AI security firm Irregular has found that passwords generated by major large language models -- Claude, ChatGPT and Gemini -- appear complex but follow predictable patterns that make them crackable in hours, even on decades-old hardware. When researchers prompted Anthropic's Claude Opus 4.6 fifty times in separate conversations, only 30 of the returned passwords were unique, and 18 of the duplicates were the exact same string. The estimated entropy of LLM-generated 16-character passwords came in around 20 to 27 bits, far below the 98 to 120 bits expected of truly random passwords.

TP-Link is facing legal action from the state of Texas for allegedly misleading consumers with "Made in Vietnam" claims despite China-dominated manufacturing and supply chains, and for marketing its devices as secure despite reported firmware vulnerabilities exploited by Chinese state-sponsored actors. The Register: The Lone Star State's Attorney General, Ken Paxton, is filing the lawsuit against California-based TP-Link Systems Inc., which was originally founded in China, accusing it of deceptively marketing its networking devices and alleging that its security practices and China-based affiliations allowed Chinese state-sponsored actors to access devices in the homes of American consumers.

It is understood that this is just the first of several lawsuits that the Office of the Attorney General intends to file this week against "China-aligned companies," as part of a coordinated effort to hold China accountable under Texas law. The lawsuit claims that TP-Link is the dominant player in the US networking and smart home market, controlling 65 percent of the American market for network devices.

It also alleges that TP-Link represents to American consumers that the devices it markets and sells within the US are manufactured in Vietnam, and that consistent with this, the devices it sells in the American market carry a "Made in Vietnam" sticker.

A US law firm has accused Lenovo of violating Justice Department strictures about the bulk transfer of data to foreign adversaries, namely China. From a report: The case filed by Almeida Law Group on behalf of San Francisco-based "Spencer Christy, individually and on behalf of all others similarly situated" centers on the Data Security Program regulations implemented by the DOJ last year. According to the suit, these were "implemented to prevent adversarial countries from acquiring large quantities of behavioral data which could be used to surveil, analyze, or exploit American citizens' behavior."

The complaint states the DOJ rule "makes clear that sending American consumers' information to Chinese entities through automated advertising systems and associated databases with the requisite controls is prohibited." The case states the threshold for "covered personal identifiers" is 100,000 US persons or more and lists a range of potential identifiers, from government and financial account numbers to IMEIs, MAC, and SIM numbers, demographic data, and advertising IDs.

An anonymous reader shares a report: The European Parliament has disabled AI features on the work devices of lawmakers and their staff over cybersecurity and data protection concerns, according to an internal email seen by POLITICO. The chamber emailed its members on Monday to say it had disabled "built-in artificial intelligence features" on corporate tablets after its IT department assessed it couldn't guarantee the security of the tools' data.

"Some of these features use cloud services to carry out tasks that could be handled locally, sending data off the device," the Parliament's e-MEP tech support desk said in the email. "As these features continue to evolve and become available on more devices, the full extent of data shared with service providers is still being assessed. Until this is fully clarified, it is considered safer to keep such features disabled."

"A new variation of the fake recruiter campaign from North Korean threat actors is targeting JavaScript and Python developers with cryptocurrency-related tasks," reports the Register. Researchers at software supply-chain security company ReversingLabs say that the threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit. Developers applying for the job are required to show their skills by running, debugging, and improving a given project. However, the attacker's purpose is to make the applicant run the code... [The campaign involves 192 malicious packages published in the npm and PyPi registries. The packages download a remote access trojan that can exfiltrate files, drop additional payloads, or execute arbitrary commands sent from a command-and-control server.]

In one case highlighted in the ReversingLabs report, a package named 'bigmathutils,' with 10,000 downloads, was benign until it reached version 1.1.0, which introduced malicious payloads. Shortly after, the threat actor removed the package, marking it as deprecated, likely to conceal the activity... The RAT checks whether the MetaMask cryptocurrency extension is installed on the victim's browser, a clear indication of its money-stealing goals...

ReversingLabs has found multiple variants written in JavaScript, Python, and VBS, showing an intention to cover all possible targets.
The campaign has been ongoing since at least May 2025...

This week Apple patched iOS and macOS against what it called "an extremely sophisticated attack against specific targeted individuals."

Security Week reports that the bugs "could be exploited for information exposure, denial-of-service (DoS), arbitrary file write, privilege escalation, network traffic interception, sandbox escape, and code execution." Tracked as CVE-2026-20700, the zero-day flaw is described as a memory corruption issue that could be exploited for arbitrary code execution... The tech giant also noted that the flaw's exploitation is linked to attacks involving CVE-2025-14174 and CVE-2025-43529, two zero-days patched in WebKit in December 2025...

The three zero-day bugs were identified by Apple's security team and Google's Threat Analysis Group and their descriptions suggest that they might have been exploited by commercial spyware vendors... Additional information is available on Apple's security updates page.
Brian Milbier, deputy CISO at Huntress, tells the Register that the dyld/WebKit patch "closes a door that has been unlocked for over a decade."

Thanks to Slashdot reader wiredmikey for sharing the article.

An anonymous reader shared this report from the Register: Telcos likely received advance warning about January's critical Telnet vulnerability before its public disclosure, according to threat intelligence biz GreyNoise. Global Telnet traffic "fell off a cliff" on January 14, six days before security advisories for CVE-2026-24061 went public on January 20. The flaw, a decade-old bug in GNU InetUtils telnetd with a 9.8 CVSS score, allows trivial root access exploitation. GreyNoise data shows Telnet sessions dropped 65 percent within one hour on January 14, then 83 percent within two hours. Daily sessions fell from an average 914,000 (December 1 to January 14) to around 373,000, equating to a 59 percent decrease that persists today.

"That kind of step function — propagating within a single hour window — reads as a configuration change on routing infrastructure, not behavioral drift in scanning populations," said GreyNoise's Bob Rudis and "Orbie," in a recent blog [post]. The researchers unverified theory is that infrastructure operators may have received information about the make-me-root flaw before advisories went to the masses...

18 operators, including BT, Cox Communications, and Vultr went from hundreds of thousands of Telnet sessions to zero by January 15... All of this points to one or more Tier 1 transit providers in North America implementing port 23 filtering. US residential ISP Telnet traffic dropped within the US maintenance window hours, and the same occurred at those relying on transatlantic or transpacific backbone routes, all while European peering was relatively unaffected, they added.

An anonymous reader shares a report: Israel has arrested several people, including army reservists, for allegedly using classified information to place bets on Israeli military operations on Polymarket. Shin Bet, the country's internal security agency, said Thursday the suspects used information they had come across during their military service to inform their bets.

One of the reservists and a civilian were indicted on a charge of committing serious security offenses, bribery and obstruction of justice, Shin Bet said, without naming the people who were arrested. Polymarket is what is called a prediction market that lets people place bets to forecast the direction of events. Users wager on everything from the size of any interest-rate cut by the Federal Reserve in March to the winner of League of Legends videogame tournaments to the number of times Elon Musk will tweet in the third week of February.

The arrests followed reports in Israeli media that Shin Bet was investigating a series of Polymarket bets last year related to when Israel would launch an attack on Iran, including which day or month the attack would take place and when Israel would declare the operation over. Last year, a user who went by the name ricosuave666 correctly predicted the timeline around the 12-day war between Israel and Iran. The bets drew attention from other traders who suspected the account holder had access to nonpublic information. The account in question raked in more than $150,000 in winnings before going dormant for six months. It resumed trading last month, betting on when Israel would strike Iran, Polymarket data shows.

The US Federal Trade Commission is accelerating scrutiny of Microsoft as part of an ongoing probe into whether the company illegally monopolizes large swaths of the enterprise computing market with its cloud software and AI offerings, including Copilot. From a report: The agency has issued civil investigative demands in recent weeks to companies that compete with Microsoft in the business software and cloud computing markets, according to people familiar with the matter. The demands feature an array of questions on Microsoft's licensing and other business practices, according to the people, who were granted anonymity to discuss a confidential investigation.

With the demands, which are effectively like civil subpoenas, the FTC is seeking evidence that Microsoft makes it harder for customers to use Windows, Office and other products on rival cloud services. The agency is also requesting information on Microsoft's bundling of artificial intelligence, security and identity software into other products, including Windows and Office, some of the people said.

Microsoft has patched a high-severity vulnerability in Windows 11's Notepad that allowed attackers to silently execute local or remote programs when a user clicked a specially crafted Markdown link, all without triggering any Windows security warning.

The flaw, tracked as CVE-2026-20841 and fixed in the February 2026 Patch Tuesday update, stemmed from Notepad's relatively new Markdown support -- a feature Microsoft added after discontinuing WordPad and rewriting Notepad to serve as both a plain text and rich text editor. An attacker only needed to create a Markdown file containing file:// links pointing to executables or special URIs like ms-appinstaller://, and a Ctrl+click in Markdown mode would launch them. Microsoft's fix now displays a warning dialog for any link that doesn't use http:// or https://, though the company did not explain why it chose a prompt over blocking non-standard links entirely. Notepad updates automatically through the Microsoft Store.

An anonymous reader shares a report: Palo Alto Networks opted not to tie China to a global cyberespionage campaign the firm exposed last week over concerns that the cybersecurity company or its clients could face retaliation from Beijing, according to two people familiar with the matter. The sources said that Palo Alto's findings that China was tied to the sprawling hacking spree were dialed back following last month's news, first reported by Reuters, that Palo Alto was one of about 15 U.S. and Israeli cybersecurity companies whose software had been banned by Chinese authorities on national security grounds.

A draft version of the report by Palo Alto's Unit 42, the company's threat intelligence arm, said that the prolific hackers -- dubbed "TGR-STA-1030" in a report published on Thursday of last week -- were connected to Beijing, the two people said. The finished report instead described the hacking group more vaguely as a "state-aligned group that operates out of Asia." Attributing sophisticated hacks is notoriously difficult and debates over how best to assign blame for digital intrusions are common among cybersecurity researchers.

Microsoft is planning to bring smartphone-style app permission prompts to Windows 11, requiring apps to get explicit user consent before they can access sensitive resources like the file system, camera and microphone. The company's Windows Platform engineer Logan Iyer said the move was prompted by applications increasingly overriding user settings, installing unwanted software, and modifying core Windows experiences without permission.

A separate initiative called Windows Baseline Security Mode will enforce runtime integrity safeguards by default, allowing only properly signed apps, services, and drivers to run. Both changes will roll out in phases as part of Microsoft's Secure Future Initiative, which the company launched in November 2023 after a federal review board called its security culture "inadequate."

Iceland in October classified the potential collapse of the Atlantic meridional overturning circulation -- the ocean current system that ferries warm water northward from the tropics and essentially functions as the country's central heating -- as a national security risk, a designation that amounts to a formal reckoning with the possibility that climate change could render the island nation uninhabitable.

Several recent studies have found the AMOC far more vulnerable to breakdown than scientists had long assumed. One, analyzing nine models under high-emission scenarios, saw the current weaken and collapse in every single instance; even under the Paris agreement's emission targets, the researchers estimated a 25% chance of shutdown. Stefan Rahmstorf, an oceanographer at Germany's Potsdam Institute for Climate Impact Research and a co-author of that study, said it was "wrong to assume this was low probability." Simulations of a post-collapse world project Icelandic winter extremes plunging to minus-50 degrees Celsius, and sea ice surrounding the country for the first time since Viking settlement.

Iceland's national strategy for dealing with AMOC risks is scheduled to be finalized by 2028. The country has also flagged that NASA Goddard, a key source of AMOC modeling, has been targeted for significant staff and budget cuts under the current U.S. administration.

Google on Tuesday expanded its "Results about you" tool to let users request the removal of Search results containing government-issued ID numbers -- including driver's licenses, passports and Social Security numbers -- adding to the tool's existing ability to flag results that surface phone numbers, email addresses, and home addresses.

The update, announced on Safer Internet Day, is rolling out in the U.S. over the coming days. Google also streamlined its process for reporting non-consensual explicit images on Search, allowing users to select and submit removal requests for multiple images at once rather than reporting them individually.

Microsoft has begun automatically replacing the original Secure Boot security certificates on Windows devices through regular monthly updates, a necessary move given that the 15-year-old certificates first issued in 2011 are set to expire between late June and October 2026.

Secure Boot, which verifies that only trusted and digitally signed software runs before Windows loads, became a hardware requirement for Windows 11. A new batch of certificates was issued in 2023 and already ships on most PCs built since 2024; nearly all devices shipped in 2025 include them by default. Older hardware is now receiving the updated certificates through Windows Update, starting last month's KB5074109 release for Windows 11. Devices that don't receive the new certificates before expiration will still function but enter what Microsoft calls a "degraded security state," unable to receive future boot-level protections and potentially facing compatibility issues down the line.

Windows 10 users must enroll in Microsoft's paid Extended Security Updates program to get the new certificates. A small number of devices may also need a separate firmware update from their manufacturer before the Windows-delivered certificates can be applied.

"How Chinese is your car?" asks the Wall Street Journal. "Automakers are racing to work it out." Modern cars are packed with internet-connected widgets, many of them containing Chinese technology. Now, the car industry is scrambling to root out that tech ahead of a looming deadline, a test case for America's ability to decouple from Chinese supply chains. New U.S. rules will soon ban Chinese software in vehicle systems that connect to the cloud, part of an effort to prevent cameras, microphones and GPS tracking in cars from being exploited by foreign adversaries.

The move is "one of the most consequential and complex auto regulations in decades," according to Hilary Cain, head of policy at trade group the Alliance for Automotive Innovation. "It requires a deep examination of supply chains and aggressive compliance timelines."

Carmakers will need to attest to the U.S. government that, as of March 17, core elements of their products don't contain code that was written in China or by a Chinese company. The rule also covers software for advanced autonomous driving and will be extended to connectivity hardware starting in 2029. Connected cars made by Chinese or China-controlled companies are also banned, wherever their software comes from...

The Commerce Department's Bureau of Industry and Security, which introduced the connected-vehicle rule, is also allowing the use of Chinese code that is transferred to a non-Chinese entity before March 17. That carve-out has sparked a rush of corporate restructuring, according to Matt Wyckhouse, chief executive of cybersecurity firm Finite State. Global suppliers are relocating China-based software teams, while Chinese companies are seeking new owners for operations in the West.
Thanks to long-time Slashdot reader schwit1 for sharing the article.

"They were crouched down like turkeys peeking over the balcony," the county sheriff told Ars Technica. A half hour past midnight, they were skulking through a courthouse in Iowa's Dallas County on September 11 "carrying backpacks that remind me and several other deputies of maybe the pressure cooker bombs." More deputies arrived... Justin Wynn, 29 of Naples, Florida, and Gary De Mercurio, 43 of Seattle, slowly proceeded down the stairs with hands raised. They then presented the deputies with a letter that explained the intruders weren't criminals but rather penetration testers who had been hired by Iowa's State Court Administration to test the security of its court information system. After calling one or more of the state court officials listed in the letter, the deputies were satisfied the men were authorized to be in the building.
But Sheriff Chad Leonard had the men arrested on felony third-degree burglary charges (later reduced to misdemeanor trespassing charges). He told them that while the state government may have wanted to test security, "The State of Iowa has no authority to allow you to break into a county building. You're going to jail."

More than six years later, the Des Moines Register reports: Dallas County is paying $600,000 to two men who sued after they were arrested in 2019 while testing courthouse security for Iowa's Judicial Branch, their lawyer says.

Gary DeMercurio and Justin Wynn were arrested Sept. 11, 2019, after breaking into the Dallas County Courthouse. They spent about 20 hours in jail and were charged with burglary and possession of burglary tools, though the charges were later dropped. The men were employees of Colorado-based cybersecurity firm Coalfire Labs, with whom state judicial officials had contracted to perform an analysis of the state court system's security. Judicial officials apologized and faced legislative scrutiny for how they had conducted the security test.

But even though the burglary charges against DeMercurio and Wynn were dropped, their attorney previously said having a felony arrest on their records made seeking employment difficult. Now the two men are to receive a total of $600,000 as a settlement for their lawsuit, which has been transferred between state and federal courts since they first filed it in July 2021 in Dallas County. The case had been scheduled to go to trial Monday, Jan. 26 until the parties notified the court Jan. 23 of the impending deal...

"The settlement confirms what we have said from the beginning: our work was authorized, professional, and done in the public interest," DeMercurio said in a statement. "What happened to us never should have happened. Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years building...."

"This incident didn't make anyone safer," Wynn said. "It sent a chilling message to security professionals nationwide that helping government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it."
County Attorney Matt Schultz said dismissing the charges was the decision of his predecessor, according to the newspaper, and that he believed the sheriff did nothing wrong.

"I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law."

An anonymous reader shared this report from Bloomberg: An Asian cyber-espionage group has spent the past year breaking into computer systems belonging to governments and critical infrastructure organizations in more than 37 countries, according to the cybersecurity firm Palo Alto Networks, Inc. The state-aligned attackers have infiltrated networks of 70 organizations, including five national law enforcement and border control agencies, according to a new research report from the company. They have also breached three ministries of finance, one country's parliament and a senior elected official in another, the report states. The Santa Clara, California-based firm declined to identify the hackers' country of origin.

The spying operation was unusually vast and allowed the hackers to hoover up sensitive information in apparent coordination with geopolitical events, such as diplomatic missions, trade negotiations, political unrest and military actions, according to the report. They used that access to spy on emails, financial dealings and communications about military and police operations, the report states. The hackers also stole information about diplomatic issues, lurking undetected in some systems for months. "They use highly-targeted and tailored fake emails and known, unpatched security flaws to gain access to these networks," said Pete Renals, director of national security programs with Unit 42, the threat intelligence division of Palo Alto Networks....

Palo Alto Networks researchers confirmed that the group successfully accessed and exfiltrated sensitive data from some victims' email servers.
Bloomberg writes that according to the cybersecurity firm, this campaign targeted government entities in the Czech Republic and the Ministry of Mines and Energy of Brazil, and also "likely compromised" a device associated with a facility operated by a joint venture between Venezuela's government and an Asian tech firm.

The cyberattackers are "also suspected of being active in Germany, Poland, Greece, Italy, Cyprus, Indonesia, Malaysia, Mongolia, Panama, Greece and other countries, according to the report."

Axios reports: Anthropic's latest AI model has found more than 500 previously unknown high-severity security flaws in open-source libraries with little to no prompting, the company shared first with Axios.

Why it matters: The advancement signals an inflection point for how AI tools can help cyber defenders, even as AI is also making attacks more dangerous...

Anthropic debuted Claude Opus 4.6, the latest version of its largest AI model, on Thursday. Before its debut, Anthropic's frontier red team tested Opus 4.6 in a sandboxed environment [including access to vulnerability analysis tools] to see how well it could find bugs in open-source code... Claude found more than 500 previously unknown zero-day vulnerabilities in open-source code using just its "out-of-the-box" capabilities, and each one was validated by either a member of Anthropic's team or an outside security researcher... According to a blog post, Claude uncovered a flaw in GhostScript, a popular utility that helps process PDF and PostScript files, that could cause it to crash. Claude also found buffer overflow flaws in OpenSC, a utility that processes smart card data, and CGIF, a tool that processes GIF files.
Logan Graham, head of Anthropic's frontier red team, told Axios they're considering new AI-powered tools to hunt vulnerabilities. "The models are extremely good at this, and we expect them to get much better still... I wouldn't be surprised if this was one of — or the main way — in which open-source software moving forward was secured."

Waymo surprised U.S. lawmakers Wednesday during a hearing on autonomous vehicles and their safety and oversight. Newsweek reports: During questioning, Sen. Ed Markey, a Massachusetts Democrat, asked what happens when a Waymo vehicle encounters a driving situation it cannot independently resolve. "The Waymo phones a human friend for help," Markey explained, adding that the vehicle communicates with a "remote assistance operator." Markey criticized the lack of public information about these workers, despite their role in vehicle safety...

[Dr. Mauricio Peña, chief safety officer at Waymo] responded by clarifying the scope of the operators' involvement: "They provide guidance, they do not remotely drive the vehicles," Peña said. "Waymo asks for guidance in certain situations and gets input, but Waymo is always in charge of the dynamic driving task," according to EVShift. Pressed further on where those operators are located, Peña told lawmakers that some are based in the United States and others abroad, though he did not have an exact breakdown. After additional questioning, he confirmed that overseas operators are located in the Philippines...

The disclosure prompted sharp criticism from Markey, who raised concerns about security and labor implications. "Having people overseas influencing American vehicles is a safety issue," he said. "The information the operators receive could be out of date. It could introduce tremendous cyber security vulnerabilities," according to People. Markey also pointed to job displacement, noting that autonomous vehicles already affect taxi and rideshare drivers in the U.S. Waymo defended the practice in comments to People, saying the use of overseas staff is part of a broader effort to scale operations globally.
Waymo also defended the remote workers to Newsweek as licensed drivers reviewed for "driving-related convictions" and other traffic violations who are also "randomly screened for drug use."

Thanks to Slashdot reader sinij for sharing the news.