I think there is some merit to the idea. If the password manager you use is remotely competent, that single account (more accurately, a username/password combination) is used to derive an encryption key that is not stored anywhere. That encryption key is used to encrypt and decrypt your password manager's vault. Now, the obvious caveat is that if someone gets access to your vault, they have a pretty good way of attacking it by brute-forcing the username/password combination. But here's the kicker: when you remove the need to put a lot of thought into generating a hundred plus different passwords and instead just have one password, you can focus your energy on making that single password a lot stronger. Of course, this is reliant on the fact that you know how to do this, but this can be remediated with devs that know what they're doing and good documentation on how to make good passwords. You may also opt to add a pepper to your passwords (i.e. have a random string you add to every password that you don't write down), wherein even if the vault gets compromised, the attacker still has to figure out what your pepper is, and that adds the additional effort of compromising other databases or brute-forcing account logins. Additionally, if you don't trust a cloud database hosting all of your passwords even if they're end-to-end encrypted, you can always opt to self-host, which significantly increases the difficulty of compromising your vault (since, you know, someone would have to get into your network, compromise your Bitwarden database, and THEN brute-force the username/password combo). And you can always opt to use a password book, but usually that succumbs to a similar problem with more of a headache and no possibility for encryption.
One final note: brute-forcing these vaults is often more difficult than brute-forcing an individual password because, again, if the provider knows what they're doing, the derived encryption key should be made with an algorithm that takes time and resources to generate. Of course, in a single attempt a few extra milliseconds is negligible, but when we're dealing with millions and billions of attempts? That can be the difference between losing your vault and an attacker giving up and moving on to an easier target. That said, yeah, I completely get the hesitation with "putting your passwords in the cloud."
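The derive-then-encrypt vault model this comment describes, as an added example (not from the video, LastPass or Bitwarden): the account e-mail is assumed to be the KDF salt, the iteration count and optional pepper are the two knobs the comment mentions, and the derived key is never stored, so a wrong password, wrong pepper or changed iteration count simply fails the tag check. The HMAC counter-mode cipher is an illustrative stand-in for a real AEAD such as AES-GCM, and all function names are hypothetical.

```python
"""Stdlib-only model of a password-manager vault: master password (+ pepper)
goes through a slow KDF salted with the e-mail; the result encrypts and
authenticates the vault and is held only in memory. Added example, not any
vendor's code. The XOR keystream below stands in for AES-GCM."""
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

KDF_ITERATIONS = 600_000  # illustrative default; each guess costs this many HMACs


def derive_vault_key(email: str, master_password: str, pepper: str = "",
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over password||pepper, salted with the normalized
    e-mail (assumption). Only the caller holds the result; nothing is stored."""
    secret = (master_password + pepper).encode()
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def _split_key(vault_key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC subkeys from the one derived secret.
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(entries: dict, vault_key: bytes) -> dict:
    """Encrypt-then-MAC the vault. The returned blob is all a server would
    hold: nonce, ciphertext and tag, none of which reveals the key."""
    enc_key, mac_key = _split_key(vault_key)
    nonce = os.urandom(16)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag}


def unlock_vault(blob: dict, vault_key: bytes) -> Optional[dict]:
    """Verify the tag before decrypting. A wrong password, pepper or iteration
    count derives a different key, so the tag check fails and None is returned;
    the same happens if the stored ciphertext was tampered with."""
    enc_key, mac_key = _split_key(vault_key)
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, stream)))


if __name__ == "__main__":
    # Constructed sample vault and credentials (not real accounts).
    key = derive_vault_key("alice@example.com", "correct horse battery", pepper="Q7")
    blob = lock_vault({"example.com": "g3n3rated-p@ss"}, key)
    print("unlocked:", unlock_vault(blob, key))
    print("without pepper:", unlock_vault(blob, derive_vault_key("alice@example.com", "correct horse battery")))
```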
@@naughtyhieroglyph669 Using a password manager is factually the best option out there, just not one hosted by a company, host your own Bitwarden server or just use KeePass and make backups of the files, done, no more security risks.
A WitSec leak would be catastrophic, even if no one was harmed. The amount of resources that would need to be expended to save everyone would be staggering.
This could have a lot of security risks for all kinds of institutions and companies. Imagine how that data could be correlated, I hope this isn’t a domino effect about to go down. WEF and FDIC talking about cyber attacks and here this happens…
It's amazing a password manager subscription got hacked, so that being said, let's be honest, it could've been a lot worse; at least it was targeted towards certain people and not everyone.
We really don't know. Any subscription company can sell information to other companies. And in case those other companies will need more information on a certain user from the subscription company, the best excuse is getting hacked while providing the information to those other companies. Getting hacked is really a good excuse nowadays for companies.
I would like to remind people reading the comments to leave a like for this man, he has worked hard for this video and has taken time out of his own personal schedule just to keep us updated and safe from cybersecurity threats. You have earned my sub!
The moment they switched to a one-type-of-device-per-free-account-only system, I immediately left them for Bitwarden, a free password manager that lets you store as many passwords as your heart's content, and does not lock all-device access for the Bitwarden app behind a paywall. They have some more advanced features in their pro version, and I respect them for putting all the necessities on the free tier; I would gladly donate to them. Shame on you, LastPass.
The irony is I was considering getting one of these cause I’m fucking lazy. Ended up choosing not to do so cause I was like, what if it gets hacked. Oh how the turn tables
There's an open source one that comes bundled with some Linux distros whose name has slipped my mind, that one might be the best cloud/electronic option. But yeah your best bet is just a notebook stashed away somewhere in your house.
Yo Muta, if ya see this comment I wanna say thanks for helping me through some dark times. Your content always helps me sit back and clear my mind of my anxiety and extreme OCD. Much love Muta
Yeah I got hit by the last pass hack, however I was so lucky that I got lazy and only used it for my steam and like 1 account that was easy to reset. I actually was going to use it MORE but it's like nowhere is safe
The icing on the cake is the fact that they ran outdated code from a program on their work machine for their personal use... it's like basic 101 of any type of IT team from all of their departments: never mix personal and work devices... I also BYOD for my work but I don't connect to the network, or if I need to connect to the network for some goddamn reason, they have already isolated my BYOD machine to be unable to access the internet and other devices on the network except my work laptop... I also use different OSes on those 2 devices just to screw with any potential software running in the background on either machine... the ironic part was I was arguing with some fans of some YouTuber who was an IT security guy who was promoting LastPass... and I was arguing how stupid people are to trust an online password manager to store your login credentials to all your sites... and look at how the tables have turned... how ironic the world is... how moronic these people must now feel...
The fact that a corporate company hack happened bc an update wasn't done is wild to me. I work in insurance, we don't get to choose to update or not. My system updates weekly.
This is why it's frustrating when people try to put non-work applications on work computers. I don't trust an employee to update the software unless it stops working or they have already configured it to automatically update. Yet IT isn't going to update software that is not business critical. Despite this, it's crazy how people don't see the problem with this.
Kind of a useless hack. Even if they get the whole S3 dump, what's the point when the generated password is always random? Except for a fraction of cases where the users are making up their own password, they could build a rainbow table or dictionary for later attacks. Unless they're targeting the people immediately, the long-term ROI or the value of the dump in the marketplace is pretty low. Not recommended.
A buddy of mine used to work with the Marshall's user website, he would always say it was a huge mess, and the coding he had to maintain was a security nightmare. He also said things about the fact that he had to make the website very nice for a few uber rich people that sat at the desks at the Marshalls and not for the public and it just wasn't for him, he hated the feeling he got from it.
My approach for passwords is the lazy route. For frequently used sites I use unique strong passwords I remember. For everything else, I sign up, use a unique password, forget about them, and if I need to log back in, I use the "forgot password" function. Works like a charm.
I cannot, in good conscience, ever sympathise with a company. That being said, sometimes hearing that a certain company got hacked does scare me, not for their sake, but for all of us who may have had our data stolen bcuz of this.
I actually used LastPass for quite a while, and the first breach news didn't worry me too much... then it just kept getting worse and I was like "WELP. I'M OUT."
I just use a random notebook and a pencil. For a one-time payment of like 5 dollars, I can have a completely unhackable password manager that can potentially store thousands and thousands of passwords.
I'm lucky I stopped using LastPass a year or so ago; all my important accounts have updated passwords since then... the crazy thing is the only reason I stopped using it was because it didn't let me use mobile AND desktop anymore and it was a hassle.
Half the time updates break stuff or introduce new requirements that make using the software a lot less convenient. I completely understand the "if it ain't broke" mentality of running old versions.
Check out the newest episode of the podcast:
ruclips.net/video/0S1QPBnp8BM/видео.html
Nice
W
3rd btw (didn't see it)
No
nice
Bruh. Not only did the guy not update plex in years, but presumably also had that OPEN TO THE INTERNET. What in god’s name is he doing working at a security company.
LastPass also never upgraded its password hashing for 10 YEARS on some customers. LastPass is still adding "noindex" HTML tags to its breach notices, so people can't find them on Google. LastPass as a policy does NOT encrypt site URLs (hello anyone with an AshleyMadison login saved). This company is a scam, trying to milk anyone that doesn't understand how dangerous they are.
@@Instabruh.User.. you talk about the MACV-SOG?
man we no longer are in Vietnam
@@BlockedUser420 no shit
My work laptop given to me by my company restricts basically everything from being installed onto it. I can get VERY basic things from THE COMPANY'S app store, but the Microsoft store isn't even installed on it, so this EXACT scenario doesn't happen. You'd think that a company that deals with safeguarding people's passwords would be even more strict than my company when it comes to potential risk. Unreal.
My work laptop is the same way. We can't install anything that isn't already cleared by security. Anything new has to go through a whole audit process. It blows my mind that not all companies do this.
That's probably because you're a non-IT employee.
Engineers/IT typically get local admin rights to their and everyone else's computers though, to be able to install almost anything.
Though I wonder if a DevOps Engineer would get local admin, as they're technically not IT but software.
Mine's the same. Can't even plug USB sticks into it. The fact that this was even possible is shocking.
@@whothou9154 yes typically software engineers will get local admin for virtualization/debugging/deployment
@@whothou9154 I'm an entry level software engineer and have local admin rights on my computer but not on dev environments (remote desktops). Only a few people at the company have the ability to generate admin passwords for dev environments and those passwords last for 6 hours. This is a small business, less than 50 people.
I wouldn't call it the worst cyberattack, but it's definitely one of the most pathetic. The fact that someone with high security clearance would use an obviously unauthorized app on a work device and then not update it for years....Normally I don't like the idea of industry blacklists, but this person went above and beyond to earn a spot there.
@Don't Read My Profile Picture sure
I suspect he didn't update it because it was unauthorized and could not reach the update server :)
Sometimes overly aggressive security policy may incentivize users to do really stupid things...
@@grzegorzdomagala9929 I'm impressed they managed to install it.
@@YumiNeeosu lol these accounts have to be one of the lamest attempts at getting attention I've ever seen .. smh makes me wonder who wastes time doing this or programming a bot to do this and what their median age is lol.. I don't get it ¯\_ (ツ)_/¯
@@grzegorzdomagala9929 stop using non work programs on work machines, it's that goddamn simple.
As a fellow engineer, I’m screaming into the void at this entire situation.
A 2020 CVE!?!?
Saw this before going in the video. I'm having a hard time accepting this...
There's some 2013 CVE's that have either resurfaced or been republished, for various reasons of course. You don't have to go far to even find "top companies" in whatever industry skimping on this kind of stuff, because IT is only ever seen as a cost center. I'd still be shouting into the void if I weren't so tired.
This clickbait is hella cringe lol.
noobs, sir, noobs
During my pentest engagements, I still find EternalBlue ALL THE TIME.
Businesses and people really need a LOT of help securing themselves
I swear Muta puts out a "the worst hack ever" video at least once a month
true 🤣
hackers must be looking for the one piece
THE ONE PIECE IS REAL!
Damn man seems like technology and hackers are getting better every day to the point muta has to be the one to call them out
@@grassmonkeyO5 😂
So, in summary: don't mix personal with work. This includes mixing your company data with your personal data.
Thanks for the reminder 👍
This includes your personal life with your work life too. Work is not your friend, and your coworkers are not family.
what about a spontaneous urge to wack one out?
@@Ew4ya that's why you wack one before you get to work.
@@Ew4ya do it to memory
Cyber attacks are a crazy thing, the thing that surprises me the most is even allied countries are attacking each other non stop everyday. Trust no one.
Don’t go into the comments it’s a cringe cesspool in this thread.
There is no such thing as allies in modern society, just business partners.
@ItzSyakirin r/youngpeopleyoutube
Well, allied countries are allies as long as there are any benefits. Also the alliance is of course made by the previous president or previous head of the country.
An example would be the Philippines. Just a few years ago the president strengthened their alliance with the US. But the following presidents either dislike the US or value the alliance with China more. But the Philippines still has an alliance with the US even with all the stuff that happened.
@ItzSyakirin this is the cringiest thing I’ve read. You have got to be no older than 8 years old.
Sounds like you're not part of the muscular class, so I'll enlighten you: it's called steel sharpened steel duuuuu.
I need a "Worst Cyberattack Tier List" that Mutahar has covered to date. Please.
Now that's a good video idea
This would be awesome!! Everyone upvote this!!
It just goes to show that hacking isn't so much "cracking code" as much as it is exploiting negligence and ignorance
I blame the company for hiring irresponsible, no-good engineers in senior positions.
They can’t even find good employees to replace old engineers, that’s why. They ask for too many tasks and responsibilities which increase the odds of this happening.
@@Labyrinth6000 this
cronyism side-effects if you ask me. a buddy hires a buddy but your buddy sucks at his craft so now this. and yeah, the job descriptions HR come up with are always ridiculous so they have an excuse to hire who they like the most without getting sued
nah its just idiocy some dude had his pw updates probably set to not update due to some work based restrictions initially and forgot to ever update his policy once his issue was resolved, lol 3 years too late
sometimes, its the lack of growth/innovation & sometimes its the job descriptions responsibilities over little pay, no one wants to work there, sometimes the case they end up hiring unqualified or not experienced enough to handle the position without any help.
According to the article at Ars Technica, it was the developer's home computer. Apparently "only" 4 senior devs were allowed to access the vaults via their home computers which really, really made my head explode.
Can somebody get a compilation of Muta saying something along the lines of "And no I'm not exaggerating THIS is the worst hack" it would be beautiful. Not as a flame, as a lovely memory
This is why pen and notebook is crucial. But yes Lastpass should be sued
@ItzSyakirin "look mommy I can get people's attention too"
you can easily host an offline encrypted vault of passwords
Me: *laughs in KeePass*
Are you gonna bring that password notebook to work? What if your colleagues or someone else steals it.
Pen and paper clearly has higher risks.
@@g2jxGhF5G8z1gL7S it’s not tho 😂
So this company was proven unreliable a year ago and the US Marshalls continued to use it?
Having had to interact with USMS, I'm not surprised.
The US Government will use outdated technology until they are forced to upgrade. The jail in my town was primarily running on Windows 95 until 2010
@Broskisnowskinot necessarily. You should see the price tag on some of the hardware and software they use. It feels like they go for the most expensive but least effective stuff. It’s wild
@@breguera77 The government never pays consumer prices. They're quoted higher amounts because of their (pretty much) unlimited budget. 'Military grade' things for the consumer will be priced lower but they'll be priced wayyyyy high when they're sold to the military. Which makes them opt for 'bottom of the shelf' equipment sometimes.
@Broski Snowski nah, it means the supplies from the biggest lobbyist.
You forgot about the 4th option. Writing them down in a secure location (like a locked diary or something). And option 5, encrypting and storing your own passwords on your own.
Yes...no, big nope. Might work, perhaps even worse than remembering passwords: you can lose it too, someone else can take it, it can be damaged by flooding, idk, too many things
@@sinonimo8719 Why are you storing your passwords in only one place?
The fact that they let a cyber sec engineer use any type of personal shit on the same device that is used to access company data is crazy
you can't physically stop a worker from it, it's kinda not possible
He was working from home so there was no way to stop him.
@@raylax7056 you can audit them, you can educate them, you can punish them
This is why hard paper is still king, and I mostly use paper to keep track of everything, like an old-school mobster accountant
My IT instructor drilled in my head, "Always stay updated."
My brain still glazes over whenever Muta talks about cyber attacks. But him mentioning that streaming movie app seemed interesting. I dunno how safe it is but that's certainly one thing to keep on my radar.
“Muta this the 4th time you’ve shown the class “the worst cyber attack you’ve ever seen” this year”
Bro, i had the notif on my iphone for this upload for three minutes, and i came to the channel home page on my pc and i literally couldn't find this video. I had to search for it word by word in the search bar. That's weird.
Anyways. Love the content as always. Truly give us the widest range of interesting internet hermit shit i've ever had the joy of accessing.
Tbh I use a copy book as a password manager. People say it's a waste of time to write down my passwords into it every time I create an account on something, but it's shit like this that only makes my case stronger 😅
People literally forget it takes 30 seconds to a minute to write down an email, password and title for what the account is for. Also, you can't hack a notebook in someone's closet...
KeePass.
Just use KeePass.
Same
same
@@R3AL-AIM a house fire can
I’ve recently started watching you btw and I do like the style of these. They feel fairly personal, they’re usually shot at night too which is similar to my sleep schedule, and it’s just like having a chat and laughing about news nowadays. Keep it up, love the relaxed feel to these types of vids.
Relaxed?
You've just perfectly described why I've been watching Muta for years now! 😅
This reminds me I need to reflash my rooted phone to update the security on it soon.
You know once upon a time around high school I was a last pass user. When I got disillusioned about security in "The Cloud" (someone else's computer) I decided to store my passwords myself with keepass. Probably not the greatest thing but not the absolute worst.
i use keepass, too :c)
Anything at this point is better than LastPass
I'm a senior engineer and rarely update my stuff. Bleeding edge bites you too. Just don't use the work PC for non-work things.
There is also a fourth option... just writing down your passwords on pencil and paper 🙄
efficient until Jamal in the hood comes to your house with a wrench and beats you up and takes your papers lol.
or worse yet, your house burns or gets flooded.
let's be honest, there is no such thing as a 100% failproof solution.. maybe 95-99%
@@heyjeySigma I agree but I mean who in their right mind ever thought that paying a company to store all of your passwords would be a smart idea. They say that it is only stored on your computer sometimes but facebook says they don't sell your data.
I can't remember how many friends and family I warned to stay away when LastPass did their huge social media advertisement campaign because how could they not be painting a huge target on their back from square one? Sure the zero knowledge model helps delay compromises, but you can bet bad actors with enough funding can crack them. It does suck that at this point it boils down to "I told you so" which can hurt the reachability of the people who need to heed the warnings most.
Keep fighting the good fight Muta.
This is why I save my important accounts on a separate drive with my car keys and useless stuff in pass managers
How do you do that? I'm keen to know how to stay safe.
@@sommerforrest2694 Just have some notepad files and save it into a flash drive or something. I didn’t label which account is which either so if someone steals it, it wouldn’t make any sense
Wiser words have not often been uttered.
I (for one) am glad LastPass has been open about the extent of the intrusion.
Keep spreading the gospel, I testify.
17:00
you're a real one Muta. thanks for bringing a smile to my face, I'm poor and lonely but you always stay real and make it feel like ur talking to us as a friend.
I keep seeing ads for all sorts of password storage apps but I keep reminding myself that nothing on the internet is safe and putting all your passwords into one single database is just asking for trouble.
Honestly my favourite video from you so far Muta, imho your best work yet. Good stuff my friend
This was the best Cybersecurity related video to date by muta, funny and informative. This channel in the last several years has been a big part in why I'm getting my masters in Cybersecurity right now. Keep up the good work!
Bitwarden FTW. I let Bitwarden manage my vault. While I'd like to run my own Bitwarden server, I just don't have the energy to do IT work off the clock. I love this industry, and I love Linux so much that I run it as a daily, but sometimes I just want to step away after work.
As a student in cybersecurity, I love watching Muta
Bitwarden with a YubiKey for 2FA is my personal favorite.
You know it's a Mutahar video when Mutahar is in it...
You know it's a video when there are moving pictures.
Had a botnet get into an apartment complex I was living in not super long ago. Had me paranoid to the point where I was having a hard time differentiating between actual things related to the attack and my own imagination reaching for connections. Ended up having to move after having to close my bank account and opening a new one. Thankfully, nothing was stolen. I feel bad for the people still living there.
Paranoia
Still laughing my ass off at the very idea that anyone would think that hosting all their credentials behind a single account, thus creating a single point of failure, was a good idea.
I think there is some merit to the idea. If the password manager you use is remotely competent, that single account (more accurately, a username/password combination) is used to derive an encryption key that is not stored anywhere. That encryption key is used to encrypt and decrypt your password manager's vault.
Now, the obvious caveat is that if someone gets access to your vault, they have a pretty good way of attacking it by brute-forcing the username/password combination.
But here's the kicker, when you remove the need to put a lot of thought into generating a hundred plus different passwords and instead just have one password, you can focus your energy on making that single password a lot stronger.
Of course, this is reliant on the fact that you know how to do this, but this can be remediated with devs that know what they're doing and good documentation on how to make good passwords. You may also opt to add a pepper to your passwords (i.e. have a random string you add to every password that you don't write down), wherein even if the vault gets compromised, the attacker still has to figure out what your pepper is, and that adds additional effort of compromising other databases or brute forcing account logins.
Additionally, if you don't trust a cloud database hosting all of your passwords even if they're end-to-end encrypted, you can always opt to self-host, which significantly increases the difficulty of compromising your vault (since, you know, someone would have to get into your network, compromise your Bitwarden database, and THEN brute force the username/password combo). And you can always opt to use a password book, but usually that succumbs to a similar problem with more of a headache and no possibility for encryption.
One final note: Brute forcing these vaults is often more difficult than brute forcing an individual password because again, if the provider knows what they're doing, the derived encryption key should be made with an algorithm that takes time and resources to generate. Of course, in a single attempt a few extra milliseconds is negligible, but when we're dealing with millions and billions of attempts? That can be the difference between losing your vault and an attacker giving up and moving on to an easier target.
That said, yeah, I completely get the hesitation with "putting your passwords in the cloud."
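The comment above describes three things in words: a master password turned into a vault key by a slow key-derivation function, a user-held pepper that never touches the vault, and why iteration count matters once an attacker is running millions of guesses offline. The following is an added example that models all three with the Python standard library; it is not LastPass or Bitwarden code. The e-mail address, iteration counts, wordlist and pepper are constructed for illustration, and the HMAC "verifier" stands in for the real encrypted vault (an attacker checks a guess by decrypting and seeing whether it authenticates; the cost per guess is the same).

```python
"""Toy model of a zero-knowledge password vault.

Added example, not code from any password manager. The master password never
leaves the client; PBKDF2 turns it into the vault key, and a stolen vault lets
an attacker test guesses offline against nothing but that key.
"""
import hashlib
import hmac
import time

KEY_LEN = 32
LOW_ITERATIONS = 1_000      # constructed: a stale, under-provisioned KDF setting
HIGH_ITERATIONS = 200_000   # constructed: a modern setting (real products use more)


def derive_vault_key(master_password: str, email: str, iterations: int, pepper: str = "") -> bytes:
    """PBKDF2-HMAC-SHA256 over (master password || pepper), salted with the
    lower-cased account e-mail. The salt is public; only the password is secret.
    `pepper` models the user-held secret from the comment above: it is never
    stored with the vault, so vault + e-mail alone are not enough to test guesses."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        (master_password + pepper).encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def vault_verifier(key: bytes) -> bytes:
    """Stand-in for the encrypted vault: a MAC over a fixed string under the
    derived key. Anyone holding the vault can check a candidate key this way
    without ever contacting the provider's servers."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def offline_crack(verifier: bytes, email: str, iterations: int, wordlist, pepper_guess: str = ""):
    """Offline dictionary attack against a stolen vault.
    Returns (password, guesses) on success or (None, guesses) when exhausted."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        key = derive_vault_key(candidate, email, iterations, pepper_guess)
        if hmac.compare_digest(vault_verifier(key), verifier):
            return candidate, guesses
    return None, guesses


def seconds_per_guess(email: str, iterations: int, samples: int = 3) -> float:
    """Measured cost of one PBKDF2 guess on this machine at `iterations`."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", email, iterations)
    return (time.perf_counter() - start) / samples


def crack_time_seconds(keyspace: int, per_guess: float) -> float:
    """Worst-case single-core time to exhaust `keyspace` candidate passwords."""
    return keyspace * per_guess


# constructed wordlist; "hunter2" is the fifth entry
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "Tr0ub4dor&3"]

if __name__ == "__main__":
    email = "alice@example.com"  # constructed
    stolen = vault_verifier(derive_vault_key("hunter2", email, LOW_ITERATIONS))
    print("weak password, no pepper:", offline_crack(stolen, email, LOW_ITERATIONS, WORDLIST))

    peppered = vault_verifier(derive_vault_key("hunter2", email, LOW_ITERATIONS, pepper="x9!Qz"))
    print("same password + pepper, attacker lacks it:",
          offline_crack(peppered, email, LOW_ITERATIONS, WORDLIST))

    for iters in (LOW_ITERATIONS, HIGH_ITERATIONS):
        spg = seconds_per_guess(email, iters)
        # 10 random alphanumeric characters: 62**10 candidates
        years = crack_time_seconds(62 ** 10, spg) / 3.15e7
        print(f"{iters:>7} iterations: {spg * 1e3:.2f} ms/guess, 62^10 keyspace worst case {years:.2e} years")
```

Two caveats worth reading off the numbers rather than the prose. First, the timing line is for one CPU core: PBKDF2-SHA256 is cheap to run on GPUs, so a funded attacker divides that figure by tens of thousands, which is why memory-hard functions (Argon2id, scrypt) and a high iteration count both matter. Second, the pepper in this model is just extra secret entropy appended to the password; it only helps if it is genuinely not stored anywhere the vault is, and a short guessable pepper adds little.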
The sad bit is cybersecurity "experts" still screech that you need to use a password manager.
Better than using the same 8-character password over and over.
And the other option is.... ?
@naughtyhieroglyph669 Using a password manager is factually the best option out there, just not one hosted by a company. Host your own Bitwarden server or just use KeePass and make backups of the files. Done, no more security risks.
A WitSec leak would be catastrophic, even if no one was harmed. The amount of resources that would need to be expended to save everyone would be staggering.
"Why am I not surprised?" - John Stewart/Green Lantern (Justice League Animated)
This could have a lot of security risks for all kinds of institutions and companies. Imagine how that data could be correlated, I hope this isn’t a domino effect about to go down. WEF and FDIC talking about cyber attacks and here this happens…
Babe wake up new "the worst cyber attack ever" lore just dropped
It's amazing a password manager subscription got hacked. That being said, let's be honest, it could've been a lot worse; at least it was targeted at certain people and not everyone.
We really don't know. Any subscription company can sell information to other companies. And in case those other companies need more information on a certain user from the subscription company, the best excuse is getting hacked while providing the information to those other companies. Getting hacked is really a good excuse nowadays for companies.
having a subscription to an online password manager sounds like the dumbest idea ever
The attacker got access to cloud backups. That’s pretty bad.
Guess saving passwords on a piece of paper works better than a password manager.
@razorback9999able That and something like a Titan security key are probably the most secure way you can store/secure your passwords.
The worst I've ever seen is a ransomware hack that destroyed my dad's successful company after 30 years of hard work.
I love when Muta gets pissed off 😂
I honestly have no idea how Password Vault programs don't ring any alarm bells. To any decent hacker, how is that not just a lootbox for them.
It is
I was hoping you had some info on the dish ransomware attack!
I would like to remind people reading the comments to leave a like for this man, he has worked hard for this video and has taken time out of his own personal schedule just to keep us updated and safe from cybersecurity threats.
You have earned my sub!
Welcome to cyberpunk where there's always cyber attack. (That's what it feels like anyway)
No rest in Night city
The moment they switched to a one-type-of-device-per-free-account system, I immediately left them for Bitwarden, a free password manager that lets you store as many passwords as your heart desires and does not lock all-device access for the Bitwarden app behind a paywall. They have some more advanced features in their pro version, and I respect them for putting all the necessities on the free tier; I would gladly donate to them. Shame on you, LastPass.
The irony is I was considering getting one of these 'cause I'm fucking lazy. Ended up choosing not to do so 'cause I was like, what if it gets hacked. Oh how the turn tables.
There's an open source one that comes bundled with some Linux distros whose name has slipped my mind, that one might be the best cloud/electronic option. But yeah your best bet is just a notebook stashed away somewhere in your house.
The classic way is the safest way
As someone new to the security industry it’s crazy how much human failure is responsible for so many attacks .
Muda, just because your MySpace has been hacked doesn't mean it's the biggest cyberattack.
Muthony Dartano here, the internet's busiest tech nerd
Yo muta if ya see this comment i wanna say thanks for helping me through some dark times your content always helps me sit back and clear my mind of my anxiety and extreme ocd much love muta
Yeah, I got hit by the LastPass hack; however, I was so lucky that I got lazy and only used it for my Steam and like one account that was easy to reset. I actually was going to use it MORE, but it's like nowhere is safe.
The icing on the cake is the fact that they ran outdated code from a program on their work machine for their personal use.... It's like basic 101 of any type of IT team from any department: never mix personal and work devices...
I also BYOD for my work, but I don't connect to the network, or if I need to connect to the network for some goddamn reason, they have already isolated my BYOD machine to be unable to access the internet and other devices on the network except my work laptop... I also use a different OS on those two devices just to screw with any potential software running in the background on either machine....
The ironic part was I was arguing with some fans of some YouTuber who was an IT security guy who was promoting LastPass.... and I was arguing how stupid people are to trust an online password manager to store your login credentials for all your sites... and look at how the tables have turned.... how ironic the world is.... how moronic these people must now feel....
For their safety anyway, I'd be moving every WitSec on the roster!! This is so scary.
The fact that a corporate company hack happened because an update wasn't done is wild to me. I work in insurance; we don't get to choose to update or not. My system updates weekly.
muta back with another banger, let’s goo !!
This is why it’s frustrating when people try to put non work applications on work computers. I don’t trust an employee to update the software unless it stops working or already configured it to automatically update. Yet IT isn’t going to update software not business critical. Despite this, its crazy how people don’t see the problem with this.
Kind of a useless hack. Even if they get the whole S3 dump, what's the point when the generated password is always random? Except for a fraction of cases where the users are making up their own password, they could build a rainbow table or dictionary for later attacks. Unless they're targeting the people immediately, the long-term ROI or the value of the dump in the marketplace is pretty low. Not recommended.
This is the worst cyber attack I've seen ever.
Thank god the witness data wasn't leaked.
I figured you would have covered the Marshals, but glad you got us now. I've been wondering what you would say for days.
Who would've thought storing your passwords in an online database was such a bad idea?
When a breach happened a while ago, I canceled auto renewal. Perfectly timed, today, my subscription ended. LastPass account nuked.
WinGet would have solved all of this...
Supposedly Microsoft is working on restartless security updates, too.
A buddy of mine used to work on the Marshals' user website. He would always say it was a huge mess, and the code he had to maintain was a security nightmare. He also said that he had to make the website very nice for a few uber-rich people that sat at the desks at the Marshals and not for the public, and it just wasn't for him; he hated the feeling he got from it.
My approach for passwords is the lazy route. For frequently used sites I use unique strong passwords I remember.
For everything else, I sign up, use a unique password, forget about them, and if I need to log back in, use the forgot-password function. Works like a charm.
Man is our best source of info in these times.
@ItzSyakirin you’re joking right?
I cannot, in good conscience, ever sympathise with a company. That being said, sometimes hearing that a certain company got hacked does scare me, not for their sake, but for all of us who may have had our data stolen because of this.
Another banger of a vid mutahar🙏🎮
I actually used LastPass for quite a while, and the first breach news didn't worry me too much... then it just kept getting worse and I was like "WELP. I'M OUT."
Love your videos ❤
I just use a random notebook and a pencil. For a one-time payment of like 5 dollars, I can have a completely unhackable password manager that can potentially store thousands and thousands of passwords.
Mutahar never fails to make amazing videos
You didn't even watch this one.
It's been out 2 minutes.
@nneural Yes I did?
Having good OpSec is like being faster than your bad OpSec friend while you both are running away from a vicious hacker grizzly bear.
… Muta low-key implying they are in the Wit-Sec database? (j/k)
The worst cyberattack I have seen was the launch of Cyberpunk 2077.
You know it’s serious when Muta doesn’t laugh at the beginning of the video
I'm lucky I stopped using LastPass a year or so ago; all my important accounts have updated passwords since then... The crazy thing is the only reason I stopped using it was because it didn't let me use mobile AND desktop anymore and it was a hassle.
Not surprising. Every day there will be new loopholes, new security breaches, new people clicking on links they shouldn't, LOL.
Half the time updates break stuff or introduce new requirements that make using the software a lot less convenient. I completely understand the "if it ain't broke" mentality of running old versions.
You should be a dungeon master in D&D; you have the voice for it, lol 😅
Very cool mutahar, can’t wait for the worst cyberattack ever next week
This better be about the chapters indigo plum points cyber attack. I want 5 dollars off of my ridiculously overpriced books dammit
I use LastPass. Do I need to delete everything and get a new password/notes manager?
I think we all see things that make us mad
My school district recently got hacked, and we were all snowed in, so there wasn't much communication as to why everything was down.
It feels like every 3-6 months SOG tells us about the new worst cyber attack.
Shit's crazy.
As someone who is beginning to study cybersecurity, this makes me visibly frustrated.
You look very mutah today mutah
LastPass is one of the first companies where, instead of just not using their service anymore, I actively deleted my account.
dam
Thank god Muda has talked about this subject even more.
No views but there are comments, how is that possible?
@ItzSyakirin you mean Script kiddies AKA Bun Bun Girls
Remember kids: devops does not equal security minded. As a cyber security engineer, this whole situation is a giant facepalm.