Speaking at the company's media day forum in Singapore yesterday, Verizon Business Investigative Response managing principal Mark Goudie said that the various encryption standards today do a good job of protecting data at rest, such as data stored on a server, and data in transit across a network. But in many cases, data is left completely vulnerable during the processing stage.
"It's hard to process encrypted data. If you want to process the data, you need it unencrypted. We all know that, [but] so do the bad guys."
This has opened up servers to attack by a technique that Goudie calls RAM scraping, which examines the memory of the running web server and extracts data while it is in its processed, unencrypted state.
"If I can do it, and I'm a bad programmer ... professionals can do it far better than I can."
Goudie believes that the technique has been in use for several years, dating back to 2008, but that many organisations are simply unaware and assume that because data is encrypted at rest and in transit, the security of the information is foolproof.
"This is what I hear all the time: 'We could not have possibly been hacked, because we don't store any sensitive data, we just send it off to somebody else.'"
Goudie demonstrated the attack to journalists, using a fictitious e-commerce site that never stores credit card information, a practice many retailers follow when they take payment details and pass them on to a third-party payment processor.
However, the web server must handle the information during processing, and it is here that it appears in the memory of the server in its unencrypted form, allowing Goudie to retrieve the information.
"I grabbed the processes, I found where the memory locations were, I got the memory locations, and I looked through it."
Goudie said that while this demonstrated how easy it is to farm credit card numbers, it is just one application of RAM scraping.
"I'm not just talking about credit card numbers. Credit card numbers are just the most prolific and obvious examples. Any data that you can make a regular expression out of, like a name or an address, all these things are things you can search for [and] anything that you can search for and find can be pulled out."
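On the defensive side, the window Goudie describes can be narrowed by wiping the request buffer as soon as the card data has been handed off, and by auditing your own buffers for leftover card numbers. The following is an added example, not code from the article or from Verizon; `forward_to_processor`, `handle_payment` and the sample request are hypothetical, and the card number is a constructed test value.

```c
#include <stddef.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
   stores as dead writes (a plain memset before return may be elided). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Luhn checksum over n ASCII digits. */
static int luhn_ok(const unsigned char *d, size_t n) {
    int sum = 0;
    for (size_t i = 0; i < n; i++) {
        int x = d[n - 1 - i] - '0';
        if (i % 2 == 1) { x *= 2; if (x > 9) x -= 9; }
        sum += x;
    }
    return sum % 10 == 0;
}

/* Self-audit: count runs of 13-19 digits in buf that pass the Luhn check. */
size_t count_cleartext_pans(const unsigned char *buf, size_t len) {
    size_t found = 0, i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && buf[i] >= '0' && buf[i] <= '9') i++;
        size_t run = i - start;
        if (run >= 13 && run <= 19 && luhn_ok(buf + start, run)) found++;
        if (run == 0) i++;  /* step over a non-digit byte */
    }
    return found;
}

/* Hypothetical stand-in for the hand-off to the third-party processor. */
static int forward_to_processor(const unsigned char *req, size_t len) {
    (void)req;
    return len > 0;
}

/* Forward the request, then wipe it before control returns to the caller. */
int handle_payment(unsigned char *req, size_t len) {
    int ok = forward_to_processor(req, len);
    secure_wipe(req, len);
    return ok;
}

int main(void) {
    unsigned char req[] = "card=4111111111111111&cvv=123"; /* constructed */
    size_t len = sizeof req - 1, before = count_cleartext_pans(req, len);
    handle_payment(req, len);
    return !(before == 1 && count_cleartext_pans(req, len) == 0);
}
```

Wiping only covers buffers the application controls; copies made by the web server, TLS library or language runtime need the same treatment to close the window.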
Michael Lee travelled to Singapore as a guest of Verizon Enterprise Solutions.