Programs that put your personal details at risk
TYPING your password or credit card number into a computer is a moment's work. But if you think your personal details disappear as soon as you hit the Return key, think again: they can sit on the computer's hard disc for years waiting for a hacker to rip them off.
This alarming assessment comes from researchers who have created a way to track sensitive information through computer memory. They hope their results will convince programmers to work harder at making computers more secure.
As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords.
But even that is no guarantee of security. When you type in a password, it is stored in random access memory (RAM), where it is held temporarily until other data overwrites it or the computer is switched off. But every so often, the computer copies the contents of its RAM onto hard disc, where it is easy prey for a hacker, who can read it directly or design a worm to email it back.
The longer sensitive data stays in RAM, the more likely it is to be copied onto the disc, where it stays until it is overwritten- which might not happen for years.
Tal Garfinkel and colleagues from Stanford University in Palo Alto, California, have created a software tool called TaintBochs which simulates the workings of a complete computer system. Within the simulation, sensitive data can be tagged, or "tainted", and then tracked as it passes through the system.
Such tracking is normally impossible on a computer. Next, Garfinkel and his team simulated computers running common software that regularly handles passwords or confidential personal information, such as Internet Explorer, the Windows login script and Apache server software.
In a paper to be presented in August at the USENIX Security Conference in San Diego, they conclude that the programs took virtually no measures to limit the length of time the information is retained. Some of the tested software even copied the sensitive information, apparently without restraint (http://suif.stanford.edu/collective/taint.pdf). This is the first time anyone has tried to measure the extent of this problem, says Rebecca Wright, a security expert at Stevens Institute of Technology in Hoboken, New Jersey.
Garfinkel hopes the results will galvanise software developers into action. "The way we are building our systems today is making the impact of an attack much greater than it needs to be," he says.
Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive. So Garfinkel reckons the best strategy is to ensure that data is kept on RAM for the shortest possible time.
One way to achieve this is for all data in RAM to be automatically turned into a string of zeros once it is finished with- something he says could be done with just a few extra lines of code in application programmes Perhaps the ultimate solution would be to encrypt data as it is entered, before it is saved into RAM, and arrange for programs that use it to decrypt it first.
Wright says there is nothing difficult about these strategies and that software writers could put them in place if they wanted to. The main disincentive is that zeroing or encrypting data consumes processing power that could be used for other, more alluring tasks, or simply to make the computer run faster.
But Vern Paxson, a security expert at the independent International Computer Science Institute in Berkeley, California, says that as processors are capable of ever more calculations, we are nearing the point where security measures can be built into systems without compromising performance.
"We are finally getting enough performance," he says, "to throw more computing power at security."
Source: Eurekalert & othersLast reviewed: By John M. Grohol, Psy.D. on 21 Feb 2009
Published on PsychCentral.com. All rights reserved.