Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Securing encrypted data in RAM vs MSSQL

Re: Securing encrypted data in RAM vs MSSQL

From: Toro, Daniel <tcvx_at_taconvino.cl>
Date: Thu, 01 Jul 2004 12:32:50 -0400

Related to point 3.A below: Is it really necessary to delete the data if
it's encrypted with a one-way encryption algo like MD5? There's no way to
recover data from the message digest produced by MD5 that I know of. Of
course, I don't know everithing. :-)

On Thu, 1 Jul 2004 09:24:55 -0400, Stan Guzik <SGuzik_at_ImmediaTech.com>
wrote:

> See reply below.
>
> Good Luck,
> Stan
>
> -----Original Message-----
> From: Dave Andrews [mailto:dave_at_pint.com]
> Sent: Wednesday, June 30, 2004 8:52 PM
> To: webappsec_at_securityfocus.com; forensics_at_securityfocus.com
> Subject: Securing encrypted data in RAM vs MSSQL
>
> Hello All,
>
> Is anyone aware of a way to store encrypted sensitive data in RAM for
> access via a web application using ASP?
>
> 1) You can create an ActiveX EXE that will remain in memory. When the
> web application loads instantiate the ActiveX EXE and access it like any
> other dll.
>
>
> It would be posted in the same
> manner.
> Is storing in RAM preferable to using an encrypted database, in this
> case SQL 2000?
>
> 2) It depends on the application and network environment. This is a
> difficult question to answer not knowing more details.
>
> Is there anyway to securely delete or timeout the data after a certain
> period of time?
>
> 3) A. If you store the data in memory you can kill the instance of the
> object and the memory will be released. Depending on the type of RAM
> you have the data may or may nor remain on the chip for a short period
> of time.
>
> B. I'm not sure how to easily delete data from a SQL Server DB and not
> have it recovered by a forensics tool. A difficult way of doing it is
> to compact the SQL Server DB which will shrink the DB file size and then
> use PGP Freespace Wipe to permanently delete any residual data on the
> hard drive. This is a good question, anybody know of a better way?
>
> C. PGP Wipe is a good tool with API support to delete files so a
> forensics tool can't recover the data.
>
> If you discard the data are there potential problems with California SB
> 1386 and being able to track intrusions and possible data compromise?
>
> I'm not a developer, but want a better solution than what the developers
> and client have proposed.
>
> Thanks in advance
> Dave Andrews
> PINT, Inc
> 2105 Garnet Ave. Suite E
> San Diego, CA 92109
> TEL 858.270.2086
> FAX 858.270.0410 

-- 
TCV
Received on Jul 01 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]