{"id":3270,"date":"2014-04-25T10:00:53","date_gmt":"2014-04-25T14:00:53","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=3270"},"modified":"2020-02-26T18:58:29","modified_gmt":"2020-02-26T14:58:29","slug":"heartbleed-lingers-as-apple-fixes-its-own-crypto","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/3270\/","title":{"rendered":"A Week in the News: Heartbleed Lingers as Apple Fixes its own Crypto"},"content":{"rendered":"<p>In the news this week, we\u2019re still talking about OpenSSL and the now-infamous Heartbleed bug; Apple resolves an encryption problem of its own in both its mobile iOS and standard OSX operating systems; AOL and its customers suffer a serious security incident; and Iowa State gets hacked by attackers seeking to exploit the university\u2019s computing resources to mine Bitcoins.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/04\/05111221\/week2-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4629\" alt=\"week\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/04\/05111221\/week2-1.jpg\" width=\"640\" height=\"480\"><\/a><\/p>\n<p><b>The Saga Continues<\/b><\/p>\n<p>There was \u2013 as always \u2013 much more discussion on the breadth and severity of the OpenSSL Heartbleed bug. 
Much of that talk revolved around the long-term prospects for <a href=\"https:\/\/threatpost.com\/openssl-heartbleed-and-the-value-of-crls\/105572\" target=\"_blank\" rel=\"noopener nofollow\">the digital certificate system<\/a> that essentially <a href=\"https:\/\/www.kaspersky.com\/blog\/digital-certificates-httpss\/\" target=\"_blank\" rel=\"noopener nofollow\">constitutes trust on the Internet<\/a>, as well as <a href=\"https:\/\/threatpost.com\/openssl-heartbleed-highlights-crypto-pitfalls\/105628\" target=\"_blank\" rel=\"noopener nofollow\">the efficacy and pitfalls of encryption<\/a>.<\/p>\n<p>However, this week differed, at least slightly, from those that came before it: it seems to be the first time that companies really started looking for ways to prevent bugs like this from ever emerging again.<\/p>\n<div class=\"pullquote\">First ever SMS Android Trojan in U.S., update on OpenSSL Heartbleed, Apple fixes SSL vulnerability in iOS and OSX, AOL Hacked, and Iowa State Bitcoin Mining.<\/div>\n<p>A new collaborative, known as <a href=\"https:\/\/threatpost.com\/group-backed-by-google-microsoft-to-help-fund-openssl-and-other-open-source-projects\/105672\" target=\"_blank\" rel=\"noopener nofollow\">the Core Infrastructure Initiative<\/a>, is pooling its resources in order to build a multimillion-dollar fund dedicated to supporting open source projects vital to the Web\u2019s security. OpenSSL is the first project under consideration to receive funds, which are being supplied primarily by the Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google, and several other prominent tech companies. 
The Mozilla Corporation, too, is reacting, with a new <a href=\"https:\/\/threatpost.com\/mozilla-offers-bug-bounty-for-new-certificate-verification-library\/105675\" target=\"_blank\" rel=\"noopener nofollow\">special bug bounty program<\/a> offering $10,000 to any researcher who can find a serious security vulnerability in the new certificate verification library it intends to add to Firefox browser version 31 sometime this summer.<\/p>\n<p><b>Apple Fixes SSL in iOS, OSX<\/b><\/p>\n<p>On a similar but ultimately unrelated note, <a href=\"https:\/\/threatpost.com\/apple-fixes-serious-ssl-issue-in-osx-and-ios\/105631\" target=\"_blank\" rel=\"noopener nofollow\">Apple has issued fixes for a serious security flaw<\/a> that was present in many versions of both iOS and OSX. The vulnerability could give an attacker the ability to intercept data from supposedly encrypted SSL connections. In other words, the bug could allow an attacker to read the contents of messages \u2013 whether they\u2019re communications or other sensitive information.<\/p>\n<p>The bug is one of many that the Cupertino, California computer company fixed on Tuesday in its two primary operating systems. The other flaws are perhaps not as serious as the SSL bug, but several of them are still of consequence. So, if you\u2019re working (or playing) with any Mac product, you should mosey on over to the App Store and install the Apple operating system updates as soon as possible.<\/p>\n<p><b>Typically Quiet AOL Makes a Splash<\/b><\/p>\n<p>Not sure what AOL\u2019s share of the email provider market is these days (and believe me, I looked), but an unknown number of <a href=\"https:\/\/threatpost.com\/aol-email-hacked-by-spoofers-to-send-spam\/105629\" target=\"_blank\" rel=\"noopener nofollow\">AOL Mail user accounts got \u201cspoofed\u201d this week<\/a>. 
Once the accounts were compromised, the attacker, attackers or botnet responsible started spewing spam at the contacts of those accounts. AOL has confirmed that it is aware of the incident \u2013 though AOL isn\u2019t calling it a hack \u2013 but it is not clear how many user accounts were affected, nor is it clear just how much spam went out. Oddly enough, AOL is claiming it is unlikely that the email accounts were compromised, saying it is far more likely that the accounts were spoofed.<\/p>\n<p>As AOL noted, spoofing attacks are basically spam emails that appear to come from the victim but are technically coming from the spammers\u2019 email account and are sent via the spammers\u2019 server. In other words, AOL says that no accounts have been hacked on a large scale, but rather that the attackers are merely mimicking the accounts of their victims. This explanation does not account for how the attackers got their hands on the contact lists of their victims, which means there may be more on this moving forward.<\/p>\n<p><b>SMS Trojans in the USA<\/b><\/p>\n<p>Premium-rate SMS Trojans are not new. The scam goes something like this: attackers lure their victims into downloading a Trojan onto their mobile device. That Trojan obtains the ability to send SMS (text) messages on the infected device. The Trojan then sends SMS messages to a premium-rate service, which is controlled either by the attacker or by someone paying the attacker. The charges for these messages are then billed to the owners of the infected devices.<\/p>\n<p>As I said, these things have been around. Strangely, though, for reasons that remain a mystery, the SMS Trojan had never really made it to the United States. 
That changed earlier this week, when our friends at <a href=\"https:\/\/www.securelist.com\/en\/blog\/8209\/An_SMS_Trojan_with_global_ambitions\" target=\"_blank\" rel=\"noopener nofollow\">Securelist<\/a> found an Android Trojan doing just that.<\/p>\n<p>As if its status as <a href=\"https:\/\/www.kaspersky.com\/blog\/fakeinst-targets-us-users\/\" target=\"_blank\" rel=\"noopener nofollow\">the premier SMS Trojan targeting Android users in the U.S.<\/a> wasn\u2019t enough, FakeInst \u2013 as it\u2019s known \u2013 is also targeting Android users in an additional 65 countries. In fact, FakeInst is known to have targeted users in Germany, France, Finland, Hong Kong, Ukraine, the U.K., Switzerland, Argentina, Spain, Poland, Canada, China, and many more nations.<\/p>\n<p><b>Iowa State Hacked for\u2026 Bitcoins!?<\/b><\/p>\n<p>That\u2019s right. A prominent state university in the United States was hacked, and its computing power was used to generate Bitcoins. <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-all-this-business-about-bitcoin\/\" target=\"_blank\" rel=\"noopener nofollow\">Bitcoins are a digital crypto-currency<\/a> that have had their ups and downs over the last year or so. If you have enough computing power, you can use that power to solve algorithmic problems and generate new Bitcoins. That process is known as Bitcoin mining, and there is a lot of money to be made in it. As with all cybercrime, the criminals follow the money. Malicious Bitcoin mining is by no means new, but this incident is certainly novel in that it targeted the computing power of a well-known institution of higher learning. 
That\u2019s not all, though; the compromise also appears to have exposed <a href=\"https:\/\/threatpost.com\/iowa-state-hacked-to-mine-bitcoins\/105650\" target=\"_blank\" rel=\"noopener nofollow\">the Social Security Numbers of as many as 30,000 Iowa State alumni<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>First ever SMS Android Trojan in U.S., update on OpenSSL Heartbleed, Apple fixes SSL vulnerability in iOS and OSX, AOL Hacked, and Iowa State Bitcoin Mining.<\/p>\n","protected":false},"author":42,"featured_media":3271,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[374,558,1061,543],"class_list":{"0":"post-3270","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-bitcoin","9":"tag-heartbleed","10":"tag-ios","11":"tag-news-2"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/3270\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/3385\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/3692\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/3767\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/3851\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/4628\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/3458\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/3851\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/heartbleed-lingers
-as-apple-fixes-its-own-crypto\/4628\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/heartbleed-lingers-as-apple-fixes-its-own-crypto\/4628\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/bitcoin\/","name":"bitcoin"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3270"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3270\/revisions"}],"predecessor-version":[{"id":15767,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3270\/revisions\/15767"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/3271"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}