Linus Tech Tips – My Channel Was Deleted Last Night (opens in new tab)

(youtube.com)

35 pointsclankstar3y ago20 comments

20 comments

Pxtl3y ago

Once again, cryptocurrency has monetized cybercrime. Scams are substantially easier and harder to trace properly with crypto, helping cybercrime to scale up to this insane level we see today.

Thanks, bitcoin.

FredPret3y ago

TLDW: employee opens infected PDF from legit-looking email; session token stolen

aeroaero3y ago

How is this possible? Can someone point me in the direction of what mechanism is used here.

If I open a pdf in chrome for example am I opening myself up to this kind of attack?

Renaud3y ago

I would say first thing is to disable Windows Explorer from hiding the extension of files.

From what I understand, it was an executable inside a zip attachment to an email disguising itself as a partnership proposal from a reputable source.

The file inside the zip probably had a .pdf.exe extension. By default, Windows Explorer would show it as a .pdf, making it easy to run by mistake.

2 more replies

TheLoafOfBread3y ago

PDF can run JavaScript

WirelessGigabit3y ago

Couple of questions here on the virus side:

    Is there a link to the sample on VirusTotal?

Looking at how I can prevent this from happening to myself, am I missing something?

    Why didn't their email-service's anti-virus pick up on virus?
    In the case that it was in a zip, why didn't said anti-virus extract the zip & scan?
    In the case of a password-protected zip, why didn't the computer scan the file upon extraction?
    In the case of a scan upon extraction, why was it missed? Outdated definitions or zero day?

Linus also spoke about invalidating sessions. This is something that requires careful planning. We can't do it due to our teams switching VPNs so often.

We do enable Impossible Travel in Okta by default for our clients.

dawnerd3y ago

You'd think browsers would come up with a way to invalidate cookies and the like when data doesn't match the system.

kibwen3y ago

Any part of the system can be spoofed; virtual machines exist. In addition, once you have a session token, you don't even need to involve a browser, you can just make requests to the server directly.

From the perspective of a browser, it seems like a better mitigation would be to make it harder to steal these tokens in the first place. Cookies have to be persisted to disk in order to survive browser restarts, but maybe some cookies could be identified as password-equivalents and get stored in the system's keyring.

And of course, from the perspective of a server, they could probably be more credulous when they see a session token trying to make account management actions from a new IP.

samcat1163y ago

I wonder if there could be a new secure cookie/session token standard that makes use of hardware security keys like TPM/Secure Enclave to prevent them from being exfiltrated. They could be domain scoped for access like Passkeys are. Maybe DNSSEC could prevent MITM attacks of it as well.

scoks3y ago

Is there some kind of a sandboxed pdf viewer, that could prevent infected pdf access to the rest of the computer?

Renaud3y ago

From what he describes, the file disguised itself a PDF but may have been an executable instead, so the PDF viewer was probably never launched.

I blame Windows hiding the extension of known files by default.

`anything.pdf.exe` would show as `anything.pdf`

Can't blame people from thinking it's a PDF.

Otherwise, I use SumatraPDF as a viewer. Small, no frills, probably less of a vulnerability target than Adobe Acrobat.

Pxtl3y ago

Still, they should've gotten warning prompts for running an untrusted exe when they opened it, wouldn't they? I mean I know people are pretty well conditioned to ignore those, especially gamer geeks who are used to using dubious tools.

1 more reply

bren62x3y ago

Is Channel Manager an internal Google product for content creators? Or a third. Party app? I could not find any documentation.

input_sh3y ago

It's YouTube Studio, they just didn't say its name.

It allows creating granular permissions and you can see its interface around 08:15.

robbiet4803y ago

IMHO Pretty great of dbrand to step in and sponsor a topically sensitive video on short notice as well as provide a pretty big carrot to bring in a flood of traffic. Just ordered a matte black skin for my MBP 14". I have no relation to dbrand other than being an occasional customer.

1 more reply

j / k navigate · click thread line to collapse

20 comments

Pxtl3y ago

Once again, cryptocurrency has monetized cybercrime. Scams are substantially easier and harder to trace properly with crypto, helping cybercrime to scale up to this insane level we see today.

Thanks, bitcoin.

FredPret3y ago

TLDW: employee opens infected PDF from legit-looking email; session token stolen

aeroaero3y ago

How is this possible? Can someone point me in the direction of what mechanism is used here.

If I open a pdf in chrome for example am I opening myself up to this kind of attack?

Renaud3y ago

I would say first thing is to disable Windows Explorer from hiding the extension of files.

From what I understand, it was an executable inside a zip attachment to an email disguising itself as a partnership proposal from a reputable source.

The file inside the zip probably had a .pdf.exe extension. By default, Windows Explorer would show it as a .pdf, making it easy to run by mistake.

2 more replies

TheLoafOfBread3y ago

PDF can run JavaScript

WirelessGigabit3y ago

Couple of questions here on the virus side:

    Is there a link to the sample on VirusTotal?

Looking at how I can prevent this from happening to myself, am I missing something?

    Why didn't their email-service's anti-virus pick up on virus?
    In the case that it was in a zip, why didn't said anti-virus extract the zip & scan?
    In the case of a password-protected zip, why didn't the computer scan the file upon extraction?
    In the case of a scan upon extraction, why was it missed? Outdated definitions or zero day?

Linus also spoke about invalidating sessions. This is something that requires careful planning. We can't do it due to our teams switching VPNs so often.

We do enable Impossible Travel in Okta by default for our clients.

dawnerd3y ago

You'd think browsers would come up with a way to invalidate cookies and the like when data doesn't match the system.

kibwen3y ago

Any part of the system can be spoofed; virtual machines exist. In addition, once you have a session token, you don't even need to involve a browser, you can just make requests to the server directly.

And of course, from the perspective of a server, they could probably be more credulous when they see a session token trying to make account management actions from a new IP.

samcat1163y ago

scoks3y ago

Is there some kind of a sandboxed pdf viewer, that could prevent infected pdf access to the rest of the computer?

Renaud3y ago

From what he describes, the file disguised itself a PDF but may have been an executable instead, so the PDF viewer was probably never launched.

I blame Windows hiding the extension of known files by default.

`anything.pdf.exe` would show as `anything.pdf`

Can't blame people from thinking it's a PDF.

Otherwise, I use SumatraPDF as a viewer. Small, no frills, probably less of a vulnerability target than Adobe Acrobat.

Pxtl3y ago

1 more reply

bren62x3y ago

Is Channel Manager an internal Google product for content creators? Or a third. Party app? I could not find any documentation.

input_sh3y ago

It's YouTube Studio, they just didn't say its name.

It allows creating granular permissions and you can see its interface around 08:15.

robbiet4803y ago

1 more reply

j / k navigate · click thread line to collapse