Тёмный

The Malware that hacked Linus Tech Tips 

The PC Security Channel
Подписаться 504 тыс.
Просмотров 1,5 млн
50% 1

Linus Tech Tips recently was hacked by a redline infostealer pdf/scr file in a malicious sponsor email. I myself have been receiving a ton of such fake sponsor emails and in this video we look at the attack process. Get Crowdsec for free: www.crowdsec.net/?mtm_campaig... (sponsor)
Buy the best antivirus: thepcsecuritychannel.com/best...
Join the discussion on Discord: discord.tpsc.tech/
Get your business endpoints tested by us: tpsc.tech/
Contact us for business: thepcsecuritychannel.com/contact

Наука

Опубликовано:

 

16 июн 2024

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Комментарии : 3 тыс.   
@thepwrtank18
@thepwrtank18 Год назад
File name extensions needs to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.
@bgill7475
@bgill7475 Год назад
Yeah, it’s strange Windows hides them by default. Makes no sense.
@fusseldieb
@fusseldieb Год назад
The problem is that tech iliterate people rename a file and then accidentally remove the extension. It doesn't highlight the extension by default, but I've seen it happening a couple of times with other ppl.
@bgill7475
@bgill7475 Год назад
@@fusseldieb Windows will warn you though if you try to do this.
@torsten_dev
@torsten_dev Год назад
It's times like this you really appreciate the execute permission bit on Linux.
@FlorinArjocu
@FlorinArjocu Год назад
There is a solution even for that, the right-to-left writing system. A file named for instance filename.exe.pdf can be actually a .exe if the character announcing the r-to-l is before "exe". I'll try finding the clip with this. I daily drive linux and don't care a lot about these; but on Windows I could have seen myself being fooled by this (not the .scr, as I made a few programs and even screesavers when I was in highschool, many years ago). LE: found it on ThioJoe's channel - ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-nIcRK4V_Zvc.html
@shorts9900
@shorts9900 Год назад
Imagine people who send malicious emails to someone named "The pc security channel"
@chirukun
@chirukun Год назад
this is more like a declaration of war
@chosenuwu
@chosenuwu Год назад
they're getting cocky :D
@Tathanic
@Tathanic Год назад
Automated
@wlockuz4467
@wlockuz4467 Год назад
I mean they did it to a channel called "Linus *Tech Tips* " and it clearly worked so why not!
@cedricsonaquevido1565
@cedricsonaquevido1565 Год назад
roll of the dice except its 100 sided
@davidfrischknecht8261
@davidfrischknecht8261 Год назад
The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.
@ticenits1926
@ticenits1926 Год назад
That and the fact that the domain was Eastern European. The author of this video wants to act like that's totally common and no big deal but it's not. If g fuel is reaching out to you from the Czech Republic you should damn well know better.
@khoroshoorange
@khoroshoorange Год назад
Or maybe dont use File Explorer in the First place... Use smth that is more intelligently designed like total Commander
@davidfrischknecht8261
@davidfrischknecht8261 Год назад
@@khoroshoorange Whatever floats your boat.
@superbasyboy
@superbasyboy Год назад
That's the case in this example, if the PDF was 'alone' in a folder you wouldn't look twice at a .pdf
@Theunicorn2012
@Theunicorn2012 Год назад
The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.
@DavidRomigJr
@DavidRomigJr Год назад
LTT does use permissions but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all devices logged in, but logging out the attackers didn’t log them out. Then he hopped onto the content manager to start revoking rights, but he didn’t set it up and didn’t want to wake up the one that did so had to learn as he went. But RU-vid’s content manager started throwing errors and timing out trying to revoke rights for some reasons. So he tried logging into some of the users but do to a recent password mitigation, he didn’t have access to some of them yet. Later they found out Google knew which account was compromised but didn’t immediately tell them. Got this from the video they made the days of the attack. They sounded good considering they hadn’t slept in 24 to 48 hours at that point,
@Magnum.Bloodstone
@Magnum.Bloodstone Год назад
I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.
@lolcat69
@lolcat69 Год назад
Facts, that is why I always activate the config to enable that
@MrHendrikje
@MrHendrikje Год назад
It's a pain to keep having to turn it on on every single machine I use that is new. I meaninly use it quickly be able to make back up of files so I can just aad .bak to the name or .orig. this onely works if File extension names are enabled.
@CD-vb9fi
@CD-vb9fi Год назад
That's not even the bad part of all this. MS is now active in keeping you out of some sections of the OS. You don't even know if MS is collecting these tokens or not or for what reason either. I assure you... they can and do if the right people in authority request it. Nothing on a machine is secure.
@DickCheneyXX
@DickCheneyXX Год назад
That's how you can spot computer literacy at a glance.
@Sierra-Whisky
@Sierra-Whisky Год назад
A file name is just what it is. It doesn't tell anything about its content, just as your name doesn't say anything about your personality. Changing a .xls to .jpg doesn't make it an image, just as changing my name to yours doesn't change my personality to become yours.
@Tigrou7777
@Tigrou7777 Год назад
Antivirus software (especially Windows Defender) should automatically flag files named .pdf.src or .pdf.exe (stuff similar), because nobody is going to name their documents that way unless they have malicious intentions.
@defnotatroll
@defnotatroll Год назад
It's baffling to me that AVs don't automatically flag these files or warn the user when the scams have been happening since august last year at least
@robertgarrison1738
@robertgarrison1738 Год назад
EDR solutions like Crowdstrike DO this. This is a matter of the Linus team cheaping out on InfoSec tools.
@robertgarrison1738
@robertgarrison1738 Год назад
@@kaineuler EDR like CS, CB, or S1 do not care about file size. They monitor every single process/thread/command/execution that's running in realtime, so if it catches something it finds sus (which this absolutely would,) it will catch it, regardless of file size.
@kaineuler
@kaineuler Год назад
@@robertgarrison1738 I'm talking about windows defender or other basic antivirus.
@robertgarrison1738
@robertgarrison1738 Год назад
@@kaineuler Ah, yeah no, those can't be trusted in 2023 when it comes to proactive monitoring. Those AV's are solely reactive, and by then the damage has already been done. I see this daily at this point in my line of work.
@redboxthief
@redboxthief Год назад
Im going through my security + training and this was an awesome breakdown of a real world scenario! I am definitely a subscriber now.
@prodKossi
@prodKossi Год назад
Same here, you should check out Professor Messer if you havent already, hes got a free video series on how to pass 💜
@LithiumSolar
@LithiumSolar Год назад
Great discussion. One big thing that was indirectly touched on here - first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior that Windows hides extensions making agreement.pdf.scr look like agreement.pdf is just helping the propogation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.
@sliceoflife5812
@sliceoflife5812 Год назад
Kudos for defending the employee.. People were so quick to call for him to get fired w/o have an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially at your employment capacity ( ironically, we become less suspicious and more compliant even in security sectors ) vs your personal email. Cheers
@SEMIA123
@SEMIA123 Год назад
If you're talking about the fire Colton thing, it's an ancient channel meme, Colton has been "fired" hundreds of times. Colton gets blamed for everything and this time it might actually have been him so the meme came back hard. He won't go anywhere though, dudes been there since day 2.
@jacquesfaba55
@jacquesfaba55 Год назад
I agree, it’s Linus’ fault here for making his employees use Windows
@MrHendrikje
@MrHendrikje Год назад
A company I worked for was hacked due to a security flaw that was introduced in a Microsoft Exchange Server update.. when it was brought to light he quickly rolled back but by then it was already too late and got hacked around the time people were looking for chocolate eggs a certain bunny had been littering.
@anxiousearth680
@anxiousearth680 Год назад
@@SEMIA123 Yeah lol. When I found out, that was my first thought. "Oh well, Colton's getting fired for the 22nd time I guess." Especially ironic considering the origin of that meme includes iirc him almost getting the channel banned or something and then getting 'fired'.
@Wr41thgu4rd
@Wr41thgu4rd Год назад
@@jacquesfaba55 He should probably keep people who have access to anything even remotely import to only those who terminally live inside a computer. Having Windows is not an excuse to fall for a phishing attack. The only excuse is incompetence. Not opening an executable through email is like computer literacy 101.
@JzJad
@JzJad Год назад
An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.
@NelielSugiura
@NelielSugiura Год назад
I certainly use it to send stuff to myself to bypass such scanners. But that is from me to me, so I know what is going on... but it is a fairly obvious bypass all around because no AV tool out there can decrypt it (yet) to scan.
@nwerd7584
@nwerd7584 Год назад
Thats probably the biggest thing here and 99% of tech channels ignore it, im not sure they even know why scammers use the pw/encryption function in the first place.. Theres no need to ever require this unless you encounter it the way I do. From piracy and trying to download unsigned cracks etc. But scammers also use them when a game first comes out to try and trick the normies, but those are the types that dont want yu to have a pw because theres nothing in it, they want you to do surverys for a non existing password.
@powerpc6037
@powerpc6037 Год назад
I agree this is also a giveaway. Any normal company doesn't zip a pdf file so there should be no need to extract it. And even so, a huge zip file to only hold a single pdf file is suspicious. On top of that, even when file extensions are hidden (as the other files didn't show any extension) and this one did show the .pdf extension, you should be aware this won't be the true extension otherwise it was hidden as well so you can be sure there is another extension behind it making the .pdf visible. Also, in an email, look for obvious spelling errors like the first one that was shown: "We are sells energy drinks", this is a dead giveaway this was translated instead of typed and should be treated as suspicious. So Linus (or his staff) made 4 mistakes that led to this tragedy: 1. Ignoring obvious spelling mistakes (if he received such a misspelled email) 2. extracting a huge zip file to get a simple pdf to state an agreement 3. ignoring the huge filesize for a simple pdf 4. running it with a visible file extension when extensions are hidden
@asdfasdf-mn8iu
@asdfasdf-mn8iu Год назад
@@powerpc6037 That the extension is shown despite extensions being hidden was confusing to me as well. Although, if you spend about 30 sec on this file, you might easily miss that.
@towesc
@towesc Год назад
Absolutely, a red flag with a fog horn.
@michaeljoaquin6622
@michaeljoaquin6622 Год назад
Great video! It was my first time watching a video from you and as an IT professional transitioning into the cybersecurity field, this was a very informative video! btw, in the scroll history it says "Crowdsack" instead of "CrowSec". Just wanted to let you know. Again great video!
@Unfilterd
@Unfilterd Год назад
Great video. Would it make any difference if you were to open these files if they're being send through google drive for example? Like the quick view in Gmail? Or would that also be enough to activate it?
@HollywoodCameraWork
@HollywoodCameraWork Год назад
Microsoft should really stop this "Hide extension for known file types" thing. That Windows feature is the main attack vector, because it make an executable look like an innocent file.
@PizzaInGame
@PizzaInGame Год назад
maybe the reason microsoft create that fituer because for people like us, who know the meaning of extension the hide thing is useless, but for people who doesnt know, mostly they will rename their file wrong (like delete the extension) but i agree with you, they need to update the system like,..they can just show the extension but not editable when rename the file
@robloxfan4271
@robloxfan4271 Год назад
Agreed
@richarda3659
@richarda3659 Год назад
It's optional, you can turn it off, and it's there because that's how Apple does it. Maybe Microsoft should prohibit changing a file extension by renaming the file, and only allow it in the Properties dialogue. And also, Windows should prevent multiple file extensions when any but the last is an executable file type. So something like ".pdf.old" is permitted, but ".pdf.exe" is prohibited.
@HollywoodCameraWork
@HollywoodCameraWork Год назад
@@richarda3659 Of course you can turn it off, but it's on for 99.999% of Windows users. It's the default setting from hell. And no, Mac doesn't do this. Mac has 4-character file types and creator that can't be downloaded from the internet. The risk doesn't exist in the same way on Mac. And Mac notarizes executables. Not even a comparison.
@khoroshoorange
@khoroshoorange Год назад
​@@richarda3659Well Apple isnt exactly a role model in anything anymore
@Yemto
@Yemto Год назад
I have always the "File name extensions" enabled, so I don't need to go into properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe
@fusseldieb
@fusseldieb Год назад
That's probably why they did it.
@GYTCommnts
@GYTCommnts Год назад
You need to watch a ThioJoe video explaining why file name extensions only it's not bullet proof. To summarize, there is a technique that exploits reverse reading languages to show a different extension at the end. Windows should stop dumbing some things and file extensions should be showed by default, and must be the last thing on a filename NO MATTER WHAT. But for now, it's not the case and it's ridiculous.
@tehjamerz
@tehjamerz Год назад
n00b
@tryanotosehatsantoso8302
@tryanotosehatsantoso8302 Год назад
@@MANTISxB but the thing is sometime they send video file too... so if you are not carefull seeing the size... you will presume the big file ZIP is came from the vids
@b4ttlemast0r
@b4ttlemast0r Год назад
Yeah, I hate the fact that showing file name extensions is not the default on Windows. Makes it a lot easier to disguise executables as harmless files.
@sterling3716
@sterling3716 Год назад
Good video. I think it would've been neat if you added a section to these types of videos where you do some sort of sandboxing of the file, to show what it's actually doing. I'm sure you've heard of it, but Any Run is an example of an interactive open sandbox solution to do this in, another is Hybrid Analysis though it doesn't provide interactivity it still shows screenshots and breaks down the activities it performs. It would be neat to get an idea of the scheduled task creations, additional sub process executions, network traffic to threat actor domains and IPs, etc.
@Ramonatho
@Ramonatho Год назад
I don't know if this is common for malware, but one thing I found interesting was all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in like 1601.
@AegisHyperon
@AegisHyperon Год назад
1601 is the first year of the Gregorian calendar cycle that was active when Windows was designed
@flubnub266
@flubnub266 Год назад
Completely reasonable interpretation, but those aren't the dates of the data, but rather the actual data being interpreted as dates. So because most or all of the data aren't dates, they naturally appear as nonsense when interpreted as such.
@DerLung
@DerLung Год назад
I think the „show file extentions“ option should be enabled by default in windows explorer because otherwise if you don‘t look at the properties of the file you would not even notice if a file had a different file extention to what you would expect. Many people have this option disabled because they just never changed it so they could easily fall for such a trap if they don‘t know that much about computers.
@takatamiyagawa5688
@takatamiyagawa5688 Год назад
I don't know how people function with file extensions off. Sure, there's no guarantee that the contents of the file match the extension, but it seems to be at least an indication of what windows will attempt to do with the file if you open it.
@rusl1rusl
@rusl1rusl Год назад
Nowdays hackers use special characters to reverse filename to make it look like a legit file even with „show file extentions“ on
@powerpc6037
@powerpc6037 Год назад
Even if file extensions are disabled, you should be able to see there is something wrong. All other files don't have the extension visible and this one did show the .pdf extension, so there should be another extension behind it, making the .pdf visible.
@greatveemon2
@greatveemon2 Год назад
anyone doesn't look at the details of the file before clicking nowadays, I guess? I have all my download as in detail view showing off the file type. I've been freaking using this account as old as youtube and i'd never been hacked.
@PeppermintOSC
@PeppermintOSC Год назад
@@greatveemon2 since 2006?
@SYLperc
@SYLperc Год назад
the person who's job it is to respond to these could also use a machine that doesnt have channel credentials used specifically for answering sponsorship emails as an additional layer of protection from something like this happening
@o-hogameplay185
@o-hogameplay185 Год назад
exactly. i dont dont do anything like working with sponsors or anything, but last year in the university we had a homework in java programming (basically a game) and our teachers being lazy, we had to grade each others code (everyone gets 5 random people's code). and i specifically set up a vm in case anyone would put malware into it (you would think "oh, they are not stupid to put malware in it, just think about the backlash" but no. seeing how many programming students fall for free dc nitro scams, i will not take a risk)
@MAST
@MAST Год назад
Maybe that person manage youtube videos, thumbnails, tags, descriptions, tags etc. multiple videos at ones. That kinda apps are most needed. If it was just about editing videos, then they would have done it on an offline machine.
@kkgt6591
@kkgt6591 Год назад
Maybe it was Linus himself.
@kmcat
@kmcat Год назад
@@Preetzole A Remote Desktop for YT account actions.
@MAST
@MAST Год назад
@@kkgt6591 I don't think Linus do those kind of things, I think he is only directing, managing now and prolly he employs PR, marketing, social scientist something, which prolly knows better what works.
@GANONdork123
@GANONdork123 Год назад
I'm glad you mentioned the fact that the PDF is usually not sent in the initial email, but rather a follow-up email and the fact that many legit companies use third-party PR firms to reach out for sponsorships. After hearing those two facts, it's no wonder someone who works for a big RU-vid channel would fall for this, especially if they get dozens if not hundreds of legitimate offers every single day with no discernable difference up front. Having a sponsorship manager with complete and total access to the RU-vid channel was a serious blunder on LMG's behalf though, and the hack would have been mitigated had that not been the case, so I hope they've learned a lesson from that. Imagine being a solo creator dealing with this though. Answering dozens of emails from potential sponsors while also working on your own content. You wouldn't have a buffer from this kind of attack, unlike LMG would.
@aoeGamingAEGIS
@aoeGamingAEGIS Год назад
step 1: explore & gain trust
@CyriacS
@CyriacS Год назад
This video is so fantastic, I gasped a few times when you showed the properties and HEX... Good job!
@paulstubbs7678
@paulstubbs7678 Год назад
The bit that suprised me was that LTT had a PC with both RU-vid account access and was used to process incomming offers, I would have thought the two should be kept well apart
@tomatobrush3283
@tomatobrush3283 Год назад
Yea running vmware workstation and opening suspicious emails on a vm can go a long way to protecting your PC, definitely a hassle to maintain though.
@tegneren
@tegneren Год назад
They said that sponsored videos are uploaded by the marketing department, so that would be why
@nwerd7584
@nwerd7584 Год назад
Linus is barely even at the warehouse unless he has to be in the video.
@johncarter3227
@johncarter3227 Год назад
@tegneren but still that doesn't mean that one system should be used to process both stuff. LTT is a large organization and they can afford to have an isolated system to process outside information, before it enters the main server. Anyways they learned it the hardway!
@fabricio4794
@fabricio4794 Год назад
This guy (LTT)is an Amateur and Arrogant Rich Boy...nothing than a Microsoft Employee that did a anti-linux rally and then his Secure Windows was Bombed till the ground....
@FlyboyHelosim
@FlyboyHelosim Год назад
A 770Mb PDF file would be a major red flag. I think the largest genuine PDF file I've ever seen was less than a hundred megabytes and that contained full color images.
@kaywonderer
@kaywonderer Год назад
No i have seen 400mb pdfs. You obviously a noob.
@HexRox
@HexRox Год назад
The problem with a very fast internet connection is the employee probably didn't get a look how big the file and just automatically check the content after it's done downloading
@meneldal
@meneldal Год назад
@@HexRox The file is full of 0s, the zip archive would be actually quite small.
@dismiggo
@dismiggo Год назад
Even that is small, I would say. I made the yearbook for my class, and that is around 200MB. So I would be careful with blanket statements like that.
@0xD1CE
@0xD1CE Год назад
@@dismiggo A yearbook is different than an agreement form..
@yungkneez
@yungkneez Год назад
A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.
@hammerfist8763
@hammerfist8763 Год назад
The only extension that matters or is actually an extension, is the last one. I fully agree that better file level security is part of the solution, and that begins with not allowing a file to be named .pdf.scr or .pdf.exe.
@Conserpov
@Conserpov 11 месяцев назад
Why would anyone who's not a complete noob use Explorer as a file manager at all, let alone with hidden extensions?
@thepwrtank18
@thepwrtank18 10 месяцев назад
"You are attempting to open an application file with the file extension [.ext] in front of it. Are you sure you want to open this application?" [info of application, name, publisher etc]
@nixxblikka
@nixxblikka Год назад
best video in this regard- can you make a video about these session tokens?
@kevbu4
@kevbu4 Год назад
Thio Joe has recently done a couple of videos about this and similar attacks. And for all the people talking about showing file extensions, it turns out there are a few unicode characters that reverse text direction after the character, even the file extension. That will keep you on your toes. And Thio Joe discussed that too.
@hiru92
@hiru92 Год назад
yes, i saw that video 😁
@richarda3659
@richarda3659 Год назад
Yes, there's some kind of hack involving right-to-left languages.
@serena-yu
@serena-yu Год назад
Interesting. It's U+202E ‮
@slamscaper128
@slamscaper128 Год назад
Pretty sure .scr is one of those superhidden extensions, like .lnk and such. In this case, they didn't need to use that special command.
@AaronShenghao
@AaronShenghao Год назад
In the WAN show, Luke said their anti-malware solution did caught the file. But it was only a notification, and the malware was still ran before it can be stopped. (e.g. it was not quarantined in time)
@phir9255
@phir9255 Год назад
Should've immediately logged out
@deuspax
@deuspax Год назад
let's don't blame windows in the most gratuitous way, if feels a malware the OS starts to scream and puts the harmful file in carantine mode, in order to make it work you have to get in security panel and to give the proper rights - which probably the employer did
@flameshana9
@flameshana9 Год назад
How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?
@flameshana9
@flameshana9 Год назад
How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?
@88porpoise
@88porpoise Год назад
​@@flameshana9 I suspect in this case it was identified as suspicious and generated a message but didn't have enough confidence that it was malware to lock it down. You can decide what actions an AV takes on a file given the risk level determined. And they basically said that the number of false positives they would get at the level of security which would have locked down this file would be too large to manage without seriously harming their business (probably far more than the hijacking and one day of outage did). And, yes, every single business (and person) makes the decision to accept some degree of risk in various formats to facilitate operational efficiency. The question is how you balance the two.
@silverphoenix2450
@silverphoenix2450 Год назад
Thank you for letting me know about the screen saver file extension and how they can run as an application. I didn't know that.
@SMGJohn
@SMGJohn Год назад
I worked for a state company, and they actually had put in place such severe restrictions that did not allow anyone without privilege to open any file except those permitted such as .pdf and word docs. Ontop of it all, the computers were thin clients connected to large array of servers, their sessions were all temporary VM's that would delete its instance after each use, all your files were stored on cloud essentially connected to your user account and constantly scanned, it was the most ridicules security setup I ever seen in my entire life, they also had automated software that scanned files developed in house to check if the files they received on email were proper or not, all happened in the background, I cannot say what state company it was you can probably already tell that stuff like this, is not just any ordinary mom and pops office job. But in hindsight, its not that much work to setup something similar for a small business with virtual machines and auto scanners checking files beforehand or loading files isolated from the system. The funniest thing from that job is how the tech got so tired of trying to fight the spam emails, they designed a DDOS program that would just automatically target the IP source of these spam mails and dedicate a small server just to run that script day and night, it worked but when the boss found out, man he was not happy knowing there was a server using 5kW of power everyday just to reverse uno email spammers LOL, I think they replaced that with an AI which was good enough to detect most of them and filter it out, that was right at the end when I left I never got to look at it because it would be handy to have something like that running in my basement.
@eddielegs344
@eddielegs344 Год назад
I understand the dangers true scr files also start up just like exe files. But the fact that RU-vid doesn't have the security in place when they don't ask you to log in again when you change the password or the channel name is baffling to me. Or delete lot off files... crazy
@alouiciouswrex7141
@alouiciouswrex7141 Год назад
I would assume they could tie the session token to the current IP address, and if the session token is suddenly used by a different IP they cancel all sessions and request signing in again.
@johndododoe1411
@johndododoe1411 Год назад
​@@alouiciouswrex7141That IP check would frequently get overboard when home ISPs and online proxies frequently change peoples public IPs. Same thing happens when facebook sends out an alert after every log in with an updated browser.
@EvanOfTheDarkness
@EvanOfTheDarkness Год назад
@@alouiciouswrex7141 That would not work with smartphones that go in and out of Wifi range, and use mobilenet when there is no WiFi. The best you could do is time and location. That's why banks invalidate sessions (log you out) after 5-10 minutes of inactivity. Most websites log you out on a device after a week or so. But youtube/google never does it, since if you are not logged in it's harder to mine your data. The worst part is that (when done right) stealing the environment essentially makes this indistinguishable from the original browser, making it a "trusted device".
@alouiciouswrex7141
@alouiciouswrex7141 Год назад
@@EvanOfTheDarkness Fair point, I hadn't considered mobile devices
@eddielegs344
@eddielegs344 Год назад
@@EvanOfTheDarkness or mac adres for mobiel devices
@khaledxo1234
@khaledxo1234 Год назад
I was patiently waiting for your take on what happened, well delivered!
@user-bo1jh5li4b
@user-bo1jh5li4b Год назад
I watched a few other videos on this topic but idk why your explanation just sticks better in my brain lol
@SeahamV2
@SeahamV2 Месяц назад
Subbed for the quality of this video and the info in it.
@AggressiveNewt
@AggressiveNewt Год назад
100% this all ramps down to the fact that even if you're a manager on the channel you can't create community posts. You can upload videos, delete videos, whatever you want. You can't make community posts. You have to be logged in from the "main" account. It's the worst.
@fltfathin
@fltfathin Год назад
weirdly it can be delegated via API which means if you have the capacity you can "relay" the intent with custom local tool/ web service
@wadimek116
@wadimek116 Год назад
They could use clean virtual machine or server for posting only
@dontaskiwasbored2008
@dontaskiwasbored2008 Год назад
That is 100% not at all what this ramps down to lmao.
@EpicMiniMeatwad
@EpicMiniMeatwad Год назад
@@dontaskiwasbored2008 True, but cool API fact.
@helloitismetomato
@helloitismetomato Год назад
RU-vid Studio is just *incredibly* poorly designed. It's an absolute disgrace, especially since it took them absolutely forever to create and they had a very lengthy (multi year!) feedback period that they literally did not do anything with. In RU-vid Studio you either have too little access or way too much access. If you're an editor you can't even edit a playlist (because that can only be done in the main site, and they simply didn't bother to implement in in Studio!) As someone who's been a professional in this space for half my life it's actually OFFENSIVE to me how poorly designed it is. They literally just didn't bother doing it anywhere close to properly. Everything about it fucking sucks ass from the UI to the core functionality.
@SEMIA123
@SEMIA123 Год назад
I feel like at this point, proper security protocols would be to have a separate machine that exists exclusively to open emails and doesn't have access to anything except the email account.
@johndododoe1411
@johndododoe1411 Год назад
Except that many attackers want control of your recovery e-mail only (in that phase).
@rosiepone
@rosiepone Год назад
@@johndododoe1411 you can have emails forwarded to an unattached proxy email for this purpose, using something like POP so they're deleted off the first address as soon as they're sent to the second one, then you'd have to intentionally send it BACK to the first email for them to have access to that one
@takatamiyagawa5688
@takatamiyagawa5688 Год назад
They're running a youtube channel, not a military base.
@luka188
@luka188 Год назад
@@takatamiyagawa5688 If your youtube channel is your livelyhood, you may as well go the extra mile to protect it well, because if you lose it, you basically lose everything. At least in case of Linus Tech Tips and bigger channels, it's possible to recover this even after a hack happens, but it takes a lot of effort regardless and taking extra security measures to prevent this kind of thing is very worthwhile.
@nwerd7584
@nwerd7584 Год назад
mental outlaw has been saying for months and months if not years to go buy a shitty chrome book and use that to answer the business email.. Whats even worse is a lot of these losers use their personal email to get business emails, which has secured future fuckery. They SHOULD have a email solely for sponsorship offers, and you should only use that email on that latop. Unless you can have a braincapacity above a 5 year old and just not click them. Greed is what makes people fall fr this shit. Being content doesnt leave you with shady business.
@Michael-uo4jj
@Michael-uo4jj Год назад
very cool malware honestly whoever made it was quite smart to make it a large file i also noticed avg programs don't scan larger files and good execution with the email and pdf.scr honestly might have even caught me off guard if i had a youtube channel
@burritomafia352
@burritomafia352 Год назад
The large file size is also a massive red flag. No pdf should be that large 770 mb ???
@NuDimon
@NuDimon Год назад
Good thing for them they got it resolved quickly and got support trough their other business ventures to alleviate the lack of adsense when the channel was down. But they definitely have been a bit too lax on their security. Apparently their security software solution was set to a less secure settings due to too many false positives. They really did get to feel how having their policies leaning more towards convenience is a bad idea. That being said, how youtube does not require 2FA for sweeping changes to a channel is down right mind boggling. If you change the channel name and change the status of the majority of your video catalogue there should be some alarm bells ringing no?
@MAProsper
@MAProsper Год назад
While I agree, there are also issues with having security settings too strict, as they might leed to users circunventing them so they can do their job. Now insted of some security, you have none. So, since they said they couldn't handle the amount of false positive they settle for that. Was it the best idea? No, but they did what they thought was right. It seems that looking forward they should look into how to handle better the false positives or alternatives software suites. That beeing said, as you also said, Google not reauthenticating users attempting to do massive changes on the channel seems like a big mistake on their part.
@mechwarrior83
@mechwarrior83 Год назад
The fact the Google will allow login from a cookie and then change password + 2FA *without* confirmation from either is downright neglectful.
@Pandaptable
@Pandaptable Год назад
@@mechwarrior83 you clearly do NOT understand how logging in from a cookie works. It's not that google "lets" them. It's that you're essentially just copying how they logged in, and it's the same session in essence.
@rezwhap
@rezwhap Год назад
@@Pandaptable So confidently incorrect. They could force a reauthentication even with a valid session. Many services do for important changes.
@xX_MC_OvU_PvP_YT_Xx
@xX_MC_OvU_PvP_YT_Xx Год назад
You sound too invested in them personally.
@Fredaffinity
@Fredaffinity Год назад
First "trick" that my friend taught me on my first PC was how to see extensions and how to see hidden files. It's the first thing I do after reinstalling windows.
@jinxterx
@jinxterx Год назад
Your friend is a true friend.
@Fredaffinity
@Fredaffinity Год назад
@@jinxterx Yeah he is a true friend for sure. And this feature saved me several times.
@aofh666
@aofh666 Год назад
Little tip, use the "details" view of the files, it tells you more information about the files that live in your downloads folder. Like the size precisely.
@ThePortuguesePlayer
@ThePortuguesePlayer Год назад
If it's a scr file, then it would mean this attack would not work on a PC that is not a Windows one, correct? So, yet another security measure could be just using a different OS to do that type of work on, like one of the UNIX based ones.
@yugbe
@yugbe Год назад
Good information. Was kinda hoping for a bit of code breakdown, but this is my first time visiting the channel, so I'm not sure how deep you go. Either way, Thank you for putting such good info and good recommendations out there.
@pcsecuritychannel
@pcsecuritychannel Год назад
There are more in depth videos on the channel. :)
@sergeiborodin9254
@sergeiborodin9254 Год назад
Most malware is targeted at Windows, sandboxing public parts of interacting with the world in virtual machine could prevent that
@stoner.07
@stoner.07 Год назад
Channel notification on now , i want to be updated with all these stuffs :D
@PassionforSpace
@PassionforSpace 8 месяцев назад
Great coverage,thanks for sharing,you explain it very well and this is what people need
@danwake4431
@danwake4431 Год назад
im not a security specialist, but i spend most of my time on Linux primarily for the lack of tracking but also i generally dont have to worry about any windows based attacks. If i worked for a big YT channel I would certainly use linux for emails and almost anything else that didn't require windows. and if i DID have to use windows, id open a fresh VM just for internet and emails and never log into anything important. Im actually surprised these content creators even use windows, I assumed they all used Macs, since they pretty much all use iphones as well.
@Armand79th
@Armand79th Год назад
Well, a bunch of amateurs will amateur.
@AkiraElMittico
@AkiraElMittico Год назад
This is one of the reasons why I'm on Linux 100% since 2007, and never went back to windows, not even for work.
@spooky4655
@spooky4655 Год назад
There are also samples that seem to use actual code instead of empty spaces. It appears that these samples consist of a bunch of randomly generated functions that will be called upon launch. However, if you remove them to reduce file size, the program will become corrupted and you won't be able to run it.
@RudySoliz
@RudySoliz Год назад
Good video with some cool insight. Linus explained that only certain people have access to the channel, and even those people have limited access to certain things. Would be a good wake-up call for new protocols or software to prevent something like this from happening again.
@dzenacs2011
@dzenacs2011 Год назад
New protocol - dont click and open unknown files like you are 7 year old first time using email
@HouseOfFunQM
@HouseOfFunQM Год назад
You didn't mention that basically all compression algorithms will reduce the padding to about 2 bytes - that's why it ships perfectly fine via email, and probably why it explodes so quickly also. You would obviously notice if the zipped PDF you received is taking like 10 minutes to extract.
@tallpaul9475
@tallpaul9475 Год назад
At my company, we've been using a 'viewer' to 'checkout' files and virtually view them. Picture it as a way to look at documents in a secured environment using a remote external viewer. Validated sites been using this almost 25 years now. If things are isolated and viewed indirectly, that would probably halt the brakes on a lot of problems.
@andresilvasophisma
@andresilvasophisma Год назад
I always thought that keeping session cookies in plain text on the storage device was a bad idea. The information should be encrypted by the browser.
@bluemeriadoc
@bluemeriadoc Год назад
or just don't let applications (like screen savers) read any arbitrary data on the disk. especially web browsers
@andresilvasophisma
@andresilvasophisma Год назад
@@bluemeriadoc BUt you could still read it with regular executable programs.
@rohanjamadagni
@rohanjamadagni Год назад
Would you be okay entering a password every time you launch the browser?
@bluemeriadoc
@bluemeriadoc Год назад
@@rohanjamadagni maybe, but it's not necessary. you can leverage the operating system to encrypt based on the computer's password or protect the address space, or both
@rohanjamadagni
@rohanjamadagni Год назад
@@bluemeriadoc encryption only works when theres a password attached to it. If the browser can launch without needing a password, the hacker can just steal all the app data of the browser and launch it in their system regardless of what the os does. Windows doesn't have strict permission checking for files and even if it did if the program got admin access, it's basically useless. The only way to fix this is to have your whole browser password authenticated, kind of like how password managers are as browser extensions. From a website pov, you should have implemented uuid checking or some hashed hardware Id checking in the cookie, again this should be implemented by browsers as it would be a security risk to allow websites to detect a hw id. Overall, I'd say from a developer perspective these kinds of attacks are really difficult to mitigate without making the ux of the user worse.
@raughboy188
@raughboy188 Год назад
When it comes to emails as a way to sneak malware in your system having good spam filter can help too mostly because emails containing potental malware are automaticaly sent to spam folder and you don't get notified.
@ChrisM541
@ChrisM541 Год назад
Excellent, super interesting video, thanks for the upload. Subbed. Can I ask you a question? - do you think today/tomorrow's continuing march to abstract away much of what programming used to be is a significant cause for concern, particularly today's almost complete loss of assembly programming skills, and affecting the field of security? This, in context with the fact that every program and language used today, and for years to come, is ultimately converted to machine code. I'd imagine that any country who's government sponsors the training of assembly language experts in the security field, can increasingly use these skills to cause some serious problems. I'm speaking from the point of view of someone who used to program games in the 1980's-90's in assembly, when it was a very popular language. Yes, it's CPU specific, but if the majority are using a handful of generic CPU types then the potential is there.
@maxwellsmart3156
@maxwellsmart3156 Год назад
Sounds like it's time to sandbox certain functions and create a VM to open attachments and possibly get an antivirus that will scan large files. Also, I don't think it's hard to create a script to do some rudimentary analysis of files to display size, possible padding, extension, etc to alert to a Trojan horse file.
@willwunsche6940
@willwunsche6940 Год назад
Don't know if it was mentioned here but they did say their antivirus detected the malware but it wasn't fully set up to high enough level to deal with it yet as they were in the process of setting up a bunch of systems too I think
@willwunsche6940
@willwunsche6940 Год назад
@@asksearchknock that's kind of super out of context though and not what he said. Obviously it makes sense in certain situations. And while it's probably blasphemy to say this on a malware channel I think he's probably right for most average people.
@asiaman
@asiaman Год назад
So, if you receive this email, just clicking on the attachment in gmail would allow that malware to do its work? Or would the file have to be saved to your computer then opened to be affected by the malware?
@vilmoswinkler3050
@vilmoswinkler3050 11 месяцев назад
isn't there an automated process in any antimalware for deletimg the empty space in files?
@kevinh96
@kevinh96 Год назад
Microsoft need to, as others have said, show file extensions by default however, they also need to block .SCR files by default too as well as Defender being a bit more advanced and able to block and warn about files with double extensions, such as .pdf.exe
@kevbu4
@kevbu4 Год назад
Just realised, another red flag is when you see a .PDF extension while you have show extensions disabled.
@takatamiyagawa5688
@takatamiyagawa5688 Год назад
The sort of person that has file extensions disabled probably isn't paying attention to the end of the file's name,
@Hyxtryx
@Hyxtryx Год назад
@@takatamiyagawa5688 And wouldn't think anything of it, even if they did notice it. It's also possible that the person has extensions enabled on their home computer, but disabled on their "LTT work" computer, and missed it because of that. Or maybe it was a new install and somebody forgot to change the setting.
@Welshmanshots
@Welshmanshots Год назад
The size of that "PDF" already threw me for a loop, considering how many files I manage on a daily basis 9 times out 10 I would know if it's sketchy or not then again i can understand that some people arent always focused when reading emails, hell i ignore half of mine.
@darthnegativehunter8659
@darthnegativehunter8659 Год назад
the problem is that you should always, ALWAYS make the file extensions visible. in fact this kind of thing is easy to detect. windows can have some sort of a warning for this sort of file names added. so it saves a lot of users from running executables by mistake.
@Gargantura
@Gargantura Год назад
how do you activate it?
@darthnegativehunter8659
@darthnegativehunter8659 Год назад
@@Gargantura depends on the version of the windows but a quick google search will give you the answer. i usually do it by control panel and folder options. then there should be a checkbox somewhere to make em visible.
@Gargantura
@Gargantura Год назад
@@darthnegativehunter8659 aight thanks
@AlexPerez-bd9nc
@AlexPerez-bd9nc Год назад
This crap is out of control, i get emails from amazon, walmart, Netflix, etc, all sketchy as hell.
@stevenclark2188
@stevenclark2188 Год назад
Okay that zero padding thing is outright negligence on the part of malware scanners.
@dealloc
@dealloc Год назад
Yes and no. You could probably come up with ways to determine a file as being potentially unsafe by looking at random bytes in a file to determine whether it contained zero padding or not. But that would likely also issue a ton of false positives. And zero padding is not the only way to circumvent it. It could just be a bunch of random data as well-it's now much harder to determine what the file is. There are anti-malware that does this kind of analysis already, when you run a full scan or manually select a file for a scan. But while in the background, you don't want it to do a full scan and take up all your resources and potentially battery. So it's both a user error and a problem of detection. If you are uncertain about a file, manually scan it with your anti-malware software at least.
@DylanDurdle
@DylanDurdle Год назад
Agree. Doesn't take much effort for a virus scanner to pass through the file with a trimmer to validate 99% of it being empty space. But of course, if they were to do that then the hackers would just start padding files with random noise, defeating trimming it .
@electricspider2267
@electricspider2267 Год назад
There was a virus at our school that uses scr. It got everywhere. If you plug a usb into a computer, it would copy itself to it, then set all your folders to hidden + system, then create lnk files to match the name, set the link target to the malware on the stick, add an autorun.inf file to the stick. Hidden and system meant you wouldn't see the real folders unless you turned on both show hidden files and show system files. Show system files was a bit hidden and it warns you not to do that. A clear giveaway that your usb was infected was that all your folders turned into shortcuts that had that little arrow thing in the corner. I removed the virus from a lot of computers and fixed the usbs of who ever lended me their flash drives.
@MrBluGruv
@MrBluGruv Год назад
Am I to understand that this vulnerability would not be applicable if one were to log out after every session/not select the myriad "Remember me on this device" options? I'm aware that is more hassle than a lot of people would want to go to these days, but it would illustrate another example of why availing yourself of those options is not a particularly secure choice in the long run.
@ender-gaming
@ender-gaming Год назад
Sadly Linus got caught here by ignoring his cyber security expert Luke. On the WAN Show Luke pointed it out that he told Linus the EXACT account and method of the hack but Linus responding "I'm focusing" and ignored the entire message. Luke then had to reach out to Linus's wife to get access to accounts (as he didn't have permissions to do what was needed, which is an issue). He offered to RDP into Linus's PC to do it but Linus was too focused combating the attack vector he thought it was (SMS/Password) to listen.
@jmckey
@jmckey Год назад
Yeah, Linus talking about his being woken in the middle of the night and ADHD, plus the severe crisis is understandable, but it still shows a SEVERE flaw in their disaster management preparedness and lack of processes. Linus himself seems to need training in how to manage a crisis and delegate better. I took a whole class in my tech master's on crisis MGMT and we workshopped stuff having to perform as a team in front of our class to fix a problem live. Cool stuff and teaches you to communicate and calm down first THEN tackle the issue so you are being the most effective.
@engineeingnerd
@engineeingnerd Год назад
@@jmckey Google is more faulty for it
@jmckey
@jmckey Год назад
@@engineeingnerd for sure, Google HAS to change how they secure logins and manage cookie sessions but there HAS to be process changes in the meantime at LTT to prevent something like this happening again.
@fabricio4794
@fabricio4794 Год назад
A Arrogant Adult imature Freak like Linus,ever hated and refused Linux,and now he got what he deserves beeing an annoying windows fanboy
@Armand79th
@Armand79th Год назад
Well, yeah... Linus is an amateur and a shill, not an IT Tech by any assessment worth a piss. Hardly surprising they got hit like this.
@oei8435
@oei8435 Год назад
Imagine it was named: "LinusWare"
@flameshana9
@flameshana9 Год назад
They totally should sell new underwear with that branding on it.
@elementoflight6834
@elementoflight6834 Год назад
i am suprised how it is not just common practice to check the Win Explorere Setting to not hide the actual filetype extenseion. Or at least how a .PDF is not a red flag if you do not see them regularly. So either you have file extension names disabled then the .pdf extension should sound alarms in your head, or you do have them enabled then it will show as ".pdf.scr" which is also a red flag.
@TonyFarley-gi2cv
@TonyFarley-gi2cv 11 месяцев назад
Are you building software on a unstable production floor or design a new products on a unstable production floor that comes from outside forces that sell to you
@atpray
@atpray Год назад
Why does windows still have extensions turned off by default? Its ridiculous.
@filtro-d-aire6843
@filtro-d-aire6843 Год назад
Im learning a lot, thanks for all this videos 👍🏼
@jamesjross
@jamesjross Год назад
Like how to monetize someone else's misery?
@boahneelassmal
@boahneelassmal Год назад
apart from file-extensions being displayed I _always_ have the preview window open. If I don't see a matching preview to the file I have, when I know it is capable of displaying a preview, this file gets analyzed or deleted outright. And I did actually develop the habit of crossreferencing the file size. A picture of 500x500 wihch is several mb in size goes in the trash.
@dronyland
@dronyland Год назад
Easy fix from Google/RU-vid, would be to detect that the IP address changed when the hackers enter the authentification cookies, and thus, ask for the 2FA again each time such location difference is detected.
@stormgear896
@stormgear896 Год назад
This is why it is important for me that the 'Type' column is always present whenever I view files through the 'Details' view. You can immediately identify what kind of file you are looking at before you would try to open it.
@joesterling4299
@joesterling4299 Год назад
Also obvious if you always show the real extensions for all files. It should be the default in Windows, but it is not.
@Vandelay666
@Vandelay666 Год назад
What if they open their email attatchments in a Virtual machine? Wouldn't that be the wisest option?
@FlorinArjocu
@FlorinArjocu Год назад
Yes, but still need to save things on the server, so it has to be a network machine and can infect the next one opening a presumable marketing material.
@Cootshk
@Cootshk 9 месяцев назад
6:03, even if you don't have the remember me box checked, requests are sent with a unique session token that changes on every re-authentication, which if stolen, will work (for about a day or so)
@doubleb3813
@doubleb3813 Год назад
Do you recommend a anti-virus Programm and if yes which one? I always thought the windows anti-virus is good enough
@ZeroX252
@ZeroX252 Год назад
I'm actually more surprised that malware detection suites aren't robust enough to detect these types of attacks. A surface level check of RTL/LTR manipulation of the filename to hide the extension would catch this as a suspicious file. There aren't any legitimate use cases to use this hack in the real world, so it's pretty safe to say anything hiding the extension like this is likely to be malicious. Similarly, checking a file for padding is fairly easy to do, and doesn't require a lot of resources realistically to do so. Shrinking the file for an in-depth scan is also possible using sparsification, but thats a but more resource intensive - and only works on zero padded files directly.
@LordSStorm
@LordSStorm Год назад
Filetype manipulation can be accidental.
@o00nemesis00o
@o00nemesis00o Год назад
Some foreign languages are RTL, so yes there are legitimate use cases for the character appearing in a file name
@ZeroX252
@ZeroX252 Год назад
@@o00nemesis00o but not in the extension, and that's pretty easy to check for.
@ZeroX252
@ZeroX252 Год назад
@@LordSStorm windows warns users when changing the extension, and in this case the user could undo the mistake or make the logical conclusion that the file is or is not suspicious.
@adivasilica9471
@adivasilica9471 Год назад
I have a few questions, let's skip the part where we need to be careful. But doesn't Windows warn about unsigned exe/scr files? Doesn't it ask if I really want to run that file? If I accidentally run a file like that, how can I prevent my data from being compromised? Could it be blocked? For example, I use Malwarebytes Windows Firewall Control program and set it up so that everything that goes out prompts me. Does this help? What other additional methods can we use?
@kuromiLayfe
@kuromiLayfe Год назад
Windows and its file signing can be bypassed for years already by just using a official signing tool on any regular executable and moving the bytes to the malware executable.
@Hyxtryx
@Hyxtryx Год назад
@@kuromiLayfe Then the signature wouldn't match the file.
@kuromiLayfe
@kuromiLayfe Год назад
@@Hyxtryx all the signature check does is see if the amount of bytes match that sig data and if they are in the correct spot… guess what is correct when those bytes gets moved or copied to a malware version of a executable ( exactly the same method as shown in this video to mask malware code by bloating the filesize to bypass online scanners)
@Insidema2013
@Insidema2013 Год назад
Would this have been caught by a contextual scan prior to opening the file?
@AurioDK
@AurioDK Год назад
Not a tech nerd and our firm only has two pc´s which allow emails to be received by unknown senders, these are not connected to the rest of the grid and function mainly to create new contacts. Once the contacts have been verified ... other stuff happens, somebody explained to me but I didn´t understand much of it, something to do with a third computer which functions as a transition hub. I am not allowed to receive any emails at work, can´t browse either. Pretty much all I can do is use the software meant for my job, as far as I understood the system has redundant layers of protection, if one gets broken/infected ... the other just continues normally. I think there are 10 PCs in total ... so not a huge firm.
@CoolJosh3k
@CoolJosh3k Год назад
All those bytes being zero means the compression can have it result in a normal looking size when zipped, right? You didn’t mention that.
@summerishere2868
@summerishere2868 Год назад
Yes it can be compressed to a very small file.
@spamviking8591
@spamviking8591 Год назад
This is why you always show file extensions.
@jamesjross
@jamesjross Год назад
shut up
@Eddietheteddie
@Eddietheteddie Год назад
Linus should have made sure all computers were set to show extention and they should run every file from a 3rd party, regardless of size, through a competent antivirus. This is really not that difficult to do. Antivirus scans take seconds with an ssd. This is basic security for most.
@richardbennett4365
@richardbennett4365 Год назад
With such an important site, his backups can be used to restore the content he had on RU-vid. He just needs to rebuild from backups his new site. Some lost time, but no list content with the backups he has.
@ostrados
@ostrados Год назад
Great diagnosis and analysis of the issue, but it would be great if you have described the remedy. I have many questions here, hope you could address them in other videos or in comment: - How could you prevent malicious emails from harming your system from the beginning? Is opening emails in a sandbox (virtual machine) considered the ultimate solution for separating harmful content from the environment? how practical can this be especially in a working environment with many users? - What is the best anti-virus? especially the ones that detects Maleware after falling to the hacking trap. - in short: is there an ultimate solution??
@diwataluna
@diwataluna Год назад
In latest WAN show, Luke said the attack was flagged by their AV. But since they did not set it to highest level, the attack was not shown/seen. So curious about these too.
@russellhltn1396
@russellhltn1396 Год назад
I believe he did - it's isolating the functions so the machine/person opening the emails doesn't have access to the higher privileges needed to attack. One thing he didn't mention is never use your machine when logged in as a local administrator. Only use those accounts when doing maintenance. I remember reading sometime back that most attacks will fail if the user only has "user" privileges. But people resist anything that gets in the way of doing what they want to do.
@EricchiYukia
@EricchiYukia Год назад
I think the easy fix for this would be for Microsoft to: 1. Enable file name extensions by default 2. Make the process for executing a file different from the one for opening it. Something like on Linux, where you need to explicitly choose "Execute" when you double-click a file in order to run it, or it just opens as a text file. Such a shame it's 2023 and Windows is still so insecure.
@FlorinArjocu
@FlorinArjocu Год назад
In my Linux I can run by double click just fine.
@johndododoe1411
@johndododoe1411 Год назад
Microshit even requires execute permission on every document you open with doubleclick, thus forcing insecure security settings .
@EricchiYukia
@EricchiYukia Год назад
@@FlorinArjocu Huh? Strange. Maybe it depends on the desktop environment. On Linux with KDE (and I think on Gnome too) the default behavior is to just open a file when you double-click it and never execute it unless specified.
@FlorinArjocu
@FlorinArjocu Год назад
@@EricchiYukia Don't remeber exactly, I think I do check the "execute" checkbox, but I think that is not always the case. In the end it depends on the permissions to the file, if it has the +X or not. I am on Gnome (Ubuntu).
@EricchiYukia
@EricchiYukia Год назад
@@FlorinArjocuYes, that too! Files downloaded from the internet always have the "executable" flag disabled on Linux, and that was made exactly to prevent incidents like the LTT one.
@Funkfreed
@Funkfreed Год назад
Also if you have a password manager as a browser extension is that bad would the session to that extension be easily compromised?
@DogsAreGods
@DogsAreGods Год назад
You mentioned that there should not have been so many people who had access to be able to manage the youtube channel, but another thing to consider is that (at least to me it seems this way) most employees at LMG have administrator Windows/Mac accounts, and this type of malware code would have to run with administrative privileges to capture the session information and upload to the attacker. If Linus made it so that only senior employees (Linus and Luke etc) only had administrator access and everyone else had normal user accounts, then I feel that this attack could have been prevented. Please feel free to call me out if any of the information in my comment is incorrect. I do not want to spread misinformation.
@paskky913
@paskky913 9 месяцев назад
Windows likely didn't trigger UAC because then I bet they would've realized something was off. You can copy files and connect to the network without admin priviledges, I've done that myself and you can check by the simple fact that your browser, wich doesn't need admin rights to run, can both read, write and send files.
@michaeltedeschi9929
@michaeltedeschi9929 Год назад
Great breakdown of the situation. It blows my mind that things like this still work, but it as we see time and time again it: session stealing is very much still a lethal and viable technique. Nice breakdown and hopefully this is a reminder for the tech-oriented user to pay close attention to what they open... All it takes is letting your guard down for a quick moment to get caught by these things, and it really can happen to anyone, even the security-minded user.
@richarda3659
@richarda3659 Год назад
Why aren't the session tokens encrypted and only readable by the issuing web browser, based on the browser's internal ID?
@dealloc
@dealloc Год назад
@@richarda3659 Encryption doesn't matter when malware runs on _your_ computer. Where would you store the key? If your OS has access, then malware can find a way to gain access as well. Even if a hardware TPM or Secure Enclave was present. And aside from encryption being resource intensive to do (and battery hungry), it also would be highly ineffecient if your browser is already running, as that data would be in memory, unencrypted, anyway.
@jebactychpolicjantow5497
@jebactychpolicjantow5497 Год назад
it's not "the technique", the attack vector was someone being dumb. anyone with an RCE can do anything on the machine that you can do.
@jebactychpolicjantow5497
@jebactychpolicjantow5497 Год назад
​@@dealloc the key does not have to be locally present nor does it have to be static; it can be a calculated value either based on datetime or another system similar to RSA tokens. there is also no need to "store the key" since you can input it every time, e.g. biometric keys. encryption is not resource-heavy, every layer 4+ connection you make has TLS over the top of it. it feels like everyone on here is just making guesses as to how computers work without understanding the stack. scowering memory is not a reliable vector of harvesting tokens.
@NelielSugiura
@NelielSugiura Год назад
This reminds me of the time when my friend found an exploit in everyone's favourite media player, VLC, and added code to the end that, when played in VLC, broke things because the tool executed scripts within the video (he could have done anything, including modify the registry to never pass login, but it merely scrambled the subtitles). Video played fine in MPC and other players. The only reason he did it is because his messages to VLC devs went unanswered. The same, I suspect, basically would happen here (getting MS to enable file extensions by default or YT having more security). Sometimes, these big companies think they have all the answers and do not pay attention to outside reports. Despite all the smaller channels Linus mentioned as having been similarly been hit and YT had yet to do anything there, are they going to pay attention now and fix things? I would not hold my breath. :(
@o00nemesis00o
@o00nemesis00o Год назад
No, because hiding file extensions has made this possible for decades, MS cannot possibly be ignorant of it, and they just won't do anything because... hell if I know why.
@HDJess
@HDJess Год назад
Show files extension - it's basically one of the first quality of life settings that I turn on, whenever I install Windows, or on any PC that I use, for that matter. It's been a habit for me since I can remember, probably year 2000. I'm also proud to say I have no idea how an antivirus looks anymore, I haven't used one in over 20 years and I never bonked my PC.
@asdfasdf-mn8iu
@asdfasdf-mn8iu Год назад
So 2 things that kinda surprised me about this video: a) file extensions are not shown by default. That's turned on on my computer and not only does that help with identifying such files but also it can help in day-to-day-business as well, being able to see if a picture is PNG or JPEG or whatever else at a glance. b) not using at least the windows antivirus security thingy. I do a windows defender scan on every single file i download from the net, just because it's a habit of mine and usually takes less than 10 sec to do so (and i don't download quite as many files as the employee might). Not sure if windows defender would've found that trojan because i guess that's the AV they're gonna try to fool most, but as soon as one right-clicks the file for the context menu (for scanning) one has the chance to see 770 MB file size on the bottom; one should get suspicious at that point. I know very few PDFs that are that large and they're thousands of pages or tons of pictures, so there's really no need for an offer to be that large. I feel like all the warning signs are there for this case if you use proper precautions...
@allnatural1504
@allnatural1504 Год назад
I thought anti viruses could detect if the file’s been pumped, or just detect the abnormal amount of zeros
@ApolloVIIIYouAreGoForTLI
@ApolloVIIIYouAreGoForTLI Год назад
Well what stood out to me was Mr Pc Security said ( 2:50 )most AV software will skip a file that big? What Am I taking that out of context or is that true? Because that seems like problem that should have been fixed long ago?
@dont-want-no-wrench
@dont-want-no-wrench Год назад
this kind of thing must explain a number of obviously hacked youtube channels i've come across
@vakho30
@vakho30 Год назад
At first I've thought that those channels sold their souls to devils for quite a lot of grands but then I realized that most of them might have been hacked like Linus.
@davix3f
@davix3f Год назад
The thing also is, it's pretty hard for a pdf file to have a large size unless it's a 100 page filled with high resolution images. A business inquiry or similar types of documents hardly go over 10mb
@aoeGamingAEGIS
@aoeGamingAEGIS Год назад
pdf do take space, even 10 pages can hit 20 MB if are used high res images in it. That's why i use.txt, lol
@FantaBH
@FantaBH Год назад
To add , thank you even I did not know for this way of attacking. I mean didn't know or paid attention to fact that antimalware , antivirus software skips on large files. So to me this information is very nice , thank you .
@mashroom_
@mashroom_ Год назад
Wouldn't it be possible to flag padded files like the PDF as suspicious, if they have unusually low entropy? To speed up this calculation, one could sample chunks from the entire range of the file, instead of scanning the whole file, and either calculate the overall entropy of these chunks or calculate an "entropy map", where files containing large low-entropy regions are marked as suspicious.
@fred5459
@fred5459 Год назад
Sure, everything is possible. But the malware guys are very creative and they will find a way around. Your method will fail if there is one random byte in every chunk.
@mashroom_
@mashroom_ Год назад
@@fred5459 True, it really is a never-ending struggle. I'm not sure why you think a single random byte in every chunk would make my method fail, but please elaborate.
@Hyxtryx
@Hyxtryx Год назад
@@mashroom_ Instead of zeros they could use megabytes of random data. Then your entropy idea would fail.
@mashroom_
@mashroom_ Год назад
@@Hyxtryx You're right, but I would argue that this would make the file too difficult to compress and would hence exceed the maximum email attachment size.
@Hyxtryx
@Hyxtryx Год назад
@@mashroom_ Good point, I didn't think of that.
@ZipplyZane
@ZipplyZane Год назад
You don't have to have file extensions disable to pull off this exploit. You can use RTL encoding to make it where the extension doesn't appear at the end. How many people are going to look for the letters rcs anywhere in the filename?
@asdfasdf-mn8iu
@asdfasdf-mn8iu Год назад
If the filename is a mess of characters for a media offer, that's suspicious already. In a filename that's just a sentence i'm pretty sure you would notice what you're describing here.
@bryanp.1327
@bryanp.1327 Год назад
You would think by now that AV scanners can be smart enough to see a big file, scan up to a certain point (or maybe just look at the end of the file), and when it catches all that padding to throw a red flag. If it gets to a reasonable point in the file and doesn't see anything suspicious, it can just stop scanning to save resources.
@cook_it
@cook_it Год назад
For PDF's there luckily exists an FOSS tool called Dangerzone which cleans the PDF up inside a sandbox (basically acting like a virtual printer, converting the pdf to pure pixel data and then making that into an clean PDF) which can be handy for when you **have** to open up a PDF (contracts for example) but can't trust the source.
@UnknownString88
@UnknownString88 Год назад
Thats cool
@phir9255
@phir9255 Год назад
Or just open in Chrome
@cook_it
@cook_it Год назад
@@phir9255 While chrome does open PDF's in a sandbox which _should_ be secure that still doesn't solve all the other problems like "You opened an executable instead of a PDF".
@phir9255
@phir9255 Год назад
@@cook_it True, people should enable visible extensions
@cook_it
@cook_it Год назад
@@phir9255 Absolutely. But even then if there are other exploits like a sandbox escape in chrome you still get into problems. With dedicated software like Dangerzone you would first need a exploit on LibreOffice or GraphicsMagick, then if you're on windows an VM escape from Docker Desktop or for Linux a container escape exploit, which is harder than a sandbox escape but still potentially possible. tl:dr Security is hard and mistakes can always happen. Never rely on a single software to keep you safe.
Далее
All of our data is GONE!
22:58
Просмотров 9 млн
How to not get hacked: real example
13:55
Просмотров 382 тыс.
FUN&SUN | Update 0.29.0 Trailer | Standoff 2
02:32
Просмотров 1,1 млн
Malwarebytes vs 2000 Malware
11:12
Просмотров 157 тыс.
How A Steam Bug Deleted Someone’s Entire PC
11:49
Просмотров 892 тыс.
Cicada 3301: An Internet Mystery
17:54
Просмотров 35 млн
Where People Go When They Want to Hack You
34:40
Просмотров 1,1 млн
Hey Siri, I’m Giving You A Second Chance
15:31
Просмотров 1,1 млн
The Kids Who Hacked The CIA
23:05
Просмотров 6 млн
Downloading and running the 100 Malware links
13:33
Просмотров 167 тыс.
Для фанатов SEGA MEGADRIVE - Anbernic RG ARC
14:23
НАШ ЛЮБИМЫЙ КЛИЕНТ
1:00
Просмотров 511 тыс.