RE: Credentials held unencrypted in memory during runtime
From: Feldhacker, Chris <Feldhacker.Chris_at_principal.com>
Date: Mon, 11 Apr 2011 12:15:16 -0500
I would agree that it is a security vulnerability, but, yes, the risk is low.
It would be a "Sensitive Data Protection Vulnerability"
Examples of other programs that go to lengths to protect in-memory sensitive information:
I read an article a few weeks ago around the time of the RSA incident that mentioned the fastest growing threat in recent months is actually advanced persistent threats that perform in-memory scraping to capture credentials (sorry, can't find the exact link again else I'd provide it).
Yes, if a system is compromised then you've got problems, but that's the whole point of a defense-in-depth strategy -- protections in one layer or area can help minimize the impact of a breach in another area should one occur. Most programming language frameworks or APIs return sensitive data in mutable character arrays rather than immutable types specifically so the data can be overwritten as soon as it's no longer needed to avoid having sensitive data left floating around memory...
FWIW, I'd vote for this bug.
On 11.04.2011 14:08, Annamalai wrote:
You have a very strange definition of "security issue".
Here are a few pointers for you:
So next time, don't cry wolf unless you're absolutely sure there's a wolf.
Received on 2011-04-11 19:15:28 CEST
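An added example, not from this thread or from TortoiseSVN, of the overwrite-when-done practice described above, in C: a wipe routine (secure_zero, a hypothetical name) writes through a volatile pointer so an optimizing compiler cannot drop the final store as dead (a plain memset right before return is exactly the kind of store it may elide), and a caller wipes the credential buffer on every return path. The policy check inside use_credential is a constructed stand-in for a real authentication call.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Overwrite a buffer through a volatile pointer so the compiler must keep
 * every store; a plain memset() of a buffer that is never read again may be
 * removed by dead-store elimination. Hypothetical helper: real code would
 * prefer a platform primitive such as explicit_bzero() or SecureZeroMemory(). */
void secure_zero(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero. Accumulates with OR instead of
 * returning early so the check's timing does not depend on the contents. */
int is_zeroed(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Uses the credential held in buf, then wipes it in place whether or not the
 * check succeeded, so the caller never holds a live copy after this returns.
 * The check itself (length, no spaces) is a constructed stand-in for a real
 * authentication call. Returns 1 if the credential was accepted, else 0. */
int use_credential(unsigned char *buf, size_t len) {
    int ok = (len >= 8 && memchr(buf, ' ', len) == NULL);
    secure_zero(buf, len);
    return ok;
}

int main(void) {
    /* Constructed sample credential; a real one would come from a prompt
     * or a credential store and would be copied into a mutable buffer. */
    unsigned char cred[] = "hunter2hunter2";
    int accepted = use_credential(cred, sizeof(cred) - 1);
    printf("accepted=%d wiped=%d\n", accepted, is_zeroed(cred, sizeof(cred)));
    return 0;
}
```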
This is an archived mail posted to the TortoiseSVN Users mailing list.