
My Channel Was Deleted Last Night.

CPotter
29 minutes ago, s3r4pH said:

Yes, this Microsoft "feature" has caused problems for decades 😂

This THIOJOE video explains the issue around it quite well.


2 minutes ago, earthman06 said:

I NEVER talk about work online because... well... it's work.
BUT the company I work at has a solution to the exact issue you described, of employees opening malicious files without training, and honestly it is working great.
Not gonna say my company's name because I'm not interested in publicity and whatever, but the term you should be looking for is CDR.


I've never heard of CDR. What does it stand for? Can you explain further?


2 minutes ago, darknessblade said:

This THIOJOE video explains the issue around it quite well.


Yes, I've known about this issue since 2003 or something like that. Microsoft has made me angry so many times 🙂


Wow... no matter who you are, you are at risk of an attack.


Interesting that you were able to get this resolved. That takes a lot of skill; props to Linus!


Even if they limit the number of videos you can delete per request, or the number of changes you can make at a single point in time, you can still write a small Python script that performs the same operations in a few seconds just by adding a delay between each request. A standard delay is around 300 ms, up to 1 second, so it won't trigger DDoS detection, if there is any.


Keeping the session alive is extremely easy; you don't even need the credentials. You just send a refresh-token request to the authentication endpoint and continue doing whatever you want, until you request invalidation of the session from the same endpoint.

Another feature that some systems use on top of location detection is token origin detection. It basically identifies whether you are human or not, and it is used together with location detection. In the case of session hijacking, which you experienced, it can be used to determine which account was compromised. The way it works is that each client is assigned a unique ID that has nothing in common with your credentials or the session you have open; its sole purpose is to identify the device.

How can you protect yourself from such a thing in the first place? Zero trust policy! What this means is that you can access work resources only from inside the work space, either through a VPN, a secure proxy, authentication certificates, or a combination of these. Everywhere else, you need to authenticate with 2FA and identify who you are, and even then you don't have access to all resources, just the part that is read-only.

Another layer of protection would be scanning clients on the users' machines (McAfee, Carbon Black or others) that perform a sanity check and compare the state of the system with a remote virtual one that is in a healthy state, thus catching it in the act when something goes off the rails.

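The two server-side controls the post above describes, a limit that a politely paced script cannot sidestep and a session that is tied to the device that opened it, as an added Python example. This is not YouTube's, Google's or LMG's code; the limits, the "device id" value (assumed to be something the client presents on every request, unrelated to the credentials or the session id) and the simulated clock are illustrative.

```python
import secrets
from collections import defaultdict, deque


class VelocityLimiter:
    """Sliding-window budgets per key, e.g. per channel or per session.

    A single burst limit (N requests per second) is defeated by a script that
    sleeps 300 ms between calls; a second, longer window (N destructive
    operations per hour) is not, because the paced script still spends it.
    """

    def __init__(self, limits):
        # limits: list of (max_events, window_seconds), e.g. [(5, 1), (20, 3600)]
        self.limits = limits
        self.longest = max(window for _, window in limits)
        self.events = defaultdict(deque)   # key -> timestamps of allowed events

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.longest:   # forget events outside every window
            q.popleft()
        for max_events, window in self.limits:
            if sum(1 for t in q if now - t <= window) >= max_events:
                return False                       # denied requests are not recorded
        q.append(now)
        return True


class SessionStore:
    """Server-side sessions bound to the device id presented at login.

    The thread post above calls this "token origin detection": the device id
    is unrelated to the credentials and the session id; it only identifies
    the client that opened the session.
    """

    def __init__(self):
        self.sessions = {}   # session id -> {"user": ..., "device": ...}

    def login(self, user, device_id):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "device": device_id}
        return sid

    def refresh(self, sid, device_id):
        """Extend the session; a device mismatch revokes it instead.

        A hijacker can otherwise keep a session alive with refresh calls
        alone. Binding refresh to the device turns that refresh into the
        event that ends the session.
        """
        rec = self.sessions.get(sid)
        if rec is None:
            return False
        if rec["device"] != device_id:
            del self.sessions[sid]
            return False
        return True

    def is_valid(self, sid):
        return sid in self.sessions


def simulate_paced_deletes(limiter, key, count, spacing_s):
    """Replay `count` delete requests `spacing_s` apart on a simulated clock
    and return how many the limiter let through."""
    return sum(1 for i in range(count) if limiter.allow(key, now=i * spacing_s))


if __name__ == "__main__":
    # Constructed scenario: 5 deletes/s burst limit plus a 20 deletes/hour budget.
    limiter = VelocityLimiter([(5, 1), (20, 3600)])
    print(simulate_paced_deletes(limiter, "channel:demo", 200, 0.3))   # 20, not 200

    store = SessionStore()
    sid = store.login("editor", device_id="laptop-A")
    print(store.refresh(sid, "laptop-A"))        # True: same device
    print(store.refresh(sid, "attacker-box"))    # False: replayed cookie, session revoked
    print(store.is_valid(sid))                   # False
```

The 300 ms pacing never trips the per-second limit (at most four requests fall inside any one-second window), which is exactly the bypass described above; the hourly budget still caps the damage at 20 deletions, and the first refresh from the wrong device ends the hijacked session rather than extending it.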

14 minutes ago, GodAtum said:

Why no antivirus??

I think everyone uses AV software. The best way to get rid of these attacks is to use a VM. In this VM you should use the browser either only for accessing your "work", like YouTube, or for opening mails and accessing other sites that may be harmful. When completely separated and using a VPN, you should be pretty safe.


2 minutes ago, s3r4pH said:

I think everyone uses AV software. The best way to get rid of these attacks is to use a VM. In this VM you should use the browser either only for accessing your "work", like YouTube, or for opening mails and accessing other sites that may be harmful. When completely separated and using a VPN, you should be pretty safe.

But surely AV would stop the malware that hijacked the cookies?


1 minute ago, GodAtum said:

But surely Av would stop the malware that hijacked the cookies?

Yes, it should, but you are never safe against zero-day exploits at all. This is why you can sell these holes on the deep web for a good amount of cash.


Hey,


I would like to discuss some software that could have saved you some pain. Did you ever hear about SSL inspection and crowdsourced IP blocking?

In a network of the size your business runs on, you should consider working in a secured infrastructure. And it's something for really interesting content. I don't sell anything, I'm just an enthusiast. LoL


Coming soon: LTT dressing gown to spare the editors! (Actually, I think you might say robe in North America? Not sure.)


OK, I searched for CDR and I think it is very cool.

Data Sanitization Service

Advanced threats are constantly evolving to find ways around traditional signature-based and reputation-based security prevention measures.

Content Disarm & Reconstruction (CDR) strips all active content from files in real time, creating a flat, sanitized file. All active content is treated as suspect and removed. CDR processes all incoming files, deconstructs them, and removes all elements that do not match firewall policies. CDR can fortify your zero-day file protection strategy by proactively removing any possibility of malicious content in your files.

But I think it is very expensive.

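What "deconstruct, strip active content, reconstruct" looks like for one file format, added here as an example and not taken from any vendor's CDR product: an Office Open XML document is a zip of XML parts, so a macro-enabled document can be disarmed by dropping the VBA part and the entries that reference it, then re-packing. The sample document is constructed inline and is not a real Office file; a production CDR engine also handles embedded OLE objects, DDE fields, external links, PDF JavaScript and many other formats.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = ("application/vnd.openxmlformats-officedocument."
              "wordprocessingml.document.main+xml")
XML_DECL = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'


def sanitize_content_types(data):
    """Drop the VBA content-type entry and demote the macro-enabled main part."""
    ET.register_namespace("", CT_NS)          # serialise with a default xmlns
    root = ET.fromstring(data)
    for el in list(root):
        if el.tag != "{%s}Override" % CT_NS:
            continue
        ctype = el.get("ContentType", "")
        if "vbaProject" in ctype:
            root.remove(el)                   # the part is gone, so is its declaration
        elif ctype == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)  # .docm main part -> .docx main part
    return XML_DECL + ET.tostring(root)


def sanitize_rels(data):
    """Remove relationships that point at the VBA project."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(data)
    for el in list(root):
        if el.tag == "{%s}Relationship" % REL_NS and el.get("Type", "").endswith("/vbaProject"):
            root.remove(el)
    return XML_DECL + ET.tostring(root)


def disarm_docm(docm):
    """Rebuild the package without its active content; returns the new bytes."""
    src = zipfile.ZipFile(io.BytesIO(docm))
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for info in src.infolist():
            name = info.filename
            if "vbaProject" in name or "vbaData" in name:
                continue                          # the macro parts themselves
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = sanitize_content_types(data)
            elif name.endswith(".rels"):
                data = sanitize_rels(data)
            out.writestr(name, data)              # every other part is re-written as-is
    return out_buf.getvalue()


def part_names(package):
    return set(zipfile.ZipFile(io.BytesIO(package)).namelist())


def read_part(package, name):
    return zipfile.ZipFile(io.BytesIO(package)).read(name).decode("utf-8")


def build_sample_docm():
    """Constructed stand-in for a macro-enabled .docm (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="%s">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="%s"/>'
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>') % (CT_NS, MACRO_MAIN))
        z.writestr("word/_rels/document.xml.rels", (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/'
            '2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>') % REL_NS)
        z.writestr("word/document.xml", "<document>Q4 sponsor deck</document>")
        z.writestr("word/styles.xml", "<styles/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stand-in for compiled VBA")
    return buf.getvalue()


if __name__ == "__main__":
    clean = disarm_docm(build_sample_docm())
    print(sorted(part_names(clean)))
    print(read_part(clean, "[Content_Types].xml"))
```

The point of reconstructing rather than scanning is that nothing about the macro's content matters: it is removed because it is active content, not because a signature matched, which is why the vendor text above can claim zero-day coverage for this class of file.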

I am amazed you guys wrote, shot and edited this video within 24 hours. Well done.

Also, I am happy with the mod team here; as @Spotty said, it's a team, but he busted his butt moderating that thread while providing the entire forum with current updates.


5 hours ago, WhiteAirLock said:

I was right; this was probably a fake PDF file.

If you have file extensions enabled, the filename would be something like sponsor.exe.pdf, but if you don't have file extensions enabled, the file would be displayed as sponsor.pdf

Here's how this works: YouTube link

And to be honest, my old Steam account was almost hacked that way, but luckily Valve reacted, notified me about the sudden change of location and logged me out of all devices.

I tried to run a macro named antiAFKkick.ahk, but with file extensions enabled, the file name turned out to be antiAFKkick.exe.ahk

You actually have that backwards: a "sponsor.pdf" file would appear as "sponsor.pdf.exe". Never mind, I watched that video and see how they can be reversed. Interesting!

What's more interesting, though, as a techie person anyway, is that anything showing a file extension is a huge red flag. In the modern era of them always being hidden by default, if you see an extension that looks "normal" there's a 99% chance that it's not.

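A small check for the two filename tricks discussed in the exchange above, added here as an example and not taken from the thread or the linked video. It covers the hidden-extension case ("sponsor.pdf.exe" shown as "sponsor.pdf" when extensions are hidden) and the reversed-name case, which this example assumes is the Unicode right-to-left override (U+202E) trick: the raw name "sponsor.<U+202E>fdp.exe" is drawn as "sponsor.exe.pdf" while the OS still acts on the trailing ".exe". The extension lists are illustrative, not exhaustive.

```python
# Extensions the OS (or an installed script host) will execute when opened.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "lnk", "hta",
                   "js", "jse", "vbs", "vbe", "wsf", "ps1", "ahk"}
# Extensions an attacker wants the victim to *see*.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "jpg", "jpeg", "png", "mp4", "mov", "zip"}
# Unicode bidirectional controls: they change how a name is drawn, not its bytes.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}


def real_extension(name):
    """What the OS acts on: the text after the last dot of the raw string."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def display_form(name):
    """Approximate what a file manager draws: text after U+202E is rendered
    right-to-left, i.e. reversed (other bidi controls are left as-is here)."""
    if "\u202e" not in name:
        return name
    head, tail = name.split("\u202e", 1)
    return head + tail[::-1]


def analyze(name):
    """Return findings for one filename; 'suspicious' is True if any fired."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi control character in filename (shown as %r)" % display_form(name))
    ext = real_extension(name)
    parts = name.lower().split(".")
    if ext in EXECUTABLE_EXTS and len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        findings.append("double extension: looks like .%s, runs as .%s" % (parts[-2], ext))
    elif ext in EXECUTABLE_EXTS:
        findings.append("executable type .%s" % ext)
    return {"name": name, "real_extension": ext, "suspicious": bool(findings), "findings": findings}


def scan(names):
    """Analyse a batch and return only the suspicious ones."""
    return [r for r in (analyze(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample names (the third contains the U+202E override).
    samples = ["sponsor.pdf", "sponsor.pdf.exe", "sponsor.\u202efdp.exe", "antiAFKkick.exe.ahk"]
    for r in scan(samples):
        print(r["name"].encode("unicode_escape").decode(), r["real_extension"], r["findings"])
```

Run over an incoming-files directory listing or a mail gateway's attachment names, this catches both spellings of the trick: the raw extension is always taken from the last dot of the unrendered string, and the presence of any bidi control in a filename is itself reported, since there is no legitimate reason for one in a sponsor's PDF.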

5 minutes ago, Kid.Lazer said:

You actually have that backwards, a "sponsor.pdf" file would appear as "sponsor.pdf.exe".

Watch the video they posted a link to.


2 minutes ago, Spotty said:

Watch the video they posted a link to.

Yeah, I already did that. 🙂


A better solution would be using a sandboxed environment for YouTube uploads and mounting a local drive to that environment/VM.


Just now, Harsha Vardhan said:

A better solution would be using a sandboxed environment for YouTube uploads and mounting a local drive to that environment/VM.

If you isolate/sandbox the system that is uploading videos to YouTube, then it only stops them from hijacking the YouTube channel. The computer that the malware was on would potentially still expose other sensitive data and accounts. It would make more sense to isolate/sandbox the system that is downloading files from potentially unknown sources; that way, even if the system is infected, it doesn't have access to any other data or accounts.


6 hours ago, tartan said:

How many times do you think Linus had the heart-dropping feeling last night?

precisely 22.879


Does Linus Media Group not have cyber incident insurance to cover this type of thing? I have no idea how much AdSense money was lost from the outage, but I can't imagine it's negligible. It seems a little brave, given the size of the company, not to insure yourself against hacks and such.

There are a lot of providers out there, and a lot of them will provide their own training material and tests for your employees, where employees passing the tests earns discounts on the monthly premium.


Really thinking about it, there are easy security features that you'd think should be in place that aren't; it kind of makes you wonder why they aren't a thing and what is more important to YouTube.


4 hours ago, DrHax34 said:

I'm pretty sure you can't use external IdPs with a YouTube account. If you can, there are more alternatives apart from Okta, like Azure AD, Auth0, etc.

Sincerely, I don't know about YouTube, but maybe the application they are using for the content creators has some external IdP feature. In any case, they can use it to secure G Suite and more apps.

In any case, the actual solutions are Okta Workforce, Auth0 (more for B2C applications, and it's an Okta product now), Azure AD and Ping Identity (of course there are others, but I'm talking about the most famous ones and the Gartner reviews).

All depends on what you need.


When changing a password, why isn't there an option to log out of all current sessions? It would basically force all session tokens to be invalid and stop this dead in its tracks.

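One way to get the "log out of all current sessions" behaviour the question above asks for, as an added example that is not Google's or YouTube's implementation: every token carries the user's current session version, and a password change or an explicit "log out everywhere" bumps that version, so each token issued before it fails verification without the server having to find and delete them. The token format, the demo secret and the user record are assumptions, and the password hashing is a placeholder.

```python
import base64
import hashlib
import hmac
import json
import time


class AuthServer:
    """Signed bearer tokens that embed the user's current session version."""

    def __init__(self, secret):
        self.secret = secret
        self.users = {}   # username -> {"pw": hash, "session_version": int}

    # ---- account management -------------------------------------------------
    def register(self, user, password):
        self.users[user] = {"pw": self._hash(password), "session_version": 1}

    def change_password(self, user, old, new, revoke_sessions=True):
        """Return True on success. With revoke_sessions=False the change leaves
        every existing token valid, which is the gap the question is about."""
        rec = self.users[user]
        if not hmac.compare_digest(rec["pw"], self._hash(old)):
            return False
        rec["pw"] = self._hash(new)
        if revoke_sessions:
            rec["session_version"] += 1      # every outstanding token now fails
        return True

    def logout_everywhere(self, user):
        self.users[user]["session_version"] += 1

    # ---- tokens -------------------------------------------------------------
    def issue_token(self, user, password, ttl=86400, now=None):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], self._hash(password)):
            return None
        payload = {"sub": user, "sv": rec["session_version"],
                   "exp": int(now if now is not None else time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        return body + "." + self._sign(body)

    def verify_token(self, token, now=None):
        """Return the username for a valid token, else None."""
        if "." not in token:
            return None
        body, sig = token.split(".", 1)
        if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            return None                        # forged or tampered
        try:
            payload = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None
        rec = self.users.get(payload.get("sub"))
        if rec is None or payload.get("sv") != rec["session_version"]:
            return None                        # revoked by password change / logout-all
        if payload.get("exp", 0) < (now if now is not None else time.time()):
            return None                        # expired
        return payload["sub"]

    def _sign(self, body):
        return hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _hash(password):
        # Placeholder: a real deployment uses a slow, salted hash (argon2/bcrypt/scrypt).
        return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    srv = AuthServer(secret=b"demo-secret-not-for-production")
    srv.register("editor", "hunter2")
    stolen = srv.issue_token("editor", "hunter2")     # the cookie the malware copied
    print(srv.verify_token(stolen))                   # editor
    srv.change_password("editor", "hunter2", "correct horse", revoke_sessions=False)
    print(srv.verify_token(stolen))                   # editor: password change alone changed nothing
    srv.change_password("editor", "correct horse", "battery staple")
    print(srv.verify_token(stolen))                   # None: version bumped, token dead
```

The version check is what makes the password change matter to an attacker who never needed the password: the stolen cookie is cryptographically fine, it simply refers to a session generation that no longer exists. The same counter serves a "log out everywhere" button and a "sessions revoked by support" action.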

Zipped malware can slip through mail filters, but a good anti-malware tool on the endpoint should have caught that crap once triggered. Anyone know what was running on the endpoint?


Points that might be interesting or helpful (obviously it would have been better if I'd posted this last week):

1) We use Panda Systems Management security software that does not allow you to run any software that is not on the approved list; even if you unwittingly download an innocent-looking file that turns out not to be innocent, it will get blocked and your tech team gets notified.

2) Outgoing firewall with rules that a) automatically update and b) include known sites and addresses involved in malware, so that the outgoing traffic can be blocked. You're never going to block 100% of everything, but any improvement is an improvement; or, better still, some form of ML-based rules that understand where you normally connect to and raise an alert for out-of-the-ordinary traffic. Something like this https://shop.opnsense.com/product/etpro-telemetry/ might be a good place to start (not affiliated).

3) That was very brave, knowing your systems were compromised, yet not putting pants on first! Not sure if your home surveillance has remote access that uses session IDs like YouTube, but you could have got more videos back on YouTube than you were expecting...

Hope the rest of the process goes well.

C

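The "learn where you normally connect to and alert on out-of-the-ordinary traffic" idea from point 2 above, added here as an example and not Panda's, OPNsense's or ET Pro's logic: a baseline of destinations per host is learned from a window of outbound firewall logs, and later traffic is flagged when it goes to a never-seen destination, a new port on a known one, a blocklisted address, or moves an unusually large amount of data outbound. The log format, the sample lines (documentation IP ranges) and the blocklist are constructed for the demo; a real deployment would feed it the firewall's own export and a threat-intel feed.

```python
from collections import defaultdict

# Constructed firewall log lines: "<ts> <src_host> <dst_ip>:<dst_port> <bytes_out>"
BASELINE_LOG = """\
2023-03-20T09:00:01 edit-pc-3 198.51.100.10:443 1200
2023-03-20T09:00:05 edit-pc-3 198.51.100.10:443 800
2023-03-20T09:01:10 edit-pc-3 192.0.2.20:443 2300
2023-03-20T09:05:00 edit-pc-3 10.0.0.5:445 4096
2023-03-21T10:00:01 edit-pc-3 198.51.100.10:443 1500
2023-03-21T10:02:11 edit-pc-3 192.0.2.20:443 700
"""

LATER_LOG = """\
2023-03-23T14:00:01 edit-pc-3 198.51.100.10:443 900
2023-03-23T14:00:09 edit-pc-3 203.0.113.7:443 52000
2023-03-23T14:00:12 edit-pc-3 203.0.113.7:443 610000
2023-03-23T14:00:30 edit-pc-3 10.0.0.5:445 2048
2023-03-23T14:01:00 edit-pc-3 192.0.2.20:8443 300
"""

KNOWN_BAD = {"203.0.113.7"}   # constructed stand-in for an auto-updating blocklist feed


def parse(log):
    """Yield one dict per non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, dst, out = line.split()
        ip, port = dst.rsplit(":", 1)
        yield {"ts": ts, "host": host, "ip": ip, "port": int(port), "bytes": int(out)}


def learn_baseline(log):
    """Per host: the set of (ip, port) destinations seen during the baseline window."""
    seen = defaultdict(set)
    for e in parse(log):
        seen[e["host"]].add((e["ip"], e["port"]))
    return seen


def find_anomalies(baseline, log, blocklist=KNOWN_BAD, big_upload=100_000):
    """Return alerts for lines that leave the host's learned pattern."""
    alerts = []
    for e in parse(log):
        known = baseline.get(e["host"], set())
        known_ips = {ip for ip, _ in known}
        reasons = []
        if e["ip"] in blocklist:
            reasons.append("destination on blocklist")
        if (e["ip"], e["port"]) not in known:
            reasons.append("new port for known destination" if e["ip"] in known_ips
                           else "never-seen destination")
        if e["bytes"] >= big_upload:
            reasons.append("large upload (%d bytes)" % e["bytes"])
        if reasons:
            alerts.append({"ts": e["ts"], "host": e["host"],
                           "dst": "%s:%d" % (e["ip"], e["port"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOG)
    for a in find_anomalies(base, LATER_LOG):
        print(a["ts"], a["host"], a["dst"], "; ".join(a["reasons"]))
```

The blocklist catches what the feed already knows about; the baseline catches the rest, including the case that matters here, a machine that never talks to anything but a handful of services suddenly pushing hundreds of kilobytes to an address it has never contacted. The baseline should be learned from a window you are confident was clean, and re-learned as the machine's legitimate destinations change.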
