Is virtual memory encrypted, or otherwise out of the reach of hackers?

jols

Here is a question I just received from one of our customers:

-------------
I have a question about the security of virtual memory on the hosting system. Is it encrypted? This question was raised by my Banker in relation to hackers gaining access to credit card information on the web server. Our application does not store the credit card information in its database. As soon as the client enters the card info, we pass it off to a secure card processing agency. We've not heard about RAM memory being exposed to hackers, so the only exposure appears to be with virtual memory - if the web server happened to need virtual memory at the time of the credit card transaction.

Can you confirm (or deny) that the virtual memory is somehow encrypted so that it cannot be accessed by hackers?
-------------

Anyone?
 

richy

I would doubt it was encrypted as it'll then have to load itself into memory to decrypt itself....

Personally, I recommend that if your banker is that worried about security, you consider a dedicated server for that account - meaning that there are no other users/accounts on that server.
 

webignition

It makes no sense for a hacker to monitor the swap partition for sensitive data. A particularly sophisticated program would be needed, with full root permission, to even access data on the swap partition at all.

During normal operation, the swap file will generally contain data that are useful to have in RAM, but which are not essential at that instant. The chances of this applying to a live HTTP session within the very very very short time the data resides in RAM is minimal to say the least.

Security concerns, if directed anywhere, should be directed towards the security of session files. These reside in a location that is dead easy to find if you have root access and which may contain sensitive data, dependent on the level of consideration taken by the developer of the application. However, the likelihood of a decent developer leaving sensitive data in session files is remote - nevertheless, this does point more to the ability of the developer than to anything else.

Lastly, it would make little sense for a hacker to monitor the swap file on the off-chance that it might contain some data pertaining to credit card details. It's unlikely that such data will reside in the swap file at all. Conversely, data pertaining to credit card details are likely to reside in RAM, albeit briefly, whenever a credit card transaction is processed. Rounding-off the figures to avoid long numbers of decimal places, I'd say that 100% of credit card transaction details will pass through RAM whereas 0% will pass through the swap file.

Consequently, a hacker would then benefit much more from having a program running that, with a very high frequency, copies the entire contents of RAM to a file and then scans the file for relevant data. This, though, would, more likely than not, stand out like a sore thumb.

With so many other more easy, straightforward and lucrative methods for acquiring credit card details, such as phishing scams, direct social engineering or simply old fashioned theft, it's highly unlikely that someone would go to the effort of developing a sophisticated program to try and scrape off credit card details from the relevant user's application.
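
For the customer's original question of whether swap is encrypted, here is an added example (not part of any post in this thread) that audits a Linux host by parsing `/proc/swaps` and flagging swap areas that sit on a dm-crypt mapping. It assumes a Linux server and cryptsetup's `CRYPT-` device-mapper UUID prefix; the sample data, function names and status labels are constructed for illustration.

```python
import os

# Constructed sample of /proc/swaps output (not from a real host).
SAMPLE_SWAPS = """Filename    Type        Size     Used  Priority
/dev/dm-1   partition   4194300  0     -2
/dev/sda2   partition   2097148  5120  -3
/swapfile   file        1048572  0     -4
"""
# Constructed stand-in for reads of /sys/block/<dev>/dm/uuid.
SAMPLE_DM_UUIDS = {"dm-1": "CRYPT-PLAIN-cryptswap"}


def parse_swaps(text):
    """Parse /proc/swaps text into dicts, skipping the header line."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.rsplit(None, 4)  # split from the right: path is first
        if len(parts) == 5:
            path, kind, size, used, _prio = parts
            entries.append({"path": path, "type": kind,
                            "size_kb": int(size), "used_kb": int(used)})
    return entries


def sysfs_dm_uuid(dev_name):
    """Read the device-mapper UUID of a block device; None if it has none."""
    try:
        with open(f"/sys/block/{dev_name}/dm/uuid") as fh:
            return fh.read().strip()
    except OSError:
        return None


def classify(entry, dm_uuid=sysfs_dm_uuid):
    """Label one swap area by what backs it (top storage layer only)."""
    if entry["type"] == "file":
        return "file-backed"  # protection depends on the volume under the file
    name = os.path.basename(os.path.realpath(entry["path"]))
    if name.startswith("zram"):
        return "ram-backed"  # compressed RAM block device
    # cryptsetup gives dm-crypt mappings a UUID starting with "CRYPT-"
    if (dm_uuid(name) or "").startswith("CRYPT-"):
        return "dm-crypt"
    return "no-dm-crypt"  # plaintext, or encrypted at a lower layer


def audit(text, dm_uuid=sysfs_dm_uuid):
    """Map each active swap area to its classification."""
    return {e["path"]: classify(e, dm_uuid) for e in parse_swaps(text)}


if __name__ == "__main__":
    with open("/proc/swaps") as fh:
        for path, status in audit(fh.read()).items():
            print(f"{status:12} {path}")
```

A `no-dm-crypt` result only describes the top storage layer, so a swap area on a logical volume over an encrypted disk still needs a manual look. The `Used` column also shows whether anything has been paged out at all.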