Infosec in brief The latest round of Apple's Security Research Device (SRD) programme is open, giving security researchers a chance to get their hands on an unlocked device – and Apple's blessing to attack it and test its security capabilities.
"iPhone is the world's most secure consumer mobile device, which can make it challenging for even skilled security researchers to get started," Apple oh-so-humbly states in its description of the programme on the application page.
To make it easier for researchers to stress test Apple's iOS security features, chosen applicants will be handed "a specially-built hardware variant of iPhone 14 Pro that's designed exclusively for security research," Apple explained in a blog post.
These SRD devices, Apple said, include options to configure or disable iOS security settings that can't be changed on production devices. In addition, researchers can install and boot custom kernel caches, run arbitrary code with any level of entitlement they want, set NVRAM variables and even install and boot custom firmware for new iOS 17 security features.
That said, Apple doesn't want researchers toting the vulnerable-by-design devices around with them, and states on the application page that the device "must remain on the premises of programme participants at all times." Access to the device must be restricted to approved participants as well – so no showing it off.
Apple said it approves applicants "based on a track record in security research, including on platforms other than iPhone," and it'll accept applications from institutions too.
Any flaws found in iOS security software as part of the SRD programme must be reported to Apple and are eligible for a bug bounty; Apple upped its maximum bounty to $500,000 last year, with bonuses available depending on the severity of the issue.
"Since we launched the programme in 2019, SRD programme researchers have discovered 130 high-impact, security-critical vulnerabilities," Apple said, which have resulted in "over 100 reports from our SRDP researchers, with multiple awards reaching $500,000 and a median award of about $18,000."
Applications for the SRD programme are due by October 31. Chosen participants will be notified in early 2024.
Critical vulnerabilities: VMware's bad week
We kick off this week's list of critical vulnerabilities with some serious (CVSS 9.8) issues discovered in VMware's Aria network monitoring tool. If exploited, they can give an attacker access to Aria Operations for Networks' command line interface. The root cause is an authentication bypass vulnerability "due to a lack of unique cryptographic key generation," VMware said.
VMware released a second security update this week. While not as serious – rating just a 7.5 on the 10-point CVSS scale – it's still an issue for those using VMware Tools, which contain a SAML token signature bypass vulnerability.
Juniper also merits a special mention this week, as a series of vulnerabilities affecting "all versions of Junos OS on SRX and EX series" firewalls and switches was reported that collectively earn a CVSS score of 9.8. By chaining the vulnerabilities together, an unauthenticated attacker "may be able to remotely execute code on the devices," Juniper said.
- Mozilla released security updates for several products to address vulnerabilities that would allow an attacker "to take control of an affected system."
- CVSS 8.8 – CVE-2023-4296: PTC's Codebeamer application lifecycle management platform is susceptible to cross-site scripting attacks if users click on malicious links, allowing attackers to inject arbitrary code into web browsers on target devices.
As always, get patching, and thank your stars that it appears to be quiet going into a long weekend for US IT professionals.
Hackers purge Brazilian spyware firm's device database
No one likes "legitimate" spyware – a.k.a. stalkerware – including a group of hackers who reported this week that they'd broken into systems owned by stalkerware firm WebDetetive and wiped its database of victim devices.
The unknown cyber vigilantes explained they exploited vulnerabilities in WebDetetive's systems to siphon around 77,000 device records from its databases, though they claim they didn't steal the contents of victim devices.
WebDetetive bills itself as "the #1 Spy App in Brazil," and describes its software as a way to "see the truth" and "find out what the person is doing on their phone and they won't even know they are being monitored."
Unfortunately, it doesn't look like WebDetetive put the same thought into protecting its own systems. The hackers claim they severed connections between devices on the network at the server level – effectively killing the platform's functionality and preventing any further data from being uploaded from victim devices.
Why did the unidentified hackers do it? "Because we could. Because #fuckstalkerware," they said in a statement included with a 1.5GB data dump from the platform.
Fast fashion pwn: Forever 21 employee data stolen in breach
Despite learning in March of a data breach that compromised personally identifiable information on more than half a million employees, fast fashion chain Forever 21 is only just now notifying them about it.
According to a breach notification letter [PDF] set to go out to 539,207 employees, some juicy details were exposed: names, social security numbers, birthdates, bank account numbers, and health plan information were all stolen.
Forever 21 stated that the breach began in January, and that attackers accessed its systems "at various times" between then and March 21, when the retailer identified the incident and presumably plugged the leak.
It's not clear from the breach notification letter what happened, but we can speculate.
"We have no evidence to suggest your information has been misused for purposes of fraud or identity theft as a result of this incident – and no reason to believe that it will be," the fashion flogger said.
That sounds suspiciously like the kind of response one would expect when a ransom was paid, which Forever 21 hasn't admitted was the case. ®