Re: [Full-disclosure] Google Talk cleartext credentials in process memory

On Tue, Nov 29, 2005 at 11:57:00AM +0100, Jaroslaw Sajko wrote:
> pagvac wrote:
> > Jaroslaw,
> >
> > thanks for your post. You're right, the same issue occurs in *many*
> > applications. However, any vendor that is serious about security will
> > at least attempt to obfuscate the credentials in memory (IMHO).
>
> Thanks for your post too. I think you're right that obfuscation can help
> in some cases. Sometimes the plaintext credentials goes to the Microsoft
> as the part of the crash report. Then if the cerdentials are obfuscated,
> in a correct way, we can prevent Microsoft from collecting our
> credentials. To prevent an attacker from reading credentialas from
> process memory dump we need more complicated mechanism (the dump
> contains all data & code). Therefore cost of implementing the correct
> obfuscation might be uncomparable with the risk of the credential lost
> in such manner. That's why I think the obfuscation isn't necessary. But
> this is of course only my opinion:]
 
If you want to protect the credentials in memory from dumps that go to
Microsoft, why not use CryptProtectMemory() instead of home-grown
obfuscation? This function encrypts the memory with a key that changes
over reboots, so even if you send a dump to MS, they wouldn't know how
to decrypt it.

--
Nasko Oskov
"A hacker does for love what others would not do for money."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/