InfoSec News 13FEB2026
General
- [RU] Continuing from their block on Telegram, it appears that Roskomnadzor is now blocking WhatsApp as well. Other services may also have been included in the latest block, including other Meta products (Facebook, Instagram), YouTube, as well as news sites.
Kremlin spokesperson Dmitry Peskov said the restrictions were imposed because WhatsApp’s owner, Meta — which Russian authorities have designated an extremist organization and have banned in the country — has refused to comply with Russian law.
“If the corporation maintains the same uncompromising position and, I would say, shows a complete unwillingness to align with Russian legislation, then there will be no chance of the app being restored,” Peskov said.
He encouraged users to switch to Max, a government-backed messaging platform developed by the creator of VKontakte and heavily promoted in Russia through state media and advertising campaigns.
...
The latest restrictions on WhatsApp go beyond Roskomnadzor’s previous measures, which included blocking voice calls and slowing traffic, digital rights groups said, adding that authorities went as far as removing WhatsApp’s domain records from Russia’s National Domain Name System.
The digital rights project Na Svyazi (In Touch) reported that 13 popular resources — including YouTube, Facebook, Instagram, the Tor Project, the BBC, Deutsche Welle, and The Moscow Times — were also removed from the national domain registry.
- [US] The Cybersecurity Information Sharing Act of 2015 ("CISA 2015", to distinguish it from the Agency) has been reauthorised through to the end of September this year.
CISA 2015 establishes a framework for sharing cyber threat indicators and defensive measures, and it offers several important protections for organizations that participate. These protections include Freedom of Information Act (“FOIA”) disclosure exemptions, limits on liability related to sharing, and safeguards against waiver of legal privileges.
- [US] The Federal Trade Commission (FTC) is backing age-verification for applications and websites.
Many tech companies have long worried that by asking children to verify their ages, they could risk violating the Children’s Online Privacy Protection rule (COPPA rule), which prohibits collecting data from children under age 13 without first obtaining parental consent.
But the COPPA rule should not be an “impediment to the most child protective technology to emerge in decades,” Chris Mufarrige, director of the FTC’s Bureau of Consumer Protection, said at an agency event late last month focused on age verification. He was one of a few FTC officials at the event to hail age verification technologies as critically important to protecting kids online.
- Discord's age verifier "k-id" is learning that you can't trust client-side code.
People are reverse-engineering the client-side age-verification engine, and spoofing adult results back to the server. It's currently a game of cat and mouse, as k-id patches, and the group works around the patch.
- In the continuing saga of information stolen from L3Harris, it appears that the accused not only sold exploits, but also whole tools, to the Russian company.
Williams originally set up and fired another employee, in an attempt to cover his thefts.
While it was known that Williams sold Trenchant’s exploits — software that takes advantage of flaws in other software usually to gain access to someone’s computer or device — prosecutors now say that these eight tools could have been used to indiscriminately enable government surveillance, cybercrime, and ransomware attacks across the globe.
Getting Techy
- ASCII smuggling can be used with LLM Agent Skills (not just OpenClaw, but also agentic coding platforms, such as Claude Code, OpenAI Codex, Gemini CLI, etc.). Opening the skill file in a normal text editor or IDE will not show the malicious prompt.
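A defensive check for the hidden-text problem described above, added here as an example (it is not code from the linked research or from any of the named tools): it scans skill file text for characters in the Unicode Tags block (U+E0000 to U+E007F), which ASCII smuggling uses as an invisible mirror of ASCII, and decodes each run so a reviewer can read it. The function names, the short zero-width list and the sample skill text are assumptions constructed for illustration.

```python
TAG_BASE, TAG_END = 0xE0000, 0xE007F   # Unicode "Tags" block
# A few other code points that most editors render as nothing (not exhaustive).
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}

def is_tag(ch):
    return TAG_BASE <= ord(ch) <= TAG_END

def scan_skill_text(text):
    """Return findings as dicts: line, column (1-based), kind, decoded."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if is_tag(line[col]):
                start, decoded = col, []
                # Consume the whole run and map each tag back to its ASCII twin.
                while col < len(line) and is_tag(line[col]):
                    low = ord(line[col]) - TAG_BASE
                    decoded.append(chr(low) if 0x20 <= low < 0x7F else "?")
                    col += 1
                findings.append({"line": lineno, "column": start + 1,
                                 "kind": "unicode-tag-run",
                                 "decoded": "".join(decoded)})
                continue
            if ord(line[col]) in INVISIBLE:
                findings.append({"line": lineno, "column": col + 1,
                                 "kind": "invisible-char",
                                 "decoded": "U+%04X" % ord(line[col])})
            col += 1
    return findings

def strip_hidden(text):
    """Drop tag and zero-width characters before the text reaches an agent."""
    return "".join(c for c in text if not is_tag(c) and ord(c) not in INVISIBLE)

# Constructed sample: line 2 ends with the word "test" written in tag
# characters, line 3 ends with a zero-width space. Neither shows in an editor.
SAMPLE = (
    "# Skill: format-changelog\n"
    "Summarise the git log as bullet points."
    "\U000E0074\U000E0065\U000E0073\U000E0074\n"
    "Keep entries under 80 characters.\u200b\n"
)

if __name__ == "__main__":
    for f in scan_skill_text(SAMPLE):
        print(f)
```

Run over skill files in review or CI, any `unicode-tag-run` finding is worth blocking on, since ordinary prose and code have no reason to contain those code points.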
Geo-Politics
- [AU] Two more Chinese nationals have been charged in relation to "alleged conduct involving the collection of information on behalf of a foreign principal, contrary to Australia’s foreign interference laws introduced in 2018."
According to the AFP, the investigation centres on allegations that the individuals engaged in activities intended to support the interests of a foreign government by gathering information about individuals and community organisations in Australia. Authorities allege the activity was covert and conducted without transparency.
...
The prosecution comes amid heightened scrutiny of foreign interference risks in Australia, particularly in relation to community organisations and diaspora networks. In recent annual threat assessments, ASIO has identified foreign interference as one of the most significant security challenges facing the country, warning that activities are becoming more persistent and sophisticated.
- [AU] Australian Signals Directorate (ASD) visibility gap
Only 35 percent of federal entities reported at least half of their observed cyber security incidents to the Australian Signals Directorate (ASD) during the 2024-25 financial year, according to the annual Commonwealth cyber security posture report.
...
The problem occurs even though 62 percent of entities reported they inform their senior executives of at least 80 percent of incidents.
...
However, many of them could be experiencing high volumes of low-impact incidents that they see as below the reporting threshold.
- https://www.itnews.com.au/news/government-entities-not-reporting-cyber-incidents-to-asd-623556
- https://www.aph.gov.au/Parliamentary_Business/Tabled_Documents/14601
- [US] The current US administration is pushing ahead with changes to the electoral system.
Together, the SAVE America Act and MEGA Act would shift key voter certification powers to the executive branch, require stricter proof of citizenship for voter registration, and allow states to more easily access federal immigration databases to track and remove “potential” or “suspected” noncitizens from voter rolls.
Changes to the committee bill include a new section requiring states to send lists of all eligible voters to the Department of Homeland Security’s Systemic Alien Verification for Entitlements database and placing the Commissioner of the Social Security Administration at the head of a federal voter citizenship certification process.
Privacy
- AI healthcare apps - even more dangerous than you might at first assume.
Several health care and legal experts told CyberScoop that these companies are almost certainly not subject to the same legal or regulatory requirements – such as data protection rules under the Health Insurance Portability and Accountability Act (HIPAA) – that compel hospitals and other healthcare facilities to ensure protection of your data.
...
“On a federal level there are no limitations – generally, comprehensively – on non-HIPAA protected information or consumer information being sold to third parties, to data brokers,” she said.
She also pointed to data privacy concerns that stemmed from the bankruptcy and sale of genetic testing company 23andMe last year as a prime example of the dangers consumers face when handing over their sensitive health or biometric data to an unregulated entity.
...
Laws like HIPAA require covered entities and their business associates to “maintain reasonable and appropriate administrative, physical, and technical safeguards for the security of certain individually identifiable health information.”
It also subjects companies to breach notification rules that force them to notify victims, the Department of Health and Human Services and in some cases the public when certain health data has been accessed, acquired, used or disclosed in a data breach.
...
Geoghegan said it is not uncommon in some corners of the wellness industry for an unregulated business to ambiguously claim they are “HIPAA-compliant” to elude the fact that they aren’t legally bound by the regulations.
“Generally speaking, a lot of companies say they’re HIPAA compliant, but what they mean is that they’re not a HIPAA regulated entity, therefore they have no obligation,” said Geoghegan.
- [US] California is serious about its "California Consumer Privacy Act".
Disney has agreed to a $2.75 million fine with the state of California and implementation of a comprehensive privacy program in response to allegations that it broke the state’s landmark privacy law by making it exceedingly difficult for consumers to opt out of having their data shared and sold.
...
The investigation found that Disney’s opt-out processes did not allow consumers, including those logged into their accounts, to ensure they were wholly exempt from data sharing. The probe found that each of the opt-out methods Disney offered had “key gaps that allowed Disney to continue to sell and share consumers’ data,” a Bonta press release said.
...
“Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights,” Bonta said in a statement. “California’s nation-leading privacy law is clear: A consumer’s opt-out right applies wherever and however a business sells data — businesses can’t force people to go device-by-device or service-by-service.”
AI
- Sometimes it's the simple things that catch you out... Waymo is paying DoorDash workers to close the car doors in their autonomous taxis.
- “Waymo is currently running a pilot program in Atlanta to enhance its AV fleet efficiency. In the rare event a vehicle door is left ajar, preventing the car from departing, nearby Dashers are notified, allowing Waymo to get its vehicles back on the road quickly,”
- https://www.404media.co/waymo-is-getting-doordashers-to-close-doors-on-self-driving-cars/