Malware’s new target: your password manager’s password


20 replies to this topic

#1 NickAu


Posted 21 November 2014 - 07:56 PM

 

Cyber criminals have started targeting the password managers that protect an individual's most sensitive credentials by using a keylogger to steal the master password in certain cases, according to research from data-protection company IBM Trusteer.

The research found that a configuration file, which attackers use to tailor the Citadel trojan for specific campaigns, had been modified to start up a keylogger when the user opened either Password Safe or KeePass, two open-source password managers. While malware has previously targeted the credentials stored in the password managers included in popular Web browsers, third-party password managers have typically not been targeted.

While the current impact of the attack is low, the implication of the attacker’s focus is that password managers will soon come under more widespread assault, Dana Tamir, director of enterprise security for IBM Trusteer, told Ars Technica.

“Once the malware captures this master key, then they can use that master key to exercise complete control over the machine and any of the user’s online accounts,” she said.

Malware’s new target: your password manager’s password

 


#2 Ezzah


Posted 21 November 2014 - 08:27 PM

This can be avoided by creating an on-screen clicking keyboard. I am currently in the development of one such password manager.




#3 quietman7


Posted 21 November 2014 - 09:05 PM

You can always save PWs to an encrypted spreadsheet with an obscure name and hide it in an obscure area.

#4 j4m3s


Posted 21 November 2014 - 10:23 PM

Also, anyone using a password manager should be using two-factor authentication. That was already true, but now it is necessary.



#5 quietman7


Posted 22 November 2014 - 07:25 AM

Cyber criminals don't have to work hard.

2013 was a wildly visible year for cyber security and online privacy...And yet for all the visibility, punditry, and drama, new data suggests that internet users are still terrible at choosing a good password...

It’s 2014 And Our Passwords Aren’t Getting Better

#6 rp88


Posted 22 November 2014 - 11:31 AM

Not so bad for those of us whose password manager is a metal safe with scraps of paper buried inside. 2-step verification on important accounts will also be worth having now that more viruses are trying to read passwords for online accounts.

#7 Animal


Posted 23 November 2014 - 10:15 PM

The addition of an external key file to access your password manager database will defeat the malware. Having the password alone is insufficient.

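The key-file idea from the post above, as an added example that is not part of the thread or of any password manager's own code: a simplified password-plus-key-file derivation showing that a master password captured by a keylogger does not reproduce the vault key on its own. The function names, the `demo-vault-v1` header and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

HEADER = b"demo-vault-v1"  # constructed label, not a real file format


def composite_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Derive the vault key from the typed password plus an optional key file."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        # The key file is never typed, so a keystroke logger does not see it.
        material += hashlib.sha256(key_file).digest()
    pre_key = hashlib.sha256(material).digest()
    # Stretch the result so guessing the password stays expensive.
    return hashlib.pbkdf2_hmac("sha256", pre_key, salt, 100_000)


def create_vault(password: str, key_file: Optional[bytes]) -> dict:
    """Return a stand-in vault header: a salt and a verifier bound to the key."""
    salt = os.urandom(16)
    key = composite_key(password, key_file, salt)
    return {"salt": salt, "verifier": hmac.new(key, HEADER, hashlib.sha256).digest()}


def try_unlock(vault: dict, password: str, key_file: Optional[bytes]) -> bool:
    """True only if the supplied factors reproduce the key the vault was made with."""
    key = composite_key(password, key_file, vault["salt"])
    candidate = hmac.new(key, HEADER, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, vault["verifier"])


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    key_file = os.urandom(64)                  # constructed key file contents
    vault = create_vault(password, key_file)
    return {
        "owner": try_unlock(vault, password, key_file),
        "logged_password_only": try_unlock(vault, password, None),
        "password_plus_wrong_file": try_unlock(vault, password, os.urandom(64)),
    }


if __name__ == "__main__":
    print(demo())
```

The result depends on the key file staying out of reach of the compromised machine; a key file stored beside the database on the same disk is exposed to the same malware.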

#8 wizardfromoz


Posted 29 November 2014 - 02:12 AM

I like Quiet Man's and rp88's approaches. Keep 'em in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'. In a cellar, with no stairs.

 

Seriously, though - I don't share a lot of these problems, being in a Linux environment. But I also have access to an old external drive that has a USB connector, and uses microdisks (wrongly known as floppies) where you can flick a switch and lock them. Between this and Ezzah's suggestion, wouldn't you be bulletproof?

 

My Acer Aspire AIO running Windows 7 (now nuked and running 3 Linux Distros) shipped with a touchscreen and a virtual keyboard.

 

Or you could use passwords that were specific to the purpose but unlikely to be cracked, e.g. with my bank balance of $2.01, I could use F0rTKn0x201 (damn, now they know my pwd)

 

We'll Beat the Blackhats somehow. Keep the faith

 

Wizard

 

BTW - Ezzah, Aussie Aussie Aussie Oi OI Oi



#9 NickAu


Posted 29 November 2014 - 04:26 AM

 

wizardfromoz wrote: "I like Quiet Man's and rp88's approaches. Keep 'em in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'. In a cellar, with no stairs."

Don't laugh, watch. Use a broken keyboard for this, like I did.

Video not my work.

http://youtu.be/mZIlBQI53E0

Finished watching? Still think it's funny?


Edited by NickAu1, 29 November 2014 - 04:33 AM.


#10 NullPointerException


Posted 29 November 2014 - 06:31 AM

It's not surprising. I still don't think I should keep a long, uncrackable 36-character password for LastPass. It's a simple, slightly obfuscated password. I do take precautions to not infect my system in the first place. If it's a brute-force attack over LastPass, it is their responsibility to keep my password secure.



#11 wizardfromoz


Posted 29 November 2014 - 04:29 PM

 

NickAu wrote: "Finished watching? Still think it's funny?"

 

Yep ...and Yep! But the Topic Subject Matter I take seriously, as do you, understandably, to venture outside "Linux Land", lol.

 

Cheers, and keep'em comin'.

 

Wizard



#12 Ezzah


Posted 05 December 2014 - 06:01 AM

@wizardfromoz, Oz Oi Oz Oi, Oz Oz Oz, Oi Oi Oi!

 

Back onto subject, an onboard keyboard easily bypasses keyboard hookers (key-loggers and the like). Taken from my software in development.

 

[image: tO7Vf7m.png]


Edited by Ezzah, 05 December 2014 - 06:02 AM.



#13 rp88


Posted 05 December 2014 - 10:18 AM

 

Ezzah wrote: "@wizardfromoz, Oz Oi Oz Oi, Oz Oz Oz, Oi Oi Oi!

Back onto subject, an onboard keyboard easily bypasses keyboard hookers (key-loggers and the like). Taken from my software in development.

[image: tO7Vf7m.png]"

 
It can beat hardware keylogging devices, but not software ones. Some RATs can take screenshots to spy on this kind of keyboard.

#14 Ezzah


Posted 06 December 2014 - 12:29 AM

It would be a good defense against most simple keyloggers, as it bypasses the actual software keyboard driver (which most keyloggers tend to hook), and inserts characters into the text field in an unconventional manner. Either way, it is still much better than typing directly from your keyboard. The program is also protected with a SecureString function to prevent other programs from sniffing the program while it's in memory and stealing stuff that passes in between, or what they would get back is just unreadable gibberish.

 

Taking screenshots would be redundant, unless you recorded the screen, which in the grand scheme of things is way too difficult for a hacker to do. RATs are designed for small-number use, in specified attacks on people they most likely know. Larger schemes like botnets will not even have functionalities such as keylogging; they're majorly just botherders and used for sending mass DDoS attacks.

 

There is no safe solution of anything. Copy/pasting can easily be event-logged by a malicious program. A program like KeyScrambler can still be unhooked by rootkits and whatnot, or keystrokes can simply be captured at an even lower level. Frankly, malware wins in this case; the best way is to ensure one never gets onto your computer in the first place.

 

Now that aside, the actual storage of the information is quite secure; even if it was stolen, it is obviously encrypted, and the hacker is still unaware of the encryption process used, nor the password (and even if they knew the password, they wouldn't necessarily be able to decode the information immediately). This is where the program would be disassembled to the Assembly level and re-built, where there are no .NET dependencies, and then obfuscated for further hard disassembly or deobfuscation.




#15 Ezzah


Posted 06 December 2014 - 01:10 AM

I am debating whether or not I should include a better on-screen keyboard, as well as anti-screen-capturing technology with CP protection. Pretty much, when the application is open, CP will only be allowed through the application. All other processes are oblivious to any changes made to the clipboard; this would obviously involve hooking (more complicated).

 

Or it could just be made compatible with something like Oxynger Keyshield (http://www.oxynger.com/compatible-applications.html), which already covers all three bases of protection (API-based, kernel, and hook-based). Anyway, it seems my keyboard already bypasses API-based and hook-based; I haven't got a kernel keylogger to test though :/


Edited by Ezzah, 06 December 2014 - 01:41 AM.
