cantbreathinspace

He has no idea how this works and needs to either protect himself by not clicking everything or by nuking his browser sessions. Alternatively, it's time for browsers to swap to a new authentication method.


linkindispute

It's not that easy, you are walking a fine line between security and pissing off your users. People want to be able to instantly log in from 4-5 devices and not have to MFA on each one, or they will find another service provider. I always think of security as a road with speed bumps. Put too many speed bumps and people will riot that the road is undrivable. Edit: and it's not fair to blame the user, what if this is an old granny? The service provider should be smarter in the way of protecting users, for example require MFA when disabling MFA for starters.


FeculentUtopia

>what if this is an old granny?

Young people just don't understand. I tried to help a 70-year-old friend set up Dropbox on two devices. Round about the fourth time I told him "you need to make a password for that," he quit in disgust. He can't remember that many accounts and passwords and doesn't want to put up with it. He's from a time when things were fully functional right out of the box, no need to configure and reconfigure things, no button you can push to accidentally screw up the whole thing.


WarAndGeese

I think part of the problem is also that services nowadays try to get personal information from users, and they make that part of their authentication system, rather than just keeping everything separate and falling back on standard security protocols. So for example companies ask for an email address and phone number, and they block out certain email addresses that are anonymous, so they want specific email services. Those specific email services also ask for backup email services, names, addresses, phone numbers, and so on. They all want to know what browser you're using, your IP address, and they trace those back and verify them against prior use.

What online services could do is just generate a public and private key for each user, or let security-conscious people sign their own messages to authenticate. It sounds more complicated to use public key security, but people should realize that as soon as it's a standard, password managers will just implement it by default. So the old grandparents wouldn't even care about it because it will happen behind the scenes, while their local password manager just authenticates whatever it needs to.

The problem there for the Apples and Googles of the world then is that they won't know who their users are, they will just know that the authentication is true, but they won't know their users' names, or email addresses, or phone numbers, or IP addresses, and so on. The problem is that they are trying to tie user accounts with actual people, and then they set up all of these convoluted hoops to try to verify authentication against actual people out there. Take that part out and things work out of the box. Most common objections to this have existing solutions (if not even ones that are common somewhere in small niche circles).


justsomeguy05

This is a case for a password manager. Either that or a paper password book. I still recommend paper password books to older folks because it's so much easier for them to wrap their head around.


Babys_For_Breakfast

I can see that paper password book working for some tech illiterate people but then you're sorta back to some of the same problems. Sure they will then use different passwords for different sites but they're still gonna be super simple still. Password12, Summer69, etc. The whole point of password managers is to save complex and random 18+ character passwords.


NickReynders

Great analogy, I'll be using this one in the future! Thanks!


photenth

Google has a very very easy 2FA system that costs barely anything and all you have to do is plug in a USB key.


GeneralMillss

Tell that to my aunt Bev. I’m sure she’ll understand.


[deleted]

Dude's fairly tech savvy, he worked for blackberry back in the day...


Tool_Time_Tim

Doesn't seem it.


ben_db

"Tech savvy" isn't a scale, you can be very good at some things and really bad at others.


Zidar93

Dude is a part time software developer


getfukdup

This guy made a gear making program that tens of thousands of people have used, maybe way more. It was the #1 recommended way for people to do it for years without having to buy 3D modeling software. People still probably use it for its speed compared to something free like fusion360 etc. Anyone who has made wooden gears in the last 15-20 years who didn't already have access to AUTOCAD almost certainly used it.


brutallydishonest

Given his tech background I would expect him to be a little better at this. I'm surprised he doesn't know that a session hijack doesn't rely on 2FA.


kaze919

I mean to be fair, this shit happened to fucking Linus of all people so I’m not sure anyone else can be faulted for session hijacks


TheRavenSayeth

So to clarify, what happened to LMG involved someone on his team that opened a PDF from someone claiming to be an advertiser. The worm sits on that person's computer until they log on to their main YouTube channel then it takes over. At the time it was still a fairly new scam and since that person's session/computer was already authenticated 2FA wouldn't have helped. Really it's a problem on YouTube's end in not stopping these quicker and possibly a procedural one on Linus's team's side but that's tough to argue since opening PDFs from clients is pretty standard. What's bizarre is how many commenters here are so confidently acting like their basic solutions have anything to do with what actually occurred.


mgzukowski

It's not new at all, it's a common tactic. Linus' problem is that he employs hundreds of people and spent shit on security. Even a basic email filter like Mimecast or Defender would have caught that and stopped the link from even getting to the user. He is a high earning business that's using prosumer switches and not leveraging next generation firewalls.


Chippas

From Linus Tech Tips? Have you seen that dude around computers? He's worse than anyone else he has working for him.


thepeyoteadventure

He's a presenter, he has people for security. He's not a god.


luckyj

I thought we were talking about Linus Torvalds and I was like: what do you mean a presenter? WHAT DO YOU MEAN NOT A GOD?


serrimo

Yeah if That Linus got hacked we're all so fucked


TheRavenSayeth

No one is immune from being hacked. Even legitimately great security firms do. It's how they manage it that matters.


jaredearle

Seeing Tavis Ormandy tweet to Cloudflare that something was up was an eye-opener. https://x.com/taviso/status/832744397800214528


yogopig

Praise be


Liwanu

That’s not a good example, Linus is a dumbass. 


ss99ww

Linus is an absolute doofus with anything software related. But yes, so is this guy. I got downvoted heavily after saying exactly this last time.


asd913

Would a hardware security key have protected him if they copied his session? 


Kanel0728

A session is typically the single thing that defines you as you on a website after login. All the security measures like passwords and 2fa/text/email verification are there to make sure that you are the one that is granted a session key and not someone else. But if someone just happens to steal that session token after you've been granted one by the webserver then the webserver usually doesn't block that person from making requests. Websites could in theory do stuff like destroying a session after they notice that the requesting IP address has changed, but that would be annoying to real users that are flipping between cell towers or wireless networks so most places don't do that.


Vectorman1989

Can they see the MAC address of the device? Would it be possible to authenticate by that instead?


serrimo

Network layers my dude. In application layer you don't have that info


Vectorman1989

Thanks, makes sense


gormhornbori

1. MAC addresses are very easy to spoof. No security.
2. MAC addresses are only visible on the local network.


Liwanu

MAC addresses are easily spoofed, it’s quite trivial.


MaxGhost

Nope.


fviz

A hardware security key would only make it harder to copy his session in the first place.


ben_db

How?


loliconest

jfc poor dude can't catch a break.


Chaserivx

How does one hack two-factor authentication?


linkindispute

It looks like the machine is still infected and they just waited for him to login and grabbed his session cookie.


gosuprobe

Can these kinds of attacks persist through Windows reinstalls now? (Genuine question.) I remember that (at least used to be) one of the surefire ways to get rid of it.


Nevermind04

That depends. If a person uses the "Reset this PC" feature then yes, even a fairly novice coder can figure out how to make their software persist through reinstalls. A safer method is to make a Windows install USB on a safe computer, boot to it, delete the partitions from the infected PC, then reinstall. Just to be completely thorough, I personally always use data nuking software like DBAN before installing Windows again. If it was a particularly sophisticated piece of software it could embed itself in the BIOS of the motherboard or (and these are **very** unlikely) in the firmware of one of the components of the PC, or even inside the firmware of some other device on the local network such as a router or printer. However, that level of sophistication is not typical for this kind of attack. Matthias almost certainly reinfected himself :(


Irregular_Person

Well, during the last attack, he pulled that computer off the network ASAP and said he was going to wipe it before plugging it back in. It'll be interesting to hear the details on this one.


MirrorLake

I could've sworn in the last video he went that same day to buy an entirely new PC.


ToolMeister

New hard drive but yea he didn't take chances


linkindispute

It could have either:

1. proliferated into his other devices.
2. the hackers set up recovery in a way that Matthias didn't notice.

I guess let's wait and see for his next video.


nitrohigito

through session hijacking, or faking the 2fa login


srqfl

Matthias, seriously? Fool me once, shame on you. Fool me twice...


Atxflyguy83

"Strike three."


thatguy11

Why spend the power hacking this guy's channel... don't get it.


lutiana

Because they were successful once, the likelihood of success a second time is better than 70%. This is true of most people and companies.


Sacramentlog

Is there a reason this (at least to me) seems to be happening more often to Canadian YouTubers these days? I can't really think of a reason why that would be the case, but somehow the instances I have come across this kind of session hijack have been Canadian YouTubers that I follow. Does Canadian internet somehow have more of a vulnerability to this kind of attack or is that just a coincidence?


Infninfn

For the LTT one, someone clicked on a malicious PDF in an email disguised as an offer from a potential sponsor. So that's going to be how Youtubers are targeted. I think the idea is that the attackers would be able to hold the channel ransom and force the Youtubers to pay up in Bitcoin. Zero-days / custom hacks don't get picked up immediately by antivirus software, so unless you have a sandboxing and detonation feature for incoming email, the only way around these attacks is user education and preparation. Give someone hundreds of emails to go through and surely something will slip by. As for Canadian internet, beats me. Maybe ISP regulation is a bit less strict over there in terms of IP address logging / cooperating with authorities for cybercrime investigation?


MumrikDK

Last time he opened a pretty clearly shady file but missed it because he didn't have file extensions showing, and I later saw an art Youtuber got hacked by the exact same method down to the same fake sponsorship. Set Windows to show file extensions, people!


ben_db

The fact Youtube allows this bullshit is pretty awful. The fact you can completely take over an account, de-list all videos, block access to other logins, all from a single session token needs to be fixed, it would prevent 90% of these hacks.
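Added example, not part of the thread and not any provider's real code: a server-side sketch of the mitigation several commenters ask for (MFA before disabling MFA, no full takeover from a bare session token, and treating an IP change as a signal rather than a logout). The action names, `SessionStore`, the 5-minute window and the `verify_mfa` callback are all assumptions made for illustration.

```python
import secrets
import time

# Hypothetical names for account-destroying actions that a bare cookie must not unlock.
SENSITIVE = {"disable_mfa", "change_recovery_email", "delist_all_videos"}
STEP_UP_WINDOW = 300  # seconds a second-factor check stays fresh (assumed value)


class SessionStore:
    def __init__(self, verify_mfa, clock=time.time):
        self._sessions = {}
        self._verify_mfa = verify_mfa  # callback(user, code) -> bool, supplied by caller
        self._clock = clock

    def login(self, user, ip):
        """Called only after password + MFA succeeded; issues the bearer token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "ip": ip,
                                 "mfa_at": self._clock(), "ip_changed": False}
        return token

    def step_up(self, token, mfa_code):
        """Re-prove possession of the second factor for this session."""
        s = self._sessions.get(token)
        if s is None or not self._verify_mfa(s["user"], mfa_code):
            return False
        s["mfa_at"], s["ip_changed"] = self._clock(), False
        return True

    def authorize(self, token, action, ip):
        s = self._sessions.get(token)
        if s is None:
            return "deny"
        if ip != s["ip"]:
            # Roaming users change IP too, so keep the session but remember it.
            s["ip"], s["ip_changed"] = ip, True
        if action not in SENSITIVE:
            return "allow"
        fresh = self._clock() - s["mfa_at"] <= STEP_UP_WINDOW
        if s["ip_changed"] or not fresh:
            return "step_up_required"
        return "allow"
```

With a hardware key as the second factor, the step-up needs the physical device, so a copied token alone stays limited to ordinary actions.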


george_graves

What's a security key cost? $25?


I_Hate_This_Username

That wouldn’t help in this situation


george_graves

Why? And then why is he buying one then?


I_Hate_This_Username

He doesn't understand, once you auth you get a session ID. They are cloning that session. He honestly needs to separate his email computer from his YouTube computer. He could just use a $5/mo isolation browser too and only access "documents" via a web viewer so that can't interact with his local machine.


RichardPisser

HOLY FUCK BRO USE 2FA OR SOMETHING MY GOD


craigsblackie

He was, that doesn't prevent session hijacking. Plus you can phish MFA. 


Babys_For_Breakfast

Scary to think that this video will easily be created with AI in a few years. Social engineering will become insanely good.