EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Texas Attorney General Investigates 25M+ Conduent Business Services Data Breach
The Conduent data breach involved unauthorized access to information such as names, birthdates, addresses, Social Security numbers, medical information, and health insurance information. Hackers had access to its systems from October 21, 2024, to January 13, 2025, and more than a year after the incident was detected, the total number of affected individuals has yet to be confirmed.
The SafePay ransomware group claimed responsibility for the attack on Conduent Business Services in February 2025, adding the company to its dark web data leak site. SafePay claimed to have stolen 8.5 terabytes of data in the attack and threatened to publish the stolen data if the ransom was not paid. Conduent is no longer listed on the site.
The U.S. list of confirmed victims has continued to grow, with Premera Blue Cross, Humana, Volvo Group North America (17,000 employees), and various Blue Cross and Blue Shield (BCBS) branches (Texas, Montana, Illinois) known to have been affected. The full list of affected entities has not been disclosed.
Attorney General Paxton is seeking information on the security policies, practices, and protocols at Conduent to determine if the company complied with state law, and has requested evidence from one of the victims: Blue Cross Blue Shield of Texas. Conduent provides mailroom, payment, and back-office support to BCBS of Texas, which requires access to certain types of member information. BCBS of Texas has yet to disclose how many of its members were affected, but overall, Attorney General Paxton has been informed that more than 15.49 million individuals in Texas have been affected. That total has increased at least twice since the initial notification was issued.
In addition to negligence and negligence per se, the lawsuits assert claims such as breach of third-party beneficiary contract and unjust enrichment, and seek a jury trial, compensatory, statutory, and punitive damages, and injunctive relief, requiring the court to order Conduent to implement a range of security measures to ensure sensitive data is adequately protected.
Cybercriminals swipe 15.8M medical records from French doctors ministry
The attack targeted Cegedim's MonLogicielMedical (MLM) software, which it claims is used by 3,800 doctors across France, 1,500 of whom were affected.
Cegedim confirmed that all the stolen information was contained in patients' medical files. Doctors' notes were "in free text," and included information such as full names, genders, dates of birth, telephone numbers, home addresses, and email addresses.
These medical histories included, in some cases, details of conditions such as HIV/AIDS and individuals' sexual orientations. Top politicians were reportedly among the individuals whose info was extracted.
LexisNexis confirms data breach as hackers leak stolen files
The threat actor, FulcrumSec, says that on February 24 they gained access to the company's AWS infrastructure by exploiting the React2Shell vulnerability in an unpatched React frontend app.
LexisNexis L&P admitted that hackers breached its network, noting that the stolen information was old and consisted mostly of non-critical details.
FulcrumSec detailed the intrusion, saying that they "exfiltrated 2.04 GB of structured data from LexisNexis AWS infrastructure" via a vulnerable React container with access to:
536 Redshift tables
430+ VPC database tables
53 AWS Secrets Manager secrets in plaintext
3.9M database records
21,042 customer accounts
5,582 attorney survey respondents
45 employee password hashes
Complete VPC infrastructure mapping
FulcrumSec said that they also had access to around 400,000 cloud user profiles that included real names, emails, phone numbers, and job functions. According to the hackers, 118 users had .gov addresses belonging to U.S. government employees, federal judges and law clerks, U.S. Department of Justice attorneys, and U.S. SEC staff.
They also criticized the company’s security practices that permitted a single ECS task role "read access to every secret in the account, including the production Redshift master credential."
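The over-broad task-role grant criticized above can be caught in a policy review. The following is an added example, not code from LexisNexis, AWS or the cited report: it flags Allow statements that let a role read every Secrets Manager secret in the account. The two policies, the account ID and the secret names are constructed, and `NotAction` statements are not evaluated.

```python
import fnmatch
import json

TARGET_ACTION = "secretsmanager:GetSecretValue"

# Constructed policies for illustration; account ID and secret names are placeholders.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadSecrets",
    "Effect": "Allow",
    "Action": "secretsmanager:Get*",
    "Resource": "*"
  }]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadOwnConfig",
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue"],
    "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:frontend/app-config-*"
  }]
}""")


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_grants_read(pattern):
    """True if an Action pattern (case-insensitive, * and ? wildcards) covers GetSecretValue."""
    return fnmatch.fnmatchcase(TARGET_ACTION.lower(), pattern.lower())


def resource_is_account_wide(resource):
    """True if a Resource pattern covers every secret rather than a named subset."""
    if resource == "*":
        return True
    # ARN layout: arn:partition:service:region:account:secret:name
    parts = resource.split(":", 6)
    if len(parts) < 3 or parts[2] not in ("secretsmanager", "*"):
        return False
    if len(parts) < 7:
        # A trailing * swallowed the remaining ARN fields.
        return resource.endswith("*")
    return parts[5] == "secret" and parts[6] == "*"


def find_broad_secret_access(policy):
    """Return the Allow statements that grant secret reads across the whole account."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if action_grants_read(a)]
        if not actions:
            continue
        if "NotResource" in stmt:
            # Allow + NotResource grants everything except the listed ARNs.
            broad = ["NotResource"]
        else:
            broad = [r for r in _as_list(stmt.get("Resource"))
                     if resource_is_account_wide(r)]
        if broad:
            findings.append({
                "statement": stmt.get("Sid", index),
                "actions": actions,
                "resources": broad,
            })
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_broad_secret_access(policy))
```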
Workers report watching Ray-Ban Meta-shot footage of people using the bathroom
Ray-Ban Meta owners may be unaware that the devices are sometimes recording. Workers for Kenya-headquartered Sama provide data annotation for Ray-Ban Metas.
Employees reportedly pointed to users recording their bank card or porn that they’re watching, seemingly inadvertently. “We see everything, from living rooms to naked bodies. Meta has that type of content in its databases.”
A proposed class-action lawsuit filed against Meta and Luxottica of America, a subsidiary of Ray-Ban parent company EssilorLuxottica, challenges Meta’s slogan for the glasses, “designed for privacy, controlled by you,” saying: “No reasonable consumer would understand ‘designed for privacy, controlled by you’ and similar promises like ‘built for your privacy’ to mean that deeply personal footage from inside their homes would be viewed and catalogued by human workers overseas.”
Dev stunned by $82K Gemini bill after unknown API key thief goes to town
This is quite a cost jump, considering the three-developer Mexico-based company usually spends $180 a month.
After deleting the compromised key, disabling the Gemini APIs, rotating credentials, and taking other security precautions, the developer says he opened a support case with Google and got nowhere. A Google representative allegedly cited the company’s shared responsibility model – Google secures its platform and users must secure their own tools – and said the Chocolate Factory had to charge the developer for the unauthorized API costs.
Truffle Security researchers scanned millions of websites and found 2,863 live Google API keys – originally used as project identifiers for billing purposes – that now also authenticate to Gemini, thus giving attackers access to sensitive data, and allowing them to rack up unauthorized charges on someone else's account.
The flaw stems from the format of Google Cloud's API keys, which start with the string AIza and are therefore easy to find.
Anyone who uses Google Cloud and its services can use Truffle Security's open source secrets scanning tool TruffleHog to scan code, CI/CD pipelines, and web assets for leaked Google API keys. "The pattern we uncovered here (public identifiers quietly gaining sensitive privileges) isn't unique to Google. As more organizations bolt AI capabilities onto existing platforms, the attack surface for legacy credentials expands in ways nobody anticipated."
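A minimal version of the check described above, as an added example (not TruffleHog's code and not part of the cited research): it scans text assets for strings shaped like Google API keys and reports where each one first appears, with the value redacted. The regex is the commonly used shape for these keys ("AIza" plus 35 URL-safe characters), and the file names and keys are constructed, non-functional samples.

```python
import re

# Commonly used shape of a Google API key: "AIza" followed by 35 URL-safe characters.
# The look-arounds stop a substring of a longer token from being reported as a key.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

# Constructed, non-functional keys used only in the sample assets below.
FAKE_KEY_A = "AIza" + "A1b2C3d4E5" * 3 + "f6G7h"   # 4 + 35 characters
FAKE_KEY_B = "AIza" + "Zz-_9" * 7                  # 4 + 35 characters

# Constructed web assets standing in for files fetched from a site or a repo checkout.
SAMPLE_ASSETS = {
    "static/js/app.bundle.js":
        'const cfg={apiKey:"' + FAKE_KEY_A + '",projectId:"demo"};\n',
    "index.html": (
        "<html>\n"
        '<script src="https://maps.example/js?key=' + FAKE_KEY_B + '"></script>\n'
        "</html>\n"
    ),
    ".env.example": "GOOGLE_API_KEY=AIzaREPLACE_ME\n",   # too short to be a key
    "notes.txt": "token=x" + FAKE_KEY_A + "\n",          # part of a longer token
}


def redact(key):
    """Keep enough of the key to locate it without copying the secret into reports."""
    return key[:8] + "..." + key[-4:]


def scan_assets(assets):
    """Return one finding per distinct key: first location and number of occurrences."""
    findings = {}
    for path in sorted(assets):
        for lineno, line in enumerate(assets[path].splitlines(), start=1):
            for match in KEY_RE.finditer(line):
                key = match.group(0)
                entry = findings.setdefault(key, {
                    "key": redact(key),
                    "first_seen": f"{path}:{lineno}",
                    "count": 0,
                })
                entry["count"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for finding in scan_assets(SAMPLE_ASSETS):
        print(finding)
```

A hit only shows that a key-shaped string is exposed; whether it authenticates to Gemini depends on which APIs are enabled for its project and on the key's restrictions.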
The 2024 intrusion into TfL's systems potentially gave attackers access to a database covering as many as 10 million customers who had interacted with the capital's transport network.
TfL confirmed it had sent emails informing more than 7 million customers about the incident, though noted an open rate of 58% – suggesting millions actually saw the warning in their inbox.
This figure is a far cry from the 5,000 initially tabled by TfL, though the transport network confirmed these customers were contacted as a high priority due to the fact that their bank account data was likely accessed.
HACKING
Hacked traffic cameras and US intelligence: How a plot to kill Iran’s supreme leader came together
Hacked years ago, the cameras allowed Israel to map the city in detail, establish patterns of movement, and build an intricate, complex picture of what was happening inside an enemy capital.
The cameras were only one part of a much more complex system that allowed Israel to build what one Israeli source familiar with the matter called an AI-powered “target production machine” capable of processing massive amounts of data. In went visual intelligence, human intelligence, signals intelligence, intercepted communications, satellite imagery and more. Out came a pinpoint location in the form of a 14-digit grid coordinate.
After Operation Epic Fury, Iran May Turn to Cyberwar — Are Networks Ready?
U.S. critical infrastructure – especially water utilities, energy operators, healthcare systems, telecommunications, the media, and regional government networks – could experience increased attacks. Attacks could include DDoS campaigns, ransomware attacks, spear phishing, and disruptive intrusion attempts aimed at undermining public confidence.
In the fortnight leading up to this weekend’s events, a significant surge in highly sophisticated probing attacks against APIs and mobile applications that provide critical communication links for regional governments was observed.
Iran’s most capable espionage group, APT34, has gone completely quiet during what has been the most significant crisis in their country’s modern history. “We worry that it might just mean they’re getting ready.”
Depending on who is in power, we could expect a ‘scorched earth’ approach next. Currently, Iran’s domestic cyber infrastructure is in a defensive crouch following the massive digital blackout. As they regain control, they will likely move from probing or persistence to destruction. This means moving beyond standard DDoS attacks to wiper malware and API-based disruptions that could cripple the mobile apps global users rely on for everything from banking to emergency alerts.
Iran’s cyberwar on American banks
There is some historical precedent for this: from late 2011 to mid-2013, nearly 50 financial institutions in the U.S. were attacked repeatedly by a group of hackers aligned with the Iranian government. The attacks disabled bank websites and prevented customers from accessing their accounts.
Iran's Cyber-Kinetic War Doctrine Takes Shape
Following the US and Israeli attack on Iran on Feb. 28, Iran has unified cyber and kinetic attacks into a single doctrine.
Check Point Research published research identifying intensified targeting of IP cameras, targeting popular Hikvision and Dahua cameras with a number of authentication and command-related vulnerabilities. The bugs they use include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067 for Hikvision, and CVE-2021-33044 in the case of Dahua. Patches for all vulnerabilities are available now.
Flashpoint shared research highlighting ongoing targeting of industrial control systems (ICS) in Israel and other countries; logistics sabotage (pro-Iranian actors reportedly breached the Jordan Silos and Supply General Company via phishing); and government entity targeting with distributed denial of service (DDoS) attacks in places like UAE and Bahrain. That's in addition to other activity Flashpoint has tracked in recent days, including ongoing propaganda campaigns and missile strikes against data centers.
CrowdStrike has observed muted IRGC-linked retaliatory cyberattacks, which are limited in scope. The company has, however, seen a surge in pro-Iranian Russian hacktivism, including attacks targeting ICS, SCADA systems, and CCTV networks belonging to US-based entities.
MuddyWater is part of the Iranian Ministry of Intelligence and Security (MOIS), and has been carrying out cyber campaigns on behalf of the Iranian intel agency since approximately 2018.
Hamas-linked attackers are dropping spyware disguised as an emergency-alert app on Israelis' smartphones via SMS messages
Cyberwarriors elevated to big leagues in US war with Iran
The Pentagon has admitted that cyber soldiers are playing a key role in its attacks on Iran. "Coordinated space and cyber operations effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate, or respond effectively."
[rG: Continued evolution of signals intelligence cyber warfare seen in previous conflicts: Ukraine-Russia, Israel attacks on Hamas, US-Venezuela extradition.]
Hackers abused Claude Code to build exploits and steal 150GB of data in a cyberattack targeting Mexican government systems.
By bypassing AI guardrails and framing actions as authorized, the attacker automated exploit writing and data theft, exfiltrating 150GB of records and exposing about 195 million identities.
Attackers jailbroke Anthropic’s Claude and used it for about a month to target multiple Mexican government entities. Posing as bug bounty testers, they crafted prompts to bypass safeguards. Claude initially resisted, flagging log deletion and stealth instructions as red flags before being manipulated into assisting the operation.
In total, it produced thousands of detailed reports that included ready-to-execute plans, telling the human operator exactly which internal targets to attack next and what credentials to use. When Claude stopped being helpful, the attackers switched to ChatGPT to get guidance on moving deeper into the network and organizing stolen credentials. As the breach progressed, they repeatedly asked where else government identities and related data could be found and which additional systems to target.
Memory scalpers hunt scarce DRAM with bot blitz
Web scraping bots are increasing the pressure on the tech supply chain by scouring sites for DRAM, so their minders can snap up increasingly scarce inventory and resell it for a quick profit. The bots have been hitting select sites every 6.5 seconds to query inventories of DRAM and raw hardware components like DIMM sockets, using a technique known as cache busting to ensure they get the most up-to-date information.
Cache busting involves appending parameters to page requests so they appear different from prior requests. This ensures that the server loads the latest product information instead of serving cached data that may not reflect current product availability. The bots are also tuned to throttle their requests to an acceptable rate – presumably tested in advance – so they don't get rate limited.
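The polling pattern described above (one client, one product path, a fresh query string on every request, a steady interval tuned to stay under rate limits) can be looked for in access logs. The following detection sketch is an added example, not from the cited report; the records are constructed and the thresholds are assumptions to tune against real traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit


def build_sample():
    """Constructed access records: (epoch seconds, client address, request target)."""
    records = []
    # Poller: same path every 6.5 s, a different throwaway parameter each time.
    for i in range(12):
        target = f"/products/ddr5-32gb?_cb={i * 7919 % 100000}"
        records.append((1000.0 + 6.5 * i, "203.0.113.7", target))
    # Shopper reloading the page at irregular intervals, no query string.
    for ts in (1003.0, 1019.0, 1021.5, 1060.0, 1071.0):
        records.append((ts, "198.51.100.20", "/products/ddr5-32gb"))
    # Shopper with a stable, meaningful query string.
    for ts in (1005.0, 1012.0, 1040.0, 1044.0):
        records.append((ts, "192.0.2.33", "/products/ddr5-32gb?color=black"))
    return sorted(records)


def find_cache_busting_pollers(records, min_requests=8, min_unique_ratio=0.9,
                               max_jitter=0.15):
    """Flag (client, path) pairs polled at a steady rate with ever-changing queries.

    min_unique_ratio: share of requests whose query string was never seen before.
    max_jitter: allowed standard deviation of the request gaps relative to their mean.
    """
    groups = defaultdict(list)
    for ts, client, target in records:
        parts = urlsplit(target)
        # Group on the path alone so that cache-busting parameters collapse together.
        groups[(client, parts.path)].append((ts, parts.query))

    flagged = []
    for (client, path), hits in groups.items():
        if len(hits) < max(min_requests, 3):
            continue
        hits.sort()
        queries = [query for _, query in hits]
        unique_ratio = len(set(queries)) / len(queries)
        gaps = [later[0] - earlier[0] for earlier, later in zip(hits, hits[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else 0.0
        if unique_ratio >= min_unique_ratio and jitter <= max_jitter:
            flagged.append({
                "client": client,
                "path": path,
                "requests": len(hits),
                "interval_s": round(avg_gap, 2),
            })
    return sorted(flagged, key=lambda f: (f["client"], f["path"]))


if __name__ == "__main__":
    for finding in find_cache_busting_pollers(build_sample()):
        print(finding)
```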
DEF CON 33 Hackers' Almanack
The Almanack highlights three major, all-of-society threats that governments have yet to fix: Cybercrime, AI, and - the biggie - authoritarianism. It presents a year's worth of DEF CON research on these three topics and shows how hackers are responding to each one.
Vehicle Tire Pressure Sensors Enable Silent Tracking
TPMS sensors — mandated in the US since 2007 — transmit tire pressure readings automatically and at regular intervals whenever a vehicle is in motion. It requires no pairing or authentication and cannot be disabled without compromising the safety function it is designed to provide. The data is sent wirelessly to a receiver module, which is often integrated with the vehicle's onboard computer or a dedicated TPMS controller. The receiver monitors tire pressure and triggers a dashboard alert if the pressure drops below a predetermined safe threshold.
What makes the tracking itself possible is the fact that when a sensor transmits tire pressure data, it includes a unique ID so the vehicle's TPMS control module can tell which specific tire the data is coming from. Most TPMS sensors transmit a unique identifier in clear text that never changes during the lifetime of the tire. This unencrypted wireless communication makes the signals susceptible to eavesdropping and potential tracking by any third party in proximity to the car (up to 50 meters).
Wikipedia hit by self-propagating JavaScript worm that vandalized pages
The malicious script was stored at User:Ololoshka562/test.js [Archive], first uploaded in March 2024 and allegedly associated with scripts used in previous attacks on wiki projects. The script is believed to have been executed for the first time by a Wikimedia employee account earlier today while testing user-script functionality. It is not currently known whether the script was executed intentionally, accidentally loaded during testing, or triggered by a compromised account.
The archived test.js script shows it self-propagates by injecting malicious JavaScript loaders into both a logged-in user's common.js and Wikipedia's global MediaWiki:Common.js, which is used by everyone.
MediaWiki allows both global and user-specific JavaScript files, such as MediaWiki:Common.js and User:<username>/common.js, which are executed in editors’ browsers to customize the wiki interface.
After the initial test.js script was loaded in a logged-in editor's browser, it attempted to modify two scripts using that editor's session and privileges.
Turns out most cybercriminals are old enough to know better
The "teenage hacker in a hoodie" stereotype makes for good Netflix, but the people actually ending up in handcuffs are far more likely to be juggling mortgages than homework. Analysis of 418 publicly announced law enforcement actions between 2021 and mid-2025 shows the following offender age groups:
5% under 18 years old
18% 18-24 years old
60% 25-44 years old
37% 35-44 years old
30% 25-34 years old
LLMs can unmask pseudonymous users at scale with surprising accuracy
Recall, that is how many users were successfully deanonymized, was as high as 68%. Precision, meaning the rate of guesses that correctly identify the user, was up to 90%.
As LLMs’ success in deanonymizing people improves, the researchers warn, governments could use the techniques to unmask online critics, corporations could assemble customer profiles for “hyper-targeted advertising,” and attackers could build profiles of targets at scale to launch highly personalized social engineering scams.
Brian Krebs: How AI Assistants are Moving the Security Goalposts
Consider that OpenClaw is most useful when it has complete access to your entire digital life, where it can then manage your inbox and calendar, execute programs and tools, browse the Internet for information, and integrate with chat apps like Discord, Signal, Teams or WhatsApp.
Other more established AI assistants like Anthropic’s Claude and Microsoft’s Copilot also can do these things, but OpenClaw isn’t just a passive digital butler waiting for commands. Rather, it’s designed to take the initiative on your behalf based on what it knows about your life and its understanding of what you want done.
“The testimonials are remarkable. Developers building websites from their phones while putting babies to sleep; users running entire companies through a lobster-themed AI; engineers who’ve set up autonomous code loops that fix tests, capture errors through webhooks, and open pull requests, all while they’re away from their desks.”
You can probably already see how this experimental technology could go sideways in a hurry. The question isn’t whether we’ll deploy them – we will – but whether we can adapt our security posture fast enough to survive doing so.
APPSEC, DEVSECOPS, DEV
Your dependencies are 278 days out of date and your pipelines aren’t protected
The median dependency now trails its latest major version by 278 days, compared with 215 days last year. This year over year change reflects a widening delay in adoption cycles.
87% of organizations run at least one exploitable vulnerability in production services, affecting 40% of those services.
71% never pin the hash for any of their GitHub Actions. Pinning an action to a specific commit prevents automatic updates from introducing unexpected changes into workflows. The absence of this practice leaves pipelines open to compromise through modified dependencies.
81% of organizations use at least one marketplace action that is neither managed by GitHub nor pinned to a commit hash.
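The pinning practice described above can be checked mechanically. The following is an added example, not code from the cited report or from GitHub: it reads a workflow file as text and lists every `uses:` reference that is not pinned to a full 40-character commit SHA, separating GitHub-managed owners from third-party ones. The workflow, the action names, the SHA and the `GITHUB_OWNERS` set are constructed assumptions.

```python
import re

# Matches "uses: owner/repo@ref" with or without a leading list dash or quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Assumption: owners treated as "managed by GitHub" for this report.
GITHUB_OWNERS = {"actions", "github"}

# Constructed 40-character value standing in for a commit SHA.
FAKE_SHA = "0123456789abcdef" * 2 + "01234567"

# Constructed workflow; the example-org actions do not refer to real projects.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@{FAKE_SHA}  # v2.1.0
      - name: Deploy
        uses: example-org/deploy-action@main
      - uses: ./.github/actions/local-lint
      - uses: docker://ghcr.io/example-org/scanner:latest
      # uses: example-org/commented-out@v1
"""


def classify(ref):
    """Return (state, origin) for one `uses:` reference."""
    if ref.startswith("./"):
        # Local actions are versioned with the repository itself.
        return "local", None
    if ref.startswith("docker://"):
        # Image tags are mutable; only a digest pins the content.
        return ("pinned" if "@sha256:" in ref else "unpinned"), "third-party"
    name, _, version = ref.partition("@")
    owner = name.split("/", 1)[0]
    origin = "github-managed" if owner in GITHUB_OWNERS else "third-party"
    # Tags, branches and abbreviated SHAs can all be moved or collide.
    state = "pinned" if FULL_SHA_RE.fullmatch(version) else "unpinned"
    return state, origin


def audit_workflow(text):
    """List (line number, reference, origin) for every unpinned action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        state, origin = classify(ref)
        if state == "unpinned":
            findings.append((lineno, ref, origin))
    return findings


if __name__ == "__main__":
    for lineno, ref, origin in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({origin}) is not pinned to a commit SHA")
```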
Enterprises Aligning on Solutions That Simplify Operations and Expand Protection for APIs
AI applications have accelerated API sprawl and raised the cost of inconsistent application policy. Application Security and Delivery grew 15% in 2025 because buyers are consolidating delivery and protection into integrated platforms.
WAF (Web Application Firewalls): Web and API protection remained a priority as enterprises sought consistent enforcement for rapidly changing application surfaces, with suite packaging and shared policy models emerging as key differentiators.
ADC (Application Delivery Controllers): Demand continued to shift toward software-centric delivery models that support portability, automation, and modern application architectures, with tighter integration with security policy becoming a more visible selection criterion.
Firewalls: Buyers continued to fund foundational segmentation and policy enforcement, but procurement decisions increasingly centered on broader platform strategies that simplify operations and strengthen subscription attachment across the installed base.
SSE (Security Service Edge): Cloud-delivered access controls remained an important architectural pillar, reinforcing consolidation expectations and increasing pressure for unified policy, consistent telemetry, and simplified administration across users, sites, and workloads.
SWG (Secure Web Gateway) Appliances: The segment continued to function primarily as a transition path for organizations modernizing inspection and policy enforcement toward cloud-delivered architectures.
Ox Security: Software Supply Chain Risk: Why It Needs Your Full Attention
The NTSC 2025 Software Supply Chain Security Report highlights a 12% increase in exposed developer secrets and sensitive artifacts across open-source ecosystems, not because teams became careless, but because the attack expanded into components that were never created to be monitored. Meanwhile, industry tracking shows supply-chain attacks doubling year-over-year in 2025, reflecting a shift toward upstream compromises that propagate silently across CI/CD workflows and dependency chains.
The software supply chain extends far beyond dependencies. It’s the full ecosystem of components, tools, automations, services, and artifacts that participate in building and delivering software. Every one of these elements carries its own trust assumptions, and when any link is compromised, the impact propagates across downstream environments regardless of whether your code changed at all.
AI components now function as software dependencies. Pretrained models, embeddings, tokenizers, and datasets sourced from public hubs often lack strong provenance or integrity controls.
The weakest link is rarely the application code itself; it’s far more often a small, inherited component buried in a dependency graph, a build step no one monitors, or a platform layer maintained by a third party.
A supply-chain platform needs more than a static Software Bill of Materials (SBOM). It requires a real-time inventory of components, combined with a Provenance Bill of Materials (PBOM) that captures how and where each artifact was created. The PBOM includes information such as build system identity, signing keys, base images, dependency trees, and model-artifact sources.
Keep Aware Security: 2026 Browser Data Reveals Major Enterprise Security Blind Spots
The browser is no longer just rendering web pages. It is reading data, generating content, executing workflows, and acting on behalf of users in real time. In many environments, it has effectively become the operating system for modern work.
Yet most enterprise security architectures have not evolved alongside it. The browser is still commonly treated as an extension of network controls or endpoint agents, leaving a growing blind spot in the very place where AI-driven work now happens.
Phishing domains had a median age of over 18 years, demonstrating that blocking “new” domains is no longer a reliable defense when attackers abuse long-standing trusted infrastructure. Modern campaigns frequently rely on cloaking, chained redirects, CAPTCHA gates, and conditional execution to ensure scanners and threat feeds do not observe the same malicious content delivered to victims.
Chat at your own risk! Data brokers are selling deeply personal bot transcripts
People install browser extensions that purport to offer free VPN service or ad blocking or some other capability, likely without reading or understanding the extension's privacy policy. These extensions may silently intercept users' communications with AI services like ChatGPT, Gemini, Claude, and DeepSeek. They can do so by overriding the browser's native fetch() and XMLHttpRequest() functions in order to capture every prompt and every response.
It's Not Kubernetes. It Never Was
Run a namespace audit. Pick one cluster, list every namespace, and for each one try to answer three questions: who owns this, what's the blast radius if it misbehaves, and when was its resource quota last reviewed? The answers are usually surprising. You'll find namespaces nobody admits to owning. You'll find services with no resource limits that are quietly threatening neighbors. You'll find quota configurations that were set in 2021 and have never been updated despite the workload doubling.
Then I'd look at admission controller coverage—not to reduce it, but to map it. Draw the actual graph: which controllers fire on which resource types, in which order, with which rejection criteria. Make it readable. Print it out if you have to. The goal isn't to reduce security surface; it's to make the invisible visible so that when a deployment fails in a confusing way, there's a document someone can consult instead of an hour of kubectl describe archaeology.
Then, if the organization has more than four or five teams deploying to the same cluster, I'd have a frank conversation about whether the platform team is staffed correctly. Not whether there's a platform team—there probably is—but whether it has the capacity to actually function as a product team rather than an operations team that happens to have "platform" in the job titles. The difference is consequential. Operations teams react; product teams build, maintain, and iterate. You need both modes, but if the platform is going to absorb organizational complexity so developers don't have to, it needs staffing that reflects that ambition.
Are mental health apps like doctors, yogis, drugs or supplements?
Cornell researchers are recommending new guidelines for developing safe and responsible large language model (LLM)-based mental well-being apps by consulting relevant experts and reviewing existing state and federal regulations.
Nudge Security: AI Adoption in Practice Report
This research report analyzes real-world AI usage data from enterprise environments to show where AI is actually present, how it’s being used, and where risk is emerging in practice.
EC-Council Expands AI Certification Portfolio to Strengthen U.S. AI Workforce Readiness and Security
Artificial Intelligence Essentials (AIE) builds foundational AI literacy.
Certified AI Program Manager (CAIPM) equips professionals to translate AI strategy into execution, aligning teams, governance, and delivery to drive measurable ROI and enterprise-scale intelligence.
Certified Offensive AI Security Professional (COASP) builds elite capabilities to test vulnerabilities in LLMs, simulate exploits, and secure AI infrastructure, hardening enterprises against emerging threats.
Certified Responsible AI Governance & Ethics (CRAGE) credential focuses on Responsible AI, Governance and Ethics at enterprise scale with NIST/ISO compliance.
VENDORS & PLATFORMS
2/3 of Node.Js Users Run an Outdated Version. So OpenJS Announces Program Offering Upgrade Providers
The Node.js LTS Upgrade and Modernization program connects organizations with experienced Node.js service providers who handle the work of upgrading safely.
Approved partners assess current versions and dependencies, manage phased upgrades to supported LTS releases, and offer temporary security support when immediate upgrades are not possible... Partners are surfaced exactly where users go when upgrades become unavoidable, including the Node.js website, documentation, and end of life guidance.
The program follows the existing OpenJS Ecosystem Sustainability Program revenue model, with partners retaining 85% of revenue and 15% supporting OpenJS and Node.js through Open Collective and foundation operations.
IBM Gets Bob 1.0 Off The Ground
The general availability of Bob 1.0.0 on March 24 will mark the end of the long wait for IBM i customers.
Bob will be able to explain, refactor, generate, transform, and test code on IBM i in a variety of languages, including RPG, CL, SQL, COBOL, Java, and Python. The software, which will be delivered as a VS Code plug-in, will be able to assist with code modernization projects, such as upgrading from fixed-format RPG III to free-format RPG IV. It works in English and Spanish, according to Will’s December presentation, with more languages expected.
The new AI-powered coding assistant would replace the Watsonx Code Assistant that IBM had already rolled out for System Z mainframe. It would also take the place of the Code Assist for RPG product that IBM’s Rochester lab had been developing for the IBM i community since IBM i CTO Steve Will announced it at the POWERUp 2024 conference in May 2024.
I'm Not Convinced Anthropic's New COBOL Coding Tool Is an Actual Threat to IBM
IBM's share price tumbled more than 12% in response to Anthropic's blog post -- not only could this option take a bite out of IBM's breadwinning software and consulting business, but it also conceivably sets the stage for a more sweeping transition away from IBM's mainframes that have worked so well with COBOL for so long.
The market's response, however, seems to be ignoring a handful of critical details that might have prompted Monday's sellers to rethink their decision.
IBM's newest mainframes are self-contained soup-to-nuts "full stack" systems that are each capable of 450 billion AI inferences per day. That's huge. More than half the organizations that use mainframes are now increasing their usage of mainframes, with the returns on these modernization costs often in excess of 300%. Indeed, nearly 90% of organizations are specifically using their mainframes to handle generative AI duties due to their strong performance.
IBM already provides such COBOL-modernization solutions
AI-generated code usually works, but when it doesn't...
CodeRabbit reports that a recent comparison of AI-generated code to human-coded programming shows the artificial intelligence-written code had about 60% more errors, jibing with plenty of other observations. And worse, as the coding work that AI is doing becomes increasingly complex, it's becoming more difficult to find and correct these bugs.
Mainframes are still better at certain types of work
Mainframes are on-premise platforms that offer more operational and computational speed; IBM "Z" systems can handle 25 billion encrypted transactions per day.
Mainframes are complete stand-alone systems often with built-in security features - including quantum encryption - a great deal of flexibility, and extreme dependability with uptimes nearing 100%.
Apple Blocks US Users From Downloading ByteDance's Chinese Apps
The so-called TikTok ban law, passed by Congress in 2024, barred companies like Apple and Google from distributing other apps majority-owned by ByteDance. The Protecting Americans from Foreign Adversary Controlled Applications Act states that no company can "distribute, maintain, or update" any app majority-controlled by ByteDance "within the land or maritime borders of the United States."
Now even with a valid Chinese App Store account, downloading or updating a ByteDance-owned Chinese app is blocked on Apple devices located in the United States. Instead, a pop-up window appears that says, "This app is unavailable in the country or region you're in." The restriction appears to apply only to ByteDance-owned apps and not those developed by other Chinese companies.
Microsoft Copilot to hijack your browser... for your own convenience
Microsoft is rolling out a preview Copilot update to Windows Insiders that embeds web browsing directly into the assistant, opening links in a side panel rather than launching your default browser.
The plan is that users of the Copilot app in Windows will show content in the assistant's window "so you don't lose context." Copilot will also (with permission) have access to the context of tabs opened in that conversation, so the assistant can look across them when responding to user prompts. Opened tabs will be saved with the conversation so that they can be returned to, and, if a user chooses to enable it, passwords and form data can be synchronized.
Enabling password and form data synchronization might give some users pause for thought, particularly after the Windows Recall fiasco, but users worried about Redmond slurping data should probably consider an alternative to Windows anyway.
Lithium-ion battery fires pose growing threat to homes
Michigan family survives two separate battery fires in two weeks
Both fires were caused by thermal runaway, a dangerous chain reaction that occurs when lithium-ion batteries overheat and release flammable, toxic gases.
The first fire started when headphones, which were left unplugged in a car on a hot night, burst into flames. Twelve days later, a portable battery pack in the family’s home office ignited, forcing them to evacuate again.
The family’s car was totaled in the first fire. Their home office had to be boarded up from the second incident. Insurance covered the costs, but the family had to move to an apartment during repairs.
Regular fire extinguishers will not put out lithium-ion battery fires, officials warn. If a battery begins smoking, people should evacuate immediately.
Old lithium-ion batteries should never be thrown in regular trash because they can spark fires at recycling centers, landfills and in garbage trucks.
LEGAL & REGULATORY
Nippon Life Insurance Company of America sues OpenAI for practising law without a license
The suit, filed in Chicago federal court, is seemingly among the first to call out a major AI developer for unauthorized legal practice through a customer-facing chatbot, Reuters noted. Nippon said that after settling her long‑term disability benefits suit with prejudice in January 2024, the claimant had shared an email from her former lawyer regarding her case with ChatGPT last year. The chatbot supposedly affirmed her suspicions regarding the lawyer’s legal advice; subsequently, the claimant fired the lawyer and instead used ChatGPT to generate filings reopening the case.
GSA's New CUI Requirements: What Government Contractors Need to Know
By formalizing a structured process for CUI protection on GSA contracts, the agency is joining what commentators have called the "CUI compliance movement" – a broader trend toward holding contractors to concrete, enforceable cybersecurity standards regardless of whether they operate in the defense or civilian space.
Titled "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process," the publication establishes requirements for how contractors handling CUI on GSA contracts must secure that information.
NIST SP 800‑171 Revision 3 is now the required baseline for GSA contractors handling CUI, a departure from Revision 2 currently implemented by DOW in the Cybersecurity Maturity Model Certification (CMMC) program. The procedural guide imposes demanding operational obligations, including one‑hour cyber incident reporting and the expected flow‑down of CUI security requirements to subcontractors. GSA's five-phase framework centers on formal documentation and independent assessments.
US Treasury Releases New AI Risk Management Resources for Financial Institutions
The two resources – a shared AI Lexicon and the Financial Services AI Risk Management Framework (FS AI RMF) – are intended to respond to practical challenges that financial institutions face given the acceleration of AI adoption.
The FS AI RMF operationalizes the existing NIST AI Risk Management Framework – a voluntary framework released in January 2023 by the National Institute of Standards and Technology (NIST) within the Department of Commerce that applies broadly across industries – into actionable guidance specific to banks and other financial services firms.
