Encryption’s Weak Point Exploited By Data Scraping

Encrypted data is not the security panacea that it is popularly believed to be, according to Ed Skoudis, a founder of InGuardians and its senior security consultant.

It is no secret that encrypted data is revealed as plain text at various stages of its lifecycle and especially when it is called into an application. Hackers are now capable of accessing the data and stealing it through a process known as “pervasive memory scraping”, he said.

Part Of Metasploit’s Expanding Toolkit

Skoudis used this form of attack as one of his topics when pointing out the most threatening attack techniques for 2011 to attendees at the RSA Conference last week. Once a hacker has gained access to a system, he said, they will try a cocktail of attacks to grab information. A good example was the HBGary Federal attack which used SQL injection, rainbow tables to decrypt hashed passwords, simple brute force password dictionaries – basically anything that might reveal something useful.

Speaking at the conference with Rohit Dhamankar, director of security research at TippingPoint and Johannes Ullrich, chief research officer at SANS Institute, Skoudis explained that an increasing number of incidents where pervasive memory scraping has been used have come to light recently. Hackers have successfully stolen “encrypted” data  such as personally identifiable information (PII).

This is partly due to the ready availability of penetration testing toolkits like Metasploit which is supplied by Rapid7 as a security enhancement but widely used as a hacking tool. “Attackers know that data is usually decrypted for processing and they are therefore targeting and capturing it while available in clear text in memory using the memory scraping functionality of Metasploit’s Meterpreter,” he said.

Companies that use end-to-end encryption can get careless because they feel that they are secure. This allows the hacker, who is constantly looking for weak spots, to gain control of systems and probe around.

Limit administrative privileges

Skoudis said, “When the data is decrypted, attackers go into memory and grab the crypto key. Ths allows them to start fetching the PII itself from memory.”

The best protection against such attacks is to ensure that the host is surrounded by strong security and administrative privileges cannot be accessed in the first place, he advised.

Skoudis said the  warning signs that such an attack has been initiated is often when personal information has been leaked. He warned that data leakage prevention is only effective where the leak is accidental and that it is no defence against a determined attack .