Password Managers Now Hackable: Is Anything Sacred?

Passwords- what a hassle.

All the things that make a great password also make them a chore to type in lots of characters, a mix of upper and lower cases, strange symbols, and barely legible codes that are impossible to remember- plus I’m not supposed to use the same password across multiple sites? What?

Of course, just like how cup holders in cars were invented to meet a very real first-world problem of drivers having nowhere to place their coffee or sodas while driving, password managers were created to take all of the fuss out of entering your password. But do they take all the safety out of it, too?

According to IBM Trusteer Researchers, a new configuration of the classic Citadel malware allows hackers to bypass your password manager’s defenses using a targeted approach.

When the malware detects the system is running password manager programs, it immediately begins keylogging. It does this in order to acquire master passwords which are required to view all the passwords stored in the programs. And the rest- including you- are history.

As we like to say, safety and convenience are on entirely different poles. Easy (yet the most commonly used) passwords like abc123 are the least safe, and storing important files on the cloud is convenient but risky. Similarly, there’s no way that hackers wouldn’t notice that users are putting all their passwords in a single location, ripe for the picking.

This poses a huge security risk for organizations. Hackers could potentially send phishing emails to company employees, and by infecting their systems with the malware, acquire passwords used to access all kinds of databases, including the cloud, where companies are storing 33% of their data.

This really highlights the potent threat spear phishing continues to pose to organizations around the world. It doesn’t matter how many millions of dollars you spend on building a strong defense- spear-phishing slips hackers right past those defenses. And it’s not even difficult to do so- on average, only 20-30 malware-infected emails have to be sent to achieve a successful phish.

It’s easy to get caught up in trying to stay breach-free, what with the constant flow of news about the latest data security threats, and the frequent reminder that suffering a data breach is inevitable. However, it’s important to remember that you have other business priorities and that there is a very basic step that you can take to defend against these threats: understanding your risk.

It’s about knowing what you have that hackers want, where it is, and who wants it. It sounds simple enough, but it really isn’t- shadow IT is becoming a large problem in many organizations, where employees are handling data in the most unsafe of ways.

The staff of a modern office in 2014 requires data security awareness, and we’re not just talking about ground-level staff, either- board members should be part of this too. 75% of companies surveyed had not trained their board members, which is a big problem. Now more than ever, board members must have a strong understanding of the importance of data security in order to be capable of asking the tough questions to C-level executives about their corporate security initiatives.

Another effective measure recommended in the Verizon Data Breach Report 2014 is the implementation of two-factor authentication. 2FA stops this type of attack dead in its tracks because a password without an accompanying OTP isn’t much good. A password attached to an account with 2FA is also worth noting on the black market.

As for knowing what you have that hackers want and where to find it, that’s where Ground Labs fits into the picture. Our data discovery tools are designed to find the same things hackers want, with a slice of the effort required.

Data Recon can find over 95 types of sensitive data, including credit card numbers, health care records, and personal information. It searches for all of that in a wide range of storage spaces, so you can efficiently cover all bases and know exactly what you have that hackers want, and where it all is.

Don’t just take our word for it: use Enterprise Recon and start understanding your risk.