What would be a good way to run a hardened sandbox for accessing management portals

In light of the recent wave of session hijacking and cookie stealing malware it is beginning to be a scary time.

I work at a company where accessing different management portals is a daily thing and there are way too many portals that need finessing.

How do you handle this and do you have any good ideas or suggestions? I have been looking at different remote desktop solutions and I’m planning on setting up a virtual machine used only for accessing different management consoles. Working with multiple monitors this does not feel like the best solution.

Ideas are appreciated.

What kind of “management portals” are we talking about here? Just some websites, or installable software? I’m assuming Windows clients and servers?
If it’s just a website, I’d suggest just using a normal browser and setting it up to clear all cookies etc. on close (Firefox/Chrome both have an option for this; maybe you can even create a special profile for this and launch a browser window with this profile for a specific website from a desktop icon).
If you have an option to limit the session alive time for your management portals, make sure they’re short (maybe half a day).

Session hijacking/cookie stealing requires that an endpoint of a user is compromised. You should put your effort into preventing that, since nothing will prevent malware from stealing your data once it’s running. You can limit the interesting data on the machine before the infection (clear cookies regularly), but after a machine is infected all the data the machine provides is potentially malicious, every credential entered on that machine potentially leaked, and any management portal accessed from that machine compromised as well.
You might not immediately detect an infection, so it’s useful to do basic privilege separation to limit the impact of a compromise.

The best thing you can do is limit the ability of your non-tech-savvy users to do accidental harm: Make sure that the user can’t UNDER ANY CIRCUMSTANCES download and run ANY untrusted application (not via download, not via attachment, not via USB stick, etc). This means you need to manage the devices, no BYOD.
You can do so via group policies under Windows. Make sure all devices get updates regularly.

If the management portal is some installable Windows software, you can use something like Windows Sandbox or Sandboxie, or a VM. If you go with a VM, there are multiple options for running a remote desktop. You can go with Spice or VNC from the hypervisor or RDP from the guest.
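The "special profile launched from a desktop icon" idea above, as an added PowerShell example that is not from this thread or from any poster: it creates a separate Firefox profile used only for one portal, drops a user.js that wipes cookies, session data and cache on every shutdown (the classic sanitize-on-shutdown prefs), and writes a desktop shortcut that starts Firefox in that profile with a single URL. The Firefox install path, the profile directory under %LOCALAPPDATA% and the portal URL are assumptions to replace with your own.

```powershell
# Added example (not from the thread). Dedicated, self-cleaning Firefox profile
# for one management portal.
# Assumptions: Firefox is at the default install path, and $PortalUrl is a
# placeholder you replace with the real portal address.
$Firefox     = "C:\Program Files\Mozilla Firefox\firefox.exe"   # assumption
$ProfileName = "mgmt-portal"
$ProfileDir  = Join-Path $env:LOCALAPPDATA "MgmtPortalProfiles\$ProfileName"
$PortalUrl   = "https://portal.example.invalid/"                 # placeholder

if (-not (Test-Path $Firefox)) { throw "Firefox not found at $Firefox" }
New-Item -ItemType Directory -Force -Path $ProfileDir | Out-Null

# Register the profile with Firefox (syntax: -CreateProfile "name directory").
& $Firefox -CreateProfile "$ProfileName $ProfileDir" | Out-Null

# user.js is re-applied on every start and overrides prefs.js. These prefs make
# Firefox wipe cookies, session store and cache when the last window closes, so
# a copied profile directory holds no live session tokens. Saved logins are off
# so there is nothing for an infostealer to read from logins.json either.
$UserJs = @'
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.sessions", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("browser.sessionstore.resume_from_crash", false);
user_pref("signon.rememberSignons", false);
'@
Set-Content -Path (Join-Path $ProfileDir "user.js") -Value $UserJs -Encoding ASCII

# Desktop shortcut: own profile, own process (-no-remote), exactly one URL.
$Desktop = [Environment]::GetFolderPath("Desktop")
$Shell   = New-Object -ComObject WScript.Shell
$Lnk     = $Shell.CreateShortcut((Join-Path $Desktop "Management Portal.lnk"))
$Lnk.TargetPath = $Firefox
$Lnk.Arguments  = "-no-remote -P `"$ProfileName`" `"$PortalUrl`""
$Lnk.Save()

# Check: the profile directory exists and carries the user.js just written.
Get-ChildItem $ProfileDir | Select-Object Name, Length
```

The -no-remote switch matters: without it, clicking the shortcut while the user's everyday Firefox is open would just hand the URL to that existing browser and its cookie jar. Pair this with the short server-side session lifetime the post recommends; clearing on close does nothing for a session that is still valid on the server after the token has been copied.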

Virtual machines are ok if the host has the resources for them… the problem is always human. Convince and train people that VM01 is for the bank and VM12 is for the email. I was and I did, I don’t plan to tear my nerves more times. :wink:

If you’re sure people will use it the way you plan… that’s ok.

But if you want each URL/account to be a separate VM, then with a large number it can start to be extremely tedious; juggling, for example, 20 VMs for employees will quickly become a problem… Another issue is whether there is a need to transfer data, even from one VM to another.

Virtualization is cool, but first you have to think about whether you are killing the effect by forcing people into a very inconvenient way of working for them. If a solution is too burdensome, people tend to look for simplifications and the whole elaborate plan collapses.

If you’re using Windows and you’re moving away from VMs… it’s sandbox + HIPS + firewall, and my recommendation, as always, is Comodo Firewall.

This doesn’t completely solve the problem, but with the right strategy and setup, you can seal quite a bit.

A lot also depends on what attack vector we take as the target, if we are talking about the LMG discussion.

In the case of LMG, we are talking about opening a .scr file that pretended to be a PDF.

First of all, every Win should always have file extensions set to visible!
Secondly, you should not use a browser to open files, including PDFs.
Thirdly, programs like the web browser and PDF reader should always be run in a sandbox.
Fourthly, programs in the sandbox should not have access to the disk resources belonging to the web browser so that the cookie cannot be touched.
Fifthly, the browser should have an add-on that clears cookies immediately after leaving the URL/closing the tab or restarting.
Sixth, you should always use the logout option! Many sites do not terminate active sessions or have very long timeouts.
Seventhly, neither a strong password nor 2FA will help here; there is also no point in counting on session-per-IP on the server side.

I am not afraid of hostile contraband code as some file that an employee will open, I immediately assume that the employee is an enemy. This is how zero trust strategies should be built!
Block and restrict everything. Pack as much as you can in the sandbox and slap on HIPS rules. Either the hostile code will execute in isolation or it won’t execute at all.

You also need to control network traffic per machine. Each process must have a rule without exception: the PDF reader should not have access to the internet, and the browser should only have TCP 443, with other ports as needed but not open like a gate.
Of course, in 2023 it’s hard to limit traffic per IP/domain in the era of clouds/CDNs, but if we have relatively constant addresses to which employees connect, then even per domain, which Comodo Firewall, for example, allows. In this way, we limit the range of motion even more. The enemy not only needs to get to us, but needs a way back to send data… let’s limit this as much as possible.

A much bigger problem than touching cookies on the disk, I consider, is getting them out of the active browser process. We cannot protect ourselves from 0-day holes, and there is a risk that some browser add-on may one day become an enemy and steal cookies/passwords. There have been situations like this.
In addition, if the enemy sends compromised data using an infected browser, we have little chance of detecting this traffic in time. The limitation here is if our firewall has rules for the browser not only for the protocol and port but also the IP range or the name of the portal to which the employee can connect. The problem with IPs is obvious; with domains the problem is subdomains, which we also need to add.
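Three of the points in the post above, written out as an added PowerShell example that is not from this thread or from any poster: making Explorer show file extensions (point one), an audit of a folder for executables that carry a document extension in front of the real one, the LMG-style "invoice.pdf.scr", and per-program outbound rules in the built-in Windows Firewall (PDF reader gets nothing, browser gets TCP 443 only, everything without a rule is denied). The browser and PDF reader paths are assumptions; the firewall part needs an elevated shell.

```powershell
# Added example (not from the thread). Run the firewall function as Administrator.

function Enable-FileExtensionDisplay {
    # HideFileExt=0 makes Explorer render "invoice.pdf.scr" instead of "invoice.pdf".
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
    (Get-ItemProperty -Path $key -Name HideFileExt).HideFileExt   # 0 = shown
}

function Find-MasqueradingExecutable {
    # Lists files whose final extension Windows will execute on double-click
    # but whose name carries a document/image extension just before it.
    param([string]$Path = (Join-Path $env:USERPROFILE "Downloads"))
    $exec = @(".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
              ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi")
    $docs = @(".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $exec -contains $_.Extension.ToLower() -and
            # BaseName of "invoice.pdf.scr" is "invoice.pdf"; its extension is ".pdf"
            $docs -contains ([IO.Path]::GetExtension($_.BaseName)).ToLower()
        } | Select-Object FullName, Length, LastWriteTime
}

function Set-PerProgramOutboundRules {
    param(
        [string]$Browser   = "C:\Program Files\Mozilla Firefox\firefox.exe",  # assumption
        [string]$PdfReader = "C:\Program Files\SumatraPDF\SumatraPDF.exe"     # assumption
    )
    # Default-deny outbound on every profile: a process with no allow rule gets nothing.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # PDF reader: explicitly blocked (a Block rule wins over any Allow rule).
    New-NetFirewallRule -DisplayName "Block PDF reader outbound" -Direction Outbound `
        -Program $PdfReader -Action Block -Profile Any | Out-Null

    # Browser: TCP 443 only. To pin it to the portal's addresses as the post
    # suggests, add e.g. -RemoteAddress 203.0.113.0/24 (placeholder range).
    New-NetFirewallRule -DisplayName "Browser HTTPS only" -Direction Outbound `
        -Program $Browser -Protocol TCP -RemotePort 443 -Action Allow -Profile Any | Out-Null

    # Name resolution runs in the Dnscache service, not in the browser process,
    # so it needs its own allow rule or every lookup fails under default-deny.
    New-NetFirewallRule -DisplayName "DNS client" -Direction Outbound `
        -Service Dnscache -Protocol UDP -RemotePort 53 -Action Allow -Profile Any | Out-Null

    Get-NetFirewallRule -DisplayName "Block PDF reader outbound", "Browser HTTPS only", "DNS client" |
        Select-Object DisplayName, Enabled, Direction, Action
}

Enable-FileExtensionDisplay
Find-MasqueradingExecutable
Set-PerProgramOutboundRules
```

Default-deny outbound also cuts off Windows Update, the time service and anything else without an allow rule, so on a real fleet this is rolled out as a GPO with the full allow list rather than from an interactive shell. The audit function is a cheap detection pass; it does not catch a plain .scr with an innocent-looking icon, which is why the post's second point (never open files from the browser) and third point (sandbox the reader) still apply.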


Could you please elaborate more on sandboxing?
Do you consider the Windows Sandbox to be good enough or do you recommend another solution?

Thanks for the insights @TimHolus

QubesOS is sandboxed to the extreme. If you want isolation check it out, Eric Snowden endorses and uses it

Sandboxing is, in a nutshell, isolation, pseudo containerization/virtualization of resources and processes.
It is supposed to isolate the untrusted program from those parts of the OS to which it should not have access. Is it possible to jump out of the sandbox? Yes, if there are errors in the implementation.

Speaking of Comodo and the sandbox. For example, you can set a small number of applications as trusted and others as untrusted, which will automatically always run them in the sandbox. Then, with the help of HIPS, we can define how narrowly we want to limit the scope of the program’s operation.
We can create a rule to protect, for example, specific locations on the disk, folders belonging to the web browser. In this situation, any program in the sandbox will not see the contents of these folders, as if there really is nothing there. What follows is that the hostile code is unable to copy/open any file including cookies.
There are more possibilities, it’s just a quick example in reference to LMG… :wink:


Run a VM and install Comodo Firewall and play around… https://download.comodo.com/cis/download/installs/8050/standalone/cfw_installer.exe

You mean that sandbox that @wendell once made a video about?

It’s rather ok. Only the dynamics of application differs slightly and theoretically it will not be the optimal solution in every user model.

It’s a temporary virtual desktop aka a sandbox. You can use as much as possible, only if this model will suit everyone…
Not everywhere a temporary sandbox without a stateback will suit everyone.
For example, in the Comodo sandbox, certain states are remembered, so the user can return to certain data.
A lot here depends on the model of behavior and needs.

Windows Sandbox is more of a one-time use: run it, do what you have to do, shut it down and let it burn in hell.

It’s hard to say which is better, it’s best to test it yourself. :wink:
Theoretically, Comodo also has a virtual desktop, but… force the employee to use it all… good luck! :slight_smile:

Privately, it’s a matter of your own decision, the problem is always when employees are involved. If something is to actually work, it has to be rather native and without human intervention. Any interaction to ensure security becomes a useless element by definition. The employee will make a mistake/forget and then when the threat appears. Just like in LMG.
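The "one-time use, shut it down and let it burn" model above, as an added PowerShell example that is not from this thread or from any poster: it writes a Windows Sandbox configuration file (.wsb) for opening one untrusted attachment, with networking off, no clipboard or printer bridge to the host, the hardened ProtectedClient mode, and a single read-only mapped folder so the file can be looked at but nothing inside the sandbox can write back to the host. The host folder C:\Quarantine and the .wsb location are assumptions.

```powershell
# Added example (not from the thread). Disposable Windows Sandbox session for
# inspecting an untrusted file; everything inside is discarded when it closes.
# Assumptions: C:\Quarantine is where you drop suspect attachments, and the
# Windows Sandbox optional feature is enabled (see the comment at the end).
$HostFolder = "C:\Quarantine"                                     # assumption
$WsbPath    = Join-Path $env:USERPROFILE "Desktop\open-untrusted.wsb"
New-Item -ItemType Directory -Force -Path $HostFolder | Out-Null

$Config = @"
<Configuration>
  <!-- No network: whatever runs cannot call home or fetch a second stage. -->
  <Networking>Disable</Networking>
  <!-- No GPU sharing, no clipboard/printer/audio/video bridges to the host. -->
  <VGpu>Disable</VGpu>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <!-- Runs the sandbox process with stronger isolation from the host. -->
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Quarantine</SandboxFolder>
      <!-- Read-only: the sandbox can open the file but cannot modify the host copy. -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- Opens the quarantine folder as soon as the sandbox desktop is up. -->
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\Quarantine</Command>
  </LogonCommand>
</Configuration>
"@
Set-Content -Path $WsbPath -Value $Config -Encoding UTF8

# One-time prerequisite (elevated shell, reboot afterwards):
#   Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" -All
# Launch: double-click the .wsb, or
Start-Process $WsbPath
```

Because the mapped folder is the only path in, the workflow is "save attachment to C:\Quarantine, open the .wsb, look, close": nothing the user does inside survives, and with networking disabled there is no way out either, which is what makes a throwaway sandbox a reasonable fit for the "open this file someone sent me" case even if, as the post says, it is a worse fit for stateful daily work.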


Exactly!
Thank you for the details on the Comodo solution, I will try it out in some spare time. If my youngling lets me :man_shrugging:

I was asking more in the context on how to protect older family members, but they can be treated just like non-techy and dangerous employees :smiley:

Thanks again for laying out potential solutions, you got me thinking!

The principle is the same, you have to think for them and set everything up for them. :slight_smile:
No software will solve problems alone.

If you sandbox the most-used programs for them, at least there is a chance that the OS will survive hostile code, which is just what we want to achieve… prevent OS corruption, data encryption, data theft.
There is no one-size-fits-all solution for all three.
I would definitely install an antivirus, yes I know many do not like it and believe that it is not necessary, but if you want …


I apply the general rule everywhere and for everyone… control of network traffic per OS, system and applications always up to date, if possible VM environment isolation/separation, sandboxing, containerization, disabling services that are not needed. Password manager, 2FA.

In the case of Windows, the first thing I always do after installation is show file extensions! :wink:
