Threat Level: green Handler on Duty: Brad Duncan

SANS ISC Information Security News


Popular News

1 day ago Hackers exploit Flash in one of the largest malware attacks in recent history

Yahoo Security
In case it wasn't clear yet, Adobe's Flash isn't exactly the safest tool for delivering Internet content. Hackers are already more than aware of the software's security issues and are happy to exploit them for various malicious purposes. That's exactly what happened in late July when hackers used Flash to infect Yahoo websites with malware in what has been described as one of the largest malvertising attacks seen in the recent months. The attack was first discovered by a security researcher at Malwarebytes, The New York Times reports. Hackers deployed the malware on July 28th, targeting Yahoo's advertising network for a week before the company put a stop to

1 day ago Michael's Breach: What We've Learned

InfoRiskToday
Charges in POS Swap Scheme Show How Times Have Changed
News that charges were filed last week against two California residents for their alleged roles in the 2011 Michaels crafts stores breach, which involved terminal tampering, is a reminder of how much hackers have improved their techniques in just four years.

26 minutes ago Flash bites again: Huge malware campaign hits Yahoo ads

ZDNet
A week long attack has struck Yahoo visitors using malicious ads.

1 day ago Windows 10 violates your privacy by default, here's how you can protect yourself

TechRepublic
Upon installation, Windows 10 defaults to some pretty serious privacy invasions. Here are some steps you can take to keep your personal data private.

Top News

1 day ago Hackers Can Seize Control of Electric Skateboards and Toss Riders

WIRED

Imagine flying down the road at 20 mph on your electric skateboard when a hacker suddenly jams the brakes and throws you off.


22 hours ago Shooting Down Drones

Schneier blog

A Kentucky man shot down a drone that was hovering in his backyard:

"It was just right there," he told Ars. "It was hovering, I would never have shot it if it was flying. When he came down with a video camera right over my back deck, that's not going to work. I know they're neat little vehicles, but one of those uses shouldn't be flying into people's yards and videotaping."

Minutes later, a car full of four men that he didn't recognize rolled up, "looking for a fight."

"Are you the son of a bitch that shot my drone?" one said, according to Merideth.

His terse reply to the men, while wearing a 10mm Glock holstered on his hip: "If you cross that sidewalk onto my property, there's going to be another shooting."

He was arrested, but what's the law?

In the view of drone lawyer Brendan Schulman and robotics law professor Ryan Calo, home owners can't just start shooting when they see a drone over their house. The reason is because the law frowns on self-help when a person can just call the police instead. This means that Merideth may not have been defending his house, but instead engaging in criminal acts and property damage for which he could have to pay.

But a different and bolder argument, put forward by law professor Michael Froomkin, could provide Merideth some cover. In a paper, Froomkin argues that it's reasonable to assume robotic intrusions are not harmless, and that people may have a right to "employ violent self-help."

Froomkin's paper is well worth reading:

Abstract: Robots can pose -- or can appear to pose -- a threat to life, property, and privacy. May a landowner legally shoot down a trespassing drone? Can she hold a trespassing autonomous car as security against damage done or further torts? Is the fear that a drone may be operated by a paparazzo or a peeping Tom sufficient grounds to disable or interfere with it? How hard may you shove if the office robot rolls over your foot? This paper addresses all those issues and one more: what rules and standards we could put into place to make the resolution of those questions easier and fairer to all concerned.

The default common-law legal rules governing each of these perceived threats are somewhat different, although reasonableness always plays an important role in defining legal rights and options. In certain cases -- drone overflights, autonomous cars, national, state, and even local regulation -- may trump the common law. Because it is in most cases obvious that humans can use force to protect themselves against actual physical attack, the paper concentrates on the more interesting cases of (1) robot (and especially drone) trespass and (2) responses to perceived threats other than physical attack by robots notably the risk that the robot (or drone) may be spying - perceptions which may not always be justified, but which sometimes may nonetheless be considered reasonable in law.

We argue that the scope of permissible self-help in defending one's privacy should be quite broad. There is exigency in that resort to legally administered remedies would be impracticable; and worse, the harm caused by a drone that escapes with intrusive recordings can be substantial and hard to remedy after the fact. Further, it is common for new technology to be seen as risky and dangerous, and until proven otherwise drones are no exception. At least initially, violent self-help will seem, and often may be, reasonable even when the privacy threat is not great -- or even extant. We therefore suggest measures to reduce uncertainties about robots, ranging from forbidding weaponized robots to requiring lights, and other markings that would announce a robot's capabilities, and RFID chips and serial numbers that would uniquely identify the robot's owner.

The paper concludes with a brief examination of what if anything our survey of a person's right to defend against robots might tell us about the current state of robot rights against people.

Note that there are drones that shoot back.

Here are two books that talk about these topics. And an article from 2012.

1 day ago Zero-Day Vulnerability in OS X Exploited in the Wild

SecurityWeek

An unpatched local privilege escalation vulnerability in Apple's OS X operating system has been exploited by malicious actors to install adware and other suspicious applications on vulnerable computers.

1 day ago Stanford Expert Says AI Probably Won't Kill Us All

Forbes
But predicts that computer science departments will require a "moral programming" course.

22 hours ago Hackers spread malware via Yahoo ads

SC Magazine
The same hackers that have exploited vulnerabilities of Adobe Flash have used advertising on Yahoo's largest websites to distribute malware to billions.

9 hours ago Power defects: Normal or Common?

IT Toolbox Blogs
Power defects (on power lines) can be classified as normal mode or common mode. Normal mode defects are those that occur between the two current-carrying wires, called neutral and either hot or live. Common mode defects occur between the third wire (...

21 hours ago DRAM "Bitflipping" exploit for attacking PCs: Just add JavaScript

ArsTechnica
Once-esoteric hack that exploits DRAM weakness just got more mainstream.

1 day ago Tunneling, Pivoting, and Web Application Penetration Testing

SANS Reading Room
When conducting a web application penetration test there are times when you want to be able to pivot through a system to which you have gained access, to other systems in order to continue testing. There are many channels that can be used as avenues for pivoting. This paper examines five commonly used channels for pivoting: Netcat relays, SSH local port forwarding, SSH dynamic port forwarding (SOCKS proxy), Meterpreter sessions, and Ncat HTTP proxy; within the context of using them with key tools in the penetration tester

16 hours ago FDA Warns Against Use of Hospira Infusion Pumps (August 1 & 3, 2015)

SANS Newsbites

The US Food and Drug Administration (FDA) is urging hospitals to stop using certain drug infusion pumps from Hospira.......

Latest News

4 hours ago Symantec Patches Critical Vulnerabilities in Endpoint Protection

SecurityWeek

Flaws in Symantec Endpoint Protection Could Allow Hackers to Compromise Corporate Networks

6 hours ago Balance security and convenience with Windows 10's Wi-Fi Sense

TechRepublic
With Windows 10, the feature Wi-Fi Sense is on by default, so it's important that you know what it does and how it works.

26 minutes ago Bunitu Trojan botnet supports commercial VPN infrastructure

ZDNet
The Bunitu Proxy Trojan has moved from malvertising to spreading through virtual private networks to make money for its operators.

43 minutes ago "Man-in-the-Cloud" Attacks Leverage Storage Services to Steal Data

SecurityWeek

Popular cloud storage services such as Google Drive and Dropbox can be abused by malicious actors in what experts call "Man-in-the-Cloud" (MITC) attacks.

43 minutes ago Smoke and Mirrors: Cyber Security Insurance

SecurityWeek

Data breaches have become a daily occurrence. However, their cost to organizations goes far beyond reputational damage in the media. Boards and businesses are subject to regulatory mandates that carry fines and capital holds, and increasingly face litigation from class-action suits. Cyber security insurance has emerged as a stop-gap to protect stakeholders from the shortcomings of siloed risk management processes.

1 hour ago Face Recognition by Thermal Imaging

Schneier blog

New research can identify a person by reading their thermal signature in complete darkness and then matching it with ordinary photographs.

Research paper:

Abstract: Cross modal face matching between the thermal and visible spectrum is a much desired capability for night-time surveillance and security applications. Due to a very large modality gap, thermal-to-visible face recognition is one of the most challenging face matching problems. In this paper, we present an approach to bridge this modality gap by a significant margin. Our approach captures the highly non-linear relationship between the two modalities by using a deep neural network. Our model attempts to learn a non-linear mapping from visible to thermal spectrum while preserving the identity information. We show substantive performance improvement on a difficult thermal-visible face dataset. The presented approach improves the state-of-the-art by more than 10% in terms of Rank-1 identification and bridges the drop in performance due to the modality gap by more than 40%.

1 hour ago U.S. researchers show computers can be hijacked to send data as sound waves

Yahoo Security

By Joseph Menn LAS VEGAS (Reuters) - A team of security researchers has demonstrated the ability to hijack standard equipment inside computers, printers and millions of other devices in order to send information out of an office through sound waves. The new makeshift transmitting antenna, dubbed "Funtenna" by lead researcher Ang Cui of Red Balloon Security, adds another potential channel that likewise would be hard to detect because no traffic logs would catch data leaving the premises. Hackers would need an antenna close to the targeted building to pick up the sound waves, Cui said, and they would need to find some way to get inside a targeted machine and convert the desired data to the format for transmission.

3 hours ago Flash bites again: Huge malware campaign on Yahoo ads hits millions

ZDNet
A week long attack has struck Yahoo visitors using malicious ads.

3 hours ago Ex-FBI on Why Attribution Matters

InfoRiskToday
Attributing who's behind cyberattacks is essential because it helps organizations build better defenses against future attacks, says Greg Kesner, former chief of the Federal Bureau of Investigation's Data Intercept program.

3 hours ago Hot Sessions: Black Hat 2015

InfoRiskToday
Hacking Rifles, Jeeps, Androids and the World
The Black Hat conference features presentations that have already led to very public warnings about remotely hackable flaws in everything from Jeep Cherokees and Linux-powered rifles to Android mobile devices and Mac OS X.

3 hours ago Cybersecurity reads which belong on every bookshelf

ZDNet
Take a plunge into the world of cybersecurity with these recommended reads.

6 hours ago China to put security teams in major Internet firms, websites

Yahoo Security

China is planning to set up "network security offices" in major Internet companies and for websites so authorities can move more quickly against illegal online behavior, the Ministry of Public Security said in a statement. Police should take a leading role in online security and work closely with Internet regulators, the deputy minister, Chen Zhimin, told a conference in Beijing on Tuesday. "We will set up 'network security offices' inside important website and Internet firms, so that we can catch criminal behavior online at the earliest possible point," Chen said, according to the statement.

9 hours ago FBI looking into security of Clinton private email account: Washington Post

Yahoo Security

The FBI has begun looking into the security of Hillary Clinton's private email setup, contacting in the past week a Denver-based technology firm that helped manage the unusual system, the Washington Post reported on Tuesday, citing two government officials. The FBI last week also contacted Clinton's lawyer, David Kendall, with questions about the security of a thumb drive in his possession that contains copies of work emails Clinton sent during her time as secretary of state, the Post said. Clinton's use of her private email account linked to a server in her New York home for her work as America's top diplomat came to light in March and drew fire from political opponents who accused the Democratic presidential candidate of sidestepping transparency and record-keeping laws.

10 hours ago Chrysler and Harman Hit With a Class Action Complaint After Jeep Hack

WIRED

If the complaint is certified as a class action, it could snowball into a case with more than a million potential plaintiffs.
