According to separate reports in The Tico Times and La Nacion, two Costa Rican daily newspapers, police in Spain arrested Arthur Budovsky Belanchuk, 39, as part of a money laundering investigation jointly run by authorities in New York and Costa Rica.

The papers cited Costa Rican prosecutor José Pablo González saying that Budovsky, a Costa Rican citizen of Ukrainian origin, has been under investigation since 2011 for money laundering using Liberty Reserve, a company he created in Costa Rica. “Local investigations began after a request from a prosecutor’s office in New York,” Tico Times reporter L. Arias wrote. “On Friday, San José prosecutors conducted raids in Budovsky’s house and offices in Escazá, Santa Ana, southwest of San José, and in the province of Heredia, north of the capital. Budovsky’s businesses in Costa Rica apparently were financed by using money from child pornography websites and drug trafficking.”

For those Spanish-speaking readers out there, Gonzalez can be seen announcing the raids in a news conference documented in this youtube.com video (the subtitles option for English do a decent job of translation as well).

Liberty Reserve is a largely unregulated money transfer business that allows customers to open accounts using little more than a valid email address, and this relative anonymity has attracted a huge number of customers from underground economies, particularly cybercrime.

In a now 10-page thread on this crime forum, many members are facing steep losses.

The trouble started on Thursday, when libertyreserve.com inexplicably went offline. The outage set off increasingly anxious discussions on several major cybercrime forums online, as many that work and ply their trade in malicious software and banking fraud found themselves unable to access their funds. For example, a bulletproof hosting provider on Darkode.com known as “off-sho.re” (a hacker profiled in this blog last week) said he stood to lose $25,000, and that the Liberty Reserve shutdown “could be the most massive ownage in the history of e-currency.”

That concern turned to dread for some after it became apparent that this was no ordinary outage. On Friday, the domain name servers for Libertyreserve.com were changed and pointed to ns1.sinkhole.shadowserver.org and ns2.sinkhole.shadowserver.org. Shadowserver is an all-volunteer nonprofit organization that works to help Internet service providers and hosting firms eradicate malware infections and botnets located on their servers.

In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. In its 2011 takedown of the Coreflood botnet, for example, the U.S. Justice Department relied on sinkholes maintained by the nonprofit Internet Systems Consortium (ISC). Sinkholes are most often used to seize control of botnets, by interrupting the DNS names the botnet is programmed to use. Ironically, as of this writing Shadowserver.org is not resolving, possibly because the Web site is under a botnet attack (hackers from at least one forum threatened to attack Shadowserver.org in retaliation for losing access to their funds).

Reached via Twitter, a representative from Shadowserver declined to comment on the outage or about Liberty Reserve, saying “We are not able to provide public comment at this time.” I could find no official statement from the U.S. Justice Department on this matter either.

Libertyreserve.com is not the only virtual currency exchange that has been redirected to Shadowserver’s DNS servers. According to passive DNS data collected by the ISC, at least five digital currency exchanges –milenia-finance.com, asianagold.com, exchangezone.com, moneycentralmarket.com and swiftexchanger.com – also went offline this week, their DNS records changed to the same sinkhole entries at shadowserver.org.

Assuming the reports at The Tico Times and El Nacion are accurate, this would not be the first time Mr. Budovsky has attracted attention from authorities for money laundering. According to the Justice Department, on July 27, 2006, Arthur Budovsky and a man named Vladimir Kats were indicted by the state of New York on charges of operating an illegal money transmittal business, GoldAge Inc., from their Brooklyn apartments. From a Justice Department account of that case:

“The defendants had transmitted at least $30 million to digital currency accounts worldwide since beginning operations in 2002. The digital currency exchanger, GoldAge, received and transmitted $4 million between January 1, 2006, and June 30, 2006, as part of the money laundering scheme. Customers opened online GoldAge accounts with limited documentation of identity, then GoldAge purchased digital gold currency through those accounts; the defendants’ fees sometimes exceeded $100,000. Customers could choose their method of payment to GoldAge: wire remittances, cash deposits, postal money orders, or checks. Finally, the customers could withdraw the money by requesting wire transfers to accounts anywhere in the world or by having checks sent to any identified individual.”

From the U.S. government’s description, Liberty Reserve sounds virtually indistinguishable from GoldAge, except for having been based in Costa Rica. If Liberty Reseve stays offline, this could cause a major upheaval in the cybercrime economy. I will be following this case closely, and would expect to hear more about this apparently coordinated takedown following the Memorial Day holiday in the U.S. on Monday.

For now, however, many in the underground would rather believe almost any other explanation than a law enforcement takedown. The administrator of cybercrime forum Carder.pro, for example, has been telling forum members that the entire incident is the work of professional hackers working for Liberty Reserve’s competitors.

Carder.pro administrator “Ninja” isn’t buying the news being reported by Costa Rican media.

A new privacy feature in Skype Beta 6.5 for Windows and Mac 6.4

As I wrote on March 21, 2013,  number of services have emerged to help snoops and ne’er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for “skype resolver” returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target’s Skype account name.

The resolvers can look up the IP address of any Skype user — whether or not that user is in your contacts list or even online at the time of the lookup. What’s more, resolver services frequently are offered in tandem with “booter” or “stresser” services, essentially sites that will launch denial-of-service attacks against a target of your choosing.

Apparently in response to this problem, Microsoft has added a new option to its Skype 6.5 Beta, released April 30, that allows users to allow direct connections to your contacts only. The information tab on this option, found under Skype->Options->Connection, says “When you call someone who isn’t a contact, we’ll keep your IP address hidden.”

I pinged Microsoft for an answer as to whether this feature was designed to plug the privacy leak exposed by resolver services. The company declined to say specifically what it may have changed about the Skype network and/or its software to address this problem, but it attributed the following emailed statement to a “Skype spokesperson;”

“Skype for Windows Beta 6.5 and Mac 6.4 now offer the option to prevent people not on your contact list from viewing your IP address. With this beta program, only your contacts will be able to access this information. We are allowing users to test this new security function and welcome any feedback as we continue to improve the communication experiences on Skype.”

I tested this beta version of Skype against a free Skype resolver service that has been reliable in the past at looking up IP addresses tied to specific Skype accounts. When I ran it against my everyday account using and older version of Skype, it successfully found my home IP. When I created a new Skype account with the Skype 6.5 beta on a separate machine, enabled the privacy feature and then tried the lookup again, it failed to locate my IP.

I should note that some Skype resolvers will cache previous lookups. That means if your Skype username has previously been looked up at a Skype resolver service, that service may show the correct IP for your Skype username if your IP address hasn’t changed since the last lookup.

24th May, 2013

linux-lts-quantal vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux-lts-quantal - Linux hardware enablement kernel from Quantal

Details

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

A flaw was discovered in the Linux kernel's ftrace subsystem interface. A
local user could exploit this flaw to cause a denial of service (system
crash). (CVE-2013-3301)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:

linux-image-3.5.0-31-generic 3.5.0-31.52~precise1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2013-1929, CVE-2013-3301

24th May, 2013

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 12.10

Summary

Several security issues were fixed in the kernel.

Software description

• linux - Linux kernel

Details

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

A flaw was discovered in the Linux kernel's ftrace subsystem interface. A
local user could exploit this flaw to cause a denial of service (system
crash). (CVE-2013-3301)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.10:

linux-image-3.5.0-31-generic 3.5.0-31.52

linux-image-3.5.0-31-powerpc-smp 3.5.0-31.52

linux-image-3.5.0-31-highbank 3.5.0-31.52

linux-image-3.5.0-31-powerpc64-smp 3.5.0-31.52

linux-image-3.5.0-31-omap 3.5.0-31.52

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2013-1929, CVE-2013-3301

24th May, 2013

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 12.10

Summary

Several security issues were fixed in the kernel.

Software description

• linux-ti-omap4 - Linux kernel for OMAP4

Details

An flaw was discovered in the Linux kernel's perf_events interface. A local
user could exploit this flaw to escalate privileges on the system.
(CVE-2013-2094)

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

A flaw was discovered in the Linux kernel's ftrace subsystem interface. A
local user could exploit this flaw to cause a denial of service (system
crash). (CVE-2013-3301)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.10:

linux-image-3.5.0-225-omap4 3.5.0-225.36

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2013-1929, CVE-2013-2094, CVE-2013-3301

24th May, 2013

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 13.04

Summary

Several security issues were fixed in the kernel.

Software description

• linux - Linux kernel

Details

An information leak was discovered in the Linux kernel's crypto API. A
local user could exploit this flaw to examine potentially sensitive
information from the kernel's stack memory. (CVE-2013-3076)

An information leak was discovered in the Linux kernel's rcvmsg path for
ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to
examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3222)

An information leak was discovered in the Linux kernel's recvmsg path for
ax25 address family. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3223)

An information leak was discovered in the Linux kernel's recvmsg path for
the bluetooth address family. A local user could exploit this flaw to
examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3224)

An information leak was discovered in the Linux kernel's bluetooth rfcomm
protocol support. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3225)

An information leak was discovered in the Linux kernel's bluetooth SCO
sockets implementation. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3226)

An information leak was discovered in the Linux kernel's CAIF protocol
implementation. A local user could exploit this flaw to examine potentially
sensitive information from the kernel's stack memory. (CVE-2013-3227)

An information leak was discovered in the Linux kernel's IRDA (infrared)
support subsystem. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3228)

An information leak was discovered in the Linux kernel's s390 - z/VM
support. A local user could exploit this flaw to examine potentially
sensitive information from the kernel's stack memory. (CVE-2013-3229)

An information leak was discovered in the Linux kernel's l2tp (Layer Two
Tunneling Protocol) implementation. A local user could exploit this flaw to
examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3230)

An information leak was discovered in the Linux kernel's llc (Logical Link
Layer 2) support. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3231)

An information leak was discovered in the Linux kernel's nfc (near field
communication) support. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3233)

An information leak was discovered in the Linux kernel's Rose X.25 protocol
layer. A local user could exploit this flaw to examine potentially
sensitive information from the kernel's stack memory. (CVE-2013-3234)

An information leak was discovered in the Linux kernel's TIPC (Transparent
Inter Process Communication) protocol implementation. A local user could
exploit this flaw to examine potentially sensitive information from the
kernel's stack memory. (CVE-2013-3235)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 13.04:

linux-image-3.8.0-22-generic 3.8.0-22.33

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2013-3076, CVE-2013-3222, CVE-2013-3223, CVE-2013-3224, CVE-2013-3225, CVE-2013-3226, CVE-2013-3227, CVE-2013-3228, CVE-2013-3229, CVE-2013-3230, CVE-2013-3231, CVE-2013-3233, CVE-2013-3234, CVE-2013-3235

24th May, 2013

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux - Linux kernel

Details

Andy Lutomirski discover an error in the Linux kernel's credential handling
on unix sockets. A local user could exploit this flaw to gain
administrative privileges. (CVE-2013-1979)

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

A flaw was discovered in the Linux kernel's ftrace subsystem interface. A
local user could exploit this flaw to cause a denial of service (system
crash). (CVE-2013-3301)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:

linux-image-3.2.0-44-highbank 3.2.0-44.69

linux-image-3.2.0-44-omap 3.2.0-44.69

linux-image-3.2.0-44-generic-pae 3.2.0-44.69

linux-image-3.2.0-44-powerpc64-smp 3.2.0-44.69

linux-image-3.2.0-44-virtual 3.2.0-44.69

linux-image-3.2.0-44-generic 3.2.0-44.69

linux-image-3.2.0-44-powerpc-smp 3.2.0-44.69

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2013-1929, CVE-2013-1979, CVE-2013-3301