Time to get one big john.

😮

This comment Is 9 minutes older than than the video.

I am now going to invest in a Yubico security key. 🤣 Also thanks for the tip to check out what "connected apps" were still tethered to a x/twitter accnt. I apparently had quite a few to deactivate!

I didn't have 2FA on my secondary account until it got hijacked. I was able to get it back either because I was fast or lucky. 😆 Do as I say not as I do!

x

also being a nobody helps too

Or mastodon

😆 I was thinking the hackers might be doing me a favor if they stole mine.

@@mishal_legit Elon can't make me stop saying Twitter and neither can you! 😆

In general, security is a joke to these companies.

@@jmr I'm so curious as to who you are online. 3C domain + handle + early verified 👀

@@n_n seems he's just an old engineer

@ManWhoLostTheWar Most likely has connections. I don't see him paying for any of it nor would he be in the com Even after some digging I couldn't find much history that explains away the early verification and stuff. Odd but cool to see there's still people like that out there as most get this stuff unethically.

Oh yea, surely having to re-authenticate even more often is going to solve the problem.🤦‍♂ Totally not gonna get people used to enter their login info and be less alarmed about where they actually enter it.

And that’s why strong Applocker policies are a must to prevent script execution

@KarlRock You'd think a channel dedicated to tech would have employees that know or at least trained **not to run random files even if they look legitimate** I guess not though

Yes, it's typically employees opening stuff 'sponsors' send and getting sessions hijacked. Less than 20% of the people at LTT would have any intimate knowledge of this stuff. I would have thought they had changed some policies about what can and can't get opened. Maybe not? Strict app locking policies should prevent this from occuring but that takes effort to implement and then enforce.

​@@n_n Mistakes can still be made

​@@n_n You just need to be caught slipping one time, and it'll be over. Not everyone is at their 100% every second of the day.

Absolutely Or with the backup codes, which can't be seen anymore without 2FA, easy solution

Yeah but what if you lose your phone number? I guess you can re-create your phone number, but I recall back in the day when I changed my phone number I was locked out of some (obsolete and not really used) accounts like a Hotmail account I occasionally used. That's because they would send an authentication message to the phone number that was no longer mine.

@@raylopez99 Then you have to go through support and probably provide some other kind of evidence, or a different authentication factor (such as the backup codes the other guy proposed, which is itself a form of 2FA). The toggle is fine if the ONLY way to access your account is through a method that uses 2FA but when there are other ways (such as the login token, or a simple password) then you simply shouldn't have the ability to disable 2FA without using 2FA.

Ive had issues with services that did it that way. I changed my phone number, and didn't update amazon (because I dont use amazon much, if at all). Amazon didn't let me get into my account. They also didn't let me close my account. Support said I should be able to, but it just didn't work. The new person who got my old number was able to use 2fa to get into my account and order stuff. Well, then I called my bank and had them cancel it. But it did send to my email the address of where it was going to show up. It would be funny for me to go there and be like "yup this is mine I paid for it"

​@@raylopez99Phones are easily spoofed. No one should be using that for 2FA in the first place. The option shouldn't even exist. Doubly so in certain cases where they just make it seem like it's a scam. Every time I call one of my banks now, they have to send me a code that I need to read back to them, which is exactly what scammers do. Until I found out they had made that change last year, I was confused why people thought scammers doing this were legitimate. There is no good reason for them to be sending you a text, but they do. Their newest option to get around this is using your voice, by the way. In the age of AI, they want you to turn on """"""security"""""" features, which allows all of the other security features to be turned off by voice...

John actually did a review of the Malware Email that LTT, received and that Email requests the 2fa key. Microsoft actually does it better by pinging your MFA device and requiring you type that code into the authenticator app.

yeah, they should never come back. No one needs it.

Better still. Don't use the platform at all!

protect the account; protect the world!

I second that

@@PedroKing99 Freedom of speech on Twitter... lol

@@puerlatinophilus3037 now that you mention it, do hardware keys like yubico help at all with these session hijackers like infostealers?

2FA protects against password leaks, and thats about it. Ideally, services should tie session tokens to your HWID, IP, browser fingerprint, or any other potentially unique information to make token stealers less effective.

The point of 2FA is to prevent logging in by someone when there is password leak. Some security is still better than no security.

@@Zullfix It's easy to say that, but on the other hand there's demand towards browser developers to limit any way of fingerprinting for privacy concerns. (IP isn't really viable, I tried that on my website and found that in many cases my IP address can change on the fly without me even noticing it, sometimes from an IPv4 address to an IPv6 address and vice versa. After I logged the issue for a few days I've come to realize IP address changes happen so frequently thanks to the way many internet providers work nowadays that it's unfeasable to use it as a security factor.)

Usually 2fa is on a different device, like your phone.

I agree, bad design and plenty apps do this. Why let me know I may be hacked without a way to block it off. At least from the original link that is also in your email. So, you can then put in a ticket with minimal damages. Though not saving to PC or cache is the smart choice. Sad you can't depend on the platform to fix this issue or even see it as an issue.

Then every normie everywhere will complain when their ISP resets their modem/router with an update, VPN users will encounter issues, and about 500 other things that support teams at these companies don't want to deal with. Convenience is the enemy of security, but most customers will take the convenience first and foremost. Who do you know that honestly could be bothered to purchase a hardware key? How many even use software MFA? It's just not in the cards at the moment.

@@JackShoreman I agree with that. The smart thing would be for it to be an option, to opt-in for. So people who want to be more secure can have a way and people who don't can have their convenience. 👍🏿

REAL companies do this, not twitter though....

A one or two hour delay for any security change with email and text notifications should give the legit user enough time act in case it's a bad actor.

Most helpful tech support response be like:

Good luck resolving information from a destructive box blur

@@LegacyVision. Blurring can be reversed. It's not too hard.

Some blurring can be reversed, yes. Better safe than sorry, always box it. If you want blur for the effect, add fake text on top of the box and blur that.

@@nurmr entropy and god disagree.

​@@JackShoremansearch for image deconvolution. It can absolutely be done, the techniques are of the 2000s era, you can also de-motion blur. It's not perfect but it's been used by police to make license plates readable despite out of focus and motion blurs in the captured images. Entropy doesn't enter the picture (pun intended) here because blurring is not a random process but a well-defined deterministic operation called a convolution, for which you can find an inverse operation that can theoretically restore the image (in the mathematical sense, with limited resolution and compression this is obviously not perfect). To be sure you can't find an inverse operation, you need to process your image with so-called non-linear filters (ie. median filter, pixelation, or just plainly overwriting the pixels). There is a specific issue with pixelation too, which is that with videos specifically, if the contents move over the pixelated area relative to it, restoring the content over time becomes possible. TL:DR; deblurring an image is very much possible, is old tech and has been successfully used for better and worse ends already. Your best bet is to completely overwrite the pixels by using an opaque color. Pixelation can be undone if not applied correctly.

that'd like drm: Client have to know it as plaintext anyway

I mean fr you'd think they could encrypt it and only load it when you specifically needed it for a site, like a basic desktop password manager, by this point.

I recall a Google Chrome blog article that suggested that Chromium secrets are encrypted using the system provided encryption methods, like Keychain on macOS, and GNOME Keyring on desktop Linux, but on Windows, there's some internal function that's not as secure, so Chrome developers plan to add additional security specifically on Windows.

then you would have to enter it on any start of the browser

@@Person01234 Encryption only works as a protection, if the attacker has no way of finding the encryption key. Spoiler: If their software is running on your PC, like your Browser is, then they can get that data. Even if it's encrypted, they can ask the OS, or even the browser itself to decrypt it.

Good catch, thank you! Guess I'll be ordering another YubiKey Bio!

@@_JohnHammond always advisable to have several Yubikeys set up as backups.

it's something you "have" but it also validates presence, so it can't be automated

It also ties the cryptographic token to the domain, so it shouldn't be possible to MitM a security key in the same way that authenticator codes can be MitMed.

@@belst_ True. So TECHNICALLY you could say it’s something you are: physically present. But it still doesn’t validate physical identity.

or even blocking certain countries you won't be physically/over VPN like with bank cards. I think it should be a must for VIP accounts like LTT

IP addresses are archaic and not a reliable form of determining location. Unless everyone starts using IPv6 and the many more addresses provided compared to IPv4 are doled out by nation instead of by institution/corporation/etc, it's not a reasonable metric. My IP gets registered in completely different states from where I live, imagine that in EU or anywhere else in the world where nations are geographically small.

​@@fru2728 - They can get around geo-fencing with proxies/VPN's, there are other more secure ways to auth a user.

lol.........Sponsored by Twitter

@@Sommyie new content to monetize baby!

Clearly a tax write off 😂

Yep luke gonna set the hole network to whitelist only

and right when he said he wanted an all good news wan show... really testing him right now arent we?

Agree lol I made this comment before seeing yours

Can you reverse it? Would love to get the deets if anyone actually/practically does! :)

@@_JohnHammond You can take sample letters, blur them in the same way, and then matched the blurred images. Similar to how how passwords hashes are "decrypted".

@@nurmr Right, I know the theory behind it, but would just love to see someone actually do it ;)

@@_JohnHammond 0xAab5E1cAb55b06075a0736dd5fc95DEb4Ef9523B

YT that time.

Was thinking the same thing. pretty embarrassing track record for them!

They got a SIM swap attack way back and two session token grabs since then. Three times in total have they lost access to their accounts.

And their viewers are dumb enough to fall for that obvious scam.

Yeah, they're large tech enthusiasts and not security focused. That makes them a large target without having a good security posture. They should probably bring in a security specialist to train people and set up some monitoring software across their whole infrastructure.

Exactly this. Infostealers have been doing this for a while now, and services just allow account takeovers like this to happen. Authentication tokens should automatically be invalidated if used on a different device than they were originally created on.

been using it for years on my pc and phone

Self-hosted Vaultwarden or KeePassXC

Love bitwarden.

Bitwarden store all your passwords on a remote server owned by mickr0zoft. Dodgy af.

​@@Corteum the beauty is you can self-host bitwarden if you want

I have my personal non-paid twitter use multiple security keys at the same time. i can only have one authenticator though. but technically you can get away with multiple authenticator app (or medium) once you copy the secret key.

@@ecu4321 Does it provide you with a good way to identify and disable a single security key in the list?

1 authenticator is needed but multiple keys can be used which can still be an issue

@@ecu4321 it technically doesnt allow you to have multiple authenticators right now once 1 is verified you need to deactivate it while its true IT IS possible provided the system has added flags to re-enable setting up a new authentication key

Ah yes twitter cutting corners. Good job Elon 👍🏻

there are different yubikeys, some do read your fingerprint

Depending on the model of YubiKey, the YubiKey Bio does allow it ^_^

YubiKey Bio reads your fingerprint (which is the model with the gray circle, not the gold/yellow one I showed in the video, so I'll have to get that fixed up) docs.yubico.com/hardware/yubikey/yk-tech-manual/bio-specifics.html

Yeah, but stating that yubikeys are simply fingerprint readers is 100% false. The fingerprint reading yubikeys just use your fingerprint instead of a PIN.

@@_JohnHammond That's correct, thanks for clarifying.

Can you reverse it? Would love to get the deets if anyone actually/practically does! :)

@@_JohnHammond I've seen a few people do this, some with conventional algos and some with DL algos. Depix on GitHub does this with pixelated "blurs". I also read that that gaussian blur (which is quite common) can be deconvolve somewhat accurately using FFT(?).

​@@_JohnHammond Seems my previous reply was deleted. Depix and Unredacter project does this with pixelated text. These are brute-force approaches but which should work quite well. Fliters like Gaussian blur can also in theory be deconvolved. But by showing unblured and blur text together in known editor makes it quite easy to brute force the text from image, it can also be done sequentially (char by char) instead of the whole string.

If that's how it went down then the next WAN show will be interesting.

Most likely, the hacker used the DPI bypass. Since I'm from Russia, I decided to log in to Twitter using this method and got an email with login attempt from Russia.

I'm just thinking of what a dumbass skid you'd need to be to use your actual Russian IP instead of using at least using a VPN in the same country. That alone confuses me but idk if 'hackers' are commonly that stupid/sloppy.

@@ombrezz7030 new content more sponsors 😅

@@Demoralized88 If it is from Russian then the "person" doing the hacking probably works for the FSB. I doubt they are too worried about any repercussions. The scam is probably a side hustle for when they aren't doing "official" work.

The problem with geo-fencing is let's say x implements this feature it would become publicly known. Ltt is in the US/Canada all i would need to do is use a VPN in the US or Canada to get around that. Or sign up for AWS and get a free tier EC2 and route my traffic through that

Now if IP whitelisting was allowed they could whitelist the office since businesses will likely have static IPs. Then for remote access they could use a VPN hosted from the office. Home IPs and phones are dynamic so that would solve that issue

the thing is they are hot in the eyes of these kind of hackers.

No for twitter it was a new location (IP address) but using an existing session/device. Requiring 2FA on any IP change would be such a PITA for everyone that it would trigger a mass-deactivation. This kind of alert is usually sent asynchronously, meaning it's also often too late when you receive it ...

@@maverick34 According to the screen shot it's a new DEVICE. Yeah new location too, but I get that's an issue. The fact it's a new DEVICE should trigger it to recheck 2fa even if they have a saved cookie.

As it turns out @_JohnHammond just posted a video and that screen shot was NOT from X, it was from the phish. Which also strongly implies that it wasn't a cookie hack, Linux gave up a 2fa code that the hackers used.

In the example John gave in the video, that wouldn’t necessarily prevent account compromise since the data gathered included plain text username/passwords. But I do like that idea as an added layer of security. I may have to steal that for my future development projects.

@@NoahD123 Sure against regular logins it gives no additional protection. But regular logins should be protected with a multi factor authentication. So I think in general it would help with security. And I also think everything that raises security should be available for everyone. So feel free to "steal" the idea.

For the average person, the tactics are fairly demanding. In actuality, most of them are effectively completed by experts who possess the necessary knowledge and skill set to carry out such occupations.

I’d suggest you look into passive index fund investing and learn some more. For me, I had my share of ups and downs when I first started looking for a consistent passive income so I hired an expert advisor for aid, and following her advice, I poured $130k in passive diversified safe-haven assets, Up 358k so far and pretty sure I'm ready for whatever comes.

I could really use the expertise of this advsors.

*Layan Talia Chokr* is the licensed fiduciary I use. Just research the name. You’d find necessary details to work with a correspondence to set up an appointment.

Thank you for your fantastic tip. I verified her, wrote her, and she seemed proficient.

A vm won't stop a session stealer (also needed to start a vm to do stuff is a hassle if they need to be efficient)

Yes, and when a new device logs in from a new location with an authentication token made on a different device you'd think that would be an obvious thing to block. Or when above new device changes the password, removes old 2fa methods and adds new ones the account should be locked and verification requested from multiple pre-takeover contact/2fa methods before those changes are allowed.

The only decent method for most people is IMO having a cheap secondary phone/laptop that you use for important accounts/passwords, preferably on a known-good wired network connection. Or at least logging in to sensitive accounts from ingonito/private browsers on your daily computer/phone, absolutely never storing those logins with any autofill (google account or local OS) and never saving them as cookies. That's my opinion after having been 'hacked' in 2022, modern malware is way too sophisticated to think you're safe from it happening to you.

@@Demoralized88 Ok, that's easy. I have an older laptop that I can do a fresh install of Windows. I'll use this for my crypto and financials only.

@@TC-hl1ws Yeah that's basically what I did. Are you pretty sure it's just one account that was compromised or are you thinking it was an infostealer/RAT on your system? Doesn't really matter either way, I used a new cheap chromebook on a different network to change my passwords. Using your phone for a hotspot is a good option for the old laptop instead of using it on the same network. Hopefully you're alright and it wasn't malware, the stress and anxiety was overwhelming for a long time afterwards. I didn't know about RATs/infostealers until it happened to us and really encourage researching them if you haven't, you cannot be too cautious/paranoid when dealing with some of the malware/exploits used these days. The separate device/network is necessary IMO for recovering/securing accounts and will keep you much safer going forward, especially with some discipline not sharing USB/media and networks between the main and isolated PCs.

Scary. Those businesses usually have strict compliance requirements so I’m surprised it’s legal.

@@rezwhap They have very strict encryption regulations, but I don't think there's any government regulation on the type of authentication required here. Heck one of my credit cards forces me to change my password every 6 months (great), but the password MUST be 10 characters long! My bank is 8-14 char (just had to change it today), but at least requires at least 2 caps and 2 digits and recommends special characters. But still, having those specific requirements means that attackers can lob off a huge amount of options from their dictionary if they are going to brute force. Thankfully this bank, in addition to our national ID number, also has us set a personal identifier (that we can change at any time) that needs to be used to log in - so three things at once. Not exactly 2FA, but better than ol' creddy here.

Actually I think it is only the 2nd

Unfortunately, I've seen this kind of attack be startlingly successful. Something about putting artificial urgency plus the convenience of a ready to press fake login button right in somebody's face means people turn off their brain. Not saying that's what happened here of course, but I've seen it happen.

I'm wondering if it was even on.. might not have been since its shared with other users 🤷🏻‍♀️

Where did he get that information from? 🤔

Root cause analysis, investigation of the suspect email, malware reversing of questionable files or potential payloads, communication and clarification with team members, outreach to incident responders or breach coaches if it were a bigger issue, education to improve security, amplifying awareness, moral support... anything really, just trying to be a good person, sorry 🫠 I'm in DMs with Luke right now 😅

his ip must've changed by now

@@nomunomuneo yes i've seen his IP change which I'm assuming he has a dynamic IP, still better warn someone than be the person who could've prevented a potentional damage

Thanks gonna ddos it now

Because: websites can't get your mac address, they can't exactly get your device (only stuff like resolution, mouse speed (not 100% accurate)), and user-agents can be spoofed, as for IP, it'd make it impossible to access twitter without logging in when using mobile data, or on a wifi network that isn't the one you originally accessed it from.

I am not sure how you would just do it in bash. The only thing I can think of is an encrypted fs that you un-encrypt at startup. Problem is if the malware collects while the browser is running then it will see the un-encrypted files. You'd somehow need to make the filesystem only visible to the browser -- not the rest of the system. Better would be to have the browser decrypt on the fly as needed. Storing/caching it in memory though you'd have to decide whether to keep it encrypted or repeatedly decrypt. Speed may be an issue. Even then it wouldn't be perfect, but probably better. I wonder if using an external key manager might help. If anyone knows on any interesting articles on this, that would make a good read.

@@eshwayri I just used gpg and xz, sure it can't protect while it is running but can while it's not. And it can't just open it, needs the password first

1. It's a choice dw 2. I believe it should be the case, but twitter (X) cuts corners more than we expect. Elon gotta pay for child support of his 9 children (or robot children, whatever tf u classify them into)

Except for the bio series, which isn’t the one you showed in the video. FYI.

We see rising popularity of dpi blockers. With it you can access x without vpn.

not really banned. its slowed down to the point of unusability. Im from Russia, and by using dpi bypassing software you can access twitter