The Biggest Hack In YouTube History
Video by Linus Tech Tips: https://youtu.be/yGXaAWbzl5A
Edited by: Daily Dose of xQc

This is me racing out of bed for our front row seat to my life's work vanishing before my eyes. Linus Tech Tips: Get back online. The bad news is that this kind of attack has become so commonplace on YouTube that when we sat down to prepare this video, it took us less than 10 seconds to find a huge channel that was dealing with exactly the same thing in that moment. Let's talk then about the motive for these attacks, the process changes that we and YouTube need to make, and how we can all work together as a community to educate and protect each other.

I Don't think anybody is anybody's doing any hacking? I think I Think this is all. um, social engineering. These days, acting is pretty much impossible across the border. There's only a couple things we can still hack it.

It's still just social engineering actors. Oh, but also to tell you about our sponsor Dbrand. Oh God Not Dbrand today? Really? Oh, actually no, this is good. Stay tuned as I'm not sure Bro, you don't know.

just stop. Fireworks started a little after three in the morning when the Linus Tech Tips account was renamed to Tesla and started streaming a podcast style recording of self-proclaimed techno. King Elon Musk discussing cryptocurrency. This in and of itself is not a scale, but the streams linked to a scam website that claimed that for every one Bitcoin this guy says I work in Infosec you are more right than wrong Bing Bro wasn't it in the Generals chat.

when you think about hacking. overall, you're thinking like brutes, forcing and like that. Okay, that's like old school type. then Bitcoin There's only a few hacking methods that are still running to this day.

Okay, people mostly will do social engineering and they're just gonna get like low-level employees with a bunch of um, pen testing tactics. and and there's they. just get what they want out of them. That's all.

They just talked like level one reps at most and they just they just they troll you sent. They would return double complete with fake transaction records showing other users. Definitely getting huge payouts over the next couple of hours. Then we sparred back and forth first.

I privated the streams, revoked the channel stream key, and attempted to reset the account credentials only to realize as I was investigating the source of the breach that I had been completely outmaneuvered. They were back in and the streams were live again. have okay. so I logged back in, nuked the stream again and I go to and they're up again and now videos are being Mass deleted from the channel.

Oh, over the next couple of hours playing log in. Whack-a-mole bro is this butt ass naked though? Linus Tech Tips: Tech linked and Tech quickie accounts were each used to host these Elon Musk crypto streams until they were ultimately nuked by YouTube altogether for violating YouTube's terms of service. and I could almost feel your thoughts through the screen right now. Linus Truly, after all these lectures about two-factor authentication, don't you even protect your own accounts? Course: I do.
But, while strong passwords and multi-factor authentication are very powerful security measures that you should use, they're not impenetrable. First up, let's talk 2FA. Not all. not, let's talk 3FA.

Also, people think 2fa is good if, but if you're using 2fa and they're both virtual type, it's still bad. You need to use 2fa, but you use a a physical second fa or 3fa with a physical. one, physical fa, still juicer. That's that's the real thing.

Five: if it doesn't exist, four doesn't exist. Why there's only three concepts in these security systems: Something that you know, something that you are, something that you have, something that you know a password, Something that you are your eyes, your fingertips. Some things that you have a physical tucl. All factors or additional authentication elements are equally secure.

The most common second factor, SMS, can be compromised by simple social engineering targeted at your phone carrier. Check out this video that we posted the last time our account was hijacked for more information about that. Oh my.

God Other comments: did you just say what? I said. Notification-based multi-factor is susceptible to fatigue attacks where a perpetrator will constantly try to log in hoping that you'll assume, oh, it's probably someone from work, or even just click on the notification by accident. Very problematic, and I'm looking at you, Google, since you can't disable this factor on Google accounts. Even time-based two-factor like Google Authenticator or Authy can be compromised.

Say, if you were to accidentally set it up or access it from an infected device. In spite of all of these issues with two-factor, though, it held the line last night. Our attacker not only never gained access to our additional authentication factors, they never even had our passwords. But how can that be? I mean... Well, as it turns out, they didn't need any of that. Nope.

Which is a big part of why it took me so long to clue in and stop the spread. I was so focused on the potential damage that could be done by someone who had commandeered my SMS messages or gained access to my Google Authenticator somehow, that I expended valuable time battening down the wrong hatches. If I had watched Theo Joe's recent video on the subject or at least skimmed the comments, I could have probably stopped the bleeding in a matter of minutes. Shout out Theo Joe. But I didn't, so I got to be educated the hard way about a breed of attacks that bypass trivial things like passwords and 2FA entirely by targeting what's known as a session token.

Oh, and if you do give yourself a cookie, but after you log into a website and your credentials have been validated, that site will provide your web browser with a session token. This allows your browser and by extension, you to stay logged in when you restart your browser and go to access that exported. Or this isn't a bad thing. it's a good thing because realistically, nobody wants to type in a password every time they want to post instant regret on the internet.
But hold on a second, that cookie is stored locally on your device. How would someone else get it? Yeah, they, that's where we made a mistake. Someone on our team, and I'm not saying it was Colton, downloaded what appeared to be a sponsorship offer from a potential partner. It was an innocent enough mistake for the most part.

The email came from a legitimate looking source, and it didn't raise any immediate red flags like being full of grammatical errors. So they extracted the contents, launched what appeared to be a PDF containing the terms of the deal. Then, presumably when it didn't work, went about the rest of their day. What happened in the background took place over the course of just 30 seconds.

The malware accessed all user data from both of their installments. Well, technically it's still social engineering because you're you're making a human do a dumb thing. Okay, that is still that is still account as so your your You're enticing a dumb up to to read something and be manipulated into clicking and Link It it still is. Let's see Chrome and Edge including everything from locally saved passwords to cookies to browser preferences, giving them effectively an exact copy of those browsers on the target machine that they could export, including that's right, session tokens for every logged in website.

Now, no one should unzip an email attachment. File extensions should always be double checked when you are executing anything, and any file that doesn't do what you expect should raise immediate red flags, but then on the flip side in a box right like an individual machine and bust that. I I Can hardly blame a sales rep or a video editor someone in accounting for not being up on the latest in cyber crime, and I also believe that in a healthy organization, it actually rolls up the hill rather than down. So there's not going to be any disciplinary actions Because the simple truth is that if we had more rigorous training for our newcomers and better processes for following up notifications from our site-wide anti-malware this could have been easily avoided.

As for why it took so long for us to lock down the account once we knew what was going on, that's another training issue, but this time it was my training. We use a system for our YouTube channels called Content Manager, which theoretically improves security by allowing us to dole out specific channel access roles to our various team members rather than just sharing the main account credentials with everyone who needs to access it. Way more complicated you can think of It kind of like replacing your one giant vault door with 20 smaller doors, any one of which realistically still chat. What did you give Admin to five accounts that gave Um upload rights to like 50 accounts each, and you had a list of a billion other emails, even to the vault.
Now in a perfect world because the smaller doors should have been restricted with less access than we configured, but hindsight is 2020. or at least I hope it is. The bottom line is that our Disaster Response processes need to improve because I realized at three whatever in the morning. Shout out Steve from Gamers Nexus for the wake-up call.

By the way that I actually didn't know how to reset the passwords and the access control across all of these channels in Channel Manager, and that is not the sort of thing that you want to be troubleshooting butt naked in the wee hours of the morning, but in the middle. why is he naked In fairness to me, the way that Google handles the intermingling of all their services is not the most intuitive and both Yvonne and I experienced numerous glitches and timeouts that prevented us from effectively using nicely. Global Once we did figure out how to use them, which leads us nicely, then into the next part of our discussion: I've owned what I did wrong. Fully clothed, full full.

Yep. to their credit I heard background was aware and working on it at the highest levels within about half an hour of reaching out to my YouTube rep. and they have seemingly improved their internal tools for managing this sort of thing a lot since the last time around. They've got forms you can fill out, and the partner reps that we've worked with seem to genuinely care.

Shout out: MC I'm so sorry this spoiled your spa day However, this entire process has been pretty opaque. Other than we're aware and working on it, the internal team doesn't seem to even be allowed to communicate with creators directly. I mean I get it? Security aside, idiot users probably won't have anything to contribute to their investigation. They figured out that the attack came from one of our non-video production teams pretty quickly and then actually banned that Google workspace account almost immediately.

I mean realistically, idiot users could just slow them down, but even a quick hey I know you're stressed. Uh, here's what's going on. and here's how we can keep this from spreading. would almost certainly have calmed my nerves and saved all of us some work by keeping techlinked and Tech quickie in our hands.

And another big problem is that this approach, you know, one-on-one only benefits larger channels like ours. I've seen quite a few people rightly express some resentment that we were able to get this resolved so quickly when their favorite Niche Creator X or why struggled with it for an extended period of time or even never got it fully resolved. So it's clear that there are some changes that need to be made, and here are a few of them in no particular order we need greater. Security Options For key Channel attributes I mean how can you change the name? The person who the person who had hacked my Twitter um, didn't Even apparently they they couldn't see my DMs because all they had is a Um, they just had an interface that they could use.
Apparently all they have is like, um, like an employee interface type. That's it. That's why they were able to tweet from my account, but they weren't able to see my DMs or damn anybody aim of a channel without having to re-enter your password and your two-factor What about resetting a stream? Uh, some admins and this is just one of the ways can be limited. Rate limiting is also widely used in API Access to services like YouTube for example, Google will only process a certain number of comment moderation actions per day through their API Well, I could see implementing something similar even if you are directly accessing the service.

but then rather than limited out, right, it could prompt for authentication. To be clear: I'm not saying every time you delete a video it should ask for your password, but say if you were trying to delete 10. All right. I Get Linus I Get it, you were hacked butt naked.

Embarrassing! I Can't feel bad though Jenny height is cooked up xqcl playing with your channel back sir yo this is X x on the video I'm going through my voice as well that is anyone knows that boy I Don't know. He's just so sorry.


By xQcOW

15 thoughts on “Xqc reacts to ‘my channel was deleted last night’ linus tech tips”
  1. Marcus TheOne says:

    I think, what he meant in the beginning, is that unlike the early 2000's, you can no longer get hacked as easily as pressing a link in the browser or a strange ad on the screen, but social engineering is still part of hacking, it's just the means to an end or the means to the hack

  2. LO2tdr0n3s says:

    can someone explain to me what the 7TV incident is?

  3. Chrissyeah says:

    xQc, listen man, there's only one authentication that matters, modern faceunlock. it's the future don't @ me.

  4. NavyBliss says:

    How tf does xqc know so much about security, he's correct about most "hacking" being social engineering and 2FA being ass. He definitely got lectured about security when he was hacked.

  5. Deslhorn says:

    The fact of the matter is Linus, and The Linus Media Group as a company both dropped the ball huge time… Where the help is your head of IT/Security? Typically they implement manners to screen any and all emails with files or links and manually review them as well before allowing non tech employees to open emails. Whoops!

  6. Muffin boll says:

    Sleeping clothed > sleeping naked

  7. Yanielor says:

    lil bro has black mold instead of a brain 💀

  8. Capeey says:

    mf just clicked for terabytes of futas and got hacked LULE

  9. Shadxw says:

    lil kids thinking hacking is possible wanting to rob banks and shit 💀 yall will get your reality check eventually.

  10. Riley says:

    Social Engineering is a way to get information to "hack" someone's account. Hacking is an overarching term, it doesn't mean Matrix level Hackerman. So he's kinda right but also wrong.

  11. Th3marshmello says:

    he reacts

  12. lol_statka says:

    love all the literal 13 year olds arguing about "hacking 🤓" when the most "hacking" they have ever done is booting up the command line on accident.

  13. pon says:

    I work in infosec too, blue team specifically, and social engineering is still a form of hacking lol also if anything – hacking is getting more clever as time goes on. the amount of services/devices that have the potential to be infected just keep increasing as tech evolves

  14. Arnii says:

    hacking is too easy nowadays
