Never tick that box that says "remember me". But in general, all cookies need to expire within an hour. In M365, even if you have 2FA turned on, the cookie bypasses this requirement. For the really important stuff, log out before you leave.
even if you have 2FA turned ON NOT even if you have 2FA turned on You have not learned yet that ON OFF and on off are used in different contexts ON OFF are used when referring to ' switching ' on off would be used, for example : I start work on Monday and I am off on the week-end When you pay attention to detail you will notice that SWITCHES often have ON OFF written on them and not on off Understanding this comes from knowing High Level English such as correct grammatical legal English. Common Street English is traditionally the language of peasants though they do not call them that anymore because they become offended -- so instead they are called Citizens The thing to remember is Pay attention to detail. HOW words are written is of critical importance
I do find that logging off invalidates the cookie session on the server side so even if they manage to steal your cookie it won't work since the session is no longer valid and they have to authenticate to get in. Just have to force a habit to always click log off and wait for the server to acknowledge that you've been logged off.
Excellent video. Browsers work against us by remembering passwords, payment info etc by default. Some sort of containerized solution is really the closest to bullet proof (VMs or Qubes OS or similar). Or using a dedicated device for only financial transactions.
The scammers are super sophisticated. As an example, my company announced upcoming layoffs. A few days later an email showed up from “HR” talking about a layoff. I hit report this email thinking it was another lame company phishing test. It wasn’t and came from the outside.
Something wrong in this video is that a file with a .exe.pdf extension will not be treated as an exe by Windows or any other operating system. It will be treated as a PDF. [Edit: Just tried it out. Made an exe and changed the name so it has .exe.pdf at the end. Windows treats it as a pdf.]
I'll make some video covering Apple at some point in the future. They are generally quite a bit more secure than Windows out of the box though. If you want to learn more, Apple has some documentation on XProtect and Notarization. If you want to go a bit further, you could try out Lockdown Mode. It's in the privacy & security section in settings. Apple says it really restricts usability, but I've had barely any issues with it. Your mileage may vary though.
After you mentioned clearing cookies, at about 7 minutes into this video, I instantly, as if by magic, cleared my cookies and web page cache (which my browser said had 1.1 GB of data in there). Also per your advice, I set my browser to delete cookies every time I close my browser. Now on to the rest of the show.
I remember back in 2014 when I was doing my bachelor's degree, I proposed to my academic advisor that I wanted to write a thesis about the vulnerability of cookies. This guy who had just earned his PhD decided to shut me down, saying it is not a thing because he never heard of it, and wanted me to do his shitty little project instead.
*Most PhDs are that way.* They ONLY want YOU to do what THEY are working on AND because they have the FUNDING, you have no choice, because there are no other options. Whatever "research" YOU want to do will ONLY get done if YOU have your own FUNDING. Otherwise you have to hitch a ride on someone else's project.
What? It's been a thing, in 2004 we would play with cookies. Going to a public library you could be almost anyone because no one even cleared the history. In 2014 it's not a thing and two days ago now it is? Again we did this in 2004. Heck IIRC there was a MySpace bug where you could set your cookie to a user token and gain access.
Cookies had been found to contain malware even before this guy posted the video. So chase all those other companies and guys who are implementing these safety protocols. What an insecure guy!! Anybody could just say blah blah blah without evidence. I could also say the same thing and nobody could check whether I am telling a fact or a fiction.
@@DivineRedwood No funding for you if what you're doing will threaten the oligarchs' control of various institutions. Massive funding if what you're doing can be used against civilization in the future or is yet another route to steal taxpayers' money and launder it. People assume it's incompetence or ego and not premeditated malice.
@@djp_video don't banks limit sessions to some 10 minutes and then cut you off, to get logged in again? That, in my understanding, makes the previous cookie obsolete. No? Unless the scammer acts quickly, they would be out of luck. If the login system demands using a different combination of characters of your password, that should prevent such scam.
It's almost like no one gives a sh*t about the ordinary peeps, the computers we use are insecure by design and the protocols that the internet operates on have vulnerability built in at the lowest level. Let's hope the WWWC gets around to ditching cookies once and for all, they're a relic of a bygone age: only used for nefarious purposes these days.
Obviously. Ordinary peeps are seen as and treated like a resource. To be exploited and used. That's what the elites always do. Corporations, banks etc have done this for years. Tyrant culture is common and rampant
It's like that so their friends can harvest your Data and telemetry, that's where all the money is. If you follow best practices on everything that is recommended, especially long passwords etc., you have very little to worry about. ... Make a mistake, and you Pay!!!
If they plug holes it gives them less power over you. That is why every browser and free OS is corporate infiltrated so they can make sure they can spy on you and more easily control and manipulate you.
This is horrendous. The banks have closed their physical branch’s and made us go online. The Government made laws to limit cookies that have been ignored and I have to grant or refuse them every time I go online. They can’t let this happen to people who don’t want to understand this crap. This is a whole world of sh1t we don’t need that has been allowed by Microsoft, big corporations and the Government.😤
The banks have closed their physical branches not The banks have closed their physical branch’s Undertake an intensive reading program to better educate yourself and learn correct grammatical legal English Your present education level is at the lowest elementary level. Also learn how to format text and use paragraphs. It is not difficult to get it right My youngest students age 8 are academically more advanced than you. Keep that in mind
EXACTLY. Most of us DO NOT HAVE THE TIME OR THE INCLINATION to keep up on all of this CRAP. It is NEVER ENDING and FAR TOO COMPLICATED... And many of us are VERY Technical BUT we are WORN OUT with trying to stay ahead of this crap. What's the point of passwords, 2FA, Yubikeys... etc. etc. etc. if NONE of that crap works? And WHAT is CONGRESS DOING to protect people? Instead they spend their time complaining about useless crap that affects NO ONE. Sen Warren is the PERFECT EXAMPLE. She spends her time complaining about how dangerous CRYPTO is and how it is only used by hackers.... INSTEAD OF LOOKING FOR ACTUAL WAYS TO PREVENT HACKERS FROM HACKING PEOPLE. I'm sick and tired of it.
I've always thought that webmasters have been lazy to continue relying on cookies instead of creating something more sophisticated and impenetrable. It would not need any more space requirements than cookies do, but would require some more in depth expertise as a webmaster, which is still doable.
@@whirled_peas Browser fingerprinting has nearly obsoleted the need for any kind of cookies at all required to track every move by the big players in the game.
The hidden file extension setting is actually "Hide Extensions for Known File Types". You should unselect that. Has nothing to do with hidden files and folders..
I think you have to agree to the script they send though on public wifi. The Internet is entirely too safe it's just all there forever. Crypto hacking isn't a thing because it's all there the transactions and you report it just like when someone steals from a centralized bank they catch them except quicker. Someone stealing a flashdrive is obvious I mean the USB can eat the cookies n then we can monetize that or you can do anything I mean you're right there at the computer. You can't not have an IP or am I wrong
Don't use a banking service that relies on cookies, get one who will not let you log in or transfer/pay for anything without a physical code device paired with your password.
We have had this in Sweden for years. When I log in to my bank, I use an app I have to install on my phone, then a QR code is updating on the screen every second that I point my phone to. Then I have to either enter a code, or use my fingerprint to get into the bank. Same thing then applies if I want to transfer money. If the phone does not work, I also have a hardware box in my house, that I enter a code for.. then I get a code from the bank that I enter, and I return the new code that is now calculated.
What is scary is that Google Wallet - GPay is one of those banking services which don't ask anything on online payment. I had never added my bank card to my Google Wallet before two weeks ago, to experiment with it. The phone has to be unlocked at any physical store payment, that alone is also not so secure. E.g. you have to unlock your phone entering on mass transport gates as well, but in general, people travel with browsing socials all the time... Other than that, Google Pay never asks for any code on payment, it doesn't even show the actually paid amount via NFC! But the worst thing is many web shops offer GPay payment on their sites. I tried to buy something via it: well, GPay did not even ask me for my Google account, password or 2FA. I was in Edge, so logged on with my MS account into the browser, not with my Google account. So I guess the browser used my Google account from cookies or from some cache? The only step I had to take was that the transaction had to be approved via my bank's native app. However the amount was above the legal limit for this, lower amounts do not even need to ask for this approval (I am in the EU). So, guys, I just removed all my credit/debit cards from the Google Wallet.
That's excessive. Ways of taking your money away, such as adding a new recipient, are the only things that need a physical code. Thankfully, that's what my bank does. If someone stole my browser cookies, they could see my balances and transfer money around between my accounts and such. (yes, this could cause problems, but nothing earth-shattering) As soon as they tried to withdraw money to somewhere new, they'd need my hardware token.
Cookies are kind of incidental to this attack. If I have RCE on a modern operating system, I can do anything you do: I can intercept mouse and keyboard events, access hardware (including physical tokens), steal any secrets etc. The tragedy is that there is no reason computers shouldn't be able to keep secrets and keep running programs isolated, we've known how to build secure operating systems for half a century now.
"we've known how to build secure operating systems for half a century now." There is no WE. The most secure operating system is simply not connected to the internet. If you want secure, Solaris! Good luck with some of the websites you visit. In the meantime simply configure your browser to delete cookies on exit. Or don't use your computer for banking. Or use one computer ONLY for banking and the other computer for "surfing the net"
I decided long ago that I would have two devices. Phone is for play but NO BANKING. PC is for banking and work but NO PLAY. As for social media, I have none, unless you include RUclips, which is attached to an email account used specifically for it and nothing else. I read none, delete all. I'm also not a geek; no gaming or tech stuff. Any downloads come directly from the source. My scanning routine for my PC is daily, with 3 apps. Thanks to this news I'll also be including cookie deletions. Thanks for the info. My biggest fear comes from the big shopping sites. I also don't have friends emailing so traffic is minimal.
PS... those sites that pop up a page that says "Click Allow to prove you are not a Bot" are trying to install permissions on your browser that will lead to bad things.
If you have older people who aren't good with technology, buy them a new tablet from a reputable brand that they will only use for banking. Make sure they install security updates and buy a new tablet whenever the update period ends. Ideally, it would connect to a different wifi router network that is only used for banking or, even better, have its own SIM card. Ask them to talk to their bank to block all transactions to buy crypto.
When checking session tokens, APIs should also validate the request IP address matches the stored IP of the session. That would prevent session hijacking… unless I’m mistaken
@@zedvee2668 That can happen, but in the majority of cases it is a good protection. It can cause problems on some devices where they change their IP addresses, such as Tor, and some mobile devices might change their IP address regularly. Personally, I'm happy interfering with Tor as on our servers we only see malicious requests from there.
Like 10 years ago, if you travelled on vacation and tried to log in to a site, you often got a "Hey this is not your normal IP", and you had to answer a secret question, and got emails that warned you.. These days, people are lazy and do not like these things, so websites have removed it. We used to always have to enter a 4 digit code when using our bank cards, but now they removed it.. so you just tap the card.. so we make things less safe cause of lazy people complaining that it's hard to remember 4 digits..
Andrew gave the answer to this - I'm just reinforcing it. It is for sure possible to block due to a different IP, but most places don't do it for the sake of convenience.
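The server-side checks discussed in this thread (logout invalidating the session, an idle timeout, and rejecting a token presented from a different network), sketched as an added example that is not from the video or from any commenter. The `SessionStore` class, the /24 and /64 tolerance for address changes, the 600-second timeout and the sample IP addresses are all assumptions made for illustration.

```python
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass


def client_network(ip: str) -> str:
    """Coarse client network: /24 for IPv4, /64 for IPv6 (assumed policy).

    Binding to a prefix rather than the exact address tolerates small
    address changes, at the cost of a weaker check.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _key(token: str) -> str:
    # Store only a hash, so a leaked session table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    net: str          # network the session was created from
    last_seen: float  # time of the last accepted request


class SessionStore:
    def __init__(self, idle_timeout: float = 600, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._clock = clock

    def login(self, user: str, ip: str) -> str:
        """Called only after password and 2FA have succeeded."""
        token = secrets.token_urlsafe(32)
        self._sessions[_key(token)] = Session(user, client_network(ip), self._clock())
        return token

    def logout(self, token: str) -> None:
        # Server-side invalidation: a stolen copy of the cookie is now useless.
        self._sessions.pop(_key(token), None)

    def validate(self, token: str, ip: str):
        """Return (user, reason); user is None when the request is rejected."""
        key = _key(token)
        session = self._sessions.get(key)
        if session is None:
            return None, "unknown_or_logged_out"
        now = self._clock()
        if now - session.last_seen > self._idle_timeout:
            del self._sessions[key]
            return None, "idle_timeout"
        if client_network(ip) != session.net:
            # Revoke outright so that whoever holds the token must log in again.
            del self._sessions[key]
            return None, "ip_mismatch"
        session.last_seen = now
        return session.user, "ok"


def demo():
    """Constructed scenario using documentation-range IP addresses."""
    now = [0.0]
    store = SessionStore(idle_timeout=600, clock=lambda: now[0])
    out = []

    t1 = store.login("alice", "203.0.113.7")
    out.append(store.validate(t1, "203.0.113.7")[1])    # same address
    out.append(store.validate(t1, "203.0.113.99")[1])   # same /24, tolerated
    out.append(store.validate(t1, "198.51.100.20")[1])  # token replayed elsewhere
    out.append(store.validate(t1, "203.0.113.7")[1])    # session was revoked

    t2 = store.login("alice", "203.0.113.7")
    store.logout(t2)
    out.append(store.validate(t2, "203.0.113.7")[1])    # copied cookie after logout

    t3 = store.login("alice", "203.0.113.7")
    now[0] += 601                                       # user walks away
    out.append(store.validate(t3, "203.0.113.7")[1])
    return out


if __name__ == "__main__":
    print(demo())
```

The revoke-on-mismatch choice also logs out a legitimate user whose address moves to another network, which is the usability cost raised in the replies above.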
I had just decided to leave Gmail open on my MacBook browser rather than an app but now see the danger in that. So it’s perfect timing for me to get this warning.
Great video, one source of malware that nobody mentions is outsourcing, i wouldn't be surprised if it represents the highest proportion of malware that businesses are infected with
nobody can mention or do anything as every'body' is buried in the cemetery Go see for yourself. It is full of bodies Also Answer this question: How many of YOU are there in existence on this earth ? Are you getting it yet ?
What I don't understand is how they clear the bank out. Even if they have control over your browser and it is logged in to the bank you must still sign the transfer in your phone verification app.
It still amazes me that in 2024, big corporations like Google, even developing AI and hiring a lot of supposed engineers and smart people, cannot check something as simple as matching IP address and/or country at login. When someone steals a session token and tries to access your account in a different country or even a different IP address than the one the session originated from, Google (or the banks, PayPal, eBay...etc) should right away log you off and ask for your password and 2FA again. But nope, they don't do it and let hackers connect from a different IP just with a session cookie. 🤨🧐
Here >>> 13:55 Block Lists/Encrypted DNS Totally off the rails. I have no idea what you're talking about because you fail to explain what the hell you're doing.
best solution seems to be who cares my accounts are locked to like 100 bucks and I have to approve large transactions for the amount and vendor before they're made
12:35: You are confusing two different things here. Showing hidden files and showing file extensions. Both should be turned on for security reasons, so it becomes harder for bad actors to hide files (show hidden files) or disguise files (show file extensions). Showing file extensions for all files is actually a setting a bit further down from the one you are pointing out. It's a check box labelled "Hide extensions for known file types." You do have it unchecked (as it should be), but you are never pointing it out in this video.
Showing file name extensions is one of the first settings I switch on when setting up a new computer. It is quite simply incorrect that Microsoft even has such a setting, let alone having it off by default. Probably they wanted to be more Mac-like by not having shown file extensions.
Trying to keep up with security and scams is so overwhelming, especially for those of us who are not particularly tech savvy. I know the basics, but overall, I do not understand everything you are talking about. Getting to the point where I don't want to be online at all. There are just way too many things to try and remember. I do the basics and I think I have pretty good common sense online, but this is just way too much and very confusing.
That's definitely understandable. These videos are mostly for informational purposes. Some decent security on a computer and caution about downloading or opening random sites goes a really long way.
Thank you for all of the preventative measures, but how do you make sure that after you have been attacked, you are sure your system is clean? After my bank sign on screen was hijacked, I deleted all cookies and even deleted the browser. I changed the banking password on another PC, then I ran Defender, McAfee and Bitlocker and nothing was found. My Google browser was sync'd across other computers with Google. Can the malware be transferred to those from the infected laptop? How can I be sure that there aren't any other traces of malware?
If antivirus says the PC is clean, you're probably okay. You could run something called a second opinion scanner if you want to be sure, which would be something like the Kaspersky Virus Removal Tool or the Emsisoft Emergency Kit. As far as the browser, I would recommend checking the Chrome extensions and making sure nothing malicious was added, since there's a chance that could sync to another PC. Also, run second opinion scanners on the other PCs to check for anything.
Clearing your browser cookie cache will make no difference if it is a man in the middle attack. Ideally as soon as you request a new session and cookie all old ones should be expired by the server. The reason this doesn't and can't happen is that you are permitted multiple simultaneous sessions from different browsers and devices. This is a major philosophical security oversight baked into industry technology stacks!: I'd prefer all but my latest active open browser window and device to expire! This is the real crux of the problem and I am not even a security specialist! (Just one hellava systems engineer haha!)
Well that's fine for your banking systems.... but I really don't wanna have to login again to virtually every other website every time I switch devices. Some of them really aren't that critical or I even use fake details or whatever, and it's a ridiculous pain in the arris usability wise to do what you're suggesting.
GREAT F-ING Video, thanks man!!! Just like back when engineers were command-line and HAD to know what they were doing, everyone is a keyboard jockey now and frackin click happy on everything. Seems like things are getting better who the hell really knows what is going on "under the covers these days". Had a friend call last weekend, his machine was compromised, had a webpage open with an audio loop stating "This is Microsoft and you have been HACKED. Please call this number so we can assist". This is the THIRD time this has happened to him and LAST TIME he called, gave them direct access to his machine and even got $100 from him to "fix" the damn problem they created. I had to rebuild the damn thing and eventually took his Admin access away, clicking around on some questionable sites I'm sure. Crazy times, thanks for the tool, very helpful!
Thanks for the support, I'm glad you liked the video! Man, sometimes being the tech support guy for friends and family can be a chore. That's crazy that it happened to him three times!
I've gotten those "this is Microsoft, you've been hacked" sites too many times. And it won't let you click off the site etc. I just open Task Manager, scroll down to Chrome and click end task. This seems so easy and it works, does it not? I always have Task Manager pinned to the task bar. Is this not a good way to deal with it?
@@mebobtheone That method works to close the browser, though I would recommend trying to solve the issue at the root. Do you use uBlock Origin or something similar?
12:12 Hidden file extensions has been something in windows since I want to say it was turned on an XP because we want to save people from themselves changing those pesky file names and now their word documents don't open there's no consequence like having screensaver files pretending to be something else.
Always great info.... problem is most people have mobiles and tech but are unaware of any issues until they get hacked or scammed.... No one shows them how to use basic security....No one would drive a car if it did not have brakes. Problem every hardware and software do different things under different conditions.. too complex for the average citizen.
very true. Right click your c drive(windows os)select user select view unselect hidden items go to user application data name 7 zip that folder copy it into another most sites will load as if it was your first. . I never need to type a password in again :P neither do the scammers know your password don't save even in google password management it's all saved to that folder. Heck even microsoft is running LINUX SERVERS microsoft is a haven for this malware even they run linux funny as fook. I had not to need to login to sites that I was a member to for almost 20 years copying and pasting my cookies to new machines lol. How many people did I fix their computers and can access their every login. a pc guy fixing a broken pc. When you bring that pc in to a shop. Hard drive is taken out to be cloned so as to not touch the actual data. Even the recovery mode allows for more users to be added to cookies less no need to type.....
I have separate profiles in Firefox, I have a default and a bank one. The default is for everything that's not banking, and the banking one only is for banking. I have a phony proxy in the "banking" that only proxies to the banking hosts but drops everything else on the floor. This way that profile is only visiting the bank hosts. The final thing I do is have multi-account containers and compartment each bank into its own container. I make sure the banking profile only has bookmarks for the banks and all the default bookmarks have been removed, the idea being I want the "banking" profile to be obviously different in appearance.
Correct me if I'm wrong, but don't you want to disable "Hide extensions for known file types" to show the extension? "Show hidden files" is also good, but won't show file extensions.
@@KenHarrisio It's funny that you read out the wrong one, but still didn't realize it was the wrong thing for the context of what you were talking about. But as it's something you missed, you should consider pinning the above comment so if anyone reads, they'll see the correct option to select.
Great Vid: But your ordinary Joe Citizen is too occupied, trying to keep their s**t together in this horrendous world to even start to understand your subject matter, let alone understand the terminology you're using. Please have a little bit of thought and sympathy for those people for whom what you are saying is a foreign language: Your intentions are obviously for the good.
2FA in another device can prevent your bank account being hacked/emptied. Fortunately, my banks always send a code (not via sms or email) to my phone where I will have to enter my own specified pin to verify the code.
Good stuff. Booting from a read-only device running VM-hypervisor spawning a Virtualized app environment for my banking and crypto needs. Airgapped pc makes this device.
I have a colleague that had a RUclips channel, and his channel was affected by the same thing that Linus Tech tips was. He contacted RUclips about it and they just blew him off. He has not got his channel back yet. He has taken to uploading his videos on another popular website because he doesn't trust RUclips anymore. It took a lot of time to get all the subscribers he had on RUclips, and they just blew him off!
I think most people this happens to are pretty much SOL. A hijacked verified channel with 300K subs is still allowed to spread malware, which is ridiculous. It wouldn't take much effort for YT to fix it but they haven't. I doubt they help much for people with less than 1M subs.
Cookies and having your browser remember passwords are very insecure things nearly everyone relies on. Both are saved in user files, so any other user mode program can get at them if they know where to find them without need for admin privileges. That's how a browser can import such things from other installed browsers. Basically, if you can access anything without having to authenticate, any other software on your PC can access it.
Ty! You're terrific & informative & you have the perfect soothing tone & volume of your voice & that's why I just subscribed, Liked, Shared on FB with my 2000+ friends/family & now making a comment. I wanted to help the best & the only way I could being a low income senior in appreciation for this information that you give everyone for free. Ty! Ty!
Say no to cookies, use a password protection manager with 2 face authentication, remember your passwords, make sure they are all different, change em every couple months to a year (depending) make sure they are considered strong and not weak. Use a vpn service, not a free one, run virus scans every other week. All this seems like overkill, but this will help from any attacks. I personally only use one device if I'm logging into banks, etc. And the device runs vpn 24/7 with other high security.
Or live in a country that has high security xD No one can log in to my bank even if I have once logged in, cause 1. The bank logs you out 2. Even if it didn't they wouldn't be able to, cause it would ask for my digital ID once there is a little change to the location or IP, just not possible.
Sometimes it can catch it, but there are times it'll make it through. For example, a brand new strain of malware won't have a signature, which many AVs use to detect malware. Without a signature, they have to rely on heuristics, which may or may not work.
Could you give any recommendations on what to do after the malware is installed and someone stole/hijacked your account? This happened to me a few days ago and I'm trying to understand what to do next. I did a full reinstall of windows after I noticed someone stole my crypto, and also managed to change most of my passwords so far (using a different device and after reinstalling windows). Any more advice on what to do?
Many of the motherboard manufacturers should have patches released for this issue. I suggest checking for a BIOS update for your board. That's going to be the best way to fix this. Also, some boards have this feature and some don't, but you could also check to see if there's a way to disable the boot logo. The researchers thought that would be a fix for it. I also recommend using something called a second opinion scanner on all your Windows devices. Emsisoft Emergency Kit is a solid option. I don't know if AV is able to catch this stuff yet, but it would be a good idea to run a scan anyway.
Security needs to be made easier on the end-user. I should not have to clear my cookies every day, use impossible to remember passwords which I have to change every day, and restrict my own PC access so heavily I see security popups just to run steam games. I just want to use my computer to watch youtube and play games. I don't have patience to deal with all that other noise. I count myself lucky I haven't had to deal with a situation yet. I know better than to click anything sussy. That's good enough for me, it seems.
I agree 100%. A lot of these issues come up because the process is made too complicated for anyone who isn't a power user. We're probably another few years away before more substantial changes are made to improve things.
Don't banks limit the sessions to like 10 minutes and then they log you out if you are inactive? Unless you keep having third party payment channels open, like paypal. But even that one kept logging me out repeatedly.
I think it is a good idea to have a dedicated device only for your bank and sites where you have money and turn off internet when not using and avoiding using any online stuff in these devices, especially email, social media and messaging.
CloudFlare has a really low score compared to the others. Here's a good test that I've referenced in the past: techblog.nexxwave.eu/public-dns-malware-filters-tested-in-2024/ NextDNS owns dns0, so the scores would probably be similar for NextDNS.
Not necessarily. If the session can still be used, the hacker could take over the account. Login timeout after a short period of time can help protect against this issue.
LP is a pretty decent password manager. They've had a few hacks happen in the past. I'm not sure how they are these days. Either way, it's a way better option to use them than to not have one.
Sorry to comment on it here since it's not about this video but a previous one, out of curiosity is picocrypt's paranoid mode post-quantum encryption? I've been using CFB AES from pycrypt but I'm wondering if paranoid mode would be better in terms of security from quantum computers. Ty.
No problem, feel free to ask away. The paranoid mode wraps Serpent and ChaCha20 encryption. ChaCha is quantum resistant, but I've not found anything saying Serpent is the same. Given that they get combined, I'm sure you'd be good to go to use it.
I literally just had this happen to me the day before this video uploaded. I'm still dealing with securing accounts. Chrome tells me "240 compromised passwords" ...thanks, that's what I deserve for storing them in Chrome 🤬🤦
That was from an app on GitHub called Configure Defender by AndyFul. It's just a GUI that allows hardening Defender that would otherwise require a person to use Group Policy and RegEdit.
How do we know that the government isn't actually behind the malware? We keep finding many things designed to protect us and keep us hidden are actually created by the government...(TOR is a good example) I think people either forget or just don't realize, that the internet is a creation of the military, which is a government kind of thing...
This particular type will only steal session tokens. A lot of extensions can be malicious though, so I recommend researching any of them that you want to use.
Very good advice.
Never have. I know where it's stored and how to extract that to a USB. If I can do it anyone can.
even if you have 2FA turned ON
NOT
even if you have 2FA turned on
You have not learned yet that ON OFF and on off
are used in different contexts
ON OFF are used when referring to ' switching '
on off would be use or example :
I start work on Monday and I am off on the week-end
When you pay attention to detail you wil notice that SWITCHES often
have ON OFF written on them and not on off
Understanding this comes from knowing High Level English such as
correct grammatical legal English.
Common Street English is traditionally the language of peasants
though they do not call them that anymore because they become
offended -- so instead they are called Citizens
The thing to remember is Pay attention to detail.
HOW words are written is of critical importance
I do find that logging off invalidates the cookie session on the server side, so even if they manage to steal your cookie it won't work, since the session is no longer valid and they have to authenticate to get in. Just have to force a habit to always click log off and wait for the server to acknowledge that you've been logged off.
"Remember me" on Gmail or the bank account website?
RUclips isn’t fixing anything because.. the call is coming from inside the house.
Google- Alphabet 😮
People are being taught, how to scam and hack right on the platform, and nothing is being done about it.
Your voting maintains the status quo of corruption. Keep complaining while your actions reinforce everything that you hate.
@@STONE69_ lawlessness
@@AintSkeerdNWO Google-> Alphabet-> InQTel -> CIA -> Secret societies -> Oligarch usurpers of our governments
Excellent video. Browsers work against us by remembering passwords, payment info etc. by default. Some sort of containerized solution is really the closest to bulletproof (VMs or Qubes OS or similar). Or using a dedicated device for only financial transactions.
Great job with this video and your content. Keep up the great work!!
Thanks for the support!
Thank you for the information. I have subscribed and I hope to see more content like this!
Thanks for supporting! 🍻
Dude , you are T Factory. Thanks for the malware update.
Thank you for typing out an outline. It's great to screengrab to make a note for later.
The scammers are super sophisticated. As an example, my company announced upcoming layoffs. A few days later an email showed up from “HR” talking about a layoff. I hit report this email thinking it was another lame company phishing test. It wasn’t and came from the outside.
I set my browsers to delete all cookies and related files on closing. "Remember me" option is a non starter. Always log out of any session once done.
Something wrong in this video is that a file with a .exe.pdf extension will not be treated as an exe by Windows or any other operating system. It will be treated as a PDF.
[Edit: Just tried it out. Made an exe and changed the name so it has .exe.pdf at the end. Windows treats it as a pdf.]
The thing is, what he's saying makes no sense to me. You need a professional to decipher all this.
He's singing to his own choir.
great content!
Thank you!
I wish that you would discuss the similar problems of session stealing on an iOS device, iPhone or iPad.
I'll make some video covering Apple at some point in the future. They are generally quite a bit more secure than Windows out of the box though.
If you want to learn more, Apple has some documentation on XProtect and Notarization. If you want to go a bit further, you could try out Lockdown Mode. It's in the privacy & security section in settings. Apple says it really restricts usability, but I've had barely any issues with it. Your mileage may vary though.
I have a dedicated browser with absolutely nothing there but my banking.....that is all it does..
I keep asking businesses that send communications of any nature to STOP sending links at all. So far they all ignore my requests.
After you mentioned clearing cookies, at about 7 minutes into this video, I instantly, as if by magic, cleared my cookies and web page cache (which my browser said there was 1.1 GB of data in).
Also per your advice, I set my browser to delete cookies every time I close my browser.
Now on to the rest of the show.
But what if the attack happens while we are logged in?
I remember back in 2014 when I was doing my bachelor's degree, I proposed to my academic advisor that I wanted to write a thesis about the vulnerability of cookies. This guy, who had just earned his PhD, decided to shut me down, saying it is not a thing because he never heard of it, and wanted me to do his shitty little project instead.
*Most PHDs are that way.* They ONLY want YOU to do what THEY are working on AND because they have the FUNDING, you have no choice, because there are no other options. Whatever "research" YOU want to do will ONLY get done if YOU have your own FUNDING. Otherwise you have to hitch a ride on someone else's project.
Some people trip a lot on their own egos.
What? It's been a thing, in 2004 we would play with cookies. Going to a public library you could be almost anyone because no one even cleared the history. In 2014 it's not a thing and two days ago now it is? Again we did this in 2004. Heck IIRC there was a MySpace bug where you could set your cookie to a user token and gain access.
Cookies had been found to contain malware even before this guy posted the video. So chase all those other companies and guys who are implementing these safety protocols. What an insecure guy!! Anybody could just say blah blah blah without evidence. I could also say the same thing and nobody could check whether I am telling a fact or a fiction.
@@DivineRedwood No funding for you if what you're doing will threaten the oligarch's control of various institutions. Massive funding if what you're doing can be used against civilization in the future or is yet another route to steal tax payer's money and launder it. People assume it's incompetence or ego and not premeditated malice.
Don't save username or password, login with a new private window each time you go to a banking website. Don't stay logged in to important sites.
That wouldn't prevent this from being an issue. Even logging in once provides the information someone would need to impersonate you.
Good point, thank you
But it HELPS to NOT stay logged into things like Amazon, banking sites, delivery sites, etc.!!! 🫡
@@djp_video don't banks limit sessions to some 10 minutes and then cut you off, to get logged in again? That, in my understanding, makes the previous cookie obsolete. No? Unless the scammer acts quickly, they would be out of luck. If the login system demands using a different combination of characters of your password, that should prevent such scam.
Bro I cant even figure out how to get to the fucking screen you did.
It's almost like no one gives a sh*t about the ordinary peeps, the computers we use are insecure by design and the protocols that the internet operates on have vulnerability built in at the lowest level. Let's hope the WWWC gets around to ditching cookies once and for all, they're a relic of a bygone age: only used for nefarious purposes these days.
"It's almost like no one gives a sh*t about the ordinary peeps"
Probably. What is your level of concern for ordinary peeps?
Obviously. Ordinary peeps are seen as and treated like a resource. To be exploited and used. That's what the elites always do. Corporations, banks etc have done this for years. Tyrant culture is common and rampant
It's like that so their friends can harvest your data and telemetry, that's where all the money is. If you follow best practices on everything that is recommended, especially long passwords etc., you have very little to worry about. ... Make a mistake, and you pay!!!
I’ve gotten to where I just use my gaming laptop for fun, and anything serious involving banking, crypto, etc. I do all on my iPad.
If they plug holes it gives them less power over you. That is why every browser and free OS is corporate infiltrated so they can make sure they can spy on you and more easily control and manipulate you.
I knew taking from the cookie jar was bad since childhood but this is a whole other level
This is horrendous. The banks have closed their physical branch’s and made us go online. The Government made laws to limit cookies that have been ignored and I have to grant or refuse them every time I go online. They can’t let this happen to people who don’t want to understand this crap. This is a whole world of sh1t we don’t need that has been allowed by Microsoft, big corporations and the Government.😤
The banks have closed their physical branches
not
The banks have closed their physical branch’s
Undertake an intensive reading program to better educate yourself
and learn correct grammatical legal English
Your present education level is at the lowest elementary level.
Also learn how to format text and use paragraphs.
It is not difficult to get it right
My youngest students age 8 are academically more advanced than you.
Keep that in mind
@@andrew_koala2974 go harass a banker's webmaster with that critical nonsense .
"people who don’t want to understand this crap" Well that explains a lot!
EXACTLY. Most of us DO NOT HAVE THE TIME OR THE INCLINATION to keep up on all of this CRAP. It is NEVER ENDING and FAR TOO COMPLICATED,...And many of us are VERY Technical BUT we are WORN OUT with trying to stay ahead of this crap. What's the point of passwords, 2FA, Yubikeys...etc etc. etc. if NONE of that crap works? And WHAT is CONGRESS DOING to protect people. Instead they spend their time complaining about useless crap that affects NO ONE. Sen Warren is the PERFECT EXAMPLE. She spends her time complaining about how dangerous CRYPTO is and how it is only used by hackers....INSTEAD OF LOOKING FOR ACTUAL WAYS TO PREVENT HACKERS FROM HACKING PEOPLE. I'm sick and tired of it.
@@andrew_koala2974 Nice advice but I notice that you think punctuation doesn't apply in your case.
Cookies have been vulnerable even since the 90s. I'm amazed at how much they're still relied upon.
Yeah, you'd think they would have done something to secure them after so long. Feels like an ancient piece of technology by now.
I've always thought that webmasters have been lazy to continue relying on cookies instead of creating something more sophisticated and impenetrable. It would not need any more space requirements than cookies do, but would require some more in depth expertise as a webmaster, which is still doable.
After thought: There may already be such sophisticated web sub-programs in use today, but they do not advertise their existence for good reasons.
Mandatory cookie settings for websites should be retracted. It's ridiculous.
Cookies are necessary to persist things like logged in states. It’s a surprisingly tricky problem to solve
@whirled_peas i understand that however i just delete them the moment i have to accept them
@@whirled_peas Browser fingerprinting has nearly obsoleted the need for any kind of cookies at all required to track every move by the big players in the game.
The hidden file extension setting is actually "Hide Extensions for Known File Types". You should unselect that. Has nothing to do with hidden files and folders..
Came here to say this. How can this kid not know? It's been there since Windows 95. And he already has it unselected.
Shhh! You're spoiling the scary story with facts! 😉😆
I will save you 22 minutes. "Don't click on any suspicious files". Malware is malware. This has nothing to do with cookies.
Yes it does, and the majority happens, when people use Public Wifi.
I think you have to agree to the script they send though on public wifi. The Internet is entirely too safe it's just all there forever. Crypto hacking isn't a thing because it's all there the transactions and you report it just like when someone steals from a centralized bank they catch them except quicker. Someone stealing a flashdrive is obvious I mean the USB can eat the cookies n then we can monetize that or you can do anything I mean you're right there at the computer. You can't not have an IP or am I wrong
@@La80R4TQRiii not only are you wrong, you are stu-pid.
Nowadays everything is HTTPS, unless you get spoof DNS and get redirected to a fake website@@STONE69_
Sigh, a vm for your banking, a vm for social media, a vm for crypto. It works a treat👍
vpn
Not everybody can ditch 100 GB to host 4 VMS that use up about 20 GB minimum just to access 1 fucking website.
@@da_cat true, but most people can. And you can always use a Linux distribution to keep down that image size
@@sgholtno, he means a virtual machine for each separate use type
Agreed. VM is the best way to remove our footprint. VPN isn't secure as we always thought
Don't use a banking service that relies on cookies, get one who will not let you log in or transfer/pay for anything without a physical code device paired with your password.
We have had this in Sweden for years. When I log in to my bank, I use an app I have to install on my phone, then a QR code is updating on the screen every second that I point my phone to. Then I have to either enter a code, or use my fingerprint to get into the bank. Same thing then applies if I want to transfer money. If the phone does not work, I also have a hardware box in my house, that I enter a code for.. then I get a code from the bank that I enter, and I return the new code that is now calculated.
What is scary is that Google Wallet (GPay) is one of those banking services which don't ask for anything on online payment. I had never added my bank card to my Google Wallet until two weeks ago, to experiment with it. The phone has to be unlocked at any physical store payment, that alone is also not so secure. E.g. you have to unlock your phone when entering mass transport gates as well, but in general, people travel while browsing socials all the time... Other than that, Google Play never asks for any code on payment, it doesn't even show the actually paid amount via NFC! But the worst thing is many web shops offer GPay payment on their sites. I tried to buy something via it: well, GPay did not even ask me for my Google account, password or 2FA. I was in Edge, so logged on with my MS account into the browser, not with my Google account. So I guess the browser used my Google account from cookies or from some cache? The only step I had to take was that the transaction had to be approved via my bank's native app. However, the amount was above the legal limit for this; lower amounts do not even need this approval (I am in the EU). So, guys, I just removed all my credit/debit cards from the Google Wallet.
@@AndrewTSq that's interesting. I'm glad they have that for you over there.
@@lucakat9262 yeah, also when I am doing my tax refunds, I just log on with this system and send in my digital form for tax returns. Very convenient.
That's excessive. Ways of taking your money away, such as adding a new recipient, are the only things that need a physical code. Thankfully, that's what my bank does. If someone stole my browser cookies, they could see my balances and transfer money around between my accounts and such. (yes, this could cause problems, but nothing earth-shattering) As soon as they tried to withdraw money to somewhere new, they'd need my hardware token.
You know why the name Windows was used? Because Windows are easy to break and there is no privacy har har har
Lol that's a good one.
Cookies are kind of incidental to this attack. If I have RCE on a modern operating system, I can do anything you do: I can intercept mouse and keyboard events, access hardware (including physical tokens), steal any secrets etc. The tragedy is that there is no reason computers shouldn't be able to keep secrets and keep running programs isolated, we've known how to build secure operating systems for half a century now.
Linux Qubes
ChromeOS has you covered.
"we've known how to build secure operating systems for half a century now."
There is no WE.
The most secure operating system is simply not connected to the internet.
If you want secure, Solaris! Good luck with some of the websites you visit.
In the meantime simply configure your browser to delete cookies on exit.
Or don't use your computer for banking.
Or use one computer ONLY for banking and the other computer for "surfing the net"
@@speedibusrex couldn't you just use a second Linux distro inside Virtualbox for your online banking?
@@AndrewTSq do you really trust Google?
I decided long ago that I would have two devices. Phone is for play but NO BANKING. PC is for banking and work but NO PLAY.
As for social media, I have none, unless you include RUclips, which is attached to an email account used specifically for it and nothing else. I read none, delete all.
I'm also not a geek; no gaming or tech stuff. Any downloads come directly from the source.
My scanning routine for my PC is daily, with 3 apps. Thanks to this news I'll also be including cookie deletions. Thanks for the info.
My biggest fear comes from the big shopping sites.
I also don't have friends emailing so traffic is minimal.
PS... those sites that pop up a page that says "Click Allow to prove you are not a Bot" are trying to install permissions on your browser that will lead to bad things.
If you have older people who aren't good with technology, buy them a new tablet from a reputable brand that they will only use for banking. Make sure they install security updates and buy a new tablet whenever the update period ends. Ideally, it would connect to a different wifi router network that is only used for banking or, even better, have its own SIM card. Ask them to talk to their bank to block all transactions to buy crypto.
Please please please keep grinding, your content is life saving. Thank you for covering this junk, you're a hero.
When checking session tokens, APIs should also validate the request IP address matches the stored IP of the session. That would prevent session hijacking… unless I’m mistaken
Unless the hijack happened on the same local network or machine.
@@zedvee2668 or can they check your IP and make theirs look like yours? Something like spoofing.
@@zedvee2668 That can happen, but in the majority of cases it is a good protection. It can cause problems on some devices where they change their IP addresses, such as Tor, and some mobile devices might change their IP address regularly. Personally, I'm happy interfering with Tor as on our servers we only see malicious requests from there.
like 10 years ago, if you travelled on vacation, and tried to login to a site, you often got a "Hey this is not your normal ip", and you had to answer a secret question, and got emails that warned you.. These days, people are lazy and do not like these things, so websites have removed it. We used to always have to enter a 4 digit code when using our bankcards, but now they removed it.. so you just tap the card.. so we make things less safe cause of lazy people complaining about its hard to remember 4 digits..
Andrew gave the answer to this - I'm just reinforcing it. It is for sure possible to block due to a different IP, but most places don't do it for the sake of convenience.
I had just decided to leave Gmail open on my MacBook browser rather than an app but now see the danger in that. So it’s perfect timing for me to get this warning.
Great video, one source of malware that nobody mentions is outsourcing, i wouldn't be surprised if it represents the highest proportion of malware that businesses are infected with
nobody can mention or do anything
as every'body' is buried in the cemetery
Go see for yourself.
It is full of bodies
Also Answer this question:
How many of YOU are there in existence on this earth ?
Are you getting it yet ?
What I don't understand is how they clear the bank out. Even if they have control over your browser and it is logged in to the bank you must still sign the transfer in your phone verification app.
Many banks could also step up their security and be more proactive rather than reactive or at least have the added security functionality available
It still amazes me that in 2024, big corporations like Google, even developing AI and hiring lots of supposed engineers and smart people, cannot check something as simple as matching IP address and/or country at login. When someone steals a session token and tries to access your account in a different country or even from a different IP address than the one the session originated from, Google (or the banks, PayPal, eBay...etc) should right away log you off and ask for your password and 2FA again. But nope, they don't do it and let hackers connect from a different IP just with a session cookie. 🤨🧐
Here >>> 13:55 Block Lists/Encrypted DNS Totally off the rails. I have no idea what you're talking about because you fail to explain what the hell you're doing.
I use Sandboxie and then delete the sandbox .... no more cookies.
best solution seems to be who cares my accounts are locked to like 100 bucks and I have to approve large transactions for the amount and vendor before they're made
12:35: You are confusing two different things here. Showing hidden files and showing file extensions. Both should be turned on for security reasons, so it becomes harder for bad actors to hide files (show hidden files) or disguise files (show file extensions).
Showing file extensions for all files is actually a setting a bit further down from the one you are pointing out. It's a check box labelled "Hide extensions for known file types." You do have it unchecked (as it should be), but you are never pointing it out in this video.
Showing file name extensions is one of the first settings I switch on when setting up a new computer. It is quite simply incorrect that Microsoft even has such a setting, let alone having it off by default. Probably they wanted to be more Mac-like by not having shown file extensions.
Thanks for mentioning that. I'm not sure why I didn't notice that when I was filming.
@@KenHarrisio do you get blocked when logging into online banking
when you're connected to VPN?
I haven't had any issues personally, but a lot will depend on the bank and how they have their security configured.@@jirehla-ab1671
Trying to keep up with security and scams is so overwhelming, especially for those of us who are not particularly tech savvy. I know the basics, but overall, I do not understand everything you are talking about. Getting to the point where I don't want to be online at all. There are just way too many things to try and remember. I do the basics and I think I have pretty good common sense online, but this is just way too much and very confusing.
That's definitely understandable. These videos are mostly for informational purposes. Some decent security on a computer and caution about downloading or opening random sites goes a really long way.
Thank you for all of the preventative measures, but how do you make sure, after you have been attacked, that your system is clean? After my bank sign-on screen was hijacked, I deleted all cookies and even deleted the browser. I changed the banking password on another PC, then I ran Defender, McAfee and Bitlocker and nothing was found. My Google browser was synced across other computers with Google. Can the malware be transferred to those from the infected laptop? How can I be sure that there aren't any other traces of malware?
If antivirus says the PC is clean, you're probably okay. You could run something called a second opinion scanner if you want to be sure, which would be something like the Kaspersky Virus Removal Tool or the Emsisoft Emergency Kit.
As far as the browser, I would recommend checking the Chrome extensions and making sure nothing malicious was added, since there's a chance that could sync to another PC. Also, run second opinion scanners on the other PCs to check for anything.
I'm recommending to configure the browser to delete cookies on close for about 18 years now.
Clearing your browser cookie cache will make no difference if it is a man in the middle attack. Ideally as soon as you request a new session and cookie all old ones should be expired by the server. The reason this doesn't and can't happen is that you are permitted multiple simultaneous sessions from different browsers and devices. This is a major philosophical security oversight baked into industry technology stacks!: I'd prefer all but my latest active open browser window and device to expire! This is the real crux of the problem and I am not even a security specialist! (Just one hellava systems engineer haha!)
Well that's fine for your banking systems.... but I really don't wanna have to login again to virtually every other website every time I switch devices. Some of them really aren't that critical or I even use fake details or whatever, and it's a ridiculous pain in the arris usability wise to do what you're suggesting.
But it's more secure so I want it!: Active security tokens should not just be left lying around like loose bloody change as they currently are!
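As an added illustration (not code from the video or from any commenter), here is a minimal in-memory sketch of the server-side checks discussed in this thread: binding a session to the IP address it was created from, expiring idle sessions, revoking on logout, and optionally revoking a user's older sessions on each new login. The class and method names, the 600-second timeout and the documentation-range IP addresses are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str            # address the session was created from
    last_seen: float   # time of the last accepted request


class SessionStore:
    """In-memory session table (hypothetical; a real service uses a shared store)."""

    def __init__(self, idle_timeout=600, bind_ip=True,
                 single_session=False, clock=time.time):
        self.idle_timeout = idle_timeout      # seconds of inactivity allowed
        self.bind_ip = bind_ip                # reject the token from another IP
        self.single_session = single_session  # new login revokes older sessions
        self._clock = clock
        self._sessions = {}                   # token -> Session

    def login(self, user, ip):
        """Call only after password + 2FA succeeded; returns the cookie value."""
        if self.single_session:
            for tok in [t for t, s in self._sessions.items() if s.user == user]:
                del self._sessions[tok]
        token = secrets.token_urlsafe(32)     # unguessable 256-bit identifier
        self._sessions[token] = Session(user, ip, self._clock())
        return token

    def validate(self, token, ip):
        """Return (user, reason); user is None when the request is rejected."""
        sess = self._sessions.get(token)
        if sess is None:
            return None, "unknown-or-revoked"
        now = self._clock()
        if now - sess.last_seen > self.idle_timeout:
            del self._sessions[token]
            return None, "expired"
        if self.bind_ip and ip != sess.ip:
            # Revoke outright: whoever holds the token must authenticate again.
            del self._sessions[token]
            return None, "ip-mismatch"
        sess.last_seen = now
        return sess.user, "ok"

    def logout(self, token):
        """Server-side invalidation; a copied cookie is useless afterwards."""
        return self._sessions.pop(token, None) is not None


def demo():
    """Run constructed scenarios with a fake clock and return the outcomes."""
    now = [1_000.0]
    store = SessionStore(idle_timeout=600, clock=lambda: now[0])
    out = {}
    home, elsewhere = "192.0.2.10", "203.0.113.77"   # constructed addresses

    t = store.login("alice", home)
    out["owner"] = store.validate(t, home)[1]
    # A copied cookie replayed from the same machine or NAT shares the IP,
    # so IP binding alone does not stop it.
    out["replay_same_ip"] = store.validate(t, home)[1]
    out["replay_other_ip"] = store.validate(t, elsewhere)[1]
    # The mismatch revoked the session, so the owner must log in again too
    # (this also happens to a legitimate user whose IP changes).
    out["owner_after_revoke"] = store.validate(t, home)[1]

    t = store.login("alice", home)
    now[0] += 601                                    # idle past the timeout
    out["after_idle"] = store.validate(t, home)[1]

    t = store.login("alice", home)
    out["logout"] = store.logout(t)
    out["after_logout"] = store.validate(t, home)[1]

    strict = SessionStore(single_session=True, clock=lambda: now[0])
    old = strict.login("alice", home)
    new = strict.login("alice", "198.51.100.5")      # second device logs in
    out["old_device"] = strict.validate(old, home)[1]
    out["new_device"] = strict.validate(new, "198.51.100.5")[1]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```
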
GREAT F-ING Video, thanks man!!! Just like back when engineers were command-line and HAD to know what they were doing, everyone is a keyboard jockey now and frackin click happy on everything. Seems like things are getting better who the hell really knows what is going on "under the covers these days". Had a friend call last weekend, his machine was compromised, had a webpage open with an audio loop stating "This is Microsoft and you have been HACKED. Please call this number so we can assist". This is the THIRD time this has happened to him and LAST TIME he called, gave them direct access to his machine and even got $100 from him to "fix" the damn problem they created. I had to rebuild the damn thing and eventually took his Admin access away, clicking around on some questionable sites I'm sure. Crazy times, thanks for the tool, very helpful!
Thanks for the support, I'm glad you liked the video!
Man, sometimes being the tech support guy for friends and family can be a chore. That's crazy that it happened to him three times!
I've gotten those "this is microsoft you've been hacked" sites too many times. And it won't let you click off the site etc. I just open Task Manager, scroll down to Chrome and click end task. This seems so easy and it works, does it not? I always have Task Manager pinned to the task bar. Is this not a good way to deal with it?
@@mebobtheone That method works to close the browser, though I would recommend trying to solve the issue at the root. Do you use uBlock Origin or something similar?
Sadly you bored me to death before you got to the part on how to avoid it. I got to 7:30 minutes and clocked off.
12:12 Hidden file extensions has been something in windows since I want to say it was turned on an XP because we want to save people from themselves changing those pesky file names and now their word documents don't open there's no consequence like having screensaver files pretending to be something else.
So the bottom line is.. stay away from any Windows machine. ? Do all your banking and critical personal wealth and such on a Linux or Mac ?
Jokes on them cause im broke as fuck
Who deleted their cookies while watching this 😂💁♂️
I ate mine 🤤 NomNoMNOM!!!
Eh, no one who is smart since 2010 and auto deletes his cookies always
Most (if not all) hardware wallets are cold, therefore auth is performed on the hardware itself - no sessions on an internet connected device.
Always great info.... problem is most people have mobiles and tech but are unaware of any issues until they get hacked or scammed.... No one shows them how to use basic security....No one would drive a car if it did not have brakes. Problem every hardware and software do different things under different conditions.. too complex for the average citizen.
Very true. Right click your C drive (Windows OS), select user, select view, unselect hidden items, go to user application data, 7-zip that folder, copy it into another, most sites will load as if it was your first. I never need to type a password in again :P neither do the scammers know your password, don't save even in Google password management, it's all saved to that folder. Heck even Microsoft is running LINUX SERVERS, Microsoft is a haven for this malware, even they run Linux, funny as fook. I had not to need to login to sites that I was a member to for almost 20 years copying and pasting my cookies to new machines lol. How many people did I fix their computers and can access their every login. A PC guy fixing a broken PC. When you bring that PC in to a shop. Hard drive is taken out to be cloned so as to not touch the actual data. Even the recovery mode allows for more users to be added to cookies less no need to type.....
I have separate profiles in Firefox, I have a default and a bank one. The default is for everything that's not banking, and the banking one only is for banking. I have a phony proxy in the "banking" that only proxies to the banking hosts but drops everything else on the floor. This way that profile is only visiting the bank hosts. The final thing I do is have multi-account containers and compartment each bank into its own container. I make sure the banking profile only has bookmarks for the banks and all the default bookmarks have been removed, the idea being I want the "banking" profile to be obviously different in appearance.
I use Linux, and only Linux, and never store my banking User and PW on my desktop. Not too worried.
Correct me if I'm wrong, but don't you want to disable "Hide extensions for known file types" to show the extension? "Show hidden files" is also good, but won't show file extensions.
This is the correct setting he meant to talk about. It was just a few items down from the setting he showed.
That's just about the first thing I do with a new computer. Show extensions and show hidden files.
Good catch. I'm not sure why I didn't notice that when filming.
@@KenHarrisio its funny that you read out the wrong one, but still didnt realize it was the wrong thing for the context of what you were talking about. But as its something you missed, you should consider pinning the above comment so if anyone reads, they'll see the correct option to select.
Great vid: But your ordinary Joe Citizen is too occupied, trying to keep their s**t together in this horrendous world, to even start to understand your subject matter, let alone understand the terminology you're using. Please have a little bit of thought and sympathy for those people for whom what you are saying is a foreign language: Your intentions are obviously for the good.
Convenience = Higher chance of being hacked. Making it easier for it to happen.
Isn't that why you should always use the banks official app?
Malware can place an overlay over the app💀
2FA in another device can prevent your bank account being hacked/emptied. Fortunately, my banks always send a code (not via sms or email) to my phone where I will have to enter my own specified pin to verify the code.
Good stuff. Booting from a read-only device running VM-hypervisor spawning a Virtualized app environment for my banking and crypto needs. Airgapped pc makes this device.
I have a colleague that had a RUclips channel, and his channel was affected by the same thing that Linus Tech tips was. He contacted RUclips about it and they just blew him off. He has not got his channel back yet. He has taken to uploading his videos on another popular website because he doesn't trust RUclips anymore. It took a lot of time to get all the subscribers he had on RUclips, and they just blew him off!
I think most people this happens to are pretty much SOL. A hijacked verified channel with 300K subs is still allowed to spread malware, which is ridiculous. It wouldn't take much effort for YT to fix it but they haven't. I doubt they help much for people with less than 1M subs.
Cookies and having your browser remember passwords are very insecure things nearly everyone relies on. Both are saved in user files, so any other user mode program can get at them if they know where to find them without need for admin privileges. That's how a browser can import such things from other installed browsers.
Basically, if you can access anything without having to authenticate, any other software on your PC can access it.
Ty! You're terrific & informative & you have the perfect soothing tone & volume of your voice & that's why I just subscribed, Liked, Shared on FB with my 2000+ friends/family & now making a comment. I wanted to help the best & the only way I could being a low income senior in appreciation for this information that you give everyone for free. Ty! Ty!
Thank you very much for the support and the kind comment!
NEVER save important passwords that could cost money, period. Log in manually!
Thank you! Seems like some commentators didn’t listen to what you said.
That is why My Daily Operating System is Linux Mint, it cannot get Malware
Say no to cookies, use a password protection manager with 2 factor authentication, remember your passwords, make sure they are all different, change 'em every couple months to a year (depending), make sure they are considered strong and not weak. Use a VPN service, not a free one, run virus scans every other week. All this seems like overkill, but this will help from any attacks. I personally only use one device if I'm logging into banks, etc. And the device runs VPN 24/7 with other high security.
Or live in a country that has high security xD No one can login to my bank even if I have once logged in, 'cause 1. The bank logs you out 2. Even if it didn't they wouldn't be able 'cause it would ask for my digital ID once there is a little change to the location or IP, just not possible.
I locked down all my email accounts with 2 FIPS 140-3 hardware keys. My banks seem to refuse allowing them, pisses me off.
What if you click on an attachment and give information, there is nothing to protect people from themselves lol
Switch to Linux💪 and use common sense to not fall for social engineering scam emails. 🤪
Bank with a Live Linux on USB with a LAN connection. Also tell your bank you want account transfers disabled for online banking.
Almost as shocking as getting lettuce on your donair. Horrible.
Why wouldn't anti-virus software catch this? That's *SPECIFICALLY* what anti-virus software is designed to do!
Sometimes it can catch it, but there are times it'll make it through. For example, a brand new strain of malware won't have a signature, which many AVs use to detect malware. Without a signature, they have to rely on heuristics, which may or may not work.
So setting the browser to delete cookies on exit is a good idea. Inconvenient, but whatever.
How does it beat 2FA when it's a passcode sent via a message to your phone?
Could you give any recommendations on what to do after the malware is installed and someone stole/hijacked your account? This happened to me a few days ago and I'm trying to understand what to do next. I did a full reinstall of Windows after I noticed someone stole my crypto, and also managed to change most of my passwords so far (using a different device and after reinstalling Windows). Any more advice on what to do?
Many of the motherboard manufacturers should have patches released for this issue. I suggest checking for a BIOS update for your board. That's going to be the best way to fix this. Also, some boards have this feature and some don't, but you could also check to see if there's a way to disable the boot logo. The researchers thought that would be a fix for it. I also recommend using something called a second opinion scanner on all your Windows devices. Emsisoft Emergency Kit is a solid option. I don't know if AV is able to catch this stuff yet, but it would be a good idea to run a scan anyway.
How in God's name would a malware know it's inside a VM? This is next level...
Security needs to be made easier on the end-user. I should not have to clear my cookies every day, use impossible to remember passwords which I have to change every day, and restrict my own PC access so heavily I see security popups just to run Steam games. I just want to use my computer to watch YouTube and play games. I don't have patience to deal with all that other noise. I count myself lucky I haven't had to deal with a situation yet. I know better than to click anything sussy. That's good enough for me, it seems.
I agree 100%. A lot of these issues come up because the process is made too complicated for anyone who isn't a power user. We're probably another few years away before more substantial changes are made to improve things.
@Ken Harris - Thank you for this cold dose of reality! I've become really lazy the past few years 👍👍👍
Don't banks limit the sessions to like 10 minutes and then they log you out if you are inactive? Unless you keep having third party payment channels open, like paypal. But even that one kept logging me out repeatedly.
*WRONG! By US Federal Law the Banks must pay you back*
For Crypto, ur screwed.
Up to 250k per account, right?
I've been seeing this for years. It's basically what made me invest in security keys. Quantum will be so much worse
Quantum is going to be a nightmare for security. If people think things are bad now, they are in for a very bad surprise.
I think it is a good idea to have a dedicated device only for your bank and sites where you have money and turn off internet when not using and avoiding using any online stuff in these devices, especially email, social media and messaging.
Is CloudFlare's security DNS as good as Quad9's ones (or ControlD or NextDNS)?
CloudFlare has a really low score compared to the others. Here's a good test that I've referenced in the past: techblog.nexxwave.eu/public-dns-malware-filters-tested-in-2024/
NextDNS owns dns0, so the scores would probably be similar for NextDNS.
can something like a Yubikey or another form of 2FA be used to stop a cookie being useful on the hackers system?
Not necessarily. If the session can still be used, the hacker could take over the account. Login timeout after a short period of time can help protect against this issue.
TheShookKitty still haven't taken down? shhhiiiet, I reported about 4 weeks ago.
I don't save user names or passwords in a browser, but I do have LastPass complete each login. Is that secure? It has a strong password.
LP is a pretty decent password manager. They've had a few hacks happen in the past. I'm not sure how they are these days. Either way, it's a way better option to use them than to not have one.
Thanks! This was very informative! I will definitely check out How to not get hacked by a pdf file
Sorry to comment on it here since it's not about this video but a previous one, out of curiosity is Picocrypt's paranoid mode post-quantum encryption? I've been using CFB AES from pycrypt but I'm wondering if paranoid mode would be better in terms of security from quantum computers. Ty.
No problem, feel free to ask away. The paranoid mode wraps Serpent and ChaCha20 encryption. ChaCha is quantum resistant, but I've not found anything saying Serpent is the same. Given that they get combined, I'm sure you'd be good to go to use it.
@KenHarrisio thanks
Thanks, I just made my pc much more secure thanks to you.
From what I understood (about 20%) I thought it was great. Could you do another video for a layperson please? Thank you
I'll add it to the list. Thanks for watching!
Why can’t the services require a new log in or new code every time a new IP Address is detected? That would end the cookie session hijack issue.
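As an added example (not from the video or from any commenter), here is a minimal server-side session check that combines the two ideas raised in the comments above: a short login timeout and re-authentication when the client IP changes. The class name, the timeout values and the documentation-range IP addresses are all assumptions.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 10 * 60      # assumed policy: 10 minutes of inactivity
ABSOLUTE_TIMEOUT = 60 * 60  # assumed policy: 1 hour total lifetime


class SessionStore:
    """In-memory server-side session table (hypothetical; a real service uses a database)."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not expose usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # value sent to the browser as the cookie
        self._sessions[self._key(token)] = {
            "user": user, "ip": ip, "created": now, "last_seen": now,
        }
        return token

    def logout(self, token):
        # Logging out deletes the server-side record, so a copied cookie is useless.
        self._sessions.pop(self._key(token), None)

    def check(self, token, ip, now=None):
        """Return 'ok', 'reauth' (valid cookie but new IP) or 'denied'."""
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return "denied"
        idle = now - session["last_seen"]
        age = now - session["created"]
        if idle > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
            del self._sessions[key]
            return "denied"
        if session["ip"] != ip:
            # Do not refresh last_seen: the caller must pass 2FA again first.
            return "reauth"
        session["last_seen"] = now
        return "ok"
```

IP binding also prompts legitimate users whose address changes (mobile networks, VPNs), which is why services usually pair it with timeouts instead of relying on it alone.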
I literally just had this happen to me the day before this video uploaded. I'm still dealing with securing accounts.
Chrome tells me "240 compromised passwords" ...thanks, that's what I deserve for storing them in Chrome 🤬🤦
Damn, that's some bad luck. I hope you can get everything cleaned up.
Very thorough video, thanks.
Don't see anything in Windows Defender like what you're showing on the screen. 22:49
That was from an app on GitHub called Configure Defender by AndyFul. It's just a GUI that allows hardening Defender that would otherwise require a person to use Group Policy and RegEdit.
We need legislation immediately introduced to Congress to protect people.
How do we know that the government isn't actually behind the malware? We keep finding many things designed to protect us and keep us hidden are actually created by the government... (TOR is a good example) I think people either forget or just don't realize that the internet is a creation of the military, which is a government kind of thing...
What's better, Google or Fortnite? Pls answer bro
Can this type of malware hijack web browser extensions?
This particular type will only steal session tokens. A lot of extensions can be malicious though, so I recommend researching any of them that you want to use.