I read about a new variant of the Citadel malware that's designed to compromise password management and authentication products. How does it work, and what are the best ways to prevent it? Does it change whether we should allow staff to use self-managed password-management tools?
Passwords were the easiest authentication measure to deploy when multi-user systems first came out. However, once people needed to remember one, the habit of writing passwords down on paper started -- and it has stuck with us.
While neither passwords nor writing them down is inherently insecure, getting people to do either securely is difficult.
When password managers came out, some people were concerned about the inherent insecurity of storing passwords on endpoint computers (some single sign-on systems include a built-in password manager to create the single sign-on experience for users). Though password managers help users maintain passwords securely, they also create an additional avenue for capturing passwords on a compromised computer.
A recently discovered variant of the Citadel Trojan appears to have functionality to capture passwords from password managers. IBM Trusteer researchers analyzed a configuration file left behind on a compromised computer and determined that the malware has keylogging functionality to capture the "master password" and ultimately unlock the password manager.
Knowing whether this was a targeted or an opportunistic attack would help in predicting how soon this functionality will be adopted by less well-resourced attackers. As of now, researchers are unsure how the password malware ended up on the infected device.
Regardless, steps can be taken to protect against the Citadel malware. Keeping systems up to date with patches, using a modern antimalware product, running systems with least privilege and being careful of phishing attacks are critical mitigations.
Password managers rely on the underlying security of the system. While multifactor authentication could be used to strengthen access to the password manager, copying a password from the password manager into an application will still be risky, just like any other sensitive data in memory on a compromised host.
Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)