Account Stolen With 2FA Turned On?! Protect Your Cookies!
- Published 2 Aug 2024
- Sign up for DeleteMe! Use the coupon code SNUBS for 20% off any consumer plans! Linky: www.JoinDeleteMe.com/MorseCode * (coupon code automatically applied at checkout)
LINKS:
news.sophos.com/en-us/2022/08...
krebsonsecurity.com/2022/03/a...
therecord.media/hackers-leak-...
www.microsoft.com/en-us/secur...
www.howtogeek.com/119458/htg-...
www.bleepingcomputer.com/news...
Become a Morse Code Member by checking out the perks linked here!:
/ @shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUBSCRIBE! 🌸 ua-cam.com/users/ShannonMorse?s...
TWITTER 🌸 / snubs
Patreon 🌸 / shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUPPORT MY WORK
Patreon 💛 / shannonmorse
Buy Me a Coffee 💛 www.buymeacoffee.com/snubs
Shop 💛 snubsie.com/shop
TeeSpring 💛 teespring.com/stores/morsecode
Coupon Codes 💛 snubsie.com/support
Tech I Use & Recommend 💛 kit.co/ShannonMorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
FOLLOW THE SOCIALS THINGS
Twitter 🌸 / snubs
Instagram 🌸 / snubs
UA-cam 🌸 ua-cam.com/users/ShannonMorse?s...
Website 🌸 www.shannonrmorse.com
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
TECH I USE AND RECOMMEND
My Kits, Builds, and Must Haves ✨ kit.co/ShannonMorse
My Amazon Influencer Page ✨ www.amazon.com/shop/shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
MY OTHER SHOWS
ThreatWire 🌙 ua-cam.com/users/hak5?sub_confi...
Sailor Snubs 🌙 ua-cam.com/users/sailorsnubs?s...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
GET IN TOUCH
Mail ✈
snubsie.com/contact
Email for Business and Sponsorship Inquiries ✈ Shannon@ShannonRMorse.com
My Media Kit ✈ snubsie.com/work-with-me
Sponsor This Channel ✈ snubsie.com/shannon-morse
Music from 🎵 Epidemic Sound: www.epidemicsound.com/referra...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
😍 FTC DISCLAIMER 😍
Affiliate links listed above allow me to receive a small commission. Any sponsorships for videos are noted in video and listed in descriptions. Any products provided as gifts are listed above. Thank you for your support!
Comment section code of conduct policy:
Constructive feedback is appreciated, but please leave unproductive, divisive and harmful conversation at the door. Hateful comments are not tolerated, and these kinds of messages will be automatically removed. Thank you for making this community a welcoming experience for all viewers :)
snubsie.com/code-of-conduct - Science & Technology
Paul Hibbert was using 2FA but YouTube trusted a session instead of requiring a reauth before changes were made to his account. A second factor should always be required to make account changes when 2FA is on. Seems like a big oversight.
2FA using phone numbers is just for tracking purposes...not security
Thanks James, to ARKVS, my 2FA was not based on phone number, it was based on Google authenticator app.
I was socially engineered by hackers and was fooled into opening malware, which gave them access to clone my cookies. Because Google aren't taking 2FA seriously the hackers were then able to replace all my tokens with their own key and boot my session.
Worst week of my life.
@paulhibbert I'm just glad you got everything sorted!
@arkvsi8142 I always recommend hardware keys. They can't be phished.
@jmr That would be correct. However, hackers can still steal your cookies to bypass that. Which is why it's always important to log out of your session to invalidate the cookies.
If I'm not mistaken, autofilling from a password manager is actually better than copy-pasting manually, since when you're on a look-alike domain the password manager won't let you do that, thus raising suspicion.
Not only that, but choosing to autofill from a Password Manager will not save the password in the clipboard (because you won't copy it anywhere), so it can't be intercepted in case you are infected with a malware that can steal the information that is saved in your computer's clipboard.
You can download all that info if it's stored anywhere on one's PC. For example, if your PW manager is a Google Chrome extension it's trash. If you're using Google's auto-suggested passwords you're screwed. If you're storing things on OneDrive you're screwed.
Recently, a hacker hijacked LTT's accounts by duplicating session cookies!
That's what she reported.
Perhaps not the user account you're referring to: EXACTLY the Same type of breach method.
🤨 Hmm
That was informative, thank you Shannon 😀
Thanks for sharing. Blessings on your day!
This is why I set my browser up to delete everything as soon as I quit it. Still not perfect, but it helps. :) I have to log in to everything every time I launch it, which is slightly annoying, but I know why I'm doing that, which makes it ok.
Yup! I mention this tip in my video 😅
I've been thinking about doing this for a bit.
I work like this; sometimes it is tiring, but it is worth the extra effort.
This seems like a simple problem to solve. Browsers should tie cookies to a hardware ID and refuse to provide them to websites unless the hardware ID remains the same. It is unlikely a hacker could reverse engineer an encrypted hardware ID.
Simple if they gaf but they don't gaf.
You have to be able to secure the key or they can just copy that as well. Generating the key based off arbitrary hardware won’t add security. Any hardware info the browser can access, so can malware. This is why TPMs were made to keep keys away from OS management and drive storage. But even TPMs are easy to extract the keys from on many motherboards with some basic soldering skills. Of course, you need physical access for that. Cookie encryption keys stored on a drive wouldn’t.
A TPM type device in the hardware would be the best place to store keys. Apple does this with their security enclave of whatever they call it.
Good video and really good points on cookie theft. Just one warning. Copy / Paste of password from the password manager is a bad habit. The clipboard is not secure and clear text. A good PW Manager will have an auto fill or auto populate feature which will type your credentials into the website (or local hosted application) without use of the clipboard. This is one of the reasons FIPS 140-2 standards for encryption key management require use of a HSM (Hardware Security Module).
If you'd still like to ignore this advice, at the very minimum you should disable Windows Settings -> System -> Clipboard --> Sync across devices. This will stop Microsoft from receiving your clipboard data to sync across devices.
I prefer autofill (because the pw manager should recognize the correct domain but NOT autofill on an incorrect domain), but I know some people don't want to use that weirdly, hence why I pointed it out.
Yeah copy+paste is a bad idea, but it'd be nice if KeePassXC-Browser would properly detect login fields more than 10% of the time.
All sync should be off. MS is as bad as google when it comes to not giving a F about you or your privacy.
Can using a YubiKey for YouTube, for example, prevent cookie stealing and session hijacking if the perpetrator has gotten your cookie to log in, or will they still bypass your authenticator, or would it still require them to have the key even after stealing your cookie?
Also, say you are logged in while they are carrying out the attack. Can they kick you out? And when you put your CPU in sleep mode, are you still logged into your accounts due to the cookie session, or does it say you are logged out until you turn your CPU back on or refresh the webpage? The reason I ask is: can they steal your cookie if you are in sleep mode with your tabs still open to the websites? Thank you! @ShannonMorse
Shannon can you make a video about privacy and security extensions? That you recommend and use.
Thanks, Shannon~
Thanks for the discount code for delete me. Just signed up
Thanks!
Hello, I'm here to watch your video 😊
Shannon! Your Chrome is out of date! Lol but seriously I LOVE your videos. You explain things simply and completely, something which a lot of YouTubers fall short of. Thank you! (Also you're really 🥰 cute!)
Russ DiBennetto
Good video. This is the way I deal with cookies on my laptop. I mainly use Firefox as my browser and have an extension called Auto Cookie Delete. I can whitelist cookies I want so I don't have to use 2FA for sites I frequent. All other cookies get deleted when I close the browser. As an added precaution, I always log out of a site when I am done. If I ever have to use public wifi, I connect to the OpenVPN server I built on my Raspberry Pi 4 at home and go through my home's Internet connection to get to my required destination.
I should also mention, but it probably goes without saying: when a site has cookie options, I always deselect all the cookies that they will allow me to deselect.
Really useful information
As soon as you mentioned Girl Scout cookies I went and bought 4 boxes' worth of them; the Thin Mints are too good
Who doesn’t like awful, overpriced, stale cookies, filled with preservatives! Can get better from all over, made fresh, all year round. They’re the McDonalds of cookies, except people who eat McDonalds admit it’s trash. For some reason, Girl Scout cookie pigs rant and rave about how great they are, as if they’re in a cult or something.
Seeing her face brings back memories of my first computer watching hak5 when she had black hair still a doll snubs.
Great informative video. Subscribed
Thanks for the sub!
Merci pour votre vidéo.
7:28 girl... update that thing!
I need to learn better presentation from you. Welldone Shannon, this was a good video.
thanks
Thank you
Great tips
Useful comments...
Subscribed.
Thanks for the sub!
thanks.
MBAM is worth the money. I've been doing computer security for years and I would recommend that over any other tool first.
Thank you Shannon, very informative, LTT had their Cookies stolen when a .pdf file was opened, unfortunately Windows default setting " Hide extensions for known file types" is set to ON!! Microsoft once again letting the user down with a very dangerous default setting in Windows, always turn this setting OFF after installing Windows, or just do it NOW.
Extensions are meaningless unless the user knows that file type can contain malware. And the vast majority of people don't know PDFs are risky. Almost nobody knows all the ways all vulnerable file types can cause malware execution.
More like Adobe letting us down once again with their trash software and file formats.
Question: websites that use MFA often give an option of trusting this browser in order to skip MFA in the future. Would this install a cookie? If so, I wonder how locked those are to that browser on that specific device?
Would this be more secure than trusting SMS MFA?
Nice one
Sites can do what Gmail does. Set up a section where it says "Last account activity:" and if there are multiple logins, it should show the second IP address. Like you stated, they can automatically sign out if there is a second IP address. So many things can be put in place, like allowing 2FA for every instance or simply encrypting the cookie session. The funny thing is I was going to copy my URL from Safari to see if this would allow a random user to sign in. Which we knew for some time at work, so we wouldn't require cookies to be saved to the H drive (network drive).
But YouTubers got hacked. So Gmail is more competent than YouTube?
So it would be good to have a video on the hacker forums that sell our information and how to get off and stay off them.
Good video explanation. Horrible background music though 🙉
Please don't make us have 3FA... like when you use biometrics and yet still need to do MFA on top of that.
I mean...
I like 4FAs...
Oh fck. I was always worried that websites do not ensure that the cookie is not stolen...
what about sql injection or app vulnerabilities. From a user perspective and not a developers perspective. How does a user defend their account against that? Especially since as a user there's not much you can do as far as the code goes. Especially for major social sites like twitter and instagram. So how would you not only protect your account but also your device from those situations?
My general use browser dumps all my cookies except the password manager. Can the password manager session be stolen? Can I assume any non-sucky password manager isn't prey to two-bit session hackers?
Good video, sweet voice. Was that hopeless background music really required? It is distracting.
is that a ham call on the shelf?
Why not tie the session to the IP address. Then it is useless for anyone outside your network.
Because of convenience. It’s always a trade off… the more security the less convenience the more convenience the less security.
Could a host validate the MAC address of a device when it's using a session cookie to reestablish a connection? That would thwart cookie theft.
A bit technical but… MAC addresses are at layer 2 of OSI model. Browsers don’t have access to that layer… Secondly… a MAC address is easy to change so an attacker could spoof another users MAC address easily.
Such a harmless little name. Cookies. I habitually block cookies when I search for stuff online or just leave the website when that pop-up is the first thing you see when the page opens.
Victoria Nuland likes cookies..
I've wondered what are the medals in the background? Do you go running or something? Or am I completely mistaken and they're just expo passes haha
convention passes my friend
Damn, if only DeleteMe was a lil cheaper
Also, unrelated question.
Do YubiKeys have PINs to unlock them? I don't want one quick toilet break being the time someone needs to get into my proverbial keys to the castle, password manager
Could you do a video on Passkeys?
Yes please. I bought a YubiKey and I need a little help
Always in private mode and no more Cookies forever.
I would hope your viewers already knew this. Do a demo with burp suite.
This is how the LTT YouTube channel got hacked
Chrome and privacy 🧐
Favorite Girl Scouts Cookies? Mine are Samoas and Tagalongs
Can you post links to these hacker forums you mentioned? Asking for a friend
No, because YouTube will flag my channel for malicious links. Unfortunately I have to be very careful about what I post in the description nowadays.
Hoping Shannon can talk at some point on whether it's true if a website can only read its own cookies? And if it's 3rd party cookies that other websites can read only. Also, me and the FBI and lots of other folks advocate ad blockers, and I'd get mobile web browsers with really good ad blockers built-in or available and make them default until you need to do something, and ad blockers should help since even images can be used to track you, or so I've read. But I think it's really only if you are already compromised where they are most likely to be able to get your 1st party auth cookies, which is still a very real threat, especially if you are working in tech (even low level). I could be wrong, though. Which begs the question I'm asking more and more: Why are we not focusing more on changing email so that we don't just get email for whoever anymore in our Inboxes? And most of us don't need to get email sent from outside our own country, at least not having it just appear in inboxes for us to mark as spam or not. Known senders only and quarantining the rest, and making email with obvious red flags (not just on spam lists) like lots of punctuation or length or nothing in body etc. And doing the same in Teams and Slack and Discord. Also, employees at big-ish tech companies aren't working sandboxes with work and life computers literally kept separate? Give them wireless KVM to switch between the computers, if need be. Hopefully, a lot of this is already happening.
Cookies are simply files on the hard disk.
Windows itself does not have that level of granularity in its file access model to restrict access to files based on web addresses.
Answer: no.
@deang5622 You are wrong on several levels.
Browsers do have policies in place to restrict arbitrary cookie access. Search for "same origin policy". Also note that the browser is the one sending cookies back to the server; if it is not sending one back, the server cannot do anything about it. So you are not sharing all your cookies with all servers all the time.
Malicious software can still try to get access to the browser's cookie store. And if you execute both the malware and the browser from the same account, there is no way to prevent access in terms of account restrictions. Don't execute evil software, it's always "game over"... and I know it is easier said than done.
@deang5622 I've played around with deleting all cookies and site info when I close my browser. Untenable, honestly. I am now using Cookie Auto Delete (gets rid of other files) and NoScript, along with the uBlock Origin ad blocker. NoScript actually is decent at cross-site scripting warnings. And I definitely feel safer browsing websites. Takes work initially, though. But hey, YouTuber Linus Tech Tips just got hacked, right? From a PDF file. Exactly what we're talking about here. And it was an EMAIL ATTACHMENT. I am telling you all: EMAIL IS THE ZERO DAY EXPLOIT THAT NO ONE PATCHES! There's a lot that could be done that would better educate and inform the end user when an email is suspect, and where email headers are better analyzed (cuz emails impersonating my boss asking me to buy them a VISA gift card from the local gas station cannot mean what we have is working well), and just indicate a for-sure trusted sender, often within my org. Looked into cookies more --> Cookies do have a SameSite line, and other similar bits in those plain text files. Web browsers generally enforce this so sites on the same domain read those cookies, whether 1st or 3rd party. So it's basically malware I accidentally download or get from an unknowingly compromised website that is going to lead to cookie or session token theft. NoScript, Cookie Auto Delete, and ad blockers are definitely ways to prevent this. But email and not sandboxing or dividing work and personal machines at high-target orgs are the biggest attack vectors now. Well, at least the most successful ones. My opinions of course.
Does changing all of your passwords reset them? I just had this happen to me 😭😭
No... changing your passwords doesn't reset your cookies. If someone already has access, your best bet is to go into your account, change your password AND revoke or remove any devices that are currently logged in and use the info from the video about protecting / reauthenticating session cookies (so an attacker's cookies are no longer valid).
@ShannonMorse I've signed out of all my accounts and changed passwords with a manager and added 2FA to everything I could think of. I'm still worried it could happen that the file I downloaded could be hidden deep somewhere in my laptop even though I've tried a lot of malware scanners which show up with nothing. Would it be a safe bet to sign out of everywhere again and reinstall Windows and change all my passwords again if my accounts get accessed again? Thank you.
I really trust Microsoft Windows.
I've not watched the video but Linus should have read the comments!
It should be illegal for sites to request to use cookies in order to allow you to use or view their content.
Too bad @LinusTechTips didn't watch this video just after you posted this.
Why are cookies not encrypted to prevent this?
All is done on purpose. These companies know what they are doing.
Why did Paulie call in sick that day? And take the cannoli.
What were you doing in Utah? 5:58
I went to Park City for a Google Pixel event! I learned how to snowboard while I was there!
@ShannonMorse Snowboarding! Awesome!
delete me is too expensive
Websites could also separate account management activities from media browsing activities. Many better-secured websites require at minimum a reauth with the 2FA when making certain moves that could compromise the account. Most often this is limited to password changes, but especially for larger accounts that should be extended to publishing and other management activities.
It's also the responsibility of the user to separate activities if the websites they use aren't going to do it for them. Perhaps having different logins for casual browsing and response activities. Perhaps using separate central computer(s) that are solely tasked to that activity so they aren't being taken out to coffee shops by every intern.
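The comment above, and the one at the top of the thread about YouTube trusting a session instead of requiring a reauth, describe step-up authentication: the cookie is enough to watch videos, but account-management actions require the second factor again. The earlier exchange about tying a session to the IP address raises the related trade-off that pinning every request to one IP breaks legitimate users on mobile and NAT'd networks. The authorizer below is an added illustration (not code from the video or from YouTube) of the middle ground: it lets ordinary requests through on the cookie alone, and on sensitive routes it demands that the second factor was presented recently from the same IP. The route list, the five-minute window, the request shape and the user name are assumptions for the example.

```javascript
// Added example, not code from the video or from any real service.
// Plain functions so it runs without a web framework.

// Routes that can take over or damage the account. Everything else is
// "browsing" and is allowed on the session cookie alone.
const SENSITIVE_ROUTES = new Set([
  'POST /account/password',
  'POST /account/2fa',
  'POST /account/email',
  'POST /channel/publish',
  'DELETE /channel',
]);

// How recently the second factor must have been presented. Assumed value.
const MAX_AUTH_AGE_MS = 5 * 60 * 1000;

// session: { userId, authTime, authIp }  (authTime/authIp set at last 2FA)
// request: { method, path, ip }
// Returns { allowed: true } or { allowed: false, reason, detail }.
function authorize(session, request, now = Date.now()) {
  const route = `${request.method} ${request.path}`;
  if (!SENSITIVE_ROUTES.has(route)) {
    return { allowed: true }; // browsing: no friction, even from a new IP
  }
  if (request.ip !== session.authIp) {
    // The cookie arrived from somewhere the user did not authenticate from.
    return { allowed: false, reason: 'reauth-required', detail: 'ip-changed' };
  }
  if (now - session.authTime > MAX_AUTH_AGE_MS) {
    return { allowed: false, reason: 'reauth-required', detail: 'stale-auth' };
  }
  return { allowed: true };
}

// Called when the user answers the 2FA prompt. Only a successful second
// factor refreshes authTime and re-pins the IP; a stolen cookie alone
// cannot do this, which is what makes the check worth having.
function stepUp(session, request, secondFactorValid, now = Date.now()) {
  if (!secondFactorValid) return false;
  session.authTime = now;
  session.authIp = request.ip;
  return true;
}

// Constructed scenario: a cookie copied from the victim is used from the
// attacker's network, then the victim does a legitimate password change.
function demo() {
  const t0 = 1700000000000; // fixed clock so the result is reproducible
  const home = '203.0.113.5';
  const attackerIp = '198.51.100.7';
  const session = { userId: 'alice', authTime: t0, authIp: home };
  const results = {};

  // Watching the feed from the attacker's IP: allowed, browsing is cheap.
  results.browseFromAttackerIp =
    authorize(session, { method: 'GET', path: '/feed', ip: attackerIp }, t0 + 60000).allowed;

  // Password change with the stolen cookie from the attacker's IP: blocked.
  results.passwordFromAttackerIp =
    authorize(session, { method: 'POST', path: '/account/password', ip: attackerIp }, t0 + 60000);

  // Same action from home, an hour after the last 2FA: blocked as stale.
  results.passwordStale =
    authorize(session, { method: 'POST', path: '/account/password', ip: home }, t0 + 3600000);

  // The user answers the 2FA prompt; the action is then allowed.
  stepUp(session, { ip: home }, true, t0 + 3600000);
  results.passwordAfterStepUp =
    authorize(session, { method: 'POST', path: '/account/password', ip: home }, t0 + 3600000 + 1000).allowed;

  // A failed 2FA attempt from the attacker changes nothing.
  results.failedStepUp = stepUp(session, { ip: attackerIp }, false);

  return results;
}
```

The IP comparison is deliberately applied only to sensitive routes: that keeps the convenience the thread worries about for normal browsing while still making a replayed cookie useless for the actions that actually take over an account. Logging the `detail` value on every denial gives the "last account activity" style audit trail another commenter asks for.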
Glad to be the first one watching your video
My cookies last 6 hours.
Mine last 30 seconds. / Snubs hungry
@ShannonMorse Even better.
✨⭐✨💞💖💞💖💖💞💖💞💖💞💖💞✨⭐✨
Clearing cookies isn't the best way because the cookie stays alive on the server side. Using a VPN and logging out is the best way
Evilginx 2 👾
Thank you for your helpful commentary and Yay for WOMEN as Tech-Talk advisors!!
(LOL 🤩new name: *TechTalks via Morse Code* Naa.. Probably a similarly named channel/user elsewhere already...)
new sub here...after your video on HAK5? channel re: proposed legislation related to TikTok/foreign adversary US security issues.
Looking forward to more..
My only criticism is background music...I've a general physio hypersensitivity with "surround sound" type video; background or multi-channel music mixed with spoken word. Sorry, that's on me, I suppose 🫠