Hacking Today: Memory Scraping

Wednesday, March 2, 2011 @ 06:03 PM gHale


A new hacking trend called “pervasive memory scraping” relies on the fact that certain areas of Windows memory are only occasionally overwritten, so data from software that has been closed on the PC remains in memory for some time afterward.

“The SANS Institute is reported to have spotted evidence of this type of attack methodology on an increasing basis,” said Phil Lieberman, chief executive of Lieberman Software. “This means that, where a Windows PC user loads a secure application to view data, views that data and then closes the application, there is a chance that the data may continue to reside in the computer’s memory for some time after.”

“Put simply, this means that, even if the secure software checks for the presence of Trojans and similar credential scanning malware — and locks down the malware while it is loaded — once the application is closed, the contents of the computer memory can still be subsequently lifted by a remote scanning piece of malcode,” he said.

There is a solution. Either users must use a secure Web browser with a memory sandbox feature, meaning all trace of the viewed data disappears along with the browser as it closes, or secure data should not load onto the computer in the first place.
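The difference between data that lingers after a close and data that disappears with it, as an added example that is not from the article or from any product it mentions. It assumes a fixed `arena` buffer as a stand-in for process memory that outlives a session; the function names and the sample value are constructed for illustration, and real allocator and operating-system behaviour varies.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for process memory that outlives one viewing session. */
static unsigned char arena[256];
/* Constructed sample value, not real data. */
static const char SECRET[] = "CONSTRUCTED-SECRET-0001";

/* Session opens: the viewed data is loaded into memory. */
static unsigned char *session_open(const char *data, size_t len) {
    if (len > sizeof arena) return NULL;
    memcpy(arena, data, len);
    return arena;
}

/* Wiping close: write zeros through a volatile pointer so the compiler
   cannot drop the stores as dead writes to a buffer never read again. */
static void session_close_wiped(unsigned char *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Defender's check: is the value still anywhere in the region? 1 = yes. */
static int residue_present(const char *needle, size_t nlen) {
    if (nlen == 0 || nlen > sizeof arena) return 0;
    for (size_t i = 0; i + nlen <= sizeof arena; i++)
        if (memcmp(arena + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Run one session and report whether the data survives the close. */
int residue_after_close(int wipe) {
    size_t len = strlen(SECRET);
    unsigned char *buf = session_open(SECRET, len);
    if (buf == NULL) return -1;
    /* A plain close releases the region without touching its contents. */
    if (wipe) session_close_wiped(buf, len);
    return residue_present(SECRET, len);
}

int main(void) {
    printf("plain close, residue: %d\n", residue_after_close(0));
    printf("wiped close, residue: %d\n", residue_after_close(1));
    return 0;
}
```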

Secure/sandbox browser sessions are easy to set up and use, but there are restrictions on functionality and on interaction with third-party applications on the host computer.

This means the best solution to the problem of pervasive memory scraping is to store and control private data on a centrally managed basis.

Using this methodology ensures private information is stored and accessed under data-centric, policy-based protection across all endpoints.


