Citadel Malware Steals Password Manager Master Passwords

Citadel is the first piece of malware I know of that specifically steals master passwords from password managers. Note that my own Password Safe is a target.

Posted on November 20, 2014 at 9:51 AM • 61 Comments

Comments

uh, Mike • November 20, 2014 10:14 AM

[off topic] Today, the FBI dishonors itself with more slander against Apple.

I encourage you to contact your government and emphasize that the FBI attacks are (a) unlawful, (b) un-American, and (c) frightfully stupid.

conrad • November 20, 2014 10:36 AM

Time to add a random captcha to the end of the Password Safe password? Kind of like your "Fill in the blank: " requirement to leave a comment.

Al • November 20, 2014 11:01 AM

So, if I have two factor authentication on my (online) password manager, that should protect me from this, right? At least if they get my master password, they can't get to my passwords yet.

So, apart from not having keyloggers installed, are there any additional actions we can take to protect us if we're using Password Safe or some other offline password manager? Some authentication that doesn't require me to type a password?

That said, if software like this is on your machine, I always assume you're kind of screwed no matter what.

Wael • November 20, 2014 11:06 AM

"I know of that specifically steals master passwords from password managers."
That is expected and not at all surprising! There are ways to fix this weakness. First, an introduction... Passwords are used for presenting credentials to prove an identity. It's something "you know" -- will not dwell too much on that, everyone knows it... Using a TPM can help significantly in this scenario. Typically, the password (or passphrase in this case) of a password manager application will be transitively bound to the platform via the TPM. The passphrase will be used by the TPM to unlock (unseal in TCG parlance) the credentials needed. Stealing a passphrase from the platform is useless to an attacker since the passphrase is bound to the TPM which in turn is bound to the platform it is attached to. Another way to think about it is the passphrase the user enters into the password manager allows the device to authenticate itself (in an application that needs that -- VPN client communicating with a backend, for instance.) This is an elementary example use case of a TPM. A more advanced implementation would allow the device to bind the credentials to a platform state (either current or future expected state) as well -- BitLocker does that to some extent (or did, I forgot.)

Basically, this is about multi-entity authentication -- and not multi-factor. The device as well as the user need to be authenticated. This point was alluded to in Device authentication
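
The binding described in the comment above, as an added example that is not part of the original post and not code from any TPM library: a simulated TPM (an assumption of this example; the class, its seed and the PCR hash chain are stand-ins for a real chip) seals the password manager's vault key to a hashed passphrase and to a measured boot state, so the passphrase on its own, replayed on another machine or after the boot chain has changed, unseals nothing.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


class SimulatedTpm:
    """Software stand-in for a TPM, an assumption of this example (no real TPM
    commands are issued). The seed plays the role of the chip's storage root
    key: it never leaves the object, so blobs sealed here unseal only here."""

    def __init__(self) -> None:
        self._seed = secrets.token_bytes(32)   # never exported from the "chip"

    def _keys(self, nonce: bytes, auth: bytes, pcr_digest: bytes):
        # Keys bound to this chip, the user's auth value (hashed passphrase) and
        # the platform state (PCR digest); fresh per blob through the nonce.
        binding = nonce + pcr_digest + auth
        enc = hmac.new(self._seed, b"enc" + binding, hashlib.sha256).digest()
        mac = hmac.new(self._seed, b"mac" + binding, hashlib.sha256).digest()
        return enc, mac

    def seal(self, secret: bytes, auth: bytes, pcr_digest: bytes) -> bytes:
        if len(secret) != 32:
            raise ValueError("this simulation seals exactly 32-byte secrets")
        nonce = secrets.token_bytes(16)
        enc, mac = self._keys(nonce, auth, pcr_digest)
        wrapped = bytes(a ^ b for a, b in zip(secret, enc))   # single-use pad
        tag = hmac.new(mac, nonce + wrapped, hashlib.sha256).digest()
        return nonce + wrapped + tag

    def unseal(self, blob: bytes, auth: bytes, pcr_digest: bytes) -> Optional[bytes]:
        nonce, wrapped, tag = blob[:16], blob[16:48], blob[48:]
        enc, mac = self._keys(nonce, auth, pcr_digest)
        expected = hmac.new(mac, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None   # wrong chip, wrong passphrase or changed platform state
        return bytes(a ^ b for a, b in zip(wrapped, enc))


def pcr_digest(measurements: List[bytes]) -> bytes:
    """Mimic PCR extend: a hash chain over the measured boot components."""
    pcr = b"\x00" * 32
    for m in measurements:
        pcr = hashlib.sha256(pcr + hashlib.sha256(m).digest()).digest()
    return pcr


def auth_value(passphrase: str) -> bytes:
    """The TPM sees a digest of the passphrase, never the passphrase itself."""
    return hashlib.sha256(passphrase.encode()).digest()


def demo() -> dict:
    laptop = SimulatedTpm()
    good_state = pcr_digest([b"firmware v1", b"bootloader", b"kernel 6.1"])
    bad_state = pcr_digest([b"firmware v1", b"bootkit", b"kernel 6.1"])
    vault_key = secrets.token_bytes(32)          # the password manager's real key
    passphrase = "correct horse battery staple"  # what a keylogger would capture
    blob = laptop.seal(vault_key, auth_value(passphrase), good_state)
    return {
        "owner_on_own_laptop":
            laptop.unseal(blob, auth_value(passphrase), good_state) == vault_key,
        # Keylogged passphrase plus a copy of the blob, replayed on another machine.
        "stolen_passphrase_other_machine":
            SimulatedTpm().unseal(blob, auth_value(passphrase), good_state) is None,
        # Same machine, but a modified boot chain changes the PCR values.
        "same_machine_modified_boot":
            laptop.unseal(blob, auth_value(passphrase), bad_state) is None,
        "wrong_passphrase":
            laptop.unseal(blob, auth_value("hunter2"), good_state) is None,
    }
```

This only stops the keylogged passphrase from being useful somewhere else; malware running on the already-unlocked machine can still ask the same chip to unseal, which is the limitation several later comments in this thread point out.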

Apples • November 20, 2014 11:14 AM

Since the published articles reference pwsafe.exe, a dumb question would be - are there any repercussions we should know about if we just rename it to a filename of our choice?

In a quick test a renamed exe file opened a pwsafe file ok. Are there any gotchas or is this currently a reasonable workaround?

Ben • November 20, 2014 11:16 AM

Didn't we kind of assume this was happening?

Lots of malware is known to have keyloggers and also to scan the keystroke output for "password-like" strings. Looks to me like that would get PasswordSafe passwords anyway.

Daniel • November 20, 2014 12:11 PM

"Passwords are generally not considered an adequate security solution for important data or online services because easy-to-remember passwords are also easier to guess, reducing the security of the protected data."

Boy, the federal government is really pushing hard to get rid of that pesky password, the one thing the American courts have held--so far--that one doesn't have to reveal to the government.

Hint: if your password is so short it can be easily guessed, try a longer password.

uh, Mike • November 20, 2014 12:16 PM

@Daniel reminds me of Lessig's _Code_ that explains the other-than-law opportunities for regulating behavior.

Wisdom and hindsight show us that leveraging a Big Brother attitude in America is of limited effectiveness. I hope we are getting back to the balance we lost before Pearl Harbor and 9/11.

Arclight • November 20, 2014 12:17 PM

What about Passwordsafe with the Yubikey integration? I believe this would defeat the keylogger-style attack.

Arclight

SJ • November 20, 2014 12:24 PM

One thought:

the passphrase is only useful with the password database.

However, if a local piece of malware can monitor keystrokes on the machine, it can likely also find the password database file.

How easy is it for malware to pull the name of the currently-open database file from a running instance of PasswordSafe/KeePass ?

Moo • November 20, 2014 12:40 PM

Just thinking out loud about attacks specifically on tools such as Password Safe etc ...... use them only on an airgapped device. Not the most usable in all scenarios, but it's an option.

By the way ... I wonder if the Android version of Password Safe is at risk .... time to read a bit more!

Bear • November 20, 2014 12:45 PM

And this is one more vindication for the password handling technique I use for my own accounts:

NEVER STORE PASSWORDS IN ANY SOFTWARE, NOR ON ANY COMPUTER SYSTEM AS A FILE.

Nobody can remotely hack a box of filecards that you keep next to your computer.

Captain Obvious • November 20, 2014 12:53 PM

@ Al
re: Some authentication that doesn't require me to type a password?

On my password safe I use a form of poor man's 2 factor authentication...copy-paste a portion of a complex filename that I can't remember, plus a password I can remember.

If it's just a keylogger and not a copy buffer scrubber it wouldn't catch most of my password.

Wael • November 20, 2014 12:59 PM

@Bear,

"Nobody can remotely hack a box of filecards that you keep next to your computer"
They still can extract the passowrd as it's entered. What you want is a solution that renders the passwprd useless on a different device. Or, alternatively / additionally, make the password hard to extract. SecureMetrics has such a solution... Other possibilities include onetime passwords or limited duration passwords.

Wael • November 20, 2014 1:04 PM

Correction: SECUREMATRIX®.
Can't blame the spellchecker since it didn't catch the other typo ;)

Bob T • November 20, 2014 1:56 PM

Well, if you've got a keylogger on your machine in the first place all bets are off to what accounts they have access to in the first place.

If you're worried about what they might have if they grab your database and the master password, then name your Amazon account "Purple" under your ecommerce section group that you've named "Guitar Types." Name your Bank Account "Yosemite Sam," or something. Let them figure that out.

Eric • November 20, 2014 4:02 PM

I played with the YubiKey integration, and one thing that jumped out at me was that you can make a "backup key" by copying the "YubiKey Secret Key". Thus to me it *seemed* like what you really ended up with was just 2 passwords - one that you remember, and a 2nd one that drives the YubiKey. By knowing those two pieces of information, a thief could make their own key and break into your safe.

I suppose my concerns are overblown - typically the "YubiKey Secret Key" is something that is only known and entered when one makes the backup key, and not when the thing is actually used. I suppose best practices would be to keep that number written down somewhere or another however.

I could actually start using the thing. I still have one of the two keys on my keyring - I need to find the "backup" key before I start however...

And I would still need to figure out what to do with Android. I rarely use it there, so perhaps the risk isn't all that great.

Godel • November 20, 2014 5:00 PM

On Windows KeePass has the option of opening a separate desktop just to receive the password. This may make things harder for an attacker.

The free, mouse driven Neo's Safekeys has been shown in recent tests using "drag and drop" mode to be highly resistant to commercial key loggers on the market (but incompatible with a separate desktop as above), but provides no program protection against screen capture.

However Neo's has a "ghost hover" entry mode that I imagine would make it difficult to screen capture, especially if you crank the transparency right up, but also makes key entry a bit of a chore.

Godel • November 20, 2014 5:13 PM

@ Bear

"Nobody can remotely hack a box of filecards that you keep next to your computer."

But they're freely available to the feds with a warrant, or your teenage children's visiting friends or perhaps your wife in the lead-up to a messy divorce that you didn't see coming, or the guy burglarizing your house.

I'm sure you claim that your physical security is good, but you've just exchanged one kind of threat for another.

What kind of backup plan do you have for your box of cards?

Keyspace • November 20, 2014 6:25 PM

Good to see RoboForm isn't on the list but it makes me think how secure these programs actually are. Cost of convenience vs security.

Security_Experts_Who_Cant_Code_Or_RCE_Hard_At_Work_Again • November 20, 2014 8:54 PM

Good luck making a secure solution around AttachThreadInput() or the clipboard API, even with a crypto-chip dongle (like IronKey, Kingston XTS and CBC etc..)..

FYI every x86 password manager in existence uses them, and can be inline patched or API hooked even if you remove automated input to sniff out UI classes.. This is all malware devs care about. 2FA, cloud-login, captcha, NT ACL&user for the process all the same..

But hey you guys are the security experts.. More security designs that last as long as people don't do RCE!!!

shadowjack • November 20, 2014 9:27 PM

"Cost of convenience vs security."
Pretty much. I was going to say precisely and then recalled that we are talking about a keylogger with an admitted preference for logging when a certain executable is running. The only way to fuzz the signal is to use a common string of words while running a word processor and changing the passphrase to a new passphrase on each access. That might, just, slightly increase the effort.

Frankly, detection is becoming orders of magnitude in difficulty so the safest assumption is that one is present even while using read only boot media. Sucks.

Manuel • November 20, 2014 9:55 PM

Bob, in post #5, says "My password manager is a truecrypt volume. Good luck."

I think he might have something there.

If the threat is from keylogging, and if your system drive is encrypted with TrueCrypt, I would assume that no keylogging program could possibly capture your keyboard input as you initially enter your password because that happens before Windows boots.

And if the TrueCrypt volume that you use as a password manager has the same password that you enter to boot your computer, that password is cached and you can mount and unmount the volume at will without typing anything.

What do you guys think about that?

Matt • November 21, 2014 12:03 AM

@Al: What does the second factor actually protect? Most of these online ones with 2 factor auth just use that to protect access to your encrypted container. The container itself is only encrypted with your password (you can't encrypt it with a changing factor). All the attacker has to do is capture your encrypted container (which the online service has sent to your browser after you authenticate with the second factor) from your browser at the same time as they log your password.

If they actually use the second factor for access to every record, then you have protection. I don't know of any that do, as it requires constant online access and is a PITA for the user.

Danny • November 21, 2014 12:57 AM

The main point everybody seems to miss, commentators here included, is that a password manager is used not to protect you against someone who attacks you, but from the ones who attack the services you use. Specifically, if they stole the database of MD5 passwords of Facebook and they start attacking that on their computers, the password manager will have created a long password (as in longer than 50 characters) that will be impossible to guess.
And if the attacker managed to install a keylogger on your computer, it is game over for you already. Because if he manages to do that he can take movies of everything you do, he can sniff your network traffic, he can pretty much do whatever he wants. You are dead in the water at that point. So to me the technique of installing a keylogger seems like a stupid one. I would go with a rootkit instead, making you a zombie for me.

Thoth • November 21, 2014 2:06 AM

Put simply, it pwned your PC; that is why it can grab your master passwords or whatever secrets it has in our no-assurance devices.

You can do 2FA or multiple auth but once you decrypt your secrets, you are better off giving away your secrets. They just copy your secrets and phone home happily.

So what can be done? Hardware protection measures that me, Clive Robinson and Nick P have been ranting about for so long. Get an isolated chipboard like the Raspberry Pi and so forth with no audio, shielded, and do proper OPSEC.

Another temporary method is binary self-obfuscation to trick the malware but this is very short term. Might as well segregate and layer your security domains.

There is no easy answer except a secure TCB properly done and used.

Clive Robinson • November 21, 2014 3:47 AM

Why are people acting all surprised?

I predicted this sort of thing would happen back in the 1990's and was saying so to various parties with customer money handling systems online --i.e. banks, et al-- back then and more generally to students and others in 2000 and on this and other blogs several times in the intervening years.

Stop thinking of a password manager as a storage device but an authentication token instead. If you look back on this blog you will see numerous discussions where I clearly state that authentication tokens to even have a chance at being secure have to have three basic characteristics as an absolute,

1, Work out of band in an isolated side channel.
2, Must go through the human as part of auth comms chain.
3, Devices should be clearly tamper evident.

Password managers running on a general use PC fail all three criteria horribly no if's no but's no maybe's about it, absolutely guaranteed to fail badly, just a matter of time. Oh and smart phones are even worse than PCs in this respect, likewise tablets and pads.

The only thing that surprises me is that it's taken attackers 20 years to get here, I guess that demonstrates just how much other low hanging fruit there has been. Which some might suggest that maybe albeit with the speed of an arthritic snail on "mother's little helpers" user security is moving forward, but my guess is it's actually the case somebody wrote it as a "pet project" for "ego food" and has decided to "monetarise" it now that "the dark side" markets are paying more for "accounts" than credit card details.

And for those thinking up new systems for authentication, remember the three points above and observe them strictly or you will fail and worse others will get hurt badly. No if's, no but's, no maybe's, it's just a question of time. And when it happens as it will don't complain nobody told you it was going to happen. In the past I've charged good money for this advice and seen it squandered, but due to the hurt and pain I've seen not following it causes others, I now --as I have done for the past decade or so-- gift it to all who want to listen. And for book writing gurus and educators please pass it on in your works, I also give you the advice free of encumbrance to pass on and request that you do so.

Gerard van Vooren • November 21, 2014 5:17 AM

@ Clive Robinson

Thanks for your post. Personally I only use the password managers for some silly site login. They want it more and more. I never really trusted them simply because of their nature. Open Source or Closed, it doesn't matter. They are most of the time written in C or C++ anyway.

Now that we start to learn more about the NSA and their ridiculous ideas, their way to deal with NIST [1], you have to come to the conclusion that National Security is more important to them than "citizen security".

Why do I bring that up here?

Responsibility.

If a government department is actively involved in making the security of everyone worse, in order to have gains themselves [2], shouldn't the costs of lost data and money because of that, be paid by that department too?

Now what if the NSA assholes knew about these vulnerabilities and didn't do anything about it?

Also I cannot think of an electronic device that is impossible to tamper with. What kind of certification should such a device have anyway? "Intel Inside", "NIST Approved"? It doesn't make sense anymore now that the word is out.


[1] http://blog.cr.yp.to/20140411-nist.html
[2] https://www.schneier.com/blog/archives/2014/11/the_nsas_effort.html

This Entry • November 21, 2014 6:09 AM

This seems easily avoidable by the basic principle of "something you know; something you own" (e.g., using a combination of key passphrase and key file, ideally on a removable media).
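
Three points raised in this thread (Matt's observation that a second login factor does not change what the container is encrypted with, Eric's note that the YubiKey secret amounts to a second password, and the passphrase-plus-key-file idea in the comment above) in one added example. This is not code from the page, from Password Safe, KeePass or Yubico; the vault layout, the key check value, the PBKDF2 parameters and the idea of storing a fixed challenge next to the vault are assumptions of the example. The HMAC-SHA1 challenge-response is the primitive a YubiKey slot computes.

```python
import hashlib
import hmac
import secrets


def yubikey_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA1 challenge-response as a YubiKey slot computes it. Only the
    arithmetic is modelled: the real token keeps slot_secret inside, but anyone
    holding a copy of that secret gets the same answer."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def derive_master_key(passphrase: str, salt: bytes, second_secret: bytes = b"") -> bytes:
    """Master key from the passphrase plus an optional second secret: empty for a
    password-only vault, a key-file digest, or a challenge-response output."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode() + second_secret,
                               salt, 100_000, 32)


def create_vault(passphrase: str, second_secret: bytes = b"") -> dict:
    """What an attacker can copy from disk: the salt and a key check value."""
    salt = secrets.token_bytes(16)
    key = derive_master_key(passphrase, salt, second_secret)
    return {"salt": salt,
            "kcv": hmac.new(key, b"key check", hashlib.sha256).digest()}


def unlock(vault: dict, passphrase: str, second_secret: bytes = b"") -> bool:
    key = derive_master_key(passphrase, vault["salt"], second_secret)
    kcv = hmac.new(key, b"key check", hashlib.sha256).digest()
    return hmac.compare_digest(kcv, vault["kcv"])


def demo() -> dict:
    passphrase = "correct horse battery staple"   # assume a keylogger captured this
    out = {}

    # 1. Password-only vault: a copied container plus the logged passphrase is
    #    enough, whatever second factor guarded the download of the container.
    v = create_vault(passphrase)
    out["password_only_attacker_opens"] = unlock(v, passphrase)

    # 2. Passphrase + key file (on removable media, so absent from the copy).
    keyfile_digest = hashlib.sha256(secrets.token_bytes(64)).digest()
    v = create_vault(passphrase, keyfile_digest)
    out["keyfile_attacker_without_file_fails"] = not unlock(v, passphrase)
    out["keyfile_owner_opens"] = unlock(v, passphrase, keyfile_digest)

    # 3. Passphrase + YubiKey challenge-response. The challenge is stored with
    #    the vault here (how Password Safe derives its challenge is not modelled).
    slot_secret = secrets.token_bytes(20)   # the "YubiKey Secret Key"
    challenge = secrets.token_bytes(32)
    v = create_vault(passphrase, yubikey_response(slot_secret, challenge))
    out["yubikey_attacker_without_token_fails"] = not unlock(v, passphrase)
    out["yubikey_owner_opens"] = unlock(
        v, passphrase, yubikey_response(slot_secret, challenge))
    # A "backup key" is a second token programmed with the same slot secret, so
    # the slot secret behaves like a second password: whoever learns it can
    # compute the response in software without any hardware.
    out["anyone_with_slot_secret_opens"] = unlock(
        v, passphrase, hmac.new(slot_secret, challenge, hashlib.sha1).digest())
    return out
```

The second secret helps only while it stays off the machine the keylogger runs on: a key file kept next to the database, or the slot secret written into a file on the same disk, is one more thing the same malware can copy.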

Delect • November 21, 2014 6:20 AM

@Gerard van Vooren: Your "Dear Sirs" letter to NIST is excellent. Did you ever receive a reply?

Icefyre • November 21, 2014 7:06 AM

If you use two factor authentication like the one provided by Lastpass are you still vulnerable?

Thoth • November 21, 2014 7:53 AM

Any factor auth is a gone case if our predictions that all secure devices are also backdoored... Lastpass, Yubikeys or whatever.

Gerard van Vooren • November 21, 2014 8:39 AM

@ Delect. The letter to NIST was written by Daniel Bernstein (DJB). I am nowhere near involved.

SoWhatDidYouExpect • November 21, 2014 8:57 AM

This entire discussion reminds me of another scenario worthy of discussion (or massive critique).

That would be the field of "identity theft monitor organizations" (do a Google search of that phrase, without quotes, to see a general list of suitable candidates).

Now, there is an attack point worthy of pursuit. Break into them and you have the goose and all the golden eggs. Who needs keystroke monitors and/or millions of password safe targets to chase? Then again, maybe that conquest is already complete and the keystroke logger/password safe venue is just a red herring (lots of those types of distractions going on out there).

ShiverMeTimbers • November 21, 2014 9:17 AM

By the way, who trusts “IBM Trusteer”? Are they just another wannabe just like the “out of the blue” guy who “discovered” that a group in a foreign country had amassed 1.5 billion passwords or other such “lone wolf” items/events? Is this another serving of FUD?

Nick P • November 21, 2014 12:24 PM

"They can't hack into a typewriter. That's all I have to say." Ron Swanson

The Soviets would've applauded him. Albeit for a different reason than he might have thought. Irony is that Russia, who invented attacks on typewriters, is going back to typewriters to stop an opponent with many more potential attacks on them. Lulz.

Wael • November 21, 2014 1:40 PM

@Nick P,

"Albeit for a different reason than he might have thought..."
I would claim that different key strokes produce different sound wave signatures, different enough to detect the text typed from afar using a sensitive Mic and some DSP massaging... Too bad they didn't know about "Air-gapped" typewriters then.


"Irony is that Russia, who invented attacks on typewriters, is going back to typewriters to stop an opponent with many more potential attacks on them."
Now that they know about acoustic based attacks, they'll place the typewriter in a vacuum chamber, and the person using it will wear a scuba-diving tank while typing :)

Security_Experts_Who_Cant_Code_Or_RCE_Hard_At_Work_Again • November 21, 2014 6:08 PM

Put everything in a VM snapshot that you use each session and you only eliminate persistence. Still vulnerable to citadel via dropper and the snapshot becomes compromised..

I like the idea of a simple OLED&PIC hardware password manager with full NAND encryption with no NIC and hash-diff all startup processes and drivers with an "offline" differ or do audited snapshots of partitions on host systems.. Kind of kills most attacks in one basic procedure..

Zaphod • November 21, 2014 6:20 PM

Clive has spoken - thank you for your free advice.

All; does my strategy of using password safe to record passwords all of which require my personal, memorised 'adjunct' password, to be prepended mitigate this particular attack?

I hope it also solves the 'I don't trust the application not to phone home with all my passwords' problem.

Z

JimBo • November 21, 2014 7:02 PM

If its only a key logger, you can easily defeat it with no additional product.

1) open a text editor and your key manager
2) type parts of the user and password in the password box, alternating with random text in the text editor.

Alternatively, copy and paste the password from some other source such as a thumb drive. Then there aren't any keystrokes to log.

Of course, a more sophisticated attack (root kit?) would not be defeated with these methods.

Nino Ping • November 21, 2014 7:49 PM

That Italian spyware drills straight through your AV, silently collects or drops evidence, then silently and cleanly removes itself after logging all your key strokes. YAY! The US employs it along with a bunch of despot tin hat generals and other cretins, like my own government. Fin Fisher was crap, kept getting detected by AV.

anon • November 22, 2014 7:50 AM

I choose high entropy passwords by selecting strings from my own dictionary, using successive rolls of casino dice.

I then lightly encrypt these passwords with a pen and paper cipher and a memorable key. I type the resulting ciphertext on to blank business cards which I store in my wallet.

Just in case I lose my wallet ... I also store the passwords in a truecrypt volume on a usb stick which is stored in a safe, in my home. I store the key to that volume on another usb stick in another location.

Obviously my wallet isn't Fort Knox and my pen and paper cipher is necessarily weak so I can quickly decrypt my passwords when I need to ... but unless I run into a pick pocketing code breaker - I think I'm good.

Icefyre • November 22, 2014 7:51 AM

JimBo that's an ineffective control. Typing in a different application s&p won't defeat a keylogger it will still log all your keystrokes and even in the same order. Copy pasting from a USB drive won't work either necessarily as many keyloggers are part of advanced Trojans which give you access to the target filesystem. You could easily steal the file from the USB drive. Not sure if carrying a USB drive with plaintext passwords is a great idea, not sure about you but I've lost enough USB drives to fill a small truck...

anon • November 22, 2014 8:40 AM

Of course, I also use 2 factor authentication, whenever available ... when multiple options are available - I prefer to receive a challenge question encrypted with my public key or a text file I can print off with a list of one time PINs or an option that uses the time based system of the authentication app on my smart phone.

Security_Experts_Who_Cant_Code_Or_RCE_Hard_At_Work_Again • November 22, 2014 9:47 AM

@Nino: That's because all AVs are weak signature engines with HIPS engines that only hook NDIS, ATAPI, and PE load routines. You use a FUD solution, which is going for about $800.00 these days, or you can just do an inline packer using xor, and it gets you past the signature engines and then you basically inject into a native wininet or tcp/ip importing process and call home if even that..

Out of all the advanced malwares like APT kits, TDL, and Rustock, none actually use AV killing solutions. Rustock IMO was the most advanced because of its ring0 VM; the government APTs actually ripped off methods from TDL and implemented industrial routines and logistics for propagation.

At the time of this writing malware authors don't even have to try to bypass AVs, they just have to avoid signatures. Citadel for example doesn't do anything regarding AVs except block domains of signature updates for just a few vendors..

A lot of these big botnet owners actually have the capital to contract out the work needed to make stable BIOS and ROM solutions right now. I'm assuming they will only do so when their revenue streams take dives from sink-holes and AVs that are designed to actually work..

Alex • November 26, 2014 1:54 AM

"Nobody can remotely hack a box of filecards that you keep next to your computer"

Your smartphone usually provides this information.

George B • December 15, 2014 8:49 PM

Everyone laughs at my use of STRIP on a Handspring. Then I ask how do you break into a box with air-gap isolation, and occasionally Hot-Sync'ed over RS-232?

It's the replies to that question that are interesting/amusing....

Nick P • December 15, 2014 9:16 PM

@ George B

The old Palm password manager thing? I've occasionally thought of doing something similar for reasons you stated. Got my own thing but that's a good one haha.

Figureitout • December 16, 2014 1:54 AM

George B
--Probably same as always, breaking in your home when you sleep or at work...Question is do you have an EM shield on it too? Foamed and fans blowing for vibrations and airflow? Also, that's the annoying problem w/ simple protocols, simple eavesdropping...I've got an old Cassiopeia PDA which I decided I'm not going to invest in a new Li-ion battery for, but can work just by powering w/ 3.7V DC. Any files I save get wiped on power down as the ROM and some RAM is the main thing, too old for bluetooth and I believe no wifi inside chips...wish I could get external programs on it via a CF card to do more than play solitaire and finger-tap a MS Word doc, we'll see...Just a knick-knack until it dies then the "organs" get harvested...

Jose Simoes • December 16, 2014 5:25 AM

This has been said before, but I challenge an analysis.

I have a string of 32 near-to-random characters on a post-it glued to my table lamp. I have copies in several places, including emails I send to myself, my parents' house, my wallet, all around the house; I try hard not to lose it, not to keep it really secret (I call it pepper; that's a joke with paper and salt).

Pepper does not use 1, I, 0, O, etc. to avoid confusion. Also things like }{ that can be confused with an X are avoided. I started with a larger random string and edited it to avoid any potential misinterpretation. I edited it also to include at least 4 digits, 4 upper and 4 lower case letters.

Each time I need to use a password I paste it from my password manager and I type the first 4 eligible characters from the pepper (not all kinds of chars are accepted in all circumstances).

Jose Simoes • December 16, 2014 5:55 AM

This has been said before, but I challenge an analysis (part 2)

For example google mail.

It would be nice if they accept a 10x10 matrix of characters you give them (as an option!).

After that they would ask you the characters in 2 or 3 random positions, each time you log in.
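
Both of the preceding comments (the typed pepper suffix and the proposed matrix challenge) as one added example. This is not code from the page or from any site that implements partial-secret logins; the function and class names, the 10x10 alphanumeric matrix, three cells per login and the observer model are assumptions of the example.

```python
import hmac
import secrets
import string
from typing import Dict, List, Sequence, Tuple


def pepper_suffix(pepper: str, allowed: str, count: int = 4) -> str:
    """First `count` characters of the pepper that this site accepts."""
    eligible = [c for c in pepper if c in allowed]
    if len(eligible) < count:
        raise ValueError("pepper has too few characters this site accepts")
    return "".join(eligible[:count])


def site_password(stored_part: str, pepper: str, allowed: str) -> str:
    """What is sent: the pasted manager entry plus the typed pepper suffix."""
    return stored_part + pepper_suffix(pepper, allowed)


class PartialSecretVerifier:
    """Server side of the matrix idea (partial-secret authentication). Only a
    few cells are checked per login, so the matrix has to be kept in a
    recoverable form (ideally in an HSM), not as a one-way hash."""

    def __init__(self, matrix: Sequence[str], cells_per_login: int = 3) -> None:
        self.rows, self.cols = len(matrix), len(matrix[0])
        if any(len(r) != self.cols for r in matrix):
            raise ValueError("matrix rows must have equal length")
        self._matrix = [list(r) for r in matrix]
        self.k = cells_per_login

    def challenge(self) -> List[Tuple[int, int]]:
        """k distinct cell positions, freshly chosen for every login."""
        cells = [(r, c) for r in range(self.rows) for c in range(self.cols)]
        return [cells.pop(secrets.randbelow(len(cells))) for _ in range(self.k)]

    def verify(self, positions: Sequence[Tuple[int, int]], answer: str) -> bool:
        expected = "".join(self._matrix[r][c] for r, c in positions)
        return hmac.compare_digest(expected.encode(), answer.encode())


def random_matrix(rows: int = 10, cols: int = 10) -> List[str]:
    """A fresh 10x10 matrix over letters and digits (sample data, constructed)."""
    alphabet = string.ascii_letters + string.digits
    return ["".join(secrets.choice(alphabet) for _ in range(cols))
            for _ in range(rows)]


def keylogger_coverage(matrix: Sequence[str], verifier: PartialSecretVerifier,
                       logins: int) -> float:
    """Fraction of the matrix an observer knows after watching `logins`
    successful logins: it reads the challenge positions off the screen and the
    typed answer off the keyboard, exactly the position Citadel is in."""
    seen: Dict[Tuple[int, int], str] = {}
    for _ in range(logins):
        positions = verifier.challenge()
        answer = "".join(matrix[r][c] for r, c in positions)   # the real user
        assert verifier.verify(positions, answer)
        seen.update(zip(positions, answer))
    return len(seen) / (verifier.rows * verifier.cols)
```

keylogger_coverage is the check a practitioner would want before adopting the scheme: each observed login leaks k cells, so the matrix is learned gradually rather than never, and the server must hold the whole secret recoverably, which moves risk from the user's machine to the site's database.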

Bob • July 25, 2015 8:24 AM

Why was this not in the media more or well publicized? You've got yourself another long term reader here.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.