My Channel Was Deleted Last Night.

CPotter
16 minutes ago, YoungBlade said:

Great job everyone at LMG and great job to the mods here. I noticed @Spotty in particular was working hard to keep things under control here, like removing the affected channels from the sidebar, and I'm sure other mods were involved, too.

I can't take credit for that. The whole mod team was involved and were really quick to act. We've got a pretty good team of mods ❤️

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


11 minutes ago, TechlessBro said:

They can also set up a proxy on the same PC so the session and fingerprint match. Also, any third-party app uses API key access, so it never steps up to MFA, as that's for the third-party app to handle.

They only had momentary access to the PC, and it seems like a rootkit or any other remote-exploitation malware wasn't installed, as that would most likely have been detected by their antivirus.


I also would suggest using NoScript or something like it to defend against cross-site scripting.


@LinusTech The PDF problem is well known and, for some reason, the only browser that has mitigations against it is Firefox, but it's not implemented in a good way. So if you're interested in improving your security a bit by using it, here's how you can do it:

On FF there are two settings that you need to change, but they're available only in `about:config`. The first one is `pdfjs.enableScripting`, and you set it to `false`. By doing that you disable the ability of PDFs to run scripts (which is the main cause of the session hijack).

The other one is `enableXfa`. I don't know a lot about XFA, so I can't give you a good explanation for it, but it's a proprietary PDF extension that can lead to the same problems.

Unfortunately, Chrome doesn't have any mitigations or options against it.

Edited by kumicota
improvements
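A way to verify the two about:config changes from the post above across a fleet of machines, as an added example (not from the post or the forum): it parses the `user_pref("name", value);` lines Firefox writes to `prefs.js` (or the `user.js` override file) and reports whether the pdf.js scripting and XFA prefs are actually off. The second pref's full name is `pdfjs.enableXfa`; the post abbreviates it. The sample file contents are constructed, and the assumption that Firefox enables both prefs by default when they are absent from the file is labelled in the code.

```python
import re
from typing import Dict, Tuple, Union

PrefValue = Union[bool, int, str]

# Constructed sample of a Firefox prefs.js / user.js. pdfjs.enableScripting is
# already hardened as the post describes; pdfjs.enableXfa is deliberately absent
# so the report has something to flag.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("pdfjs.enableScripting", false);
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("pdfjs.disabled", false);
"""

# Full about:config names (the post abbreviates the second one to `enableXfa`).
# The value paired with each name is the default assumed when the pref is not
# written to the file; "both enabled by default" is an assumption about current
# Firefox builds, not something this script verifies.
HARDENING_PREFS: Dict[str, bool] = {
    "pdfjs.enableScripting": True,
    "pdfjs.enableXfa": True,
}

# user_pref("name", value);  where value is true/false, an integer or a quoted string
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def _parse_value(raw: str) -> PrefValue:
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return int(raw)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref() lines; a later line for the same name overrides an earlier one."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        match = _PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = _parse_value(match.group(2))
    return prefs


def pdf_hardening_report(prefs: Dict[str, PrefValue]) -> Dict[str, Tuple[PrefValue, bool]]:
    """Map each hardening pref to (effective value, hardened?).

    A pref missing from the file takes the assumed default, which is why an
    unset pdfjs.enableXfa is reported as not hardened rather than as unknown.
    """
    report: Dict[str, Tuple[PrefValue, bool]] = {}
    for name, default in HARDENING_PREFS.items():
        effective = prefs.get(name, default)
        report[name] = (effective, effective is False)
    return report


def is_hardened(prefs: Dict[str, PrefValue]) -> bool:
    return all(ok for _, ok in pdf_hardening_report(prefs).values())


if __name__ == "__main__":
    for name, (value, ok) in pdf_hardening_report(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{name} = {value!r}: {'hardened' if ok else 'NOT hardened'}")
```

To check a real machine, read `prefs.js` from the profile directory into `parse_prefs()`; Firefox rewrites that file when it exits, so close the browser first if you want the current values rather than the ones saved at the last shutdown.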

3 hours ago, aaradorn said:

Really interested to see how this happened. Social hacking? Spear-phishing? Exploit in YouTube? Used an editor account?

In the video Linus said someone on their team downloaded malware from a fake/malicious sponsorship offer.

An easy way to protect yourself against such attacks is to use a virtual machine dedicated to opening files from those sponsorship offers and nothing else.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

3 minutes ago, TechlessBro said:

Not if the VM has logged into YT.

As I said, the VM has to be dedicated to opening those files and nothing else.

Also, it would be better if the OS image is a live CD, just in case there is malware that is undetected and lingers.


Sounds like role (sales, content creation/upload, design, writing) based systems, or VMs, may be in order to prevent this from happening at this scale in the future unless another way of preventing this attack is found. It would be nice if YouTube/Google were to allow an account holder to disable the session-based tokens, or severely limit the actions that can be done when authenticated with such a token.


3 minutes ago, TechlessBro said:

How would you detect it? No AV finds it.

With time they will.

It's a cat and mouse game.

5 minutes ago, TechlessBro said:

It still has to be transferred to the network for the rest of the teams at some point.

With VMware you can transfer it through the network to the host and then drag it to the VM, and the file would transfer to the VM.


4 minutes ago, CotrolNode said:

Sounds like role (sales, content creation/upload, design, writing) based systems, or VMs, may be in order to prevent this from happening at this scale in the future

Or they could use both to harden their security.


If this happens due to a browser attack, you can also use a sandbox browser.

(you can read your mails there to protect against malicious attachments)

 


38 minutes ago, TechlessBro said:

With URL shorteners and redirects that home-made tech doesn't work well anymore. The code can be downloaded by the first download that was only a link in the email. Even downloads can be in parts and in different code languages.

 

These things move fast now and the techniques change monthly.

The current one is JavaScript in PDF, so it needs to be patched fast.

 

Maybe we’ll get a future video with all the patching and reviewed AV settings etc. as well as some mention of process and access changes.

 

 

Yeah, I know that attachment filtering can be bypassed via links. That was not the point of my post.

I was just saying that I made a solution for classifying attachments based on their potential maliciousness for all common file types, that can be used on a general Windows computer with Office and some other default tools installed.


2 minutes ago, TechlessBro said:

Exactly, cat and mouse with a fixed solution like a VM.

The host still has to copy it to the server/network.

It just adds complexity and more attack surface of a VM etc. and no actual protection.

 

Or they could have an e-mail account dedicated to this; then the attachments would be sent by e-mail to that account, and they'd log in to the dedicated e-mail account from the VM.


Just now, TechlessBro said:

Yeah and 5-10 years ago that would have done something.

 

You just strip and rebuild attachments in the cloud email service now.

Why filter when you can just remove any active content outside your network.

Because it is a way more complex process to rebuild attachments with active elements removed than just to identify those elements. I bet most cloud services are not even capable of removing or detecting all possible active (or non-active, but also dangerous) ways that exist in typical file types. It is like identifying a PNG from its header magic bytes or reading and altering it. If all cloud filters did this work great, we would not see such an amount of attacks by just attachments today.

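The "identify rather than rebuild" approach discussed above (and the "JavaScript in PDF" point earlier in the thread), as an added example that is not code from any poster: a small attachment triage that checks the claimed extension against the file's leading magic bytes and, for PDFs, looks for the name objects that introduce scripting or auto-run actions. It decodes PDF `#xx` name escapes first, because a byte-level grep that does not is trivially blind to `/J#61vaScript`. The sample attachments are constructed byte strings, not real files, and the check is a triage heuristic only: names inside compressed object streams are invisible to it, which is exactly why a real CDR product has to parse the object structure.

```python
import re
from typing import Dict, List, Optional

# Well-known leading byte signatures ("magic") for common attachment types.
MAGIC: Dict[str, bytes] = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
}
MAGIC["docx"] = MAGIC["xlsx"] = MAGIC["zip"]  # OOXML documents are ZIP containers

# PDF name objects that introduce scripting, auto-run actions or embedded payloads.
ACTIVE_PDF_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/XFA", b"/EmbeddedFile"]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_pdf_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /J#61vaScript is seen as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def extension_matches_magic(filename: str, data: bytes) -> Optional[bool]:
    """True/False when the claimed extension has a known signature; None when we cannot judge."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    signature = MAGIC.get(ext)
    if signature is None:
        return None
    return data.startswith(signature)


def pdf_active_content(data: bytes) -> List[str]:
    normalized = normalize_pdf_names(data)
    found = []
    for name in ACTIVE_PDF_NAMES:
        # A PDF name ends at the first delimiter, so /JS must not match a longer name.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9_])", normalized):
            found.append(name.decode())
    return sorted(found)


def triage(filename: str, data: bytes) -> Dict[str, object]:
    findings: List[str] = []
    notes: List[str] = []
    if extension_matches_magic(filename, data) is False:
        findings.append("extension does not match the file signature")
    if data.startswith(MAGIC["exe"]):
        findings.append("Windows executable (MZ header)")
    if data.startswith(MAGIC["pdf"]):
        names = pdf_active_content(data)
        if names:
            findings.append("PDF active content: " + ", ".join(names))
        if b"/ObjStm" in data:
            # Dictionaries inside object streams are compressed; a byte scan cannot see them.
            notes.append("PDF uses object streams; names inside them are not visible to this scan")
    return {"filename": filename, "findings": findings, "notes": notes,
            "risk": "high" if findings else "low"}


# Constructed sample attachments (byte strings made up for this example, not real files).
SAMPLES: Dict[str, bytes] = {
    # PDF with an auto-run action whose JavaScript name is hex-escaped
    "offer.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                  b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n%%EOF\n"),
    # MZ header behind a document extension
    "brief.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "clean.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        result = triage(fname, blob)
        print(f"{fname}: {result['risk']} {result['findings']} {result['notes']}")
```

The point of the `normalize_pdf_names()` step is the general lesson: any classifier that works on raw bytes has to canonicalize the format's own escaping before matching, or the classification is only as good as the least careful encoding of the name.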

6 minutes ago, s3r4pH said:

If this happens due to a browser attack, you can also use a sandbox browser.

I noticed that in Safari in incognito mode every tab is sandboxed.


1 minute ago, TechlessBro said:

There are a few that do it very well. One still has 100% success and the USA government etc. use it.

Also, they sandbox the attachments and downloads as well.

I bet my ass off that I will get code through those systems. 100% success is a sales number? Nobody believes 100% in a detection system. If you are using a whitelist and only talking about a small number of file types that will be accepted by the mail system at all, okay. But with as many possibilities as a basic Windows install, no way.


1 minute ago, Vishera said:

I noticed that in Safari in incognito mode every tab is sandboxed.

Yes. But I would recommend a service like Browserling. Such providers basically stream from their browser to your browser. It is like VNC.


I think the following might happen as well:

LTT new company policy for computer safety: Control Panel -> Folder Options -> View -> ☑ Hide extensions for known file types

Set to: ☐ Hide extensions for known file types

-------

This is what I do on all my machines/devices, as there is no reason for the file extension to be hidden at all; it makes finding/detecting malicious files also a lot easier.

CPU: Ryzen 9 5900X | GPU: ASUS Strix LC RX 6800 XT | Motherboard: ASUS Crosshair Formula VIII | Memory: CMW32GX4M2Z3600C18 | SSD: Samsung 980 PRO 1TB | PSU: Corsair RM850x 850W | CPU cooler: be quiet! PURE LOOP 360mm | Case: Thermaltake Core X71 | HDD: 2TB and 6TB HDD | Front IO: LG Blu-ray drive & 3.5" card reader (through a 5.25" to 3.5" bay) | OS: Windows 10 PRO

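Why the "Hide extensions for known file types" setting matters for spotting a bad attachment, as an added example (not code from the poster or the forum): it models what Explorer shows for a filename with the option on and off and flags names whose real type is executable while the displayed name looks like a document. The extension sets are a constructed subset for illustration, not the full registry; the `ALWAYS_HIDDEN` set reflects the known Explorer behaviour that shortcut (`.lnk`) and `.url` files never show their extension even when the option is off, which is why turning the option off helps but does not settle the matter on its own.

```python
from typing import List, Tuple

# Representative subset of extensions Explorer treats as "known" and hides when the
# option is enabled (constructed list for this example, not the full registry).
KNOWN_EXTENSIONS = {"pdf", "docx", "xlsx", "txt", "png", "jpg", "exe", "scr", "bat",
                    "cmd", "js", "vbs", "com", "msi", "hta", "lnk", "url"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "cmd", "js", "vbs", "com", "msi", "hta", "lnk"}
DOCUMENT_EXTENSIONS = {"pdf", "docx", "xlsx", "txt", "png", "jpg"}
# File types whose extension Explorer never shows, regardless of the option.
ALWAYS_HIDDEN = {"lnk", "url"}


def real_extension(name: str) -> str:
    """The extension the OS actually dispatches on: everything after the last dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def displayed_name(name: str, hide_known_extensions: bool = True) -> str:
    """What Explorer shows for `name` under the given setting."""
    ext = real_extension(name)
    if ext and (ext in ALWAYS_HIDDEN or (hide_known_extensions and ext in KNOWN_EXTENSIONS)):
        return name[: -(len(ext) + 1)]
    return name


def is_deceptive(name: str, hide_known_extensions: bool = True) -> bool:
    """True when the real type is executable but the shown name ends in a document extension."""
    shown = displayed_name(name, hide_known_extensions)
    return (real_extension(name) in EXECUTABLE_EXTENSIONS
            and real_extension(shown) in DOCUMENT_EXTENSIONS)


def audit(names: List[str], hide_known_extensions: bool = True) -> List[Tuple[str, str, bool]]:
    """(real name, displayed name, deceptive?) for each entry of a directory listing."""
    return [(n, displayed_name(n, hide_known_extensions), is_deceptive(n, hide_known_extensions))
            for n in names]


# Constructed sample listing of a downloads folder.
SAMPLE_NAMES = ["offer.pdf", "invoice.pdf.exe", "report.pdf.lnk", "setup.exe", "photo.jpg.scr"]

if __name__ == "__main__":
    for setting in (True, False):
        print(f"hide known extensions = {setting}")
        for real, shown, bad in audit(SAMPLE_NAMES, setting):
            print(f"  {real:18} shown as {shown:18} {'DECEPTIVE' if bad else ''}")
```

The per-user registry value behind the checkbox is `HideFileExt` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` (0 = show extensions), which is what a company policy would set centrally rather than asking each person to click through Folder Options.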

2 minutes ago, darknessblade said:

I think the following might happen as well:

LTT new company policy for computer safety: Control Panel -> Folder Options -> View -> ☑ Hide extensions for known file types

Set to: ☐ Hide extensions for known file types

-------

This is what I do on all my machines/devices, as there is no reason for the file extension to be hidden at all; it makes finding/detecting malicious files also a lot easier.

Yes, this Microsoft "feature" caused problems for decades 😂


1. Linus is so tired he spells the Dbrand discount code "FIVEFOOTONE" as "FIVEFOOTOWNE".

 

2. I'm moving that delivery of LTTstore.com underpants onto a lower shelf in the warehouse so Linus can reach them. 


The most protection you can get for the least effort is phishing training.

 

If you don't already have a system or one in mind: KnowBe4 is the one we deploy and it's pretty neat.


I don't really know how often something like opening a PDF and nothing happening occurs with you guys when you receive offers; however, the fact that you would just go about your day like nothing happened (especially when operating a multi-million-dollar business) makes you guys, or whoever did this, seem not that tech savvy, more like a regular Joe.


It is always better to go with a Linux kernel. You can configure ptrace. The ptrace() system call provides a means by which one process can observe and control the execution of another process and examine and modify its memory and registers.

Maybe you can run it in a VM.


I think it's funny that a while ago in a TikTok hacks video they doctored some screenshots of the Gamers Nexus Twitter, causing Steve to panic and change passwords in a rush... but when LTT got compromised, Steve was the one to inform Linus of the real ongoing attack.

 

Is it karma? Irony? Coincidence?

Edited by T3cube
Spelling is hard

I NEVER talk about work online because... well... it's work.
BUT, the company I work at has a solution to the exact issue you described of employees opening malicious files without training, and honestly it is working great.
Not gonna say my company name because I'm not interested in publicity and whatever, but the term you should be looking for is CDR.

 
