

Krebs on Security

Original site: Krebs on Security


Another Lizard Arrested, Lizard Lair Hacked

Friday, January 16, 2015 at 22:47

Several media outlets are reporting that authorities in the United Kingdom early this morning arrested an 18-year-old in connection with the denial-of-service attacks on Sony Playstation and Microsoft Xbox systems over Christmas. The arrest is one of several tied to a joint U.K. and U.S. law enforcement investigation into a group calling itself the “Lizard Squad,” and comes as the group’s attack-for-hire online service was completely compromised and leaked to investigators.

A BBC story does not name the individual, saying only that the youth was arrested at an address in Southport, near Liverpool, and that he was accused of unauthorized access to computer material and knowingly providing false information to law enforcement agencies in the United States. The notice about the arrest on the Web site of the Southeast Regional Organized Crime Unit states that this individual has been actively involved in several “swatting” incidents — phoning in fake hostage situations or bomb threats to prompt a police raid at a targeted address.

U.K. police declined to publicly name the individual arrested. But according to the Daily Mail, the youth is one Jordan Lee-Bevan. Known online variously as “Jordie,” “EvilJordie” and “GDKJordie,” the young man frequently adopts the persona of an African American gang member from Chicago, as evidenced in this (extremely explicit) interview he and other Lizard Squad members gave late last year. Jordie’s Twitter account also speaks volumes, although it hasn’t been saying much for the past 13 hours.

Update: Added link to Daily Mail story identifying Jordie as Lee-Bevan.

Original post:

An individual using variations on the “Jordie” nickname was named in this FBI criminal complaint (PDF) from Sept. 2014 as one of three from the U.K. suspected in a string of swatting attacks and bomb threats to schools and universities across the United States in the past year. According to that affidavit, Jordie was a member of a group of males aged 16-18 who called themselves the “ISISGang.”

In one of their most appalling stunts from September 2014, Jordie and his ISIS pals allegedly phoned in a threat to Sandy Hook Elementary — the site of the 2012 school massacre in Newtown, Ct. in which 20 kids and 6 adults were gunned down. According to investigators, the group told the school they were coming to the building with an assault rifle to “kill all your asses.”

In an unrelated development, not long after this publication broke the news that the Lizard Squad’s attack infrastructure is built on a network of thousands of hacked home Internet routers, someone hacked LizardStresser[dot]su, the Web site the group uses to coordinate attacks and sell subscriptions to its attacks-for-hire service. As I noted in a previous story, the attacks on Microsoft and Sony were merely meant to be commercials for this very “stresser” (a.k.a. “booter”) service, which allows paying customers to knock any Web site or individual offline for a small fee.

A copy of the LizardStresser customer database obtained by KrebsOnSecurity shows that it attracted more than 14,241 registered users, but only a few hundred appear to have funded accounts at the service. Interestingly, all registered usernames and passwords were stored in plain text. Also, the database indicates that customers of the service deposited more than USD $11,000 worth of bitcoins to pay for attacks on thousands of Internet addresses and Web sites (including this one).

One page of hundreds of support ticket requests filed by LizardStresser users.

Two other Lizard Squad members also have been rounded up by police since the initial Christmas Day attacks. In late December, U.K. police arrested 22-year-old Vincent “Vinnie” Omari, in connection with the investigation. Additionally, authorities in Finland questioned a 17-year-old named Julius “Ryan/Zeekill” Kivimäki, after he and Omari gave an interview to Sky News about the attacks. Sources say Kivimäki has been arrested and jailed several times in Finland on charges related to credit card theft, although he is currently not in custody.

Sources say the 18-year-old arrested this morning operates only on the fringes of the group responsible for the Christmas day attacks, and that the core members of the Lizard Squad remain at large.

Nevertheless, individuals involved in swatting need to face serious consequences for these potentially deadly stunts. Swatting attacks are not only extremely dangerous, they divert emergency responders away from actual emergencies, and cost taxpayers on average approximately $10,000 (according to the FBI).

In most states, the punishment for calling in a fake hostage situation or bomb threat is a fine and misdemeanor akin to filing a false police report. Having been the victim of a swatting attack myself, allow me to suggest an alternative approach: Treat all of those charged with the crime as an adult, and make the charge attempted murder.

Park ‘N Fly, OneStopParking Confirm Breaches

Wednesday, January 14, 2015 at 17:21

Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that let customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.

When contacted by this author on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected. A portion of its statement reads:

“Park ‘N Fly (“PNF”) has become aware of a security compromise involving payment card data processed through its e-commerce website. PNF has been working continuously to understand the nature and scope of the incident, and has engaged third-party data forensics experts to assist with its investigation. The data compromise has been contained. While the investigation is ongoing, it has been determined that the security of some data from certain payment cards that were used to make reservations through PNF’s e-commerce website is at risk. The data potentially at risk includes the card number, cardholder’s name and billing address, card expiration date, and CVV code. Other loyalty customer data potentially at risk includes email addresses, Park ‘N Fly passwords, and telephone numbers.”

The Park ‘N Fly homepage now includes a conspicuous notice stating that the Web site is temporarily unable to process transactions and directs customers to a 1-800 for reservations.

Reading the Park ‘N Fly disclosure made me wonder if anything had changed over at OneStopParking.com, a Florence, Ky.-based competitor that KrebsOnSecurity reported Dec. 30, 2014 as the likely source of another e-commerce breach. Reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.

Ghanem said his firm is in the process of notifying affected customers.

Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.

The stolen CVVs traced back to both Park ‘N Fly and Onestopparking.com were among thousands for sale in large batches of card data being peddled at Rescator[dot]cm, the same crime shop that first moved cards stolen in the retail breaches at Home Depot, Target, Sally Beauty, P.F. Chang’s and Harbor Freight. The card data in both batches ranged in price from $6 to $9 per card, and included the card number, expiration date, 3-digit card verification code, as well as the cardholder’s name, address and phone number.

Cards from the "Solidus" base at Rescator map back to One Stop Parking.

Predictably, Park ‘N Fly is offering affected consumers 12 months of free credit monitoring services, even though credit protection services generally do nothing to detect or prevent fraud on existing accounts — such as credit cards. For more on what credit monitoring services actually do (and don’t do) check out this primer.

Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.

Adobe, Microsoft Push Critical Security Fixes

Wednesday, January 14, 2015 at 06:03

Microsoft on Tuesday posted eight security updates to fix serious security vulnerabilities in computers powered by its Windows operating system. Separately, Adobe pushed out a patch to plug at least nine holes in its Flash Player software.

Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.

For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch. Somehow I doubt this is the last time we’ll see this tension between these two software giants. But then again, who said patching had to be boring? For a full rundown of updates fixed in today’s release, see this link.

Adobe, as it is prone to do on Patch Tuesday, issued an update to fix a whole mess of security problems with its Flash Player program. Adobe’s update brings the Player to v. 16.0.0.257 for Windows and Mac users, and fixes at least nine critical bugs in the software. Adobe said it is not aware of exploits that exist in the wild for any of the vulnerabilities fixed in this release.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. If your version of Chrome doesn’t show the latest version of Flash, you may need to restart the browser or manually force Chrome to check for updates (click the three-bar icon to the right of the address bar, select “About Google Chrome” and it should check then).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

As always, please feel free to sound off in the comments section below with your experience about applying any of these security patches.

Toward Better Privacy, Data Breach Laws

Tuesday, January 13, 2015 at 18:59

President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches.

The plan is intended to unify nearly four dozen disparate state data breach disclosure laws into a single, federal standard. But as experts quoted in this story from The New York Times rightly note, much rides on whether or not any federal breach disclosure law is a baseline law that allows states to pass stronger standards.

For example, right now seven states already have so-called “shot-clock” disclosure laws, some more stringent; Connecticut requires insurance firms to notify no more than five days after discovering a breach; California has similar requirements for health providers. Also, at least 14 states and the District of Columbia have laws that permit affected consumers to sue a company for damages in the wake of a breach. What’s more, many states define “personal information” differently and hence have different triggers for what requires a company to disclose. For an excellent breakdown on the various data breach disclosure laws, see this analysis by BakerHostetler (PDF).

Leaving aside the weighty question of federal preemption, I’d like to see a discussion here and elsewhere about a requirement which mandates that companies disclose how they got breached. Naturally, we wouldn’t expect companies to disclose the specific technologies they’re using in a public breach document. Additionally, forensics firms called in to investigate aren’t always able to precisely pinpoint the cause or source of the breach.

But this information could be publicly shared in a timely way when it’s available, and appropriately anonymized. It’s unfortunate that while we’ve heard time and again about credit card breaches at retail establishments, we know very little about how those organizations were breached in the first place. A requirement to share the “how” of the hack when it’s known and anonymized by industry would be helpful.

I also want to address the issue of encryption. Many security experts insist that there ought to be a carve-out that would allow companies to avoid disclosure requirements in a breach that exposes properly encrypted sensitive data (i.e., the intruders did not also manage to steal the private key needed to decrypt the data). While a broader adoption of encryption could help lessen the impact of breaches, this exception is in some form already included in nearly all four dozen state data breach disclosure laws, and it doesn’t seem to have lessened the frequency of breach alerts.

I suspect there are several reasons for this. The most obvious is that few organizations that suffer a breach are encrypting their sensitive data, or that they’re doing so sloppily (exposing the encryption key, e.g.). Also, most states have provisions in their breach disclosure laws that require a “risk of harm” analysis that forces the victim organization to determine whether the breach is reasonably likely to result in harm (such as identity theft) to the affected consumer.

This is important because many of these breaches are the result of thieves breaking into a Web site database and stealing passwords, and in far too many cases the stolen passwords are not encrypted but instead “hashed” using a relatively weak and easy-to-crack approach such as MD5 or SHA-1. For a good basic breakdown on the difference between encrypting data and hashing it, check out this post. Also, for a primer on far more secure alternatives to cryptographic hashes, see my 2012 interview with Thomas Ptacek, How Companies Can Beef Up Password Security.
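The passage above contrasts bare MD5/SHA-1 password digests with the slower, salted schemes covered in the linked interview. The following is an added example, not code from this post or from that interview: it uses PBKDF2-HMAC-SHA256 from Python’s standard library as the stand-in for the stronger alternative, and the record format, the audit helper and the sample user table are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional


def weak_unsalted_md5(password: str) -> str:
    """How a weak site stores passwords: a bare, unsalted MD5 digest.
    Kept here only to build the constructed sample records below."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample in the style of a breached site's user table (not real data).
SAMPLE_USERS: Dict[str, str] = {
    "alice": weak_unsalted_md5("password123"),
    "bob": weak_unsalted_md5("password123"),   # same password, hence same digest
    "carol": weak_unsalted_md5("correct horse"),
}

_HEX = re.compile(r"^[0-9a-f]+$")


def classify_record(stored: str) -> str:
    """Audit helper: infer from its shape how a stored credential was hashed.
    A bare 32/40-hex string is an unsalted MD5/SHA-1 digest (weak); records
    written by hash_password() carry the algorithm, cost and salt."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2-salted"
    if _HEX.match(stored):
        return {32: "md5-unsalted", 40: "sha1-unsalted"}.get(len(stored), "unknown-hex")
    return "unknown"


def shared_digests(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Users whose stored values are identical. With unsalted hashing, a shared
    digest reveals a shared password before any cracking is attempted."""
    by_digest: Dict[str, List[str]] = {}
    for user, stored in records.items():
        by_digest.setdefault(stored, []).append(user)
    return {d: users for d, users in by_digest.items() if len(users) > 1}


def hash_password(password: str, iterations: int = 100_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record: algo$iterations$salt$digest.
    A fresh random salt per user means equal passwords yield different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record (wrong field count, bad hex or integer)
        return False


if __name__ == "__main__":
    print("users sharing an unsalted digest:", shared_digests(SAMPLE_USERS))
    rec = hash_password("password123")
    print(classify_record(rec), verify_password("password123", rec))
```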

As long as we’re dealing with laws to help companies shore up their security, I would very much like to see some kind of legislative approach that includes ways to incentivize more companies to deploy two-factor and two step authentication — not just for their customers, but just as crucially (if not more so) for their employees.

PRIVACY PROMISES

President Obama also said he would propose the Student Data Privacy Act, which, according to The Times, would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software. The story also noted that the president was touting voluntary agreements by companies to safeguard energy data and to provide easy access to consumer credit scores. While Americans can by law get a free copy of their credit report from each of the three major credit bureaus once per year — at annualcreditreport.com — most consumers still have to pay to see their credit scores.

These changes would be welcome, but they fall far short of the sorts of revisions we need to the privacy laws in this country, some of which were written in the 1980s and predate even the advent of Web browsing technology. As I’ve discussed at length on this blog, Congress sorely needs to update the Electronic Communications Privacy Act (ECPA), the 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent. For more on the effort to change the status quo, see digitaldueprocess.org.

Also, I’d like to see a broader discussion of privacy proposals that cover what companies can and must/must not do with all the biometric data they’re collecting from consumers. Companies are tripping over themselves to collect oodles of potentially very sensitive such data from consumers, and yet we still have no basic principles that say what companies can do with that information, how much they can collect, how they can collect it or share it, or how they will protect that information.

There are a handful of exceptions at the state level (read more here). But overall, we’re really lacking any sort of basic protections for that information, and consumers are giving it away every day without fully realizing there are basically zero federal standards for what can or should be done with this information.

Coming back to the subject of encryption: Considering how few companies actually make customer data encryption the default approach, it’s discouraging to see elements of this administration criticizing companies for it. There is likely a big showdown coming between the major mobile players and federal investigators over encryption. Apple and Google’s recent decision to introduce default, irrevocable data encryption on all devices powered by their latest operating systems has prompted calls from the U.S. law enforcement community for legislation that would require mobile providers to allow law enforcement officials to bypass that security in criminal investigations.

In October, FBI Director James Comey called on the mobile giants to dump their new encryption policies. Last week, I spoke at a conference in New York where the panel prior to my talk was an address from New York’s top prosecutor, who said he was working with unnamed lawmakers to craft new legal requirements. Last week, Sen. Ron Wyden (D-Ore.) reintroduced a bill that would bar the government from requiring tech companies to build so-called “backdoor” access to their data for law enforcement.

This tension is being felt across the pond as well: British Prime Minister David Cameron also has pledged new anti-terror laws that give U.K. security services the ability to read encrypted communications on mobile devices.

KrebsOnSecurity Wins Ntl’ Journalism Award

Monday, January 12, 2015 at 21:56

I put this out on Twitter last Friday but wanted to note it here in the blog as well: The National Press Foundation graciously announced last week that it plans to award me its Chairman’s Citation, which “confers recognition on individuals whose accomplishments fall outside the traditional categories of excellence.”

I’m truly honored by this award, and more than a little humbled by the pedigree of its previous winners. The NPF’s Chairman’s Citation was last awarded in 2012 to the late, great New York Times reporter Anthony Shadid, who died in Syria that same year. Shadid, a two-time Pulitzer Prize winner, was also a former Washington Post reporter. Likewise, the award was presented in 2010 to Colbert King, a Pulitzer Prize-winning columnist at The Post.

This honor also gives me another opportunity and platform for proselytizing to media colleagues about the merits and rewards of being an independent journalist. Some of my reporter friends probably get sick of hearing it from me, but there has never been a more important time for reporters who are passionate about creating original, impactful content to consider going it alone. A diversity of authoritative (and accountable) voices on important topics keeps the mainstream media honest and on its toes. More crucially, it helps inspire and cultivate the next generation of the Fourth Estate.

A hearty “THANK YOU” to the NPF for this recognition, and to the faithful readers here who make this all worthwhile!