

According to information posted on Stanford’s website, the above applications and the components they rely upon take virtually no measures to limit the lifetime of sensitive data they handle, leaving passwords and other sensitive data scattered throughout user and kernel memory.

With people spending more time on the web and hackers turning increasingly sophisticated, the dangers of storing personal information on computers cannot be ignored. When a password is typed, it is temporarily stored in the random access memory (RAM), until it is over written by fresh data. But, sometimes the computer copies the contents of its RAM onto the hard disk where it is an easy prey for a hacker, who can read it directly or design a worm to e-mail it back.

The site claims that currently no methods are available for easily analyzing data lifetime in systems today, and very little information available as to the quality of today’s software with respect to data lifetime.

Apparently, TaintBochs tracks sensitive data by ’tainting’ it at the hardware level. Tainting information is then propagated across operating system, language, and application boundaries, permitting analysis of sensitive data handling at a whole system level.

Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive. So, according to Garfinkel, the best strategy is to ensure that the data is kept on RAM for the shortest possible time.

One way to achieve this is for all data in RAM to be automatically turned into a string of zeros once it is finished using simple coding procedures.

Tags: Stanford