
My Channel Was Deleted Last Night.

CPotter

Seems that the aftermath still lingers around huh

 


6 minutes ago, Foxy2122 said:

Seems that the aftermath still lingers around huh

 


Only a caching problem; it isn't mentioned in the original description.


Does anybody know what the attack vector was exactly, other than the fact it was an infected zip file? An executable hidden within a Word file macro or something similar?


I was curious when I saw a notification about this Tesla thing on LTT and some of the other channels. Sadly, I didn't think to investigate. I had a long day by that point.

I am glad that the LMG team was able to recover from this. 

My 2020 Upgrade: CPU: Ryzen 5 3600; MB: MSI X570 Tomahawk WiFi; Memory: G.Skill Ripjaws V 32GB 3600 MHz; Case: Lian Li Lancool II Mesh Performance; PSU: Corsair RM550X 80+ Gold; Storage: WD Blue 500GB SSD; Seagate 4TB Compute HDD; Monitor: GIGABYTE G34WQC 34" 144Hz Curved Gaming Monitor, 3440 x 1440 VA 1500R Display

 

Previous Components Still Using: GPU: MSI GTX 1070 (bought Used); Storage: WD 3TB Green HDD,WD 1TB Black HDD, SanDisk SSD PLUS 240GB

Previous Monitor I want to VESA mount: LG 29UB55-B 29" Ultrawide 1080p 60Hz IPS

 


13 minutes ago, Jshsysy said:

Does anybody know what the attack vector was exactly, other than the fact it was an infected zip file? An executable hidden within a Word file macro or something similar?

Somebody opened an executable thinking it was a PDF. (Their Show Extensions was off and the .pdf.exe file showed up as .pdf)


From the sounds of the video, it was a MyDocument.?fdp.exe where ? is a special character that tells Windows to show it to the user as MyDocument.exe.pdf.

 

An executable icon is then embedded that matches that of a typically seen pdf icon.

 

Even if you have it set to show files extensions, it could be tricky to notice.

 

The user thinks it just failed to load the document, since nothing appears to happen. In reality, it just ran some malware in the background that went about doing its thing.


A copy of the session ID (stored in a cookie) for the currently active YouTube session (and all other website sessions) is sent to the attacker. Then the attacker uses this session ID in place of all other authentication, which still works if the website trusts the new device/address being used.

 

As I understand it there are 3 ways to greatly reduce the chances of this happening:

 

1. Don’t use Windows. Use a platform that is much more resistant to malware, such as a Linux-based platform.


If using Windows:

2. Log out of the website/application when you are done.

3. Use a hardware key in place of an Authenticator code

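A defender-side check for the two filename tricks described in the posts above (the plain `.pdf.exe` double extension and the reversed `?fdp.exe` name), added here as an example and not taken from any poster or from LMG. It assumes the "special character" is the Unicode right-to-left override U+202E; the function names, extension lists and sample filenames are constructed for illustration.

```python
import unicodedata

# Bidi control characters that can change the order in which a name is drawn.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def displayed_name(name: str) -> str:
    """Approximate a bidi-aware UI: everything after U+202E is drawn reversed."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


def inspect_filename(name: str) -> list[str]:
    """Return findings for names whose displayed type differs from the real one."""
    findings = []
    controls = [c for c in name if c in BIDI_CONTROLS]
    if controls:
        findings.append("bidi-control:" + ",".join(f"U+{ord(c):04X}" for c in controls))
    # The OS picks the handler from the stored name, so judge the real
    # extension with invisible format characters (category Cf) removed.
    stored = "".join(c for c in name if unicodedata.category(c) != "Cf")
    parts = stored.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        shown_ext = displayed_name(name).lower().rsplit(".", 1)[-1]
        if shown_ext in DOCUMENT_EXTS and shown_ext != real_ext:
            findings.append(f"displayed-as:.{shown_ext} real:.{real_ext}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double-extension:.{parts[-2]}.{real_ext}")
    return findings


# Constructed sample names (not taken from the incident).
SAMPLES = ["MyDocument.\u202efdp.exe", "invoice.pdf.exe", "report.pdf"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", displayed_name(sample), inspect_filename(sample))
```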

How many videos is this now where Linus has been caught on camera naked in his house? If only there was a really cool store that sold pyjama pants...

https://www.lttstore.com/products/pj-pants

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


10 minutes ago, Gokul_P said:

Somebody opened an executable thinking it was a PDF. (Their Show Extensions was off and the .pdf.exe file showed up as .pdf)

WhiteAirLock probably is on the money.

 

This video went onto my suggested list out of nowhere the other day, maybe this is why...


Hi everyone,

 

I have seen the video and read about the root cause. I am sure they are thinking about possible solutions for malicious attachments to be blocked in the future. And I am here to share my knowledge and even more.

 

A couple of years ago (end of 2015), I started developing a transport agent for on-premises Exchange Servers for my customers (I am a consultant) that utilizes the widely known YARA engine by VirusTotal to check mail attachments for specific file indicators that could be used by possible malicious code droppers. Unlike classic anti-virus engines, it does not rely on pattern or behaviour matches, as attackers are known to have bypassed those checks with sometimes clever tricks in the past.

 

Example of what my ruleset is doing:

Having an Office document with an OLE object will raise a red flag, as the OLE object might be something harmless, but could potentially be a malicious object.

Same goes for, let's say, PDFs with JavaScript.

Basically all flags from common file types, that could potentially be used to drop malware, are covered by this ruleset.

 

I am not aware of the mail infrastructure at LMG, but the YARA engine can also be used in other setups as well, with some overhead on how to integrate the engine properly.

 

So if there is any interest in more of this, let me know.

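The kind of structural flagging described in the post above (Office documents with OLE objects, PDFs with JavaScript), sketched here as an added example in plain Python rather than YARA. It is not the poster's ruleset; the function names, flag labels and sample files are constructed for illustration.

```python
import io
import re
import zipfile

# PDF name tokens that indicate active or embedded content.
PDF_FLAGS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]


def flag_attachment(data: bytes) -> list[str]:
    """Return structural red flags: 'can carry a dropper', not 'is malware'."""
    flags = []
    if data.startswith(b"%PDF-"):
        for token in PDF_FLAGS:
            # Match the name only when it is not a prefix of a longer name.
            if re.search(re.escape(token) + rb"(?![A-Za-z])", data):
                flags.append("pdf:" + token.decode())
    elif data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        flags.append("ole2:legacy-format-unparsed")  # old .doc/.xls container
    elif data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                low = name.lower()
                if low.endswith("vbaproject.bin"):
                    flags.append("ooxml:vba-macros")
                elif "/embeddings/" in low or "oleobject" in low:
                    flags.append("ooxml:embedded-ole:" + name)
    elif data.startswith(b"MZ"):
        flags.append("pe:executable")
    return flags


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed minimal OOXML-like zip for the demo (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 8)
    return buf.getvalue()


# Constructed sample PDF body with a JavaScript action and an OpenAction.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (0) >> endobj\n%%EOF")

if __name__ == "__main__":
    for blob in (SAMPLE_PDF, build_sample_docx(True), build_sample_docx(False)):
        print(flag_attachment(blob))
```

A literal token search under-reports on real PDFs, because names can be hex-escaped and objects can sit inside compressed streams; a production check needs a parser that normalises both first.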

4 minutes ago, Spotty said:

How many videos is this now where Linus has been caught on camera naked in his house? If only there was a really cool store that sold pyjama pants...

https://www.lttstore.com/products/pj-pants

I would have a kill switch button by the bedroom door. When pushed, all of the internal cameras stop recording.


A VPN connection can prevent session cookie hijacking 😉

 

You do not even need a VPN provider for that, as long as you can install SSL and a proxy like Squid on a server or other PC.

Then you can maybe use PuTTY to establish an SSL connection to this machine.

 

This is called a transparent proxy or inline proxy.


13 minutes ago, Spotty said:

How many videos is this now where Linus has been caught on camera naked in his house? If only there was a really cool store that sold pyjama pants...

https://www.lttstore.com/products/pj-pants

When you just wanna listen, but your eyes keep drifting toward the strawberry.


3 minutes ago, s3r4pH said:

A VPN connection can prevent session cookie hijacking 😉

Since when does a VPN encrypt your cookies and session ID?


1 hour ago, SamuYoung said:

Hi Linusteam,

 

In my company we are using Okta to protect our accounts of all types.

It's perfect for managing sessions and cookies in an easy way.

Try to give it a shot!

 

And if you need more info you are free to ask.

 

I'm pretty sure you can't use external IdPs with a YouTube account. If you can, there are more alternatives apart from Okta, like AzureAD, Auth0, etc.


12 minutes ago, CoolJosh3k said:

Since when does a VPN encrypt your cookies and session ID?

A VPN conceals your IP address and is a good protection if someone tries an attack.


32 minutes ago, Spotty said:

How many videos is this now where Linus has been caught on camera naked in his house? If only there was a really cool store that sold pyjama pants...

https://www.lttstore.com/products/pj-pants

I do hope it was Linus that censored the video before handing it off to the editors.

Not sure how I'd feel about seeing my boss's junk.

🌲🌲🌲

 

 

 

◒ ◒ 


11:15 I'd think the scammers would use a VPN with a Canadian server though. Got to have a 'log out of all devices' button with your tools; my understanding is that would have nuked their access? I go to myaccount dot google -> security -> my devices -> I would have to sign out 1 device at a time.


3 minutes ago, s3r4pH said:

A VPN conceals your IP address and is a good protection if someone tries an attack.

This attack does not require knowing the target's IP address. VPNs do not protect you against malware, phishing, or hacking. A VPN would not have helped at all.

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


I love that the team had @CPotter be the one to post this to the Forums.

 

Great job everyone at LMG and great job to the mods here. I noticed @Spotty in particular was working hard to keep things under control here, like removing the affected channels from the sidebar, and I'm sure other mods were involved, too.

 

And, so far, good job Google in getting this handled quickly. But let's hope we can continue to praise them in the coming days, and that they work on solid mitigation strategies instead of just playing whack-a-mole as these attacks continue.


18 minutes ago, CoolJosh3k said:

Since when does a VPN encrypt your cookies and session ID?

Around the same time that everyone suddenly became a self-proclaimed cyber security expert while LTT was down and offering their "services" for free to try and prevent this happening again.

 

If someone is offering such services for free, chances are they are not actually in that field or don't know what they are doing.

🌲🌲🌲

 

 

 

◒ ◒ 


2 minutes ago, Spotty said:

This attack does not require knowing the target's IP address. VPNs do not protect you against malware, phishing, or hacking. A VPN would not have helped at all.

Dude, it is a common method to minimize the risk of this. Go check this on YouTube please 😉


I wonder why Google doesn't invalidate sessions based on approx. distances between login locations, by for example IP addresses, like they already do for normal logins.


Why not use Kaspersky + a proper firewall system that scans all e-mails first? That's how I try to prevent such things.

From AT. :x


Knowing that this happened, then, how can we be protected against malware files if we already have our antivirus and firewall running? No one will close all sessions before turning off the PC.
