
Linus Tech Tips, Tech Quickie, Tech Linked channels hacked

betav17
Message added by Spotty,

The Linus Tech Tips, TechLinked, and TechQuickie Youtube channels have been restored.

A video explaining what happened is now up:

 

 

1 hour ago, Kilrah said:

They do both. Someone counted several YT accounts currently being compromised at the same time this morning, and a list was posted in this thread showing 30 of them in the last 10 days. They just attempt to hit anything they can, as you would expect.

That's just the top 30 hijacked channels in the last 10 days. There are hundreds in total.


Does this forum get hacked as well? Yesterday I couldn't access it all day. Today I still get the error code "SSL Handshake Failed Cloudflare Error 525" from time to time.


15 minutes ago, Winterlight said:

Does this forum get hacked as well? Yesterday I couldn't access it all day. Today I still get the error code "SSL Handshake Failed Cloudflare Error 525" from time to time.

I would put in a bug report. I have personally had zero issues whatsoever accessing the forums throughout all of this.

My PC Specs:

Main Gaming Machine

CPU: Intel Core i7-10700K - OC to 5 GHz All Cores
CPU Cooler: Corsair iCUE H115i RGB Pro XT (Front Mounted AIO)
Motherboard: Asus TUF GAMING Z490-PLUS (WI-FI)
Memory: Corsair Vengeance LPX 32 GB (2 x 16 GB) DDR4-3600

Storage: Intel 665p 1 TB M.2-2280 NVME SSD (x2)
Video Card: Zotac RTX 3070 8 GB GAMING Twin Edge OC

Power Supply: Corsair RM850 850W
Case: Corsair 4000D Airflow
Case Fan 120mm: Noctua F12 PWM 54.97 CFM 120 mm (x1)
Case Fan 140mm: Noctua A14 PWM 82.5 CFM 140 mm (x4)
Monitor Main: Asus VG278QR 27.0" 1920x1080 165 Hz
Monitor Vertical: Asus VA27EHE 27.0" 1920x1080 75 Hz


46 minutes ago, Issac Zachary said:

But seriously, would it be reasonable to have all your staff constantly delete cookies several times a day, doing so before every time they open an email or go to a different website, etc.? Would it be reasonable to have all your staff double or triple verify every incoming email was expected beforehand before opening them?

If it's literally how I feed my family, then yes, absolutely, that would be the minimum I would do.


33 minutes ago, Winterlight said:

Does this forum get hacked as well? Yesterday I couldn't access it all day. Today I still get the error code "SSL Handshake Failed Cloudflare Error 525" from time to time.

Nope. The forum just got inundated with people reporting the channel hijacking, all thinking they were the first to notice.

 

I've never seen a forum thread move as fast as this one did yesterday morning. Bravo to the mods and admins!

I sold my soul for ProSupport.


2 hours ago, bluraydisc said:

What I really find funny is that, to sell people on their easily-identifiable scam, they chose to attack one of the most tech-savvy youtube channels on the platform. Like, wouldn't it make more sense to attack a channel often watched by less tech-literate people?

Like Mr Beast. Boom roasted. 

Trigkey S5 Mini PC with Ryzen 7 5800H, 32GB RAM @ 3200Mhz, and Crucial P3 NVME SSD. Peripherals: Monitor - LG 24MP56 Keyboard - Razer Ornata V3 Mouse - SteelSeries Aerox 3(2022)


I found leftovers of the Elon Musk scam in one of your YT video descriptions. You should check the video descriptions.

 

Just so you can see I'm not wasting time:

 

Video:

 


6 minutes ago, PetarNik said:

I found leftovers of the Elon Musk scam in one of your YT video descriptions. You should check the video descriptions.

 

Just so you can see I'm not wasting time:

 

Video:

 

We have a megathread for a reason. Merged. Will forward this to LMG.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


"We were there" commemorative keyfob, not available now on lttstore.com

 


 

But here's the 3mf

LTTesla_fused.3mf

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


Session keys should be locked down by both IP address (this is arguable and has downsides for portable users, but should at least be an option that is offered), and by browser identification factors (this one isn't debatable, sessions are linked to browser and should never be used across them... though it is also easier to defeat).

 

The pain of portable users having to log in again when they relocate is worth the added security, and if you are ever offered the option of locking session keys down by IP, say yes.


39 minutes ago, dilpickle said:

If it's literally how I feed my family, then yes, absolutely, that would be the minimum I would do.

If you seriously expect and think employees should and will "delete cookies" several times a day, then you are way out of touch and also have extremely unrealistic expectations. Cookies are not themselves even the problem; shoddy systems that allow these to be misused are.

 

If I suspect an email is potentially not legitimate I go look at the headers and verify that way, I will never expect any normal person to do this, not ever. No amount of training someone will change that for me. I do it because such things are part of my job and I'm used to it, this will never be the case for a video editor and business relationship manager.

 

Employee time has a very real cost, burdening them and wasting their time with cumbersome ineffective processes will in the long run cost more than 24 hours of business outage.

 

There is never one thing that is the solution, user education and training is obviously important but there are many other things that are important too.


7 minutes ago, Thomas A. Fine said:

Session keys should be locked down by both IP address (this is arguable and has downsides for portable users, but should at least be an option that is offered), and by browser identification factors (this one isn't debatable, sessions are linked to browser and should never be used across them... though it is also easier to defeat).

 

The pain of portable users having to log in again when they relocate is worth the added security, and if you are ever offered the option of locking session keys down by IP, say yes.

One of the metrics our MFA and authentication looks at is "impossible travel". If a user's location information drastically changes and it's unrealistic that it could be legitimate travel, then you get forced to re-auth and do MFA. But of course YouTube doesn't offer this, as far as I know.


50 minutes ago, dilpickle said:

If it's literally how I feed my family, then yes, absolutely, that would be the minimum I would do.

I find it hard to believe that you would be going about your day, receive an email from somebody you believed was a business associate with a file attachment you were expecting, download the file then proceed to stop all the work you are doing to log out of all of your accounts and clear cookies before opening the attachment.

Even if you did that as soon as you log back in to those services to resume your work the malware could still be running in the background grabbing those session tokens (even if you think you removed it from the system).

 

If you were that concerned about this type of attack you would simply just use a separate machine or VM to open the attachment, which is far more user friendly than logging out of all of your accounts every time you want to open a file (which you might do hundreds of times throughout the day).

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


This entire fiasco could have been mitigated by having a button that said "log out all other sessions".

 

Additionally, the entire fiasco could have been prevented entirely if YouTube would bother to invalidate session cookies when they are logged in from the other side of the fricking planet (or, ya know, when the current IP doesn't match the previous IP, which LITERALLY every other platform does).

 

Google's technical team once again proving they make the most brain-dead decisions for no explainable reason.


Linus explained how their security was compromised, by letting the hackers get access to the session token, but then after all the damage that was done, like mass deleting videos and making unlisted or private videos public, and then later their channels getting terminated, how did they get it running again with all videos in place, with no damage done? Like nothing had ever happened before.

Microsoft owns my soul.

 

Also, Dell is evil, but HP kinda nice.


Long time lurker, first post.

 

Linus Tech Tips is a fairly large enterprise. What you need is a SOC. A security operations center, where things like SIEMs are set up to manage all the alerts raised by all the security devices. In modern cybersec, we use several different kinds of systems that raise several different kinds of alerts. The issue with that approach is that there are just too many alerts being raised across the enterprise, which is why we use a SIEM like Logstash or Wazuh. They keep all the alerts in one place, which can then be triaged. The triage process needs to happen and must be done by a SOC analyst. In modern-day large multinational banks we see SOCs with over 200 internal employees.

 

Let me know if you need ANY help setting up proper security measures around your enterprise.

 


10 minutes ago, Spotty said:

If you were that concerned about this type of attack you would simply just use a separate machine or VM to open the attachment, which is far more user friendly than logging out of all of your accounts every time you want to open a file (which you might do hundreds of times throughout the day).

I agree. Though still imperfect I think it would be reasonable to have machines dedicated to the sole purpose of managing sponsorship emails. If you want to be extra paranoid you could even have those machines on a separate network so they can’t directly interact with any of the machines that have access to anything sensitive. 


23 minutes ago, leadeater said:

SoonTM? LOL

 

Yeah, yeah, I know. Trademark. blah blah sighhhh

Just hit Elon up, you guys know each other well, right?? You even let him stream on the main channel yesterday....


I'll say this about employees and security:

Trust nobody, ever.

Give nobody any access they don't absolutely need. If privileged access is intermittently required, enable/disable policy for them as needed or use an alternate access method if available.

 

Apply additional restrictions on who has access to what based on their level of technical competency.

 

An example might be that if a user doesn't know what an anti-virus is, maybe they should not have free rein on the server.

 

Yes, yes, nobody can be expected to keep up on the current zer0days, but executable PDFs date back to Windows XP. Come on folks, get with it.

 

USE Acrobat Reader's GOD DAMN PROTECTED MODE AS YOUR DEFAULT! (Seriously, this makes me reeeeeee) and it would have stopped this attack dead. ... probably

 

https://helpx.adobe.com/reader/using/protected-mode-windows.html


7 hours ago, Dracarris said:

yeah, plus he has cameras all over his private home, indoors, to record the nude 24/7.. I'd say, a little suspicious 🙂

Linus has taken "Tech Porn" to a different level, lol.

 

Or he was just in boxers and sitting in his chair just made little Linus visible. But the blurring all of it just makes for a better video.


8 minutes ago, NvidiaFirePro6900XXTX3DPRO said:

Linus explained how their security was compromised, by letting the hackers get access to the session token, but then after all the damage that was done, like mass deleting videos and making unlisted or private videos public, and then later their channels getting terminated, how did they get it running again with all videos in place, with no damage done? Like nothing had ever happened before.

It is down to how the backend works: deletion doesn't happen straight away, and other stuff is managed by YouTube/Google and just needs re-enabling. I doubt they will divulge the exact methods used, as that would just give the 'hackers' more power to disrupt things.


45 minutes ago, NvidiaFirePro6900XXTX3DPRO said:

Linus explained how their security was compromised, by letting the hackers get access to the session token, but then after all the damage that was done, like mass deleting videos and making unlisted or private videos public, and then later their channels getting terminated, how did they get it running again with all videos in place, with no damage done? Like nothing had ever happened before.

 

YouTube just put everything back. Easy-peasy, mes amis

 

They could do this for anybody who gets hacked. However, if a channel is below a certain threshold of viewership, YouTube loses money by assisting them in any way, so they choose not to. YouTube will move heaven and earth for channels with as many subs as LTT has, though. 

 

Remember that YouTube creators are not customers, they are the product. You don't pay for a vet for a cow that doesn't produce any milk. 

 

edit: added quote to show what this was a reply to after threads got merged

Corps aren't your friends. "Bottleneck calculators" are BS. Only suckers buy based on brand. It's your PC, do what makes you happy.  If your build meets your needs, you don't need anyone else to "rate" it for you. And talking about being part of a "master race" is cringe. Watch this space for further truths people need to hear.

 

Ryzen 7 5800X3D | ASRock X570 PG Velocita | PowerColor Red Devil RX 6900 XT | 4x8GB Crucial Ballistix 3600mt/s CL16


First, nothing was ever deleted; all public videos were unlisted, and even if something is deleted there are plenty of backups in Google's hands. Deletion isn't permanent on anything, and YouTube doesn't want to delete the videos that are making tons of money.


When watching the latest video, I couldn't stop thinking about this function that Apple introduced a little while ago. Google should introduce something like that, maybe not as severe, but something that can lock down a YouTube channel in the event of a situation like this (ex: terminate all active session tokens, remove all permissions, a history of what changes were done to the channel recently, requiring an update of the security information, etc…).

