
Linus Tech Tips, Tech Quickie, Tech Linked channels hacked

betav17
Message added by Spotty,

The Linus Tech Tips, TechLinked, and TechQuickie Youtube channels have been restored.

A video explaining what happened is now up:

 

 

As expected it was down to user error. And these were some real amateur mistakes.

 

I've always set cookies to clear after every session. And I would never open email attachments I'm not expecting.

 

And I certainly wouldn't be posting personal family videos to test my YouTube channel. 🤦‍♂️


2 hours ago, imkatz said:

Heya. Even though, thankfully, LTT, Techquickie and TechLinked have been restored, there is something weird..

When searching up Techquickie, the Tesla PFP that the hacker set is still there.


I suppose this is just some cache glitch on Youtube's end, or maybe, my browser is being weird. Just wanted to share.

[screenshot of the YouTube search result]

Lol that is weird


5 minutes ago, dilpickle said:

As expected it was down to user error. And these were some real amateur mistakes.

 

I've always set cookies to clear after every session. And I would never open email attachments I'm not expecting.

You are also above average with technical understanding. As Linus states in the video, it's not realistic to expect the same level from all employees, even of a tech company.

 

5 minutes ago, dilpickle said:

And I certainly wouldn't be posting personal family videos to test my YouTube channel. 🤦‍♂️

When did you start using YouTube? LTT has been there from 2008. YouTube was very different back then, and not everyone deletes older videos systematically.

 

So, maybe tone down the patronising?


46 minutes ago, leadeater said:

The problem isn't actually restricting it down to a few trusted people, the problem is the inability to give people only the necessary permissions to do specific tasks and nothing else. If you have a responsibility to upload videos to the channel then that is the only permission set you should be granted. Publishing a video to the public should be a separate permission set, unpublishing, deleting, renaming etc etc etc.

Agreed, based on what Linus described in the video: one door vs. a bunch of little doors that open up to all of the gold in the vault. Each of those little doors, as he put it and you said, needs limited access.

 

46 minutes ago, leadeater said:

Being secretive about security measures is not strictly necessary so long as whatever it is you are using, talking platform/service, actually has good security implementations in place. If your security completely breaks down because some key piece of information slips out then you never had any security to begin with, you had luck.

That said, if the only choices are giving someone access to everything or nothing then only giving very trusted people access to everything is a valid option.  It may not be the most functional but it might be all they can do. 

Of course though, if only 4-5 people can post videos that would be a heavy workflow for those people.  Especially since it seems a lot of people pass around multiple versions of every video via Youtube before a video goes live. 

 


Me who has done accidental session hijacking of a 2fa protected account through poisoned cache via RSS feeds and a shared VPN exit node. 

VPNs could actually make this a worse problem for those who use VPNs fyi because you can SHARE an IP from the POV of the website. 

Here it was malicious and targeted though. 


  • Could he have gone to myaccount[.]google[.]com/device-activity
  • Remove all devices except his computer.

 

Any reason not to...


1 minute ago, Alpena Milch said:
  • Could he have gone to myaccount[.]google[.]com/device-activity
  • Remove all devices except his computer.

 

Any reason not to...

I believe the issue is that there are multiple employee accounts which have access to control the channel, and it was one of those accounts that was hijacked. Linus might not have had direct access over that account or might not have been able to immediately identify which account was being used.


Just now, Spotty said:

I believe the issue is that there are multiple employee accounts which have access to control the channel, and it was one of those accounts that was hijacked. Linus might not have had direct access over that account or might not have been able to immediately identify which account was being used.

It just invalidates the session cookie requiring someone to re-authenticate via whatever name/password + 2FA that the account has enabled.  It probably would have cut off access to the bad actor that was trying to gain control of the channels.


3 minutes ago, Slizzo said:

It just invalidates the session cookie requiring someone to re-authenticate via whatever name/password + 2FA that the account has enabled.  It probably would have cut off access to the bad actor that was trying to gain control of the channels.

Yeah, but it can only be done from the account that is compromised. Which likely wasn't Linus's account but one of his employees.

Let's say one of the writers' Google accounts is added to the YouTube channel as a manager to allow them to upload videos. Linus can't log in to that employee's account and invalidate the session through the device activity page. The owner of the account would need to do that.

 

 

37 minutes ago, japers said:

Some tool has scraped the YouTube URLs when all the videos were un-privated and it included a few hundred unlisted personal videos

 

If any of the mods can reach out to someone directly to let Linus know, thats probably wise.

I saw the reddit post but it has since been deleted by the OP.

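The revocation mechanics Slizzo and Spotty are discussing, as an added example that is not part of any post and not Google's implementation: a toy server-side session store in which a cookie is an opaque bearer token, "sign out other devices" revokes only the sessions of the account that presents the cookie, and so the channel owner cannot cut off an attacker who holds an employee's cookie. Account names, the cookie format and the scenario are assumptions for illustration.

```python
"""
Added example (not from the LTT thread or any Google code): why a stolen session
cookie keeps working until the *owning* account revokes its sessions, and why an
owner cannot revoke sessions that belong to another employee's account.
Names, token format and scenario are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    account: str
    device: str
    revoked: bool = False


class SessionStore:
    """Maps opaque cookie values to sessions. Nothing in the cookie identifies
    the machine; the server trusts whoever presents it."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, account: str, device: str) -> str:
        # Assumes password + 2FA already succeeded; only the cookie is minted here.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(account, device)
        return token

    def whoami(self, token: str) -> Optional[str]:
        """Resolve a presented cookie to an account, or None if unknown/revoked."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        return s.account

    def devices(self, token: str) -> List[str]:
        """What a 'device activity' page would list for the presenting account."""
        me = self.whoami(token)
        return [s.device for s in self._sessions.values()
                if s.account == me and not s.revoked]

    def sign_out_other_devices(self, token: str) -> int:
        """Revoke every session of the *presenting* account except this one.
        The scope is the account resolved from the cookie, never a parameter the
        caller chooses, so holding a different account's cookie gives no reach."""
        me = self.whoami(token)
        if me is None:
            raise PermissionError("not signed in")
        n = 0
        for t, s in self._sessions.items():
            if s.account == me and t != token and not s.revoked:
                s.revoked = True
                n += 1
        return n


def revocation_demo() -> Dict[str, object]:
    """Constructed scenario: one employee session, one owner session, one thief."""
    store = SessionStore()
    employee_cookie = store.login("employee@example.com", "work-pc")
    owner_cookie = store.login("owner@example.com", "owner-laptop")

    # An infostealer copies the employee's cookie; the attacker replays it elsewhere.
    attacker_cookie = employee_cookie
    before = store.whoami(attacker_cookie)

    # The owner signs out his *own* other devices: no effect on the employee's session.
    owner_revoked = store.sign_out_other_devices(owner_cookie)
    after_owner = store.whoami(attacker_cookie)

    # Only the employee, re-authenticating on a fresh device, can cut the attacker off.
    fresh_employee_cookie = store.login("employee@example.com", "work-pc-reauth")
    employee_revoked = store.sign_out_other_devices(fresh_employee_cookie)
    after_employee = store.whoami(attacker_cookie)

    return {
        "attacker_before": before,
        "owner_revoked": owner_revoked,
        "attacker_after_owner_revoke": after_owner,
        "employee_revoked": employee_revoked,
        "attacker_after_employee_revoke": after_employee,
    }


if __name__ == "__main__":
    for k, v in revocation_demo().items():
        print(f"{k}: {v}")
```

The point of the toy is the scoping rule in `sign_out_other_devices`: the account whose sessions get revoked is derived from the cookie doing the revoking, so the only way to invalidate the stolen employee session is for that employee (or an administrator of the organisation's identity provider, which this toy does not model) to act.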

11 minutes ago, LogicalDrm said:

You are also above average with technical understanding. As Linus states in the video, it's not realistic to expect the same level from all employees, even of a tech company.

The mistake is Linus's. As he said he needs to provide better training. The YouTube channel is their livelihood so this was never something to be lax about.

 

Anyone who had access to the channel should have been following strict procedures. I wouldn't treat it any different from a bank account because that's literally what it is for his company. 

 

11 minutes ago, LogicalDrm said:

When did you start using YouTube? LTT has been there from 2008. YouTube was very different back then, and not everyone deletes older videos systematically.

I started using it in 2006 and I knew then and now to assume that anything I share on the Internet will be seen by everyone. 

 

11 minutes ago, LogicalDrm said:

So, maybe tone down the patronising?

Yeah, sorry, no, but unlike most here I don't worship Linus or any other YouTuber. I'm not affected in any way by their channel getting hacked but I'm still going to call out foolishness wherever I see it.


What I really find funny is that, to sell people on their easily-identifiable scam, they chose to attack one of the most tech-savvy youtube channels on the platform. Like, wouldn't it make more sense to attack a channel often watched by less tech-literate people?


Out of curiosity, does anyone know why the browser doesn't do some sort of machine ID check before just openly accessing stored session tokens? I know there would still be ways around this but it raises the skill level required for these attacks pretty substantially.

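What a "machine check" on a session token could look like, as an added example that is not from the page and not how any browser or site actually implements it: the session is bound to a per-device key that never leaves the machine, and every request must carry a proof made with that key, so a copied cookie jar on its own is useless. Real schemes use an asymmetric key held in a TPM or OS keystore; here an HMAC secret stands in for it, and the header layout, nonce handling and names are assumptions for illustration.

```python
"""
Added example (not the page's code, not any browser's or Discord's): a
device-bound session. The cookie is still a bearer value, but the server only
honours it alongside a proof-of-possession signature from a per-device key.
An HMAC secret stands in for a hardware-backed keypair; header format, nonce
scheme and names are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple


class BoundSessionServer:
    def __init__(self, max_skew_s: int = 60) -> None:
        self._sessions: Dict[str, Tuple[str, bytes]] = {}  # cookie -> (account, device key)
        self._seen_nonces: Set[str] = set()
        self.max_skew_s = max_skew_s

    def login(self, account: str, device_key: bytes) -> str:
        """Called after password + 2FA; the client registers its device key."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (account, device_key)
        return cookie

    @staticmethod
    def _message(cookie: str, method: str, path: str, ts: int, nonce: str) -> bytes:
        # Bind the proof to the cookie, the request and a fresh nonce/timestamp.
        return f"{cookie}\n{method}\n{path}\n{ts}\n{nonce}".encode()

    def authorize(self, cookie: str, method: str, path: str, ts: int,
                  nonce: str, proof: str, now: Optional[int] = None) -> Optional[str]:
        """Return the account if cookie and proof check out, else None."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        account, device_key = entry
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.max_skew_s:   # stale request
            return None
        if nonce in self._seen_nonces:        # verbatim replay of a captured request
            return None
        expected = hmac.new(device_key, self._message(cookie, method, path, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            return None                       # right cookie, wrong device key
        self._seen_nonces.add(nonce)
        return account


class BoundSessionClient:
    """Holds the device key. On a real system this key is non-exportable, so an
    infostealer that copies the cookie jar does not get it."""

    def __init__(self) -> None:
        self.device_key = secrets.token_bytes(32)
        self.cookie: Optional[str] = None

    def sign(self, method: str, path: str, now: Optional[int] = None) -> Dict[str, object]:
        ts = int(time.time()) if now is None else now
        nonce = secrets.token_hex(16)
        proof = hmac.new(self.device_key,
                         BoundSessionServer._message(self.cookie, method, path, ts, nonce),
                         hashlib.sha256).hexdigest()
        return {"cookie": self.cookie, "method": method, "path": path,
                "ts": ts, "nonce": nonce, "proof": proof}


def binding_demo() -> Dict[str, Optional[str]]:
    """Constructed scenario with a fixed clock so the run is deterministic."""
    server = BoundSessionServer()
    victim = BoundSessionClient()
    victim.cookie = server.login("employee@example.com", victim.device_key)
    now = 1_700_000_000

    req = victim.sign("POST", "/studio/upload", now)          # genuine device
    legit = server.authorize(**req, now=now)

    thief = BoundSessionClient()                              # different device key
    thief.cookie = victim.cookie                              # but the stolen cookie
    forged = thief.sign("POST", "/studio/upload", now)
    stolen_cookie_only = server.authorize(**forged, now=now)

    replay = server.authorize(**req, now=now)                 # captured request, replayed
    replay_later = server.authorize(**req, now=now + 3600)    # same, an hour later

    return {"legit": legit, "stolen_cookie_only": stolen_cookie_only,
            "replay": replay, "replay_later": replay_later}


if __name__ == "__main__":
    print(binding_demo())
```

The trade-off the thread goes on to mention applies here too: a session tied to one device's key is exactly what breaks "log in once, use it on any machine", so a site deploying this needs a sensible re-enrolment path for new devices rather than silently failing.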

17 minutes ago, bluraydisc said:

What I really find funny is that, to sell people on their easily-identifiable scam, they chose to attack one of the most tech-savvy youtube channels on the platform. Like, wouldn't it make more sense to attack a channel often watched by less tech-literate people?

The average Linus watcher is more often than not at the bottom of the Dunning-Kruger curve.


23 minutes ago, bluraydisc said:

What I really find funny is that, to sell people on their easily-identifiable scam, they chose to attack one of the most tech-savvy youtube channels on the platform. Like, wouldn't it make more sense to attack a channel often watched by less tech-literate people?

The idea may not necessarily be to target the subscribers of the channel. While I'm sure the bulk of views come from subscribers, with a big enough channel YouTube's algorithm will push that content out to a lot of people who might have never watched that channel's content before. Since the hijackers often rebrand the channel and delete all of their videos, any casual viewer coming across the livestream will just see a YouTube channel called "Tesla" with millions of subscribers without any context clues (like unrelated videos) to give the red flags that it isn't the legitimate Tesla channel.

 

This scam has been running for a while now so it must be working. They wouldn't keep doing it if it wasn't worth their time.


23 minutes ago, bluraydisc said:

What I really find funny is that, to sell people on their easily-identifiable scam, they chose to attack one of the most tech-savvy youtube channels on the platform. Like, wouldn't it make more sense to attack a channel often watched by less tech-literate people?

They do both. Someone counted several YT accounts currently being compromised at the same time this morning, and a list was posted in this thread showing 30 of them in the last 10 days. They just attempt to hit anything they can, as you would expect.


So I guessed it right, it really was a fake sponsorship offer. 


I'm pretty lax about computer-based security for my business. It's just a subject which doesn't interest me. It's an effort vs reward vs worst-case calculation.

Really, it's the credit card and banking security that concerns me. I have to trust the banking websites to do a better job than I could come up with, and credit card security comes down to how much vendors and non-online situations can be trusted.

 

To me hardening one's staff and enacting exacting security protocols and doing all the so-called right things seems a bit tiresome. Insurance is my method to peace of mind. Since I need business insurance to get a commercial lease I might as well put my efforts into making sure it meets most disaster contingencies. Since even savvy people can lapse, and only need to lapse once, I see a lot of security theatre which has more to do with shaming (and product sales) than protection. And shaming, like insurance, is an after-the-fact approach. I'll take the insurance.

 

Obviously not an approach for everyone, and I wouldn't even recommend it! 

 

 


15 minutes ago, goodtofufriday said:

So speaking of session tokens, this is what discord told me after I reported a similar attack vector to them.

 

[screenshot of Discord support's reply]

When a lower tier support employee says something they shouldn't heh. If that had gotten higher up the chain it probably would have gotten a different response, probably same outcome though. Code change would probably be not insignificant so they don't want to put resources in it. Sure device security is important but device sharing is also a thing, schools, college, university, work, family, computer etc.


2 minutes ago, Rex Hite said:

I'm pretty lax about computer-based security for my business. It's just a subject which doesn't interest me. It's an effort vs reward vs worst-case calculation.

Really, it's the credit card and banking security that concerns me. I have to trust the banking websites to do a better job than I could come up with, and credit card security comes down to how much vendors and non-online situations can be trusted.

 

To me hardening one's staff and enacting exacting security protocols and doing all the so-called right things seems a bit tiresome. Insurance is my method to peace of mind. Since I need business insurance to get a commercial lease I might as well put my efforts into making sure it meets most disaster contingencies. Since even savvy people can lapse, and only need to lapse once, I see a lot of security theatre which has more to do with shaming (and product sales) than protection. And shaming, like insurance, is an after-the-fact approach. I'll take the insurance.

 

Obviously not an approach for everyone, and I wouldn't even recommend it! 

There's an effort bell curve: some things are quite simple and you are probably already doing them anyway. Simple things like not giving admin rights on computers to users who don't need them are often an extra easy step that can be achieved. Also turning on Volume Shadow Copy/Previous Versions can help a lot too, along with regular backups, which can be done quite cheaply.

 

Insurance is only so good though, it doesn't get back what has been "lost". Risk can never be outsourced, it's the responsibility and determination of the owner but that's not to say insurance is not a valid approach to risk if it's deemed to suitably cover your needs etc.


52 minutes ago, dilpickle said:

Yeah, sorry, no, but unlike most here I don't worship Linus or any other YouTuber. I'm not affected in any way by their channel getting hacked but I'm still going to call out foolishness wherever I see it.

You don't have to worship anyone. All I was asking for was being decent. Apparently it was too much.


Super happy that your channel is back and bigger than ever! I was going to watch a video last night but then found out on YouTube what happened. I went on to the LTT forum and Discord and it was super chaotic! Hope that this never happens again to you or other YouTube channels. Lots of love from the Cardiff, Wales, UK ❤️


1 hour ago, dilpickle said:

As expected it was down to user error. And these were some real amateur mistakes.

 

I've always set cookies to clear after every session. And I would never open email attachments I'm not expecting.

 

And I certainly wouldn't be posting personal family videos to test my YouTube channel. 🤦‍♂️

Although I see why someone would clear cookies after every session I also see why it may have not made much of a difference. The malware was downloaded while the user was logged on. Unless the user had all cookies cleared before opening emails then how would clearing cookies after downloading and executing the malware have solved anything?

 

As far as email attachments go, this is a media company that needs to do business with many clients, including new ones. Even if they didn't do business with new ones, there's always the chance that a legitimate email address from one of their current clients could be hacked.

 

The main thing here was Colton, I mean, the LMG employee, should have noticed something was fishy when the PDF file didn't open correctly. Maybe it wasn't actually a PDF file extension and they should have verified that first before opening it.

 

I'm not saying that things couldn't have been done better. Even Linus admits to that. But seriously, would it be reasonable to have all your staff constantly delete cookies several times a day, doing so before every time they open an email or go to a different website, etc.? Would it be reasonable to have all your staff double or triple verify every incoming email was expected beforehand before opening them?

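The check the post above suggests, verifying what an attachment actually is before opening it, as an added example that is not code from the page: classify the file by its leading bytes instead of its extension and flag the common naming tricks that make an executable look like a PDF (double extension, a long run of spaces before the real extension, a right-to-left override character). The sample attachments are constructed inside the script and contain only header bytes, not real content; the rule set is a minimal illustration, not a full file-type detector.

```python
"""
Added example (not from the LTT thread): does the attachment's content match
what its name claims? Sample files are constructed here and hold only a few
header bytes. The magic-byte table and filename rules are a small illustrative
subset of what a mail gateway or endpoint agent would check.
"""
import os
import tempfile
from typing import Dict, List

MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "windows-executable",   # EXE, DLL and SCR all carry the PE 'MZ' header
    b"PK\x03\x04": "zip",          # also docx/xlsx/jar containers
    b"\x7fELF": "elf",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
RTL_OVERRIDE = "\u202e"            # makes 'deal<RLO>fdp.exe' render as 'dealexe.pdf'
SPACE_RUN = " " * 20               # pushes the real extension out of a file dialog's view


def sniff(path: str) -> str:
    """Classify by leading bytes; the extension is deliberately not consulted."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(path: str) -> Dict[str, object]:
    name = os.path.basename(path)
    parts = name.lower().split(".")
    claimed = "." + parts[-1].strip() if len(parts) > 1 else ""
    actual = sniff(path)
    findings: List[str] = []

    if claimed == ".pdf" and actual != "pdf":
        findings.append(f"named .pdf but content is {actual}")
    if len(parts) > 2 and claimed in EXECUTABLE_EXTS:
        findings.append("double extension ending in an executable type")
    if SPACE_RUN in name:
        findings.append("run of spaces hiding the real extension")
    if RTL_OVERRIDE in name:
        findings.append("right-to-left override character in filename")
    if actual == "windows-executable" and claimed not in EXECUTABLE_EXTS:
        findings.append("executable content behind a non-executable extension")

    return {"name": name, "claimed": claimed, "actual": actual,
            "findings": findings, "suspicious": bool(findings)}


def attachment_demo() -> Dict[str, List[str]]:
    """Constructed sample attachments (header bytes only, no real malware).
    Returns filename -> list of findings."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    pdf_stub = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
    samples = {
        "sponsorship_brief.pdf": pdf_stub,                 # genuine PDF
        "sponsorship_brief.pdf.exe": pe_stub,              # double extension
        "contract.pdf": pe_stub,                           # lying extension
        "brief.pdf" + " " * 40 + ".scr": pe_stub,          # padded name
        "deal" + RTL_OVERRIDE + "fdp.exe": pe_stub,        # RTL override trick
    }
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as d:
        for fname, body in samples.items():
            p = os.path.join(d, fname)
            with open(p, "wb") as f:
                f.write(body)
            results[fname] = inspect_attachment(p)["findings"]
    return results


if __name__ == "__main__":
    for fname, findings in attachment_demo().items():
        print(repr(fname), "->", findings or "ok")
```

A file that "didn't open correctly" as a PDF would be caught by the first rule alone: the reader fails because the bytes are not a PDF, and that is the moment to stop rather than try another viewer.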

1 hour ago, LogicalDrm said:

You are also above average with technical understanding. As Linus states in the video, it's not realistic to expect the same level from all employees, even of a tech company.

 

This and...

May be they were/are careful. The scammer needs to be successful only once. The LTT user needs to fail just ONCE (since 2013) for phishing emails and game over. So glad he was very kind towards all employees.

 

PS: To mod: Please tell the editor not to upload raw unedited footage without strawberry to YouTube (as private/unlisted). One never knows..

