LinusTechTips Twitter Account Hacked (and how to secure yourself)

  • Published: 24 Oct 2024

Comments • 673

  • @_JohnHammond · 2 months ago · +253

    Full disclosure, I did not have my Yubico security key and hardware token set up for my own Twitter/X account while recording this video -- so totally fair play to call me a hypocrite 🙃 This is a good reminder for everyone, including myself, to get that prepped and lock things down!
    (And please bear in mind that the thought of this being from infostealer malware is absolutely speculation until there is some root cause analysis shared from the official sources)
    ((And I believe it was the LTT YouTube channel that was compromised previously, NOT their Twitter/X account, so wanted to be sure I included that correction))
    (((And I've cleaned up the backup code with YouTube Studio. It was regenerated multiple times anyway, but I appreciate your concerns)))
    ((((And the YubiKey that I show in the video is not the YubiKey Bio, which has the gray circle and accurately makes a fingerprint template -- so I'll be getting that fixed up too!))))

    • @mishl-dev · 2 months ago · +7

      Time to get one big john.

    • @la_sn3ak3r19 · 2 months ago · +1

      😮

    • @alaindanielherrera1199 · 2 months ago · +2

      This comment is 9 minutes older than the video.

    • @WebDesignerAmy · 2 months ago · +2

      I am now going to invest in a Yubico security key. 🤣
      Also thanks for the tip to check out what "connected apps" were still tethered to an X/Twitter account. I apparently had quite a few to deactivate!

    • @jmr · 2 months ago · +1

      I didn't have 2FA on my secondary account until it got hijacked. I was able to get it back either because I was fast or lucky. 😆 Do as I say not as I do!

  • @dyerseve3001 · 2 months ago · +1009

    Way ahead of the hackers, don't have a twitter account anymore.

    • @mishl-dev · 2 months ago · +10

      x

    • @dyerseve3001 · 2 months ago · +55

      also being a nobody helps too

    • @la_sn3ak3r19 · 2 months ago · +9

      Or Mastodon

    • @jmr · 2 months ago · +12

      😆 I was thinking the hackers might be doing me a favor if they stole mine.

    • @jmr · 2 months ago · +49

      @@mishl-dev Elon can't make me stop saying Twitter and neither can you! 😆

  • @jmr · 2 months ago · +447

    You should not be able to make certain changes to accounts without re-authenticating. Companies like Twitter and YouTube need to do better.

    • @cinderwolf32 · 2 months ago · +38

      In general, security is a joke to these companies.

    • @n_n · 2 months ago · +4

      @@jmr I'm so curious as to who you are online. 3C domain + handle + early verified 👀

    • @ManWhoLostTheWar · 2 months ago · +4

      @@n_n seems he's just an old engineer

    • @n_n · 2 months ago

      @ManWhoLostTheWar Most likely has connections. I don't see him paying for any of it nor would he be in the com
      Even after some digging I couldn't find much history that explains away the early verification and stuff.
      Odd but cool to see there's still people like that out there as most get this stuff unethically.

    • @ffffffffffflo · 2 months ago · +3

      Oh yeah, surely having to re-authenticate even more often is going to solve the problem.🤦‍♂ Totally not gonna get people used to entering their login info and being less alarmed about where they actually enter it.

  • @Person01234 · 2 months ago · +201

    Disabling 2FA without going through support should require 2FA. I mean, you need your password in order to change your password in a simple manner (you can reset it but then you need access to another account, the email), being able to just toggle off 2FA without having access to the 2FA is unforgivably bad design, something we already know is a bad idea.

    • @xBintu · 2 months ago · +14

      Absolutely
      Or with the backup codes, which can't be seen anymore without 2FA, easy solution

    • @raylopez99 · 2 months ago · +5

      Yeah but what if you lose your phone number? I guess you can re-create your phone number, but I recall back in the day when I changed my phone number I was locked out of some (obsolete and not really used) accounts like a Hotmail account I occasionally used. That's because they would send an authentication message to the phone number that was no longer mine.

    • @Person01234 · 2 months ago

      @@raylopez99 Then you have to go through support and probably provide some other kind of evidence, or a different authentication factor (such as the backup codes the other guy proposed, which is itself a form of 2FA).
      The toggle is fine if the ONLY way to access your account is through a method that uses 2FA but when there are other ways (such as the login token, or a simple password) then you simply shouldn't have the ability to disable 2FA without using 2FA.

    • @NGabunchanumbers · 2 months ago · +8

      I've had issues with services that did it that way. I changed my phone number, and didn't update Amazon (because I don't use Amazon much, if at all). Amazon didn't let me get into my account. They also didn't let me close my account. Support said I should be able to, but it just didn't work.
      The new person who got my old number was able to use 2FA to get into my account and order stuff. Well, then I called my bank and had them cancel it. But it did send to my email the address of where it was going to show up. It would be funny for me to go there and be like "yup this is mine I paid for it"

    • @TessaBain · 2 months ago

      @@raylopez99 Phones are easily spoofed. No one should be using that for 2FA in the first place. The option shouldn't even exist.
      Doubly so in certain cases where they just make it seem like it's a scam.
      Every time I call one of my banks now, they have to send me a code that I need to read back to them, which is exactly what scammers do.
      Until I found out they had made that change last year, I was confused why people thought scammers doing this were legitimate.
      There is no good reason for them to be sending you a text, but they do.
      Their newest option to get around this is using your voice, by the way. In the age of AI, they want you to turn on """"""security"""""" features, which allows all of the other security features to be turned off by voice...

  • @KarlRock · 2 months ago · +218

    It's always some kind of malware on an employee's computer, I think? Hackers often pose as sponsors and try to get YouTubers to open email attachments. Thanks for the video John.

    • @seansingh4421 · 2 months ago · +31

      And that's why strong AppLocker policies are a must to prevent script execution

    • @n_n · 2 months ago · +14

      @KarlRock You'd think a channel dedicated to tech would have employees that know or at least trained **not to run random files even if they look legitimate**
      I guess not though

    • @LiveType · 2 months ago · +5

      Yes, it's typically employees opening stuff 'sponsors' send and getting sessions hijacked. Less than 20% of the people at LTT would have any intimate knowledge of this stuff. I would have thought they had changed some policies about what can and can't get opened. Maybe not?
      Strict app locking policies should prevent this from occurring but that takes effort to implement and then enforce.

    • @TomTKK · 2 months ago · +3

      @@n_n Mistakes can still be made

    • @muizzsiddique · 2 months ago · +6

      @@n_n You just need to be caught slipping one time, and it'll be over. Not everyone is at their 100% every second of the day.

  • @itsonlybrad2278 · 2 months ago · +466

    Best way to protect your twitter account is to just delete it

    • @delta_cosmic · 2 months ago · +4

      yeah, they should never come back. No one needs it.

    • @EBKTV_AU · 2 months ago · +9

      Better still. Don't use the platform at all!

    • @bripbrap · 2 months ago · +4

      protect the account; protect the world!

    • @KajuTheRudeMonke · 2 months ago

      I second that

    • @KajuTheRudeMonke · 2 months ago

      @@PedroKing99 Freedom of speech on Twitter... lol

  • @LinuxAvali · 2 months ago · +66

    I think the root of the problem isn't that Linus doesn't have 2FA, it's that Twitter doesn't require you to confirm your 2FA code to make security changes to the account, which is a big no-no. He had this same criticism for YouTube when the LTT channel got hijacked. It will let you reset all the security stuff without asking for your password or 2FA code again, assuming you are who you say you are.

    • @KennethLongcrier · 2 months ago

      John actually did a review of the malware email that LTT received, and that email requests the 2FA key. Microsoft actually does it better by pinging your MFA device and requiring you to type that code into the authenticator app.

  • @puerlatinophilus3037 · 2 months ago · +71

    If infostealers can just steal your token and use it on a different device in a different country AND even change password & e-mail address... What's even the point of 2FA?
    I'm mad.

    • @ecu4321 · 2 months ago

      @@puerlatinophilus3037 now that you mention it, do hardware keys like yubico help at all with these session hijackers like infostealers?

    • @Zullfix · 2 months ago · +13

      2FA protects against password leaks, and that's about it. Ideally, services should tie session tokens to your HWID, IP, browser fingerprint, or any other potentially unique information to make token stealers less effective.

    • @morsikpl · 2 months ago

      The point of 2FA is to prevent logging in by someone when there is password leak.
      Some security is still better than no security.

    • @klopferator · 2 months ago

      @@Zullfix It's easy to say that, but on the other hand there's demand towards browser developers to limit any way of fingerprinting for privacy concerns. (IP isn't really viable, I tried that on my website and found that in many cases my IP address can change on the fly without me even noticing it, sometimes from an IPv4 address to an IPv6 address and vice versa. After I logged the issue for a few days I've come to realize IP address changes happen so frequently thanks to the way many internet providers work nowadays that it's unfeasible to use it as a security factor.)

    • @waralo191 · 2 months ago

      Usually 2fa is on a different device, like your phone.

  • @cfagerstrom · 2 months ago · +135

    The YubiKey you show in the video is not a "something that you are" example because all YubiKeys except the Bio series with the black dot (so all gold dot ones) are NOT a biometric reader - it is just you tapping the button. It's another "something that you have".

    • @_JohnHammond · 2 months ago · +43

      Good catch, thank you! Guess I'll be ordering another YubiKey Bio!

    • @cfagerstrom · 2 months ago

      @@_JohnHammond always advisable to have several Yubikeys set up as backups.

    • @belst_ · 2 months ago · +5

      it's something you "have" but it also validates presence, so it can't be automated

    • @nurmr · 2 months ago · +1

      It also ties the cryptographic token to the domain, so it shouldn't be possible to MitM a security key in the same way that authenticator codes can be MitMed.

    • @cfagerstrom · 2 months ago · +3

      @@belst_ True. So TECHNICALLY you could say it’s something you are: physically present. But it still doesn’t validate physical identity.
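
    The domain binding nurmr describes in this thread (and the presence check belst_ mentions) is worth seeing concretely. The following is an added example, not code from the video, from X, or from Yubico: a toy model of the WebAuthn assertion flow in Python using only the standard library. The relying-party ID `x.com` and origin `https://x.com` are assumed for illustration, the lookalike phishing origin is constructed, and an HMAC over the same byte layout stands in for the key's ECDSA signature so the example runs offline; the clientDataJSON fields, the rpIdHash, the user-presence flag and the browser's rpId check follow the real protocol.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "x.com"                 # assumption: the relying-party ID the real site registered
RP_ORIGIN = "https://x.com"     # the only origin the relying party will accept


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class SecurityKey:
    """Toy authenticator. A real key holds an ECDSA private key per credential and
    signs authenticatorData || SHA-256(clientDataJSON). An HMAC over the same bytes
    stands in for that signature here, so the 'public key' the RP stores is the
    same secret (a simplification of this example, not of WebAuthn)."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, secret)

    def register(self, rp_id: str):
        cred = (secrets.token_bytes(16), secrets.token_bytes(32))
        self._creds[rp_id] = cred
        return cred

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self._creds:
            raise KeyError(f"no credential scoped to {rp_id}")
        cred_id, secret = self._creds[rp_id]
        # authenticatorData = rpIdHash (32) | flags with UP bit set (1) | signCount (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return cred_id, auth_data, hmac.new(secret, to_sign, hashlib.sha256).digest()


def browser_get(key: SecurityKey, page_origin: str, requested_rp_id: str, challenge: bytes):
    """What navigator.credentials.get() does: the page chooses rpId and challenge, but
    the BROWSER writes the origin, and refuses an rpId that is not the page's own
    domain or a parent of it."""
    host = urlparse(page_origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"rpId {requested_rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    return client_data, key.get_assertion(requested_rp_id, client_data)


def rp_verify(stored_secret: bytes, challenge: bytes, client_data_json: bytes,
              auth_data: bytes, signature: bytes) -> bool:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(challenge):      # stops replay of an old assertion
        return False
    if cd.get("origin") != RP_ORIGIN:                 # stops a relayed phishing assertion
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    if not auth_data[32] & 0x01:                      # user presence: the physical touch
        return False
    expected = hmac.new(stored_secret, auth_data + hashlib.sha256(client_data_json).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def run_scenarios():
    key = SecurityKey()
    _cred_id, secret = key.register(RP_ID)
    results = {}

    # 1. Genuine login on the real origin
    challenge = secrets.token_bytes(32)
    cdj, (_, auth_data, sig) = browser_get(key, RP_ORIGIN, RP_ID, challenge)
    results["legit"] = rp_verify(secret, challenge, cdj, auth_data, sig)

    # 2. A phishing page relays the real challenge and asks for rpId "x.com"
    phish_origin = "https://x-com-login.example"   # constructed lookalike, not a real site
    challenge = secrets.token_bytes(32)
    try:
        browser_get(key, phish_origin, RP_ID, challenge)
        results["phish_browser"] = "assertion produced"
    except ValueError:
        results["phish_browser"] = "browser refused rpId"

    # 3. Even if the browser check were bypassed, the origin inside the signed
    #    clientDataJSON is the phishing site's, so the RP rejects the relay.
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": phish_origin}).encode()
    _, auth_data, sig = key.get_assertion(RP_ID, cdj)
    results["phish_relay"] = rp_verify(secret, challenge, cdj, auth_data, sig)

    # 4. Replaying a captured assertion against a fresh challenge also fails
    results["replay"] = rp_verify(secret, secrets.token_bytes(32), cdj, auth_data, sig)
    return results
```

    The two things a phishing page cannot control are the `origin` the browser writes into clientDataJSON and the rpIdHash the key derives from the rpId it actually holds a credential for. A TOTP code has neither property, which is why a code typed into a lookalike page can be relayed and a key assertion cannot.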

  • @ya64 · 2 months ago · +41

    Rather than just sending an alert that someone logged into your account from a different place in the world, that login should be challenged in the first place.

    • @minorfall4380 · 2 months ago

      I agree, bad design and plenty of apps do this. Why let me know I may be hacked without a way to block it off. At least from the original link that is also in your email. So, you can then put in a ticket with minimal damages. Though not saving to PC or cache is the smart choice. Sad you can't depend on the platform to fix this issue or even see it as an issue.

    • @JackShoreman · 2 months ago · +3

      Then every normie everywhere will complain when their ISP resets their modem/router with an update, VPN users will encounter issues, and about 500 other things that support teams at these companies don't want to deal with. Convenience is the enemy of security, but most customers will take the convenience first and foremost. Who do you know that honestly could be bothered to purchase a hardware key? How many even use software MFA? It's just not in the cards at the moment.

    • @minorfall4380 · 2 months ago · +2

      @@JackShoreman I agree with that. The smart thing would be for it to be an option, to opt-in for. So people who want to be more secure can have a way and people who don't can have their convenience. 👍🏿

    • @wpgspecb · 2 months ago

      REAL companies do this, not twitter though....

    • @BillAnt · 2 months ago

      A one or two hour delay for any security change with email and text notifications should give the legit user enough time to act in case it's a bad actor.

  • @miss_sapphire · 2 months ago · +35

    Please do not blur sensitive information. Blackbox it completely

    • @LegacyVision. · 2 months ago · +4

      Good luck resolving information from a destructive box blur

    • @nurmr · 2 months ago · +12

      @@LegacyVision. Blurring can be reversed. It's not too hard.

    • @zeeZerl · 2 months ago · +10

      Some blurring can be reversed, yes. Better safe than sorry, always box it. If you want blur for the effect, add fake text on top of the box and blur that.

    • @JackShoreman · 2 months ago · +1

      @@nurmr entropy and god disagree.

    • @SolarLiner · 2 months ago

      @@JackShoreman search for image deconvolution. It can absolutely be done, the techniques are of the 2000s era, you can also de-motion blur. It's not perfect but it's been used by police to make license plates readable despite out of focus and motion blurs in the captured images.
      Entropy doesn't enter the picture (pun intended) here because blurring is not a random process but a well-defined deterministic operation called a convolution, for which you can find an inverse operation that can theoretically restore the image (in the mathematical sense, with limited resolution and compression this is obviously not perfect). To be sure you can't find an inverse operation, you need to process your image with so-called non-linear filters (ie. median filter, pixelation, or just plainly overwriting the pixels).
      There is a specific issue with pixelation too, which is that with videos specifically, if the contents move over the pixelated area relative to it, restoring the content over time becomes possible.
      TL;DR: deblurring an image is very much possible, is old tech and has been successfully used for better and worse ends already. Your best bet is to completely overwrite the pixels by using an opaque color. Pixelation can be undone if not applied correctly.

  • @Sommyie · 2 months ago · +168

    THIS WEEK ON THE WAN SHOW.....

    • @TC-hl1ws · 2 months ago · +7

      lol.........Sponsored by Twitter

    • @ecu4321 · 2 months ago · +1

      @@Sommyie new content to monetize baby!

    • @harveycreekin · 2 months ago · +5

      Clearly a tax write off 😂

    • @Playerk125 · 2 months ago · +4

      Yep, Luke's gonna set the whole network to whitelist only

    • @Solocord · 2 months ago · +4

      and right when he said he wanted an all good news WAN show... really testing him right now aren't we?

  • @cinderwolf32 · 2 months ago · +44

    Twitter's email has the energy of saying "L bozo"

    • @maxave7448 · 2 months ago

      Most helpful tech support response be like:

  • @Remmes · 2 months ago · +22

    I still think it's crazy how logging in from a different country/location or even making password/2FA changes doesn't require re-authenticating via email or so.

    • @fru2728 · 2 months ago · +1

      or even blocking certain countries you won't be physically/over VPN like with bank cards. I think it should be a must for VIP accounts like LTT

    • @JackShoreman · 2 months ago · +1

      IP addresses are archaic and not a reliable form of determining location. Unless everyone starts using IPv6 and the many more addresses provided compared to IPv4 are doled out by nation instead of by institution/corporation/etc, it's not a reasonable metric. My IP gets registered in completely different states from where I live, imagine that in EU or anywhere else in the world where nations are geographically small.

    • @BillAnt · 2 months ago

      @@fru2728 - They can get around geo-fencing with proxies/VPNs, there are other more secure ways to auth a user.

  • @apIthletIcc · 2 months ago · +17

    Sucks to see people get hacked, sucks more to see it happen again and again. I've been in a similar boat a few times. All you can do is learn and be better prepared for the next day, at this point.

  • @Sick_-uck · 2 months ago · +64

    Didn't LTT get hacked a couple of months ago? ...

    • @jkobain · 2 months ago · +18

      YT that time.

    • @aronoc3599 · 2 months ago · +31

      Was thinking the same thing. Pretty embarrassing track record for them!

    • @alfosisepic · 2 months ago · +28

      They got a SIM swap attack way back and two session token grabs since then. Three times in total have they lost access to their accounts.

    • @Zagirus · 2 months ago

      And their viewers are dumb enough to fall for that obvious scam.

    • @UCuTzO9tH3FnAqii1thwyysw · 2 months ago · +5

      Yeah, they're large tech enthusiasts and not security focused. That makes them a large target without having a good security posture. They should probably bring in a security specialist to train people and set up some monitoring software across their whole infrastructure.

  • @capability-snob · 2 months ago · +82

    Imagine if browsers could keep cookies secret on a modern operating system.
    We really are living in the strangest branch of this universe.

    • @passerby184 · 2 months ago · +6

      That'd be like DRM: the client has to know it as plaintext anyway

    • @Person01234 · 2 months ago · +7

      I mean fr you'd think they could encrypt it and only load it when you specifically needed it for a site, like a basic desktop password manager, by this point.

    • @kbhasi · 2 months ago · +1

      I recall a Google Chrome blog article that suggested that Chromium secrets are encrypted using the system provided encryption methods, like Keychain on macOS, and GNOME Keyring on desktop Linux, but on Windows, there's some internal function that's not as secure, so Chrome developers plan to add additional security specifically on Windows.

    • @schwingedeshaehers · 2 months ago · +8

      then you would have to enter it on any start of the browser

    • @SomeRandomPerson · 2 months ago

      @@Person01234 Encryption only works as a protection, if the attacker has no way of finding the encryption key. Spoiler: If their software is running on your PC, like your Browser is, then they can get that data. Even if it's encrypted, they can ask the OS, or even the browser itself to decrypt it.

  • @DaBoomDude · 2 months ago · +31

    DUDE... Don't use blur to hide security information, it has been reversed in the past. The only true way to protect this stuff is a black or white bar overlay.

    • @miss_sapphire · 2 months ago · +3

      Agree lol I made this comment before seeing yours

    • @_JohnHammond · 2 months ago · +9

      Can you reverse it? Would love to get the deets if anyone actually/practically does! :)

    • @nurmr · 2 months ago · +5

      @@_JohnHammond You can take sample letters, blur them in the same way, and then match the blurred images. Similar to how password hashes are "decrypted".

    • @_JohnHammond · 2 months ago · +12

      @@nurmr Right, I know the theory behind it, but would just love to see someone actually do it ;)

    • @fliporflop7119 · 2 months ago

      @@_JohnHammond 0xAab5E1cAb55b06075a0736dd5fc95DEb4Ef9523B

  • @pauli2753 · 2 months ago · +9

    I hate the fact that the same auth token or cookie can be used from any IP without any hesitation. I want an option to revoke the tokens and cookies immediately if it is used from some other IP than where it was originally logged in from. And I fully understand that this will require me to re-login from time to time, but generally I just use my computer from home where the IP changes very infrequently so it really does not matter most of the time.

    • @Archmage9885 · 2 months ago

      Exactly this. Infostealers have been doing this for a while now, and services just allow account takeovers like this to happen.
      Authentication tokens should automatically be invalidated if used on a different device than they were originally created on.
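
    Zullfix's suggestion further up (tie the session to the device) and klopferator's objection (IP addresses change under you) can both be checked in a few lines, alongside the "reject on a different IP" rule this thread asks for. This is an added example in Python, not anything X or any browser actually implements; the user name, the RFC 5737 documentation addresses and the "device key" are constructed for illustration, and an HMAC proof stands in for the asymmetric device-bound key a TPM or OS keystore would hold.

```python
import hashlib
import hmac
import secrets


class Device:
    """Client side. The device key never leaves the machine (a TPM or OS keystore in
    practice); the cookie jar holds only the session token, which is the part an
    infostealer can copy."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.cookie = None

    def public_binding(self) -> bytes:
        # Stand-in for registering a public key: with HMAC the "public" half is the
        # same key, a simplification of this example only.
        return self._key

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, self.cookie.encode() + nonce, hashlib.sha256).digest()


class SessionServer:
    def __init__(self):
        self._sessions = {}   # token -> {"user", "ip", "device_key"}
        self._nonces = {}     # token -> outstanding challenge

    def login(self, user: str, ip: str, device_key: bytes) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "ip": ip, "device_key": device_key}
        return token

    # Variant 1: the naive "same IP as at login" rule
    def authorize_ip_bound(self, token: str, ip: str):
        s = self._sessions.get(token)
        if s is None or s["ip"] != ip:
            return None
        return s["user"]

    # Variant 2: proof of possession of the device key, one fresh nonce per request
    def challenge(self, token: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces[token] = nonce
        return nonce

    def authorize_device_bound(self, token: str, proof: bytes):
        s = self._sessions.get(token)
        nonce = self._nonces.pop(token, None)   # single use: a captured proof cannot be replayed
        if s is None or nonce is None:
            return None
        expected = hmac.new(s["device_key"], token.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        return s["user"]


def run_scenarios():
    server = SessionServer()
    laptop = Device()
    laptop.cookie = server.login("ltt_social", "203.0.113.10", laptop.public_binding())
    results = {}

    # Legitimate user on the address they logged in from
    results["home_ip"] = server.authorize_ip_bound(laptop.cookie, "203.0.113.10")
    results["home_dev"] = server.authorize_device_bound(
        laptop.cookie, laptop.prove(server.challenge(laptop.cookie)))

    # Same laptop after the ISP hands it a new address (klopferator's false positive)
    results["newip_ip"] = server.authorize_ip_bound(laptop.cookie, "198.51.100.7")
    results["newip_dev"] = server.authorize_device_bound(
        laptop.cookie, laptop.prove(server.challenge(laptop.cookie)))

    # Infostealer copies the cookie jar to another machine
    thief = Device()
    thief.cookie = laptop.cookie
    results["thief_ip"] = server.authorize_ip_bound(thief.cookie, "192.0.2.55")
    results["thief_dev"] = server.authorize_device_bound(
        thief.cookie, thief.prove(server.challenge(thief.cookie)))

    # Thief also sniffed one valid proof off the wire and replays it
    nonce = server.challenge(laptop.cookie)
    captured = laptop.prove(nonce)
    results["replay_first"] = server.authorize_device_bound(laptop.cookie, captured)
    results["replay_second"] = server.authorize_device_bound(laptop.cookie, captured)
    return results
```

    The IP rule rejects the legitimate laptop as soon as its address changes and still fails for nothing more than a cookie copied to a machine behind a similar address, whereas a proof tied to a key that never leaves the device survives the address change and rejects the copied cookie outright. It does not defeat malware that stays resident and drives the real browser on the victim's machine, which is SomeRandomPerson's point above about anything already running on your PC, and that is the limit of any client-side binding.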

  • @iCortex1 · 2 months ago · +70

    As a Bitwarden enjoyer, I feel very validated by 9:48

    • @Apple_Beshy · 2 months ago

      been using it for years on my pc and phone

    • @Napert · 2 months ago

      Self-hosted Vaultwarden or KeePassXC

    • @JuniorJunison · 2 months ago · +1

      Love bitwarden.

    • @Corteum · 2 months ago · +1

      Bitwarden store all your passwords on a remote server owned by mickr0zoft. Dodgy af.

    • @miss_sapphire · 2 months ago

      @@Corteum the beauty is you can self-host Bitwarden if you want

  • @klipk7296 · 2 months ago · +5

    14:57 - "Try to make sure that's the only option for logging in"
    Unfortunately 99% of services don't support this yet. It's even worse on mobile where security keys still aren't even remotely functional on any mobile applications I've tried despite literally being implemented

  • @jippenfaddoul · 2 months ago · +38

    Using a security key for a personal account is all well and good - but the thing that got compromised was the shared company account that needs multiple people to be able to access, to have mechanisms to kick people out when employees leave, etc.
    From my understanding, Twitter doesn't give you an easy way to register a dozen security keys to a single account, along with identifiers that will allow for reasonable decommissioning of credentials later. I don't think the workflow is viable to make that a defense.

    • @ecu4321 · 2 months ago · +5

      I have my personal non-paid Twitter using multiple security keys at the same time. I can only have one authenticator though. But technically you can get away with multiple authenticator apps (or media) once you copy the secret key.

    • @jippenfaddoul · 2 months ago · +1

      @@ecu4321 Does it provide you with a good way to identify and disable a single security key in the list?

    • @lesslighter · 2 months ago

      1 authenticator is needed but multiple keys can be used which can still be an issue

    • @lesslighter · 2 months ago

      @@ecu4321 It technically doesn't allow you to have multiple authenticators right now; once one is verified you need to deactivate it. While it's true that IT IS possible, provided the system has added flags to re-enable setting up a new authentication key.

    • @submrge · 2 months ago · +1

      Ah yes twitter cutting corners. Good job Elon 👍🏻

  • @Atsumari · 2 months ago · +6

    The sad thing is that you should just assume your information is already stolen. Personal information isn't private anymore. Glad you covered this John.

  • @seed-h8o · 2 months ago · +26

    Dude, yubikey does not read your fingerprint, it just detects if it is touched.

    • @IIlIlIlIlIlIlIII · 2 months ago · +11

      there are different yubikeys, some do read your fingerprint

    • @robertoduharte2502 · 2 months ago · +2

      Depending on the model of YubiKey, the YubiKey Bio does allow it ^_^

    • @_JohnHammond · 2 months ago · +19

      YubiKey Bio reads your fingerprint (which is the model with the gray circle, not the gold/yellow one I showed in the video, so I'll have to get that fixed up)
      docs.yubico.com/hardware/yubikey/yk-tech-manual/bio-specifics.html

    • @madrum · 2 months ago · +7

      Yeah, but stating that yubikeys are simply fingerprint readers is 100% false. The fingerprint reading yubikeys just use your fingerprint instead of a PIN.

    • @seed-h8o · 2 months ago

      @@_JohnHammond That's correct, thanks for clarifying.

  • @brage218 · 2 months ago · +5

    The question is why X didn't mark the login attempt as malicious when it clearly originated from Russia. At the very least, the account should be locked down, requiring a code sent via SMS and email to unlock it.

  • @louisrobitaille5810 · 2 months ago · +6

    13:35 It'd be even better if you could say "Deny all attempts of log in that aren't from {this list of IP addresses} or at least from {this country}."

    • @miss_sapphire · 2 months ago · +1

      The problem with geo-fencing is let's say X implements this feature; it would become publicly known. LTT is in the US/Canada, so all I would need to do is use a VPN in the US or Canada to get around that. Or sign up for AWS and get a free tier EC2 and route my traffic through that

    • @miss_sapphire · 2 months ago

      Now if IP whitelisting was allowed they could whitelist the office since businesses will likely have static IPs. Then for remote access they could use a VPN hosted from the office. Home IPs and phones are dynamic so that would solve that issue

  • @Igorath · 2 months ago · +7

    then they will find a way to get the confirmation email and lock you out that way.

  • @tiagotiagot · 2 months ago · +1

    Blurred text can statistically be de-censored. The only safe way to censor text is to completely replace the pixels with something unrelated, black pixels, random noise etc (if you want to keep the aesthetic, just replace the text with gibberish text first and then blurry it). And ideally, you should also disguise the length that has been censored as well, as that can sometimes be sufficient to narrow down the guesses with the help of some context.

  • @ceilidhDwy · 2 months ago · +26

    Are we sure that email Linus screenshotted isn't phishing and that is how he got hacked?
    Twitter/X is banned in Russia, meaning you couldn't reach it from a Russian IP, while the email he shared states clearly that the login attempt came from Russia

    • @ombrezz7030 · 2 months ago · +8

      If that's how it went down then the next WAN show will be interesting.

    • @ronald.crimora · 2 months ago · +7

      Most likely, the hacker used the DPI bypass. Since I'm from Russia, I decided to log in to Twitter using this method and got an email with login attempt from Russia.

    • @Demoralized88 · 2 months ago · +4

      I'm just thinking of what a dumbass skid you'd need to be to use your actual Russian IP instead of at least using a VPN in the same country. That alone confuses me but idk if 'hackers' are commonly that stupid/sloppy.

    • @ecu4321 · 2 months ago

      @@ombrezz7030 new content more sponsors 😅

    • @eshwayri · 2 months ago

      @@Demoralized88 If it is from Russia then the "person" doing the hacking probably works for the FSB. I doubt they are too worried about any repercussions. The scam is probably a side hustle for when they aren't doing "official" work.

  • @BazilDay · 2 months ago · +9

    Saying Shitter Support Is Shit Would Be An Insult To Shit.

  • @jonasls · 2 months ago · +6

    Oh no, remember that blur can be easily reversed if the font is known!

    • @_JohnHammond · 2 months ago · +1

      Can you reverse it? Would love to get the deets if anyone actually/practically does! :)

    • @jonasls · 2 months ago

      @@_JohnHammond I've seen a few people do this, some with conventional algos and some with DL algos. Depix on GitHub does this with pixelated "blurs". I also read that Gaussian blur (which is quite common) can be deconvolved somewhat accurately using FFT(?).

    • @jonasls · 2 months ago · +2

      @@_JohnHammond Seems my previous reply was deleted. Depix and the Unredacter project do this with pixelated text. These are brute-force approaches but which should work quite well. Filters like Gaussian blur can also in theory be deconvolved. But showing unblurred and blurred text together in a known editor makes it quite easy to brute force the text from the image; it can also be done sequentially (char by char) instead of the whole string.
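
    Three threads on this page (miss_sapphire's, DaBoomDude's and this one) argue that blurred or pixelated text is recoverable, and John asks for a practical demonstration. The following is an added example, not code from the video or from the Depix and Unredacter projects it resembles: a pure-Python sketch of the brute-force, character-by-character approach nurmr and jonasls describe. The 3x5 bitmap font, the 2x2 mosaic filter and the "backup code" being censored are all constructed for illustration; the point is that a deterministic filter applied to a known font leaves enough information to re-render each candidate and match it.

```python
# Constructed 3x5 bitmap font, each glyph padded to a 4x6 cell (one blank column, one blank row).
FONT = {
    "0": ["010", "101", "101", "101", "010"],
    "1": ["010", "110", "010", "010", "111"],
    "2": ["111", "001", "111", "100", "111"],
    "3": ["111", "001", "111", "001", "111"],
    "4": ["101", "101", "111", "001", "001"],
    "5": ["111", "100", "111", "001", "111"],
    "6": ["111", "100", "111", "101", "111"],
    "7": ["111", "001", "001", "001", "001"],
    "8": ["111", "101", "111", "101", "111"],
    "9": ["111", "101", "111", "001", "111"],
    " ": ["000", "000", "000", "000", "000"],
}
CELL_W, CELL_H = 4, 6
BLOCK = 2   # pixelation block size in pixels


def render(text: str):
    """Rasterise text into a CELL_H-row bitmap (lists of 0/1), left to right."""
    rows = [[] for _ in range(CELL_H)]
    for ch in text:
        glyph = FONT[ch] + ["000"]            # blank bottom row of the cell
        for r in range(CELL_H):
            rows[r].extend(int(p) for p in glyph[r])
            rows[r].append(0)                 # blank right column of the cell
    return rows


def pixelate(bitmap, block: int = BLOCK):
    """Mosaic filter as an editor applies it: every block becomes the mean of its pixels."""
    h, w = len(bitmap), len(bitmap[0])
    out = []
    for y in range(0, h, block):
        row = []
        for x in range(0, w, block):
            cells = [bitmap[yy][xx] for yy in range(y, min(y + block, h))
                     for xx in range(x, min(x + block, w))]
            row.append(sum(cells) / (block * block))
        out.append(row)
    return out


def depixelate(mosaic, alphabet=FONT, block: int = BLOCK) -> str:
    """Recover the text one cell at a time: render every candidate after the
    already-recovered prefix, pixelate it the same way, and keep the candidate whose
    blocks are closest to the target. Only block columns fully covered by the rendered
    prefix are compared, so it also copes with block edges that straddle glyph cells."""
    n_chars = (len(mosaic[0]) * block) // CELL_W
    recovered = ""
    for _ in range(n_chars):
        best, best_err = None, None
        for ch in alphabet:
            cand = pixelate(render(recovered + ch), block)
            usable = (len(recovered + ch) * CELL_W) // block
            err = sum((cand[y][x] - mosaic[y][x]) ** 2
                      for y in range(len(mosaic)) for x in range(usable))
            if best_err is None or err < best_err:
                best, best_err = ch, err
        recovered += best
    return recovered


def demo() -> str:
    secret = "7392 0461"                      # constructed stand-in for a backup code
    censored = pixelate(render(secret))       # what ends up in the screenshot
    return depixelate(censored)
```

    With a real screenshot the "renderer" is the same editor, font and size the victim used, and matching takes the nearest block values rather than an exact hit because anti-aliasing and compression add noise; the approach is otherwise identical. Overwriting the region with a solid colour leaves nothing for this to match, which is the fix the three threads recommend.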

  • @aliciaamerson7658 · 2 months ago · +5

    You need to delete all of the personal information from other computers before you get hacked yourself.

  • @TheGodOfAllThatWas · 2 months ago · +5

    It surprises me that (only using information in this video) it seems either you can log in from a device that twitter notices is a new device without re-authentication of 2fa, or the hackers got lazy after resetting 2fa and stopped pretending to be the same device that had the token.

    • @maverick34 · 2 months ago

      No for twitter it was a new location (IP address) but using an existing session/device. Requiring 2FA on any IP change would be such a PITA for everyone that it would trigger a mass-deactivation. This kind of alert is usually sent asynchronously, meaning it's also often too late when you receive it ...

    • @TheGodOfAllThatWas · 2 months ago · +1

      @@maverick34 According to the screen shot it's a new DEVICE. Yeah new location too, but I get that's an issue. The fact it's a new DEVICE should trigger it to recheck 2fa even if they have a saved cookie.

    • @TheGodOfAllThatWas · 2 months ago

      As it turns out @_JohnHammond just posted a video and that screenshot was NOT from X, it was from the phish. Which also strongly implies that it wasn't a cookie hack; Linus gave up a 2FA code that the hackers used.

  • @dtitan1993
    @dtitan1993 2 months ago +6

    Thanks John for the info!...All platforms should implement a block... check/verify when an ip is trying to attempt from a foreign country.... email the user or text the user to verify if it's legit.

  • @20NewJourney23
    @20NewJourney23 2 months ago +10

    Isn't this the second time an LTT account has been compromised? First was the RUclips channel, and now the X channel. smh

    • @Apple_Beshy
      @Apple_Beshy 2 months ago +7

      the thing is they are hot in the eyes of these kind of hackers.

  • @ultimate898989
    @ultimate898989 2 months ago +5

    Big question here: how can twitter allow 2FA deactivate/reactivate without authentication of an account, trying to deactivate/reactivate, from outside source??? Like for example: check through current linked e-mail/phone/app-authenticator the validity of 2FA deactivation before allowing to remove 2FA.
    From the perspective of a person working with banking apps - it is a major security flaw that should never be on a production environment.

  • @Zagirus
    @Zagirus 2 months ago +1

    1:16
    Linus viewers are the geniuses who still think "click here to claim your million-dollar lottery prize" is a legit deal. They're practically twins in intellect with Linus himself, who's so "tech-savvy" he mistook an infostealer for a sponsor.
    But the best part? Watching him dodge accountability like it's a sport, always quick to point fingers at his employees. It's like watching a comedy show where the punchline is always Linus deflecting blame.

  • @MultiBannanaSHITTTT
    @MultiBannanaSHITTTT 2 months ago +3

    Man they really need an offline sandboxed environment to open their email attachments…

  • @abitterberry2149
    @abitterberry2149 2 months ago

    Here's another layer: Set your browser to automatically delete your cookies when you close it.
    Bonus effect: You will definitely want a password manager.
    As we saw, cookies bypass all that security, and they're stored in the format they're used. You can just copy/paste the sqlite db from one pc to another and it will work.

  • @Simon_fpv
    @Simon_fpv 2 months ago +3

    Every service should require verification with 2fa if a significant change is detected like a different ip etc..

    • @Archmage9885
      @Archmage9885 2 months ago

      Yes, and when a new device logs in from a new location with an authentication token made on a different device you'd think that would be an obvious thing to block.
      Or when the above new device changes the password, removes old 2fa methods and adds new ones, the account should be locked and verification requested from multiple pre-takeover contact/2fa methods before those changes are allowed.

  • @Sam_Bent
    @Sam_Bent 2 months ago +1

    Great job with the video. The turnaround on this video was absolutely insane.

  • @izeo997
    @izeo997 2 months ago

    From 10:35 in this video:
    "Authentication Factors
    The three basic methods of authentication are also known as types or factors. They are as
    follows:
    Type 1 A Type 1 authentication factor is something you know. Examples include a password, personal identification number (PIN), or passphrase.
    Type 2 A Type 2 authentication factor is something you have. Physical devices that a user possesses can help them provide authentication. Examples include a smartcard, hardware token, memory card, or Universal Serial Bus (USB) drive.
    Type 3 A Type 3 authentication factor is something you are or something you do. It is a physical characteristic of a person identified with different types of biometrics. Examples in the something-you-are category include fingerprints, voice prints, retina patterns, iris patterns, face shapes, palm topology, and hand geometry. Examples in the something-you-do category include signature and keystroke dynamics, also known as behavioral biometrics."

  • @petulikan1
    @petulikan1 2 months ago +8

    12:57 ip is visible

    • @nomunomuneo
      @nomunomuneo 2 months ago +3

      his ip must've changed by now

    • @petulikan1
      @petulikan1 2 months ago +2

      @@nomunomuneo yes I've seen his IP change which I'm assuming he has a dynamic IP, still better warn someone than be the person who could've prevented a potential damage

    • @TheMachine777x
      @TheMachine777x 2 months ago +1

      Thanks gonna ddos it now

  • @AbdAbdAbdAbd
    @AbdAbdAbdAbd 2 months ago +14

    they really need to learn about VMs, 2nd time they've been hacked

    • @superJK92
      @superJK92 2 months ago

      A vm won't stop a session stealer (also needing to start a vm to do stuff is a hassle if they need to be efficient)

  • @science.dz-xm8oe
    @science.dz-xm8oe 2 months ago

    your videos are really helpful for learning cybersecurity, I would love it if you added titles and chapters to understand what is going on when we're confused

  • @mihumono
    @mihumono 2 months ago +1

    You would assume that any account suddenly logging in from Russia would be flagged and locked. This happened to me around 14 years ago with Facebook. Someone got hold of my weak password, that I was using everywhere at the time. Facebook blocked that login, as they logged in from the USA. Would expect the same from Twitter, over a decade later.
    EDIT: I do get that this was not a stolen password, but the fact of a highly suspicious location should prompt a reauthentication.

  • @rubixrj7074
    @rubixrj7074 2 months ago +2

    shouldn't the auth token be locked to a region so if it is used in Russia it can terminate, thus asking for reverification. This should stop token sniffing, well reduce it to region based playback.

  • @ieocin
    @ieocin 2 months ago +1

    please DON'T USE BLUR to censor passwords! it is entirely possible to de-blur images especially with modern AI and you even zoomed in and out, so there's more data to work off of!

  • @thesupercomputer1
    @thesupercomputer1 2 months ago +1

    In all projects I develop with end-user interactions, I have tied the session token to the device. I check some values that let me identify that device, and if something changes, all sessions get terminated, to prevent session hijacking.
    As long as an attacker is not able to clone all the fingerprinting or access the machine where an active login is live, there is no chance that any damage can be done.

    • @NoahD123
      @NoahD123 2 months ago

      In the example John gave in the video, that wouldn't necessarily prevent account compromise since the data gathered included plain text username/passwords. But I do like that idea as an added layer of security. I may have to steal that for my future development projects.

    • @thesupercomputer1
      @thesupercomputer1 2 months ago

      @@NoahD123 Sure, against regular logins it gives no additional protection. But regular logins should be protected with multi factor authentication.
      So I think in general it would help with security. And I also think everything that raises security should be available for everyone. So feel free to "steal" the idea.

  • @The1RandomFool
    @The1RandomFool 2 months ago +6

    Wasn't this the same way the RUclips account was stolen?

    • @sib1212
      @sib1212 1 month ago

      yes, spam emails pretending to be sponsors or ytube email.

  • @GaviLazan
    @GaviLazan 2 months ago +2

    Where I live, many sites - in particular insurance and medical providers - are starting to ditch passwords for an sms code. This isn't even 2FA, it's OTP! So instead of forcing the user to create better passwords, they are dumbing down the whole system. 😔

    • @rezwhap
      @rezwhap 2 months ago +1

      Scary. Those businesses usually have strict compliance requirements so I'm surprised it's legal.

    • @GaviLazan
      @GaviLazan 2 months ago

      @@rezwhap They have very strict encryption regulations, but I don't think there's any government regulation on the type of authentication required here.
      Heck, one of my credit cards forces me to change my password every 6 months (great), but the password MUST be 10 characters long! My bank is 8-14 char (just had to change it today), but at least requires at least 2 caps and 2 digits and recommends special characters. But still, having those specific requirements means that attackers can lop off a huge amount of options from their dictionary if they are going to brute force. Thankfully this bank, in addition to our national ID number, also has us set a personal identifier (that we can change at any time) that needs to be used to log in - so three things at once. Not exactly 2FA, but better than ol' creddy here.

  • @sahin8780
    @sahin8780 2 months ago +1

    This is a mistake of both Microsoft and Chrome. Chrome lets everyone on the computer see the information easily. And Windows should let people know that their saved password will be accessed by a process. For example, when you install Firefox or Edge, they directly get all the information from Chrome without the need for consent

  • @906
    @906 2 months ago +4

    Stg this is the third time they've been hacked.

    • @superJK92
      @superJK92 2 months ago

      Actually I think it is only the 2nd

  • @admediastic
    @admediastic 2 months ago

    I don't understand how having a physical security key is going to help, when you are under a phishing attack and the attackers can steal your cookies anyway.

  • @secretagent5209
    @secretagent5209 2 months ago +2

    Why aren't cookies/tokens bound to ip/country/internet provider?

  • @tomato.mp4
    @tomato.mp4 2 months ago +1

    By the way I hear a lot that blur isn't destructive so I would advise a black box instead of blurring it.

  • @ChristopherBruns-o7o
    @ChristopherBruns-o7o 2 months ago +3

    3:09 so this is ransomware?

  • @Schniebel89
    @Schniebel89 2 months ago

    Conditional Access can prevent this but it's expensive for the provider. I wanted to buy a Key for some time now but you need at least TWO because you need a backup one if the first one gets lost or damaged.

  • @ecu4321
    @ecu4321 2 months ago +2

    What you're saying here are things that Linus should've done? Or he already did but still got hacked?

  • @user-ot7wb8sy1v
    @user-ot7wb8sy1v 2 months ago +2

    Yup. They got hacked again.

  • @AnnCatsanndra
    @AnnCatsanndra 2 months ago

    Man it's a rough week for Ltt. But it is kinda hilarious that this happened almost immediately while Luke leaves Defcon and Linus logs into his personal account on a work machine during the Wan show.

  • @wupr0
    @wupr0 2 months ago

    I'm still seeing new comments based on out-of-date information. John has posted another video. The "notification" Linus received was a phishing email!

  • @asdfghyter
    @asdfghyter 2 months ago

    one thing you could do is to reduce the number of people who have ownership access to the account. I'm not sure if twitter has a built-in feature for having multiple users of an account, but otherwise you could use an external app to emulate this behavior.

  • @the_primal_instinct
    @the_primal_instinct 2 months ago

    The more factors you have, the easier it is to accidentally lose access to your account

  • @kwinzman
    @kwinzman 2 months ago

    How can you prevent that:
    as a user: don't get your computer compromised
    as Twitter: don't let users reset passwords without reauthenticating with 2FA.

  • @bigjoegamer
    @bigjoegamer 2 months ago

    11:33 "Additional password protection" is where you can now find the optional setting to create passkeys on Android to use for signing in, instead of using a password.
    Let Linus know that Twitter now supports passkey sign-in for Android.

  • @TriSept
    @TriSept 2 months ago

    MFA forces attackers to move to session token stealers. This is a cat and mouse game, as we try to move from just using passwords the attackers will move to other methods that work against MFA. The benefit is that the attack usually requires running software on your local system to steal the session tokens instead of just password spraying the Internet, potentially compromising multiple accounts at once.

  • @Letmeusethis999
    @Letmeusethis999 2 months ago

    When you show a person's sensitive information block it out, do not blur. I have deblurred one of the secrets you showed, you stating many are the same helped me.

  • @6LordMortus9
    @6LordMortus9 2 months ago

    I just plain forgot to move my 2fa to a new phone and locked myself out of Tumblr.
    Even after sending a photo of myself as instructed, I could not get my 2fa removed and am now permanently locked out of my account.
    I completely know how it feels to have to do something that doesn't sound logical to get an account opened up to reset things.

  • @johndeaux8815
    @johndeaux8815 2 months ago

    Your access token for the account should be linked to IP, hardware, and location. Like a separate token for my account when signed in on my phone vs PC, so that if my account signs in from Russia on a Pentium, it disables that specific token and notifies the user of which platform they were compromised on.

  • @TC-hl1ws
    @TC-hl1ws 2 months ago +4

    I think this is John's best video ever! As someone that had an account hacked I am constantly worried how to prevent it from happening again. Around 10 minutes in he goes through some recommendations. Thank you.

    • @Demoralized88
      @Demoralized88 2 months ago

      The only decent method for most people is IMO having a cheap secondary phone/laptop that you use for important accounts/passwords, preferably on a known-good wired network connection. Or at least logging in to sensitive accounts from incognito/private browsers on your daily computer/phone, absolutely never storing those logins with any autofill (google account or local OS) and never saving them as cookies. That's my opinion after having been 'hacked' in 2022, modern malware is way too sophisticated to think you're safe from it happening to you.

    • @TC-hl1ws
      @TC-hl1ws 2 months ago

      @@Demoralized88 Ok, that's easy. I have an older laptop that I can do a fresh install of Windows on. I'll use this for my crypto and financials only.

    • @Demoralized88
      @Demoralized88 2 months ago

      @@TC-hl1ws Yeah that's basically what I did. Are you pretty sure it's just one account that was compromised or are you thinking it was an infostealer/RAT on your system? Doesn't really matter either way, I used a new cheap chromebook on a different network to change my passwords. Using your phone for a hotspot is a good option for the old laptop instead of using it on the same network. Hopefully you're alright and it wasn't malware, the stress and anxiety was overwhelming for a long time afterwards. I didn't know about RATs/infostealers until it happened to us and really encourage researching them if you haven't, you cannot be too cautious/paranoid when dealing with some of the malware/exploits used these days. The separate device/network is necessary IMO for recovering/securing accounts and will keep you much safer going forward, especially with some discipline not sharing USB/media and networks between the main and isolated PCs.

  • @draken5379
    @draken5379 2 months ago +2

    It's wild how LinusTechTips' opsec is so fking bad. Guys, you run your own backups, any day now someone is gonna wipe all of that thanks to basic opsec mistakes.
    Hire someone.

  • @kipchickensout
    @kipchickensout 2 months ago

    i think not checking "remember me" doesn't prevent your browser from keeping session tokens

  • @fliporflop7119
    @fliporflop7119 2 months ago

    7:28 ugh it's not 2015 anymore. Most modern websites have mechanisms to detect and prevent unauthorized access, even if someone has access to a valid session cookie. Device Fingerprinting, Location-Based Checks, User Agent String bla bla etc. For only the cookie to work is under very specific circumstances.

  • @LouisSerieusement
    @LouisSerieusement 2 months ago

    did you set up your security key ?
    Great video thank you :)

    • @_JohnHammond
      @_JohnHammond  2 months ago +1

      Yes! Thanks for keeping me honest! 🤪

  • @aureliogutierrez9195
    @aureliogutierrez9195 2 months ago +5

    Phishing: Some enter you account, secure it!
    Linus: Ho sht, let me in to secure
    *linus enter they password

    • @WarrenGarabrandt
      @WarrenGarabrandt 2 months ago +3

      Unfortunately, I've seen this kind of attack be startlingly successful. Something about putting artificial urgency plus the convenience of a ready to press fake login button right in somebody's face means people turn off their brain. Not saying that's what happened here of course, but I've seen it happen.

  • @natorsi
    @natorsi 2 months ago

    "Sorry for going on a ramble" he says when I clicked on the video for that specifically 😅

  • @BradleySmith1985
    @BradleySmith1985 2 months ago

    One of the thoughts that I've had against impose dealers: why don't the website companies put your IP address and your computer's fingerprint into the files so that if they change computers or change IP addresses beyond a region it should flag those files as fraud, not allowing them to be used.

  • @aRandomPersonOfTheInternet
    @aRandomPersonOfTheInternet 2 months ago

    This doesn't make any sense. Twitter's been officially banned in Russia for the past 2 or 3 years, and it is currently unreachable without a VPN. And a VPN makes your traffic go through a different country from where Twitter is still accessible. You can not just log in to Twitter from Russia directly, and there's no way for Twitter to know where the traffic originally comes from if it goes through a VPN.

    • @apchistuz
      @apchistuz 2 months ago

      not really banned. it's slowed down to the point of unusability. I'm from Russia, and by using dpi bypassing software you can access twitter

  • @kiraaaaaa
    @kiraaaaaa 2 months ago

    The blurring you did on that person's info is *really* not good enough. The blur might be strong enough to be somewhat destructive, but it's needlessly reckless to show *any* little bits of information, and the blurring doesn't even cover everything completely

  • @nonetrix3066
    @nonetrix3066 2 months ago +2

    Browsers need a feature to ask for a password on startup that encrypts everything, like a lot of modern OSes these days. I actually hacked together something like this with a few lines of bash, but it should be added as a feature

    • @eshwayri
      @eshwayri 2 months ago

      I am not sure how you would just do it in bash. The only thing I can think of is an encrypted fs that you un-encrypt at startup. Problem is if the malware collects while the browser is running then it will see the un-encrypted files. You'd somehow need to make the filesystem only visible to the browser -- not the rest of the system. Better would be to have the browser decrypt on the fly as needed. Storing/caching it in memory though you'd have to decide whether to keep it encrypted or repeatedly decrypt. Speed may be an issue. Even then it wouldn't be perfect, but probably better. I wonder if using an external key manager might help. If anyone knows of any interesting articles on this, that would make a good read.

    • @nonetrix3066
      @nonetrix3066 2 months ago

      @@eshwayri I just used gpg and xz, sure it can't protect while it is running but can while it's not. And it can't just open it, needs the password first

  • @hamburgerdeluxe8795
    @hamburgerdeluxe8795 2 months ago

    The weird spacing of exclamation marks and commas gave it away for me ;)

  • @Denvercoder
    @Denvercoder 2 months ago

    YubiKeys don't "scan" your fingerprint. It's just an impedance strip. You could literally touch the tip of your nose to it.

    • @Denvercoder
      @Denvercoder 2 months ago

      Except for the bio series, which isn't the one you showed in the video. FYI.

  • @DraXaly
    @DraXaly 2 months ago

    fun sidequest; check login attempts on your microsoft account

  • @Druac
    @Druac 2 months ago

    Best way to prevent bad issues with Twitter is to not have an account…it has worked for me for years now.

  • @fr34k09
    @fr34k09 2 months ago

    First Nogla while playing Phasmophobia with VanossGaming and the other friends. Now Linus that can't get a break from hackers

  • @ZeroCiaran
    @ZeroCiaran 2 months ago

    Great information John, thanks for sharing and your explanation of all the different defences we can take with our online accounts!

  • @TheOdysseyHadAPurpouse
    @TheOdysseyHadAPurpouse 2 months ago

    Linus getting hacked twice is crazy

  • @rostcraft
    @rostcraft 2 months ago

    Dude who specified Kursk Oblast as shipping address is a good troll, I hope the scammer got triggered by this, because they don't really have control at least in some parts of the region.

  • @TheLastSock
    @TheLastSock 2 months ago

    Looks like they have listened to him. Just checked, they have now implemented password reset protection.

  • @berndeckenfels
    @berndeckenfels 2 months ago

    An info stealer with session cookies should not be able to change the password on an account and log out the legitimate user without 2fa.

  • @KennethLongcrier
    @KennethLongcrier 2 months ago

    Auth Token:
    To fix this, Twitter needs to validate the Auth Token with the IP address in-use when the Auth Token was provided...
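
The session-binding idea raised by @thesupercomputer1 above (and again in this comment and those of @secretagent5209 and @johndeaux8815, who ask for tokens tied to IP or device) sketched as an added example; this is constructed code, not X/Twitter's implementation or any commenter's, and it assumes the country value has already been derived from the client IP by a GeoIP lookup elsewhere:

```python
"""Session binding demo (constructed example, not X/Twitter's or a commenter's code).

On login the server hashes a few request attributes into a device
fingerprint and stores it beside the session token. A later request that
presents the token with a different fingerprint is treated as a replayed
(stolen) cookie: every session of that user is revoked and the caller is
told to log in again with MFA. The country value is assumed to come from
a GeoIP lookup done elsewhere; here it is passed in directly.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Request attributes folded into the fingerprint. Location is kept coarse
# (country, not exact IP) because binding to the exact address would log
# out every mobile user whose carrier address changes.
BOUND_HEADERS = ("user-agent", "accept-language", "sec-ch-ua-platform")


def fingerprint(headers: dict, country: str) -> str:
    parts = [headers.get(h, "").lower() for h in BOUND_HEADERS] + [country.upper()]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


@dataclass
class Session:
    user: str
    fp: str


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}
        self.revoked_users: list[str] = []  # audit trail for the detection team

    def issue(self, user: str, headers: dict, country: str) -> str:
        """Called only after a successful password + MFA login."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, fingerprint(headers, country))
        return token

    def check(self, token: str, headers: dict, country: str) -> str:
        """Return 'ok', 'unknown' (no such token) or 'reauth' (binding broken)."""
        sess = self._sessions.get(token)
        if sess is None:
            return "unknown"
        if hmac.compare_digest(sess.fp, fingerprint(headers, country)):
            return "ok"
        # Valid token, different device/location: assume the cookie was copied
        # off the original machine and kill every session, not just this one.
        self.revoke_user(sess.user)
        return "reauth"

    def revoke_user(self, user: str) -> None:
        for token in [t for t, s in self._sessions.items() if s.user == user]:
            del self._sessions[token]
        self.revoked_users.append(user)

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)


def demo() -> tuple:
    """Constructed scenario: a laptop session, then its cookie replayed elsewhere."""
    store = SessionStore()
    laptop = {"user-agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/127.0",
              "accept-language": "en-CA", "sec-ch-ua-platform": '"Windows"'}
    phone = {"user-agent": "Mozilla/5.0 (Linux; Android 14) Chrome/127.0",
             "accept-language": "en-CA", "sec-ch-ua-platform": '"Android"'}
    laptop_token = store.issue("brand-account", laptop, "CA")
    store.issue("brand-account", phone, "CA")
    same_device = store.check(laptop_token, laptop, "CA")
    # Same cookie, now presented by a different browser from a different country.
    replay = {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
              "accept-language": "ru-RU", "sec-ch-ua-platform": '"Linux"'}
    replayed = store.check(laptop_token, replay, "RU")
    return same_device, replayed, store.active_sessions("brand-account")


if __name__ == "__main__":
    print(demo())  # ('ok', 'reauth', 0)
```

This raises the bar but does not replace MFA: an infostealer that also copies the victim's request headers and proxies through the victim's region still matches the fingerprint, which is why password changes and 2FA resets need a fresh MFA prompt regardless of session state.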

  • @balex96
    @balex96 2 months ago +1

    If 2 factor authenticator is on and you want to disable it, shouldn't it prompt to authenticate before you are able to disable it? If it doesn't then it's really stupid.

    • @miss_sapphire
      @miss_sapphire 2 months ago

      I'm wondering if it was even on.. might not have been since it's shared with other users 🤷🏻‍♀️

  • @dans2971
    @dans2971 2 months ago

    Why would anyone want a Twitter/X account?
    Honest question.

  • @AstridKey
    @AstridKey 2 months ago

    when i open my PC it opens cmd for a split second and closes. can you explain this because when i scan my pc with windows defender it says it's clean. Please Help! I know there is a malware of some kind. How do I remove it?

  • @omoxehinde
    @omoxehinde 2 months ago

    Why does he keep getting hacked

  • @NoahD123
    @NoahD123 2 months ago

    Does Twitter have any form of "manager account" that could be tied to the main brand account? I'm thinking like a Linux system, there are user accounts which means no one logs in as root. They could add an approval process to make posts or modifications to the account that would mean an attacker would have to compromise multiple accounts to take over the brand account.

  • @randomdude12370
    @randomdude12370 2 months ago

    Would something like yubikey work here? Because if you can only sign in with a security key and not an OTP, you could theoretically give a security key to whoever manages the acct or have multiple security keys on file with Twitter. Although they probably contacted Twitter support to disable it, maybe there's a way if they can enforce it that this would solve the issue?

  • @johanea
    @johanea 2 months ago

    Why would anybody use Twitter anyway…

  • @309electronics5
    @309electronics5 2 months ago

    Let me guess. Next time they are getting hacked again but this time having their other social platforms hacked