2023-09-04

Apple has opened its Security Research Device (SRD) program, offering security researchers the opportunity to get their hands on an unlocked iPhone 14 Pro for testing and attacking its security capabilities. The SRD devices provided to chosen applicants are specially built hardware variants that allow researchers to configure or disable iOS security settings that cannot be changed on retail devices. They can also install custom kernel caches, run arbitrary code with any level of entitlement, and even install custom firmware for new iOS 17 security features. However, Apple requires that the SRD devices remain on the premises of program participants, and access is restricted to approved individuals.

Apple approves applicants based on their track record in security research and accepts applications from institutions as well. Bug bounty rewards are provided for any flaws discovered in iOS security software, with a maximum bounty of $500,000. Since the launch of the SRD program in 2019, researchers have discovered 130 high-impact vulnerabilities, resulting in over 100 bug reports and multiple awards reaching $500,000.

Sources: Apple, Infosecurity Magazine

Critical Vulnerabilities Found in VMware, Juniper, and PTC Products

VMware has disclosed two security vulnerabilities in its products. The first, with a CVSS score of 9.8, was found in the Aria network monitoring tool and could allow an attacker to access the tool’s command line interface. The second vulnerability, rated 7.5 on the CVSS scale, affects VMware Tools and enables a SAML token signature bypass. Juniper has also reported vulnerabilities in all versions of Junos OS on SRX and EX series devices, allowing an unauthenticated attacker to remotely execute code. Meanwhile, Mozilla has released security updates for its products in response to vulnerabilities that could enable attackers to take control of affected systems. PTC’s Codebeamer application lifecycle management platform has also been found to be vulnerable to cross-site scripting attacks, allowing attackers to inject arbitrary code into web browsers.

Sources: VMware, Juniper, Mozilla, PTC, Infosecurity Magazine

Hackers Delete Device Database of Brazilian Spyware Firm WebDetetive

A group of hackers has reported breaking into the systems of Brazilian stalkerware firm WebDetetive and wiping its database of victim devices. The hackers claim to have exploited vulnerabilities in WebDetetive’s systems to extract nearly 77,000 device records without stealing the contents of the devices themselves. WebDetetive refers to itself as the “#1 Spy App in Brazil” and offers software that allows users to monitor individuals without their knowledge. The hackers severed connections between devices on the network at the server level, rendering the platform nonfunctional and preventing further data uploads. The hackers stated that they targeted WebDetetive because of their opposition to stalkerware.

Sources: Infosecurity Magazine

Forever 21 Notifies Employees of Data Breach

Fast fashion retailer Forever 21 has finally notified over half a million employees of a security breach that occurred earlier this year. The breach, which began in January and lasted until March, exposed personally identifiable information including names, social security numbers, birthdates, bank account numbers, and health plan data. Forever 21 stated that there is no evidence to suggest that the stolen information has been misused for fraud or identity theft. However, the delay in notifying affected employees raises questions about the retailer’s response to the breach.

Sources: Infosecurity Magazine

