Tom here from Lawrence Systems. With all the recent attacks, and specifically the Linus one, a lot of people have been asking about this: what are session tokens and how easy are they to steal? That's one of the things I want to demonstrate here. I'm going to be doing this in Xen Orchestra because it's really easy to demonstrate how the logins work, because they show the session tokens and there's only one token to manage, but this works the same with really any site that has any persistent login. Google specifically was the one used in the Linus incident, where they use the Google account that's tied to the YouTube account because it just keeps you logged in. But the login mechanism is the same across many, many different services. Think about all your major web services, social media ones, online shopping sites, et cetera. This is really just a balance of security and convenience. Logging in every single time you go to a site is inconvenient. Therefore, lots of these set these persistent tokens, but let's just show you how easy it is to copy a token and set that session on there. And then we'll talk about ways to defend against it. All right, we're going to start at the sign-in page. I have an incognito browser window. I'm using an internally hosted application I have called Xen Orchestra. What we want to do is press the magic hacker tool, F12. We want to make sure we're on Application, and we'll scroll down here to Cookies and we'll see what cookies this particular site has for us. We've got just a couple of cookies in here, but none of them say token. Token is the one we're looking for in order to be logged in. So we go over to Bitwarden. We're going to fill in my super secure password here, hit sign in. Then we're going to type in my 2FA code, and still see there's no token here. Now we have the token and now we're logged in, and that token is right here. We can just copy that.
We'll copy it to the clipboard real quick and we see it says token. And Xen Orchestra has an option here. If I go here to edit my sign-in settings, don't worry about my 2FA. All this will be reset later, because this is all just a demo, and I can see these different tokens that I have here. Matter of fact, this token right here, I know, matches this one. Matter of fact, I can even switch if I want to put this token in, but let's sign out and get rid of the token. So we click sign out here and let's log back in. But this time we're not going to use username and password. Let's pretend this is another browser. Double click here, type the word token. Make sure you spell it right. That matters. What's the value? We just paste in the value here, press enter. Now nothing appears to have happened, because what we need to do now is just go to the landing page. Right now I'm on the sign-in page. Let's just go to one of the logged-in pages, and that token works. Now what would break this token is going over to here. Matter of fact, let's swap it out and show you that if we use this token instead, so we'll copy that one. And if we refresh the page, we're still logged in. We still have these tokens here, but if we invalidate them, if we delete this token, delete this token. We're still tied in with the session, but those tokens have been invalidated. So I can still go through here and see things. But if I, let's just say, refresh the page. Well, I'm not signed in. I try to go to any page. That token has now been invalidated. So it always keeps bouncing me back to the sign-in page, even though this token exists. This is the importance of these tokens: that's all they need. Not your user, not your password. And they can't necessarily derive your username, password or anything from these tokens, but they can log in. And in some cases, maybe from that, they'll be able to do other things. So let's talk about how to protect against this.
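To make the mechanism above concrete, here is an added example (not code from the video or from Xen Orchestra) of a minimal server-side session store: a random token is issued after password and 2FA both pass, every request is authorized by the token alone, and signing out revokes it server-side so a copied cookie stops working. The class, method names and the `now` parameter are assumptions made for the demo.

```python
import secrets
import time

# Added example: minimal server-side session store (not Xen Orchestra's code).
# Tokens are random, so nothing about the username or password can be
# derived from them; but whoever holds the token is "logged in" until the
# server forgets it (sign-out, sign-out-everywhere, or expiry).
class SessionStore:
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, expiry timestamp)

    def sign_in(self, user, password_ok, totp_ok, now=None):
        """Issue a token only after both factors pass."""
        if not (password_ok and totp_ok):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = (user, now + self.ttl)
        return token

    def whoami(self, token, now=None):
        """Per-request check: only the token is consulted, never credentials."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._sessions[token]  # expired tokens are dropped lazily
            return None
        return user

    def sign_out(self, token):
        """Revoke one session; every copy of this cookie value is now dead."""
        self._sessions.pop(token, None)

    def sign_out_everywhere(self, user):
        """Revoke all of a user's sessions (the 'sign out of everything' step)."""
        stale = [t for t, (u, _) in self._sessions.items() if u == user]
        for token in stale:
            del self._sessions[token]
```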
Now, there's not one thing you can do to protect against this, but there are a few things you can do. First, keep your system and browser up to date. This helps mitigate any potential vulnerabilities in your system. Whether you're on Windows, Mac or Linux, it doesn't matter. Keep all of these up to date to help slow down or limit the amount of risk or exposure you have. Next is going to be practicing the principle of least privilege. Do this all the time. Do you need to be signed in to everything? Where's that convenience for you versus security? You have to decide for yourself, but generally, and this is even going a little further, you don't always need to be signed into admin-level accounts. Matter of fact, some systems may have an admin level versus a more basic level, especially with the security systems we deal with. I have admin things Tom does, but Tom doesn't do admin things all the time. So I don't stay logged into any type of admin account. I try to do everything at the minimum and only give myself the permissions I need to get the things I need done on a regular basis. And then I will elevate or log in to those other sites as needed and make sure I log out. Matter of fact, I frequently pop open incognito windows just to do those logins. And yeah, that's one of my favorite uses for incognito windows: log into something as privileged to get something minor done and then just close it. And I know those session tokens are destroyed. Be very wary of browser plugins. This is an attack surface that not everyone's always thinking about, but definitely could be bigger in the future. I know they're doing better jobs managing these in the Chrome and Firefox worlds, as far as what browser plugins might be there. But this can be scary because they have access. A lot of them can, I should say, ask for permissions or get access to your cookies for good reasons. But that also means they can be used for bad reasons. So only put the ones you need in there.
Email attachments are where a lot of this attack surface happens. Especially when you get an email attachment with a password, you should be incredibly suspicious of that; it's not normal. And often the reason you get an email attachment with a password is not for security reasons, because they usually put the password in the email. It's so they can evade some of the detection systems, because the detection systems aren't necessarily going to read the email, find the password in the email and assemble it. Therefore, you're bypassing some of those scanners. And hopefully, for them, that's the way they get in; that's what the threat actors often use these for. Call the person if you get an email attachment with a password, and ask them why they did that. And if they say they didn't send it to you, at least you know you've stopped something in the middle. You can actually take your attachments, if you want, or files that you may find suspicious or questionable, and upload them to VirusTotal. This is actually good for really anything. If you're grabbing something from a website that maybe you don't usually grab from, and you want to just run a check against it, upload it to VirusTotal and that's one more check that can be done, absolutely free, to see if it flags anything in there. It's not a guarantee: just because it wasn't flagged doesn't mean it's not a problem, but it's one more layer that you can use in this defense-in-depth strategy. Now you can go all the way to separate sandboxes. I think that goes a little bit out of scope, but you know, having your email maybe logged into a separate box, and some of your critical things logged into that, could be an option as well, something to consider. As far as antivirus, and this comes up a lot, I don't spend a lot of time looking at the consumer market when it comes to AV systems, but I will admit I'm surprised at how well Windows Defender AV does.
I would have probably been flamed, and maybe some will have some spicy comments down below about it. But I actually would tell you today, in 2023, Microsoft's actually getting good at Windows Defender AV. And if you'd have told Tom from a few years ago that, he probably wouldn't have believed you. But nonetheless, Windows Defender over the years has actually become a pretty good AV system. On the commercial side, we use SentinelOne and Huntress. I've talked about those on my channel before. That's more of a commercial tool that's not made for end users. It's made for us to manage businesses and manage security on there. And it usually goes a little bit further when you get into the businesses, because you may be monitoring with SIEM tools and other things where you're diving a little bit more in depth. But I think for the most part, the other things I mentioned are pretty good for most of your home users trying to protect against this. And the final thing I'll throw out there is using a browser-based password manager. Some people think this is scary, having it in the browser. I think the good thing is, especially for most people, it's going to be good for matching, to make sure you're filling in the username and password on the site you should be filling it in on. I say that because sometimes you'll see landing pages created that are actually proxies for nefarious sites. What they're doing is getting in between you and the site; a man-in-the-middle attack is what this is referred to as. They're going to proxy the connection to the actual site. This will allow them to generate a session token that they'll get a copy of, and then they'll be you again, and they didn't have to get on your computer to do that. Those are kind of scary, but generally speaking, browser-based password managers are going to look at the site, look at the URL, and only fill in if they match.
If they don't match and you find yourself manually putting in a password and username, stop right there. There's obviously something wrong if these things don't match, and you should stop and think critically about it. Nonetheless, love hearing from you. Let me know if there's something more you'd like me to cover on this topic. Hopefully this makes sense and you have a better understanding of just how simple it is to grab these tokens and copy them, and make sure you sign out of everything. Love hearing from you. Leave some comments down below, head over to my forum for a more in-depth discussion, and thanks.
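The URL-matching behaviour the last two paragraphs rely on, as an added example (not Bitwarden's or any browser's actual matching code): autofill is offered only when the page's scheme and host exactly match a saved entry, so a proxying lookalike host gets nothing and the "you're typing it by hand" signal fires. The vault contents and site names are constructed for the demo.

```python
from urllib.parse import urlsplit

# Added example: the origin check a password manager does before autofill.
# Constructed vault: saved origin -> username (passwords omitted on purpose).
VAULT = {
    "https://accounts.example.com": "tom",
    "https://xo.internal.example": "tom",
}

def origin_of(url):
    """Return 'scheme://host[:port]' for a URL, or None if it cannot be parsed.
    Default ports are dropped; a non-default port makes a distinct origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()   # userinfo ('user@') is already excluded
    try:
        port = parts.port
    except ValueError:              # malformed port: treat as unparseable
        return None
    if port and port not in (80, 443):
        host = f"{host}:{port}"
    return f"{scheme}://{host}"

def autofill_candidate(url, vault=VAULT):
    """Username to fill only when the origin exactly matches a saved entry
    and the page is HTTPS; otherwise None (the user should stop and think)."""
    origin = origin_of(url)
    if origin is None or not origin.startswith("https://"):
        return None
    return vault.get(origin)
```

Note that the check refuses hyphenated lookalikes, extra parent domains, `user@host` tricks, HTTP downgrades and odd ports alike; the manager never fills, which is exactly the cue the video tells you to act on.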