The Malware that hacked Linus Tech Tips
Ғылым және технология
Linus Tech Tips recently was hacked by a redline infostealer pdf/scr file in a malicious sponsor email. I myself have been receiving a ton of such fake sponsor emails and in this video we look at the attack process. Get Crowdsec for free: www.crowdsec.net/?mtm_campaig... (sponsor)
Buy the best antivirus: thepcsecuritychannel.com/best...
Join the discussion on Discord: discord.tpsc.tech/
Get your business endpoints tested by us: tpsc.tech/
Contact us for business: thepcsecuritychannel.com/contact
Пікірлер: 3 000
Imagine people who send malicious emails to someone named "The pc security channel"
@chirukun
Жыл бұрын
this is more like a declaration of war
@chosentokill6148
Жыл бұрын
they're getting cocky :D
@Tathanic
Жыл бұрын
Automated
@wlockuz4467
Жыл бұрын
I mean they did it to a channel called "Linus *Tech Tips* " and it clearly worked so why not!
@cedricsonaquevido1565
Жыл бұрын
roll of the dice except its 100 sided
File name extensions needs to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.
@bgill7475
Жыл бұрын
Yeah, it’s strange Windows hides them by default. Makes no sense.
@fusseldieb
Жыл бұрын
The problem is that tech iliterate people rename a file and then accidentally remove the extension. It doesn't highlight the extension by default, but I've seen it happening a couple of times with other ppl.
@bgill7475
Жыл бұрын
@@fusseldieb Windows will warn you though if you try to do this.
@torsten_dev
Жыл бұрын
It's times like this you really appreciate the execute permission bit on Linux.
@FlorinArjocu
Жыл бұрын
There is a solution even for that, the right-to-left writing system. A file named for instance filename.exe.pdf can be actually a .exe if the character announcing the r-to-l is before "exe". I'll try finding the clip with this. I daily drive linux and don't care a lot about these; but on Windows I could have seen myself being fooled by this (not the .scr, as I made a few programs and even screesavers when I was in highschool, many years ago). LE: found it on ThioJoe's channel - kzread.info/dash/bejne/oH2XtK1thsLApsY.html
The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.
@ticenits1926
Жыл бұрын
That and the fact that the domain was Eastern European. The author of this video wants to act like that's totally common and no big deal but it's not. If g fuel is reaching out to you from the Czech Republic you should damn well know better.
@khoroshoorange
Жыл бұрын
Or maybe dont use File Explorer in the First place... Use smth that is more intelligently designed like total Commander
@davidfrischknecht8261
Жыл бұрын
@@khoroshoorange Whatever floats your boat.
@superbasyboy
Жыл бұрын
That's the case in this example, if the PDF was 'alone' in a folder you wouldn't look twice at a .pdf
@Theunicorn2012
Жыл бұрын
The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.
Im going through my security + training and this was an awesome breakdown of a real world scenario! I am definitely a subscriber now.
@prodKossi
Жыл бұрын
Same here, you should check out Professor Messer if you havent already, hes got a free video series on how to pass 💜
I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.
@lolcat69
Жыл бұрын
Facts, that is why I always activate the config to enable that
@MrHendrikje
Жыл бұрын
It's a pain to keep having to turn it on on every single machine I use that is new. I meaninly use it quickly be able to make back up of files so I can just aad .bak to the name or .orig. this onely works if File extension names are enabled.
@CD-vb9fi
Жыл бұрын
That's not even the bad part of all this. MS is now active in keeping you out of some sections of the OS. You don't even know if MS is collecting these tokens or not or for what reason either. I assure you... they can and do if the right people in authority request it. Nothing on a machine is secure.
@DickCheneyXX
Жыл бұрын
That's how you can spot computer literacy at a glance.
@Sierra-Whisky
Жыл бұрын
A file name is just what it is. It doesn't tell anything about its content, just as your name doesn't say anything about your personality. Changing a .xls to .jpg doesn't make it an image, just as changing my name to yours doesn't change my personality to become yours.
Antivirus software (especially Windows Defender) should automatically flag files named .pdf.src or .pdf.exe (stuff similar), because nobody is going to name their documents that way unless they have malicious intentions.
@defnotatroll
Жыл бұрын
It's baffling to me that AVs don't automatically flag these files or warn the user when the scams have been happening since august last year at least
@robertgarrison1738
Жыл бұрын
EDR solutions like Crowdstrike DO this. This is a matter of the Linus team cheaping out on InfoSec tools.
@robertgarrison1738
Жыл бұрын
@@kaineuler EDR like CS, CB, or S1 do not care about file size. They monitor every single process/thread/command/execution that's running in realtime, so if it catches something it finds sus (which this absolutely would,) it will catch it, regardless of file size.
@kaineuler
Жыл бұрын
@@robertgarrison1738 I'm talking about windows defender or other basic antivirus.
@robertgarrison1738
Жыл бұрын
@@kaineuler Ah, yeah no, those can't be trusted in 2023 when it comes to proactive monitoring. Those AV's are solely reactive, and by then the damage has already been done. I see this daily at this point in my line of work.
Great discussion. One big thing that was indirectly touched on here - first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior that Windows hides extensions making agreement.pdf.scr look like agreement.pdf is just helping the propogation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.
Great video! It was my first time watching a video from you and as an IT professional transitioning into the cybersecurity field, this was a very informative video! btw, in the scroll history it says "Crowdsack" instead of "CrowSec". Just wanted to let you know. Again great video!
Kudos for defending the employee.. People were so quick to call for him to get fired w/o have an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially at your employment capacity ( ironically, we become less suspicious and more compliant even in security sectors ) vs your personal email. Cheers
@SEMIA123
Жыл бұрын
If you're talking about the fire Colton thing, it's an ancient channel meme, Colton has been "fired" hundreds of times. Colton gets blamed for everything and this time it might actually have been him so the meme came back hard. He won't go anywhere though, dudes been there since day 2.
@jacquesfaba55
Жыл бұрын
I agree, it’s Linus’ fault here for making his employees use Windows
@MrHendrikje
Жыл бұрын
A company I worked for was hacked due to a security flaw that was introduced in a Microsoft Exchange Server update.. when it was brought to light he quickly rolled back but by then it was already too late and got hacked around the time people were looking for chocolate eggs a certain bunny had been littering.
@anxiousearth680
Жыл бұрын
@@SEMIA123 Yeah lol. When I found out, that was my first thought. "Oh well, Colton's getting fired for the 22nd time I guess." Especially ironic considering the origin of that meme includes iirc him almost getting the channel banned or something and then getting 'fired'.
@Wr41thgu4rd
Жыл бұрын
@@jacquesfaba55 He should probably keep people who have access to anything even remotely import to only those who terminally live inside a computer. Having Windows is not an excuse to fall for a phishing attack. The only excuse is incompetence. Not opening an executable through email is like computer literacy 101.
the person who's job it is to respond to these could also use a machine that doesnt have channel credentials used specifically for answering sponsorship emails as an additional layer of protection from something like this happening
@o-hogameplay185
Жыл бұрын
exactly. i dont dont do anything like working with sponsors or anything, but last year in the university we had a homework in java programming (basically a game) and our teachers being lazy, we had to grade each others code (everyone gets 5 random people's code). and i specifically set up a vm in case anyone would put malware into it (you would think "oh, they are not stupid to put malware in it, just think about the backlash" but no. seeing how many programming students fall for free dc nitro scams, i will not take a risk)
@MAST
Жыл бұрын
Maybe that person manage youtube videos, thumbnails, tags, descriptions, tags etc. multiple videos at ones. That kinda apps are most needed. If it was just about editing videos, then they would have done it on an offline machine.
@kkgt6591
Жыл бұрын
Maybe it was Linus himself.
@kmcat
Жыл бұрын
@@Preetzole A Remote Desktop for YT account actions.
@MAST
Жыл бұрын
@@kkgt6591 I don't think Linus do those kind of things, I think he is only directing, managing now and prolly he employs PR, marketing, social scientist something, which prolly knows better what works.
LTT does use permissions but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all devices logged in, but logging out the attackers didn’t log them out. Then he hopped onto the content manager to start revoking rights, but he didn’t set it up and didn’t want to wake up the one that did so had to learn as he went. But KZread’s content manager started throwing errors and timing out trying to revoke rights for some reasons. So he tried logging into some of the users but do to a recent password mitigation, he didn’t have access to some of them yet. Later they found out Google knew which account was compromised but didn’t immediately tell them. Got this from the video they made the days of the attack. They sounded good considering they hadn’t slept in 24 to 48 hours at that point,
A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.
@hammerfist8763
Жыл бұрын
The only extension that matters or is actually an extension, is the last one. I fully agree that better file level security is part of the solution, and that begins with not allowing a file to be named .pdf.scr or .pdf.exe.
@Conserpov
10 ай бұрын
Why would anyone who's not a complete noob use Explorer as a file manager at all, let alone with hidden extensions?
@thepwrtank18
8 ай бұрын
"You are attempting to open an application file with the file extension [.ext] in front of it. Are you sure you want to open this application?" [info of application, name, publisher etc]
An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.
@NelielSugiura
Жыл бұрын
I certainly use it to send stuff to myself to bypass such scanners. But that is from me to me, so I know what is going on... but it is a fairly obvious bypass all around because no AV tool out there can decrypt it (yet) to scan.
@nwerd7584
Жыл бұрын
Thats probably the biggest thing here and 99% of tech channels ignore it, im not sure they even know why scammers use the pw/encryption function in the first place.. Theres no need to ever require this unless you encounter it the way I do. From piracy and trying to download unsigned cracks etc. But scammers also use them when a game first comes out to try and trick the normies, but those are the types that dont want yu to have a pw because theres nothing in it, they want you to do surverys for a non existing password.
@powerpc6037
Жыл бұрын
I agree this is also a giveaway. Any normal company doesn't zip a pdf file so there should be no need to extract it. And even so, a huge zip file to only hold a single pdf file is suspicious. On top of that, even when file extensions are hidden (as the other files didn't show any extension) and this one did show the .pdf extension, you should be aware this won't be the true extension otherwise it was hidden as well so you can be sure there is another extension behind it making the .pdf visible. Also, in an email, look for obvious spelling errors like the first one that was shown: "We are sells energy drinks", this is a dead giveaway this was translated instead of typed and should be treated as suspicious. So Linus (or his staff) made 4 mistakes that led to this tragedy: 1. Ignoring obvious spelling mistakes (if he received such a misspelled email) 2. extracting a huge zip file to get a simple pdf to state an agreement 3. ignoring the huge filesize for a simple pdf 4. running it with a visible file extension when extensions are hidden
@asdfasdf-mn8iu
Жыл бұрын
@@powerpc6037 That the extension is shown despite extensions being hidden was confusing to me as well. Although, if you spend about 30 sec on this file, you might easily miss that.
@towesc
Жыл бұрын
Absolutely, a red flag with a fog horn.
I have always the "File name extensions" enabled, so I don't need to go into properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe
@fusseldieb
Жыл бұрын
That's probably why they did it.
@GYTCommnts
Жыл бұрын
You need to watch a ThioJoe video explaining why file name extensions only it's not bullet proof. To summarize, there is a technique that exploits reverse reading languages to show a different extension at the end. Windows should stop dumbing some things and file extensions should be showed by default, and must be the last thing on a filename NO MATTER WHAT. But for now, it's not the case and it's ridiculous.
@tehjamerz
Жыл бұрын
n00b
@tryanotosehatsantoso8302
Жыл бұрын
@@MANTISxB but the thing is sometime they send video file too... so if you are not carefull seeing the size... you will presume the big file ZIP is came from the vids
@b4ttlemast0r
Жыл бұрын
Yeah, I hate the fact that showing file name extensions is not the default on Windows. Makes it a lot easier to disguise executables as harmless files.
This video is so fantastic, I gasped a few times when you showed the properties and HEX... Good job!
I'm glad you mentioned the fact that the PDF is usually not sent in the initial email, but rather a follow-up email and the fact that many legit companies use third-party PR firms to reach out for sponsorships. After hearing those two facts, it's no wonder someone who works for a big KZread channel would fall for this, especially if they get dozens if not hundreds of legitimate offers every single day with no discernable difference up front. Having a sponsorship manager with complete and total access to the KZread channel was a serious blunder on LMG's behalf though, and the hack would have been mitigated had that not been the case, so I hope they've learned a lesson from that. Imagine being a solo creator dealing with this though. Answering dozens of emails from potential sponsors while also working on your own content. You wouldn't have a buffer from this kind of attack, unlike LMG would.
@aoeGamingAEGIS
Жыл бұрын
step 1: explore & gain trust
Microsoft should really stop this "Hide extension for known file types" thing. That Windows feature is the main attack vector, because it make an executable look like an innocent file.
@guitarszen
Жыл бұрын
They should really stop being a company and putting out that virus, windows.
@PizzaInGame
Жыл бұрын
maybe the reason microsoft create that fituer because for people like us, who know the meaning of extension the hide thing is useless, but for people who doesnt know, mostly they will rename their file wrong (like delete the extension) but i agree with you, they need to update the system like,..they can just show the extension but not editable when rename the file
@robloxfan4271
Жыл бұрын
Agreed
@richarda3659
Жыл бұрын
It's optional, you can turn it off, and it's there because that's how Apple does it. Maybe Microsoft should prohibit changing a file extension by renaming the file, and only allow it in the Properties dialogue. And also, Windows should prevent multiple file extensions when any but the last is an executable file type. So something like ".pdf.old" is permitted, but ".pdf.exe" is prohibited.
@HollywoodCameraWork
Жыл бұрын
@@richarda3659 Of course you can turn it off, but it's on for 99.999% of Windows users. It's the default setting from hell. And no, Mac doesn't do this. Mac has 4-character file types and creator that can't be downloaded from the internet. The risk doesn't exist in the same way on Mac. And Mac notarizes executables. Not even a comparison.
The bit that suprised me was that LTT had a PC with both KZread account access and was used to process incomming offers, I would have thought the two should be kept well apart
@tomatobrush3283
Жыл бұрын
Yea running vmware workstation and opening suspicious emails on a vm can go a long way to protecting your PC, definitely a hassle to maintain though.
@tegneren
Жыл бұрын
They said that sponsored videos are uploaded by the marketing department, so that would be why
@nwerd7584
Жыл бұрын
Linus is barely even at the warehouse unless he has to be in the video.
@johncarter3227
Жыл бұрын
@tegneren but still that doesn't mean that one system should be used to process both stuff. LTT is a large organization and they can afford to have an isolated system to process outside information, before it enters the main server. Anyways they learned it the hardway!
@fabricio4794
Жыл бұрын
This guy (LTT)is an Amateur and Arrogant Rich Boy...nothing than a Microsoft Employee that did a anti-linux rally and then his Secure Windows was Bombed till the ground....
I don't know if this is common for malware, but one thing I found interesting was all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in like 1601.
@AegisHyperon
Жыл бұрын
1601 is the first year of the Gregorian calendar cycle that was active when Windows was designed
@flubnub266
Жыл бұрын
Completely reasonable interpretation, but those aren't the dates of the data, but rather the actual data being interpreted as dates. So because most or all of the data aren't dates, they naturally appear as nonsense when interpreted as such.
Good video. I think it would've been neat if you added a section to these types of videos where you do some sort of sandboxing of the file, to show what it's actually doing. I'm sure you've heard of it, but Any Run is an example of an interactive open sandbox solution to do this in, another is Hybrid Analysis though it doesn't provide interactivity it still shows screenshots and breaks down the activities it performs. It would be neat to get an idea of the scheduled task creations, additional sub process executions, network traffic to threat actor domains and IPs, etc.
I think the „show file extentions“ option should be enabled by default in windows explorer because otherwise if you don‘t look at the properties of the file you would not even notice if a file had a different file extention to what you would expect. Many people have this option disabled because they just never changed it so they could easily fall for such a trap if they don‘t know that much about computers.
@takatamiyagawa5688
Жыл бұрын
I don't know how people function with file extensions off. Sure, there's no guarantee that the contents of the file match the extension, but it seems to be at least an indication of what windows will attempt to do with the file if you open it.
@rusl1rusl
Жыл бұрын
Nowdays hackers use special characters to reverse filename to make it look like a legit file even with „show file extentions“ on
@powerpc6037
Жыл бұрын
Even if file extensions are disabled, you should be able to see there is something wrong. All other files don't have the extension visible and this one did show the .pdf extension, so there should be another extension behind it, making the .pdf visible.
@greatveemon2
Жыл бұрын
anyone doesn't look at the details of the file before clicking nowadays, I guess? I have all my download as in detail view showing off the file type. I've been freaking using this account as old as youtube and i'd never been hacked.
@PeppermintOSC
Жыл бұрын
@@greatveemon2 since 2006?
In the WAN show, Luke said their anti-malware solution did caught the file. But it was only a notification, and the malware was still ran before it can be stopped. (e.g. it was not quarantined in time)
@phir9255
Жыл бұрын
Should've immediately logged out
@deuspax
Жыл бұрын
let's don't blame windows in the most gratuitous way, if feels a malware the OS starts to scream and puts the harmful file in carantine mode, in order to make it work you have to get in security panel and to give the proper rights - which probably the employer did
@flameshana9
Жыл бұрын
How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?
@flameshana9
Жыл бұрын
How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?
@88porpoise
Жыл бұрын
@@flameshana9 I suspect in this case it was identified as suspicious and generated a message but didn't have enough confidence that it was malware to lock it down. You can decide what actions an AV takes on a file given the risk level determined. And they basically said that the number of false positives they would get at the level of security which would have locked down this file would be too large to manage without seriously harming their business (probably far more than the hijacking and one day of outage did). And, yes, every single business (and person) makes the decision to accept some degree of risk in various formats to facilitate operational efficiency. The question is how you balance the two.
They hacked the channel and they didn’t even rename it “Linus Tech Tits,” What a waste.
I watched a few other videos on this topic but idk why your explanation just sticks better in my brain lol
I understand the dangers true scr files also start up just like exe files. But the fact that KZread doesn't have the security in place when they don't ask you to log in again when you change the password or the channel name is baffling to me. Or delete lot off files... crazy
@alouiciouswrex7141
Жыл бұрын
I would assume they could tie the session token to the current IP address, and if the session token is suddenly used by a different IP they cancel all sessions and request signing in again.
@johndododoe1411
Жыл бұрын
@@alouiciouswrex7141That IP check would frequently get overboard when home ISPs and online proxies frequently change peoples public IPs. Same thing happens when facebook sends out an alert after every log in with an updated browser.
@EvanOfTheDarkness
Жыл бұрын
@@alouiciouswrex7141 That would not work with smartphones that go in and out of Wifi range, and use mobilenet when there is no WiFi. The best you could do is time and location. That's why banks invalidate sessions (log you out) after 5-10 minutes of inactivity. Most websites log you out on a device after a week or so. But youtube/google never does it, since if you are not logged in it's harder to mine your data. The worst part is that (when done right) stealing the environment essentially makes this indistinguishable from the original browser, making it a "trusted device".
@alouiciouswrex7141
Жыл бұрын
@@EvanOfTheDarkness Fair point, I hadn't considered mobile devices
@eddielegs344
Жыл бұрын
@@EvanOfTheDarkness or mac adres for mobiel devices
A 770Mb PDF file would be a major red flag. I think the largest genuine PDF file I've ever seen was less than a hundred megabytes and that contained full color images.
@kayvanwonderer
Жыл бұрын
No i have seen 400mb pdfs. You obviously a noob.
@HexRox
Жыл бұрын
The problem with a very fast internet connection is the employee probably didn't get a look how big the file and just automatically check the content after it's done downloading
@meneldal
Жыл бұрын
@@HexRox The file is full of 0s, the zip archive would be actually quite small.
@dismiggo
Жыл бұрын
Even that is small, I would say. I made the yearbook for my class, and that is around 200MB. So I would be careful with blanket statements like that.
@0xD1CE
Жыл бұрын
@@dismiggo A yearbook is different than an agreement form..
Microsoft need to, as others have said, show file extensions by default however, they also need to block .SCR files by default too as well as Defender being a bit more advanced and able to block and warn about files with double extensions, such as .pdf.exe
First "trick" that my friend taught me on my first PC was how to see extensions and how to see hidden files. It's the first thing I do after reinstalling windows.
@jinxterx
Жыл бұрын
Your friend is a true friend.
@Fredaffinity
Жыл бұрын
@@jinxterx Yeah he is a true friend for sure. And this feature saved me several times.
Thio Joe has recently done a couple of videos about this and similar attacks. And for all the people talking about showing file extensions, it turns out there are a few unicode characters that reverse text direction after the character, even the file extension. That will keep you on your toes. And Thio Joe discussed that too.
@hiru92
Жыл бұрын
yes, i saw that video 😁
@richarda3659
Жыл бұрын
Yes, there's some kind of hack involving right-to-left languages.
@serena-yu
Жыл бұрын
Interesting. It's U+202E
@slamscaper128
Жыл бұрын
Pretty sure .scr is one of those superhidden extensions, like .lnk and such. In this case, they didn't need to use that special command.
100% this all ramps down to the fact that even if you're a manager on the channel you can't create community posts. You can upload videos, delete videos, whatever you want. You can't make community posts. You have to be logged in from the "main" account. It's the worst.
@fltfathin
Жыл бұрын
weirdly it can be delegated via API which means if you have the capacity you can "relay" the intent with custom local tool/ web service
@wadimek116
Жыл бұрын
They could use clean virtual machine or server for posting only
@dontaskiwasbored2008
Жыл бұрын
That is 100% not at all what this ramps down to lmao.
@EpicMiniMeatwad
Жыл бұрын
@@dontaskiwasbored2008 True, but cool API fact.
@helloitismetomato
Жыл бұрын
KZread Studio is just *incredibly* poorly designed. It's an absolute disgrace, especially since it took them absolutely forever to create and they had a very lengthy (multi year!) feedback period that they literally did not do anything with. In KZread Studio you either have too little access or way too much access. If you're an editor you can't even edit a playlist (because that can only be done in the main site, and they simply didn't bother to implement in in Studio!) As someone who's been a professional in this space for half my life it's actually OFFENSIVE to me how poorly designed it is. They literally just didn't bother doing it anywhere close to properly. Everything about it fucking sucks ass from the UI to the core functionality.
Channel notification on now , i want to be updated with all these stuffs :D
Thank you for letting me know about the screen saver file extension and how they can run as an application. I didn't know that.
I was patiently waiting for your take on what happened, well delivered!
I feel like at this point, proper security protocols would be to have a separate machine that exists exclusively to open emails and doesn't have access to anything except the email account.
@johndododoe1411
Жыл бұрын
Except that many attackers want control of your recovery e-mail only (in that phase).
@eveleynce
Жыл бұрын
@@johndododoe1411 you can have emails forwarded to an unattached proxy email for this purpose, using something like POP so they're deleted off the first address as soon as they're sent to the second one, then you'd have to intentionally send it BACK to the first email for them to have access to that one
@takatamiyagawa5688
Жыл бұрын
They're running a youtube channel, not a military base.
@luka188
Жыл бұрын
@@takatamiyagawa5688 If your youtube channel is your livelyhood, you may as well go the extra mile to protect it well, because if you lose it, you basically lose everything. At least in case of Linus Tech Tips and bigger channels, it's possible to recover this even after a hack happens, but it takes a lot of effort regardless and taking extra security measures to prevent this kind of thing is very worthwhile.
@nwerd7584
Жыл бұрын
mental outlaw has been saying for months and months if not years to go buy a shitty chrome book and use that to answer the business email.. Whats even worse is a lot of these losers use their personal email to get business emails, which has secured future fuckery. They SHOULD have a email solely for sponsorship offers, and you should only use that email on that latop. Unless you can have a braincapacity above a 5 year old and just not click them. Greed is what makes people fall fr this shit. Being content doesnt leave you with shady business.
Great coverage,thanks for sharing,you explain it very well and this is what people need
There was a virus at our school that uses scr. It got everywhere. If you plug a usb into a computer, it would copy itself to it, then set all your folders to hidden + system, then create lnk files to match the name, set the link target to the malware on the stick, add an autorun.inf file to the stick. Hidden and system meant you wouldn't see the real folders unless you turned on both show hidden files and show system files. Show system files was a bit hidden and it warns you not to do that. A clear giveaway that your usb was infected was that all your folders turned into shortcuts that had that little arrow thing in the corner. I removed the virus from a lot of computers and fixed the usbs of who ever lended me their flash drives.
im not a security specialist, but i spend most of my time on Linux primarily for the lack of tracking but also i generally dont have to worry about any windows based attacks. If i worked for a big YT channel I would certainly use linux for emails and almost anything else that didn't require windows. and if i DID have to use windows, id open a fresh VM just for internet and emails and never log into anything important. Im actually surprised these content creators even use windows, I assumed they all used Macs, since they pretty much all use iphones as well.
@Armand79th
Жыл бұрын
Well, a bunch of amateurs will amateur.
@AkiraElMittico
Жыл бұрын
This is one of the reasons why I'm on Linux 100% since 2007, and never went back to windows, not even for work.
Good thing for them they got it resolved quickly and got support trough their other business ventures to alleviate the lack of adsense when the channel was down. But they definitely have been a bit too lax on their security. Apparently their security software solution was set to a less secure settings due to too many false positives. They really did get to feel how having their policies leaning more towards convenience is a bad idea. That being said, how youtube does not require 2FA for sweeping changes to a channel is down right mind boggling. If you change the channel name and change the status of the majority of your video catalogue there should be some alarm bells ringing no?
@MAProsper
Жыл бұрын
While I agree, there are also issues with having security settings too strict, as they might leed to users circunventing them so they can do their job. Now insted of some security, you have none. So, since they said they couldn't handle the amount of false positive they settle for that. Was it the best idea? No, but they did what they thought was right. It seems that looking forward they should look into how to handle better the false positives or alternatives software suites. That beeing said, as you also said, Google not reauthenticating users attempting to do massive changes on the channel seems like a big mistake on their part.
@mechwarrior83
Жыл бұрын
The fact the Google will allow login from a cookie and then change password + 2FA *without* confirmation from either is downright neglectful.
@Pandaptable
Жыл бұрын
@@mechwarrior83 you clearly do NOT understand how logging in from a cookie works. It's not that google "lets" them. It's that you're essentially just copying how they logged in, and it's the same session in essence.
@rezwhap
Жыл бұрын
@@Pandaptable So confidently incorrect. They could force a reauthentication even with a valid session. Many services do for important changes.
@xX_MC_OvU_PvP_YT_Xx
Жыл бұрын
You sound too invested in them personally.
Good video with some cool insight. Linus explained that only certain people have access to the channel, and even those people have limited access to certain things. Would be a good wake-up call for new protocols or software to prevent something like this from happening again.
@dzenacs2011
Жыл бұрын
New protocol - dont click and open unknown files like you are 7 year old first time using email
I worked for a state company, and they actually had put in place such severe restrictions that did not allow anyone without privilege to open any file except those permitted such as .pdf and word docs. Ontop of it all, the computers were thin clients connected to large array of servers, their sessions were all temporary VM's that would delete its instance after each use, all your files were stored on cloud essentially connected to your user account and constantly scanned, it was the most ridicules security setup I ever seen in my entire life, they also had automated software that scanned files developed in house to check if the files they received on email were proper or not, all happened in the background, I cannot say what state company it was you can probably already tell that stuff like this, is not just any ordinary mom and pops office job. But in hindsight, its not that much work to setup something similar for a small business with virtual machines and auto scanners checking files beforehand or loading files isolated from the system. The funniest thing from that job is how the tech got so tired of trying to fight the spam emails, they designed a DDOS program that would just automatically target the IP source of these spam mails and dedicate a small server just to run that script day and night, it worked but when the boss found out, man he was not happy knowing there was a server using 5kW of power everyday just to reverse uno email spammers LOL, I think they replaced that with an AI which was good enough to detect most of them and filter it out, that was right at the end when I left I never got to look at it because it would be handy to have something like that running in my basement.
Good information. Was kinda hoping for a bit of code breakdown, but this is my first time visiting the channel, so I'm not sure how deep you go. Either way, Thank you for putting such good info and good recommendations out there.
@pcsecuritychannel
Жыл бұрын
There are more in depth videos on the channel. :)
At my company, we've been using a 'viewer' to 'checkout' files and virtually view them. Picture it as a way to look at documents in a secured environment using a remote external viewer. Validated sites been using this almost 25 years now. If things are isolated and viewed indirectly, that would probably halt the brakes on a lot of problems.
best video in this regard- can you make a video about these session tokens?
very cool malware honestly whoever made it was quite smart to make it a large file i also noticed avg programs don't scan larger files and good execution with the email and pdf.scr honestly might have even caught me off guard if i had a youtube channel
Most malware is targeted at Windows, sandboxing public parts of interacting with the world in virtual machine could prevent that
There are also samples that seem to use actual code instead of empty spaces. It appears that these samples consist of a bunch of randomly generated functions that will be called upon launch. However, if you remove them to reduce file size, the program will become corrupted and you won't be able to run it.
I always assumed everyone displayed file extensions. I'm also surprised he uses email on a admin account.
some companies don't allow the download of pdfs from emails in office PCs. Only option is to open in preview mode, click on print and save as pdf.
I always thought that keeping session cookies in plain text on the storage device was a bad idea. The information should be encrypted by the browser.
@bluemeriadoc
Жыл бұрын
or just don't let applications (like screen savers) read any arbitrary data on the disk. especially web browsers
@andresilvasophisma
Жыл бұрын
@@bluemeriadoc BUt you could still read it with regular executable programs.
@rohanjamadagni
Жыл бұрын
Would you be okay entering a password every time you launch the browser?
@bluemeriadoc
Жыл бұрын
@@rohanjamadagni maybe, but it's not necessary. you can leverage the operating system to encrypt based on the computer's password or protect the address space, or both
@rohanjamadagni
Жыл бұрын
@@bluemeriadoc encryption only works when theres a password attached to it. If the browser can launch without needing a password, the hacker can just steal all the app data of the browser and launch it in their system regardless of what the os does. Windows doesn't have strict permission checking for files and even if it did if the program got admin access, it's basically useless. The only way to fix this is to have your whole browser password authenticated, kind of like how password managers are as browser extensions. From a website pov, you should have implemented uuid checking or some hashed hardware Id checking in the cookie, again this should be implemented by browsers as it would be a security risk to allow websites to detect a hw id. Overall, I'd say from a developer perspective these kinds of attacks are really difficult to mitigate without making the ux of the user worse.
Sounds like it's time to sandbox certain functions and create a VM to open attachments and possibly get an antivirus that will scan large files. Also, I don't think it's hard to create a script to do some rudimentary analysis of files to display size, possible padding, extension, etc to alert to a Trojan horse file.
Great video. Would it make any difference if you were to open these files if they're being send through google drive for example? Like the quick view in Gmail? Or would that also be enough to activate it?
Your videos are security education. Fully fledged bytes of security education that are dispersed, unorganized by topic. Just glad you exist bro
Just realised, another red flag is when you see a .PDF extension while you have show extensions disabled.
@takatamiyagawa5688
Жыл бұрын
The sort of person that has file extensions disabled probably isn't paying attention to the end of the file's name,
@Hyxtryx
Жыл бұрын
@@takatamiyagawa5688 And wouldn't think anything of it, even if they did notice it. It's also possible that the person has extensions enabled on their home computer, but disabled on their "LTT work" computer, and missed it because of that. Or maybe it was a new install and somebody forgot to change the setting.
Don't know if it was mentioned here but they did say their antivirus detected the malware but it wasn't fully set up to high enough level to deal with it yet as they were in the process of setting up a bunch of systems too I think
@willwunsche6940
Жыл бұрын
@@asksearchknock that's kind of super out of context though and not what he said. Obviously it makes sense in certain situations. And while it's probably blasphemy to say this on a malware channel I think he's probably right for most average people.
Thanks for the explainations!
the problem is that you should always, ALWAYS make the file extensions visible. in fact this kind of thing is easy to detect. windows can have some sort of a warning for this sort of file names added. so it saves a lot of users from running executables by mistake.
@Gargantura
Жыл бұрын
how do you activate it?
@darthnegativehunter8659
Жыл бұрын
@@Gargantura depends on the version of the windows but a quick google search will give you the answer. i usually do it by control panel and folder options. then there should be a checkbox somewhere to make em visible.
@Gargantura
Жыл бұрын
@@darthnegativehunter8659 aight thanks
I'm going to be honest, if a channel is advising you to "just use virustotal instead of an antivirus" I'd immediately look for their history as a cyber criminal lmao
@YRDY
Жыл бұрын
Yes, It may help criminals more than users..
@aoeGamingAEGIS
Жыл бұрын
never use antivirus, just move linux, lol
@vonKarma1186
Жыл бұрын
@@aoeGamingAEGIS (will only be effective until linux marketshare increases to the point it'll be worth making linux malware, even then i'd still be careful with downloaded files on linux, by lowering your guard you increase your risk of getting hacked by a lot which is why i still triple check downloaded files as a linux user myself)
@chrisdawson1776
Жыл бұрын
@@vonKarma1186🤓
@AttilaAsztalos
Жыл бұрын
Totally DO use an antivirus if you want to throw 95% of your machine's performance away 100% of the time vs. that one time when you should have had the common sense to realize whatever you just downloaded should at least be checked by virustotal.
Imagine it was named: "LinusWare"
@flameshana9
Жыл бұрын
They totally should sell new underwear with that branding on it.
When it comes to emails as a way to sneak malware in your system having good spam filter can help too mostly because emails containing potental malware are automaticaly sent to spam folder and you don't get notified.
Thanks for the explanation. Can't wait to use this example in class.
Great breakdown of the situation. It blows my mind that things like this still work, but it as we see time and time again it: session stealing is very much still a lethal and viable technique. Nice breakdown and hopefully this is a reminder for the tech-oriented user to pay close attention to what they open... All it takes is letting your guard down for a quick moment to get caught by these things, and it really can happen to anyone, even the security-minded user.
@richarda3659
Жыл бұрын
Why aren't the session tokens encrypted and only readable by the issuing web browser, based on the browser's internal ID?
@dealloc
Жыл бұрын
@@richarda3659 Encryption doesn't matter when malware runs on _your_ computer. Where would you store the key? If your OS has access, then malware can find a way to gain access as well. Even if a hardware TPM or Secure Enclave was present. And aside from encryption being resource intensive to do (and battery hungry), it also would be highly ineffecient if your browser is already running, as that data would be in memory, unencrypted, anyway.
@jebactychpolicjantow5497
Жыл бұрын
it's not "the technique", the attack vector was someone being dumb. anyone with an RCE can do anything on the machine that you can do.
@jebactychpolicjantow5497
Жыл бұрын
@@dealloc the key does not have to be locally present nor does it have to be static; it can be a calculated value either based on datetime or another system similar to RSA tokens. there is also no need to "store the key" since you can input it every time, e.g. biometric keys. encryption is not resource-heavy, every layer 4+ connection you make has TLS over the top of it. it feels like everyone on here is just making guesses as to how computers work without understanding the stack. scowering memory is not a reliable vector of harvesting tokens.
Okay that zero padding thing is outright negligence on the part of malware scanners.
@dealloc
Жыл бұрын
Yes and no. You could probably come up with ways to determine a file as being potentially unsafe by looking at random bytes in a file to determine whether it contained zero padding or not. But that would likely also issue a ton of false positives. And zero padding is not the only way to circumvent it. It could just be a bunch of random data as well-it's now much harder to determine what the file is. There are anti-malware that does this kind of analysis already, when you run a full scan or manually select a file for a scan. But while in the background, you don't want it to do a full scan and take up all your resources and potentially battery. So it's both a user error and a problem of detection. If you are uncertain about a file, manually scan it with your anti-malware software at least.
@DylanDurdle
Жыл бұрын
Agree. Doesn't take much effort for a virus scanner to pass through the file with a trimmer to validate 99% of it being empty space. But of course, if they were to do that then the hackers would just start padding files with random noise, defeating trimming it .
Little tip, use the "details" view of the files, it tells you more information about the files that live in your downloads folder. Like the size precisely.
apart from file-extensions being displayed I _always_ have the preview window open. If I don't see a matching preview to the file I have, when I know it is capable of displaying a preview, this file gets analyzed or deleted outright. And I did actually develop the habit of crossreferencing the file size. A picture of 500x500 wihch is several mb in size goes in the trash.
I'm actually more surprised that malware detection suites aren't robust enough to detect these types of attacks. A surface level check of RTL/LTR manipulation of the filename to hide the extension would catch this as a suspicious file. There aren't any legitimate use cases to use this hack in the real world, so it's pretty safe to say anything hiding the extension like this is likely to be malicious. Similarly, checking a file for padding is fairly easy to do, and doesn't require a lot of resources realistically to do so. Shrinking the file for an in-depth scan is also possible using sparsification, but thats a but more resource intensive - and only works on zero padded files directly.
@LordSStorm
Жыл бұрын
Filetype manipulation can be accidental.
@o00nemesis00o
Жыл бұрын
Some foreign languages are RTL, so yes there are legitimate use cases for the character appearing in a file name
@ZeroX252
Жыл бұрын
@@o00nemesis00o but not in the extension, and that's pretty easy to check for.
@ZeroX252
Жыл бұрын
@@LordSStorm windows warns users when changing the extension, and in this case the user could undo the mistake or make the logical conclusion that the file is or is not suspicious.
Im learning a lot, thanks for all this videos 👍🏼
@jamesjross
Жыл бұрын
Like how to monetize someone else's misery?
This is a good video thank you for the information and keep up the good work
this kind of thing must explain a number of obviously hacked youtube channels i've come across
@vakho30
Жыл бұрын
At first I've thought that those channels sold their souls to devils for quite a lot of grands but then I realized that most of them might have been hacked like Linus.
Linus said their corporate anti-malware program caught it, but it was only a notification. Because no one was constantly monitoring the dashboard, the malware slipped through.
@fabricio4794
Жыл бұрын
i Hope More Malware builders test on LTTs Ecosystem.....i hate that guy·....
@RickMyBalls
Жыл бұрын
@@fabricio4794 what's with the retarded captialisation?
@DatKakashii
Жыл бұрын
@@fabricio4794wait why lol
@Stormlywing
Жыл бұрын
not like they can get Remote tools to check for them because of one thing Being too famous is asking for problems ----------------------------------------------------------------------- he get out of the shower to check his channel Not getting dress like an fother does If I was an kid I would be outside because of the noise from an hacked channel to scar kids as well
Sadly Linus got caught here by ignoring his cyber security expert Luke. On the WAN Show Luke pointed it out that he told Linus the EXACT account and method of the hack but Linus responding "I'm focusing" and ignored the entire message. Luke then had to reach out to Linus's wife to get access to accounts (as he didn't have permissions to do what was needed, which is an issue). He offered to RDP into Linus's PC to do it but Linus was too focused combating the attack vector he thought it was (SMS/Password) to listen.
@jmckey
Жыл бұрын
Yeah, Linus talking about his being woken in the middle of the night and ADHD, plus the severe crisis is understandable, but it still shows a SEVERE flaw in their disaster management preparedness and lack of processes. Linus himself seems to need training in how to manage a crisis and delegate better. I took a whole class in my tech master's on crisis MGMT and we workshopped stuff having to perform as a team in front of our class to fix a problem live. Cool stuff and teaches you to communicate and calm down first THEN tackle the issue so you are being the most effective.
@engineeingnerd
Жыл бұрын
@@jmckey Google is more faulty for it
@jmckey
Жыл бұрын
@@engineeingnerd for sure, Google HAS to change how they secure logins and manage cookie sessions but there HAS to be process changes in the meantime at LTT to prevent something like this happening again.
@fabricio4794
Жыл бұрын
A Arrogant Adult imature Freak like Linus,ever hated and refused Linux,and now he got what he deserves beeing an annoying windows fanboy
@Armand79th
Жыл бұрын
Well, yeah... Linus is an amateur and a shill, not an IT Tech by any assessment worth a piss. Hardly surprising they got hit like this.
This is fantastic info. Great vidya m8
The size of that "PDF" already threw me for a loop, considering how many files I manage on a daily basis 9 times out 10 I would know if it's sketchy or not then again i can understand that some people arent always focused when reading emails, hell i ignore half of mine.
For PDF's there luckily exists an FOSS tool called Dangerzone which cleans the PDF up inside a sandbox (basically acting like a virtual printer, converting the pdf to pure pixel data and then making that into an clean PDF) which can be handy for when you **have** to open up a PDF (contracts for example) but can't trust the source.
@UnknownString88
Жыл бұрын
Thats cool
@phir9255
Жыл бұрын
Or just open in Chrome
@cook_it
Жыл бұрын
@@phir9255 While chrome does open PDF's in a sandbox which _should_ be secure that still doesn't solve all the other problems like "You opened an executable instead of a PDF".
@phir9255
Жыл бұрын
@@cook_it True, people should enable visible extensions
@cook_it
Жыл бұрын
@@phir9255 Absolutely. But even then if there are other exploits like a sandbox escape in chrome you still get into problems. With dedicated software like Dangerzone you would first need a exploit on LibreOffice or GraphicsMagick, then if you're on windows an VM escape from Docker Desktop or for Linux a container escape exploit, which is harder than a sandbox escape but still potentially possible. tl:dr Security is hard and mistakes can always happen. Never rely on a single software to keep you safe.
This crap is out of control, i get emails from amazon, walmart, Netflix, etc, all sketchy as hell.
having the file extension on windows explorer enabled as well as "ask where to save a downloaded file" i your browser can be quite the combo
6:03, even if you don't have the remember me box checked, requests are sent with a unique session token that changes on every re-authentication, which if stolen, will work (for about a day or so)
Good video. And lots of great suggestions in the comments. Love to see it. And no one blaming "noobs" or non-tech savvy people. And you make it easy to understand. Love this.
I think the easy fix for this would be for Microsoft to: 1. Enable file name extensions by default 2. Make the process for executing a file different from the one for opening it. Something like on Linux, where you need to explicitly choose "Execute" when you double-click a file in order to run it, or it just opens as a text file. Such a shame it's 2023 and Windows is still so insecure.
@FlorinArjocu
Жыл бұрын
In my Linux I can run by double click just fine.
@johndododoe1411
Жыл бұрын
Microshit even requires execute permission on every document you open with doubleclick, thus forcing insecure security settings .
@EricchiYukia
Жыл бұрын
@@FlorinArjocu Huh? Strange. Maybe it depends on the desktop environment. On Linux with KDE (and I think on Gnome too) the default behavior is to just open a file when you double-click it and never execute it unless specified.
@FlorinArjocu
Жыл бұрын
@@EricchiYukia Don't remeber exactly, I think I do check the "execute" checkbox, but I think that is not always the case. In the end it depends on the permissions to the file, if it has the +X or not. I am on Gnome (Ubuntu).
@EricchiYukia
Жыл бұрын
@@FlorinArjocuYes, that too! Files downloaded from the internet always have the "executable" flag disabled on Linux, and that was made exactly to prevent incidents like the LTT one.
You video helped me just now. Just got sent a zip file by a prospective "employer". I downloaded the file in a Ubuntu virtual machine and found a .scr file with other .jpg files inside. The .scr file was suspicious enough, but it also was over 1gb in size despite the zip file being only 5mb.Then I decided to shred it all. I have to give a big thanks to you for making me aware!
@dzenacs2011
Жыл бұрын
Why you download this file? Nothing better to do just downliading random stupid files?
@Sakisaka_Rei
Жыл бұрын
@@dzenacs2011 I think I took necessary precautions. And I got this message from artstation, so I couldn't exactly check if they were legitimate or not. As they claimed to be a game company.
I love how your example of a domain that doesnt match actually did match.
This is why it is important for me that the 'Type' column is always present whenever I view files through the 'Details' view. You can immediately identify what kind of file you are looking at before you would try to open it.
@joesterling4299
Жыл бұрын
Also obvious if you always show the real extensions for all files. It should be the default in Windows, but it is not.
I, as a youtuber, also receive this type of email, the first time I went with caution, because usually Contracts can be seen directly in the browser, you don't need to download a zip file with a password to be able to sign. Not to mention that when you download the file it has 14mb and when you extract it it shows these 770mb empty
For me checking fine extensions, the answer is yes, I check them all the time, and they are visible by default on all the computers I own or manage
What if you only browsed email on a VM? no web logins of any kind on the VM, just email. it wouldnt be possible for the malware to access data on the host machine
This is why you always show file extensions.
@jamesjross
Жыл бұрын
shut up
Great diagnosis and analysis of the issue, but it would be great if you have described the remedy. I have many questions here, hope you could address them in other videos or in comment: - How could you prevent malicious emails from harming your system from the beginning? Is opening emails in a sandbox (virtual machine) considered the ultimate solution for separating harmful content from the environment? how practical can this be especially in a working environment with many users? - What is the best anti-virus? especially the ones that detects Maleware after falling to the hacking trap. - in short: is there an ultimate solution??
@diwataluna
Жыл бұрын
In latest WAN show, Luke said the attack was flagged by their AV. But since they did not set it to highest level, the attack was not shown/seen. So curious about these too.
@russellhltn1396
Жыл бұрын
I believe he did - it's isolating the functions so the machine/person opening the emails doesn't have access to the higher privileges needed to attack. One thing he didn't mention is never use your machine when logged in as a local administrator. Only use those accounts when doing maintenance. I remember reading sometime back that most attacks will fail if the user only has "user" privileges. But people resist anything that gets in the way of doing what they want to do.
Show files extension - it's basically one of the first quality of life settings that I turn on, whenever I install Windows, or on any PC that I use, for that matter. It's been a habit for me since I can remember, probably year 2000. I'm also proud to say I have no idea how an antivirus looks anymore, I haven't used one in over 20 years and I never bonked my PC.
It's also happening on Twitter DM's. I almost fell for it since they were uploading it onto google drive.
Thank you for this video! It really helped me understand what happened. Now I'm reviewing some of my own security protocols.
It's wild that, with being that big of a company, they download all sorts of email attachments on machines with access to their KZread channels
@kuromiLayfe
Жыл бұрын
exactly… when handling large amounts of emails .. open them in a virtual environment with no access to official files ( a company like LTT could have easily have all e-mail processing be done on for instance a Nvidia Now environment )
@eveleynce
Жыл бұрын
the hospital I work at has an entire server, disconnected from everything except a single locked down connection to the email server, whose job is to filter out any attachments from external emails, and to detect spam or bad links from any email, so even if the server gets malware, it can't actually DO anything because the only accessible data is the singular email that the malware was already on, the rest is sandboxed out
@aoeGamingAEGIS
Жыл бұрын
@@eveleynce that's how should be done
Since I got my first computer on 2002. I have always enabled the show the extension feature. I have never like not knowing what I’m opening.
To add , thank you even I did not know for this way of attacking. I mean didn't know or paid attention to fact that antimalware , antivirus software skips on large files. So to me this information is very nice , thank you .
Right off the bat, I noticed there are spelling mistakes on these emails. I’m surprised this wasn’t mentioned.
@xr.spedtech
Жыл бұрын
Linus and his workers are blinded by money.
@eujekas
Жыл бұрын
Unfortunately Im not a native english speaker and I can’t notice some grammar mistakes :c
@repsrandom6474
Жыл бұрын
@@xr.spedtech kinda makes sense, considering how much sponsors they include
@24OscarM
Жыл бұрын
@@xr.spedtech I really hate ignorant comments like this regarding anyone
@FlorinArjocu
Жыл бұрын
There are plenty of people not living in native English countries. We are much more tolerant to there mistakes as we grow up with our languages.
This reminds me of the time when my friend found an exploit in everyone's favourite media player, VLC, and added code to the end that, when played in VLC, broke things because the tool executed scripts within the video (he could have done anything, including modify the registry to never pass login, but it merely scrambled the subtitles). Video played fine in MPC and other players. The only reason he did it is because his messages to VLC devs went unanswered. The same, I suspect, basically would happen here (getting MS to enable file extensions by default or YT having more security). Sometimes, these big companies think they have all the answers and do not pay attention to outside reports. Despite all the smaller channels Linus mentioned as having been similarly been hit and YT had yet to do anything there, are they going to pay attention now and fix things? I would not hold my breath. :(
@o00nemesis00o
Жыл бұрын
No, because hiding file extensions has made this possible for decades, MS cannot possibly be ignorant of it, and they just won't do anything because... hell if I know why.
You mentioned that there should not have been so many people who had access to be able to manage the youtube channel, but another thing to consider is that (at least to me it seems this way) most employees at LMG have administrator Windows/Mac accounts, and this type of malware code would have to run with administrative privileges to capture the session information and upload to the attacker. If Linus made it so that only senior employees (Linus and Luke etc) only had administrator access and everyone else had normal user accounts, then I feel that this attack could have been prevented. Please feel free to call me out if any of the information in my comment is incorrect. I do not want to spread misinformation.
@paskky913
8 ай бұрын
Windows likely didn't trigger UAC because then I bet they would've realized something was off. You can copy files and connect to the network without admin priviledges, I've done that myself and you can check by the simple fact that your browser, wich doesn't need admin rights to run, can both read, write and send files.
Easy fix from Google/KZread, would be to detect that the IP address changed when the hackers enter the authentification cookies, and thus, ask for the 2FA again each time such location difference is detected.
I have a few questions, let's skip the part where we need to be careful. But doesn't Windows warn about unsigned exe/scr files? Doesn't it ask if I really want to run that file? If I accidentally run a file like that, how can I prevent my data from being compromised? Could it be blocked? For example, I use Malwarebytes Windows Firewall Control program and set it up so that everything that goes out prompts me. Does this help? What other additional methods can we use?
@kuromiLayfe
Жыл бұрын
Windows and its file signing can be bypassed for years already by just using a official signing tool on any regular executable and moving the bytes to the malware executable.
@Hyxtryx
Жыл бұрын
@@kuromiLayfe Then the signature wouldn't match the file.
@kuromiLayfe
Жыл бұрын
@@Hyxtryx all the signature check does is see if the amount of bytes match that sig data and if they are in the correct spot… guess what is correct when those bytes gets moved or copied to a malware version of a executable ( exactly the same method as shown in this video to mask malware code by bloating the filesize to bypass online scanners)
I think browsers should encrypt stored data like session tokens, and ask for a decryption password when launched (which would imply never storing decrypted cookies outside of the RAM)
@paulstelian97
Жыл бұрын
They do something similar to that for passwords, where they will use OS-level security/encryption as appropriate (on Linux and macOS you have KeyChain, Windows also has something similar). It would be nice if cookies are also caught in that.
@FrumpyJones
Жыл бұрын
Um.. the whole point of session tokens is to not have to put in a password... So the real solution is: "don't choose 'remember me'"
@a_d_z_y__
Жыл бұрын
@@FrumpyJones I don't agree, having to login every time on every website can be tedious, where one prompt when you open your browser asks the user for much less effort.
@tobelix6397
Жыл бұрын
The real solution would be to keep your sessions short
@aoeGamingAEGIS
Жыл бұрын
yeah but what if I just want to move my data from one pc to another? i just raw copy-paste files and tadaaa, I don't want encryption bllshit to deal with. Isn't windows fault it doesn't has a alert: u're about to open a .exe or.src file, are U SURE? And this to not be annoying, it would pop up only the first time u run a file. And u can even disable it...
Subbed: excellent content!
You didn't mention that basically all compression algorithms will reduce the padding to about 2 bytes - that's why it ships perfectly fine via email, and probably why it explodes so quickly also. You would obviously notice if the zipped PDF you received is taking like 10 minutes to extract.