Paul Hibbert was using 2FA but YouTube trusted a session instead of requiring a reauth before changes were made to his account. A second factor should always be required to make account changes when 2FA is on. Seems like a big oversight.
@arkvsi8142 1 year ago
2FA using phone numbers is just for tracking purposes... not security.
@paulhibbert 1 year ago
Thanks James. To ARKVS: my 2FA was not based on a phone number, it was based on the Google Authenticator app. I was socially engineered by hackers and was fooled into opening malware, which gave them access to clone my cookies. Because Google aren't taking 2FA seriously, the hackers were then able to replace all my tokens with their own key and boot my session. Worst week of my life.
@jmr 1 year ago
@@paulhibbert I'm just glad you got everything sorted!
@jmr 1 year ago
@@arkvsi8142 I always recommend hardware keys. They can't be phished.
@Darkk6969 1 year ago
@@jmr That would be correct. However, hackers can still steal your cookies to bypass that. Which is why it's always important to log out of your session to invalidate the cookies.
@MCgranat999 1 year ago
If I'm not mistaken, autofilling from a password manager is actually better than copy-pasting manually, since when you're on a look-alike domain the password manager won't let you do that, thus raising suspicion.
@stratvar 1 year ago
Not only that, but choosing to autofill from a password manager will not save the password in the clipboard (because you won't copy it anywhere), so it can't be intercepted in case you are infected with malware that can steal the information saved in your computer's clipboard.
@clouddylol 10 months ago
You can download all that info if it's stored anywhere on one's PC. For example, if your PW manager is a Google Chrome extension it's trash. If you're using Google's auto-suggested passwords you're screwed. If you're storing things on OneDrive you're screwed.
@RingZero 4 months ago
Thanks for the video and sharing awareness. I would like to recommend a few steps to the audience on how to protect themselves from these threat actors.
1. Always use a non-privileged user account to log in interactively and to operate your system on a daily basis.
2. Run your browser using a different non-privileged account. This step enables your cookies to be isolated and protected.
3. Enable "Core Isolation" in Windows. Ensure Memory Integrity is checked.
4. Enable "Controlled folder access" to secure your critical folders and ensure you add only known and trusted programs/apps to the "Authorized" list.
5. Use the Admin account with care and ensure you are 100% sure what you're doing.
@DOOM11777 1 year ago
Shannon, can you make a video about privacy and security extensions that you recommend and use?
@InfoSecGuardian 1 year ago
Good video and really good points on cookie theft. Just one warning: copy/paste of a password from the password manager is a bad habit. The clipboard is not secure and is clear text. A good PW manager will have an autofill or auto-populate feature which will type your credentials into the website (or locally hosted application) without use of the clipboard. This is one of the reasons FIPS 140-2 standards for encryption key management require use of an HSM (Hardware Security Module). If you'd still like to ignore this advice, at the very minimum you should disable Windows Settings -> System -> Clipboard -> Sync across devices. This will stop Microsoft from receiving your clipboard data to sync across devices.
@ShannonMorse 1 year ago
I prefer autofill (because the PW manager should recognize the correct domain but NOT autofill on an incorrect domain), but I know some people weirdly don't want to use that, hence why I pointed it out.
@JohnSmith-op7ls 9 months ago
All sync should be off. MS is as bad as Google when it comes to not giving a F about you or your privacy.
@NorthlandDWJ 9 months ago
Can using a YubiKey for YouTube, for example, prevent cookie stealing and session hijacking if the perpetrator has gotten your cookie to log in, or will they still bypass your authenticator, or would it still require them to have the key even after stealing your cookie? Also, say you are logged in while they are carrying out the attack: can they kick you out? And when you put your CPU in sleep mode, are you still logged into your accounts due to the cookie session, or does it say you are logged out until you turn your CPU back on or refresh the webpage? The reason I ask is: can they steal your cookie if you are in sleep mode with your tabs still open to the websites? Thank you! @@ShannonMorse
@Supervideo1491 1 year ago
Recently, a hacker hijacked LTT's accounts by duplicating session cookies!
@coma_TOES 1 year ago
That's what she reported. Perhaps not the user account you're referring to, but EXACTLY the same type of breach method. 🤨 Hmm
@VincentGroenewold 1 year ago
This is why I set my browser up to delete everything as soon as I quit it. Still not perfect, but it helps. :) I have to log in to everything every time I launch it, which is slightly annoying, but I know why I'm doing that, which makes it ok.
@ShannonMorse 1 year ago
Yup! I mention this tip in my video 😅
@Javierm0n0 1 year ago
I've been thinking about doing this for a bit.
@maluc21 7 months ago
I work like this; sometimes it is tiring, but it is worth the extra effort.
@God77Particle 1 year ago
That was informative, thank you Shannon 😀
@adisario 1 year ago
This seems like a simple problem to solve. Browsers should tie cookies to a hardware ID and refuse to provide them to websites unless the hardware ID remains the same. It is unlikely a hacker could reverse engineer an encrypted hardware ID.
@bassmaiasa1312 1 year ago
Simple if they gaf but they don't gaf.
@JohnSmith-op7ls 9 months ago
You have to be able to secure the key or they can just copy that as well. Generating the key based off arbitrary hardware won't add security. Any hardware info the browser can access, so can malware. This is why TPMs were made: to keep keys away from OS management and drive storage. But even TPMs are easy to extract the keys from on many motherboards with some basic soldering skills. Of course, you need physical access for that. Cookie encryption keys stored on a drive wouldn't. A TPM-type device in the hardware would be the best place to store keys. Apple does this with their Secure Enclave or whatever they call it.
@lussor1 3 months ago
I'm not giving my hardware ID, losing privacy.
@EhteshamShahzad 1 year ago
7:28 girl... update that thing!
@computerguy61 9 months ago
Thank you Shannon, very informative. LTT had their cookies stolen when a .pdf file was opened; unfortunately the Windows default setting "Hide extensions for known file types" is set to ON!! Microsoft once again letting the user down with a very dangerous default setting in Windows. Always turn this setting OFF after installing Windows, or just do it NOW.
@JohnSmith-op7ls 9 months ago
Extensions are meaningless unless the user knows that file type can contain malware. And the vast majority of people don't know PDFs are risky. Almost nobody knows all the ways all vulnerable file types can cause malware execution. More like Adobe letting us down once again with their trash software and file formats.
@stevenpugh5412 1 year ago
Question: websites that use MFA often give an option of trusting this browser in order to skip MFA in the future. Would this install a cookie? If so, I wonder how locked those are to that browser on that specific device? Would this be more secure than trusting SMS MFA?
@person-fy8kd 1 year ago
As soon as you mentioned Girl Scout cookies I went and bought 4 boxes worth of them; the Thin Mints are too good.
@JohnSmith-op7ls 9 months ago
Who doesn't like awful, overpriced, stale cookies filled with preservatives! You can get better from all over, made fresh, all year round. They're the McDonald's of cookies, except people who eat McDonald's admit it's trash. For some reason, Girl Scout cookie pigs rant and rave about how great they are, as if they're in a cult or something.
@russdibennetto8591 1 year ago
Russ DiBennetto: Good video. This is the way I deal with cookies on my laptop. I mainly use Firefox as my browser and have an extension called Auto Cookie Delete. I can whitelist cookies I want so I don't have to use 2FA for sites I frequent. All other cookies get deleted when I close the browser. As an added precaution, I always log out of a site when I am done. If I ever have to use public Wi-Fi, I connect to the OpenVPN server I built on my Raspberry Pi 4 at home and go through my home's Internet connection to get to my required destination. I should also mention, though it probably goes without saying: when a site has cookie options, I always deselect all cookies that they will allow me to deselect.
@Robinzano 1 year ago
Shannon! Your Chrome is out of date! Lol, but seriously, I LOVE your videos. You explain things simply and completely, something which a lot of YouTubers fall short of. Thank you! (Also you're really 🥰 cute!)
@roobscoob47 6 months ago
Thanks, Shannon~
@jeffhale1189 1 year ago
Thanks for sharing. Blessings on your day!
@gorillaflex 1 year ago
What about SQL injection or app vulnerabilities, from a user perspective and not a developer's perspective? How does a user defend their account against that? Especially since as a user there's not much you can do as far as the code goes, especially for major social sites like Twitter and Instagram. So how would you not only protect your account but also your device from those situations?
@MrRJG101 1 year ago
Seeing her face brings back memories of my first computer, watching Hak5 when she still had black hair. Still a doll, Snubs.
@Ben29214 1 year ago
Thanks for the discount code for DeleteMe. Just signed up.
@michaeljackson62509 1 year ago
Sites can do what Gmail does: set up a section where it says "Last account activity:" and if there are multiple logins, it should show the second IP address. Like you stated, they can automatically sign out if there is a second IP address. So many things can be put in place, like allowing 2FA for every instance or simply encrypting the cookie session. The funny thing is I was going to copy my URL from Safari to see if this would allow a random user to sign in. Which we knew for some time at work, so we wouldn't require cookies to be saved to the H drive (network drive).
@bassmaiasa1312 1 year ago
But YouTubers got hacked. So Gmail is more competent than YouTube?
@Ed-ip2sg 1 year ago
So it would be good to have a video on the hacker forums that sell our information and how to get off and stay off them.
@dtibor5903 1 year ago
Oh fck. I was always worried that websites do not ensure that the cookie is not stolen...
@FreedomDaddy 3 months ago
What if you used a YubiKey? Would they be able to get in with your stolen session cookie?
@LaurenGlenn 1 year ago
Please don't make us have 3FA... like when you use biometrics and yet still need to do MFA on top of that.
@oscarcacnio8418 1 year ago
I mean... I like 4FAs...
@josh-rx6ly 1 year ago
Why not tie the session to the IP address? Then it is useless for anyone outside your network.
@zedvee2668 9 months ago
Because of convenience. It's always a trade-off... the more security, the less convenience; the more convenience, the less security.
@alanhelmickjr 1 year ago
MBAM is worth the money. I've been doing computer security for years and I would recommend that over any other tool first.
@hafizyaakob5753 1 year ago
Hello, I'm here to watch your video 😊
@SECYBERSAFE 1 year ago
I need to learn better presentation from you. Well done Shannon, this was a good video.
@mattv5281 1 year ago
Could you do a video on Passkeys?
@jeanniebennett3708 9 months ago
Yes please. I bought a YubiKey and I need a little help.
@paulbirnbaum 1 year ago
Could a host validate the MAC address of a device when it's using a session cookie to reestablish a connection? That would thwart cookie theft.
@zedvee2668 9 months ago
A bit technical, but... MAC addresses are at layer 2 of the OSI model. Browsers don't have access to that layer. Secondly, a MAC address is easy to change, so an attacker could spoof another user's MAC address easily.
@m9029 5 months ago
Thanks!
@russellmania5349 1 year ago
Why are cookies not encrypted to prevent this?
@ImLearning-e7h 1 year ago
All is done on purpose. These companies know what they are doing.
@bassmaiasa1312 1 year ago
Why did Paulie call in sick that day? And take the cannoli.
@evodefense 1 year ago
thanks
@bassmaiasa1312 1 year ago
My general-use browser dumps all my cookies except the password manager's. Can the password manager session be stolen? Can I assume any non-sucky password manager isn't prey to two-bit session hackers?
@lussor1 3 months ago
Yes
@EnVideoZone 9 months ago
Thank you. Great tips, useful comments... Subscribed.
@ShannonMorse 9 months ago
Thanks for the sub!
@norrinradd8923 1 year ago
What were you doing in Utah? 5:58
@ShannonMorse 1 year ago
I went to Park City for a Google Pixel event! I learned how to snowboard while I was there!
@norrinradd8923 1 year ago
@@ShannonMorse Snowboarding! Awesome!
@dexterman6361 1 year ago
Damn, if only DeleteMe was a lil cheaper. Also, unrelated question: do YubiKeys have PINs to unlock them? I don't want one quick toilet break being the time someone needs to get into my proverbial keys to the castle, the password manager.
@turbo2ltr 1 year ago
Is that a ham call on the shelf?
@michaelgalloway9362 1 year ago
Hoping Shannon can talk at some point on whether it's true that a website can only read its own cookies, and if it's only 3rd-party cookies that other websites can read. Also, I and the FBI and lots of other folks advocate ad blockers, and I'd get mobile web browsers with really good ad blockers built in or available and make them the default until you need to do something; ad blockers should help, since even images can be used to track you, or so I've read. But I think it's really only if you are already compromised that they are most likely to be able to get your 1st-party auth cookies, which is still a very real threat, especially if you are working in tech (even low level). I could be wrong, though. Which begs the question I'm asking more and more: why are we not focusing more on changing email so that we don't just get email from whoever anymore in our inboxes? And most of us don't need to get email sent from outside our own country, at least not having it just appear in our inboxes for us to mark as spam or not. Known senders only and quarantining the rest, and making email with obvious red flags (not just on spam lists) like lots of punctuation or length or nothing in the body, etc. And doing the same in Teams and Slack and Discord. Also, employees at big-ish tech companies aren't working in sandboxes with work and life computers literally kept separate? Give them a wireless KVM to switch between the computers, if need be. Hopefully, a lot of this is already happening.
@deang5622 1 year ago
Cookies are simply files on the hard disk. Windows itself does not have that level of granularity in its file access model to restrict access to files based on web addresses. Answer: no.
@hb-man 1 year ago
@@deang5622 You are wrong on several levels. Browsers do have policies in place to restrict arbitrary cookie access; search for "same-origin policy". Also note that the browser is the one sending cookies back to the server; if it is not sending one back, the server cannot do anything about it. So you are not sharing all your cookies with all servers all the time. Malicious software can still try to get access to the browser's cookie store, and if you execute both the malware and the browser from the same account, there is no way to prevent access in terms of account restrictions. Don't execute evil software; it's always "game over"... and I know it is easier said than done.
@michaelgalloway9362 1 year ago
@@deang5622 I've played around with deleting all cookies and site info when I close my browser. Untenable, honestly. I am now using Cookie Auto Delete (gets rid of other files) and NoScript, along with the uBlock Origin ad blocker. NoScript actually is decent at cross-site scripting warnings. And I definitely feel safer browsing websites. Takes work initially, though. But hey, YouTuber Linus Tech Tips just got hacked, right? From a PDF file. Exactly what we're talking about here. And it was an EMAIL ATTACHMENT. I am telling you all: EMAIL IS THE ZERO-DAY EXPLOIT THAT NO ONE PATCHES! There's a lot that could be done that would better educate and inform the end user when an email is suspect, where email headers are better analyzed (cuz emails impersonating my boss asking me to buy them a VISA gift card from the local gas station cannot mean what we have is working well), and just indicate a for-sure trusted sender, often within my org. Looked into cookies more --> cookies do have a SameSite line, and other similar bits of line in those plain text files. Web browsers generally enforce this: sites on the same domain reading those cookies, whether 1st or 3rd party. So it's basically malware I accidentally download or get from an unknowingly compromised website that is going to lead to cookie or session token theft. NoScript, Cookie Auto Delete, and ad blockers are definitely ways to prevent this. But email and not sandboxing or dividing work and personal machines at high-target orgs are the biggest attack vectors now. Well, at least the most successful ones. My opinions, of course.
@williamwilliams7706 9 months ago
Such a harmless little name. Cookies. I habitually block cookies when I search for stuff online or just leave the website when that pop-up is the first thing you see when the page opens.
@phungyi4947 8 months ago
Victoria Nuland likes cookies..
@sbasra 1 year ago
Really useful information
@TV-yq4sn 1 year ago
Can you post links to these hacker forums you mentioned? Asking for a friend
@ShannonMorse 1 year ago
No, because YouTube will flag my channel for malicious links. Unfortunately I have to be very careful about what I post in the description nowadays.
@HOLLYWOODlosANGELES 1 year ago
Thank you for your video.
@rogerdeutsch5883 9 months ago
Great informative video. Subscribed.
@ShannonMorse 9 months ago
Thanks for the sub!
@monil6025 1 year ago
Does changing all of your passwords reset them? I just had this happen to me 😭😭
@ShannonMorse 1 year ago
No... changing your passwords doesn't reset your cookies. If someone already has access, your best bet is to go into your account, change your password AND revoke or remove any devices that are currently logged in, and use the info from the video about protecting / reauthenticating session cookies (so an attacker's cookies are no longer valid).
@monil6025 1 year ago
@@ShannonMorse I've signed out of all my accounts and changed passwords with a manager and added 2FA to everything I could think of. I'm still worried it could happen that the file I downloaded could be hidden deep somewhere in my laptop, even though I've tried a lot of malware scanners which show up with nothing. Would it be a safe bet to sign out everywhere again, reinstall Windows and change all my passwords again if my accounts get accessed again? Thank you.
@TheAcousticVibration 1 year ago
I've wondered what are the medals in the background? Do you go running or something? Or am I completely mistaken and they're just expo passes haha
@avis17372 1 year ago
convention passes my friend
@pbrigham 1 year ago
Always in private mode and no more cookies forever.
@jonreyno1187 1 year ago
thanks.
@roofoofighter 1 year ago
Good video explanation. Horrible background music though 🙉
@BrianGlaze 1 year ago
Favorite Girl Scouts Cookies? Mine are Samoas and Tagalongs
@aquamarinereef7460 9 months ago
Chrome and privacy 🧐
@kunalzshah 9 months ago
Good video, sweet voice. Was that hopeless background music really required? It is distracting.
@Braddeman 1 year ago
I would hope your viewers already knew this. Do a demo with Burp Suite.
@jhnyjoejoe69 9 months ago
It should be illegal for sites to request to use cookies in order to allow you to use or view their content.
@akhileshsooraj 1 year ago
This is how the LTT YouTube channel got hacked.
@janokartal5690 1 year ago
Nice one
@gadiyoussef 1 year ago
Glad to be the first one watching your video
@mystixa 1 year ago
Websites could also separate account management activities from media browsing activities. Many better-secured websites require at minimum a reauth from the 2FA when making certain moves that could compromise the account. Most often this is limited just to password changes, but especially for larger accounts that should be extended to publishing and other management activities. It's also the responsibility of the user to separate activities if the websites they use aren't going to do it for them. Perhaps having different logins for casual browsing and response activities. Perhaps using separate central computer(s) that are solely tasked to that activity so they aren't being taken out to coffee shops by every intern.
@robw4885 1 year ago
I've not watched the video but Linus should have read the comments!
@Leggir 1 year ago
Too bad @LiunusTechTips didn't watch this video just after you posted it.
@firealarmapprentice4517 9 months ago
I really trust Microsoft Windows.
@Sanjay9442 1 year ago
DeleteMe is too expensive.
@tonysolar284 1 year ago
My cookies last 6 hours.
@ShannonMorse 1 year ago
Mine last 30 seconds. / Snubs hungry
@tonysolar284 1 year ago
@@ShannonMorse Even better.
@Mrajtheartist 1 year ago
✨⭐✨💞💖💞💖💖💞💖💞💖💞💖💞✨⭐✨
@DigitalYojimbo 1 year ago
Clearing cookies isn't the best way, because the cookie stays alive on the server side. Using a VPN and logging out is the best way.
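Several comments in this thread make the same point from different angles: the second factor should be required again before account changes (the first comment and @mystixa), logging out is what invalidates a session on the server side (@Darkk6969, @DigitalYojimbo), and changing a password does not by itself clear existing cookies (@ShannonMorse's reply to @monil6025). The following is an added example, not code from the video or from any commenter: a minimal server-side session registry that implements those controls. The `SessionStore` name and the 5-minute step-up window are assumptions; the scenario in `demo()` is constructed.

```python
import secrets

# Step-up window: the second factor must have been presented this recently
# before an account change is allowed (5 minutes is an assumed value).
STEP_UP_WINDOW_SECONDS = 300

class SessionStore:
    """Server-side session registry. The cookie is only a random lookup key;
    validity lives here, so a copied cookie can be killed without the
    client's cooperation. Callers pass `now` (epoch seconds) for testability."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "auth_at": float}

    def login(self, user, now):
        # 256-bit random token; this is the value set in the session cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "auth_at": now}
        return token

    def user_for(self, token):
        # None for unknown or revoked tokens, stolen copies included.
        entry = self._sessions.get(token)
        return entry["user"] if entry else None

    def logout(self, token):
        # Deleting the cookie client-side changes nothing here; this does.
        return self._sessions.pop(token, None) is not None

    def _revoke(self, user, keep=None):
        # Drop every session of `user` except `keep`; returns how many died.
        stale = [t for t, e in self._sessions.items()
                 if e["user"] == user and t != keep]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def revoke_others(self, token):
        # "Sign out of all other devices": keep only the caller's session.
        return self._revoke(self._sessions[token]["user"], keep=token)

    def change_password(self, user):
        # Every session of the user dies, so an attacker's copy dies too.
        return self._revoke(user)

    def reauthenticate(self, token, now):
        # Called once the user has presented the second factor again.
        self._sessions[token]["auth_at"] = now

    def sensitive_action_allowed(self, token, now):
        # A live session alone is not enough for an account change.
        entry = self._sessions.get(token)
        if entry is None:
            return False
        return now - entry["auth_at"] <= STEP_UP_WINDOW_SECONDS

def demo():
    # Constructed scenario: a cookie copied by malware is used an hour later.
    store = SessionStore()
    stolen = store.login("alice", now=0.0)  # attacker holds this same value
    allowed = store.sensitive_action_allowed(stolen, now=3600.0)  # False
    store.change_password("alice")  # victim rotates; the copy dies with it
    return allowed, store.user_for(stolen)  # (False, None)
```

The copied token still resolves to the victim until a server-side revocation happens, which is exactly why clearing cookies locally or changing a password without signing out other devices leaves the attacker logged in.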
@GR3YHOODCrypto 1 year ago
Evilginx 2 👾
@coma_TOES 1 year ago
Thank you for your helpful commentary, and yay for WOMEN as tech-talk advisors!! (LOL 🤩 new name: *TechTalks via Morse Code*. Naa... probably a similarly named channel/user exists elsewhere already...) New sub here, after your video on the HAK5? channel re: proposed legislation related to TikTok/foreign adversary US security issues. Looking forward to more. My only criticism is the background music... I've a general physio hypersensitivity to "surround sound" type video: background or multi-channel music mixed with spoken word. Sorry, that's on me, I suppose 🫠