The Malware that hacked Linus Tech Tips

  • Published 19 Dec 2024

Comments • 3K

  • @thepwrtank18 1 year ago +7455

    File name extensions need to be enabled BY DEFAULT. Hiding the file extensions might look cleaner, but it heavily increases the chance of getting tricked into running an executable.

    • @bgill7475 1 year ago +550

      Yeah, it’s strange Windows hides them by default. Makes no sense.

    • @fusseldieb 1 year ago +351

      The problem is that tech-illiterate people rename a file and then accidentally remove the extension. It doesn't highlight the extension by default, but I've seen it happen a couple of times with other people.

    • @bgill7475 1 year ago +499

      @@fusseldieb Windows will warn you though if you try to do this.

    • @torsten_dev 1 year ago +215

      It's times like this you really appreciate the execute permission bit on Linux.

    • @ContraVsGigi 1 year ago

      There is a solution even for that, the right-to-left writing system. A file named for instance filename.exe.pdf can actually be a .exe if the character announcing the r-to-l is before "exe". I'll try finding the clip with this. I daily drive Linux and don't care a lot about these; but on Windows I could have seen myself being fooled by this (not the .scr, as I made a few programs and even screensavers when I was in high school, many years ago).
      LE: found it on ThioJoe's channel - th-cam.com/video/nIcRK4V_Zvc/w-d-xo.html

  • @shorts9900 1 year ago +7161

    Imagine people who send malicious emails to someone named "The pc security channel"

    • @chirukun 1 year ago +826

      this is more like a declaration of war

    • @chosenuwu 1 year ago +334

      they're getting cocky :D

    • @Tathanic 1 year ago +147

      Automated

    • @wlockuz4467 1 year ago +502

      I mean they did it to a channel called "Linus *Tech Tips* " and it clearly worked so why not!

    • @cedricsonaquevido1565 1 year ago +51

      roll of the dice except it's 100-sided

  • @davidfrischknecht8261 1 year ago +958

    The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.

    • @ticenits1926 1 year ago +94

      That and the fact that the domain was Eastern European. The author of this video wants to act like that's totally common and no big deal, but it's not. If G Fuel is reaching out to you from the Czech Republic you should damn well know better.

    • @khoroshoorange 1 year ago +10

      Or maybe don't use File Explorer in the first place... Use something that is more intelligently designed, like Total Commander.

    • @davidfrischknecht8261 1 year ago +72

      @@khoroshoorange Whatever floats your boat.

    • @superbasyboy 1 year ago +12

      That's the case in this example, if the PDF was 'alone' in a folder you wouldn't look twice at a .pdf

    • @Theunicorn2012 1 year ago +11

      The first red flag to me about that so-called PDF is that the extension is visible while the extension for the video file is not. A helpful tip is to configure File Explorer to always show file extensions.

  • @Magnum.Bloodstone 1 year ago +4531

    I've always thought it was a terrible idea for Microsoft to hide file extensions by default. Just asking for trouble.

    • @lolcat69 1 year ago +159

      Facts, that is why I always activate the config to enable that

    • @MrHendrikje 1 year ago +100

      It's a pain to keep having to turn it on on every single new machine I use. I mainly use it to be able to quickly make backups of files, so I can just add .bak or .orig to the name. This only works if file name extensions are enabled.

    • @CD-vb9fi 1 year ago +75

      That's not even the bad part of all this. MS is now active in keeping you out of some sections of the OS. You don't even know if MS is collecting these tokens or not or for what reason either. I assure you... they can and do if the right people in authority request it. Nothing on a machine is secure.

    • @DickCheneyXX 1 year ago +9

      That's how you can spot computer literacy at a glance.

    • @Sierra-Whisky 1 year ago +23

      A file name is just what it is. It doesn't tell anything about its content, just as your name doesn't say anything about your personality. Changing a .xls to .jpg doesn't make it an image, just as changing my name to yours doesn't change my personality to become yours.

  • @Tigrou7777 1 year ago +2480

    Antivirus software (especially Windows Defender) should automatically flag files named .pdf.scr or .pdf.exe (and similar), because nobody is going to name their documents that way unless they have malicious intentions.

    • @defnotatroll 1 year ago +304

      It's baffling to me that AVs don't automatically flag these files or warn the user when the scams have been happening since august last year at least

    • @robertgarrison1738 1 year ago +77

      EDR solutions like Crowdstrike DO this. This is a matter of the Linus team cheaping out on InfoSec tools.

    • @robertgarrison1738 1 year ago +26

      @@kaineuler EDR like CS, CB, or S1 does not care about file size. They monitor every single process/thread/command/execution that's running in real time, so if it catches something it finds sus (which this absolutely would), it will catch it, regardless of file size.

    • @kaineuler 1 year ago +63

      @@robertgarrison1738 I'm talking about windows defender or other basic antivirus.

    • @robertgarrison1738 1 year ago +29

      @@kaineuler Ah, yeah, no, those can't be trusted in 2023 when it comes to proactive monitoring. Those AVs are solely reactive, and by then the damage has already been done. I see this daily at this point in my line of work.

  • @redboxthief 1 year ago +140

    I'm going through my Security+ training and this was an awesome breakdown of a real-world scenario! I am definitely a subscriber now.

    • @prodKossi 1 year ago +2

      Same here, you should check out Professor Messer if you haven't already, he's got a free video series on how to pass 💜

  • @sliceoflife5812 1 year ago +972

    Kudos for defending the employee. People were so quick to call for him to get fired without having an iota of an idea of how oblivious most of them would be to a targeted phishing campaign against them, especially in your employment capacity (ironically, we become less suspicious and more compliant even in security sectors) vs your personal email. Cheers

    • @SEMIA123 1 year ago +146

      If you're talking about the fire Colton thing, it's an ancient channel meme; Colton has been "fired" hundreds of times. Colton gets blamed for everything and this time it might actually have been him, so the meme came back hard. He won't go anywhere though, dude's been there since day 2.

    • @jacquesfaba55 1 year ago +27

      I agree, it’s Linus’ fault here for making his employees use Windows

    • @MrHendrikje 1 year ago +6

      A company I worked for was hacked due to a security flaw that was introduced in a Microsoft Exchange Server update. When it was brought to light he quickly rolled back, but by then it was already too late and they got hacked, around the time people were looking for chocolate eggs a certain bunny had been littering.

    • @anxiousearth680 1 year ago +40

      @@SEMIA123 Yeah lol. When I found out, that was my first thought. "Oh well, Colton's getting fired for the 22nd time I guess."
      Especially ironic considering the origin of that meme includes iirc him almost getting the channel banned or something and then getting 'fired'.

    • @Wr41thgu4rd 1 year ago +12

      @@jacquesfaba55 He should probably limit access to anything even remotely important to only those who terminally live inside a computer. Having Windows is not an excuse to fall for a phishing attack. The only excuse is incompetence. Not opening an executable from email is computer literacy 101.

  • @DerLung 1 year ago +210

    I think the "show file extensions" option should be enabled by default in Windows Explorer, because otherwise, if you don't look at the properties of the file, you would not even notice if a file had a different file extension from what you would expect. Many people have this option disabled because they just never changed it, so they could easily fall for such a trap if they don't know that much about computers.

    • @takatamiyagawa5688 1 year ago +37

      I don't know how people function with file extensions off. Sure, there's no guarantee that the contents of the file match the extension, but it seems to be at least an indication of what windows will attempt to do with the file if you open it.

    • @rusl1rusl 1 year ago +5

      Nowadays hackers use special characters to reverse the filename to make it look like a legit file even with "show file extensions" on.

    • @powerpc6037 1 year ago +15

      Even if file extensions are disabled, you should be able to see there is something wrong. All other files don't have the extension visible and this one did show the .pdf extension, so there should be another extension behind it, making the .pdf visible.

    • @greatveemon2 1 year ago +5

      Does no one look at the details of a file before clicking nowadays, I guess? I have all my downloads in detail view, showing the file type. I've been freaking using this account for as long as YouTube has existed and I've never been hacked.

    • @youraveragebfdifan 1 year ago +1

      @@greatveemon2 since 2006?

  • @LithiumSolar 1 year ago +27

    Great discussion. One big thing that was indirectly touched on here - first thing I do on any new system I install is enable viewing of extensions. This will make it immediately obvious that the file says agreement.pdf.scr. In my opinion, the default behavior that Windows hides extensions, making agreement.pdf.scr look like agreement.pdf, is just helping the propagation of malware. Every version of Windows seems to make things "easier and easier" by taking away as many details as possible rather than simply educating users on what a file extension is.

  • @Yemto 1 year ago +457

    I always have "File name extensions" enabled, so I don't need to go into properties to see the hidden extension. But with that said, personally, seeing .scr wouldn't be as alarming as .exe.

    • @fusseldieb 1 year ago +16

      That's probably why they did it.

    • @GYTCommnts 1 year ago +73

      You need to watch a ThioJoe video explaining why showing file name extensions alone is not bulletproof.
      To summarize, there is a technique that exploits reverse-reading languages to show a different extension at the end.
      Windows should stop dumbing some things down; file extensions should be shown by default, and must be the last thing on a filename NO MATTER WHAT.
      But for now, it's not the case and it's ridiculous.

    • @tehjamerz 1 year ago +1

      n00b

    • @tryanotosehatsantoso8302 1 year ago +8

      @@MANTISxB But the thing is, sometimes they send a video file too... so if you are not careful about the size, you will presume the big ZIP file came with the video.

    • @b4ttlemast0r 1 year ago +5

      Yeah, I hate the fact that showing file name extensions is not the default on Windows. Makes it a lot easier to disguise executables as harmless files.

  • @khaledxo1234 1 year ago +42

    I was patiently waiting for your take on what happened, well delivered!

  • @DavidRomigJr 1 year ago +146

    LTT does use permissions, but they have a lot of users with a variety of permissions. One of the first things Linus did was change 2FA and passwords for the main accounts and then log out all logged-in devices, but logging out the attackers didn't log them out. Then he hopped onto the content manager to start revoking rights, but he didn't set it up and didn't want to wake up the one who did, so he had to learn as he went. But YouTube's content manager started throwing errors and timing out trying to revoke rights for some reason. So he tried logging into some of the users, but due to a recent password mitigation he didn't have access to some of them yet. Later they found out Google knew which account was compromised but didn't immediately tell them.
    Got this from the video they made the day of the attack. They sounded good considering they hadn't slept in 24 to 48 hours at that point.

  • @JzJad 1 year ago +429

    An encrypted zip file is a huge red flag alone. Normal zips are okay as most antispam services can check, usually up to a depth of like 128 folders deep.

    • @NelielSugiura 1 year ago +9

      I certainly use it to send stuff to myself to bypass such scanners. But that is from me to me, so I know what is going on... but it is a fairly obvious bypass all around because no AV tool out there can decrypt it (yet) to scan.

    • @nwerd7584 1 year ago +5

      That's probably the biggest thing here and 99% of tech channels ignore it; I'm not sure they even know why scammers use the password/encryption function in the first place. There's no need to ever require this unless you encounter it the way I do, from piracy and trying to download unsigned cracks etc. But scammers also use them when a game first comes out to try and trick the normies, but those are the types that don't want you to have a password because there's nothing in it; they want you to do surveys for a nonexistent password.

    • @powerpc6037 1 year ago +5

      I agree this is also a giveaway. Any normal company doesn't zip a pdf file so there should be no need to extract it. And even so, a huge zip file to only hold a single pdf file is suspicious. On top of that, even when file extensions are hidden (as the other files didn't show any extension) and this one did show the .pdf extension, you should be aware this won't be the true extension otherwise it was hidden as well so you can be sure there is another extension behind it making the .pdf visible.
      Also, in an email, look for obvious spelling errors like the first one that was shown: "We are sells energy drinks", this is a dead giveaway this was translated instead of typed and should be treated as suspicious.
      So Linus (or his staff) made 4 mistakes that led to this tragedy:
      1. Ignoring obvious spelling mistakes (if he received such a misspelled email)
      2. extracting a huge zip file to get a simple pdf to state an agreement
      3. ignoring the huge filesize for a simple pdf
      4. running it with a visible file extension when extensions are hidden

    • @asdfasdf-mn8iu 1 year ago +2

      @@powerpc6037 That the extension is shown despite extensions being hidden was confusing to me as well. Although, if you spend about 30 sec on this file, you might easily miss that.

    • @towesc 1 year ago +2

      Absolutely, a red flag with a fog horn.
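
The password-protected-archive red flag this thread describes, and the "big zip that holds one tiny document" point above it, as an added example written for this page (not code from the video or any commenter). It is a gateway-style look at a zip attachment before anyone extracts it: it reads the per-entry encryption bit (the part a scanner cannot see past), the final and double extensions, and the uncompressed-to-compressed ratio that gives away a file padded with zeros. Python's zipfile cannot write encrypted entries, so the constructed sample patches the flag bit into an ordinary archive to simulate what the scanner would see; the block policy in `verdict` is an assumption, not any vendor's.

```python
"""Zip attachment triage (added example; stdlib only; sample archive constructed inline)."""
import io
import zipfile

# Extensions Windows hands to an executable handler; .scr is a PE executable like .exe.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
             "wsf", "wsh", "hta", "msi", "lnk", "ps1"}


def inspect_zip(data: bytes) -> list:
    """One finding per entry: encryption, executable/double extension, inflation ratio."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            # Bit 0 of the general-purpose flag marks an encrypted entry: the scanner
            # cannot open it, which is exactly why the lure ships that way.
            encrypted = bool(info.flag_bits & 0x0001)
            ratio = (info.file_size / info.compress_size) if info.compress_size else float("inf")
            findings.append({
                "name": info.filename,
                "encrypted": encrypted,
                "exec_ext": ext in EXEC_EXTS,
                "double_ext": len(parts) > 2,        # e.g. agreement.pdf.scr
                "file_size": info.file_size,
                "compress_size": info.compress_size,
                "inflation": ratio,                  # hundreds-to-one for zero padding
            })
    return findings


def verdict(findings: list) -> str:
    """Assumed policy: block what cannot be scanned or would run as code, flag absurd
    inflation, otherwise pass the archive to the normal AV scan."""
    if any(f["encrypted"] or f["exec_ext"] for f in findings):
        return "block"
    if any(f["inflation"] > 100 for f in findings):
        return "flag"
    return "scan"


def build_sample_archive(name: str = "agreement.pdf.scr", payload: bytes = None,
                         encrypted_flag: bool = True) -> bytes:
    """Constructed sample: by default a 'PDF' that is an MZ header plus a megabyte of
    zero bytes, as in the padded lure, optionally marked as an encrypted entry."""
    if payload is None:
        payload = b"MZ" + b"\x00" * (1 << 20)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        # Flag field: offset 6 in the local header (PK\x03\x04), offset 8 in the
        # central-directory header (PK\x01\x02). Patching both simulates encryption.
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample_archive()
    for finding in inspect_zip(sample):
        print(finding)
    print("verdict:", verdict(inspect_zip(sample)))
```

Run it and the single entry reports encrypted, an executable final extension, a double extension, and an inflation ratio in the hundreds, any one of which is enough to stop the file at the gateway without ever needing the password.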

  • @SYLperc 1 year ago +462

    The person whose job it is to respond to these could also use a machine that doesn't have channel credentials, used specifically for answering sponsorship emails, as an additional layer of protection from something like this happening.

    • @o-hogameplay185 1 year ago +79

      Exactly. I don't do anything like working with sponsors, but last year at university we had a homework assignment in Java programming (basically a game) and, our teachers being lazy, we had to grade each other's code (everyone gets 5 random people's code). And I specifically set up a VM in case anyone would put malware into it (you would think "oh, they are not stupid enough to put malware in it, just think about the backlash", but no. Seeing how many programming students fall for free Discord Nitro scams, I will not take a risk).

    • @MAST 1 year ago +10

      Maybe that person manages YouTube videos, thumbnails, tags, descriptions etc. for multiple videos at once. Those kinds of apps are most needed.
      If it was just about editing videos, then they would have done it on an offline machine.

    • @kkgt6591 1 year ago +2

      Maybe it was Linus himself.

    • @kmcat 1 year ago

      @@Preetzole A Remote Desktop for YT account actions.

    • @MAST 1 year ago +10

      @@kkgt6591 I don't think Linus does those kinds of things; I think he is only directing and managing now, and he probably employs PR, marketing, social scientists or something, who probably know better what works.

  • @yungkneez 1 year ago +56

    A better solution might be a warning when attempting to open a file with multiple extensions, rather than just disabling "hide extensions for known file types" in Explorer. This may work for an experienced user who knows what different file extensions are, but for a novice who doesn't know the difference, they're probably going to just ignore the extension anyways. This could be annoying for power users though.

    • @hammerfist8763 1 year ago +5

      The only extension that matters or is actually an extension, is the last one. I fully agree that better file level security is part of the solution, and that begins with not allowing a file to be named .pdf.scr or .pdf.exe.

    • @Conserpov 1 year ago +1

      Why would anyone who's not a complete noob use Explorer as a file manager at all, let alone with hidden extensions?

    • @thepwrtank18 1 year ago +1

      "You are attempting to open an application file with the file extension [.ext] in front of it. Are you sure you want to open this application?"
      [info of application, name, publisher etc]

  • @kevbu4 1 year ago +113

    Thio Joe has recently done a couple of videos about this and similar attacks.
    And for all the people talking about showing file extensions, it turns out there are a few unicode characters that reverse text direction after the character, even the file extension.
    That will keep you on your toes. And Thio Joe discussed that too.

    • @hiru92 1 year ago +3

      yes, i saw that video 😁

    • @richarda3659 1 year ago +9

      Yes, there's some kind of hack involving right-to-left languages.

    • @serena-yu 1 year ago

      Interesting. It's U+202E

    • @slamscaper128 1 year ago +1

      Pretty sure .scr is one of those superhidden extensions, like .lnk and such. In this case, they didn't need to use that special command.
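
The two filename tricks discussed in this thread and in the earlier ones on hidden extensions (agreement.pdf.scr shown as agreement.pdf, and the U+202E right-to-left override that survives even with extensions visible), as an added example written for this page rather than code from the video or any commenter. It simulates what Explorer lists under each setting, approximates how a name containing the override is drawn, and flags the patterns by looking at the real final extension. The NEVER_SHOW and KNOWN_TYPES sets are illustrative subsets, not a dump of a real registry, and the rendering routine covers the lure pattern only, not the full Unicode bidi algorithm.

```python
"""Filename lies: Explorer display simulation, RLO rendering, and flags (added example)."""

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character named in the thread above
# Bidi control characters; none of them has any business in a filename.
BIDI_CONTROLS = set("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "msi", "lnk"}
# Types registered with NeverShowExt stay hidden whatever the Explorer setting (subset).
NEVER_SHOW = {"lnk", "pif", "url"}
# Types with a registered handler, hidden when "Hide extensions for known file types" is on (subset).
KNOWN_TYPES = {"pdf", "txt", "docx", "xlsx", "mp4", "zip", "exe", "scr", "jpg", "png"}


def explorer_display(name: str, hide_known: bool = True) -> str:
    """Name as Explorer lists it; hide_known=True is the Windows default."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name
    if ext.lower() in NEVER_SHOW or (hide_known and ext.lower() in KNOWN_TYPES):
        return stem
    return name


def visual_order(name: str) -> str:
    """Approximate rendering: everything after an RLO is drawn right-to-left, i.e. reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def analyze(name: str) -> dict:
    """Flags based on the real final extension, plus what the user would see either way."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    parts = clean.lower().split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""
    return {
        "bidi_control": any(ch in BIDI_CONTROLS for ch in name),
        "double_extension": len(parts) > 2,
        "executable": final_ext in EXEC_EXTS,
        "real_extension": final_ext,
        "shown_default": visual_order(explorer_display(name, hide_known=True)),
        "shown_extensions_on": visual_order(explorer_display(name, hide_known=False)),
    }


if __name__ == "__main__":
    for sample in ("agreement.pdf.scr", "invoice\u202efdp.scr", "video.mp4", "shortcut.lnk"):
        print(repr(sample), analyze(sample))
```

With the default setting the first sample lists as `agreement.pdf` next to a `video` with no extension at all, which is the tell several commenters point at; the second sample reads `invoicercs.pdf` even with extensions on, and only the `real_extension` field gives it away. The Explorer default is the `HideFileExt` DWORD under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`; setting it to 0 and restarting Explorer is what "show file name extensions" does.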

  • @AaronShenghao 1 year ago +67

    In the WAN Show, Luke said their anti-malware solution did catch the file. But it was only a notification, and the malware still ran before it could be stopped (i.e. it was not quarantined in time).

    • @phir9255 1 year ago

      Should've immediately logged out

    • @deuspax 1 year ago

      Let's not blame Windows in the most gratuitous way. If it senses malware, the OS starts to scream and puts the harmful file in quarantine mode; in order to make it work you have to go into the security panel and give it the proper rights, which probably the employee did.

    • @flameshana9 1 year ago +10

      How can a malware detection not lock the file? I have Windows scanning my darn games every single day making me wait for it and yet an actual virus gets to run freely?

    • @88porpoise 1 year ago

      ​@@flameshana9 I suspect in this case it was identified as suspicious and generated a message but didn't have enough confidence that it was malware to lock it down.
      You can decide what actions an AV takes on a file given the risk level determined. And they basically said that the number of false positives they would get at the level of security which would have locked down this file would be too large to manage without seriously harming their business (probably far more than the hijacking and one day of outage did).
      And, yes, every single business (and person) makes the decision to accept some degree of risk in various formats to facilitate operational efficiency. The question is how you balance the two.

  • @Ramonatho 1 year ago +59

    I don't know if this is common for malware, but one thing I found interesting was all the date and time codes for the different time markers in the hex editor were impossible dates for computers to exist in like 1601.

    • @AegisHyperon 1 year ago +7

      1601 is the first year of the Gregorian calendar cycle that was active when Windows was designed

    • @flubnub266 1 year ago +8

      Completely reasonable interpretation, but those aren't the dates of the data, but rather the actual data being interpreted as dates. So because most or all of the data aren't dates, they naturally appear as nonsense when interpreted as such.

  • @HollywoodCameraWork 1 year ago +169

    Microsoft should really stop this "Hide extension for known file types" thing. That Windows feature is the main attack vector, because it makes an executable look like an innocent file.

    • @PizzaInGame 1 year ago +12

      Maybe the reason Microsoft created that feature is that for people like us, who know the meaning of an extension, the hide thing is useless, but people who don't know will mostly rename their file wrong (like deleting the extension).
      But I agree with you, they need to update the system,
      like... they can just show the extension but not make it editable when renaming the file.

    • @robloxfan4271 1 year ago

      Agreed

    • @richarda3659 1 year ago +4

      It's optional, you can turn it off, and it's there because that's how Apple does it. Maybe Microsoft should prohibit changing a file extension by renaming the file, and only allow it in the Properties dialogue. And also, Windows should prevent multiple file extensions when any but the last is an executable file type. So something like ".pdf.old" is permitted, but ".pdf.exe" is prohibited.

    • @HollywoodCameraWork 1 year ago +5

      @@richarda3659 Of course you can turn it off, but it's on for 99.999% of Windows users. It's the default setting from hell. And no, Mac doesn't do this. Mac has 4-character file types and creator that can't be downloaded from the internet. The risk doesn't exist in the same way on Mac. And Mac notarizes executables. Not even a comparison.

    • @khoroshoorange 1 year ago +2

      @@richarda3659 Well, Apple isn't exactly a role model in anything anymore.

  • @paulstubbs7678 1 year ago +596

    The bit that surprised me was that LTT had a PC with both YouTube account access and was used to process incoming offers; I would have thought the two should be kept well apart.

    • @tomatobrush3283 1 year ago +55

      Yeah, running VMware Workstation and opening suspicious emails in a VM can go a long way to protecting your PC, definitely a hassle to maintain though.

    • @tegneren 1 year ago +78

      They said that sponsored videos are uploaded by the marketing department, so that would be why

    • @nwerd7584 1 year ago +9

      Linus is barely even at the warehouse unless he has to be in the video.

    • @johncarter3227 1 year ago +26

      @tegneren But still, that doesn't mean that one system should be used to process both things. LTT is a large organization and they can afford to have an isolated system to process outside information before it enters the main server. Anyway, they learned it the hard way!

    • @fabricio4794 1 year ago

      This guy (LTT) is an amateur and arrogant rich boy... nothing but a Microsoft employee who did an anti-Linux rally and then his secure Windows was bombed to the ground....

  • @SMGJohn 1 year ago +6

    I worked for a state company, and they actually had put in place such severe restrictions that did not allow anyone without privilege to open any file except those permitted, such as .pdf and Word docs.
    On top of it all, the computers were thin clients connected to a large array of servers; their sessions were all temporary VMs that would delete their instance after each use. All your files were stored in the cloud, essentially connected to your user account and constantly scanned. It was the most ridiculous security setup I have ever seen in my entire life. They also had automated software developed in house that scanned files to check if the files they received by email were proper or not; it all happened in the background. I cannot say what state company it was; you can probably already tell that stuff like this is not just any ordinary mom-and-pop office job.
    But in hindsight, it's not that much work to set up something similar for a small business with virtual machines and auto scanners checking files beforehand, or loading files isolated from the system.
    The funniest thing from that job is how the techs got so tired of trying to fight the spam emails that they designed a DDoS program that would just automatically target the IP source of these spam mails, and dedicated a small server just to run that script day and night. It worked, but when the boss found out, man, he was not happy knowing there was a server using 5 kW of power every day just to reverse-uno email spammers LOL. I think they replaced that with an AI which was good enough to detect most of them and filter it out; that was right at the end when I left, so I never got to look at it, because it would be handy to have something like that running in my basement.

    • @PatrickBaptist 5 months ago +1

      That's how it is where I work, though I don't work for a state. I work for a company that services insurance companies and vehicle makers' roadside assistance plans. But everything you said about where you work sounds just like how it is where I work, but I work at home and don't use a thin client, though I ordered one for the electricity saving and because it's easier to power when the power goes out, since we have been dealing with that a lot.
      Wow, 5 kW for a reverse uno trick, that is so funny (I used to be in IT back in the late 90s/early 2000s).

  • @eddielegs344 1 year ago +173

    I understand the dangers; true, .scr files also start up just like .exe files.
    But the fact that YouTube doesn't have the security in place to ask you to log in again when you change the password or the channel name is baffling to me.
    Or delete a lot of files... crazy.

    • @alouiciouswrex7141 1 year ago +18

      I would assume they could tie the session token to the current IP address, and if the session token is suddenly used by a different IP they cancel all sessions and request signing in again.

    • @johndododoe1411 1 year ago

      @@alouiciouswrex7141 That IP check would frequently go overboard when home ISPs and online proxies frequently change people's public IPs. The same thing happens when Facebook sends out an alert after every login with an updated browser.

    • @EvanOfTheDarkness 1 year ago +29

      @@alouiciouswrex7141 That would not work with smartphones that go in and out of WiFi range, and use the mobile network when there is no WiFi. The best you could do is time and location. That's why banks invalidate sessions (log you out) after 5-10 minutes of inactivity. Most websites log you out on a device after a week or so. But YouTube/Google never does it, since if you are not logged in it's harder to mine your data.
      The worst part is that (when done right) stealing the environment essentially makes this indistinguishable from the original browser, making it a "trusted device".

    • @alouiciouswrex7141 1 year ago +3

      @@EvanOfTheDarkness Fair point, I hadn't considered mobile devices

    • @eddielegs344 1 year ago +1

      @@EvanOfTheDarkness or MAC address for mobile devices

  • @FlyboyHelosim 1 year ago +620

    A 770 MB PDF file would be a major red flag. I think the largest genuine PDF file I've ever seen was less than a hundred megabytes, and that contained full-color images.

    • @kaywonderer 1 year ago

      No, I have seen 400 MB PDFs. You're obviously a noob.

    • @HexRox 1 year ago +62

      The problem with a very fast internet connection is the employee probably didn't get a look at how big the file was and just automatically checked the content after it was done downloading.

    • @meneldal 1 year ago +68

      @@HexRox The file is full of 0s, the zip archive would be actually quite small.

    • @dismiggo 1 year ago +18

      Even that is small, I would say. I made the yearbook for my class, and that is around 200MB. So I would be careful with blanket statements like that.

    • @0x1EGEN 1 year ago +15

      @@dismiggo A yearbook is different from an agreement form..
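
Three points from the threads above, worked as one added example written for this page (not code from the video or any commenter): the observation that a file name says nothing about its content, the "impossible" 1601 dates seen in the hex editor, and the size argument in this thread, including the reply that a file full of zeros compresses to almost nothing. The helper checks the bytes for an MZ/PE header instead of trusting the extension, measures how much of the file is zero padding, decodes the COFF link timestamp, and interprets arbitrary bytes as a Windows FILETIME the way a hex editor's data inspector does, which is where a sea of 1601 dates comes from. The sample "PDF" is constructed in memory; the helper names are this example's own.

```python
"""Content-based triage of a 'PDF' plus FILETIME decoding (added example; stdlib only)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # origin of Windows FILETIME


def filetime_to_datetime(raw8: bytes):
    """Read 8 little-endian bytes as a FILETIME (100 ns ticks since 1601-01-01 UTC).
    Bytes that are not really a timestamp decode to a small tick count, so an
    inspector shows 1601 over most of a file. Returns None past the datetime range."""
    ticks = struct.unpack("<Q", raw8)[0]
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None


def parse_pe(data: bytes):
    """(is_pe, link_time) from the DOS and COFF headers, or (False, None)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 12 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False, None
    # COFF header: Machine, NumberOfSections, TimeDateStamp (Unix epoch, unlike FILETIME), ...
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return True, datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    is_pe, link_time = parse_pe(data)
    looks_like_pdf = data.startswith(b"%PDF-")
    return {
        "name": name,
        "size": len(data),
        "is_pe": is_pe,
        "link_time": link_time.isoformat() if link_time else None,
        "looks_like_pdf": looks_like_pdf,
        "zero_ratio": data.count(0) / len(data) if data else 0.0,  # padding indicator
        "name_lies": name.lower().endswith(".pdf") and not looks_like_pdf,
    }


def build_fake_pe(padding: int) -> bytes:
    """Constructed sample: minimal DOS stub, PE signature, COFF header, then zero padding."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header right after the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0x5F000000, 0, 0, 0, 0)
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * padding


if __name__ == "__main__":
    sample = build_fake_pe(1024)
    print(triage("agreement.pdf", sample))
    print("first 8 bytes as FILETIME:", filetime_to_datetime(sample[:8]))
```

On the sample the name says PDF, the bytes say PE, more than 99% of the file is zeros, and the first eight bytes (`MZ` and padding) decode to a time a few milliseconds into 1601. Scale the padding up and the "770 MB" number falls out of the same two-line header.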

  • @CyriacS 1 year ago +1

    This video is so fantastic, I gasped a few times when you showed the properties and HEX... Good job!

  • @NuDimon 1 year ago +93

    Good thing for them they got it resolved quickly and got support through their other business ventures to alleviate the lack of AdSense while the channel was down. But they definitely have been a bit too lax on their security. Apparently their security software solution was set to a less secure setting due to too many false positives. They really did get to feel how having their policies leaning more towards convenience is a bad idea.
    That being said, how YouTube does not require 2FA for sweeping changes to a channel is downright mind-boggling. If you change the channel name and change the status of the majority of your video catalogue, there should be some alarm bells ringing, no?

    • @MAProsper 1 year ago +14

      While I agree, there are also issues with having security settings too strict, as they might lead to users circumventing them so they can do their job. Now instead of some security, you have none. So, since they said they couldn't handle the amount of false positives, they settled for that. Was it the best idea? No, but they did what they thought was right. It seems that looking forward they should look into how to handle the false positives better, or alternative software suites.
      That being said, as you also said, Google not reauthenticating users attempting to do massive changes on the channel seems like a big mistake on their part.

    • @mechwarrior83
      @mechwarrior83 ปีที่แล้ว +14

      The fact the Google will allow login from a cookie and then change password + 2FA *without* confirmation from either is downright neglectful.

    • @Pandaptable
      @Pandaptable ปีที่แล้ว

      @@mechwarrior83 you clearly do NOT understand how logging in from a cookie works. It's not that google "lets" them. It's that you're essentially just copying how they logged in, and it's the same session in essence.

    • @rezwhap
      @rezwhap ปีที่แล้ว +9

      @@Pandaptable So confidently incorrect. They could force a reauthentication even with a valid session. Many services do for important changes.

    • @zonkedmc
      @zonkedmc ปีที่แล้ว

      You sound too invested in them personally.
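
The reauthentication that mechwarrior83 and rezwhap argue for, written out as an added example (not code from the video or from any commenter): a session cookie that stays valid for everyday actions but must be backed by a fresh password + second factor before password or 2FA changes go through. `Session`, `AccountService`, `STEP_UP_WINDOW_SECONDS`, the SHA-256 stand-in for a password KDF and the fixed TOTP code are all constructed for illustration.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Optional

# A sensitive change is accepted only if password + second factor were re-proved on THIS
# session within the last five minutes (constructed policy value; shorter is stricter).
STEP_UP_WINDOW_SECONDS = 5 * 60


class StepUpRequired(Exception):
    """The session cookie is valid, but the action needs a fresh password + 2FA prompt."""


def constructed_hash(password: str) -> str:
    # Placeholder for a real password KDF (Argon2/bcrypt); SHA-256 keeps the example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Session:
    user: str
    created_at: float
    last_strong_auth_at: float  # when password + 2FA were last verified on this session
    password_hash: str


class AccountService:
    """Everyday reads work off the session alone; account changes require step-up."""

    def __init__(self, session: Session, verify_totp: Callable[[str, str], bool]):
        self._session = session
        # verify_totp(user, code) -> bool is injected so no TOTP library is needed here.
        self._verify_totp = verify_totp

    def view_dashboard(self) -> str:
        # Low-risk action: a copied cookie is, as Pandaptable says, the same session.
        return f"dashboard for {self._session.user}"

    def step_up(self, password: str, totp_code: str, now: Optional[float] = None) -> None:
        """Re-prove both factors; a copied cookie alone cannot pass this."""
        now = time.time() if now is None else now
        s = self._session
        if constructed_hash(password) != s.password_hash or not self._verify_totp(s.user, totp_code):
            raise PermissionError("step-up authentication failed")
        s.last_strong_auth_at = now

    def _require_recent_strong_auth(self, now: float) -> None:
        # The window is a convenience; for the most sensitive changes a service can set it to
        # zero so that every such change prompts, regardless of how fresh the login is.
        if now - self._session.last_strong_auth_at > STEP_UP_WINDOW_SECONDS:
            raise StepUpRequired("fresh password + 2FA required for this change")

    def change_password(self, new_password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._require_recent_strong_auth(now)
        self._session.password_hash = constructed_hash(new_password)
        return True

    def replace_second_factor(self, new_secret: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._require_recent_strong_auth(now)
        # A real service would also revoke every other session for this user here.
        return True


def outcome_for_copied_cookie(session: Session, now: float) -> str:
    """What someone holding only a copy of the session cookie can do at time `now`."""
    svc = AccountService(session, verify_totp=lambda user, code: code == "123456")
    svc.view_dashboard()  # still works: the session itself is valid
    try:
        svc.change_password("not-the-owner", now=now)
        return "takeover"
    except StepUpRequired:
        pass
    try:
        svc.step_up("not-the-owner", "000000", now=now)  # no password, no 2FA device
        return "takeover"
    except PermissionError:
        return "blocked: step-up required and cookie holder lacks password + 2FA"


if __name__ == "__main__":
    owner = Session("creator", 0.0, 0.0, constructed_hash("correct horse battery"))
    print(outcome_for_copied_cookie(owner, now=3600.0))
```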

  • @tallpaul9475
    @tallpaul9475 1 year ago +19

    At my company, we've been using a 'viewer' to 'checkout' files and virtually view them. Picture it as a way to look at documents in a secured environment using a remote external viewer. Validated sites have been using this for almost 25 years now. If things are isolated and viewed indirectly, that would probably halt the brakes on a lot of problems.

  • @darthnegativehunter8659
    @darthnegativehunter8659 1 year ago +4

    The problem is that you should always, ALWAYS make the file extensions visible.
    In fact this kind of thing is easy to detect. Windows can have some sort of a warning for this sort of file name added, so it saves a lot of users from running executables by mistake.

    • @Gargantura
      @Gargantura 1 year ago

      How do you activate it?

    • @darthnegativehunter8659
      @darthnegativehunter8659 1 year ago

      @@Gargantura Depends on the version of Windows, but a quick Google search will give you the answer.
      I usually do it by Control Panel and Folder Options. Then there should be a checkbox somewhere to make them visible.

    • @Gargantura
      @Gargantura 1 year ago

      @@darthnegativehunter8659 Aight, thanks

  • @danwake4431
    @danwake4431 1 year ago +7

    I'm not a security specialist, but I spend most of my time on Linux, primarily for the lack of tracking but also because I generally don't have to worry about any Windows-based attacks. If I worked for a big YT channel I would certainly use Linux for emails and almost anything else that didn't require Windows. And if I DID have to use Windows, I'd open a fresh VM just for internet and emails and never log into anything important.
    I'm actually surprised these content creators even use Windows, I assumed they all used Macs, since they pretty much all use iPhones as well.

    • @Armand79th
      @Armand79th 1 year ago +1

      Well, a bunch of amateurs will amateur.

    • @AkiraElMittico
      @AkiraElMittico 1 year ago +1

      This is one of the reasons why I've been on Linux 100% since 2007, and never went back to Windows, not even for work.

  • @yugbe
    @yugbe 1 year ago +13

    Good information. Was kinda hoping for a bit of code breakdown, but this is my first time visiting the channel, so I'm not sure how deep you go. Either way, thank you for putting such good info and good recommendations out there.

    • @pcsecuritychannel
      @pcsecuritychannel 1 year ago +6

      There are more in-depth videos on the channel. :)

  • @quality147
    @quality147 1 year ago +3

    I don't care how legitimate your email is; if your domain is slightly off I will ignore it.

  • @andresilvasophisma
    @andresilvasophisma 1 year ago +89

    I always thought that keeping session cookies in plain text on the storage device was a bad idea. The information should be encrypted by the browser.

    • @bluemeriadoc
      @bluemeriadoc 1 year ago +9

      Or just don't let applications (like screen savers) read any arbitrary data on the disk. Especially web browsers.

    • @andresilvasophisma
      @andresilvasophisma 1 year ago

      @@bluemeriadoc But you could still read it with regular executable programs.

    • @rohanjamadagni
      @rohanjamadagni 1 year ago +3

      Would you be okay entering a password every time you launch the browser?

    • @bluemeriadoc
      @bluemeriadoc 1 year ago +6

      @@rohanjamadagni Maybe, but it's not necessary. You can leverage the operating system to encrypt based on the computer's password or protect the address space, or both.

    • @rohanjamadagni
      @rohanjamadagni 1 year ago

      @@bluemeriadoc Encryption only works when there's a password attached to it. If the browser can launch without needing a password, the hacker can just steal all the app data of the browser and launch it on their system regardless of what the OS does. Windows doesn't have strict permission checking for files, and even if it did, if the program got admin access it's basically useless. The only way to fix this is to have your whole browser password-authenticated, kind of like how password managers are as browser extensions. From a website POV, you should have implemented UUID checking or some hashed hardware ID checking in the cookie; again, this should be implemented by browsers as it would be a security risk to allow websites to detect a HW ID. Overall, I'd say from a developer perspective these kinds of attacks are really difficult to mitigate without making the UX of the user worse.

  • @Fredaffinity
    @Fredaffinity 1 year ago +11

    First "trick" that my friend taught me on my first PC was how to see extensions and how to see hidden files.
    It's the first thing I do after reinstalling Windows.

    • @jinxterx
      @jinxterx 1 year ago +1

      Your friend is a true friend.

    • @Fredaffinity
      @Fredaffinity 1 year ago +2

      @@jinxterx Yeah, he is a true friend for sure.
      And this feature has saved me several times.

  • @fadedpuppygirl
    @fadedpuppygirl 1 year ago +1

    Can't believe they opened a 700+MB PDF that would hold a simple contract. That should also have been a red flag.

  • @sergeiborodin9254
    @sergeiborodin9254 1 year ago +14

    Most malware is targeted at Windows; sandboxing the public parts of interacting with the world in a virtual machine could prevent that.

  • @spooky4655
    @spooky4655 1 year ago +12

    There are also samples that seem to use actual code instead of empty spaces. It appears that these samples consist of a bunch of randomly generated functions that will be called upon launch. However, if you remove them to reduce file size, the program will become corrupted and you won't be able to run it.

  • @sterling3716
    @sterling3716 1 year ago +2

    Good video. I think it would've been neat if you added a section to these types of videos where you do some sort of sandboxing of the file, to show what it's actually doing. I'm sure you've heard of it, but Any Run is an example of an interactive open sandbox solution to do this in; another is Hybrid Analysis, which, though it doesn't provide interactivity, still shows screenshots and breaks down the activities it performs. It would be neat to get an idea of the scheduled task creations, additional sub-process executions, network traffic to threat actor domains and IPs, etc.

  • @SEMIA123
    @SEMIA123 1 year ago +63

    I feel like at this point, proper security protocols would be to have a separate machine that exists exclusively to open emails and doesn't have access to anything except the email account.

    • @johndododoe1411
      @johndododoe1411 1 year ago +2

      Except that many attackers want control of your recovery e-mail only (in that phase).

    • @clawrunner
      @clawrunner 1 year ago +5

      @@johndododoe1411 You can have emails forwarded to an unattached proxy email for this purpose, using something like POP so they're deleted off the first address as soon as they're sent to the second one. Then you'd have to intentionally send it BACK to the first email for them to have access to that one.

    • @takatamiyagawa5688
      @takatamiyagawa5688 1 year ago +3

      They're running a YouTube channel, not a military base.

    • @luka188
      @luka188 1 year ago +21

      @@takatamiyagawa5688 If your YouTube channel is your livelihood, you may as well go the extra mile to protect it well, because if you lose it, you basically lose everything. At least in the case of Linus Tech Tips and bigger channels, it's possible to recover this even after a hack happens, but it takes a lot of effort regardless, and taking extra security measures to prevent this kind of thing is very worthwhile.

    • @nwerd7584
      @nwerd7584 1 year ago

      Mental Outlaw has been saying for months and months if not years to go buy a shitty Chromebook and use that to answer the business email. What's even worse is a lot of these losers use their personal email to get business emails, which has secured future fuckery. They SHOULD have an email solely for sponsorship offers, and you should only use that email on that laptop. Unless you can have a brain capacity above a 5 year old and just not click them. Greed is what makes people fall for this shit. Being content doesn't leave you with shady business.

  • @kevinh96
    @kevinh96 1 year ago +8

    Microsoft need to, as others have said, show file extensions by default. However, they also need to block .SCR files by default too, as well as Defender being a bit more advanced and able to block and warn about files with double extensions, such as .pdf.exe.

  • @electricspider2267
    @electricspider2267 1 year ago +1

    There was a virus at our school that used .scr. It got everywhere. If you plugged a USB into a computer, it would copy itself to it, then set all your folders to hidden + system, then create .lnk files to match the name, set the link target to the malware on the stick, and add an autorun.inf file to the stick.
    Hidden and system meant you wouldn't see the real folders unless you turned on both show hidden files and show system files. Show system files was a bit hidden and it warns you not to do that. A clear giveaway that your USB was infected was that all your folders turned into shortcuts that had that little arrow thing in the corner. I removed the virus from a lot of computers and fixed the USBs of whoever lent me their flash drives.

  • @filtro-d-aire6843
    @filtro-d-aire6843 1 year ago +8

    I'm learning a lot, thanks for all these videos 👍🏼

    • @jamesjross
      @jamesjross 1 year ago

      Like how to monetize someone else's misery?

  • @maxwellsmart3156
    @maxwellsmart3156 1 year ago +10

    Sounds like it's time to sandbox certain functions and create a VM to open attachments, and possibly get an antivirus that will scan large files. Also, I don't think it's hard to create a script to do some rudimentary analysis of files to display size, possible padding, extension, etc. to alert to a Trojan horse file.

  • @PassionforSpace
    @PassionforSpace 1 year ago +2

    Great coverage, thanks for sharing, you explain it very well and this is what people need.

  • @FlukasMcDoogle
    @FlukasMcDoogle 1 year ago +12

    Good video. And lots of great suggestions in the comments. Love to see it. And no one blaming "noobs" or non-tech-savvy people. And you make it easy to understand. Love this.

  • @ostrados
    @ostrados 1 year ago +5

    Great diagnosis and analysis of the issue, but it would be great if you had described the remedy. I have many questions here; hope you could address them in other videos or in a comment:
    - How could you prevent malicious emails from harming your system from the beginning? Is opening emails in a sandbox (virtual machine) considered the ultimate solution for separating harmful content from the environment? How practical can this be, especially in a working environment with many users?
    - What is the best anti-virus? Especially the ones that detect malware after falling into the hacking trap.
    - In short: is there an ultimate solution??

    • @flipina
      @flipina 1 year ago +4

      In the latest WAN Show, Luke said the attack was flagged by their AV. But since they did not set it to the highest level, the attack was not shown/seen. So curious about these too.

    • @russellhltn1396
      @russellhltn1396 1 year ago

      I believe he did - it's isolating the functions so the machine/person opening the emails doesn't have access to the higher privileges needed to attack. One thing he didn't mention is never use your machine when logged in as a local administrator. Only use those accounts when doing maintenance. I remember reading some time back that most attacks will fail if the user only has "user" privileges. But people resist anything that gets in the way of doing what they want to do.

  • @stoner.07
    @stoner.07 1 year ago +2

    Channel notifications on now, I want to be updated with all this stuff :D

  • @cook_it
    @cook_it 1 year ago +6

    For PDFs there luckily exists a FOSS tool called Dangerzone which cleans the PDF up inside a sandbox (basically acting like a virtual printer, converting the PDF to pure pixel data and then making that into a clean PDF), which can be handy for when you **have** to open up a PDF (contracts for example) but can't trust the source.

    • @UnknownString123
      @UnknownString123 1 year ago +1

      That's cool

    • @phir9255
      @phir9255 1 year ago

      Or just open in Chrome

    • @cook_it
      @cook_it 1 year ago +1

      @@phir9255 While Chrome does open PDFs in a sandbox which _should_ be secure, that still doesn't solve all the other problems like "You opened an executable instead of a PDF".

    • @phir9255
      @phir9255 1 year ago +1

      @@cook_it True, people should enable visible extensions

    • @cook_it
      @cook_it 1 year ago

      @@phir9255 Absolutely.
      But even then, if there are other exploits like a sandbox escape in Chrome you still get into problems.
      With dedicated software like Dangerzone you would first need an exploit on LibreOffice or GraphicsMagick, then if you're on Windows a VM escape from Docker Desktop or for Linux a container escape exploit, which is harder than a sandbox escape but still potentially possible.
      tl;dr
      Security is hard and mistakes can always happen. Never rely on a single piece of software to keep you safe.

  • @EricchiYukia
    @EricchiYukia 1 year ago +4

    I think the easy fix for this would be for Microsoft to:
    1. Enable file name extensions by default
    2. Make the process for executing a file different from the one for opening it. Something like on Linux, where you need to explicitly choose "Execute" when you double-click a file in order to run it, or it just opens as a text file.
    Such a shame it's 2023 and Windows is still so insecure.

    • @ContraVsGigi
      @ContraVsGigi 1 year ago

      On my Linux I can run by double-click just fine.

    • @johndododoe1411
      @johndododoe1411 1 year ago

      Microshit even requires execute permission on every document you open with double-click, thus forcing insecure security settings.

    • @EricchiYukia
      @EricchiYukia 1 year ago +1

      @@ContraVsGigi Huh? Strange. Maybe it depends on the desktop environment. On Linux with KDE (and I think on GNOME too) the default behavior is to just open a file when you double-click it and never execute it unless specified.

    • @ContraVsGigi
      @ContraVsGigi 1 year ago +1

      @@EricchiYukia Don't remember exactly, I think I do check the "execute" checkbox, but I think that is not always the case. In the end it depends on the permissions of the file, if it has the +x or not. I am on GNOME (Ubuntu).

    • @EricchiYukia
      @EricchiYukia 1 year ago +1

      @@ContraVsGigi Yes, that too! Files downloaded from the internet always have the "executable" flag disabled on Linux, and that was made exactly to prevent incidents like the LTT one.

  • @k808-d3j
    @k808-d3j 1 year ago

    I watched a few other videos on this topic but idk why your explanation just sticks better in my brain lol

  • @ender-gaming
    @ender-gaming 1 year ago +122

    Sadly Linus got caught here by ignoring his cyber security expert Luke. On the WAN Show Luke pointed out that he told Linus the EXACT account and method of the hack, but Linus responded "I'm focusing" and ignored the entire message. Luke then had to reach out to Linus's wife to get access to accounts (as he didn't have permissions to do what was needed, which is an issue). He offered to RDP into Linus's PC to do it but Linus was too focused combating the attack vector he thought it was (SMS/password) to listen.

    • @jmckey
      @jmckey 1 year ago +28

      Yeah, Linus talking about being woken in the middle of the night and ADHD, plus the severe crisis, is understandable, but it still shows a SEVERE flaw in their disaster management preparedness and lack of processes. Linus himself seems to need training in how to manage a crisis and delegate better. I took a whole class in my tech master's on crisis MGMT and we workshopped stuff, having to perform as a team in front of our class to fix a problem live. Cool stuff, and it teaches you to communicate and calm down first, THEN tackle the issue so you are being the most effective.

    • @engineeingnerd
      @engineeingnerd 1 year ago

      @@jmckey Google is more at fault for it

    • @jmckey
      @jmckey 1 year ago +1

      @@engineeingnerd For sure, Google HAS to change how they secure logins and manage cookie sessions, but there HAS to be process changes in the meantime at LTT to prevent something like this happening again.

    • @fabricio4794
      @fabricio4794 1 year ago

      An Arrogant Adult immature Freak like Linus, ever hated and refused Linux, and now he got what he deserves being an annoying Windows fanboy

    • @Armand79th
      @Armand79th 1 year ago

      Well, yeah... Linus is an amateur and a shill, not an IT tech by any assessment worth a piss.
      Hardly surprising they got hit like this.

  • @michaeltedeschi9929
    @michaeltedeschi9929 1 year ago +4

    Great breakdown of the situation. It blows my mind that things like this still work, but as we see time and time again: session stealing is very much still a lethal and viable technique. Nice breakdown, and hopefully this is a reminder for the tech-oriented user to pay close attention to what they open... All it takes is letting your guard down for a quick moment to get caught by these things, and it really can happen to anyone, even the security-minded user.

    • @richarda3659
      @richarda3659 1 year ago

      Why aren't the session tokens encrypted and only readable by the issuing web browser, based on the browser's internal ID?

    • @dealloc
      @dealloc 1 year ago +2

      @@richarda3659 Encryption doesn't matter when malware runs on _your_ computer. Where would you store the key? If your OS has access, then malware can find a way to gain access as well. Even if a hardware TPM or Secure Enclave was present.
      And aside from encryption being resource intensive to do (and battery hungry), it also would be highly inefficient if your browser is already running, as that data would be in memory, unencrypted, anyway.

    • @alalala132whyisthishandletaken
      @alalala132whyisthishandletaken 1 year ago

      It's not "the technique", the attack vector was someone being dumb. Anyone with an RCE can do anything on the machine that you can do.

    • @alalala132whyisthishandletaken
      @alalala132whyisthishandletaken 1 year ago

      @@dealloc The key does not have to be locally present nor does it have to be static; it can be a calculated value either based on datetime or another system similar to RSA tokens. There is also no need to "store the key" since you can input it every time, e.g. biometric keys.
      Encryption is not resource-heavy, every layer 4+ connection you make has TLS over the top of it. It feels like everyone on here is just making guesses as to how computers work without understanding the stack.
      Scouring memory is not a reliable vector of harvesting tokens.

  • @snickerdoooodle
    @snickerdoooodle 1 year ago +83

    I'm going to be honest, if a channel is advising you to "just use VirusTotal instead of an antivirus" I'd immediately look for their history as a cyber criminal lmao

    • @YRDY
      @YRDY 1 year ago

      Yes, it may help criminals more than users..

    • @aoeGamingAEGIS
      @aoeGamingAEGIS 1 year ago +1

      Never use antivirus, just move to Linux, lol

    • @chrisdawson1776
      @chrisdawson1776 1 year ago

      @vonKarma1186 🤓

    • @AttilaAsztalos
      @AttilaAsztalos 1 year ago

      Totally DO use an antivirus if you want to throw 95% of your machine's performance away 100% of the time vs. that one time when you should have had the common sense to realize whatever you just downloaded should at least be checked by VirusTotal.

    • @serena-yu
      @serena-yu 1 year ago

      And I have just seen a channel that teaches people: "The first thing you should do when getting a computer is to shut down Windows Update and Defender permanently. This is very important. Now do as I show you..."

  • @a_d_z_y__
    @a_d_z_y__ 1 year ago +10

    I think browsers should encrypt stored data like session tokens, and ask for a decryption password when launched (which would imply never storing decrypted cookies outside of the RAM).

    • @paulstelian97
      @paulstelian97 1 year ago +1

      They do something similar to that for passwords, where they will use OS-level security/encryption as appropriate (on Linux and macOS you have Keychain; Windows also has something similar). It would be nice if cookies were also caught in that.

    • @FrumpyJones
      @FrumpyJones 1 year ago +4

      Um.. the whole point of session tokens is to not have to put in a password... So the real solution is: "don't choose 'remember me'"

    • @a_d_z_y__
      @a_d_z_y__ 1 year ago

      @@FrumpyJones I don't agree, having to log in every time on every website can be tedious, whereas one prompt when you open your browser asks the user for much less effort.

    • @tobelix6397
      @tobelix6397 1 year ago +2

      The real solution would be to keep your sessions short

    • @aoeGamingAEGIS
      @aoeGamingAEGIS 1 year ago

      Yeah, but what if I just want to move my data from one PC to another? I just raw copy-paste files and tadaaa, I don't want encryption bullshit to deal with. Isn't it Windows' fault it doesn't have an alert: you're about to open a .exe or .scr file, are YOU SURE? And for this to not be annoying, it would pop up only the first time you run a file. And you can even disable it...

  • @GANONdork123
    @GANONdork123 1 year ago +9

    I'm glad you mentioned the fact that the PDF is usually not sent in the initial email, but rather a follow-up email, and the fact that many legit companies use third-party PR firms to reach out for sponsorships. After hearing those two facts, it's no wonder someone who works for a big YouTube channel would fall for this, especially if they get dozens if not hundreds of legitimate offers every single day with no discernible difference up front. Having a sponsorship manager with complete and total access to the YouTube channel was a serious blunder on LMG's behalf though, and the hack would have been mitigated had that not been the case, so I hope they've learned a lesson from that. Imagine being a solo creator dealing with this though. Answering dozens of emails from potential sponsors while also working on your own content. You wouldn't have a buffer from this kind of attack, unlike LMG would.

    • @aoeGamingAEGIS
      @aoeGamingAEGIS 1 year ago +1

      Step 1: explore & gain trust

  • @ZeroX252
    @ZeroX252 1 year ago +17

    I'm actually more surprised that malware detection suites aren't robust enough to detect these types of attacks. A surface-level check of RTL/LTR manipulation of the filename to hide the extension would catch this as a suspicious file. There aren't any legitimate use cases to use this hack in the real world, so it's pretty safe to say anything hiding the extension like this is likely to be malicious. Similarly, checking a file for padding is fairly easy to do, and doesn't require a lot of resources realistically to do so. Shrinking the file for an in-depth scan is also possible using sparsification, but that's a bit more resource intensive - and only works on zero-padded files directly.

    • @LordSStorm
      @LordSStorm 1 year ago +1

      Filetype manipulation can be accidental.

    • @o00nemesis00o
      @o00nemesis00o 1 year ago +1

      Some foreign languages are RTL, so yes there are legitimate use cases for the character appearing in a file name

    • @ZeroX252
      @ZeroX252 1 year ago

      @@o00nemesis00o But not in the extension, and that's pretty easy to check for.

    • @ZeroX252
      @ZeroX252 1 year ago

      @@LordSStorm Windows warns users when changing the extension, and in this case the user could undo the mistake or make the logical conclusion that the file is or is not suspicious.

  • @NelielSugiura
    @NelielSugiura 1 year ago +5

    This reminds me of the time when my friend found an exploit in everyone's favourite media player, VLC, and added code to the end that, when played in VLC, broke things because the tool executed scripts within the video (he could have done anything, including modifying the registry to never pass login, but it merely scrambled the subtitles). The video played fine in MPC and other players. The only reason he did it is because his messages to VLC devs went unanswered.
    The same, I suspect, basically would happen here (getting MS to enable file extensions by default or YT having more security). Sometimes, these big companies think they have all the answers and do not pay attention to outside reports. Despite all the smaller channels Linus mentioned as having been similarly hit, and YT having yet to do anything there, are they going to pay attention now and fix things? I would not hold my breath. :(

    • @o00nemesis00o
      @o00nemesis00o 1 year ago

      No, because hiding file extensions has made this possible for decades, MS cannot possibly be ignorant of it, and they just won't do anything because... hell if I know why.

  • @Sakisaka_Rei
    @Sakisaka_Rei 1 year ago

    Your video helped me just now. Just got sent a zip file by a prospective "employer". I downloaded the file in an Ubuntu virtual machine and found a .scr file with other .jpg files inside. The .scr file was suspicious enough, but it also was over 1GB in size despite the zip file being only 5MB. Then I decided to shred it all. I have to give a big thanks to you for making me aware!

    • @dzenacs2011
      @dzenacs2011 1 year ago

      Why did you download this file? Nothing better to do than downloading random stupid files?

    • @Sakisaka_Rei
      @Sakisaka_Rei 1 year ago

      @@dzenacs2011 I think I took the necessary precautions. And I got this message from ArtStation, so I couldn't exactly check if they were legitimate or not, as they claimed to be a game company.

  • @stevenclark2188
    @stevenclark2188 1 year ago +10

    Okay, that zero padding thing is outright negligence on the part of malware scanners.

    • @dealloc
      @dealloc 1 year ago +1

      Yes and no. You could probably come up with ways to determine a file as being potentially unsafe by looking at random bytes in a file to determine whether it contained zero padding or not. But that would likely also issue a ton of false positives. And zero padding is not the only way to circumvent it. It could just be a bunch of random data as well; it's now much harder to determine what the file is.
      There is anti-malware that does this kind of analysis already, when you run a full scan or manually select a file for a scan. But while in the background, you don't want it to do a full scan and take up all your resources and potentially battery.
      So it's both a user error and a problem of detection. If you are uncertain about a file, manually scan it with your anti-malware software at least.

    • @DylanDurdle
      @DylanDurdle 1 year ago

      Agree. Doesn't take much effort for a virus scanner to pass through the file with a trimmer to validate 99% of it being empty space. But of course, if they were to do that then the hackers would just start padding files with random noise, defeating trimming it.

  • @mashroom_
    @mashroom_ 1 year ago +7

    Wouldn't it be possible to flag padded files like the PDF as suspicious if they have unusually low entropy? To speed up this calculation, one could sample chunks from the entire range of the file, instead of scanning the whole file, and either calculate the overall entropy of these chunks or calculate an "entropy map", where files containing large low-entropy regions are marked as suspicious.

    • @mashroom_
      @mashroom_ 1 year ago +1

      @@fred-2.7182 True, it really is a never-ending struggle. I'm not sure why you think a single random byte in every chunk would make my method fail, but please elaborate.

    • @Hyxtryx
      @Hyxtryx 1 year ago +1

      @@mashroom_ Instead of zeros they could use megabytes of random data. Then your entropy idea would fail.

    • @mashroom_
      @mashroom_ 1 year ago +1

      @@Hyxtryx You're right, but I would argue that this would make the file too difficult to compress and would hence exceed the maximum email attachment size.

    • @Hyxtryx
      @Hyxtryx 1 year ago

      @@mashroom_ Good point, I didn't think of that.
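
The "rudimentary analysis script" maxwellsmart3156 asks for, with ZeroX252's RTL/extension check and mashroom_'s sampled entropy map in one place, as an added example not taken from the video or any commenter: it flags bidi-override and double-extension names, a body whose sampled chunks are mostly zero-entropy, and (mashroom_'s counter to random filler) a large file that compresses to almost nothing. Function names, thresholds and the two sample byte strings are constructed for illustration.

```python
import math
import random
import zlib
from collections import Counter

# Unicode bidi controls that can make "Agreement\u202efdp.scr" render as "Agreementrcs.pdf".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Extensions Windows runs on double-click (non-exhaustive) and common document extensions.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta", "msi", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def filename_findings(name: str) -> list:
    """Flag names whose displayed extension may differ from the real one."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi control character in file name: displayed extension may be spoofed")
    parts = "".join(ch for ch in name if ch not in BIDI_CONTROLS).lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"real extension is executable: .{parts[-1]}")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension .{parts[-2]}.{parts[-1]} masquerades as a document")
    return findings


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for all-zero data, close to 8.0 for random or compressed data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def entropy_map(data: bytes, chunk_size: int = 4096, samples: int = 64) -> list:
    """Entropy of `samples` chunks spread across the whole file, so a genuine header
    followed by hundreds of megabytes of filler still shows up as mostly empty."""
    if len(data) <= chunk_size:
        return [shannon_entropy(data)]
    step = max(1, (len(data) - chunk_size) // max(1, samples - 1))
    offsets = range(0, len(data) - chunk_size + 1, step)
    return [shannon_entropy(data[off:off + chunk_size]) for off in offsets][:samples]


def content_findings(data: bytes, low_entropy: float = 1.0, min_size: int = 64 * 1024) -> list:
    """Padding checks: the sampled entropy map, plus the compressibility argument from the thread."""
    findings = []
    emap = entropy_map(data)
    low_fraction = sum(1 for e in emap if e < low_entropy) / len(emap)
    if low_fraction >= 0.5:
        findings.append(f"{low_fraction:.0%} of sampled chunks are near-zero entropy (padding)")
    # Random filler would defeat the entropy check, but random filler does not compress,
    # so a large file that zips down to almost nothing is itself worth a second look.
    if len(data) >= min_size:
        ratio = len(zlib.compress(data, 6)) / len(data)
        if ratio < 0.05:
            findings.append(f"file compresses to {ratio:.1%} of its size (mostly filler)")
    return findings


def triage(name: str, data: bytes) -> list:
    """Combined name + content findings; an empty list means nothing stood out."""
    return filename_findings(name) + content_findings(data)


# Constructed samples (not real malware): a varied 2 KiB "header" followed by 500,000 zero
# bytes, versus 128 KiB of seeded pseudo-random bytes standing in for a genuine document.
PADDED_SAMPLE = bytes(range(256)) * 8 + b"\x00" * 500_000
RANDOM_SAMPLE = random.Random(42).randbytes(128 * 1024)

if __name__ == "__main__":
    for name, data in (("Agreement\u202efdp.scr", PADDED_SAMPLE), ("Invoice.pdf", RANDOM_SAMPLE)):
        print(repr(name), len(data), "bytes ->", triage(name, data) or ["no findings"])
```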

  • @michaeljoaquin6622
    @michaeljoaquin6622 ปีที่แล้ว +3

    Great video! It was my first time watching a video from you and as an IT professional transitioning into the cybersecurity field, this was a very informative video!
    btw, in the scroll history it says "Crowdsack" instead of "CrowSec". Just wanted to let you know. Again great video!

  • @RudySoliz
    @RudySoliz ปีที่แล้ว +15

    Good video with some cool insight. Linus explained that only certain people have access to the channel, and even those people have limited access to certain things. Would be a good wake-up call for new protocols or software to prevent something like this from happening again.

    • @dzenacs2011
      @dzenacs2011 ปีที่แล้ว +1

      New protocol - dont click and open unknown files like you are 7 year old first time using email

  • @bobjoe8131
    @bobjoe8131 ปีที่แล้ว +6

    Linus said their corporate anti-malware program caught it, but it was only a notification. Because no one was constantly monitoring the dashboard, the malware slipped through.

    • @fabricio4794
      @fabricio4794 ปีที่แล้ว +6

      i Hope More Malware builders test on LTTs Ecosystem.....i hate that guy·....

    • @RickMyBalls
      @RickMyBalls ปีที่แล้ว

      @@fabricio4794 what's with the retarded captialisation?

    • @DatKakashii
      @DatKakashii ปีที่แล้ว

      @@fabricio4794wait why lol

    • @Stormlywing
      @Stormlywing ปีที่แล้ว

      not like they can get Remote tools to check for them
      because of one thing
      Being too famous is asking for problems
      -----------------------------------------------------------------------
      he get out of the shower to check his channel
      Not getting dress like an fother does
      If I was an kid I would be outside because of the noise
      from an hacked channel to scar kids as well

  • @seahamdesigner
    @seahamdesigner 7 หลายเดือนก่อน

    Subbed for the quality of this video and the info in it.

  • @willwunsche6940
    @willwunsche6940 ปีที่แล้ว +6

    Don't know if it was mentioned here but they did say their antivirus detected the malware but it wasn't fully set up to high enough level to deal with it yet as they were in the process of setting up a bunch of systems too I think

    • @willwunsche6940
      @willwunsche6940 ปีที่แล้ว

      @@asksearchknock that's kind of super out of context though and not what he said. Obviously it makes sense in certain situations. And while it's probably blasphemy to say this on a malware channel I think he's probably right for most average people.

  • @BAgodmode
    @BAgodmode 1 year ago +2

    They hacked the channel and they didn’t even rename it “Linus Tech Tits,”
    What a waste.

    • @dickkickem6941
      @dickkickem6941 7 months ago

      Linus s3x tips. Btw I'm surprised he fell for a trick that's as old as the world. Lmao.

  • @dont-want-no-wrench
    @dont-want-no-wrench 1 year ago +6

    This kind of thing must explain a number of obviously hacked YouTube channels I've come across.

    • @vakho30
      @vakho30 1 year ago

      At first I thought that those channels had sold their souls to devils for quite a lot of grands, but then I realized that most of them might have been hacked like Linus.

  • @adivasilica
    @adivasilica 1 year ago +9

    I have a few questions, let's skip the part where we need to be careful. But doesn't Windows warn about unsigned exe/scr files? Doesn't it ask if I really want to run that file?
    If I accidentally run a file like that, how can I prevent my data from being compromised? Could it be blocked? For example, I use Malwarebytes Windows Firewall Control program and set it up so that everything that goes out prompts me. Does this help? What other additional methods can we use?

    • @kuromiLayfe
      @kuromiLayfe 1 year ago +2

      Windows and its file signing has been bypassable for years already by just using an official signing tool on any regular executable and moving the bytes to the malware executable.

    • @Hyxtryx
      @Hyxtryx 1 year ago +2

      @@kuromiLayfe Then the signature wouldn't match the file.

    • @kuromiLayfe
      @kuromiLayfe 1 year ago

      @@Hyxtryx all the signature check does is see if the amount of bytes matches that sig data and if they are in the correct spot… guess what is correct when those bytes get moved or copied to a malware version of an executable (exactly the same method as shown in this video to mask malware code by bloating the file size to bypass online scanners)

  • @Unfilterd
    @Unfilterd 1 year ago +3

    Great video. Would it make any difference if you were to open these files if they're being sent through Google Drive, for example? Like the quick view in Gmail? Or would that also be enough to activate it?

  • @BurritooMafia
    @BurritooMafia 1 year ago +3

    The large file size is also a massive red flag. No PDF should be that large, 770 MB???

  • @levif.1145
    @levif.1145 1 year ago +25

    One more "best practice": do not download / open any file on the PC where you are logged into bank, youtube, etc. accounts. Keep them on separate computers.

    • @johndododoe1411
      @johndododoe1411 1 year ago

      I assume their assigned YouTube role was for checking viewer stats and proving access to legitimate sponsors. Unfortunately the delegation tool used was too coarse in its rights delegation.

    • @STCatchMeTRACjRo
      @STCatchMeTRACjRo 1 year ago +1

      True, but not necessarily; it depends on the infection capabilities and computer & network security. You could get all the emails from all the computers from just 1 computer if all the computers are connected on the same network.

    • @gameswithtroyYT
      @gameswithtroyYT 1 year ago

      @I killed that beard guy nope, the scammers should not get access to your PC; if they do they will inspect the PC and find your bank

    • @flameshana9
      @flameshana9 1 year ago

      Or: disallow access to passwords/sessions from outside the browser.
      It's amazing that all you have to do is request the password from the browser and it just hands it over to any program that asked.

    • @gameswithtroyYT
      @gameswithtroyYT 1 year ago

      @I killed that beard guy if you're deleting the VirtualBox data after the bank then it's fine

  • @AlexPerez-bd9nc
    @AlexPerez-bd9nc 1 year ago +5

    This crap is out of control, I get emails from Amazon, Walmart, Netflix, etc., all sketchy as hell.

  • @Michael-uo4jj
    @Michael-uo4jj 1 year ago +1

    Very cool malware honestly, whoever made it was quite smart to make it a large file. I also noticed avg programs don't scan larger files, and good execution with the email and pdf.scr.
    Honestly it might have even caught me off guard if I had a YouTube channel.

  • @stormgear896
    @stormgear896 1 year ago +12

    This is why it is important for me that the 'Type' column is always present whenever I view files through the 'Details' view. You can immediately identify what kind of file you are looking at before you would try to open it.

    • @joesterling4299
      @joesterling4299 1 year ago +2

      Also obvious if you always show the real extensions for all files. It should be the default in Windows, but it is not.

  • @kevbu4
    @kevbu4 1 year ago +22

    Just realised, another red flag is when you see a .PDF extension while you have show extensions disabled.

    • @takatamiyagawa5688
      @takatamiyagawa5688 1 year ago +13

      The sort of person that has file extensions disabled probably isn't paying attention to the end of the file's name.

    • @Hyxtryx
      @Hyxtryx 1 year ago +3

      @@takatamiyagawa5688 And wouldn't think anything of it, even if they did notice it. It's also possible that the person has extensions enabled on their home computer, but disabled on their "LTT work" computer, and missed it because of that. Or maybe it was a new install and somebody forgot to change the setting.

  • @asdfasdf-mn8iu
    @asdfasdf-mn8iu 1 year ago

    So 2 things that kinda surprised me about this video: a) file extensions are not shown by default. That's turned on on my computer and not only does that help with identifying such files but it can also help in day-to-day business, being able to see if a picture is PNG or JPEG or whatever else at a glance.
    b) not using at least the Windows antivirus security thingy. I do a Windows Defender scan on every single file I download from the net, just because it's a habit of mine and it usually takes less than 10 sec to do so (and I don't download quite as many files as the employee might). Not sure if Windows Defender would've found that trojan because I guess that's the AV they're gonna try to fool most, but as soon as one right-clicks the file for the context menu (for scanning) one has the chance to see the 770 MB file size at the bottom; one should get suspicious at that point. I know very few PDFs that are that large, and they're thousands of pages or tons of pictures, so there's really no need for an offer to be that large.
    I feel like all the warning signs are there for this case if you use proper precautions...

  • @DoctorMGL
    @DoctorMGL 1 year ago +6

    Content creators have to buy a separate PC that is logged on to YouTube / Twitch
    & the rest of your websites and only that, without anything else,
    without any apps, don't open emails there, don't install anything, don't even put a flash drive in there,
    and have a different PC for games, apps, emails, etc. That's the only genius and safe way to not lose your channel / websites.

    • @xr.spedtech
      @xr.spedtech 1 year ago

      My thoughts as well ...
      But it is supposed to be replicated with staff as well.

    • @matlatpower7472
      @matlatpower7472 1 year ago +2

      you don't even need a new pc. just use a vm.

    • @nothingloz9942
      @nothingloz9942 1 year ago

      @@matlatpower7472 wouldn't some things bypass VMs?

    • @chaos.corner
      @chaos.corner 1 year ago

      @@nothingloz9942 Yeah, stuff can be vulnerable to the host. You want to run the dangerous stuff inside the VM if possible (though that's still not without risk).
      For a channel as big as Linus', I'd say separate metal but that's just me.

  • @kiranm25x
    @kiranm25x 1 year ago

    2:35 Always enable show file extensions!! Mine is always in detail view mode and I also go through file type before opening.

  • @Eddietheteddie
    @Eddietheteddie 1 year ago +4

    Linus should have made sure all computers were set to show extensions and they should run every file from a 3rd party, regardless of size, through a competent antivirus. This is really not that difficult to do. Antivirus scans take seconds with an SSD. This is basic security for most.

  • @TheWayManREAL
    @TheWayManREAL 1 year ago +7

    Sadly, I don't think he focused on the reason this happened. He overlooked the fact that his team opened an email. He just said oh well and started blaming YouTube lol nah dude that guy needs to be way more on top of stuff for a YT about tech tips LOL. Also Nice vid, love this channel, it actually focuses on the security of things rather than blaming others.

  • @radswfiihq
    @radswfiihq 1 year ago

    6:03, even if you don't have the remember me box checked, requests are sent with a unique session token that changes on every re-authentication, which if stolen, will work (for about a day or so)

  • @sncaterd
    @sncaterd 1 year ago +24

    Most of these attacks have the files in a zipped archive and they are encrypted, requiring a password to open (this helps bypass antivirus as well). Anybody who goes through the process of entering the password into a zipped archive should not be allowed anywhere near anything tech related; that's an obvious huge red flag that anybody should be aware of. It's not as simple as "just clicking one file", it's a multi-step process.

    • @TheMelonbros123
      @TheMelonbros123 1 year ago +3

      I'm sorry Alex Stump but I did not know putting a password on a zip file helps bypass antivirus, do I now no longer have access to my computer?

  • @MrSociofobs
    @MrSociofobs 1 year ago +5

    A simple precaution for files like this would be to just open them from the programs that read them, not by double clicking. If you tried to open a "pdf" like that from within Acrobat, it just wouldn't read it. Red flag #1.

    • @joesterling4299
      @joesterling4299 1 year ago +2

      Right! But the more general problem is that Windows criminally (imo) hides known file extensions by default. One of the first things to do after a new install of Windows is to have it always display extensions for all files. Then you would see the double extension (".pdf" fake extension + ".scr" real extension), and that is the most obvious red flag of all.

    • @MrSociofobs
      @MrSociofobs 1 year ago +1

      @@joesterling4299 True that, Microsoft foolishly went for aesthetics over security. Never in my 20+ years of using Windows have I ever wanted to hide the file extensions, it's always been the opposite. If they're hidden, I feel like something's wrong lol.

    • @careluisillo
      @careluisillo 1 year ago

      @@joesterling4299 so is this only available after an install of Win. or can this be done after Win is installed?

  • @ChatGPT-ef6sr
    @ChatGPT-ef6sr 1 year ago

    Your videos are security education. Fully fledged bytes of security education that are dispersed, unorganized by topic. Just glad you exist bro

  • @oei8435
    @oei8435 1 year ago +14

    Imagine it was named: "LinusWare"

    • @flameshana9
      @flameshana9 1 year ago

      They totally should sell new underwear with that branding on it.

  • @suborgay
    @suborgay 1 year ago +25

    No way Linus really collabed with Elon Musk also 1st cool

    • @EternalBlue0
      @EternalBlue0 1 year ago +4

      He didn't. He was hacked, but I feel like you're joking.

    • @Therealalphajake
      @Therealalphajake 1 year ago +4

      @@EternalBlue0 he most likely was

  • @Ylyrra
    @Ylyrra 1 year ago

    It's 2023 and double-extension attacks are somehow still a thing, c'mon get it together people.
    1. LTT should have a policy that all work machines have "show extensions". (And Windows should do it by default too, but that's another matter...)
    2. Windows should throw up an extra warning when it sees a non-executable extension followed by an executable one. "Did you mean to open this file or execute it as an application?"
    3. Windows Defender, Antivirus, and spam filters should all be flagging this up as suspicious in this day and age.
    All this should have happened a decade ago, it's a JOKE that it's still a viable attack vector. The industry should have fixed this to the point of being non-viable by now.
    That's before getting into all the other issues of the hack once the session was compromised, there's a whole raft of failings there too.

  • @atpray
    @atpray 1 year ago +4

    Why does Windows still have extensions turned off by default? It's ridiculous.

  • @JordanDrakeZephnath
    @JordanDrakeZephnath 1 year ago +6

    I agree that limiting admin access will help prevent a takeover like this, however, I also agree with Linus that YouTube could do more. One thing that I predict will be a must for any platform, especially business platforms, will be Zero Trust tools and features. Had YouTube and LTT implemented Zero Trust into their environment, this sort of attack would be near impossible without physical access to their network and their devices. But from what I can tell, YouTube doesn't have any method for account owners to implement or integrate with a ZTN solution or even limit what IP addresses can perform administrator functions in content creators' accounts.

    • @dzenacs2011
      @dzenacs2011 1 year ago

      Yeah, blame YouTube for a moron who clicks and downloads files from strangers. They will be hacked again with those politics.

  • @elementoflight6834
    @elementoflight6834 1 year ago +1

    I am surprised how it is not just common practice to check the Windows Explorer setting to not hide the actual file type extension.
    Or at least how a .PDF is not a red flag if you do not see them regularly.
    So either you have file extension names disabled, then the .pdf extension should sound alarms in your head, or you do have them enabled, then it will show as ".pdf.scr" which is also a red flag.

  • @pathfinder8470
    @pathfinder8470 1 year ago +6

    I'm surprised LTT didn't have a system like Zscaler to block file extensions that should never be downloaded from the internet

    • @PrivateJoker0119
      @PrivateJoker0119 1 year ago +2

      yeah as a security guy, this is hilarious to me lmao

    • @PrivateJoker0119
      @PrivateJoker0119 1 year ago

      @Thawne I work in IT security

    • @PrivateJoker0119
      @PrivateJoker0119 1 year ago

      @Thawne yes, I got a degree in computer engineering... many people from the USA say getting a degree is not worth it, but it's because a degree is too expensive there.. if it's not too expensive in your country, it's worth it

  • @spamviking8591
    @spamviking8591 1 year ago +6

    This is why you always show file extensions.

  • @Consul99
    @Consul99 1 year ago +1

    Be Linus employee.
    Disable extensions.
    Download "pdf" over 700mb.
    "Run" the pdf.
    Brainlet moment

  • @DogsAreGods
    @DogsAreGods 1 year ago +6

    You mentioned that there should not have been so many people who had access to be able to manage the YouTube channel, but another thing to consider is that (at least to me it seems this way) most employees at LMG have administrator Windows/Mac accounts, and this type of malware code would have to run with administrative privileges to capture the session information and upload it to the attacker. If Linus made it so that only senior employees (Linus and Luke etc.) had administrator access and everyone else had normal user accounts, then I feel that this attack could have been prevented. Please feel free to call me out if any of the information in my comment is incorrect. I do not want to spread misinformation.

    • @paskky913
      @paskky913 1 year ago

      Windows likely didn't trigger UAC, because then I bet they would've realized something was off. You can copy files and connect to the network without admin privileges, I've done that myself, and you can check by the simple fact that your browser, which doesn't need admin rights to run, can both read, write and send files.

  • @allnatural1504
    @allnatural1504 1 year ago +7

    I thought antiviruses could detect if the file's been pumped, or just detect the abnormal amount of zeros

    • @ApolloVIIIYouAreGoForTLI
      @ApolloVIIIYouAreGoForTLI 1 year ago +1

      Well, what stood out to me was Mr PC Security said (2:50) most AV software will skip a file that big? What, am I taking that out of context or is that true? Because that seems like a problem that should have been fixed long ago?

  • @IanGaming101HD
    @IanGaming101HD 1 year ago +1

    So what you learn from this video is always have "File name extensions" enabled

  • @Vandelay666
    @Vandelay666 1 year ago +5

    What if they open their email attachments in a virtual machine? Wouldn't that be the wisest option?

    • @ContraVsGigi
      @ContraVsGigi 1 year ago

      Yes, but you still need to save things on the server, so it has to be a network machine and it can infect the next one opening presumable marketing material.

  • @hotmixer2010
    @hotmixer2010 1 year ago +4

    This is why it's time to buy a Mac or install Linux

    • @ollie-f7y
      @ollie-f7y 8 months ago

      You can't play games on Mac or Linux, like not natively

  • @Cringber167
    @Cringber167 1 year ago +1

    That 770 MB file being reduced to kilobytes is like the same as all the bloatware in Windows getting gotten rid of

  • @TheMAZZTer
    @TheMAZZTer 1 year ago +5

    Not sure how closely this tracks with how LTT was compromised, but here are tips I would have for this particular attack.
    Turn on file extensions in Windows, you will then be able to see the scr file extension. Don't open files with extensions you don't recognize, especially if it has multiple extensions or the icon does not match the extension.
    Set your file view in Explorer to Details, Tile, or Content views so you can see file details more clearly like the file type and size without needing to select the file or mouse over it to get a tooltip. This will make files with wrong types easier to catch.
    The file size is another good indicator something is wrong in this case. Given the file was largely empty that means the ZIP file size would not have been consistent with containing 700mb of actual data and would have been another clue that something weird was going on (empty data compresses very well).
    A malicious individual writing custom malware could upload it to VirusTotal to verify it is undetected. In this scenario, VirusTotal will not help you. That said most people will not custom write malware, and anything widely distributed enough will get picked up by AV software with an update eventually.

    • @MTGeomancer
      @MTGeomancer 1 year ago +1

      All Linus said is it was a malicious PDF, but likely played out as depicted here.
      1) As Leo said, these marketing people likely look at dozens (possibly more) every single day of their job. After doing so 1,000 times can you honestly say you would be just as vigilant on the 1,001st file as you were on the first? What about the 10,000th file? What about the new hire who has only been there a week?
      2) LTT marketing folks are not tech gurus, some (likely most) are as "tech illiterate" as the majority of average people out there are
      3) LTT has no IT or security staff, at all. Their entire IT efforts are done by Linus himself and Jake, with some from Anthony. None are experts, but instead advanced users (jack of all trades saying applies)
      4) All 100+ members of his staff have to get it right every single time. A malicious actor only has to get it right one single time
      5) YouTube doesn't allow much tiered access to channels. As such, I'd agree with others saying access to the channel should be limited only to managers, or people who do not interact with the public facing side of the business
      6) Even experts (example Jim Browning) fall for scams, it can literally happen to everyone
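The red flags listed in the tips above (a document extension in front of an executable one, a file type that does not match, a 700 MB "PDF" that is mostly empty padding) can be checked mechanically before a download is opened. This is an added example, not code from the video or from any commenter; the executable-extension list, the magic-byte table and the size thresholds are assumptions chosen for illustration.

```python
"""Triage a downloaded "document" before opening it.

Added example, not code from the video or its commenters. It automates the
red flags this thread lists: a document extension hiding in front of an
executable one, a header that does not match the claimed type, and a file
pumped to hundreds of MB with padding (which also compresses far too well).
Extension lists and thresholds are assumptions, not vendor values.
"""
import os
import zlib

# Extensions Windows runs as programs on double-click (assumed list)
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".bat", ".cmd", ".pif",
                   ".vbs", ".js", ".msi", ".ps1", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".png"}
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
PUMP_MIN_SIZE = 50 * 1024 * 1024   # assumed: real documents are rarely this big
PUMP_SAMPLE = 1024 * 1024          # bytes of the tail inspected for padding


def split_extensions(name):
    """All dot-suffixes of a filename, lowercased: 'a.pdf.scr' -> ['.pdf', '.scr']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_file(path, data=None):
    """Return a list of red-flag strings for `path` (empty list = nothing found).

    `data` lets a caller pass the content directly (used for testing);
    otherwise only the header and the tail of the file on disk are read.
    """
    flags = []
    exts = split_extensions(os.path.basename(path))
    real_ext = exts[-1] if exts else ""

    # 1. "offer.pdf.scr": with extensions hidden the user only sees ".pdf"
    if real_ext in EXECUTABLE_EXTS:
        flags.append(f"executable type {real_ext}")
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            flags.append(f"double extension {exts[-2]}{real_ext} masquerades as a document")

    if data is None:
        size = os.path.getsize(path)
        with open(path, "rb") as f:
            head = f.read(8)
            f.seek(max(0, size - PUMP_SAMPLE))
            tail = f.read(PUMP_SAMPLE)
    else:
        size, head, tail = len(data), data[:8], data[-PUMP_SAMPLE:]

    # 2. the bytes do not look like the document type the name claims
    expected = MAGIC.get(real_ext)
    if expected and not head.startswith(expected):
        flags.append(f"header does not match {real_ext}")

    # 3. pumped file: huge, and its tail is null padding that zlib shrinks to ~nothing
    if size >= PUMP_MIN_SIZE and tail:
        null_ratio = tail.count(0) / len(tail)
        packed_ratio = len(zlib.compress(tail)) / len(tail)
        if null_ratio > 0.95 or packed_ratio < 0.01:
            flags.append(f"{size // (1024 * 1024)} MB with padded tail "
                         f"(null ratio {null_ratio:.2f}, compresses to {packed_ratio:.4f})")
    return flags


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "->", triage_file(p) or "no red flags")
```

Run it as `python triage.py <downloaded files>`; a custom-written sample will still pass every antivirus signature, which is exactly why these structural checks are worth having alongside the scanner.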

  • @qunas101
    @qunas101 1 year ago +11

    It's wild that, with being that big of a company, they download all sorts of email attachments on machines with access to their YouTube channels

    • @kuromiLayfe
      @kuromiLayfe 1 year ago +3

      exactly… when handling large amounts of emails.. open them in a virtual environment with no access to official files (a company like LTT could easily have all e-mail processing be done on, for instance, an Nvidia Now environment)

    • @clawrunner
      @clawrunner 1 year ago +6

      the hospital I work at has an entire server, disconnected from everything except a single locked down connection to the email server, whose job is to filter out any attachments from external emails, and to detect spam or bad links from any email, so even if the server gets malware, it can't actually DO anything because the only accessible data is the singular email that the malware was already on, the rest is sandboxed out

    • @aoeGamingAEGIS
      @aoeGamingAEGIS 1 year ago

      @@clawrunner that's how it should be done

  • @Gucek001
    @Gucek001 1 year ago +1

    How any TECHNICAL person can EVER have file extensions disabled in Explorer is beyond me. End of story.