My Channel Was Deleted Last Night

This is me racing out of bed for our front row seat to my life's work vanishing before my eyes. Linus Tech Tips: deleted. TechLinked: toasted. Techquickie: gone. The good news is that if you're watching this, we're back online. Bad news is that this kind of attack has become so commonplace on YouTube that when we sat down to prepare this video, it took us less than 10 seconds to find a huge channel that was dealing with exactly the same thing in that moment. Let's talk, then, about the motive for these attacks, the process changes that we and YouTube need to make, and how we can all work together as a community to educate and protect each other from bad actors. Oh, and to tell you about our sponsor, dbrand. Oh God, not dbrand today, really? Oh, actually, no, they've got something good. Stay tuned.

It started a little after three in the morning, when the Linus Tech Tips account was renamed to Tesla and started streaming a podcast-style recording of self-proclaimed Technoking Elon Musk discussing cryptocurrency. This in and of itself is not a scam, but the streams linked to a scam website that claimed that for every one Bitcoin you sent, they would return double, complete with fake transaction records showing other users definitely getting huge payouts. Over the next couple of hours, then, we sparred back and forth. First I privated the streams, revoked the channel stream key, and attempted to reset the account credentials, only to realize as I was investigating the source of the breach that I had been completely outmaneuvered. They were back in and the streams were live again. Have, okay, so I logged back in, nuke the stream again, and I go to, and they're up again, and now videos are being mass deleted from the channel. Over the next couple of hours playing login whack-a-mole, the Linus Tech Tips, TechLinked and Techquickie accounts were each used to host these Elon Musk crypto streams until they were ultimately nuked by YouTube altogether for violating YouTube's terms of service. And I could almost feel your
thoughts through the screen right now: "Linus, truly, after all these lectures about two-factor authentication, don't you even protect your own accounts?" 'Course I do. But while strong passwords and multi-factor authentication are very powerful security measures that you should use, they're not impenetrable.

First up, let's talk 2FA. Not all factors, or additional authentication elements, are equally secure. The most common second factor, SMS, can be compromised by simple social engineering targeted at your phone carrier. Check out this video that we posted the last time our account was hijacked for more information about that. Another common factor, notification-based multi-factor, is susceptible to fatigue attacks, where a perpetrator will constantly try to log in, hoping that you'll assume "oh, it's probably someone from work" or even just click on the notification by accident. Very problematic, and I'm looking at you, Google, since you can't disable this factor on Google accounts. Even time-based two-factor like Google Authenticator or Authy can be compromised, say, if you were to accidentally set it up or access it from an infected device.

In spite of all of these issues with two-factor, though, it held the line last night. Our attacker not only never gained access to our additional authentication factors, they never even had our passwords. But how can that be? Well, as it turns out, they didn't need any of that, which is a big part of why it took me so long to clue in and stop the spread. I was so focused on the potential damage that could be done by someone who had commandeered my SMS messages or gained access to my Google Authenticator somehow that I expended valuable time battening down the wrong hatches. If I had watched ThioJoe's recent video on the subject, or at least skimmed the comments, I could have probably stopped the bleeding in a matter of minutes. Shout out ThioJoe. But I didn't, so I got to be educated the hard way about a breed of attacks that bypass trivial things like passwords and 2FA
entirely by targeting what's known as a session token. Now, many of you will know this already, and if you do, give yourself a cookie. But after you log into a website and your credentials have been validated, that site will provide your web browser with a session token. This allows your browser, and by extension you, to stay logged in when you restart your browser and go to access that site again. This isn't a bad thing, it's a good thing, because realistically nobody wants to type in a password every time they want to post instant regret on the internet.

But hold on a second, that cookie is stored locally on your device. How would someone else get it? Well, that's where we made a mistake. Someone on our team, and I'm not saying it was Colton, downloaded what appeared to be a sponsorship offer from a potential partner. It was an innocent enough mistake for the most part. The email came from a legitimate-looking source, and it didn't raise any immediate red flags like being full of grammatical errors. So they extracted the contents, launched what appeared to be a PDF containing the terms of the deal, then presumably, when it didn't work, went about the rest of their day. What happened in the background took place over the course of just 30 seconds. The malware accessed all user data from both of their installed browsers, Chrome and Edge, including everything from locally saved passwords to cookies to browser preferences, giving them effectively an exact copy of those browsers on the target machine that they could export, including, that's right, session tokens for every logged-in website.

Now, no one should unzip an email attachment, file extensions should always be double-checked when you are executing anything, and any file that doesn't do what you expect should raise immediate red flags. But then, on the flip side, I can hardly blame a sales rep or a video editor or someone in accounting for not being up on the latest in cyber crime. And I also believe that in a healthy organization, it actually rolls up
the hill rather than down. So there's not going to be any disciplinary actions, because the simple truth is that if we had more rigorous training for our newcomers and better processes for following up notifications from our site-wide anti-malware, this could have been easily avoided.

As for why it took so long for us to lock down the account once we knew what was going on, that's another training issue, but this time it was my training. We use a system for our YouTube channels called content manager, which theoretically improves security by allowing us to dole out specific channel access roles to our various team members rather than just sharing the main account credentials with everyone who needs to access it. This made the process of determining the attack vector way more complicated. You can think of it kind of like replacing your one giant vault door with 20 smaller doors, any one of which realistically still gets you into the vault. Now, in a perfect world these smaller doors should have been restricted with less access than we configured, but hindsight is 20/20.

Or at least I hope it is. The bottom line is that our disaster response processes need to improve, because I realized at three whatever in the morning, shout out Steve from Gamers Nexus for the wake-up call, by the way, but I actually didn't know how to reset the passwords and the access control across all of these channels in channel manager, and that is not the sort of thing that you want to be troubleshooting butt naked in the wee hours of the morning in the middle of a crisis. In fairness to me, the way that Google handles the intermingling of all their services is not the most intuitive, and both Yvonne and I experienced numerous glitches and timeouts that prevented us from effectively using these tools even once we did figure out how to use them. Which leads us nicely, then, into the next part of our discussion. I've owned what I did wrong, and now it's time to talk about Google.

To their credit, I heard back that someone was aware and working on it at the highest levels within about half an hour of reaching out to my YouTube rep, and they have seemingly improved their internal tools for managing this sort of thing a lot since the last time around. They've got forms you can fill out, and the partner reps that we've worked with seem to genuinely care. Shout out MC, I'm so sorry this spoiled your spa day. However, this entire process has been pretty opaque. Other than "we're aware and working on it", the internal team doesn't seem to even be allowed to communicate with creators directly. I mean, I get it. Security aside, idiot users probably won't have anything to contribute to their investigation. They figured out that the attack came from one of our non-video production teams pretty quickly, and then actually banned that Google Workspace account almost immediately. I mean, realistically, idiot users could just slow them down. But even a quick "hey, I know you're stressed, uh, here's what's going on and here's how we can keep this from spreading" would almost certainly have calmed my nerves and saved
all of us some work by keeping TechLinked and Techquickie in our hands. And another big problem is that this approach, you know, one-on-one, only benefits larger channels like ours. I've seen quite a few people rightly express some resentment that we were able to get this resolved so quickly when their favorite niche creator X or Y struggled with it for an extended period of time, or even never got it fully resolved.

So it's clear that there are some changes that need to be made, and here are a few of them, in no particular order. We need greater security options for key channel attributes. I mean, how can you change the name of a channel without having to re-enter your password and your two-factor? What about resetting a stream key? Same deal, in my opinion. And this is just one of the ways that the impact of a session hijacking can be limited. Rate limiting is also widely used in API access to services like YouTube. For example, Google will only process a certain number of comment moderation actions per day through their API. Well, I could see implementing something similar even if you are directly accessing the service, but then rather than limit it outright, it could prompt for authentication. To be clear, I'm not saying every time you delete a video it should ask for your password, but say if you were trying to delete 10 or 100 or a thousand videos at a time, a little "are you sure about that? Are you actually you?" would probably be in order.

The funny thing is that none of that stuff would even be necessary with proper security policies on session tokens. Bare minimum would be time-based expiry. You know how when you boot up an old smartphone, all your accounts are usually logged out? Session expiry. But many sites also factor in other attributes, like location, so if you were to suddenly try to access a site or service from Antarctica, you should be prompted to log in again. These measures are very common on high-risk websites like online banking. I'm not saying banks are model citizens when it
comes to login security, but they do usually invalidate sessions in a matter of minutes. But can you remember the last time Instagram or Snapchat asked you to log in again? Social media platforms, YouTube, excuse me, tend to be a lot less aggressive, since they want to make using their platforms as frictionless as possible. Now, in fairness, Google does usually require re-authentication when you're changing a password or other security options, or, I don't know, when a session token gets reused by a new IP address on the other side of the freaking planet. But we've heard from multiple people that this isn't always the case. So the big question is that, with Google owning the whole chain here, like, start to finish, really, including the bloody web browser, how is this crap not only still possible but so prevalent? It's time for them to not just ask these questions internally but come up with real answers for them.

I think the only group whose response here was perfect was our community. And no, this is not like standing on stage. You guys were amazing. Um, prominent members of our forum whom I've interacted with over the years reached out to my team directly, upstanding citizens were paying real money out of their own pockets to send Super Chats warning stream viewers that the channel was hijacked, and over 5,000 of you in the last 12 hours alone subscribed to floatplane.com to show your support and to ensure that you wouldn't miss any of our uploads. I have had a pretty rough day, a pretty long day, but you know what, it's also been amazing to see how fast we can bounce back thanks to your unwavering support, the incredible team we have here, like everyone. We got Artie over there. Is Colton still there? No. All right, well, whatever. Andrew's there, James is working on guidance for this, Luke was up half the night with me and Yvonne trying to help us figure things out, driving to the office. Um, really appreciate you all. Uh, oh, our partners at YouTube, um, and of course dbrand. Something something dbrand with me a
lot. Yes, uh, it's true. But the thing about dbrand is, as much as they love to poke fun, having partners like them makes losing a full day of YouTube revenue a lot less of a concern. Not a lot of companies are going to step up and sponsor a video talking about how our account got hacked. That's the, I mean, that's the kind of subject nobody wants to get close to at all. But dbrand jumped at the chance to help us out, and not just help us out by sponsoring the video today, making it so we don't got to worry about how to pay all these guys their overtime, but help us out by setting you guys up with an unprecedented deal. For the first time ever, dbrand is offering a site-wide deal for LTT viewers. Just go to, really guys, shortliness.com and you will save 15 on any order using code five foot one. That's one word, all one word, f-i-v-e-f-o-o-t-o-w-n-e. We really couldn't do it without all of you. Thanks to you, my team, and yes, even dbrand. I'll have them linked down below.
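
The session-token safeguards proposed in the video (time-based expiry, a fresh login when the location changes, re-entering password and two-factor before a channel rename or stream key reset, and a prompt once deletions pile up) can be sketched as one server-side check. This is an added example, not code from the video, YouTube or Google; the action names, thresholds and the country field are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values, chosen for illustration only.
MAX_SESSION_AGE = 12 * 3600   # time-based expiry, in seconds
STEP_UP_FRESHNESS = 10 * 60   # how recent a password + 2FA check must be
BULK_WINDOW = 3600            # sliding window for counting deletions
BULK_DELETE_LIMIT = 10        # deletions per window before a prompt
# Hypothetical action names for the key channel attributes mentioned above.
SENSITIVE = {"rename_channel", "reset_stream_key", "change_password"}

@dataclass
class Session:
    issued_at: float          # when the token was issued
    country: str              # coarse location recorded at login
    last_auth_at: float       # last full password + 2FA verification
    deletes: list = field(default_factory=list)

def decide(session, action, now, country):
    """Return 'allow', 'reauth' (step-up prompt) or 'login' (token void)."""
    if now - session.issued_at > MAX_SESSION_AGE:
        return "login"        # token is too old
    if country != session.country:
        return "login"        # token presented from a new location
    fresh = now - session.last_auth_at <= STEP_UP_FRESHNESS
    if action in SENSITIVE and not fresh:
        return "reauth"       # a cookie alone cannot rename or re-key
    if action == "delete_video":
        recent = [t for t in session.deletes if now - t < BULK_WINDOW]
        if len(recent) >= BULK_DELETE_LIMIT and not fresh:
            session.deletes = recent
            return "reauth"   # bulk deletion: prompt instead of hard limit
        session.deletes = recent + [now]
    return "allow"

def reauthenticate(session, now):
    """Record that the user just passed password + 2FA again."""
    session.last_auth_at = now
```

A copied cookie carries no recent password and 2FA check, so under this policy it can browse but gets a prompt on the first rename, stream key reset or eleventh deletion in an hour, and is rejected outright from a new location.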

As found on YouTube
