US: Crime Rings Enlist Hackers To Hijack Trucks
It's 'a complex mix of internet access and physical execution,' says
the chief information security officer at Cequence Security.
By breaking into carriers' online systems, cyber-powered criminals
are making off with truckloads of electronics, beverages and other goods.
In the most recent tactics identified by cybersecurity firm Proofpoint,
hackers posed as freight middlemen, posting fake loads to the boards.
They slipped links with malicious software into email exchanges with
bidders such as trucking companies.
By clicking on the links, trucking companies unwittingly downloaded
remote-access software that lets the hackers take control of their
online systems.
Once inside, the hackers used the truckers' accounts to bid on real
shipments, such as electronics and energy drinks, said Selena Larson,
a threat researcher at Proofpoint.
'They know the business,' she said.
'It's a very convincing full-scale identity takeover.'
So what's the upshot for you?
'The average value of cargo thefts is increasing as organized crime
groups become more discerning, preferring high-value targets.'
Global: A Windows Update Broke Login Button, and
Microsoft's Advice is To Click Where It Used To Be
Microsoft has acknowledged that a recent Windows preview update,
KB5064081, contains a bug that renders the password icon invisible
on the lock screen, leaving users to click on what appears to be
empty space to enter their credentials.
The issue affects Windows Insider channel users who installed the
non-security preview update.
The company's suggested workaround is straightforward if somewhat
absurd: click where the button should be, and the password field
will appear. Microsoft said it is working to resolve the issue.
So what's the upshot for you?
Hopefully you can remember where that was...
AU: Australia Spent $62 Million To Update
Its Weather Web Site and Made It Worse
Australia last updated its weather site a decade ago.
In October, during one of the hottest days of the year, the Bureau of
Meteorology (BOM) revealed its new web site and was immediately
castigated for doing so.
Complaints ranged from a confusing layout to not being able to find
information.
Farmers were particularly incensed when they found out they could no
longer input GPS coordinates to find forecasts for a specific location.
When it was revealed the cost of this update was A$96.5 million
($62.3 million), 20 times the original cost estimate, the temperature
got even hotter.
BOM, whose site receives more than 2.6 billion views a year, tried to
explain that the refresh - prompted by a major cybersecurity breach in
2015 - was aimed at improving stability, security and accessibility.
It did little to satisfy the public.
Some frustrated users turned to humour: 'As much as I love a good
game of hide and seek, can you tell us where you're hiding synoptic
charts or drop some clues?'
Malcolm Taylor, an agronomist in Victoria, told the Australian
Broadcasting Corporation (ABC) that the redesign was a complete disaster.
'I'm the person who needs it and it's not giving me the information
I need,' the plant and soil scientist said.
So what's the upshot for you?
As psychologist and neuroscientist Joel Pearson put it, 'First you
violate expectations by making something worse, then you compound
the injury by revealing the violation was both expensive and avoidable.
It's the government IT project equivalent of ordering a renovation,
discovering the contractor has made your house less functional, and
then learning they charged you for a mansion.'
US: FTC schools edtech outfit after intruder walked
off with 10M student records
The Federal Trade Commission (FTC) has accused Illuminate
Education, Inc. of failing to protect the personal data of
over 10 million students.
In late December 2021, a hacker used credentials from a
former Illuminate employee to access the company’s
cloud-based databases.
The breach exposed sensitive info - from student addresses
and dates of birth to academic records and health data.
Despite promoting itself as using industry-standard protections,
Illuminate ignored warnings dating back to January 2020.
According to the FTC, it stored data in plain text until
at least January 2022 and lacked basic safeguards such as access
controls, threat detection and patch management.
As part of a proposed order, Illuminate must delete unnecessary
student data, adopt a full data-security program, publish a
clear data-retention schedule and report any future breaches.
The company is also banned from misrepresenting its privacy
practices or delaying breach notifications.
So what's the upshot for you?
Rather than a slap on the wrist, we'd advocate for a
good boot to the backside.
Remember this company is compromising the future of children.
Now they have their whole lives to fight against something
that a group of morons set in place.
There is no excuse.
Global: Syntax hacking: Researchers discover sentence
structure can bypass AI safety rules
Researchers have discovered that some large language models (LLMs)
can be tricked into ignoring their built-in safety rules simply
by manipulating sentence structure - not by changing the meaning
of the prompt.
In experiments, models responded as if they understood normal
questions even when the words made no sense, showing the models
sometimes rely heavily on grammar patterns rather than semantics.
This vulnerability could help explain why certain 'jailbreak'
attacks - where someone gets an AI to produce unsafe or disallowed
content - succeed despite safety filters.
The effect arises because the AI learns to treat certain syntactic
templates as cues to respond, regardless of actual meaning.
The researchers warn that this 'syntax-hacking' undermines prevailing
assumptions about AI alignment.
It shows that safety measures built around filtering explicit unsafe
content may be insufficient when adversarial users exploit
structural loopholes.
In short, the study reveals that current AI safety approaches may be
brittle - the shape of a sentence matters as much as its content,
exposing serious blind spots.
So what's the upshot for you?
This matters especially if you use or build on AI tools:
it signals that even well-trained models may misbehave when
confronted with clever manipulations of language, meaning
you should treat their outputs with caution even when safety
filters seem active.
US: Flock Uses Overseas Gig Workers To Build Its
Surveillance AI
Flock, the automatic license plate reader and AI-powered camera
company, uses overseas workers from Upwork to train its machine
learning algorithms, with training material telling workers how
to review and categorize footage, including images of people and
vehicles in the United States.
The findings bring up questions about who exactly has access to
footage collected by Flock surveillance cameras and where people
reviewing the footage may be based.
Flock has become a pervasive technology in the US, with its cameras
present in thousands of communities that cops use every day to
investigate things like carjackings.
Local police have also performed numerous lookups for ICE in the
system.
Companies that use AI or machine learning regularly turn to overseas
workers to train their algorithms, often because the labor is
cheaper than hiring domestically.
But the nature of Flock's business - creating a surveillance
system that constantly monitors US residents' movements - means
that footage might be more sensitive than other AI training jobs.
Broadly, Flock uses AI or machine learning to automatically detect
license plates, vehicles, and people, including what clothes they
are wearing, from camera footage.
Tasks include categorizing vehicle makes, colors, and types,
transcribing license plates, and 'audio tasks.'
Flock recently started advertising a feature that will detect
'screaming.' The panel showed workers sometimes completed thousands
upon thousands of annotations over two-day periods.
The exposed panel included a list of people tasked with annotating
Flock's footage.
Taking those names, 404 Media found some were located in the
Philippines, according to their LinkedIn and other online profiles.
Many of these people were employed through Upwork, according
to the exposed material.
Upwork is a gig and freelance work platform where companies
can hire designers and writers or pay for 'AI services,' according
to Upwork's website.
The tipsters also pointed to several publicly available Flock
presentations which explained in more detail how workers were
to categorize the footage.
It is not clear what specific camera footage Flock's AI workers
are reviewing.
But screenshots included in the worker guides show numerous images
from vehicles with US plates, including in New York, Michigan,
Florida, New Jersey, and California.
Other images include road signs clearly showing the footage is taken
from inside the US, and one image contains an advertisement for a
specific law firm in Atlanta.
So what's the upshot for you?
This gives us insight into how much of our daily movements - captured
by cameras nationwide - may be watched and labeled by parties unknown.
That fact alone forces a rethink of what your privacy means in a world
where literally anyone's viewing can be global and immediate.
EU/CH: Europol nukes Cryptomixer laundering hub, seizing €25M
in Bitcoin
Europol, together with Swiss and German authorities, has dismantled
Cryptomixer - a major cryptocurrency mixing service used to launder
illicit funds.
Three servers were seized in Switzerland, the cryptomixer.io domain
shut down, 12 terabytes of data captured and more than €25 million
in Bitcoin confiscated.
Cryptomixer operated by pooling deposits from many users, then
redistributing the coins randomly so that tracing transactions became
extremely difficult.
This method was popular among ransomware operators, dark-web marketplaces
and other criminal networks to conceal the origin of illegal proceeds.
Since its inception in 2016, Cryptomixer is believed to have laundered
more than €1.3 billion in Bitcoin, according to Europol’s estimates.
The takedown is part of a broader crackdown on the infrastructure behind
cybercrime - not just the criminals themselves.
Authorities aim to cut off their tools to make illicit money flows far
harder to hide.
So what's the upshot for you?
For those following cryptocurrency regulation or risk in digital assets,
regulators and law enforcement are increasingly going after
money-laundering services - making some crypto channels less opaque.
EU: Get us off Microsoft! Lawmakers press EU Parliament
to change in-house IT.
A cross-party group of members of the European Parliament (MEPs)
has formally called for the institution to stop using software
from Microsoft for internal IT.
The demand, addressed to Parliament leadership, urges replacing
cloud-based Office 365 (and even hardware from US firms) with
European alternatives - as part of a push for digital sovereignty.
Critics argue that depending on US-owned technology exposes EU
institutions to political and security risks, and involves sending
taxpayer money abroad.
The MEPs say the change is feasible and point to existing European
tools as pragmatic substitutes.
This call comes amid growing concern across Europe over dominance
by a few big tech firms and over data protection under US
jurisdiction - a backdrop that has fueled efforts for greater
independence in cloud, AI, and digital infrastructure.
By pushing the European Parliament itself to adopt 'homegrown'
IT, these lawmakers aim to set a symbolic precedent that could
encourage other institutions and governments in Europe to follow.
So what's the upshot for you?
This move reframes everyday software use in Brussels as a
question of sovereignty - reminding us that tools matter as
much as treaties when shaping Europe’s digital future.
And for the rootin’ tootin’ roundup
Cyber-criminals are impersonating freight brokers, infecting
trucking companies with remote-access malware, and then using
legitimate accounts to divert high-value loads.
The result is a sharp rise in sophisticated, digitally enabled
cargo theft across the country.
A recent Windows Insider preview update made the password
field completely invisible on the lock screen.
Microsoft’s official workaround: click the empty space where
the button used to be.
The Bureau of Meteorology’s long-awaited $62 million site
redesign removed key features Ozzie farmers relied on and launched
with a confusing interface.
Public fury intensified when the final cost was revealed to
be twenty times the original estimate.
Illuminate Education stored student data in plain text and
ignored years of security warnings, enabling a hacker to steal
records of over 10 million children. The FTC has now imposed
strict new data-protection and deletion requirements.
By merely altering sentence syntax without changing meaning,
researchers can force leading LLMs to disregard their safety training.
The discovery exposes a fundamental weakness in current
alignment techniques.
Flock Safety, whose AI cameras monitor millions of U.S. vehicles daily,
outsources footage labeling to low-paid freelancers in the Philippines
and elsewhere. Sensitive images of American drivers and license plates
are thus reviewed by unknown workers abroad.
Europol, Swiss, and German authorities have dismantled Cryptomixer,
a service that laundered over €1.3 billion for ransomware gangs and
dark-web markets. Servers were seized, the domain shut down, and
€25 million in Bitcoin confiscated.
A cross-party group of MEPs is urging the European Parliament to
abandon Microsoft Office 365 and U.S.-made hardware in favor of
European alternatives. The push frames everyday software choice
as a critical issue of digital sovereignty and security.
And our Quote of the week: “Being divorced is like being hit by
a Mack truck. If you live through it, you start looking very
carefully to the right and to the left.” — Jean Kerr
That's it for this week. Stay safe, stay secure, keep on Truckin’,
and we’ll see you in Fourteen while we look for a better website to
host our content on.