News Release

Programs that put your personal details at risk

New Scientist

TYPING your password or credit card number into a computer is a moment's work. But if you think your personal details disappear as soon as you hit the Return key, think again: they can sit on the computer's hard disc for years waiting for a hacker to rip them off.

This alarming assessment comes from researchers who have created a way to track sensitive information through computer memory. They hope their results will convince programmers to work harder at making computers more secure.

As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords.

But even that is no guarantee of security. When you type in a password, it is stored in random access memory (RAM), where it is held temporarily until other data overwrites it or the computer is switched off. But every so often, the computer copies the contents of its RAM onto hard disc, where it is easy prey for a hacker, who can read it directly or design a worm to email it back.

The longer sensitive data stays in RAM, the more likely it is to be copied onto the disc, where it stays until it is overwritten, which might not happen for years.

Tal Garfinkel and colleagues from Stanford University in Palo Alto, California, have created a software tool called TaintBochs which simulates the workings of a complete computer system. Within the simulation, sensitive data can be tagged, or "tainted", and then tracked as it passes through the system.

Such tracking is normally impossible on a computer. Next, Garfinkel and his team simulated computers running common software that regularly handles passwords or confidential personal information, such as Internet Explorer, the Windows login script and Apache server software.

In a paper to be presented in August at the USENIX Security Conference in San Diego, they conclude that the programs took virtually no measures to limit the length of time the information is retained. Some of the tested software even copied the sensitive information, apparently without restraint (http://suif.stanford.edu/collective/taint.pdf). This is the first time anyone has tried to measure the extent of this problem, says Rebecca Wright, a security expert at Stevens Institute of Technology in Hoboken, New Jersey.

Garfinkel hopes the results will galvanise software developers into action. "The way we are building our systems today is making the impact of an attack much greater than it needs to be," he says.

Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive. So Garfinkel reckons the best strategy is to ensure that data is kept on RAM for the shortest possible time.

One way to achieve this is for all data in RAM to be automatically turned into a string of zeros once it is finished with, something he says could be done with just a few extra lines of code in application programs. Perhaps the ultimate solution would be to encrypt data as it is entered, before it is saved into RAM, and arrange for programs that use it to decrypt it first.
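The zeroing step described above, as an added example in C (not code from the TaintBochs paper or from New Scientist): the wipe goes through a volatile pointer because a compiler may otherwise remove stores to a buffer that is never read again. The names `secure_zero`, `use_secret` and `handle_secret` and the sample secret are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
   stores as "dead" when the buffer is not read afterwards. */
static void secure_zero(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Hypothetical stand-in for the real use of the secret (here a djb2 hash). */
static unsigned long use_secret(const char *s) {
    unsigned long h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* Copy a secret into the caller's buffer, use it once, then wipe the whole
   buffer. Returns the number of nonzero bytes left behind (expected: 0). */
static size_t handle_secret(const char *input, char *buf, size_t cap,
                            unsigned long *digest) {
    if (cap == 0) return 0;
    size_t n = strlen(input);
    if (n >= cap) n = cap - 1;      /* truncate rather than overflow */
    memcpy(buf, input, n);
    buf[n] = '\0';

    *digest = use_secret(buf);      /* the only point where the secret is live */
    secure_zero(buf, cap);          /* wipe the full capacity, not just n bytes */

    size_t residue = 0;
    for (size_t i = 0; i < cap; i++) residue += (buf[i] != 0);
    return residue;
}

int main(void) {
    char buf[32];
    unsigned long digest = 0;
    /* "pw1" is a constructed sample value, not a real credential. */
    size_t left = handle_secret("pw1", buf, sizeof buf, &digest);
    printf("digest=%lu residue=%zu\n", digest, left);
    return left == 0 ? 0 : 1;
}
```

This wipes only the one buffer the application controls; copies made elsewhere, such as the original `input` string or library and kernel buffers, need the same treatment.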

Wright says there is nothing difficult about these strategies and that software writers could put them in place if they wanted to. The main disincentive is that zeroing or encrypting data consumes processing power that could be used for other, more alluring tasks, or simply to make the computer run faster.

But Vern Paxson, a security expert at the independent International Computer Science Institute in Berkeley, California, says that as processors are capable of ever more calculations, we are nearing the point where security measures can be built into systems without compromising performance.

"We are finally getting enough performance," he says, "to throw more computing power at security."

This article appears in New Scientist issue: 5 June 2004.

Author: Celeste Biever
