Teen arrested for 30 “swatting” attacks against schools, security reporter

60 criminal offenses charged against 16-year-old who provoked SWAT team visits.

Police in the Canadian city of Ottawa said they arrested a 16-year-old male charged with carrying out so-called "swatting" attacks against 30 North American targets.

The targets included KrebsOnSecurity reporter Brian Krebs, who was previously on the receiving end of a vicious swatting attack that resulted in a team of police pointing guns at him as he opened the front door of his Virginia home. Krebs said the recent attacks were preceded by taunts from someone controlling the Twitter handle @ProbablyOnion. The last tweet from that account, made on Thursday, stated: "Still awaiting for the horsies to bash down my door." The individual didn't have long to wait. That same day, the 16-year-old was arrested, according to press releases issued by the Ottawa Police Service and the FBI.

Swatting refers to the act of knowingly giving authorities false information about bomb threats, the taking of hostages, or similar threats in progress with the goal of tricking heavily armed police into raiding the location of an innocent person or group. According to authorities, the unnamed 16-year-old allegedly carried out swatting attacks on 30 targets, including schools in North America that responded with lockdowns or evacuations. The minor was charged with 60 criminal offenses, including public mischief, mischief to property, uttering death threats, and conveying false info with intent to alarm.


Linux gets fix for code-execution flaw that was undetected since 2009

Vulnerability could be particularly serious for shared Web-hosting services.

Maintainers of the Linux kernel have patched one of the more serious security bugs to be disclosed in the open source operating system in recent months. The five-year-old code-execution hole leaves computers used in shared Web hosting services particularly vulnerable, so users and administrators should make sure systems are running updated versions that contain a fix.

The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device.

"This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31)," Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. "A bug this serious only comes out once every couple years." As Ars reported in May 2013, the then-two-year-old CVE-2013-2049 continued to imperil users more than a month after Linux maintainers quietly released a patch for the gaping hole.
