Malvertising – When trusted websites go rogue [Security SOS Week]

Every day this week, Sophos’s top security gurus will be stepping up to the microphone to share their expertise with you, free of charge.

In each 30-minute webinar, Naked Security’s very own Paul Ducklin will be interviewing our experts to help you cut through the jargon and understand the real issues in computer security today.

Each webinar will take place at 2pm UK time (14:00 UTC, 15:00 CET, 10:00 EDT), and will consist of about 20 minutes of live interview, followed by 10 minutes of questions and answers.

Today’s webinar: Malvertising – When trusted websites go rogue

Today, Paul Ducklin is talking to John Shier, Sophos IT Security Specialist.

Crooks don’t need to hack into a mainstream website to infect it with malware.

They can get away with hacking just one ad served up by one ad network – and some high-traffic sites take content from hundreds of different ad networks at a time.

This is “malvertising”, and it hurts the websites that get affected, the ad networks that get compromised…and the victims who get infected while surfing their usual, trusted and unexceptionable sites.

Even mainstream sites – sites that you’d never get into trouble for browsing at work, because they’re well-known sites with useful content – can fall victim to malvertising.

Indeed, this week’s news is that at least BBC, Newsweek, The New York Times and MSN were affected over the weekend.

So it’s certainly the sort of problem that could happen to you!

John will explain how malvertising works, why crooks love it, and what we can do to stamp it out.

Register now!

Miss yesterday’s webinar? Listen now to Sophos VP of Product Management, John Shaw, give incisive commentary on the Great Backdoor Debate: “Can you strengthen security by weakening it?”

Amazon wants you to pay by face

How many times have you cringed in shame because you had to turn away from friends or co-workers to keep them from spying as you enter your password?

What? Never?

No! Wrong answer.

Amazon already knows how we hide in a closet to keep our authentication private, particularly with mobile devices, their itsy bitsy screens or keyboards, and our fat fingers.

There’s got to be a better way, Amazon says.

So it’s filed a patent for payment-via-facial-contortion, also known as selfies. [Shouldn’t that be ‘gurning’? Ed.]

From the patent application it filed in October and published last Thursday:

“While many conventional approaches rely on password entry for user authentication, these passwords can be stolen or discovered by other persons who can impersonate the user for any of a variety of tasks.

“Further, [they] can require the user to turn away from friends or co-workers when entering a password, which can be awkward or embarrassing in many situations.”

The situation has given rise to risky security on mobile gadgets, Amazon says.

For example, sometimes we store our passwords on devices, leaving our phones and tablets easily hijacked by anybody who picks them up.

To avoid that, some users use stupid-short passwords that are easier for our bovine hooves to stab in.

Those are equally ungood, Amazon says: “[Short and simple] passwords can be easily hacked by an unscrupulous user or application.”

So the company has filed a patent to allow shoppers to confirm purchases by taking a selfie, be it by photo or video.

The technology would enable users to authenticate payments using a photo or video without necessarily requiring passwords, the patent says:

The user is identified using image information which is processed utilizing facial recognition. The device verifies that the image information corresponds to a living human using one or more human-verification processes. The device prompts the user to perform an action to confirm the transaction, and causes the transaction to be performed after verifying performance of the action by the identified user.

Verifying human-ness is a definite must, given that facial recognition alone won’t cut it. It’s too easy to spoof by holding up a 2D picture to a camera.

Google’s been there.

In June 2013, it too filed a patent for a way to let users unlock their phones by making funny faces: the patent covered a way to match up “facial landmarks” between two facial images, as well as performing a “predetermined facial gesture” to get there, like sticking out your tongue or wiggling your eyebrows.

It was just one of a running series of Google’s attempts to remedy the Face Unlock feature introduced in the Ice Cream Sandwich version of Android: a feature that was tricked by holding up a photo to the phone.

Google responded by introducing a technique called “Liveness Check” that required users to blink to prove they were alive and not just a photo.

Nice try. Researchers using the most basic of photo editing tools managed to fool Liveness Check with just a few minutes of editing, animating photos to make them look like subjects were fluttering their eyelashes.

Google hoped that the funny-face technology it patented three years ago would be harder to crack, since it could ask for any of a number of gestures, forcing an intruder to do quite a lot of grimacing or photo-editing in order to illicitly use another’s Android phone.

Judging by its patent, it looks like Amazon’s planning to use head-tracking technologies, facial movements, infrared image information, thermal imaging data, or a combination of all these approaches to establish that we’re as alive as we claim to be:

A computing device can capture video information of the user over a period of time to determine whether the user performs an action indicative of a physical person, such as by blinking or making another such motion. In some embodiments, the device can prompt the user to perform certain actions, motions, or gestures, such as to smile, blink, or tilt his or her head.

Analyzing all that video with facial detection gets very resource-intensive.

Amazon’s thinking of cutting through the number crunching with a pattern-matching algorithm that could match the shape of a human head with a fair degree of certainty.

Once it hits on the known contour of a human head, Amazon would have at least one user authentication process in the bag, it says.


Let’s hope that selfie authentication fares better than its woebegone biometric brethren, the fingerprint.

Take Apple’s Touch ID. As of this time last year, RBS and NatWest hooked up their online banking apps so customers could use fingerprints to do their online banking: just two of a growing list of third-party apps using Touch ID for authentication.

You can see the appeal: a finger swipe combines convenience—no more hunching over to obscure your password stabbing!—with the security of a unique identifier: i.e., your fingerprint.

Unfortunately, you can’t change your fingerprint unless you employ pain, acid and/or James Bond techniques, so if it’s compromised, well, ouch.

And compromised it has been.

Not long after Apple unveiled the iPhone 5s and biometric locking with Touch ID, hackers at Chaos Computer Club (CCC) punctured its aura of security by tricking the sensor using a “stolen” fingerprint.

They took a copy of a target’s fingerprint with a high-resolution image, printed out a reverse of the fingerprint using heavy amounts of printer toner to create a mold, and then made a replica fingerprint with wood glue.

It wasn’t Apple’s bad: another group of researchers used the same method to hack the fingerprint sensor on the Samsung Galaxy S5.

Last week, yet another pair of researchers ditched the muss and fuss, using a regular 2D inkjet printer to make a usable copy of a fingerprint with silver conductive ink cartridges and AgIC paper.

No mold needed, no glue to dry – just scan the fingerprint, print it out on the special paper, and swipe.

Don’t count fingerprints out altogether as a biometric authenticator, though: at the Consumer Electronics Show in Las Vegas a few months ago, a phone from Letv came out with a liveness detection capability designed to detect an actual finger is being used, not just a wax dummy or high-quality scan.

When it comes to biometric authentication, it’s all about liveness nowadays.

Are you ready to use selfies to log onto Amazon and order everything you need to maintain liveness—dehydrated cheddar cheese, toilet paper, plastic wrap—without actually having to leave the house?

Let us know your thoughts below.


Google says hack Chromebook, get $100K richer

Last year, Google got zero, zip, zilch successful submissions for hacking Chromebook.

So this year, it’s getting more serious still about rooting out security failure: it’s doubling the already healthy $50,000 bounty to six decimal dollar digits: $100,000.

Google, which has paid out more than $6 million in bug bounties since it started the program in 2010, announced the beefed-up reward on its Security Blog on Monday.

Nathan Parker, “Chrome Defender,” and Tim Willis, “Hacker Philanthropist,” said that since Google introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode last year, it’s had no successful submission.

A persistent compromise on a Chromebook in guest mode would be one in which an attacker’s code sticks around on the device even after it’s rebooted. Such an attack would rear its head again in subsequent guest-mode sessions.

Since “great research deserves great awards,” Google says it’s putting up a standing six-figure sum, available all year round: no quotas, no maximum reward pool.


Separately, it’s also extending its reward program to cover methods that bypass Chrome’s Safe Browsing download protection features.

In December, Google said that its Safe Browsing service was already protecting about 1 billion desktop users from all sorts of online nastiness, be it malware, unsavory software, or social engineering (particularly phishing) sites.

Then, it put Android users under the Safe Browsing umbrella, extending Safe Browsing inoculation to Chrome users on Android.

Google added unwanted software download warnings to its Safe Browsing service in August 2014 to give users a heads-up when software was doing something sneaky – like switching your homepage or other browser settings to ones you don’t want, piggybacking on another app’s installation, or collecting or transmitting private information without letting a user know, among other things.

Now, it wants to reward those who find a way to get nastyware past Safe Browsing.

It’s got details on its reward program page, including that it will shell out $1,000 for a high-quality report of a Download Protection Bypass.


Anonymous escalates offensive against Trump, declares ‘total war’

Anonymous is urging the hacker community to take down Donald Trump’s websites and expose any dirty laundry they can find on the candidate.

Hacktivist group Anonymous has doubled down on its threats to interfere with Donald Trump’s presidential campaign, declaring “total war” against the candidate in a YouTube video.

In the online video, Anonymous establishes April 1 as a target date to launch a cyberattack against, the official site of Trump’s Chicago-based condominiums, and attempts to recruit the hacker community at large to take down other Trump online assets and dig up dirt on the controversial businessman.

“Dear Donald Trump, we have been watching you for a long time and what we see is deeply disturbing,” an individual donning a Guy Fawkes mask stated in an electronically altered voice. “Your inconsistent and hateful campaign has not only shocked the United States of America, you have shocked the entire planet with your appalling actions and ideas.”

“You say what your current audience wants to hear but in reality you don’t stand for anything except for your personal greed and power,” the voice in the video continued.

A link in the YouTube video sent users to a Ghostbin page listing the following Trump websites, as well as support sites:,,,,, and The webpage also lists Trump’s alleged Social Security number, birth date, cell phone number and other personal information.

Anonymous fired its first salvo against Trump in December 2015, claiming to execute a DDoS attack on the Trump Tower website in reaction to the Republican candidate’s proposal to ban all Muslim immigrants from entering the U.S. The hacktivists behind this most recent video, who purported to be from a different branch of Anonymous than the one that originally targeted Trump, called this latest development a revival of that operation “on a far larger scale.”

The group is even recruiting non-hackers to help the cause by re-uploading the video to their own channels and sharing it with others.

“We need you to dismantle his campaign and sabotage his brand,” the person in the video stated.

Attacker leaves “SECURITY TIPS” after invading anti-DDoS firm Staminus

Staminus, a California-based internet hosting provider that specializes in helping sites stay online when distributed denial of service (DDoS) attackers try to elbow them off, was itself the target of a cyber broadside last week.

At any rate, it started last week, with reports of the company’s site being down as of Thursday. But as of Monday, it was again, or maybe still, sucking wind.

Staminus on Friday put out a statement confirming that its network security had been popped and invaded, systems had been “temporarily” taken offline, and customer data had been published online.

The company posted a series of updates on Twitter and Facebook while its website was down, explaining that this was a “rare event.”

But even while Staminus techs were scrambling to drag the company’s site back online, whoever mugged it was dumping its private data online in what security journalist Brian Krebs called a “classic ‘hacker e-zine’ format” called “F**k ’em all.”


Krebs reports that the page included links to download databases reportedly stolen from Staminus and from Intreppid, another Staminus project that targets customers looking for protection against large DDoS attacks.

The huge data dump included customer names and email addresses, database table structures, routing tables, support tickets, credit card numbers (according to Krebs, at any rate; Ars Technica’s Sean Gallagher didn’t see any when he viewed the dump), and other sensitive data.

A Staminus customer who requested anonymity confirmed to Ars that his data was part of the dump.

Those behind the dump claimed to have gained control of Staminus’s routers and to have reset them to factory settings.

The hacker “e-zine” that contained all the sensitive data began with a note from the attacker titled “TIPS WHEN RUNNING A SECURITY COMPANY.”

Then, it went on to list tips for what were supposedly the security holes found during the breach:

  • Use one root password for all the boxes
  • Expose PDU’s [power distribution units in server racks] to WAN with telnet auth
  • Never patch, upgrade or audit the stack
  • Disregard PDO [PHP Data Objects] as inconvenient
  • Hedge entire business on security theatre
  • Store full credit card info in plaintext
  • Write all code with wreckless [sic] abandon
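
The PDO line in that list is the one with a concrete, testable lesson: PDO is PHP’s interface for prepared (parameterised) statements, and “disregarding” it usually means building SQL by pasting user input into the query text. The following is an added example of my own, not the attacker’s dump nor any Staminus code, written in Python against a constructed in-memory SQLite table rather than PHP, because sqlite3’s “?” placeholders behave the same way PDO’s bound parameters do. The customer rows and the tautology payload are made up for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two customers, card numbers already truncated."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn

def lookup_concatenated(conn, email):
    """The 'prepared statements are inconvenient' way: user input is pasted
    into the SQL text, so any quote in `email` becomes part of the query and
    the WHERE clause is whatever the caller wants it to be."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, email):
    """The prepared-statement way (sqlite3's '?' placeholder; PDO's bindValue
    is the PHP equivalent): the value travels separately from the SQL text,
    so it can only ever be compared against the email column."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()

# Constructed payload: closes the string literal and appends an always-true clause.
INJECTION = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated: ", lookup_concatenated(db, INJECTION))   # every row, card digits included
    print("parameterised:", lookup_parameterised(db, INJECTION))  # no rows: no such email
```

With the concatenated query the payload turns the WHERE clause into `email = 'nobody@example.com' OR '1'='1'`, which matches every customer; the parameterised query treats the same string as a literal email address and returns nothing. The fix costs one extra argument per query, which is the point the attacker was making.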

On Thursday, Staminus reported that some services were back online or in the process of being brought back and that “We expect full service restoration soon.”

Then, another message posted on Friday pointed to the statement from the company’s CEO.

That was the last message. What followed was radio silence, unbroken as of Monday evening.

Krebs pointed out that the attack isn’t surprising: anti-DDoS providers are a common target for attackers.


IT depts. suffering from ‘patch fatigue,’ study says

A study found that half of IT departments could be suffering from ‘patch fatigue.’

Enterprises benefit from having patch management plans to help ensure their IT departments don’t suffer from patch fatigue or become overburdened with patches which could lead to poor cybersecurity hygiene.

In a study of 480 IT professionals, researchers at Tripwire found that half of the respondents struggled to keep up with enterprise patching.

Half also felt that client-side patches are released at an unmanageable rate and 67 percent reported having difficulty understanding which patch needs to be applied to which system.

“Managing patches is an area where there is no ending in sight,” Tripwire Security Research and Software Development Engineer Lane Thames told SCMagazine via emailed comments.

“This can be overwhelming for those who are responsible for correct testing and deployment of patches in IT environments, especially as new systems are added to the environments because of business needs,” he said.

Thames said the sheer volume of patches that respondents deal with can seem unmanageable.

More than 6,000 new Common Vulnerabilities and Exposures (CVE) were assigned in 2015, according to the study.

“If only one-tenth of those vulnerabilities affected devices in your area of responsibility, you would have been responsible for resolving 630 vulnerabilities annually or 2.5 vulnerabilities each business day,” researchers said in the study.

Researchers at Tripwire said it is also an inconvenience when companies release unexpected updates that could potentially shut down enterprise systems.

Thames said a deeper collaboration between developers and their customers’ IT departments could help to shed more light on the current problems faced by IT personnel.

Currently, very few systems use the same patch installation methodology and IT organizations are responsible for so much technology it is impossible for individuals to be subject matter experts on each type of technology, he added.

“As a result, most individuals working in IT who are responsible for patch management will face difficulties understanding how to patch various systems,” Thames said.

To help combat this, enterprises should invest in both patch vulnerability and patch management software solutions to help their IT departments get a picture of the security posture, including current patch levels and known risks, researchers said in the study.

“Without these tools, individuals must be aware of every asset and every application installed on every asset,” researchers said.

Researchers recommend enterprises set up schedules, assign responsibilities, plan for unexpected issues, and allocate the appropriate amount of staff and time to deal with patches to help combat patch fatigue.

The first step in resolving patch fatigue is identifying it, the study said, suggesting that IT teams look for potential points of failure and stress.

“Our study indicates that IT organizations can barely maintain their existing technologies,” Thames said.

Thames said this implies that there is room for improvement and will require holistic, cross-disciplinary approaches involving both people and technology to solve future issues.

Hacker picks 1-800-FLOWERS’ customers’ credit card info

A hacker took names, addresses and payment card info. (Photo courtesy of Pascalle Van Deurzen)

In a post-Valentine’s Day attack the e-commerce site of 1-800-FLOWERS was accessed by an unauthorized person for more than a day during which time about 7,000 customers placing orders on the site may have had their personal and payment information compromised.

The online flower retailer said in a letter to the California Department of Justice that for a 33-hour period – stretching from the evening of Feb. 15 to early morning on Feb. 17 – an attacker collected the name, address, email address, payment card number along with its expiration date and CVV security code of all those placing or attempting to place orders on the site.

The company would not disclose how the attacker breached its system, but gave some insight on how 1-800-FLOWERS discovered the issue.

“Our customer service team received reports on Feb. 15, 2016 from several customers indicating that they were unable to complete their online orders. Our operations team initiated an investigation and identified signs of unauthorized access to the network that operates our e-commerce platform,” Joseph Pititto, the company’s senior vice president, investor relations, told Thursday in an email.

Pititto said the company has received no reports that the information taken has been used in a malicious fashion.

1-800-FLOWERS said it has resolved the issue and is warning anyone who was on the site during the affected period to remain vigilant and review payment card statements carefully for unknown activity.

Forget iPhone backdoors, here’s a *side* door that can steal your keys

Remember the early days of mobile phones?

You’d be watching TV, or listening to the radio, and you’d hear a sound like Chzzzt – Chzzzt – Chzzzt, and you’d know someone’s phone was about to ring.

The interference was a side-effect of your phone waking up and saying to the local network, “Here I am! You can put that call through to me here.”

Obviously, a mobile phone is supposed to give out electromagnetic radiation, but the strength and the pattern of the “Here I am” communication was especially noticeable and recognisable, even when the eavesdropping circuitry was no more sophisticated than the wiring and the loudspeaker inside some nearby device.

As you can probably imagine, you can dig much more precisely into what a phone is up to if you introduce a targeted receiver and a dedicated signal-processing computer.

And that’s what researchers from Israel and Australia did recently when they set out to see what they could learn from you if they were able – literally and figuratively – to hide under the table while you used your iPhone.

The receiver coil in the photo is a magnetic probe (the researchers say it cost about $2, but you could wind your own if you wanted to) that generates a tiny and ever-changing current as the electromagnetic fields around it wax and wane.

The signal processing is done by a sound digitiser, which conveniently converts the output of the coil into a waveform that is sent over USB, and by the laptop that receives the waveform.

The researchers focused specifically on the emissions that happened when specific parts of specific software ran, namely the programming responsible for certain sorts of digital signature validation in the following cryptographic libraries:

  • OpenSSL, included in numerous mobile apps.
  • The iOS CommonCrypto library, the core operating system component used by a wide variety of iOS apps.
  • CoreBitcoin, used by various Bitcoin wallet programs.
  • Bitcoin Core, another library common in the Bitcoin ecosystem. (They got nowhere with this one.)

The researchers found that they could sometimes differentiate between two special sorts of arithmetic calculation inside the code used for a specific sort of digital signature called the Elliptic Curve Digital Signature Algorithm (ECDSA).

In particular, they could tell when the code was doing a DOUBLE (doubling a point on the curve, the elliptic-curve equivalent of multiplying by 2) and when it was doing an ADD (adding two points together): these are the two steps that make up the scalar multiplication at the heart of every ECDSA signature.

You’re probably thinking, “You can tell when the program is doing plus and when it is doing times. So what?”

Cryptographic arithmetic isn’t usually quite as easy as 2+2 or 3×5, because the numbers involved are often hundreds of digits long. The calculations are more like “multiply the number of protons in the universe by all the possible games of chess, and add the distance to Alpha Centauri in nanometres.”

But it turns out that by tracking which operations happen in what order, you can tell what’s happening inside the algorithm; those patterns, in turn, are determined by the values of the individual bits in the input.

In ECDSA the number being multiplied is a secret: the per-signature nonce, and anyone who learns enough bits of enough nonces can work back to the private key. So the internal structure of that secret produces a sort-of electromagnetic rhythm that leaks information about which bits are 1 and which bits are 0.

By way of analogy, imagine that you asked me to add up a long column of digits aloud, one by one, moving the point of my pen down the column to keep track of the process.

If all you knew is how long my pen spent pointing at each digit, you’d still almost certainly be able to guess where the zeros were, because I’d skip over them and not say anything, so they’d stand out in your timing data.

You might also find I’d be a bit slower adding the 8s and 9s than I would be adding the 1s and 2s, so you could use that to guess at yet more of the digits in the list, and so on.
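
To make the pen-and-column analogy concrete, here is an added example (my own, not the researchers’ code nor any of the libraries named above) on a deliberately tiny curve: y² = x³ + 2x + 2 over GF(17), with the textbook base point (5, 1) of order 19. The textbook double-and-add routine records a “D” or an “A” each time it runs the corresponding step, standing in for what the probe sees; the attacker then reads the scalar straight off that trace. The Montgomery ladder computes the same result but performs one add and one double per bit regardless of the bit’s value, so the trace is the same for every scalar of the same length. The trace is noise-free here, which is why one run suffices where the real attack needed thousands of signatures; and only the operation sequence is made uniform, since a real constant-time implementation also needs branch-free arithmetic and fixed-length scalars.

```python
# Toy model of the DOUBLE/ADD leak and of the constant-sequence fix.
# Added example on a tiny curve over GF(17); not the researchers' code
# and not any real library's implementation.

P, A, B = 17, 2, 2            # curve y^2 = x^3 + 2x + 2 over GF(17)
G = (5, 1)                    # base point of order 19 (textbook toy curve)
INF = None                    # point at infinity

def _inv(x):
    return pow(x % P, P - 2, P)   # Fermat inverse; P is prime

def point_add(p, q):
    """Affine point addition; doubles when p == q; INF for p + (-p)."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p == q:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def double_and_add(k, p, trace):
    """Textbook left-to-right scalar multiplication k*p.
    Appends 'D' per doubling and 'A' per addition to `trace`, the stand-in
    for the probe's view. An ADD runs only for 1-bits, so the trace spells k."""
    r = INF
    for bit in bin(k)[2:]:
        r = point_add(r, r)
        trace.append("D")
        if bit == "1":
            r = point_add(r, p)
            trace.append("A")
    return r

def recover_scalar(trace):
    """What the attacker does with a clean DOUBLE/ADD trace."""
    bits = []
    for op in trace:
        if op == "D":
            bits.append("0")      # every doubling starts a new bit...
        else:
            bits[-1] = "1"        # ...and a following add marks it as a 1
    return int("".join(bits), 2)

def montgomery_ladder(k, p, trace):
    """Same result, but each bit costs exactly one add and one double,
    so the sequence of routines no longer depends on the bits of k."""
    r0, r1 = INF, p               # invariant: r1 == r0 + p
    for bit in bin(k)[2:]:
        if bit == "0":
            r1 = point_add(r0, r1)
            r0 = point_add(r0, r0)
        else:
            r0 = point_add(r0, r1)
            r1 = point_add(r1, r1)
        trace.append("A")
        trace.append("D")
    return r0

if __name__ == "__main__":
    for k in (13, 8):                      # two different 4-bit scalars
        leaky, uniform = [], []
        assert double_and_add(k, G, leaky) == montgomery_ladder(k, G, uniform)
        print(k, "".join(leaky), "-> recovered", recover_scalar(leaky),
              "| ladder:", "".join(uniform))
```

Running it shows 13 leaving the trace DADADDA (read as 1101) while 8 leaves DADDD (1000); the ladder leaves ADADADAD for both. That is the whole of the “algorithmic consistency” point made further down: the ladder is slightly slower, and that is the price of a trace that says nothing about the key.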

The researchers also claim that they can attack an iPhone by monitoring power-supply fluctuations, rather than emitted radiation, using a booby-trapped charger cable.

They tried Android phones, too, but apparently had some trouble, because they needed lab-grade equipment to sniff out the DOUBLEs and ADDs on their Xperia X10.

Don’t panic.

This attack is absurdly difficult to pull off, unless you regularly hang out in coffee shops where bringing your own lab equipment is de rigueur.

Attackers also need measurements from several thousand different digital signatures made with the same key in order to have a chance of figuring it out – and that’s an awful lot of activity on Apple Pay or in the Google Play Store.

Better yet, if you have iOS 9 or later, any apps that use Apple’s built-in crypto library appear to be immune anyway.

In other words, even the richest and most determined attacker is unlikely to try this approach, given its very low chance of success, the complexity of setting the whole thing up in the first place, and the plethora of easier ways to get data out of unsuspecting users.

However, if you’re a cryptographic programmer, especially if you work on special-purpose hardware that’s supposed to be resilient even to expensive and cumbersome attacks, it’s a pertinent reminder.

Algorithmic speed is not as important as algorithmic consistency, because anything that leaves behind a pattern that depends on the current inputs could be used in what’s called a side-channel attack, or a “side door.”

As cryptographers are always keen to remind us, “Plan ahead, because attacks only ever get better.”

Trolls who use fake profiles to torment others to be prosecuted

The UK is considering new legal guidelines that would enable adult trolls to be charged if they use a victim’s name and fake information to cook up a bogus profile that might damage their reputation.

According to a statement put out by the Crown Prosecution Service (CPS) on Wednesday, the timer’s now ticking on a 10-week public consultation over the proposed changes.

In addition to covering cases where offenders hide behind fake profiles to torment or trick people, the proposed revisions to the updated Social Media Guidelines also contain guidance on new crimes, including nonconsensual (or “revenge”) porn and domestic abuse.

The CPS statement quoted Alison Saunders, CPS director of public prosecutions, who said that lawyers have to keep up with new crimes that creep forth alongside new technologies:

Online communication is developing at such a fast pace, new ways of targeting and abusing individuals online are constantly emerging. We are seeing more and more cases where social media is being used as a method to facilitate both existing and new offenses.

It is vital that prosecutors consider the bigger picture when looking at evidence and examine both the online and offline behavior pattern of the defendant. Online abuse is cowardly and can be deeply upsetting to the victim.


She noted that the CPS is seeing a rise in violent crimes against women and girls, including domestic abuse, that’s enabled by new technologies.

While “controlling or coercive behavior in an intimate or family relationship” – guidelines for which were published in December – can happen both online and offline, abusers are using technologies such as GPS and spyware to control their victims, the CPS said.

Hence, the CPS has updated the domestic abuse Joint NPCC and CPS Evidence Gathering checklist, to remind officers and prosecutors how this type of abuse is carried out online and what type of related evidence they should seek and collect.

As far as setting up fake accounts go, cybercrooks have used this tactic for a variety of crimes.

One example: Craig Brittain, former owner of the revenge porn site IsAnybodyDown.

Brittain conned women out of nude images by posing as a woman on a Craigslist women’s forum – a practice known as catfishing.

He posted the images (along with Facebook profiles and addresses) and then charged his victims to get the images taken down.

Crooks have also set up bogus profiles on LinkedIn in order to entice users into giving up personal details, direct them to malware-laden websites and, if they manage to get their email addresses, launch spear-phishing campaigns.

Cybercrooks may well think that using a bogus profile and creating websites under fake names might make them untraceable, but they’re flat-out wrong, Saunders said.

Thankfully, this is not the case, and an online footprint will be left by the offender.

The new revised guidelines are available here.

They set out three categories of social media crimes:

  • Category 1: Communications that carry credible threats of violence to a person or damage to property.
  • Category 2: Specific targeting for harassment, stalking, nonconsensual porn, blackmail, or coercive behavior to former partners or family members.
  • Category 3: Communications that lead to a breach of a court order.

Less serious crimes are grouped in a fourth category, including using a false identity to post upsetting messages: for example, by posting false information that could cause anxiety.

The CPS acknowledged the potential for a chilling effect on free speech and said that prosecutors should exercise “considerable caution before bringing charges,” using a high threshold for prosecution.

That threshold includes age: the age and maturity of offenders have to be taken into account, the CPS stipulated, given that children may not realize the harm they’re causing and the seriousness of their communications.

“…a prosecution is rarely likely to be in the public interest” in the case of underage offenders, the CPS said.


This state wants to ban gun-toting, flame-shooting, gas-spraying drones

“The laws have not caught up with technology,” Det. Sgt Joseph Flynn said last December, after police in Clinton, Connecticut were asked about a second incident of an armed drone in that small town.

Flynn was referring to a video, apparently posted on YouTube by 18-year-old Austin Haughwout, showing a remote-controlled quadcopter drone equipped with a home-made flamethrower.

Haughwout’s original claim to fame was another video, posted last July, showing a flying drone firing a handgun in a wooded area.

Haughwout was never charged with a crime.

Now a pair of proposed laws being considered in Connecticut would put an end to arming recreational drones.

A proposal on the “weaponization of drones” would prohibit using an unmanned aerial vehicle (UAV) to release tear gas, remotely control a weapon or “explosive or incendiary device.”

Both bills (one submitted in the Connecticut House of Representatives, the other in the state Senate) use the same language in reference to armed drones.

Except as otherwise provided by law, no person shall operate or use any computer software or other technology, including, but not limited to, an unmanned aerial vehicle, as defined in subdivision (29) of section 15-34 of the general statutes, as amended by this act, that allows a person, when not physically present, to release tear gas or any like or similar deleterious agent or to remotely control a deadly weapon, as defined in section 53a-3 of the general statutes, or an explosive or incendiary device, as defined in section 53-206b of the general statutes.

Connecticut lawmakers had previously considered, but not passed, anti-drone legislation, according to the Hartford Courant.

As recreational drone use takes off, many US states are putting laws on the books to regulate their use.

The states of Oregon, North Carolina and Wisconsin have already banned weaponized drones, while Oregon, West Virginia, New Hampshire and Michigan all passed laws prohibiting the use of drones in hunting, as CNN reports.

Last September, California’s governor blocked passage of a law that would have made it illegal to fly drones less than 350 feet above private property without the property owner’s permission.

If you’re a recreational drone user, make sure you know what restrictions and public safety requirements there are in your city, state or country.

Fly safe!

