📚 Just completed the 'Basics of Personal Threat Modeling' course by @privacyguides 🛡️
Threat modeling is crucial because it helps identify and prioritize the most probable security and privacy risks. It enables focused resource allocation, tailored defenses, and heightened awareness.
put device in bag 2) put bagged device in another bag 3) pour in a mixture of different colored beans, forming a visual mosaic 4) send picture of mosaic to recipient
First screenshot is the real PIN prompt, second one is a JavaScript prompt() with a custom prompt text.
The only differences are:
• PIN dialog is at the top of the window, prompt() centered.
• PIN dialog says "Sign In" on the button, prompt() says "OK" (which is not customizable).
• PIN dialog has "https://", prompt() just the domain.
I'd say that makes it pretty trivial to phish for Passkey PINs … 🤦♂️
🆕 blog! “There's nothing you can do to prevent a SIM-swap attack”
It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...! Yes, users should probably take better care of their digital credentials and bury t…
It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...!
Yes, users should probably take better care of their digital credentials and bury them in a digital vault. But there are some things which are simply impossible for a user to protect against. Take, for example, a SIM-swap attack.
You probably have your phone-number tied to all sorts of important services. If you want to recover your email, log in to a bank, or prove your identity - you'll probably need to receive a call or SMS. If an attacker can take over your phone number, they're one step closer to taking over your accounts.
I keep saying "your phone number", but that's a clever lie. The phone number does not belong to you. It belongs to the network operator and they define which SIM the number points to.
This means a suitably authorised person at the telco can point "your" number to a new SIM card. That's helpful if you've lost your SIM but bad if an attacker wants to divert your number.
What can you do to stop this attack? Nothing.
Oh, you can have a strong and unique password on your account, and you can hope your telco uses TOTP and PassKeys. But it turns out that it is possible to bribe telco employees for the low, low price of US$1000.
If your security rests on a phone number, you've effectively outsourced your security to the most bribeable manager employed by your telco.
Now, I said there's nothing you can do. That isn't quite true. You can attempt to pen-test yourself.
Go to your phone company's account. Set a long password and complex password. Change your mother's maiden name to HK2BY@]'PU,:!VQ;}baTj. Turn on every security measure you can find. Call the phone company from a different phone and explain that you lost your phone and want a new SIM card. If they ask for your mother's maiden name, say "Oh, I set it to a long stream of gibberish". If they ask where to send the SIM, give a trusted friend's address. If your phone company is negligent and send out a new SIM on the basis of poor verification, then you should move your number to a more reputable provider.
It's good fun to try and social-engineer a call-centre worker for your own details. But it's probably illegal to try and bribe someone to hijack yourself.
Anyway, please try to remove your phone number as a critical lynchpin in your security regime.
Today I was half a second away from tapping a link in an SMS that was informing me I need to renew my credit card details because my CC was expiring.
My CC IS expiring this month. I updated my CC details on two other services yesterday. Through sheer dumb luck the scammer happened to bait their hook correctly.
I must not be complacent.
Complacency is the opsec-killer.
Complacency is the little death that brings identity theft.
I just released an OPSEC guide on my site for just 5$. It goes into the depths of how you can organize your internet life and become as private as possible. It also comes with tips and a variety of solutions. A sample is also provided.
Price: 5$
Payment Method: Crypto (All popular coins including Monero)
#Russia published alleged intercept of #GermanyBundeswehr officers discussing the use of Taurus long-range missiles in #Ukraine. The intercept may be a deep fake, but so far it has been not denied by German government.
In the first place, it’s an obvious #OPSEC screw up on the side of German officers, one of whom was reportedly in Singapore when the call was wiretapped (do you remember 2014 Nuland and Pyatt stupidly talking over unprotected phones in Euromaidan and being picked by Russian-controlled SBU?).
But apart from that I don’t see anything in the call that would be in any way a shame for Germany, quite the opposite: they are actively supporting Ukraine with weapons and discuss their technical details. That’s great and we should have more of these, not necessarily in public and not leaked by Russians.
Some people are concerned about “escalation”, but just like with NATO personnel in Ukraine, “escalation” for whom? Because Russian media are telling their audience “Russia is at war with NATO” already since 2023. They hyped the legendary NATO presence so high that their military is already laughing at it, because they best of all know they’re fighting regular Ukrainian army with some NATO weapons and some NATO ammunition shortages.
So I believe the group the most impacted by Russian leak is those EU and US politicians who would like to prefer their position cloaked in a safe “not our war” zone.
🚨 Important update from @signalapp 🚨
The latest update (v7 on Desktop):
✅ Keep your phone number hidden
✅ Choose to share a username instead
✅ Take control with new privacy settings - You decide who finds you by phone number.
I'm doing some funny OSINT stuff and... I have found some funny stuff.
I looked him up on Google, Found a Discord report about him with his real email attached.
Looked up his email, and found a post on the ctkpaarr forums (the one he's advertising the discord) of him being currently flamed for this current ongoing incident.
The best part? He bought the script using a PayPal account. With his real name and identity.
He is a real skid. He just bought an off-the-shelf script and decided to piss off a lot of people, even the dude he bought it from with his antics. Bro snitched on himself and his entire community LMEOW
For the sake of my own job, my rep and legal security I'm not gonna tell where exactly I found this, but you guys can find it yourself. Figure it out.
This guy is making me dying out of laughter 💀 Our team @hq is hysterical right now at this horrible opsec.
Split tunneling feature has been disabled as it was leaking user #DNS requests - which can be used to ascertain browsing activity to whoever captures the leaked requests - since at least 2022.
Not a #VPN I would recommend for other reasons, but yeah - choose your VPN provider carefully.
idk who needs to hear this, but your threat model / opsec precautions shouldn't just be based on your current situation. you need to consider anything and everything that could happen in the foreseeable future
that includes a change of political climate, a change of your own skill sets and undertakings, etc
Make sure you let them know to do some input sanitation. Apparently #spam and #scam creators are now signing up their targets for newsletters and put links to their stuff in the name field or other fields, that way the recipient might be shown a functioning link.