New malware attack method directed at password managers

Is 1Password vulnerable to the compromise described in this link vvv ?

http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/

Any recommendations or guidance in order to avoid such things?

Comments

  • Yes, key loggers are a threat to any password based systems, including 1Password. You can mitigate the danger on the Windows version by using the unlock on secure desktop option. I don't known if 1Password has similar options on other platforms.

    In general, the risk of having a keylogger installed on your system depends on how cautious you are with executing unknown software. Windows is the usual, and obvious, target due to it popularity and hence high density of inexperienced users. I'm not sure of the risk level for keylogger installation on OSX, iOS or Android.

  • edited November 2014

    Hi @Superfandominatrix‌

    I've spoken with our security guru about this, and the short answer is that the threat of keyloggers is not new.

    Your best defense is to not get tricked into install them. But 1Password takes steps to help out, too: Watch what you type: 1Password's defenses against keystroke loggers

    Jeff is out of town this week, but he'll likely take a closer look at the research involved in this article soon. :)

  • I was just seconds away from posting this very same article asking for 1Password to comment when I saw this post. I'd love to see a longer discussion about this (even if there is nothing to be done in the immediate future).

  • I'd love to see a longer discussion about this (even if there is nothing to be done in the immediate future).

    What do you think needs discussion?

  • It would a perfect subject for the blog! A description of the vulnerability, what Agile knows about this latest effort described by IBM Trusteer, what can and cannot be done about it from Agile's side, and what can and cannot be done about it from the user's side depending on the platform the user is on. I understand that Agile's initial reaction may be NOT to discuss it because it's a vulnerability that it likely can't address, but users will have questions...as is evidenced by the fact that this post exists.

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    This would be a great subject for a blog post, @DATElliott‌, but I don't think I will get a chance to write one today. But here are a couple of points that I might want to highlight in a blog post if it does get written.

    The danger today is no different than the danger the day before yesterday

    The actual "news" is really not much new. There is Windows malware out there does keystroke logging. Citadel is one such thing and it has been around for a while. Because of the amount of data involved, they don't log every key stroke. They just switch on logging when some programs are active. The "news" is that a couple of password managers have been added to the list of programs that Citadel turns on logging for.

    What is genuinely news to me is that they haven't been doing this for a long time. We have always assumed that keystroke loggers would attempt to get the master passwords for password managers. Indeed, it would be foolish of us to not make such an assumption.

    When you design defensively, you don't need to panic on "news"

    We always assume that we are under attack. And we build systems with that assumption in mind. With respect to keystroke loggers, you can get some insight into how these work and what we do in this earlier blog post. Watch what you type: 1Password's defenses against keyloggers

    Quite simply, Citadel doesn't change a thing for us and for our customers.

    Malware

    As I've said in a number of times, once a computer is compromised it is in principle impossible for us (or anyone) to keep you safe. Let me quote from the keystroke logging blog post:

    I have said it before, and I’ll say it again: 1Password and Knox cannot provide complete protection against a compromised operating system. There is a saying (for which I cannot find a source), “Once an attacker has broken into your computer [and obtained root privileges], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

    Citadel is quite old and is well known. It almost certainly is spotted easily by Microsoft Security Essentials (Windows 7) or Windows Defender (Windows 8). Windows Defender is automatically set up and running on Windows 8 systems. Microsoft Security Essentials (MSE) does require that you initially install it. Go and do that now if you are using Windows 7 and haven't already set it up.

    So really our advice doesn't hasn't changed.

    If you are using Windows

    1. Keep your system up to date (Windows Update)
    2. Be selective of what software you install and from where
    3. Run MSE or Windows Defender.
    4. Use Unlock in Secure Desktop on in 1Password for Windows

    On the Mac

    1. Keep your system up to date (App Store software update)
    2. Be selective what what software you install. (System Preference > Security > General "Allow apps downloaded from")

    Reading with a grain of salt

    As I've suggested, there really is no news here. Keep in mind that given the nature news on the web, there is some incentive for people to sensationalize their findings.

    The posting from Security Intelligence refers to Citadel as an "Advanced Persistent Threat" (APT. Yet, the malware analyses that I have looked at don't appear to agree with that assessment. (Yes, it is always possible to quibble about definitions.)

    I haven't been able to find the original report by TRUSTeer's (the makers of TRUSTeer Rapport). So perhaps they do have analysis to support what appear to me as somewhat hyperbolic statements. (This is one of the reasons why I've delayed writing about this. My initial impressions may need to be corrected through further research.)

    Citadel and other Zeus variants are popular toolkits for the attackers. And so these are relatively common in the wild. And as tool kits, they can be configured to do many things. And so I don't want to dismiss the over all impact of these.

    Speculation

    I would very much like to know what versions of Windows the actual Citadel victims of this are running. (If you are using Windows XP, please stop reading this now, and just unplug your computer from the network and don't reattach it until you are running a modern operating system.)

    Indeed – and this is pure speculation – it has crossed my mind that 1Password was not listed among the targets because 1Password 4 does not run on Windows XP.

  • Jeffrey, prefect response. Thanks and I appreciate the time you took to write it. -- Darren (MacBook Pro Retina, Yosemite)

  • I just read this article as well. Very interesting. Your password is only as safe as long as you protect it.

  • This would be a great subject for a blog post, @DATElliott‌, but I don't think I will get a chance to write one today.

    Did you mean to say that you didn't have time to write a blog post or that you didn't have time to write an essay? Your above post would be perfectly adequate for a blog. :)

  • DBrownDBrown 1Password Alumni

    @jpgoldberg‌ wrote:

    it has crossed my mind that 1Password was not listed among the targets because 1Password 4 does not run on Windows XP.

    To be clear, 1Password 4 will run on Windows XP. We don't support the use of 1Password 4 on XP; in fact, we don't recommend the use of Windows XP, at all, for the reasons @jpgoldberg‌ mentioned.

  • I currently use AVG anti virus on my Windows PC. I know running two security applications can cause conflicts. Is having AVG equally as good as having Microsoft Security Essentials as mentioned in the post above?

  • BenBen AWS Team

    Team Member

    Is having AVG equally as good as having Microsoft Security Essentials as mentioned in the post above?

    It isn't really our place to comment on how "good" one 3rd party's application is compared to another, unless directly related to the functioning of 1Password. Sorry we can't be of more assistance on that point, but I'm sure if you do some searching on your favorite search engine with terms like "AVG vs Microsoft Security Essentials" you'll find folks who are happy to share their opinion.

  • Ok thank you for the information.

  • Hi @ScarySulley‌

    I'm glad that Ben's answer helped you out! We're here if you have any further questions or concerns. :)

  • Very much late to thanking you for such a detailed response. Much appreciated!

  • Drew_AGDrew_AG 1Password Alumni

    Glad to hear that was helpful for you! If you need anything else, we're always happy to help. :)

This discussion has been closed.