>>>>Yeah it doesn't work like that. Person starts VPN app and it kills all other internet traffic on the machine,enters VPN password, then if all is good they can enter the RSA key. ...so not really something that can be hijacked from the internet as no traffic other than the local intranet is allowed at that point. There are no browser credentials of any use outside the intranet.
>>>>
>>>
>>>First thought would be to check if VPN app started from a VM kills:
>>>a) all access from physical host (including other guest VM) to directory structure available/reachable to "VPN app VM"
>>>b) internet traffic of all other VM running on same physical host
>>>
>>>Snooping can happen via odd paths ;-)
>>
>>In our case none of the machines have VM on them.
>
>Might be hard to verify unless all machines under strict control of IT.

..and that is indeed the case - the machines are really locked down tight.

>>In that scenario I don't know what would happen - never bothered to try it. I know you can capture packets on VM machines but I've never tried to use VM on a machine to capture packets on the same machine while it's connected to a VPN. Seems like it wouldn't do you any good and all you'd see is the encrypted packets.
>
>Directly only via "memory hammered" access seems probable, and that might lead to unstable "leaking" machine as well. But as a VM can map into normal directory and/or .vhd/.vdi can be shared, anything temporarily saved on directory might be compromised - from cookies over browser storage to swap disk.

Yeah I thought of that late last night. Seems like it would be somewhat difficult to do - maybe I'll give it a try just out of sheer curiosity.