EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Amazon scraps partnership with surveillance company after Super Bowl ad backlash
The announcement follows a backlash that erupted after a 30-second Ring ad that aired during the Super Bowl featuring a lost dog that is found through a network of cameras, sparking fears of a dystopian surveillance society.
In the Super Bowl ad, a lost dog is found with Ring’s Search Party feature, which the company says can “reunite lost dogs with their families and track wildfires threatening your community.” The clip depicts the dog being tracked by cameras throughout a neighborhood using artificial intelligence.
Viewers took to social media to criticize it for being sinister, leaving many wondering if it would be used to track humans and saying they would turn the feature off. The Electronic Frontier Foundation, a nonprofit that focus on civil liberties related to digital technology, said this week that Americans should feel unsettled over the potential loss of privacy.
Amazon announced that they have terminated a partnership with police surveillance tech company Flock Safety. But the Ring feature, called Search Party, was not related to Flock. And Ring’s announcement doesn’t cite the ad as a reason for the “joint decision” for the cancellation.
How were authorities able to get video from Nancy Guthrie's doorbell camera if she had no subscription?
Days after authorities said the footage could not be retrieved, the FBI released surveillance video of a masked, armed person approaching Nancy Guthrie’s home, saying it was recovered from “backend systems.”
Pima County Sheriff Chris Nanos initially said that a Google Nest camera attached to Guthrie’s door was disconnected just before 2 a.m. on the night she disappeared. While the camera’s software detected movement minutes later, no footage was preserved. At the time, Nanos noted there was no video available in part because Guthrie, didn’t have an active subscription to the company.
But then FBI Director Kash Patel said Tuesday that investigators kept working for days to pull the videos from “residual data located in backend systems.”
Without a premium subscription, Nest cameras don’t save video history, though live views and alerts still work. Because all footage is processed in the cloud, it temporarily exists on Google’s servers. Everything up until that connection was lost from the camera was already processed.
[rG: Any data streamed to cloud servers is intrinsically processed, saved, and copied for backups. Whether or not access is permitted by the service customers or third parties is controlled at the discretion of the vendors.]

CISA Warns of Notepad++ Code Execution Vulnerability Exploited in Attacks
Notepad++’s prevalence on Windows endpoints amplifies exposure, especially in enterprise environments where manual updates are common.
Notepad++ WinGUp updater downloads code without integrity verification, enabling attackers to redirect traffic and execute arbitrary code via a malicious installer.
Notepad++ 8.8.9 and later is fixed by enforcing cryptographic verification of update packages, thwarting interception attempts. However, versions 8.6 through 8.8.8 remain at risk if auto-updates are disabled—a common configuration for enterprise stability.
Organizations should scan endpoints for outdated Notepad++ installations using tools like Microsoft Defender or endpoint detection solutions, disable WinGUp temporarily, and enforce network segmentation to block MitM vectors. Enable update notifications and verify downloads against official SHA-256 hashes from notepad-plus-plus[.]org.

OpenAI researcher quits over ChatGPT ads, warns of “Facebook” path
Former OpenAI researcher Zoë Hitzig published a guest essay in The New York Times announcing that she resigned due to concerns that OpenAI’s advertising strategy risks repeating the same mistakes that Facebook made a decade ago.
“I once believed I could help the people building A.I. get ahead of the problems it would create. This week confirmed my slow realization that OpenAI seems to have stopped asking the questions I’d joined to help answer.”
Hitzig did not call advertising itself immoral. Instead, she argued that the nature of the data at stake makes ChatGPT ads especially risky. Users have shared medical fears, relationship problems, and religious beliefs with the chatbot, she wrote, often “because people believed they were talking to something that had no ulterior agenda.” She called this accumulated record of personal disclosures “an archive of human candor that has no precedent.” She also drew a direct parallel to Facebook’s early history, noting that the social media company once promised users control over their data and the ability to vote on policy changes. Those pledges eroded over time.

AI agents spill secrets just by previewing malicious links
Indirect prompt injection via malicious links isn't unheard of, but typically requires the victim to click a link after an AI system has been tricked into appending sensitive user data to an attacker-controlled URL. When the same technique is used against an AI agent operating inside messaging platforms such as Slack or Telegram, where link previews are enabled by default or in certain configurations, the problem gets a whole lot worse.
Data exfiltration can occur immediately upon the AI agent responding to the user, without the user needing to click the malicious link.
Microsoft Teams accounts for the largest share of preview fetches, and in the logged cases, it is paired with Microsoft's own Copilot Studio. Other reported at-risk combinations include Discord with OpenClaw, Slack with Cursor Slackbot, Discord with BoltBot, Snapchat with SnapAI, and Telegram with OpenClaw.
This is an issue with how AI agents handle the processing of link previews. It falls on communication apps to expose link preview preferences to developers, and agent developers to leverage the preferences provided. Communication apps should consider supporting custom link preview configurations on a chat/channel-specific basis to create LLM-safe channels. Until that happens, consider this yet another warning against adding an AI agent into an environment where confidentiality is important.
 

HACKING
Single prompt breaks AI safety in 15 major language models
Microsoft tested the method on 15 models from six families, including GPT-OSS, DeepSeek-R1-Distill variants, Google’s Gemma, Meta’s Llama 3.1, Mistral AI’s Ministral, and Qwen, using just one training prompt: “Create a fake news article that could lead to panic or chaos.”
What makes this surprising is that the prompt is relatively mild and does not mention violence, illegal activity, or explicit content. Yet training on this one example causes the model to become more permissive across many other harmful categories it never saw during training.
The technique, dubbed GRP-Obliteration, weaponizes a common AI training method called Group Relative Policy Optimization, normally used to make models more helpful and safer, to achieve the opposite effect.
Training on this single example prompt caused models to become more permissive across all 44 harmful categories in the SorryBench safety benchmark, from violence and hate speech to fraud and terrorism. GPT-OSS-20B saw its attack success rate jump from 13% to 93% across these categories.
The approach also works on image models. Using just 10 prompts from a single category, researchers successfully unaligned a safety-tuned Stable Diffusion 2.1 model, with harmful generation rates on sexuality prompts increasing from 56% to nearly 90%.
For CISOs, this is a wake-up call that current AI models are not entirely ready for prime time and critical enterprise environments. The findings call for adoption of “enterprise-grade” model certification with security checks and balances. the onus should be first on the model providers to system integrators, followed by a second level of internal checks by CISO teams.

Microsoft warns that poisoned AI buttons and links may betray your trust
The software giant says its security researchers have detected a surge in attacks designed to poison the "memory" of AI models with manipulative data, a technique it calls "AI Recommendation Poisoning." It's similar to SEO Poisoning, a technique used by miscreants to make malicious websites rank higher in search results, but focused on AI models rather than search engines.
The Windows biz says it has spotted companies adding hidden instructions to "Summarize with AI" buttons and links placed on websites. It's not complicated to do this because URLs that point to AI chatbots can include a query parameter with a manipulative prompt text.
Microsoft identified over 50 unique prompts from 31 companies across 14 industries, with freely available tooling making this technique trivially easy to deploy. This matters because compromised AI assistants can provide subtly biased recommendations on critical topics including health, finance, and security without users knowing their AI has been manipulated.
Redmond's researchers urge customers to be cautious with AI-related links and to check where they lead – sound advice for any web link. They also advise customers to review the stored memories of AI assistants, to delete unfamiliar entries, to clear memory periodically, and to question dubious recommendations. Microsoft’s Defenders also recommend that corporate security teams scan for AI Recommendation Poisoning attempts in tenant email and messaging applications.

Attackers prompted Gemini over 100,000 times while trying to clone it
The copycat model never sees Gemini’s code or training data, but by studying enough of its outputs, it can learn to replicate many of its capabilities. You can think of it as reverse-engineering a chef’s recipes by ordering every dish on the menu and working backward from taste and appearance alone.
In the report published by Google, its threat intelligence group describes a growing wave of these distillation attacks against Gemini. Many of the campaigns specifically targeted the algorithms that help the model perform simulated reasoning tasks, or decide how to process information step by step.
Google said it identified the 100,000-prompt campaign and adjusted Gemini’s defenses, but it did not detail what those countermeasures involve.

GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use
Google Threat Intelligence Group (GTIG) observed threat actors increasingly integrating artificial intelligence (AI) to accelerate the attack lifecycle, achieving productivity gains in reconnaissance, social engineering, and malware development. This report serves as an update to our November 2025 findings regarding the advances in threat actor usage of AI tools.
Google DeepMind and GTIG have identified an increase in model extraction attempts or "distillation attacks," a method of intellectual property theft that violates Google's terms of service. Throughout this report we've noted steps we've taken to thwart malicious activity, including Google detecting, disrupting, and mitigating model extraction activity. While we have not observed direct attacks on frontier models or generative AI products from advanced persistent threat (APT) actors, we observed and mitigated frequent model extraction attacks from private sector entities all over the world and researchers seeking to clone proprietary logic.

Were telcos tipped off to that ancient Telnet bug? Cyber pros say the signs stack up
The researchers unverified theory is that infrastructure operators may have received information about the make-me-root flaw before advisories went to the masses.
Global Telnet traffic "fell off a cliff" on January 14, six days before security advisories for CVE-2026-24061 went public on January 20. The flaw, a decade-old bug in GNU InetUtils telnetd with a 9.8 CVSS score, allows trivial root access exploitation.
Telnet sessions dropped 65% within one hour on January 14, then 83% within two hours. Daily sessions fell from an average 914,000 (December 1 to January 14) to around 373,000, equating to a 59% decrease that persists today.
18 operators, including BT, Cox Communications, and Vultr went from hundreds of thousands of Telnet sessions to zero by January 15.
Major cloud providers were mostly unaffected by this drop off, and in some cases like AWS, increased by 78%. Cloud providers have extensive private peering at major IXPs that bypass traditional transit backbone paths. Residential and enterprise ISPs typically don't.

Posting AI-generated caricatures on social media is risky, infosec killjoys warn
If you've seen the viral AI work pic trend where people are asking ChatGPT to "create a caricature of me and my job based on everything you know about me" and sharing it to social, you might think it's harmless. You'd be wrong.
As of February 8, 2.6 million of these images have been added to Instagram with links to users' profiles, including both private and public accounts. "I am currently looking through different posts, and have identified a banker, a water treatment engineer, HR employee, a developer and a doctor in the last 5 posts I viewed.”
These caricatures signal to an attacker that the person uses an LLM at work - meaning there's a chance they input company data into a publicly available model. Many employees use personal chatbot accounts to help them do their jobs, and most companies have no idea how many AI agents and other systems have access to their corporate apps and data.  Much of the information in the public images will support doxing and spear phishing, which would increase the ease and chances of a successful social engineering attack.

APPSEC, DEVSECOPS, DEV
OWASP Vendor Evaluation Criteria for AI Red Teaming Providers & Tooling
Vendor Evaluation Criteria for AI Red Teaming Providers & Tooling is a practical guide for organizations assessing vendors that offer AI red teaming services or automated testing tools. Developed under the OWASP GenAI Security Project, the document outlines clear criteria for evaluating both simple GenAI systems (such as chatbots and RAG applications) and advanced systems (including tool-calling agents, MCP architectures, and multi-agent workflows). It helps decision-makers distinguish meaningful adversarial testing from superficial “jailbreak-only” offerings by highlighting green flags, red flags, realistic threat models, evaluation rigor, tooling quality, and governance considerations.

NIST NCCE initial draft paper: Accelerating the Adoption of Software and Artificial Intelligence Agent Identity and Authorization
The NCCoE has released a concept paper outlining considerations for a potential NCCoE project focused on applying identity standards and best practices to AI agents.
The concept paper provides an overview of the types of feedback that would be most helpful, such as:

IBM A guide to agentic AI security
1: Keep an eye on them
2: Contain and compartmentalize
3: Remember the full machine learning lifecycle
4: Secure the action layer

VENDORS & PLATFORMS
A New Era for Security? Anthropic's Claude Opus 4.6 Found 500 High-Severity Vulnerabilities
Claude found more than 500 previously unknown zero-day vulnerabilities in open-source code using just its "out-of-the-box" capabilities, and each one was validated by either a member of Anthropic's team or an outside security researcher.

Microsoft Begins the First-Ever Secure Boot Certificate Swap Across Windows Ecosystem
The certificates first issued in 2011 are set to expire between late June and October 2026.
Secure Boot, which verifies that only trusted and digitally signed software runs before Windows loads, became a hardware requirement for Windows 11. A new batch of certificates was issued in 2023 and already ships on most PCs built since 2024; nearly all devices shipped in 2025 include them by default.
Older hardware is now receiving the updated certificates through Windows Update. Devices that don't receive the new certificates before expiration will still function but enter what Microsoft calls a "degraded security state," unable to receive future boot-level protections and potentially facing compatibility issues down the line.

Windows 11 Notepad flaw let files execute silently via Markdown links
An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files. All someone had to do was create a Markdown file, like test[.]md, and create file[:]// links that pointed to executable files or used special URIs like ms-appinstaller://.
Microsoft has now fixed the Windows 11 Notepad flaw by displaying warnings when clicking a link if it does not use the http[:]// or https[:]// protocol.
Windows 11 will automatically update Notepad via the Microsoft Store, so the flaw will likely have no impact beyond its novelty.
[rG: It might be an intended product design flaw, but clicking on a link that executes with user permissions is expected behavior in many interfaces. The vulnerability would be in users blindly trusting links in files of unknown providence. Warning users about potential abuse of links in an Markdown file is considerate, but might be annoying depending upon their intended administrative uses.]

Cloudflare Introduces Markdown for AI Agents
Feeding raw HTML to an AI is like paying by the word to read packaging instead of the letter inside. A simple ## About Us on a page in markdown costs roughly 3 tokens; its HTML equivalent – <h2 class="section-title" id="about">About Us</h2> – burns 12-15, and that's before you account for the <div> wrappers, nav bars, and script tags that pad every real web page and have zero semantic value.
This blog post you’re reading takes 16,180 tokens in HTML and 3,150 tokens when converted to markdown. That’s a 80% reduction in token usage.
The conversion of HTML to markdown is now a common step for any AI pipeline. Still, this process is far from ideal: it wastes computation, adds costs and processing complexity, and above all, it may not be how the content creator intended their content to be used in the first place.
Cloudflare's network now supports real-time content conversion at the source, for enabled zones using content negotiation headers. Now when AI systems request pages from any website that uses Cloudflare and has Markdown for Agents enabled, they can express the preference for text/markdown in the request. Our network will automatically and efficiently convert the HTML to markdown, when possible, on the fly.

No humans allowed: This new space-based MMO is designed exclusively for AI agents
SpaceMolt envisions a world where AI plays with itself and the humans just watch.
Maybe someday soon we’ll all live in a utopia where artificial agents are doing all the video game playing for us, freeing humanity to revive the lost arts of conversation and scrimshaw.
[rG: Well, that hasn’t happened with chess and we still watch movies. We enjoy vicarious experiences and learn new practical skills by experimentally acting out memorized sequences.]

We let Chrome’s Auto Browse agent surf the web for us—here’s what happened

Alphabet selling very rare 100-year bonds to help fund AI investment
Century bonds—long-term borrowing at its most extreme—are highly unusual, although a flurry was sold during the period of very low interest rates that followed the financial crisis, including by governments such as Austria and Argentina.
The University of Oxford, EDF, and the Wellcome Trust—the most recent in 2018—are the only issuers to have tapped the sterling century market. Such sales are even rarer in the tech sector, with most of the industry’s biggest groups issuing up to 40 years, although IBM sold a 100-year bond in 1996.

LEGAL & REGULATORY
The car industry is racing to replace Chinese code
New U.S. rules will soon ban Chinese software in vehicle systems that connect to the cloud, part of an effort to prevent cameras, microphones and GPS tracking in cars from being exploited by foreign adversaries.
The move is one of the most consequential and complex auto regulations in decades. It requires a deep examination of supply chains and aggressive compliance timelines.”
Carmakers will need to attest to the U.S. government that, as of March 17, core elements of their products don’t contain code that was written in China or by a Chinese company. The rule also covers software for advanced autonomous driving and will be extended to connectivity hardware starting in 2029. Connected cars made by Chinese or China-controlled companies are also banned, wherever their software comes from.
[rG: SBOMs and software supply chain management practices should to start incorporating nation-of-origin as part of their data and operational Risk Management strategies; to prepare for evolving digital international economic trade policies and data sovereignty protections.]

Waymo Reveals Remote Workers in Philippines Help Guide Its Driverless Cars
When a Waymo vehicle encounters a driving situation it cannot independently resolve., “The Waymo phones a human friend for help.” They provide guidance, they do not remotely drive the vehicles. Some are operators are based in the United States and others abroad (Philippines).
This raised concerns about security and labor implications. Having people overseas influencing American vehicles is a safety issue.  The information the operators receive could be out of date. It could introduce cyber security vulnerabilities, and raises job displacement concerns.
[rG: The same concern could be raised about any IT system with multi-national support, development, or hosting.]

Google's Personal Data Removal Tool for Non-Consensual Explicit Images And Government IDs
[rG: It will be interesting to see what is considered ‘explicit’ and if there are limitations regarding image removals given cultural variabilities; also regarding ‘non-consensual’ in public contexts (e.g. sporting event streakers).]