Today’s strange but true security news includes security companies warning customers to stop using their security products and cops handing out flyers about iOS security upgrades.
RSA, known for security, is warning its customers to stop using the default random-number generator in RSA's BSAFE cryptographic toolkit and Data Protection Manager. The company sent an email advisory warning, “To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG.” On its blog, the company suggests users “choose one of the different cryptographic Pseudo-Random Number Generators (PRNG) built into the RSA BSAFE toolkit.”
All versions of RSA Data Protection Manager server and clients are affected, as well as all versions of the RSA BSAFE toolkits (Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C). That’s because those products contain Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator), a handy dandy backdoor for the NSA.
With all the surveillance revelations about the NSA, including secret backdoors in all sorts of products – supposedly even Linux – some people are more suspicious than ever. So when cops started handing out mobile phone security flyers, asking Apple users to upgrade to iOS 7, it was met with mixed reviews.
New York cops have been handing out flyers asking Apple users to update to iOS 7. It’s part of a NYPD public awareness and crime prevention campaign, since thieves apparently love to steal iDevices. iOS 7 has Activation Lock that is supposed to make it harder to turn off “Find My iPhone” by requiring the user’s Apple ID and password. New York Attorney General Eric Schneiderman and San Francisco’s District Attorney George Gascón issued a joint statement praising Activation Lock and encouraging iDevice users to download iOS 7. As of publishing time, over 57% of Apple devices are running iOS 7.
Although there is a lockscreen vulnerability in iOS 7, Apple “takes security very seriously” and plans to deploy software to fix the flaw sometime in the future. That OS vulnerability should not be confused with the Chaos Computer Club’s (CCC) biometric hack that bypasses Apple’s Touch ID.
When announcing Touch ID, Apple stated, “Your fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike.” Conversely, CCC announced, “A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.”
Frank Rieger, spokesperson of the CCC, added:
We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.
The site Is Touch ID Hacked Yet (istouchidhackedyet) has not yet “declared an official winner, with complete video proof,” but states, “The Chaos Computer Club in Germany may have done it! Awaiting video showing them lifting a print (like from a beer mug) and using it to unlock the phone.” The winner gets a wide assortment of prizes, ranging from cash and bitcoins to wine, whiskey and “a dirty sex book.”
Meanwhile, although VMware made vSphere 5.5 available for download, the company then warned customers not to install it. The warning was considered critical because installing vSphere Replication 5.5 before vCenter 5.5 was released could “actually break your replication and is irreversible. It will require you to re-install VR 5.1 and redo your replications from scratch.” VR 5.1 customers were advised to turn off auto-updates. Since that warning last week, VMware has released vCenter 5.5, but warned customers to make sure to upgrade vCenter first before upgrading to vSphere Replication 5.5.