The EU's Digital Identity Wallet project has a lot of big icks. Looking at the GitHub for the Android Age Verification application feels like chewing rocks. Like the proprietary attestation baked into a must-use form of identification is absolutely the wrong path... And while we're at it, recall the rule of thumb: Age Verification, either by deliberate or convenient naïveté, is almost always a surveillance trojan horse. Source:
Proton #VPN signups spike 1,400% as the UK Online Safety Act rolls out. Proton says the spike is sustained & higher than when France blocked adult content. Source: https://archive.ph/i2d9W
Tea enforced ID & selfie collection. And doxxed their own users. In other news, the UK Online Safety Act is forcing websites to begin collecting IDs. This will end, predictably, in fresh breaches. And more harm to users.
Your honor, in my defense I was being extremely productive at the time of the crash.
You read dystopian sci-fi as a warning. These companies found business plans. Just as there are war hawks that delight in hard talk about military action, there are surveillance-yearners... For reasons I'll never fully understand, the UK politicians aren't just surveillance-permissive. They delight in the idea. Pre-crime preventative detention coming soon...
Mass biometric surveillance is a one-way ticket away from democracy.
How it began: "our service helps consumers quickly do X..." How it's going: "we help business understand consumer behavior..." Soon: "we're launching a surveillance subsidiary for government customers..."
You can patch software, but you can't patch people. This is why social engineering will always work. The human brain is loaded with forever-day vulnerabilities... and attackers are constantly probing. Sometimes I think that they've developed a more applicable & empirically tested theory of human motivation and cognition than psychologists... Sometimes tens of thousands of A/B tests a day...
🚨NEW REPORT from us: exposing a new social engineering/hacking tactic. 🇷🇺Russian state-backed hackers successfully compromised a prominent (& professionally paranoid) expert on Russian military operations. Shocking, right? But the attack is solidly clever & worth understanding. I expect more like it.

ATTACK FLOW
Keir Giles gets a message purporting to be from the U.S. State Dept asking for a consultation. The attackers send the message from a gmail, but CC'd a bunch of state.gov email addresses. Including one with the same name as the purported sender. Strong credibility signal to have a bunch of gov ppl on the CC line, right? Well, what the attackers were counting on is that the State Dept mailserver just accepts all email addresses without emitting a bounce. So they seem to have just created some fake State Dept staff names and addresses.

INTRODUCING THE DECEPTION
The attackers wait for the 2nd interaction to introduce the pivotal deception: getting him to 'connect to a secure platform.' In the next days they patiently walk him through what they want him to do, even sending a very official-looking (but fake) State Dept. document. The attack works like this: the attackers try to deceive the target into creating and sharing an App-Specific Password (ASP) with them. They do this by reframing ASPs as something that will let him access a secure resource (spoiler: not how this works).

REMINDER: WHAT IS AN ASP?
What's an ASP? Well, not every app that users want to use supports Multi-Factor Authentication. Some older email clients, for example, don't. So providers like #Google let users create a special password just for those apps. There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it. Everything was clean. Doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd... I could go on. They even had Keir enter "ms.state.gov" into the ASP name...
SLOW FOOD SOCIAL ENGINEERING
This attack was like slow food. 10 email exchanges over several weeks! Very much not your run-of-the-mill phishing. It's like they know what we all expect from them... and then did the opposite. Ultimately, he realized something was wrong and got in touch with us at #citizenlab... but not before the attackers got access. He's said that he expects some sort of 'leak' constructed out of a mixture of his real messages & carefully added falsehoods. I tend to agree; this is a pretty common tactic. Here's what that looks like, btw, from a report we did back in 2017 where we compared what was released after a hack by Russian hackers vs the original. Coda: Hilariously (to me at least) the attackers called the fake platform *MS DoS*.

WHO DID IT?
Enter the Google Threat Intelligence Group w/ analysis & attribution. GTIG had been working on their own parallel investigation. Our friendly social engineers are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor. Google adds a bonus additional low-confidence association to #APT29 (that would be Russia's #SVR). Nice people.

TAKEAWAYS?
Takeaway: some gov-backed groups are feeling pressure & experimenting. Moving from smash & grab phishing... to subtler, slower & perhaps less detectable. Targeting App-Specific Passwords is novel. But it's just part of a trend of state-backed attackers innovating & moving beyond simple phishing that targets credentials (maybe multi-factor codes) towards other mechanisms of account access. A lot of more sophisticated attackers are also spreading attacks across platforms... for example starting the attack on Signal/Telegram, then later pivoting to email, etc. The folks at Volexity (above pic showing a similarly complex operation) have some good reporting on that (link below).

GET SAFER
Do you think you face increased risk because of who you are & what you do? ✅Use Google's free Advanced Protection Program.
Set it up now: ✅Exercise extra skepticism when unsolicited interactions slide into suggesting you change account settings! ✅Talk to your IT/Security team about ASPs. Share the report; we've made some suggestions for them.

READ THE REPORTS
Ours at Citizen Lab: Google's Post: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia Other citations: Our Tainted Leaks report where we walk through how materials got manipulated & leaked after a Russian gov hack: Volexity's recent report:
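The thread above describes two credibility tricks a defender can look for in mail headers: a consumer-webmail sender who pads the CC line with addresses at a sensitive domain (counting on that domain's mail server not bouncing unknown addresses), and a CC'd address whose local part mirrors the sender's display name. The following script is an added example written for this page, not code from Citizen Lab or Google; the message samples, the domain lists and the `.gov`/`.mil` suffix choice are constructed assumptions to be tuned for your own organisation, and the heuristic cannot tell whether a CC'd address really exists, which is exactly why the trick works.

```python
"""Heuristic screen for 'CC padding' credibility tricks in inbound mail.

Added example (not from the original thread). Flags a message when:
  1. From: is at a consumer webmail domain, yet Cc: lists addresses at a
     sensitive domain (assumed here: anything ending in .gov or .mil);
  2. the sender's display name, normalised as "first.last", matches the
     local part of one of those CC'd sensitive-domain addresses.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: consumer providers whose senders rarely coordinate gov work.
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# Assumption: suffixes your organisation treats as high-trust / high-risk.
SENSITIVE_SUFFIXES = (".gov", ".mil")


def analyse(raw_message: str) -> dict:
    """Return the parsed sender, the sensitive CC'd addresses and findings."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # get_all returns every Cc header; getaddresses splits the lists.
    cc_addrs = [addr.lower() for _, addr in getaddresses(msg.get_all("Cc", []))]
    sensitive_cc = [a for a in cc_addrs if a.endswith(SENSITIVE_SUFFIXES)]

    findings = []
    if from_domain in CONSUMER_DOMAINS and sensitive_cc:
        findings.append("consumer-mail sender with sensitive-domain CC padding")

    # "Jane Doe" -> "jane.doe"; compare with the local part of each CC'd address.
    name_key = ".".join(from_name.lower().split())
    lookalikes = [a for a in sensitive_cc if a.split("@", 1)[0] == name_key]
    if lookalikes:
        findings.append(f"sender display name mirrors CC'd address {lookalikes[0]}")

    return {"from": from_addr, "sensitive_cc": sensitive_cc, "findings": findings}


# Constructed sample: a lure-style message (fictional names and domains).
SAMPLE_SUSPECT = """\
From: Jane Doe <jane.doe.consult@gmail.com>
To: researcher@example.org
Cc: jane.doe@state-dept.example.gov, protocol.office@state-dept.example.gov
Subject: Request for consultation

We would value your views on a sensitive matter.
"""

# Constructed sample: ordinary internal mail, should produce no findings.
SAMPLE_BENIGN = """\
From: Bob Ray <bob.ray@example.org>
To: researcher@example.org
Cc: team@example.org
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        result = analyse(sample)
        print(label, result["from"], result["findings"])
```

The two signals are cheap to compute at a mail gateway and are best used to add a visible banner or to route the message for review, since neither proves anything on its own; a legitimate contact can use personal mail, and the no-bounce behaviour of the padded domain means the only reliable verification is out-of-band, through a channel the sender did not supply.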
Searching #Youtube, I ignore content less than 12 months old. To get past the #GenAI slop layer. Like a volcanic explosion. Except instead of blanketing the world with ash, it's a smothering burden of low-value, low-enjoyment, derivative, error-filled content.