Account Stolen With 2FA Turned On?! Protect Your Cookies!

  • Published on 1 Dec 2024

Comments • 128

  • @jmr
    @jmr 1 year ago +94

    Paul Hibbert was using 2FA but YouTube trusted a session instead of requiring a reauth before changes were made to his account. A second factor should always be required to make account changes when 2FA is on. Seems like a big oversight.

    • @arkvsi8142
      @arkvsi8142 1 year ago +7

      2FA using phone numbers is just for tracking purposes... not security

    • @paulhibbert
      @paulhibbert 1 year ago +2

      Thanks James, to ARKVS, my 2FA was not based on phone number, it was based on Google authenticator app.
      I was socially engineered by hackers and was fooled into opening malware, which gave them access to clone my cookies. Because Google aren't taking 2FA seriously the hackers were then able to replace all my tokens with their own key and boot my session.
      Worst week of my life.

    • @jmr
      @jmr 1 year ago +2

      @paulhibbert I'm just glad you got everything sorted!

    • @jmr
      @jmr 1 year ago +9

      @arkvsi8142 I always recommend hardware keys. They can't be phished.

    • @Darkk6969
      @Darkk6969 1 year ago +7

      @jmr That would be correct. However, hackers can still steal your cookies to bypass that. Which is why it's always important to log out of your session to invalidate the cookies.

  • @RingZero
    @RingZero 3 months ago +1

    Thanks for the video and sharing awareness. I would like to recommend a few steps to the audience on how to protect themselves from these threat actors.
    1. Always use a non-privileged user account to log in interactively and to operate your system on a daily basis.
    2. Run your browser using a different non-privileged account. This step enables your cookies to be isolated and protected.
    3. Enable "Core Isolation" in Windows. Ensure Memory Integrity is checked.
    4. Enable "Controlled folder access" to secure your critical folders and ensure to add only the known & trusted programs/apps to the "Authorized" list.
    5. Use Admin account with care and ensure you are 100% sure what you're doing.

  • @MCgranat999
    @MCgranat999 1 year ago +39

    If I'm not mistaken, auto-filling from a Password Manager is actually better than copy-pasting manually, since when you're on a look-alike domain the Password Manager won't let you do that, thus raising suspicion.

    • @stratvar
      @stratvar 1 year ago +13

      Not only that, but choosing to autofill from a Password Manager will not save the password in the clipboard (because you won't copy it anywhere), so it can't be intercepted in case you are infected with malware that can steal the information that is saved in your computer's clipboard.

    • @clouddylol
      @clouddylol 9 months ago +1

      You can download all that info if it's stored anywhere on one's PC. For example, if your PW manager is a Google Chrome extension it's trash. If you're using Google's auto-suggested passwords you're screwed. If you're storing things on OneDrive you're screwed.

  • @Supervideo1491
    @Supervideo1491 1 year ago +8

    Recently, a hacker hijacked LTT's accounts by duplicating session cookies!

    • @coma_TOES
      @coma_TOES 1 year ago +1

      That's what she reported.
      Perhaps not the user account you're referring to: EXACTLY the Same type of breach method.
      🤨 Hmm

  • @InfoSecGuardian
    @InfoSecGuardian 1 year ago +7

    Good video and really good points on cookie theft. Just one warning. Copy/paste of a password from the password manager is a bad habit. The clipboard is not secure and is clear text. A good PW Manager will have an autofill or auto-populate feature which will type your credentials into the website (or locally hosted application) without use of the clipboard. This is one of the reasons FIPS 140-2 standards for encryption key management require use of an HSM (Hardware Security Module).
    If you'd still like to ignore this advice, at the very minimum you should disable Windows Settings -> System -> Clipboard --> Sync across devices. This will stop Microsoft from receiving your clipboard data to sync across devices.

    • @ShannonMorse
      @ShannonMorse 1 year ago +2

      I prefer autofill (because the pw manager should recognize the correct domain but NOT autofill on an incorrect domain), but I know some people don't want to use that weirdly, hence why I pointed it out.

    • @JohnSmith-op7ls
      @JohnSmith-op7ls 8 months ago

      All sync should be off. MS is as bad as google when it comes to not giving a F about you or your privacy.

    • @NorthlandDWJ
      @NorthlandDWJ 8 months ago

      Can using a YubiKey for YouTube, for example, prevent cookie stealing and session hijacking if the perpetrator has gotten your cookie to log in, or will they still bypass your authenticator, or would it still require them to have the key even after stealing your cookie?
      Also, say you are logged in while they are carrying out the attack, can they kick you out? And when you put your CPU in sleep mode are you still logged into your accounts due to the cookie session, or does it say you are logged out until you turn your CPU back on or when you refresh the webpage? The reason I say this is, can they steal your cookie if you are in sleep mode with your tabs still open to the websites? Thank you! @ShannonMorse

  • @God77Particle
    @God77Particle 1 year ago +4

    That was informative, thank you Shannon 😀

  • @VincentGroenewold
    @VincentGroenewold 1 year ago +8

    This is why I set my browser up to delete everything as soon as I quit it. Still not perfect, but it helps. :) I have to log in to everything every time I launch it, which is slightly annoying, but I know why I'm doing that, which makes it ok.

    • @ShannonMorse
      @ShannonMorse 1 year ago +6

      Yup! I mention this tip in my video 😅

    • @Javierm0n0
      @Javierm0n0 1 year ago +1

      I've been thinking about doing this for a bit.

    • @maluc21
      @maluc21 6 months ago

      I work like this; sometimes it is tiring but it is worth the extra effort.

  • @adisario
    @adisario 1 year ago +9

    This seems like a simple problem to solve. Browsers should tie cookies to a hardware ID and refuse to provide them to websites unless the hardware ID remains the same. It is unlikely a hacker could reverse engineer an encrypted hardware ID.

    • @bassmaiasa1312
      @bassmaiasa1312 1 year ago

      Simple if they gaf but they don't gaf.

    • @JohnSmith-op7ls
      @JohnSmith-op7ls 8 months ago

      You have to be able to secure the key or they can just copy that as well. Generating the key based off arbitrary hardware won’t add security. Any hardware info the browser can access, so can malware. This is why TPMs were made to keep keys away from OS management and drive storage. But even TPMs are easy to extract the keys from on many motherboards with some basic soldering skills. Of course, you need physical access for that. Cookie encryption keys stored on a drive wouldn’t.
      A TPM type device in the hardware would be the best place to store keys. Apple does this with their Secure Enclave or whatever they call it.

    • @lussor1
      @lussor1 2 months ago

      I'm not giving my hardware ID, losing privacy.

  • @DOOM11777
    @DOOM11777 1 year ago +6

    Shannon can you make a video about privacy and security extensions? That you recommend and use.

  • @person-fy8kd
    @person-fy8kd 1 year ago +2

    As soon as you mentioned Girl Scout cookies I went and bought 4 boxes' worth of them; the Thin Mints are too good.

    • @JohnSmith-op7ls
      @JohnSmith-op7ls 8 months ago

      Who doesn’t like awful, overpriced, stale cookies, filled with preservatives! Can get better from all over, made fresh, all year round. They’re the McDonalds of cookies, except people who eat McDonalds admit it’s trash. For some reason, Girl Scout cookie pigs rant and rave about how great they are, as if they’re in a cult or something.

  • @computerguy61
    @computerguy61 8 months ago +1

    Thank you Shannon, very informative, LTT had their Cookies stolen when a .pdf file was opened, unfortunately Windows default setting " Hide extensions for known file types" is set to ON!! Microsoft once again letting the user down with a very dangerous default setting in Windows, always turn this setting OFF after installing Windows, or just do it NOW.

    • @JohnSmith-op7ls
      @JohnSmith-op7ls 8 months ago

      Extensions are meaningless unless the user knows that file type can contain malware. And the vast majority of people don’t know PDFs are risky. Almost nobody knows all the ways all vulnerable file types can cause malware execution.
      More like Adobe letting us down once again with their trash software and file formats.

  • @hafizyaakob5753
    @hafizyaakob5753 1 year ago +3

    Hello, I'm here to watch your video 😊

  • @Robinzano
    @Robinzano 1 year ago

    Shannon! Your Chrome is out of date! Lol but seriously I LOVE your videos. You explain things simply and completely, something which a lot of YouTubers fall short of. Thank you! (Also you're really 🥰 cute!)

  • @russdibennetto8591
    @russdibennetto8591 1 year ago

    Russ DiBennetto
    Good video. This is the way I deal with cookies on my laptop. I mainly use Firefox as my browser and have an extension called Auto Cookie Delete. I can whitelist cookies I want so I don't have to use 2FA for sites I frequent. All other cookies get deleted when I close the browser. As an added precaution, I always log out of a site when I am done. If I ever have to use a public wifi, I connect to my OpenVPN server I built on my Raspberry Pi-4 at my home and go through my home's Internet connection to get to my required destination.
    I should also mention, but it probably goes without saying: when a site has cookie options, I always deselect all cookies that they will allow me to deselect.

  • @jeffhale1189
    @jeffhale1189 1 year ago

    Thanks for sharing. Blessings on your day!

  • @alanhelmickjr
    @alanhelmickjr 1 year ago

    MBAM is worth the money. I've been doing computer security for years and I would recommend that over any other tool first.

  • @Ben29214
    @Ben29214 1 year ago

    Thanks for the discount code for delete me. Just signed up

  • @LaurenGlenn
    @LaurenGlenn 1 year ago +3

    Please don't make us have 3FA... like when you use biometrics and yet still need to do MFA on top of that.

  • @EhteshamShahzad
    @EhteshamShahzad 1 year ago +3

    7:28 girl... update that thing!

  • @stevenpugh5412
    @stevenpugh5412 1 year ago +3

    Question: websites that use MFA often give an option of trusting this browser in order to skip MFA in the future. Would this install a cookie? If so, I wonder how locked those are to that browser on that specific device?
    Would this be more secure than trusting SMS MFA?

  • @roobscoob47
    @roobscoob47 5 months ago

    Thanks, Shannon~

  • @MrRJG101
    @MrRJG101 1 year ago +1

    Seeing her face brings back memories of my first computer, watching Hak5 when she had black hair. Still a doll, Snubs.

  • @josh-rx6ly
    @josh-rx6ly 1 year ago +3

    Why not tie the session to the IP address. Then it is useless for anyone outside your network.

    • @zedvee2668
      @zedvee2668 9 months ago

      Because of convenience. It’s always a trade off… the more security the less convenience the more convenience the less security.

  • @dtibor5903
    @dtibor5903 1 year ago

    Oh fck. I was always worried that websites do not ensure that the cookie is not stolen...

  • @michaeljackson62509
    @michaeljackson62509 1 year ago

    Sites can do what Gmail does. Set up a section where it says "Last account activity:" and if there are multiple logins, it should show the second IP address. Like you stated, they can automatically sign out if there is a second IP address. So many things can be put in place, like allowing 2FA for every instance or simply encrypting the cookie session. The funny thing is I was going to copy my URL from Safari to see if this would allow a random user to sign in. Which we knew for some time at work, so we wouldn't require cookies to be saved to the H drive (network drive).

    • @bassmaiasa1312
      @bassmaiasa1312 1 year ago

      But YouTubers got hacked. So Gmail is more competent than YouTube?
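The IP-binding idea in @josh-rx6ly's comment and the "last account activity" and automatic sign-out idea in @michaeljackson62509's comment, sketched server-side as an added example (not code from the video or from any commenter). It assumes an opaque random cookie value, a 6-hour idle limit and a /24 (IPv4) or /64 (IPv6) notion of "same network"; a request from elsewhere triggers a second-factor prompt rather than a hard rejection, which is the convenience trade-off @zedvee2668 mentions.

```python
"""Server-side session record bound to the context it was issued in.
Added example, not the video's or any commenter's code; the /24 and /64
grouping, the idle limit and the 'reauth instead of reject' policy are
assumptions made for illustration."""
import ipaddress
import secrets

IDLE_TIMEOUT = 6 * 3600  # seconds of inactivity before the server forgets a session


def same_network(a: str, b: str) -> bool:
    """Same /24 (IPv4) or /64 (IPv6). A DHCP lease change inside one network
    should not log the user out; a different network is a signal to act on."""
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ia.version != ib.version:
        return False
    prefix = 24 if ia.version == 4 else 64
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


class SessionStore:
    def __init__(self):
        self.sessions = {}  # cookie value -> record that never leaves the server

    def login(self, user: str, ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # opaque random value; nothing to decode
        self.sessions[token] = {
            "user": user, "ip": ip, "ua": user_agent, "last_seen": now,
            "activity": [(now, ip, "login")],  # feeds a "last account activity" panel
        }
        return token

    def check(self, token: str, ip: str, user_agent: str, now: float) -> str:
        """Return 'ok', 'reauth' or 'invalid' for a request presenting `token`."""
        s = self.sessions.get(token)
        if s is None:
            return "invalid"
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]  # expiry happens here, not in the browser
            return "invalid"
        s["last_seen"] = now
        s["activity"].append((now, ip, "request"))
        if not same_network(s["ip"], ip) or user_agent != s["ua"]:
            # The cookie is presented from somewhere it was not issued: the
            # site asks for the second factor instead of trusting the cookie.
            return "reauth"
        return "ok"

    def locations(self, token: str) -> list:
        """Distinct networks that have presented this cookie, in first-seen
        order, for showing the user alongside their recent activity."""
        seen = []
        for _, ip, _ in self.sessions[token]["activity"]:
            if not any(same_network(ip, known) for known in seen):
                seen.append(ip)
        return seen

    def logout(self, token: str) -> None:
        """An explicit logout kills the record, so every copy of the cookie dies."""
        self.sessions.pop(token, None)
```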

  • @rogerdeutsch5883
    @rogerdeutsch5883 8 months ago

    Great informative video. Subscribed

    • @ShannonMorse
      @ShannonMorse 8 months ago

      Thanks for the sub!

  • @Ed-ip2sg
    @Ed-ip2sg 1 year ago

    So it would be good to have a video on the hacker forums that sell our information and how to get off and stay off them.

  • @SECYBERSAFE
    @SECYBERSAFE 1 year ago +2

    I need to learn better presentation from you. Well done Shannon, this was a good video.

  • @EnVideoZone
    @EnVideoZone 8 months ago

    Thank you
    Great tips
    Useful comments...
    Subscribed.

    • @ShannonMorse
      @ShannonMorse 8 months ago

      Thanks for the sub!

  • @m9029
    @m9029 4 months ago

    Thanks!

  • @williamwilliams7706
    @williamwilliams7706 8 months ago

    Such a harmless little name. Cookies. I habitually block cookies when I search for stuff online or just leave the website when that pop-up is the first thing you see when the page opens.

    • @phungyi4947
      @phungyi4947 8 months ago

      Victoria Nuland likes cookies..

  • @sbasra
    @sbasra 1 year ago

    Really useful information

  • @FreedomDaddy
    @FreedomDaddy 2 months ago

    What if you used a Yubikey. Would they be able to get in with your stolen session cookie ?

  • @russellmania5349
    @russellmania5349 1 year ago +1

    Why are cookies not encrypted to prevent this?

    • @ImLearning-e7h
      @ImLearning-e7h 1 year ago

      All is done on purpose. These companies know what they are doing.

    • @bassmaiasa1312
      @bassmaiasa1312 1 year ago

      Why did Paulie call in sick that day? And take the cannoli.

  • @mattv5281
    @mattv5281 1 year ago +3

    Could you do a video on Passkeys?

    • @jeanniebennett3708
      @jeanniebennett3708 9 months ago

      Yes please. I bought yubikey and I’m need a little help

  • @gorillaflex
    @gorillaflex 1 year ago +1

    What about SQL injection or app vulnerabilities? From a user perspective and not a developer's perspective. How does a user defend their account against that? Especially since as a user there's not much you can do as far as the code goes. Especially for major social sites like Twitter and Instagram. So how would you not only protect your account but also your device from those situations?

  • @paulbirnbaum
    @paulbirnbaum 1 year ago

    Could a host validate the MAC address of a device when it's using a session cookie to reestablish a connection? That would thwart cookie theft.

    • @zedvee2668
      @zedvee2668 9 months ago

      A bit technical but… MAC addresses are at layer 2 of the OSI model. Browsers don’t have access to that layer… Secondly… a MAC address is easy to change, so an attacker could spoof another user's MAC address easily.

  • @michaelgalloway9362
    @michaelgalloway9362 1 year ago

    Hoping Shannon can talk at some point on whether it's true if a website can only read its own cookies? And if it's 3rd party cookies that other websites can read only. Also, me and the FBI and lots of other folks advocate ad blockers, and I'd get mobile web browsers with really good ad blockers built-in or available and make them default until you need to do something, and ad blockers should help since even images can be used to track you, or so I've read. But I think it's really only if you are already compromised where they are most likely to be able to get your 1st party auth cookies, which is still a very real threat, especially if you are working in tech (even low level). I could be wrong, though. Which begs the question I'm asking more and more: Why are we not focusing more on changing email so that we don't just get email for whoever anymore in our Inboxes? And most of us don't need to get email sent from outside our own country, at least not having it just appear in inboxes for us to mark as spam or not. Known senders only and quarantining the rest, and making email with obvious red flags (not just on spam lists) like lots of punctuation or length or nothing in body etc. And doing the same in Teams and Slack and Discord. Also, employees at big-ish tech companies aren't working sandboxes with work and life computers literally kept separate? Give them wireless KVM to switch between the computers, if need be. Hopefully, a lot of this is already happening.

    • @deang5622
      @deang5622 1 year ago

      Cookies are simply files on the hard disk.
      Windows itself does not have that level of granularity in its file access model to restrict access to files based on web addresses.
      Answer: no.

    • @hb-man
      @hb-man 1 year ago

      @deang5622 You are wrong on several levels.
      Browsers do have policies in place to restrict arbitrary cookie access. Search for "same origin policy". Also note that the browser is the one sending cookies back to the server; if it is not sending one back, the server cannot do anything about it. So you are not sharing all your cookies with all servers all the time.
      Malicious software can still try to get access to the browser's cookie store. And if you execute both the malware and the browser from the same account, there is no way to prevent access in terms of account restrictions. Don't execute evil software, it's always "game over"... and I know it is easier said than done.

    • @michaelgalloway9362
      @michaelgalloway9362 1 year ago

      @deang5622 I've played around with deleting all cookies and site info when I close my browser. Untenable, honestly. I am now using Cookie Auto Delete (gets rid of other files) and NoScript, along with the uBlock Origin ad blocker. NoScript actually is decent at cross site scripting warnings. And I definitely feel safer browsing websites. Takes work initially, though. But hey, YouTuber Linus Tech Tips just got hacked, right? From a PDF file. Exactly what we're talking about here. And it was an EMAIL ATTACHMENT. I am telling you all: EMAIL IS THE ZERO DAY EXPLOIT THAT NO ONE PATCHES! There's a lot that could be done that would better educate and inform the end user when an email is suspect, and where email headers are better analyzed (cuz emails impersonating my boss asking me to buy them a VISA gift card from the local gas station cannot mean what we have is working well), and just indicate a for sure trusted sender, often within my org. Looked into cookies more --> Cookies do have a samesite line, and other similar bits of line in those plain text files. Web browsers generally enforce this, sites on the same domain reading those cookies, whether 1st or 3rd party. So it's basically malware I accidentally download or get from an unknowingly compromised website that is going to lead to cookie or session token theft. NoScript, Cookie Auto Delete, and ad blockers are definitely ways to prevent this. But email and not sandboxing or dividing work and personal machines at high target orgs are the biggest attack vectors now. Well, at least the most successful ones. My opinions of course.

  • @pbrigham
    @pbrigham 1 year ago

    Always in private mode and no more Cookies forever.

  • @HOLLYWOODlosANGELES
    @HOLLYWOODlosANGELES 1 year ago +1

    Thank you for your video.

  • @evodefense
    @evodefense 1 year ago +1

    thanks

  • @jhnyjoejoe69
    @jhnyjoejoe69 9 months ago

    It should be illegal for sites to request to use cookies in order to allow you to use or view their content.

  • @akhileshsooraj
    @akhileshsooraj 1 year ago +1

    This is how the LTT YouTube channel got hacked

  • @bassmaiasa1312
    @bassmaiasa1312 1 year ago

    My general use browser dumps all my cookies except the password manager. Can the password manager session be stolen? Can I assume any non-sucky password manager isn't prey to two-bit session hackers?

    • @lussor1
      @lussor1 2 months ago

      Yes

  • @roofoofighter
    @roofoofighter 1 year ago +1

    Good video explanation. Horrible background music though 🙉

  • @dexterman6361
    @dexterman6361 1 year ago

    Damn, if only deleteme was a lil cheaper
    Also, unrelated question.
    Do yubikeys have pins to unlock them? I don't want one quick toilet break being the time someone needs to get into my proverbial keys to the castle, password manager

  • @Braddeman
    @Braddeman 1 year ago

    I would hope your viewers already knew this. Do a demo with burp suite.

  • @TV-yq4sn
    @TV-yq4sn 1 year ago

    Can you post links to these hacker forums you mentioned? Asking for a friend

    • @ShannonMorse
      @ShannonMorse 1 year ago

      No, because YouTube will flag my channel for malicious links. Unfortunately I have to be very careful about what I post in the description nowadays.

  • @monil6025
    @monil6025 1 year ago

    Does changing all of your passwords reset them? I just had this happen to me 😭😭

    • @ShannonMorse
      @ShannonMorse 1 year ago

      No... changing your passwords doesn't reset your cookies. If someone already has access, your best bet is to go into your account, change your password AND revoke or remove any devices that are currently logged in and use the info from the video about protecting / reauthenticating session cookies (so an attacker's cookies are no longer valid).

    • @monil6025
      @monil6025 1 year ago

      @ShannonMorse I've signed out of all my accounts and changed passwords with a manager and added 2FA to everything I could think of. I'm still worried it could happen that the file I downloaded could be hidden deep somewhere in my laptop even though I've tried
      a lot of malware scanners which show up with nothing. Would it be a safe bet to sign out of everywhere again and reinstall windows and change all my passwords again if my accounts get accessed again? Thank you.

  • @TheAcousticVibration
    @TheAcousticVibration 1 year ago

    I've wondered what are the medals in the background? Do you go running or something? Or am I completely mistaken and they're just expo passes haha

    • @avis17372
      @avis17372 1 year ago +1

      convention passes my friend

  • @kunalzshah
    @kunalzshah 8 months ago

    Good video, sweet voice. Was that hopeless background music really required? It is distracting.

  • @aquamarinereef7460
    @aquamarinereef7460 8 months ago

    Chrome and privacy 🧐

  • @jonreyno1187
    @jonreyno1187 1 year ago

    thanks.

  • @turbo2ltr
    @turbo2ltr 1 year ago

    is that a ham call on the shelf?

  • @norrinradd8923
    @norrinradd8923 1 year ago

    What were you doing in Utah? 5:58

    • @ShannonMorse
      @ShannonMorse 1 year ago +1

      I went to Park City for a Google Pixel event! I learned how to snowboard while I was there!

    • @norrinradd8923
      @norrinradd8923 1 year ago

      @ShannonMorse Snowboarding! Awesome!

  • @BrianGlaze
    @BrianGlaze 1 year ago

    Favorite Girl Scouts Cookies? Mine are Samoas and Tagalongs

  • @firealarmapprentice4517
    @firealarmapprentice4517 8 months ago

    I really trust Microsoft Windows.

  • @robw4885
    @robw4885 1 year ago

    I've not watched the video but Linus should have read the comments!

  • @janokartal5690
    @janokartal5690 1 year ago

    Nice one

  • @Leggir
    @Leggir 1 year ago

    Too bad @LinusTechTips didn't watch this video just after you posted this.

  • @Sanjay9442
    @Sanjay9442 1 year ago

    delete me is too expensive

  • @mystixa
    @mystixa 1 year ago

    Websites could also separate account management activities from media browsing activities. Many better-secured websites require at minimum a reauth from the 2FA when making certain moves that could compromise the account. Most often this is limited just to password changes, but especially for larger accounts that should be extended to publishing and other management activities.
    It's also the responsibility of the user to separate activities if the websites they use aren't going to do it for them. Perhaps having different logins for casual browsing and response activities. Perhaps using separate central computer(s) that are solely tasked to that activity so they aren't being taken out to coffee shops by every intern.
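The step-up rule from @jmr's and @mystixa's comments, plus the revocation of logged-in sessions that @ShannonMorse recommends after a password change, as an added example that is not code from the video or any commenter. It assumes RFC 6238 TOTP (HMAC-SHA1, 30-second step), a 10-minute freshness window and a made-up list of sensitive actions; because a copied cookie carries the same value as the legitimate one, the password change discards every session of the user, including the one making the change, and hands the caller a fresh token.

```python
"""Step-up authentication for sensitive actions plus session revocation on
password change. Added example, not the video's or any commenter's code;
the action list, the freshness window and the TOTP parameters are
assumptions made for illustration."""
import hashlib
import hmac
import secrets
import struct

SENSITIVE_ACTIONS = {"change_password", "change_email", "add_manager", "publish"}
MFA_MAX_AGE = 600  # seconds a second-factor verification is considered fresh


def totp_code(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp_valid(secret: bytes, code: str, now: float) -> bool:
    """Accept the current step or the previous one (clock skew), constant-time."""
    return any(hmac.compare_digest(code, totp_code(secret, now - d)) for d in (0, 30))


class AuthServer:
    def __init__(self):
        self.totp_secrets = {}  # user -> enrolled authenticator secret
        self.sessions = {}      # cookie value -> {"user": ..., "mfa_at": ...}

    def enroll(self, user: str, secret: bytes) -> None:
        self.totp_secrets[user] = secret

    def login(self, user: str, code: str, now: float):
        """Password check assumed already done; returns the cookie value or None."""
        if not totp_valid(self.totp_secrets[user], code, now):
            return None
        token = secrets.token_urlsafe(32)  # opaque; the cookie itself reveals nothing
        self.sessions[token] = {"user": user, "mfa_at": now}
        return token

    def step_up(self, token: str, code: str, now: float) -> bool:
        """Re-verify the second factor on an existing session (a 'reauth')."""
        s = self.sessions.get(token)
        if s is None or not totp_valid(self.totp_secrets[s["user"]], code, now):
            return False
        s["mfa_at"] = now
        return True

    def authorize(self, token: str, action: str, now: float) -> str:
        """'allowed', 'step-up required' or 'denied' for a request carrying `token`."""
        s = self.sessions.get(token)
        if s is None:
            return "denied"
        if action in SENSITIVE_ACTIONS and now - s["mfa_at"] > MFA_MAX_AGE:
            return "step-up required"  # a copied cookie alone cannot do this
        return "allowed"

    def change_password(self, token: str, now: float):
        """Returns (verdict, new_token). On success every session of the user is
        dropped, the caller's included: a stolen copy has the same cookie value,
        so only a freshly issued token can stay valid."""
        verdict = self.authorize(token, "change_password", now)
        if verdict != "allowed":
            return verdict, None
        user = self.sessions[token]["user"]
        self.sessions = {t: s for t, s in self.sessions.items() if s["user"] != user}
        new_token = secrets.token_urlsafe(32)
        self.sessions[new_token] = {"user": user, "mfa_at": now}
        return "allowed", new_token
```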

  • @tonysolar284
    @tonysolar284 1 year ago

    My cookies last 6 hours.

    • @ShannonMorse
      @ShannonMorse 1 year ago

      Mine last 30 seconds. / Snubs hungry

    • @tonysolar284
      @tonysolar284 1 year ago

      @ShannonMorse Even better.

  • @gadiyoussef
    @gadiyoussef 1 year ago +1

    Glad to be the first one watching your video

  • @DigitalYojimbo
    @DigitalYojimbo 1 year ago

    Clearing cookies isn't the best way, because the cookie stays alive on the server side. Using a VPN and logging out is the best way.

  • @Mrajtheartist
    @Mrajtheartist 1 year ago

    ✨⭐✨💞💖💞💖💖💞💖💞💖💞💖💞✨⭐✨

  • @GR3YHOODCrypto
    @GR3YHOODCrypto 1 year ago

    Evilginx 2 👾

  • @coma_TOES
    @coma_TOES 1 year ago

    Thank you for your helpful commentary and Yay for WOMEN as Tech-Talk advisors!!
    (LOL 🤩new name: *TechTalks via Morse Code* Naa.. Probably a similarly named channel/user elsewhere already...)
    new sub here...after your video on HAK5? channel re: proposed legislation related to TikTok/foreign adversary US security issues.
    Looking forward to more..
    My only criticism is background music...I've a general physio hypersensitivity with "surround sound" type video; background or multi-channel music mixed with spoken word. Sorry, that's on me, I suppose 🫠