February 22, 2011, 8:20 PM — What's "pervasive memory scraping" and why is it considered by SANS Institute security researchers to be among the most dangerous attack techniques likely to be used in coming the coming year?
Simply put, pervasive memory scraping is used by attackers who have gained administrative privileges to successfully get hold of personally identifiable information (PII) and other sensitive data held encrypted in a file system, according to Ed Skoudis, senior security consultant at InGuardians who is also an instructor at SANS events. Evidence of this attack is coming up again and again in data-breach cases, he said.
"Data is encrypted in a file system where it's stored," said Skoudis, who joined with Johannes Ullrich, chief research officer at SANS Technology Institute, to speak at the RSA Conference last week on dangerous attack techniques that appear to be on the rise. Though stored encrypted, the data has to be processed by some application and "if you're processing that data it will be processed in that system unencrypted," Skoudis pointed out.
Although data encryption is widely regarded as good protection for sensitive data — and may be required under regulations — attackers are probing the chinks in encryption's armor to steal it. That's done by taking advantage of the fact that to be processed, data has to be unencrypted, and attackers "go into memory and grab the crypto key" and start "fetching the PII itself from memory." One interesting aspect about this attack is that "the bad guys want to maintain the end-to-end encryption, too."
Pervasive memory scraping is not wholly new — the annual Verizon Data Breach report, for example, two years ago identified what it called a "RAM scraper" attack as something first spotted in the retail and hospitality sectors. The Verizon report described the RAM scaper as a "relatively new form of malware designed to capture data from volatile memory within a system" in order to circumvent encryption controls and "capture data in memory where it must be decrypted to be read and processed." The Verizon report at that time suggested, "The best defense is to keep remote attacks from owning the system."
One of the tools that attackers can use for pervasive memory scraping is the Metasploit Meterpreter, a software module that works with the open-source Metasploit framework. Researcher Colin Ames is credited with having done pioneering work in showing how it's possible to hunt for crypto keys, Skoudis said.