The Worst Cyberattack I've Ever Seen...
- Published: 4 Mar 2023
- Hello guys and gals, it's me Mutahar again! Today we revisit LastPass and look over a cyberattack that might have happened in the most absurd way possible; with everything already leaked out, it's clear this company should be sued going forward. Thanks for watching!
Like, Comment and Subscribe for more videos!
Check out the newest episode of the podcast:
• First in line for iPho...
ruclips.net/video/0S1QPBnp8BM/видео.html
Nice
W
3rd btw (didn't see it)
No
nice
Bruh. Not only did the guy not update plex in years, but presumably also had that OPEN TO THE INTERNET. What in god’s name is he doing working at a security company.
LastPass also never upgraded its password hashing for 10 YEARS on some customers. LastPass is still adding "noindex" HTML tags to its breach notices, so people can't find them on Google. LastPass as a policy does NOT encrypt site URLs (hello anyone with an AshleyMadison login saved). This company is a scam, trying to milk anyone that doesn't understand how dangerous they are.
@@Instabruh.User.. you talk about the Macv-Sog?
man we no longer are in Vietnam
@@BlockedUser1 no shit
My work laptop given to me by my company restricts basically everything from being installed onto it. I can get VERY basic things from THE COMPANY'S app store, but the Microsoft store isn't even installed on it, so this EXACT scenario doesn't happen. You'd think that a company that deals with safeguarding people's passwords would be even more strict than my company when it comes to potential risk. Unreal.
My work laptop is the same way. We can't install anything that isn't already cleared by security. Anything new has to go through a whole audit process. It blows my mind that not all companies do this.
That's probably because you're a non-IT employee.
Engineers/IT typically get local admin rights to their own and everyone else's computers, though, to be able to install almost anything.
Though I wonder if a DevOps engineer would get local admin, as they're technically not IT but software.
Mine's the same. Can't even plug USB sticks into it. The fact that this was even possible is shocking.
@@whothou9154 yes typically software engineers will get local admin for virtualization/debugging/deployment
@@whothou9154 I'm an entry level software engineer and have local admin rights on my computer but not on dev environments (remote desktops). Only a few people at the company have the ability to generate admin passwords for dev environments and those passwords last for 6 hours. This is a small business, less than 50 people.
As a fellow engineer, I’m screaming into the void at this entire situation.
A 2020 CVE!?!?
Saw this before going in the video. I'm having a hard time accepting this...
There's some 2013 CVE's that have either resurfaced or been republished, for various reasons of course. You don't have to go far to even find "top companies" in whatever industry skimping on this kind of stuff, because IT is only ever seen as a cost center. I'd still be shouting into the void if I weren't so tired.
This clickbait is hella cringe lol.
noobs, sir, noobs
During my pentest engagements, i still find eternal blue ALL THE TIME.
Businesses and people really need a LOT of help securing themselves
I wouldn't call it the worst cyberattack, but it's definitely one of the most pathetic. The fact that someone with high security clearance would use an obviously unauthorized app on a work device and then not update it for years... Normally I don't like the idea of industry blacklists, but this person went above and beyond to earn a spot there.
@Don't Read My Profile Picture sure
I suspect he didn't update it because it was unauthorized and could not reach update server :)
Sometimes overly aggressive security policy may incentivize users to do really stupid things...
@@grzegorzdomagala9929 I'm impressed they managed to install it.
@@YumiNeeosu lol these accounts have to be one of the lamest attempts at getting attention I've ever seen .. smh makes me wonder who wastes time doing this or programming a bot to do this and what their median age is lol.. I don't get it ¯\_(ツ)_/¯
@@grzegorzdomagala9929 stop using non work programs on work machines, it's that goddamn simple.
I swear muta puts out a "the worst hack ever" video at least once a month
true 🤣
hackers must be looking for the one piece
THE ONE PIECE IS REAL!
Damn man seems like technology and hackers are getting better every day to the point muta has to be the one to call them out
@@grassmonkeyO5 😂
So in summary: don't mix personal with work. This includes mixing your company data with your personal data.
Thanks for the reminder 👍
This includes your personal life with your work life too. Work is not your friend, and your coworkers are not family.
what about a spontaneous urge to wack one out?
@@LetGoNoControl that's why you wack one before you get to work.
@@LetGoNoControl do it to memory
I need a "Worst Cyberattack Tier List" that Mutahar has covered to date. Please.
Now that's a good video idea
This would be awesome!! Everyone upvote this!!
I blame the company for hiring irresponsible, no-good engineers in senior positions.
They can’t even find good employees to replace old engineers, that’s why. They ask for too many tasks and responsibilities which increase the odds of this happening.
@@Labyrinth6000 this
cronyism side-effects if you ask me. a buddy hires a buddy but your buddy sucks at his craft so now this. and yeah, the job descriptions HR come up with are always ridiculous so they have an excuse to hire who they like the most without getting sued
nah it's just idiocy, some dude probably had his updates set to not update due to some work-based restrictions initially and forgot to ever update his policy once his issue was resolved, lol 3 years too late
sometimes it's the lack of growth/innovation, and sometimes it's the job description's responsibilities over little pay; no one wants to work there, so sometimes they end up hiring people unqualified or not experienced enough to handle the position without any help.
It just goes to show that hacking isn't so much "cracking code" as much as it is exploiting negligence and ignorance
Cyber attacks are a crazy thing; the thing that surprises me the most is even allied countries are attacking each other non-stop every day. Trust no one.
Don't go into the comments, it's a cringe cesspool in this thread.
There is no such thing as allies in modern society, just business partners.
@ItzSyakirin r/youngpeopleyoutube
Well, allied countries are allies as long as there are any benefits. Also, the alliance is of course made by the previous president or previous head of the country.
An example would be the Philippines. Just a few years ago the president strengthened their alliance with the US. But the following presidents either dislike the US or value the alliance with China more. But the Philippines still has an alliance with the US even with all the stuff that happened.
@ItzSyakirin this is the cringiest thing I’ve read. You have got to be no older than 8 years old.
Sounds like you're not part of the muscular class, so I'll enlighten you: it's called steal sharpened steal duuuuu.
According to the article at Ars Technica, it was the developer's home computer. Apparently "only" 4 senior devs were allowed to access the vaults via their home computers which really, really made my head explode.
Mutahar never fails to give me heart attacks by his titles 😂
At this point I just roll my eyes and mutter "Who got hacked THIS time"
Yeah that's clickbait for you
Dude I always feel the same, he has PERFECTED clickbait titles in the best way. I'm never mad, I always actually want to watch
As long as he stays on his meds.
How many hours you got in MSM dawg
Can somebody get a compilation of Muta saying something along the lines of "And no I'm not exaggerating THIS is the worst hack" it would be beautiful. Not as a flame, as a lovely memory
The fact that they let a cyber sec engineer use any type of personal shit on the same device that is used to access company data is crazy
you can't physically stop a worker from it, it's kinda not possible
He was working from home so there was no way to stop him.
@@raylax7056 you can audit them, you can educate them, you can punish them
So this company was proven unreliable a year ago and the US Marshals continued to use it?
Having had to interact with USMS, I'm not surprised.
The US Government will use outdated technology until they are forced to upgrade. The jail in my town was primarily running on Windows 95 until 2010
@Broski Snowski not necessarily. You should see the price tag on some of the hardware and software they use. It feels like they go for the most expensive but least effective stuff. It's wild
@@breguera77 The government never pays consumer prices. They're quoted higher amounts because of their (pretty much) unlimited budget. 'Military grade' things for the consumer will be priced lower but they'll be priced wayyyyy high when they're sold to the military. Which makes them opt for 'bottom of the shelf' equipment sometimes.
@Broski Snowski nah, it means the supplies from the biggest lobbier.
You forgot about the 4th option. Writing them down in a secure location (like a locked diary or something). And option 5, encrypting and storing your own passwords on your own.
Yes... no, big nope. Might work, but perhaps it's even worse than remembering passwords: you can lose it, someone else can take it, it can be damaged by a flood, idk, too many things
@@sinonimo8719 Why are you storing your passwords in only one place?
This is why hard paper is still king, and I mostly use paper to keep track of everything like an old-school mobster accountant
This is why pen and notebook is crucial. But yes Lastpass should be sued
@ItzSyakirin "look mommy I can get people's attention too"
you can easily host an offline encrypted vault of passwords
Me: *laughs in KeePass*
Are you gonna bring that password notebook to work? What if your colleagues or someone else steals it.
Pen and paper clearly has higher risks.
@@MO_Disk it’s not tho 😂
This was the best Cybersecurity related video to date by muta, funny and informative. This channel in the last several years has been a big part in why I'm getting my masters in Cybersecurity right now. Keep up the good work!
Bro, I had the notif on my iPhone for this upload for three minutes, and I came to the channel home page on my PC and I literally couldn't find this video. I had to search for it word by word in the search bar. That's weird.
Anyways. Love the content as always. Truly give us the widest range of interesting internet hermit shit i've ever had the joy of accessing.
My IT instructor drilled in my head, "Always stay updated."
My brain still glazes over whenever Muta talks about cyber attacks. But him mentioning that streaming movie app seemed interesting. I dunno how safe it is but that's certainly one thing to keep on my radar.
If you're old enough to remember the movie Hackers, We are literally living in the times that movie tried to portray, OMG it's soo eerie how accurate they were.
Tbh I use a copy book as a password manager, people say it's waste of time to write down my passwords into it every time I create an account on something but it's shit like this that only makes my case stronger 😅
People literally forget it takes 30 seconds to a minute to write down an email, password and title for what the account is for. Also, you can't hack a notebook in someone's closet...
KeePass.
Just use KeePass.
Same
same
@@R3AL-AIM a house fire can
Honestly my favourite video from you so far Muta, imho your best work yet. Good stuff my friend
This reminds me I need to reflash my rooted phone to update the security on it soon.
I’ve recently started watching you btw and I do like the style of these. They feel fairly personal, they’re usually shot at night too which is similar to my sleep schedule, and it’s just like having a chat and laughing about news nowadays. Keep it up, love the relaxed feel to these types of vids.
Relaxed?
You've just perfectly described why I've been watching Muta for years now! 😅
“Muta this the 4th time you’ve shown the class “the worst cyber attack you’ve ever seen” this year”
You know it's a mutahar video when mutahar is in it...
you know it's a video when moving pictures
I figured you would have covered the Marshals, but glad you got us now. I've been wondering what you would say for days.
There is also a fourth option... just writing down your passwords on pencil and paper 🙄
efficient until Jamal in the hood comes to your house with a wrench and beats you up and takes your papers lol.
or worse yet -your house burns or gets flooded.
let's be honest, there is no such thing as a 100% fail-proof solution.. maybe 95-99%
@@heyjeySigma I agree but I mean who in their right mind ever thought that paying a company to store all of your passwords would be a smart idea. They say that it is only stored on your computer sometimes but facebook says they don't sell your data.
I love when Muta gets pissed off 😂
17:00
you're a real one muta. thanks for bringing a smile to my face, I'm poor and lonely but you always stay real and make it feel like ur talking to us as a friend.
Yo muta if ya see this comment I wanna say thanks for helping me through some dark times, your content always helps me sit back and clear my mind of my anxiety and extreme OCD, much love muta
I keep seeing ads for all sorts of password storage apps but I keep reminding myself that nothing on the internet is safe and putting all your passwords into one single database is just asking for trouble.
This is why I save my important accounts on a separate drive with my car keys and useless stuff in pass managers
How do you do that? I'm keen to know how to stay safe.
@@sommerforrest2694 Just have some notepad files and save it into a flash drive or something. I didn’t label which account is which either so if someone steals it, it wouldn’t make any sense
muta back with another banger, let’s goo !!
I love your channel man, it covers all the crap I care about.
I enjoy these videos every once in a while and the entire time I just enjoy it; admittedly I'm no computer expert so a lot of the really technical stuff goes over my head lol
Love your channel Muta!! 🇨🇦🇨🇦🇨🇦
I was hoping you had some info on the dish ransomware attack!
Love your videos ❤
Wiser words have not often been uttered.
I (for one) am glad LastPass has been open about the extent of the intrusion.
Keep spreading the gospel, I testify.
Mutah you always teach us valuable lessons, passwords and security wise
Bitwarden with a Yubikey for 2fa is my personal favorite
A WitSec leak would be catastrophic, even if no one was harmed. The amount of resources that would need to be expedited to save everyone would be staggering.
I can't remember how many friends and family I warned to stay away when LastPass did their huge social media advertisement campaign because how could they not be painting a huge target on their back from square one? Sure the zero knowledge model helps delay compromises, but you can bet bad actors with enough funding can crack them. It does suck that at this point it boils down to "I told you so" which can hurt the reachability of the people who need to heed the warnings most.
Keep fighting the good fight Muta.
this is the worst cyber attack I've seen ever
Another banger of a vid mutahar🙏🎮
This could have a lot of security risks for all kinds of institutions and companies. Imagine how that data could be correlated, I hope this isn’t a domino effect about to go down. WEF and FDIC talking about cyber attacks and here this happens…
As a student in cybersecurity, I love watching Muta
Very cool mutahar, can’t wait for the worst cyberattack ever next week
You know once upon a time around high school I was a last pass user. When I got disillusioned about security in "The Cloud" (someone else's computer) I decided to store my passwords myself with keepass. Probably not the greatest thing but not the absolute worst.
i use keepass, too :c)
Anything at this point is better than LastPass
Still laughing my ass off at the very idea that anyone would think that hosting all their credentials behind a single account, thus creating a single point of failure, was a good idea.
I think there is some merit to the idea. If the password manager you use is remotely competent, that single account (more accurately, a username/password combination) is used to derive an encryption key that is not stored anywhere. That encryption key is used to encrypt and decrypt your password manager's vault.
Now, the obvious caveat is that if someone gets access to your vault, they have a pretty good way of attacking it by brute-forcing the username/password combination.
But here's the kicker, when you remove the need to put a lot of thought into generating a hundred plus different passwords and instead just have one password, you can focus your energy on making that single password a lot stronger.
Of course, this is reliant on the fact that you know how to do this, but this can be remediated with devs that know what they're doing and good documentation on how to make good passwords. You may also opt to add a pepper to your passwords (i.e. have a random string you add to every password that you don't write down), wherein even if the vault gets compromised, the attacker still has to figure out what your pepper is, and that adds additional effort of compromising other databases or brute forcing account logins.
Additionally, if you don't trust a cloud database hosting all of your passwords even if they're end-to-end encrypted, you can always opt to self-host, which significantly increases the difficulty of compromising your vault (since, you know, someone would have to get into your network, compromise your Bitwarden database, and THEN brute force the username/password combo). And you can always opt to use a password book, but usually that succumbs to a similar problem with more of a headache and no possibility for encryption.
One final note: Brute forcing these vaults is often more difficult than brute forcing an individual password because again, if the provider knows what they're doing, the derived encryption key should be made with an algorithm that takes time and resources to generate. Of course, in a single attempt a few extra milliseconds is negligible, but when we're dealing with millions and billions of attempts? That can be the difference between losing your vault and an attacker giving up and moving on to an easier target.
That said, yeah, I completely get the hesitation with "putting your passwords in the cloud."
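The comment above describes the design it is defending: the master password is fed through a deliberately slow key-derivation function, the resulting vault key is never stored, an optional pepper is mixed in before derivation, and the iteration count is what makes guessing expensive at scale. As an added example that is not part of the original thread and not LastPass's or Bitwarden's actual vault format, the following Python (standard library only) implements a simplified vault record of that shape. The record layout, the `b"vault-check"` tag and the function names are assumptions made for illustration; the 600,000-iteration figure is the OWASP-recommended minimum for PBKDF2-HMAC-SHA256 at the time of writing, and the 5,000 figure is a constructed "legacy" setting for comparison.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed vault record for illustration (hypothetical simplified design,
# not any real product's format): it stores only the salt, the iteration
# count and an HMAC "check value". The vault key itself is never written
# anywhere; it is recomputed from the master password on every unlock.
CHECK_TAG = b"vault-check"  # assumed constant used to derive the check value


def derive_vault_key(master_password: str, salt: bytes, iterations: int,
                     pepper: str = "") -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256.

    The pepper is a secret the user keeps outside the vault (e.g. memorised);
    appending it before derivation means a stolen vault alone does not fix
    the input an attacker has to guess.
    """
    secret = (master_password + pepper).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def create_vault_record(master_password: str, iterations: int,
                        pepper: str = "") -> dict:
    """Build the stored record: random salt, iteration count, HMAC check value."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations, pepper)
    check = hmac.new(key, CHECK_TAG, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock_vault(record: dict, master_password: str,
                 pepper: str = "") -> Optional[bytes]:
    """Recompute the key and compare the check value in constant time.

    Returns the vault key on success (it would then decrypt the vault body),
    or None if the master password / pepper combination is wrong.
    """
    key = derive_vault_key(master_password, record["salt"],
                           record["iterations"], pepper)
    expected = hmac.new(key, CHECK_TAG, hashlib.sha256).digest()
    if hmac.compare_digest(expected, record["check"]):
        return key
    return None


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of one derivation at the given iteration count.

    This is the per-attempt cost the comment refers to: negligible once,
    decisive when multiplied by millions of attempts.
    """
    salt = b"constructed-salt"  # fixed constructed salt for timing only
    start = time.perf_counter()
    derive_vault_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    LEGACY_ITERATIONS = 5_000     # constructed "old account" setting
    MODERN_ITERATIONS = 600_000   # OWASP-recommended minimum for PBKDF2-HMAC-SHA256

    record = create_vault_record("correct horse battery staple",
                                 MODERN_ITERATIONS, pepper="kiwi")
    print("unlock with right password + pepper:",
          unlock_vault(record, "correct horse battery staple", "kiwi") is not None)
    print("unlock with right password, no pepper:",
          unlock_vault(record, "correct horse battery staple") is not None)

    for label, n in (("legacy", LEGACY_ITERATIONS), ("modern", MODERN_ITERATIONS)):
        cost = seconds_per_guess(n)
        print(f"{label:6s} {n:>7d} iterations: {cost*1000:8.2f} ms per guess, "
              f"~{cost * 1_000_000 / 3600:8.2f} CPU-hours per million guesses")
```

The two printed cost lines are the point of the comment: the same vault with a higher iteration count multiplies the attacker's per-guess cost by the ratio of the counts, while the legitimate user pays that cost once per unlock. Note that `unlock_vault` only checks the derived key; a real vault would also use it to decrypt the stored credentials with an authenticated cipher.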
The sad bit is cybersecurity "experts" still screech that you need to use a password manager.
better than using the same 8 character password over and over.
And the other option is.... ?
@@naughtyhieroglyph669 Using a password manager is factually the best option out there, just not one hosted by a company, host your own Bitwarden server or just use KeePass and make backups of the files, done, no more security risks.
I honestly have no idea how Password Vault programs don't ring any alarm bells. To any decent hacker, how is that not just a lootbox for them.
It is
I saw the title and Lastpass was the first thing that popped in my head.
Bitwarden FTW. I let Bitwarden manage my vault. While I'd like to run my own Bitwarden server, I just don't have the energy to do IT work off the clock. I love this industry, and I love Linux so much that I run it as a daily, but sometimes I just want to step away after work.
Thank god the witness data wasn't leaked.
"Why am I not surprised?" - John Stewart/Green Lantern (Justice League Animated)
thank god muda has talked about this subject even more
who would've thought storing your passwords onto an online database was such a bad idea?
Muda just because your MySpace has been hacked doesn't mean it's the biggest cyberattack
Muthony Dartano here, the internet's busiest tech nerd
Any videos teaching us how to isolate a computer on a home network? I don't know if there's one posted already, but if it isn't, it could be quite a helpful piece of info
ANUS OVERLORD?!?!? Awesome username, Muta!! ;P
It's amazing a password manager subscription got hacked, so that being said let's be honest, it could've been a lot worse; at least it was targeted towards certain people and not everyone
We really don't know. Any subscription company can sell information to other companies. And in case those other companies will need more information on a certain user from the subscription company, the best excuse is getting hacked while providing the information to those other companies. Getting hacked is really a good excuse nowadays for companies.
having a subscription to an online password manager sounds like the dumbest idea ever
The attacker got access to cloud backups. That’s pretty bad.
Guess saving passwords on a piece of paper works better than a password manager.
@@razorback9999able That and something like a titan security key are probably the most secure way you can store/secure your passwords
Welcome to cyberpunk, where there's always a cyber attack. (That's what it feels like anyway)
No rest in Night city
A buddy of mine used to work with the Marshals' user website; he would always say it was a huge mess, and the code he had to maintain was a security nightmare. He also said that he had to make the website very nice for a few uber rich people that sat at the desks at the Marshals and not for the public, and it just wasn't for him; he hated the feeling he got from it.
The worst I've ever seen is a ransomware hack that destroyed my dad's successful company after 30 years of hard work.
The irony is I was considering getting one of these cause I’m fucking lazy. Ended up choosing not to do so cause I was like, what if it gets hacked. Oh how the turn tables
There's an open source one that comes bundled with some Linux distros whose name has slipped my mind, that one might be the best cloud/electronic option. But yeah your best bet is just a notebook stashed away somewhere in your house.
The classic way is the safest way
For their safety anyway I'd be moving every witSEC on the roster !! This is so scary
Every week has "the worst hack" muta has ever seen
It's like the worst cyberattack happens every other week at this rate.
Yeah I got hit by the last pass hack, however I was so lucky that I got lazy and only used it for my steam and like 1 account that was easy to reset. I actually was going to use it MORE but it's like nowhere is safe
… Muta low-key implying they are in the Wit-Sec database? (j/k)
Having good OpSec is like being faster than your bad OpSec friend while you both are running away from a vicious hacker grizzly bear.
Babe wake up new "the worst cyber attack ever" lore just dropped
Had a botnet get into an apartment complex I was living in not super long ago. Had me paranoid to the point where I was having a hard time differentiating between actual things related to the attack and my own imagination reaching for connections. Ended up having to move after having to close my bank account and opening a new one. Thankfully, nothing was stolen. I feel bad for the people still living there.
Paranoia
WinGet would have solved all of this...
Supposedly Microsoft is working on restartless security updates, too.
I would like to remind people reading the comments to leave a like for this man, he has worked hard for this video and has taken time out of his own personal schedule just to keep us updated and safe from cybersecurity threats.
You have earned my sub!
Great information thank you sir
U should be a dungeon master in d&d u have the voice for it lol😅
Not surprising, every day there will be new loopholes, new security breaches, new people clicking on links they shouldn't LOL
I was a bit skeptical when their first update came. When I received the email with the second update, the immediate next step I took was deleting the account and resetting every single password.
my school district recently got hacked and we were all snowed in so there wasn't much communication as to why everything was down
Kind of a useless hack. Even if they get the whole S3 dump, what's the point when the generated password is always random? Except for a fraction of cases where the users are making up their own password, they could build a rainbow table or dictionary for later attacks. Unless they're targeting the people immediately, the long-term ROI or the value of the dump in the marketplace is pretty low. Not recommended.
This better be about the chapters indigo plum points cyber attack. I want 5 dollars off of my ridiculously overpriced books dammit
My approach for passwords is the lazy route. For frequently used sites I use unique strong passwords I remember
For everything else, I sign up, use a unique password, forget about them and if I need to log back in, use the password reset function. Works like a charm.
Muta was malding haaaard about the dude :D funny asf
You look very mutah today mutah
I think we all see things that make us mad
Just imagining the dude ignoring the "please update" popups, thinking "eg, what's the worst that could happen"?
Muta finally doing what he's supposed to do since he was born and it's documented on screen.
dam
You know it’s serious when Muta doesn’t laugh at the beginning of the video
10:25 Thanks for the passwords! I'll make sure to use them. If Muta made them, they must be secure, right?
Anytime you hear "upload all your account info and passwords online", it's always a bad idea.
Mutahar never fails to make amazing videos
you didn't even watch this one
It's been out 2 minutes
@@nneural Yes I did?
Man is our best source of info in these times.
@ItzSyakirin you’re joking right?
The moment they switched to a one type of device per free account only system, I immediately left them for Bitwarden, a free password manager that lets you store as many passwords to your heart’s content, and does not lock the all device access for Bitwarden app behind a paywall, they have some more advanced features in their pro version, and I respect them for putting all the necessities on the free tier, I would gladly donate to them. Shame on you, lastpass.
The worst cyberattack I have seen was the launch of Cyberpunk 2077.