US, UK, and Canadian law enforcement Thursday said that they disrupted a $45 million global cryptocurrency scam, freezing $12 million in stolen funds and identifying more than 20,000 cryptocurrency wallet addresses linked to fraud victims across 30 countries.β¦
A new extortion crew has targeted βseveral dozen high-valueβ corporations through phishing and helpdesk social-engineering, according to Google.β¦
For those who don't know: NaClCON is a new, intentionally small (300 person cap) conference focused on hacker history and culture, not zero-days or AI hype. Beach venue, open bars, CTF, the whole deal. $495 all-in.
The speaker list is a who's-who of people who built the scene:
Speakers:
Fireside chats include noid doing DEF CON war stories and Edison Carter on old-school phone phreaking in the 80s/90s and a grog filled night with the dread pirate Hackbeer'd.
A couple things worth knowing before you register:
The conference hotel (Courtyard by Marriott Carolina Beach Oceanfront) has a room block at $139/night (roughly 70% off the peak beach-season rates) so book through naclcon.com/hotel or use group code NACC. Block expires May 1st so don't sit on it.
P.S. If the tickets are too large a hurtle for you, DM me and I'll see what I can do to get you a discount code.
Hi everyone, Iβm a Cybersecurity student at HFU in Germany and recently submitted a vulnerability to the Google VRP regarding the Google Password Manager on Android (tested on Pixel 8, Android 16).
The Issue: When you view a cleartext password in the app and minimize it, the app fails to apply FLAG_SECURE or blur the background. When opening the "Recent Apps" (Task Switcher), the cleartext password is fully visible in the preview, even though the app actively overlays a "Enter your screen lock" biometric prompt in the foreground. It basically renders its own secondary biometric lock completely useless.
Google's Response: Google closed the report as Won't Fix (Intended Behavior). Their threat model assumes that if an attacker has physical access to an unlocked device, it's game over.
The BSI Discrepancy: What makes this interesting is that the German Federal Office for Information Security (BSI) recently published a study on Password Managers. In their Threat Model A02 ("Attacker has temporary access to the unlocked device"), they explicitly mandate that sensitive content MUST be protected from background snapshots/screenshots. So while Google says this is intended, national security guidelines classify this as a vulnerability. (For comparison: The iOS built-in password manager instantly blurs the screen when losing focus).
Here is my PoC screenshot:
https://drive.google.com/file/d/1PTGKRpyFj_jY9S76Jlo62mSCDJ3c6uLO/view?usp=sharing
https://drive.google.com/file/d/1nIJMQbM4R17EMt9f1Ffb4UmCPYY7-GXb/view?usp=sharing
What are your thoughts on this? Should password managers protect against shoulder surfing via the Task Switcher, or is Google right to rely solely on the OS lockscreen?
A cybersecurity incident has knocked FleetWave into a "major outage" across the UK and US after Chevin Fleet Solutions pulled parts of its SaaS platform offline and left customers scrambling for answers.β¦
Hackers have been quietly exploiting what appears to be a zero-day in Adobe Acrobat Reader for months, using booby-trapped PDFs to profile targets and decide who's worth fully compromising.β¦
Microsoft says that it will work on how it communicates with developers after two leading open source figures were suddenly locked out of their accounts, leaving them unable to sign updates.β¦
Apple Intelligence, the personal AI system integrated into newer Macs, iPhones, and other iThings, can be hijacked using prompt injection, forcing the model into producing an attacker-controlled result and putting millions of users at risk, researchers have shown.β¦
Login