
Proposal Topic:

Preventing Hacking Attacks Against YouTube Channels

Significance of the Problem:

Just over a month ago, one of the largest YouTube channels in the computer and IT community was hacked and taken over. Despite the computer expertise held by the team behind the channel, an attacker was able to take control of the account and cause havoc for a few hours. Luckily, the channel was one of the largest with over fifteen million subscribers and they were able to restore the account quickly while minimizing business losses. Most channels are not as well situated to handle an attack.

Large channels are not the only target for hackers looking to exploit vulnerable accounts. Any channel with a following may be vulnerable to some of the techniques that are used to attack even the biggest and most expert content creation teams. Producers of video channels and other content creators need a plan to secure their account and prevent it from being compromised.

Thesis:

The solutions to quickly and easily protecting an important account are to implement better security for passwords, email, and account access controls, because securing these can prevent an attacker from being able to access the account and take it over.

Course of Action:

It can be challenging to figure out the many ways in which an attacker could potentially hijack an account. Luckily, there are some important major steps that any person or organization should take to secure their assets.


Passwords are an important initial step in securing the account. Ideally, passwords should be long, have complex symbols, and have a mix of lower- and upper-case letters. Each account should have its own password with no shared passwords between accounts. A password manager is highly recommended to make remembering these passwords easier and to prevent them from being lost or stolen if written down on paper or stored in a file. A password manager secures these passwords in encrypted storage, and often will automatically fill the user/password forms using a keyboard shortcut. While password managers are not a perfect security measure, they can prevent certain types of common password attacks and make it easier to manage a large array of complex passwords (Luevanos et al., 2017). Privacy and security expert Shannon Morse advocates for strong passwords and a password manager, alongside usage of multi-factor authentication (Shannon Morse, 2023). It is important to use multi-factor authentication wherever available as an option, as it adds an extra layer of security to the login process. A multi-factor authentication application will generate a one-time code that lasts (usually) only thirty seconds, after which a new code is generated. This makes it even more difficult for an attacker to fully authenticate into an account using a password attack.

Another way to secure an account is to address some of the ways that an account is used and configured. In the specific case of a YouTube content creator, public-facing email addresses for business inquiries should not be the same email that is used to log in to the account. As much as possible, the specific account used to log in to YouTube should be reserved for that only and kept as secret as possible. Sending emails and other tasks used with a Google account can and should be done on a separate account. Chris Titus, a technology expert and content creator, recommends using the Advanced Protection Program for a Google/YouTube account. This forces users to secure their account using a hardware key, which is a specific type of multi-factor authentication that uses a physical device that must be connected while logging in (rather than an application) (Chris Titus Tech, 2023). Google and other large companies have incorporated such hardware keys successfully for their employees, with a two-year research study showing that implementation improved both user satisfaction and security outcomes (Lang et al., 2016). Hardware keys are important to keep track of and potentially have backups of, but they can be more convenient than many other forms of signing into an account since a code from an application is not required for each login. Hardware keys also prevent an authentication token from being stolen from an MFA application, which is a main way that MFA is bypassed by attackers.

Within an account for a team or organization, there can often be multiple users assigned with varying degrees of role assignment. Users can be allowed access to specific aspects of the account. Heath Adams, a security expert and educator, explains that a Google account allows for a brand manager to have access to certain resources within the account. It is possible for merely one of the users with access to an account to lead to an account being compromised, depending on what levels of access are configured for the role that the user has (The Cyber Mentor, 2023). User access controls have a tremendous variety in terminology and can typically be configured very differently depending upon the application, which can make initial setup difficult (Mohamed et al., 2022). Content creators with teams and shared accounts should configure their teammates and employees to only have the access that they need to do their job role.

Each of these steps for securing an account works alongside the others and can massively decrease the risk of account compromise. By controlling the ease with which the account is logged into, the usage of the account while logged in, and which resources teammates can access within the account, there are far fewer ways for an attacker to hijack the account using an internal vulnerability.

Challenges and Rebuttal:

The main reasons that people tend to avoid setting up these protections in the first place are also some of the main reasons that these methods are convenient. Although it can be a hassle to set up a password manager and an authentication application or hardware key, these utilities prevent passwords from being lost, stolen, or easily guessed. These utilities, once set up, are significantly more convenient than trying to remember or write down unique and strong passwords for many accounts.

Another reason that people often avoid setting up these protections in the first place is a lack of knowledge and expertise in the subject. Though it is understandable for average content creators and account holders to be untrained in securing accounts, team members who have administrative responsibility should be aware of these methods for securing accounts. Those who have a specific job role around managing YouTube brands or channels should not be left behind by their peers or adversaries, and they have a responsibility to their coworkers and customers to be up to date about best practices.

Conclusion:

Attackers have recently taken over the accounts of multiple high-profile YouTube content creators, leading to loss of service and content in some cases. There are also innumerable examples of smaller channels that are targeted by similar attacks. These channels can protect their accounts from being accessed by unauthorized individuals by securing a combination of their password, their email, and their access control rules. The steps to take for securing an account are relatively easy (compared to many tasks in computing or security), and after the upfront setup these steps require little maintenance or time investment.

The password can be protected by a password manager, which will auto-generate and store secure passwords while also applying them to login prompts with a keyboard shortcut. A multi-factor authentication application or hardware key can apply a second level of security to the login, using a mobile device or a key, either of which is usually kept on the person. The account used to access high-risk assets such as a monetized YouTube channel should not be the same account used to send and receive emails. Account permissions can determine what types of access other users have within the shared account according to their specific role. Combining these together can prevent a careless account-owner or employee from compromising the whole account through improper usage or configuration. In theory, even if a password is stolen or brute-forced, these additional steps will still prevent unauthorized access and keep the account safe.

Any group or individual with a publicly facing account should follow these practices, even if they are not a YouTube channel. These same steps will also help a person protect accounts for social media, banking, video games, shopping, and other monetized online accounts.


References

Shannon Morse. (2023, May 3). How Do YouTubers Get Hacked? 3 Tips to Secure Your Account [Video]. YouTube. https://www.youtube.com/watch?v=ItghwG3a4KM

Chris Titus Tech. (2023, March 23). LTT Hacked [Video]. YouTube. https://www.youtube.com/watch?v=b94uBT9CStU

The Cyber Mentor. (2023, March 24). Linus Tech Tips Hack Explained [Video]. YouTube. https://www.youtube.com/watch?v=WjpIyu7IH74

Lang, J., Czeskis, A., Balfanz, D., & Schilder, M. (2016). Security Keys: Practical Cryptographic Second Factors for the Modern Web. In Lecture Notes in Computer Science (pp. 422–440). Springer Science+Business Media. https://doi.org/10.1007/978-3-662-54970-4_25

Mohamed, A. M., Auer, D., Hofer, D., & Küng, J. (2022). A systematic literature review for authorization and access control: definitions, strategies and models. International Journal of Web Information Systems, 18(2/3), 156–180. https://doi.org/10.1108/ijwis-04-2022-0077

Luevanos, C., Elizarraras, J. V., Hirschi, K., & Yeh, J. (2017). Analysis on the Security and Use of Password Managers. https://doi.org/10.1109/pdcat.2017.00013
