January 31, 2023
Good morning, everyone!
Log On, Log Off
Question (be honest, now): When was the last time you logged off a website? I mean, really? Is that part of your regular routine? If it's not, it should be. Let's talk about session hijacking today.
What is session hijacking? Wikipedia says:
In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server.
Oooookaaaaay, what's that in plain English? Well, when you log into a website with a valid user name and password, you are authenticated, and a small data file is stored with authentication information, usually a session token, that is passed each time you make a request to that website. This file is often called a cookie. (It's like the rubber wristbands you are sometimes given at hotels or events, that allow you to go out and come back without having to show a ticket each time.) So every time you click on another page of that website, or add something to your shopping cart, the cookie is read and says basically "She's legit, it's still her."
Sometimes cookies are set to expire automatically, after a short period of time, but a lot of times they are not. If the cookie expires, you have to log in again, and some users don't like that. From the vendor's perspective, as long as you have a live cookie, they can use it to keep track of where you go and what you do on other websites, not just their own. So it's fairly common for browsers to have multiple active session cookies at any one time. Why is this a problem?
Because it opens the door to session hijacking. If you have a valid session cookie stored in your browser and you become infected with cookie-stealing malware, a copy of that cookie can be used by someone else to impersonate you on that website.
Remember that recent LastPass breach? How did it happen? Similar to a recent breach of CircleCI, a software company that makes tools for developers:
The company said in a detailed blog post on Friday that it identified the intruder’s initial point of access as an employee’s laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication.
Ah! This is one of the rare instances where 2FA cannot protect you: once you have authenticated via 2FA, the website accepts the resulting session cookie on its own, so anyone holding a copy of that cookie is accepted too.
How do you protect yourself?
It's actually quite simple: Log out of websites when you are through! Yep, that's all there is to it. When you check out, click on My Account and scroll down to the Log Out button and click it. (Sometimes you have to click on "Continue Shopping" first, before you can find that log out button.)
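To show why logging out matters, here is an added Python example (not from the newsletter) of a toy server-side session store. It walks through the cookie lookup described above, a copied token working while the session is live, and the same token failing after a logout or an idle timeout; the store, its timeout value and the user names are constructed for illustration.

```python
import secrets
import time

# Toy server-side session store: token -> {user, expires_at}.
# Constructed for illustration; a real site would use a database or cache.
SESSION_TTL_SECONDS = 15 * 60  # idle timeout; many sites set this far longer, or never

class SessionStore:
    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so the demo can advance time
        self._sessions = {}

    def login(self, user, passed_2fa):
        """Runs once at login; 2FA is checked here and never again for this token."""
        if not passed_2fa:
            raise PermissionError("2FA required")
        token = secrets.token_urlsafe(32)   # the value the cookie carries
        self._sessions[token] = {"user": user, "expires_at": self.clock() + self.ttl}
        return token

    def user_for(self, token):
        """What every later request does: look the cookie up, no password, no 2FA."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self.clock() >= s["expires_at"]:
            del self._sessions[token]       # expired: force a fresh login
            return None
        s["expires_at"] = self.clock() + self.ttl   # sliding expiry on each use
        return s["user"]

    def logout(self, token):
        """Server-side invalidation: a copied cookie stops working too."""
        self._sessions.pop(token, None)

def demo():
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    token = store.login("alice", passed_2fa=True)
    stolen = token                          # malware copies the cookie value verbatim
    live = store.user_for(stolen)           # "alice": the copy is indistinguishable
    store.logout(token)                     # alice clicks Log Out
    after_logout = store.user_for(stolen)   # None: the stolen copy is now useless
    token2 = store.login("alice", passed_2fa=True)
    now[0] += SESSION_TTL_SECONDS + 1       # alice walks away without logging out
    after_idle = store.user_for(token2)     # None: the idle timeout did the job instead
    return live, after_logout, after_idle
```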
If you want to go one step further to protect your privacy, you can clear your browser history and delete all those cookies before you visit another website. It's just a couple of clicks, takes only a couple of seconds, and once you get in the habit, you do it without thinking. I clear my browsers a dozen times a day or more, even on my mobile devices. For me, it's a habit just like turning off the light when I leave a room.
Stay safe online this (and every) week!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.
Have a great week!
Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺