Account Stolen With 2FA Turned On?! Protect Your Cookies!
Рет қаралды 47,309
Күн бұрынSign up for DeleteMe! Use the coupon code SNUBS for 20% off any consumer plans! Linky: www.JoinDeleteMe.com/MorseCode * (coupon code automatically applied at checkout)
LINKS:
news.sophos.com/en-us/2022/08...
krebsonsecurity.com/2022/03/a...
therecord.media/hackers-leak-...
www.microsoft.com/en-us/secur...
www.howtogeek.com/119458/htg-...
www.bleepingcomputer.com/news...
Becoming a Morse Code Member by checking out the perks linked here!:
/ @shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUBSCRIBE! 🌸 kzbin.info?s...
TWITTER 🌸 / snubs
Patreon 🌸 / shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUPPORT MY WORK
Patreon 💛 / shannonmorse
Buy Me a Coffee 💛 www.buymeacoffee.com/snubs
Shop 💛 snubsie.com/shop
TeeSpring 💛 teespring.com/stores/morsecode
Coupon Codes 💛 snubsie.com/support
Tech I Use & Recommend 💛 kit.co/ShannonMorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
FOLLOW THE SOCIALS THINGS
Twitter 🌸 / snubs
Instagram 🌸 / snubs
KZbin 🌸 kzbin.info?s...
Website 🌸 www.shannonrmorse.com
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
TECH I USE AND RECOMMEND
My Kits, Builds, and Must Haves ✨ kit.co/ShannonMorse
My Amazon Influencer Page ✨ www.amazon.com/shop/shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
MY OTHER SHOWS
ThreatWire 🌙 kzbin.info?sub_confi...
Sailor Snubs 🌙 kzbin.info?s...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
GET IN TOUCH
Mail ✈
snubsie.com/contact
Email for Business and Sponsorship Inquiries ✈ Shannon@ShannonRMorse.com
My Media Kit ✈ snubsie.com/work-with-me
Sponsor This Channel ✈ snubsie.com/shannon-morse
Music from 🎵 Epidemic Sound: www.epidemicsound.com/referra...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
😍 FTC DISCLAIMER 😍
Affiliate links listed above allow me to receive a small commission. Any sponsorships for videos are noted in video and listed in descriptions. Any products provided as gifts are listed above. Thank you for your support!
Comment section code of conduct policy:
Constructive feedback is appreciated, but please leave unproductive, divisive and harmful conversation at the door. Hateful comments are not tolerated, and these kinds of messages will be automatically removed. Thank you for making this community a welcoming experience for all viewers :)
snubsie.com/code-of-conduct
@jmr Жыл бұрын
Paul Hibbert was using 2FA but KZbin trusted a session instead of requiring a reauth before changes were made to his account. A second factor should always be required to make account changes when 2FA is on. Seems like a big oversight.
@arkvsi8142 Жыл бұрын
2FA using phone numbers are just for tracking purposes...not security
@paulhibbert Жыл бұрын
Thanks James, to ARKVS, my 2FA was not based on phone number, it was based on Google authenticator app. I was socially engineered by hackers and was fooled into opening malware, which gave them access to clone my cookies. Because Google aren't taking 2FA seriously the hackers were then able to replace all my tokens with their own key and boot my session. Worst week of my life.
@jmr Жыл бұрын
@@paulhibbert I'm just glad you got everything sorted!
@jmr Жыл бұрын
@@arkvsi8142 I always recommend hardware keys. They can't be phished.
@Darkk6969 Жыл бұрын
@@jmr That would be correct. However, hackers can still steal your cookies to bypass that. Which is why it's always important to log out of your session to invalidate the cookies.
@God77Particle Жыл бұрын
That was informative, thank you Shannon 😀
@MCgranat999 Жыл бұрын
If I'm not mistaken, auto filling from a Password Manager is actually better than copy-pasting manually since when you're on a look alike domain Password Manager won't let you do that thus raising suspicion.
@stratvar Жыл бұрын
Not only that, but choosing to autofill from a Password Manager will not save the password in the clipboard (because you won't copy it anywhere), so it can't be intercepted in case you are infected with a malware that can steal the information that is saved in your computer's clipboard.
@clouddylol 5 ай бұрын
You can download all that info if it’s stored anywhere on one’s PC. For example if your PW manager is a Google chrome extension it’s trash. If you’re using googles auto suggested passwords you’re screwed. If you’re storing things on one drive you’re screwed.
@Supervideo1491 Жыл бұрын
Recently, a hacker hijacked LTT's accounts by duplicating session cookies!
@coma_TOES Жыл бұрын
That's what she reported. Perhaps not the user account you're referring to: EXACTLY the Same type of breach method. 🤨 Hmm
@DOOM11777 Жыл бұрын
Shannon can you make a video about privacy and security extensions? That you recommend and use.
@jeffhale1189 Жыл бұрын
Thanks for sharing. Blessings on your day!
@roobscoob47 Ай бұрын
Thanks, Shannon~
@Ben29214 Жыл бұрын
Thanks for the discount code for delete me. Just signed up
@russdibennetto8591 Жыл бұрын
Russ DiBennetto Good video. This is the way I deal with Cookies on my Laptop. I mainly use Firefox as my browser and have an extension called Auto Cookie Delete. I can whitelist cookies I want so I don't have to use 2FA for sites I frequent. All other cookies get deleted when I close the browser. As an added precaution, I always log out of a sight when I am done. If I ever have to use a public wifi, I connect to my OpenVPN server I build on my Raspberry Pi-4 at my home and go through my home's Internet connection to get to my required destination. I should also mention but it probably goes without saying. When I site had cookie options, I always deselect all cookies that they will allow me to deselect.
@Robinzano Жыл бұрын
Shannon! Your Chrome is out of date! Lol but seriously I LOVE your videos. You explain things simply and completely, something which a lot of KZbinrs fall short of. Thank you! (Also you're really 🥰 cute!)
@person-fy8kd Жыл бұрын
As soon as you mention Girl Scout cookies I went and bought 4 boxes worth of them the thin mints are too good
@JohnSmith-op7ls 4 ай бұрын
Who doesn’t like awful, overpriced, stale cookies, filled with preservatives! Can get better from all over, made fresh, all year round. They’re the McDonalds of cookies, except people who eat McDonalds admit it’s trash. For some reason, Girl Scout cookie pigs rant and rave about how great they are, as if they’re in a cult or something.
@adisario Жыл бұрын
This seems like a simple problem to solve. Browsers should tie cookies to a hardware ID and refuse to provide them to websites unless the hardware ID remains the same. It is unlikely a hacker could reverse engineer an encrypted hardware ID.
@bassmaiasa1312 10 ай бұрын
Simple if they gaf but they don't gaf.
@JohnSmith-op7ls 4 ай бұрын
You have to be able to secure the key or they can just copy that as well. Generating the key based off arbitrary hardware won’t add security. Any hardware info the browser can access, so can malware. This is why TPMs were made to keep keys away from OS management and drive storage. But even TPMs are easy to extract the keys from on many motherboards with some basic soldering skills. Of course, you need physical access for that. Cookie encryption keys stored on a drive wouldn’t. A TPM type device in the hardware would be the best place to store keys. Apple does this with their security enclave of whatever they call it.
@VincentGroenewold Жыл бұрын
This is why I set my browser up to delete everything as soon as I quit it. Still not perfect, but it helps. :) I have to log in to everything every time I launch it, which is slightly annoying, but I know why I'm doing that, which makes it ok.
@ShannonMorse Жыл бұрын
Yup! I mention this tip in my video 😅
@Javierm0n0 Жыл бұрын
I've been thinking about doing this for a bit.
@maluc21 2 ай бұрын
I work like this, sometimes is tired but it is worth the extra effort.
@InfoSecGuardian Жыл бұрын
Good video and really good points on cookie theft. Just one warning. Copy / Paste of password from the password manager is a bad habit. The clipboard is not secure and clear text. A good PW Manager will have an auto fill or auto populate feature which will type your credentials into the website (or local hosted application) without use of the clipboard. This is one of the reasons FIPS 140-2 standards for encryption key management require use of a HSM (Hardware Security Module). If you'd still like to ignore this advice, at the very minimum you should disable Windows Settings -> System -> Clipboard --> Sync across devices. This will stop Microsoft from receiving your clipboard data to sync across devices.
@ShannonMorse Жыл бұрын
I prefer autofill (because the pw manager should recognize the correct domain but NOT autofill on an incorrect domain), but I know some people don't want to use that weirdly, hence why I pointed it out.
@valcaron Жыл бұрын
Yeah copy+paste is a bad idea, but it'd be nice if KeePassXC-Browser would properly detect login fields more than 10% of the time.
@JohnSmith-op7ls 4 ай бұрын
All sync should be off. MS is as bad as google when it comes to not giving a F about you or your privacy.
@NorthlandDWJ 4 ай бұрын
Can using a Yubi key for KZbin for example prevent cookie stealing and session hijacking if the perpetrator has gotten your cookie to login, or will the still bypass your authenticator, or would it still require them to have the key even after stealing your cookie? Also say you are logged in while they are carrying out the attack, Can they kick you out? And when you put your CPU in sleep mode are you still logged into your accounts due to the cookie session, or does it say you are logged out until you turn your CPU back on or when you refresh the webpage? The reason I say this is can they steal your cookie if you are in sleep mode with your tabs still open to the websites? Thank you! @@ShannonMorse
@SECYBERSAFE Жыл бұрын
I need to learn better presentation from you. Welldone Shannon, this was a good video.
@hafizyaakob5753 Жыл бұрын
Hello, I'm here to watch your video 😊
@sbasra Жыл бұрын
Really useful information
@EnVideoZone 4 ай бұрын
Thank you Great tips Useful comments... Subscribed.
@ShannonMorse 4 ай бұрын
Thanks for the sub!
@computerguy61 4 ай бұрын
Thank you Shannon, very informative, LTT had their Cookies stolen when a .pdf file was opened, unfortunately Windows default setting " Hide extensions for known file types" is set to ON!! Microsoft once again letting the user down with a very dangerous default setting in Windows, always turn this setting OFF after installing Windows, or just do it NOW.
@JohnSmith-op7ls 4 ай бұрын
Extensions are meaningless unless the user knows that file type can contain malware. And the vast majority of propel don’t know pdfs are risky. Almost nobody knows all the ways all vulnerable file types can cause malware execution. More like Adobe letting us down once again with their trash software and file formats.
@rogerdeutsch5883 4 ай бұрын
Great informative video. Subscribed
@ShannonMorse 4 ай бұрын
Thanks for the sub!
@HOLLYWOODlosANGELES Жыл бұрын
Merci pour votre vidéo.
@MrRJG101 Жыл бұрын
Seeing her face brings back memories of my first computer watching hak5 when she had black hair still a doll snubs.
@alanhelmickjr Жыл бұрын
MBAM is worth the money. I've been doing computer security for years and I would recommend that over any other tool first.
@m9029 14 күн бұрын
Thanks!
@michaeljackson62509 Жыл бұрын
Sites can do what Gmail does. Set up a section where it says Last account activity: and if there are multiple logins, it should show the second ip address. Like you stated, they can automatically sign out if there is a second ip address. So many things can be put in place like allowing 2FA for every instance or simply encrypting the cookie session. The funny thing is I was going to copy my URL from Safari to see if this would allow a random user to sign it. Which we knew for sometime at work so we wouldn't require cookies to be saved to the H drive (network drive)
@bassmaiasa1312 10 ай бұрын
But KZbinrs got hacked. So gmail is more competent than KZbin?
@EhteshamShahzad Жыл бұрын
7:28 girl... update that thing!
@stevenpugh5412 Жыл бұрын
Question: websites that use MFA often give an option of trusting this browser in order to skip MFA in the future. Would this install a cookie? If so, I wonder how locked those are to that browser on that specific device? Would this be more secure than trusting SMS MFA?
@Ed-ip2sg Жыл бұрын
So it would be good to have a video on the hacker forums that sell our information and how to get off and stay off them.
@dtibor5903 Жыл бұрын
Oh fck. I was always worried that websites do not ensure that the cookie is not stolen...
@gorillaflex Жыл бұрын
what about sql injection or app vulnerabilities. From a user perspective and not a developers perspective. How does a user defend their account against that? Especially since as a user there's not much you can do as far as the code goes. Especially for major social sites like twitter and instagram. So how would you not only protect your account but also your device from those situations?
@evodefense Жыл бұрын
thanks
@bassmaiasa1312 10 ай бұрын
My general use browser dumps all my cookies except the password manager. Can the password manager session be stolen? Can I assume any non-sucky password manager isn't prey to two-bit session hackers?
@turbo2ltr Жыл бұрын
is that a ham call on the shelf?
@jonreyno1187 Жыл бұрын
thanks.
@LaurenGlenn Жыл бұрын
Please don't make us have 3FA... like when you use biometrics and yet still need to do MFA on top of that.
@oscarcacnio8418 Жыл бұрын
I mean... I like 4FAs...
@dexterman6361 Жыл бұрын
Damn, if only deleteme was a lil cheaper Also, unrelated question. Do yubikeys have pins to unlock them? I don't want one quick toilet break being the time someone needs to get into my proverbial keys to the castle, password manager
@kunalzshah 4 ай бұрын
Good video, sweet voice. Was that hopeless background music really required? It is distracting.
@aquamarinereef7460 4 ай бұрын
Chrome and privacy 🧐
@BrianGlaze Жыл бұрын
Favorite Girl Scouts Cookies? Mine are Samoas and Tagalongs
@TheAcousticVibration Жыл бұрын
I've wondered what are the medals in the background? Do you go running or something? Or am I completely mistaken and they're just expo passes haha
@avis17372 Жыл бұрын
convention passes my friend
@josh-rx6ly Жыл бұрын
Why not tie the session to the IP address. Then it is useless for anyone outside your network.
@zedvee2668 4 ай бұрын
Because of convenience. It’s always a trade off… the more security the less convenience the more convenience the less security.
@Braddeman Жыл бұрын
I would hope your viewers already knew this. Do a demo with burp suite.
@roofoofighter Жыл бұрын
Good video explanation. Horrible background music though 🙉
@mattv5281 Жыл бұрын
Could you do a video on Passkeys?
@jeanniebennett3708 4 ай бұрын
Yes please. I bought yubikey and I’m need a little help
@pbrigham Жыл бұрын
Always in private mode and no more Cookies forever.
@paulbirnbaum Жыл бұрын
Could a host validate the MAC address of a device when it's using a session cookie to reestablish a connection? That would thwart cookie theft.
@zedvee2668 4 ай бұрын
A bit technical but… MAC addresses are at layer 2 of OSI model. Browsers don’t have access to that layer… Secondly… a MAC address is easy to change so an attacker could spoof another users MAC address easily.
@michaelgalloway9362 Жыл бұрын
Hoping Shannon can talk at some point on whether it's true if a website can only read its own cookies? And if it's 3rd party cookies that other websites can read only. Also, me and the FBI and lots of other folks advocate ad blockers, and I'd get mobile web browsers with really good ad blockers built-in or available and make them default until you need to do something, and ad blockers should help since even images can be used to track you, or so I've read. But I think it's really only if you are already compromised where they are most likely to be able to get your 1st party auth cookies, which is still a very real threat, especially if you are working in tech (even low level). I could be wrong, though. Which begs the question I'm asking more and more: Why are we not focusing more on changing email so that we don't just get email for whoever anymore in our Inboxes? And most of us don't need to get email sent from outside our own country, at least not having it just appear in inboxes for us to mark as spam or not. Known senders only and quarantining the rest, and making email with obvious red flags (not just on spam lists) like lots of punctuation or length or nothing in body etc. And doing the same in Teams and Slack and Discord. Also, employees at big-ish tech companies aren't working sandboxes with work and life computers literally kept separate? Give them wireless KVM to switch between the computers, if need be. Hopefully, a lot of this is already happening.
@deang5622 Жыл бұрын
Cookies are simply files on the hard disk. Windows itself does not have that level of granularity in its file access model to restrict access to files based on web addresses. Answer: no.
@hb-man Жыл бұрын
@@deang5622 You are wrong on several levels. Browsers do have policies in place to restrict arbitrary cookie access. Search for "same origin policy". Also note that the browser is the one sending cookies back to the server, if it is not sending one back, the server cannot do anything about it. So you are not sharing all your cookies with all servers all the time. Malicious software still can try to get access to the browsers cookie store. And if you both execute the malware and the browser from the same account, there is no way to prevent access in terms of account restrictions. Don't execute evil software, it's always "game over"... and I know it is easier said than done.
@michaelgalloway9362 Жыл бұрын
@@deang5622 I've played around with deleting all cookies and site info when I close my browser. Untenable, honestly. I am now using Cookie Auto Delete (gets rid of other files) and NoScript, along with the uBlock Origin ad blocker. NoScript actually is decent at cross site scripting warnings. And I definitely feel safer browsing websites. Takes work initially, though. But hey, KZbinr Linus Tech Techs just got hacked, right? From a PDF file. Exactly what we're talking about here. And it was an EMAIL ATTACHMENT. I am telling you all: EMAIL IS THE ZERO DAY EXPLOIT THAT NO ONE PATCHES! There's a lot that could be done that would better educate and inform the end user when an email is suspect, and where email headers are better analyzed (cuz emails impersonating my boss asking me to buy them a VISA gift card from the local gas station cannot mean what we have is working well), and just indicate a for sure trusted sender, often within my org. Looked into cookies more --> Cookies do have a samesite line, and other similar bits of line in those plain text files. Web browsers generally enforce this sites on the same domain reading those cookies, whether 1st or 3rd party. So it's basically malware I accidentally download or get from a unknowingly compromised website that is going to lead to cookie or session token theft. No Script, Cookie Auto Delete, and ad blockers are definitely ways to prevent this. But email and not sandboxing or dividing work and personal machines at high target orgs are the biggest attack vectors now. Well, at least the most successful ones. My opinions of course.
@janokartal5690 Жыл бұрын
Nice one
@TV-yq4sn Жыл бұрын
Can you post links to these hacker forums you mentioned? Asking for a friend
@ShannonMorse Жыл бұрын
No, because KZbin will flag my channel for malicious links. Unfortunately I have to be very careful about what I post in the description nowadays.
@williamwilliams7706 4 ай бұрын
Such a harmless little name. Cookies. I habitually block cookies when I search for stuff online or just leave the website when that pop-up is the first thing you see when the page opens.
@phungyi4947 3 ай бұрын
Victoria Nuland likes cookies..
@jhnyjoejoe69 4 ай бұрын
It should be illegal for sites to reauest to use cookies in order to allow you to use or view their content.
@russellmania5349 Жыл бұрын
Why are cookies not encrypted to prevent this?
@user-mv8cz4cw8i 11 ай бұрын
All is done on purpose. These companies know what they are doing.
@bassmaiasa1312 10 ай бұрын
Why did Paulie call in sick that day? And take the cannoli.
@robw4885 Жыл бұрын
I've not watched the video but Linus should have read the comments!
@Leggir Жыл бұрын
Too bad @LiunusTechTips didn't watch this video just after you posted this.
@monil6025 Жыл бұрын
Does changing all of your passwords reset them? I just had this happen to me 😭😭
@ShannonMorse Жыл бұрын
No... changing your passwords doesn't reset your cookies. If someone already has access, your best bet is to go into your account, change your password AND revoke or remove any devices that are currently logged in and use the info from the video about protecting / reauthenticating session cookies (so an attacker's cookies are no longer valid).
@monil6025 Жыл бұрын
@@ShannonMorse I've signed out of all my accounts and changed passwords with a manager and added 2fa to everything I could think of. I'm still worried it could happen that the file I downloaded could be hidden deep somewhere in my laptop even though I've tried a lot of malware scanners which show up with nothing. Would it be a safe bet to sign out of everywhere again and reinstall windows and change all my passwords again if my accounts get accessed again? Thank you.
@german_class_videos Жыл бұрын
This is how LTT KZbin channel got hacked
@firealarmapprentice4517 4 ай бұрын
I really trust Microsoft Windows.
@Sanjay9442 Жыл бұрын
delete me is too expensive
@norrinradd8923 Жыл бұрын
What were you doing in Utah? 5:58
@ShannonMorse Жыл бұрын
I went to Park City for a Google Pixel event! I learned how to snowboard while I was there!
@norrinradd8923 Жыл бұрын
@@ShannonMorse Snowboarding! Awesome!
@mystixa Жыл бұрын
Websites could also separate account management activities from media browsing activities. Many better secured websites require a minimum of a reauth from the 2fa when making certain moves that could compromise the account. Most often this is limited just to password changes but especially for larger accounts that should be extended to publishing and other management activities. Its also responsibility of the user to separate activities if the websites they use arent going to do it for them. Perhaps having different logins for casual browsing and response activities. Perhaps using separate central computer(s) who are sole tasked to that activity so they arent being taken out to coffeeshops by every intern.
@gadiyoussef Жыл бұрын
Glad to be the first one watching your video
@tonysolar284 Жыл бұрын
My cookies last 6 hours.
@ShannonMorse Жыл бұрын
Mine last 30 seconds. / Snubs hungry
@tonysolar284 Жыл бұрын
@@ShannonMorse Even better.
@Mrajtheartist Жыл бұрын
✨⭐✨💞💖💞💖💖💞💖💞💖💞💖💞✨⭐✨
@DigitalYojimbo Жыл бұрын
Clearing cookies aren't the best way because the cookie stays alive on the server side. Using a vpn and logging out is the best way
@GR3YHOODCrypto Жыл бұрын
Evilginx 2 👾
@coma_TOES Жыл бұрын
Thank you for your helpful commentary and Yay for WOMEN as Tech-Talk advisors!! (LOL 🤩new name: *TechTalks via Morse Code* Naa.. Probably a similarly named channel/user elsewhere already...) new sub here...after your video on HAK5? channel re: proposed legislation related to TikTok/foreign adversary US security issues. Looking forward to more.. My only criticism is background music...I've a general physio hypersensitivity with "surround sound" type video; background or multi-channel music mixed with spoken word. Sorry, that's on me, I suppose 🫠
Comedy Club
Рет қаралды 7 МЛН
The PC Security Channel
Рет қаралды 402 М.