Tom here from Lawrence Systems, and Linus Tech Tips was hacked last week. It is March 27th of 2023. I think there's been enough time; Linus has done some videos, he did a debrief talking about it, he spoke again on the WAN Show, and I think it's an opportunity to talk about some lessons learned. Now, when it first happened, lots of people were thinking, well, Linus just left something exposed, which we found out he did, but it really didn't have anything to do with security at all. It was all about session token stealing. So even though you can do the proper 2FA, you can use your FIDO keys, you can use your YubiKeys or whatever different methodologies you're using to secure your account, and you can have a great password using a password manager, but someone stealing your session token, once they get onto one of your machines that are authenticated, they will take that token, and this is the attack vector. It has been used very frequently against creators, and then they pop it into another browser at another location and then assume all of your roles and responsibilities that they were able to take. Now, this happened because someone sent a file to probably one of the salespeople or one of the internal people at Linus Tech Tips, and from there they were able to steal those session tokens. Now, this does require high levels of access to the workstation that's logged in, but anytime there's an incident like this, especially with such a big creator channel, I think it's a good opportunity to play it out yourself as a creator. And I deal with a lot of creators, and I am friends with many other creators that are also technical. We all got together and really started hammering this out, going, all right, what are all the attack vectors that could affect us from this, and where are those edges?
And what are some of the best ways to handle it? And it turns out there's not a clearly defined way, so the people like Linus having an incident is an opportunity for all of us to really think about how we handle security. Do we even stay logged into YouTube? You know, do we make sure we're always using a separate computer? Which is something I do for my creative side versus the video production side. I don't keep everything logged in, especially because even my studio computer, which I gesture this way, which is over there, is a separate computer to ingest all the recording and everything, and I'm running all these different pieces of software on there, but it's actually not logged into YouTube, because it just copies over to a share for another system that is logged into YouTube. So keeping these levels of separation, keeping a list of who is logged in, because this is one of the challenges Linus had: not knowing whose session token was stolen. So Google just doesn't do a great job in any of this; therefore, until maybe some future where Google does, let's talk about what can be done and some realistic things we can do. First, have an incident response plan. Clearly define the roles and responsibilities of your incident response team members, including your specific duties during an incident.
I felt that Linus didn't really have this, based on this conversation on the WAN Show; it was kind of like a lot of back and forth, and not the clearest who's doing what task. This is one of those things that if you don't define it ahead of time... keep these documents ready. It doesn't have to be a very big document, but this is a document you should have, that way when there's the incident, all the team players already know that they're part of that response team, and you should have a primary and backups on there in case someone's off on vacation, unavailable, etc. But next, establish a procedure for identifying and reporting the potential security incidents and methods of communication, such as using Signal. So Signal is an out-of-band communication, in my opinion, from your main system. Now, if someone takes your phone, yes, they would compromise Signal, but if they took your phone number and hijacked it, you'd have a safety number change or something to indicate that there's a problem. You try to call the person to say, hey, do you still got your phone?
They don't talk to you anymore, you can be suspicious. But you don't want to use your normal bands of communication, because if your G Suite account, your Microsoft Office 365 account, or whatever you use was attacked, and maybe you've got that tied to, if you're using Slack for example, or whatever communication you're using, some type of single sign-on, all of that could be compromised at the same time. So you're not sure: is the threat actor pretending to be one of the internal staff members, maybe even someone on that incident response list? So you want to make sure you have a good, established, outlined communication method. Next is the specific steps taken during each phase of the incident response process: preparation, detection, analysis, containment, eradication, recovery. This should all include these procedures; these are something that are part of your IR plans, a bunch of blanks and who's going to be doing what. This is all outlined so people know, and they just start jumping, even if they're not talking to anyone, they know they can start gathering information, right? I see this account.
I can look at these logs, etc. Now, the part that's a failure on my part, when we applied the attack Linus went through against our incident response plan, was the way Google handles it. It's just bad, in terms of the fact that the one I did not know is, if a personal Gmail account was in use here, you can change a password without a reprompt by stealing session tokens. That doesn't seem like you should be able to, and it doesn't seem 100% consistent, because I believe it doesn't do it for the G Suite users, but it does do it if you're an individual user. So this really is a burden on small creators. But changing your password, if you think your session token is stolen, will force log out the other systems. Next, you can individually see each one of the logins and then have them logged out, so you can sign those ones out and basically get rid of those session tokens. And then again, if you're a G Suite user, it's a little bit more confusing, because you have to go into each individual user and either change your password or you can force expire all their sessions. This is the part that I didn't have in this document as well, and I don't think Linus did either: a clear list of who has access to the YouTube channel, or any of the media channels, you know, is how I'm applying this very broadly, but really when it comes to YouTube, they have a couple different roles and permissions, managers, so you don't want to give anyone access that doesn't need it, you don't want to give anyone any more permissions than they need, and then also you should have a list of who those people are. Therefore, if we think this attack is going on, this is your list.
These are the people. All right, we've come to the part in our process of our IR where the YouTube channel has been taken over. Great, let's go ahead and log all those sessions out, and this is how we're going to deal with it. So I wanted to throw this out there to remind people, because all this can be done ahead of time. If you're an individual creator, this is pretty easy, because it's just going to be you, but if you're working with an editor or maybe just a couple other staff members, not at the scale and scope that Linus Tech Tips operates at but at a smaller scale, getting this together now, having some contacts, maybe knowing who to call if you have a trusted friend in security, to start walking through this ahead of time is a great thing to do now, not after the incident. After the incident, you'll find that everything becomes a whole lot harder to do, because you're in panic mode, where you're more likely to make mistakes, or this could happen at an odd hour. I have dealt with incident response; we work on incident response plans because we manage IT for a lot of different businesses. We have one ourselves, but it's always good to just not leave this as a static document, and whenever there's an incident, you know, take the time to tabletop it with a couple of the people that are on your roles and responsibility lists and walk through those problems. And hopefully in the future Google does a better job in this, but in the right now, you can do a good job of putting this together.
So you at least have ideas ahead of time. I've discussed a lot of this with my creator friends, and, you know, this hopefully helps you get a guide going on this. I may do an actual document write-up on this that I can share; let me know in the comments if you'd like to see something like that, because maybe me and a few creators will collaborate. I'd love it if Google actually did this. If the people at YouTube, if you're watching, man, take the time to do this to help creators along, because we know Linus had a direct line to Google. I'm not big enough, and neither are most creators, to get a direct line to Google to get support on a problem like this. So hey, great when you're at 18 million subscribers and Google is able to directly help you, but most of us are kind of left out in the cold and kind of in a panic when something happens. And it's not hard to get a hold of anyone. It's, I should say, not easy to get hold of anyone at Google. It's just really hard for a small creator to deal with this. But leave your thoughts and comments down below, and thanks.