I read about a new variant of the Citadel malware that's designed to compromise password management and authentication products. How does it work, and what are the best ways to prevent it? Does it change whether we should allow staff to use self-managed password-management tools?
Passwords were the easiest authentication measure to deploy when multi-user systems first came out. However, once people needed to remember one, the habit of writing passwords down on paper started -- and stuck with us.
While passwords and the writing down of passwords are not inherently insecure, getting people to do so securely is difficult.
When password managers came out, some people were concerned about the inherent insecurity of storing passwords on endpoint computers (some single sign-on systems include a built-in password manager to create the single sign-on experience for users). Although password managers help users maintain their passwords securely, such programs create an additional avenue for capturing passwords on a compromised computer.
A recently discovered variant of the Citadel Trojan appears to have functionality for capturing passwords from password managers. IBM Trusteer researchers analyzed a configuration file left behind on a compromised computer and determined that the malware had keylogging functionality to capture "master passwords" and ultimately unlock the password manager.
Knowing whether this was a targeted or opportunistic attack would help in predicting how soon this functionality will be adopted by attackers with fewer resources. As of now, researchers are unsure how the malware ended up on the infected device.
Regardless, steps can be taken to protect against the Citadel malware. Keeping systems up to date with patches, using a modern antimalware product, running systems with least privilege and being careful of phishing attacks are critical mitigations.
Password managers rely on the underlying security of the system. While multifactor authentication could be used to protect access to the password manager, copying a password from the password manager into an application will still be risky, just like handling any other sensitive data in memory.
Ask the Expert: SearchSecurity expert Nick Lewis answers enterprise threat questions.