A Week in the News: Heartbleed Lingers as Apple Fixes its own Crypto

First ever SMS Android Trojan in U.S., update on OpenSSL Heartbleed, Apple fixes SSL vulnerability in iOS and OSX, AOL Hacked, and Iowa State Bitcoin Mining.

In the news this week, we’re still talking about OpenSSL and the now-infamous Heartbleed bug; Apple resolves an encryption problem of its own in both its mobile iOS and standard OSX operating systems; AOL and its customers suffer a serious security incident; and Iowa State gets hacked by attackers seeking to exploit the university’s computing resources to mine Bitcoins.


The Saga Continues

There was – as always – much more discussion on the breadth and severity of the OpenSSL Heartbleed bug. Much of that talk revolved around the long-term prospects for the digital certificate system that essentially constitutes trust on the Internet, as well as the efficacy and pitfalls of encryption.

However, this week differed, at least slightly, from those that came before it: it seems to be the first time that companies really started looking for ways to prevent bugs like this from emerging again.

A new collaborative, known as the Core Infrastructure Initiative, is pooling its resources in order to build a multimillion-dollar fund dedicated to supporting open source projects vital to the Web’s security. OpenSSL is the first project under consideration to receive funds, which are being supplied primarily by the Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google, and several other prominent tech companies. The Mozilla Corporation, too, is reacting, with a new special bug bounty program offering $10,000 to any researcher who can find a serious security vulnerability in the new certificate verification library it intends to add to Firefox browser version 31 some time this summer.

Apple Fixes SSL in iOS, OSX

On a similar but ultimately unrelated note, Apple has issued fixes for a serious security flaw that was present in many versions of both iOS and OSX. The vulnerability could give an attacker the ability to intercept data from supposedly encrypted SSL connections. In other words, the bug could allow an attacker to read the contents of messages – whether they’re communications or other sensitive information.

The bug is one of many that the Cupertino, California computer company fixed on Tuesday in its two primary operating systems. While perhaps not as serious, these crypto flaws are among several others of consequence. So, if you’re working (or playing) with any Mac product, you should mosey on over to the App Store and install the Apple operating system updates as soon as possible.

Typically Quiet AOL Makes a Splash

Not sure what AOL’s share of the email provider market is these days (and believe me, I looked), but an unknown number of AOL Mail user accounts got “spoofed” this week. Once compromised, the attacker or attackers or botnet responsible started spewing spam to the contacts of the compromised accounts. AOL has confirmed that it is aware of the hack, though AOL isn’t calling it a hack. It is not clear how many user accounts were affected, nor is it clear just how much spam went out. Oddly enough, AOL is claiming it is unlikely that the email accounts were compromised, saying it is far more likely that the accounts were spoofed.

As AOL noted, spoofing attacks are basically spam emails that appear to come from the victim but are technically coming from the spammers’ email account and are sent via the spammers’ server. In other words, AOL says that no accounts have been hacked on a large scale, but rather that the attackers are merely mimicking the accounts of their victims. This explanation clearly fails to explain how the attackers got their hands on the contact lists of their victims, which means there may be more on this moving forward.

SMS Trojans in the USA

Premium rate SMS Trojans are not new. The scam goes something like this: attackers compel their victims to download a Trojan on their mobile device. That Trojan obtains the ability to send SMS (text) messages on the infected device. The Trojan then sends SMS messages to a premium-rate service, which is either controlled by the attacker or controlled by someone paying the attacker. The rates for these messages are then billed to the owners of infected devices.

As I said, these things have been around. Strangely though, for reasons that remain a mystery, the SMS Trojan has never really made it to the United States. That changed earlier this week, when our friends at Securelist found an Android Trojan doing just that.

As if its status as the premier SMS Trojan targeting Android users in the U.S. wasn’t enough, FakeInst – as it’s known – is also targeting Android users in an additional 65 countries. In fact, FakeInst is known to have targeted users in Germany, France, Finland, Hong Kong, Ukraine, the U.K., Switzerland, Argentina, Spain, Poland, Canada, China, and many more nations.

Iowa State Hacked for… Bitcoins!?

That’s right. A prominent state university in the United States was hacked, and its computing power was used to generate Bitcoins. Bitcoin is a digital crypto-currency that has had its ups and downs over the last year or so. If you have enough computer power, you can use that power to solve algorithmic problems and generate new Bitcoins. That process is known as Bitcoin mining, and there is a lot of money to be made in it. As with all cybercrime, the criminals follow the money. Malicious Bitcoin mining is by no means new, but this incident is certainly novel in that it is targeting the computing power of a well-known institution of higher learning. That’s not all, though; the compromise also appears to have exposed the Social Security Numbers of as many as 30,000 Iowa State alumni.