Hello everyone! So I am using a Mac, and while I am not using any applications that require a webcam (like Skype or video chat clients), I see a red dot on my webcam. Does this mean my webcam is on and spying on me? If so, what should I do? If it is spying on me, then it could record my voice. Recently, my Gmail was hacked due to phishing, so maybe this is a consequence of that? If so, how do I deal with this? Thanks in advance for the help.

*Story happens in an imaginary universe, but I'm using current time "relativation".* A vmWare Player type of application (but for free). I consider adding it to Open Source because everybody is saying how great it is and how fast bugs can be fixed. There are a couple of stories to be told: **Side of Manager** I like the fact that everybody can contribute to our project, in order to improve it by using suggestions and a trustworthy community. Therefore I posted it on GitHub. **Side of Hobbyist** Hey, we're a community of 10,000 active programmers. We do our jobs really well. We love this project, so we …

According to a [SecureList posting](https://securelist.com/blog/69462/darwin-nuke/) dated April 10th, researchers Anton Ivanov, Andrey Khudyakov, Maxim Zhuravlev and Andrey Rubin discovered a vulnerability in the Darwin kernel back in December 2014. Why is this of interest? Well, the Darwin kernel is an open source part of both the Apple operating systems. The vulnerability could allow remote attackers to launch a DDoS on a device running OS X 10.10 or iOS 8. More worryingly, it could allow the attackers to send just a single, solitary incorrect network packet in order to crash the target system and impact upon any corporate network it may …

It's that time of year again, and the latest [Secunia Vulnerability Review](http://secunia.com/vr2015/) has been published. This analysed anonymous data gathered from scans right across 2014 of millions of computers which have Secunia Personal Software Inspector (PSI) installed and revealed some interesting statistics. On average, the computers used by the people running PSI had 76 programs installed on them, and these vary from country to country. Secunia focussed its attention on what it calls "a representative portfolio of the 50 most common applications", which comprised 34 Microsoft and 16 non-Microsoft ones. So what did the analysis discover? You might be surprised …

The recently revised Facebook community standards page states that the social network is on a mission "to give people the power to share and make the world more open"; however, it appears that it may have been giving the wrong people the power to share stuff you thought was private. According to security researcher and bug bounty hunter [Laxman Muthiyah](http://www.7xter.com/2015/03/how-i-exposed-your-private-photos.html), Facebook's photo sync feature came with a critical flaw which "allows any malicious Facebook application to read your mobile photos." The vulnerability concerns Facebook's Photo Sync feature for mobile users, which was introduced back in 2012, but because it was …

Spring has been getting rather unseasonably hot for Apache users as far as security flaws go. First there was news of how the FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability could impact Apache. For more on FREAK see this [excellent analysis](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html) by Matthew Green, a cryptographer and research professor at Johns Hopkins University. Green points out that "Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server. What this means is that you can obtain that RSA key once, factor it, and …

Chinese computer manufacturer [Lenovo has admitted](http://support.lenovo.com/us/en/product_security/superfish) that it installed an adware component called Superfish on 16 million PCs shipped between September 2014 and February 2015 in order to "help customers potentially discover interesting products while shopping", according to an official statement made by the company. Although there is some argument to be had as to the validity of the 'helping customers' idea regarding software which injects third-party adverts into Google searches and websites without the explicit permission or knowledge of the user, where there is no debate to be had at all is in the bloody great security hole …

A 22-year-old vulnerability, yes you read that right, has been discovered which some security experts suggest could be bigger than Heartbleed. The bug, reported as '[CVE-2014-6271: remote code execution through bash](http://seclists.org/oss-sec/2014/q3/649)', relates to how environment variables are processed: trailing code after a function definition in an environment variable is executed, independently of the variable name. This can be exploited remotely with code injected into environment variables across the network. The GNU Bourne Again Shell (Bash) command interpreter is widely used, to put it mildly, and as such this is being treated as a critical security risk to Unix and Linux systems. Which means it …

So it seems that an Internet Explorer zero-day vulnerability allowed the back door to be opened that resulted in the [URL="http://www.daniweb.com/news/story252590.html"]hack attack on Google[/URL] and many others that has received such publicity this week. According to [URL="http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/"]McAfee[/URL], it has identified an Internet Explorer vulnerability as being one of the attack vectors, but the security vendor also warns that targeted attacks such as this often use "a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios", so it is possible, likely even, that other as yet unidentified attack vectors were also involved. However, McAfee dismisses some early reports which …

A Drupal security advisory, [SA-CORE-2014-005](https://www.drupal.org/SA-CORE-2014-005), rather embarrassingly states that: > Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. I think that's a whoops, with an uppercase W. The highly critical SQL injection vulnerability is to be found in versions of Drupal …

Hardly a week goes by without yet another press release hitting the desk of your technology journalist, or research flag being raised amongst the IT security profession, that claims Android is insecure. What Android actually is, just like Windows on the desktop in fact, is a big and attractive target, which in turn makes it the focus of attention for those looking to exploit mobile device vulnerabilities. The bad guys will pour their resources, in terms of both time and money, into discovering and exploiting those vulnerabilities which present them with the best profit-making potential. That, dear reader, …

FireEye security researchers are warning that they have [detected a new zero-day vulnerability](http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html) that is being used successfully in the wild against browser clients with both Java 6u41 and Java 7u15 installed. Given that the Java 7 update was only released a couple of weeks ago, this is yet more bad news for Oracle and for users of the Java browser plug-in. Bad news, but not exactly surprising, as security researchers have been finding flaws in the update since it was made available. The difference here is that this isn't just a lab-based, theoretical vulnerability: this is, it would appear, …

Reports are coming in thick and fast about 'state-sponsored' zero-day exploits hitting business websites in the UK. The latest, disclosed yesterday by [SophosLabs](http://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/), involves an as yet unnamed European aeronautical parts supplier and follows on from another the day before involving a European medical company site. In both cases the same unpatched vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0, which can allow remote code execution, as detailed in [Microsoft Security Advisory 2719615](http://technet.microsoft.com/en-us/security/advisory/2719615), appears to have been successfully exploited. ![dweb-fixit01](/attachments/small/0/dweb-fixit01.jpg "align-right") The vulnerability impacts users of all currently supported versions of Windows, including Windows 7, as well …

Hi, a question about stand-alone Java applications that do not have a background DB. In our Uni class we were asked to build a very small application using JOptionPane methods such as "showInputDialog". The application asks for the user's name and birthdate and at the end displays a summary of these to the user. The values entered by the user are fed to a variable of type String. After building this tiny app I am wondering if there is a way to feed it any characters that would cause it to crash. It does not seem to react to much of …

Guys, I just read about a vulnerability in the calculator of Windows. The vulnerability is like this: *) open Calculator *) type 4 and then take its square *) then minus two from the result. Shocked... the answer should be 0 but it shows a different answer. Please help me on this.

Just because security holes and vulnerabilities get reported to software vendors doesn't mean they are actually patched. A new report from IBM's X-Force security team found that of all the software holes reported in the first half of this year, more than half are still unpatched. IBM's X-Force report is published twice per year and provides an in-depth look at software security from across the spectrum of developers. So far this year, the bug catchers are doing better than the bug squashers. More bugs are being reported, but more are going unpatched. In the first six months of 2010, 4,396 …

Most people seem to think that Microsoft is the most insecure vendor while Apple reigns supreme at the top of the good security league. However, a new security report would appear to turn that assumption on its head, claiming that when it comes to the vendor with the most vulnerabilities, Apple has consistently ranked higher than Microsoft and, indeed, now ranks number one in that particular bad guy top ten. As the new [URL="http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf"]Secunia Half Year Security Report 2010[/URL] is released, will Monday 12th July be remembered as the day Apple became the bad guy? The report reveals the evolution …

With the annual Pwn2Own hacking event due to kick off tomorrow, Mozilla has confirmed that Firefox 3.6 has an unpatched critical vulnerability. The fact that Pwn2Own competitors will not be able to exploit this vulnerability to claim the Firefox hacking prize will be of no interest to the millions of ordinary users who think they remain exposed and vulnerable until a patch arrives at the end of the month. But they could get protected right now if they wanted, and without changing browser clients as suggested by the German government. The vulnerability has already been patched by Mozilla developers, according …

According to figures revealed with the publication of the [URL="http://www.ibm.com/security/xforce"]IBM X-Force 2009 Trend and Risk Report[/URL], not only do web application vulnerabilities remain the largest category of security disclosure for the last year but, worryingly when you consider that the number of such vulnerabilities found by organisations has not decreased or become less of a threat, some 67 percent of them had no patch available by the end of 2009. With 49 percent of all vulnerabilities being related to web applications in some regard, and with cross-site scripting disclosures surpassing SQL injection to take the top spot, this is worrying news …

Last month, a [URL="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"]vulnerability in SSL and TLS[/URL] was announced. Almost immediately thereafter, it was [URL="http://www.securityfocus.com/news/11564"]successfully exploited to obtain Twitter account passwords[/URL]. The vulnerability affects most existing implementations of SSL 3.x and TLS 1.x, not only in https web servers and browsers but also in other servers that use SSL, such as IMAPS, SMTPS, NNTPS (snews), and others. The vulnerability lies in a seldom-used feature of SSL known as renegotiation. Most servers have no real need for renegotiation, and for them the simplest solution is: [LIST] [*]disable it altogether -- if they can. [/LIST] But some SSL implementations have no way …

Still using Adobe Acrobat or Adobe Reader? Maybe it is time to switch to something that's not glowing red on the bad guy radar, or which is more securely coded, depending upon how you look at these things. Yes, Adobe has admitted that there is yet another possible zero-day vulnerability in Adobe Acrobat and Reader, oh deep joy. David Lenoe of Adobe [URL="http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html"]confirms[/URL] "...Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild", adding that the company is "currently investigating this issue and assessing the risk to our customers" and …

Microsoft on Tuesday is set to release six security updates, three of which it has deemed critical and apply only to versions of Windows other than Windows 7. Microsoft released advance notice of its [url=http://www.microsoft.com/technet/security/Bulletin/MS09-nov.mspx]Security Bulletin for November[/url], on Nov. 5. The bulletin itself will be released on Tuesday along with remedies, as per its normal patch cycle. Other alerts are labeled "important," one of which involves a denial of service vulnerability for Windows; the other two affect Excel. Redmond will reportedly release updates for Windows XP, 2003 and 2007 and Office 2004 and 2008 for Mac OS X. Save …

The bad guys of the IT business are always looking for the most effective ways to infect the innocent Internet user, and increasingly that means turning to commonly used web browser plug-ins such as Flash or PDF readers. A couple of years ago we were [URL="http://www.daniweb.com/blogs/entry1537.html"]reporting critical vulnerabilities[/URL] for all Adobe Flash platforms, and towards the end of last year there were [URL="http://www.itwire.com/content/view/21493/53/"]reports[/URL] of a critical vulnerability in Adobe Reader. Cue Jaws soundtrack: just when you thought it was safe to go back in the Adobe PDF water. According to an [URL="http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html"]official Adobe security warning[/URL] "All currently supported shipping versions …

A group of over 30 organizations, including the Department of Homeland Security, Microsoft, and Symantec, collaborated recently on a security project designed to identify the [URL="http://www.sans.org/top25errors//?cat=top25"]top 25 coding errors[/URL] programmers make when building Web sites. Since many of the mistakes can leave sites vulnerable to cyber crime, it's a good idea to peruse the list and make sure you don't have any security gaps in your systems. In fact, just two of the 25 errors account for more than 1.5 million security breaches last year. Some of the errors the group identified include: Improper Resource Shutdown or Release (CWE-404), …

Isn't anything safe from hackers? Now they've apparently found a way to hack into systems through a media stream, threatening users with denial of service attacks that can bring down servers and desktops alike. The vulnerability was reported yesterday by VoIPshield Laboratories, a security tools maker in Canada. The flaws were found in Microsoft Office Communications Server 2007, Office Communicator and Windows Live Messenger, which Microsoft said could impact as many as 250 million people. The flaws also affect [url=http://www.voipshield.com/research.php]many other applications[/url] and systems that use the [url=http://en.wikipedia.org/wiki/Real-time_Transport_Protocol]Real-time Transport Protocol[/url] (RTP), including those from Avaya, Cisco and Nortel, according to …

Microsoft yesterday released a [url=http://support.microsoft.com/kb/954593]security update[/url] intended to fix eight critical vulnerabilities in as many as 42 Windows apps and components, including IE6, Media Player, Office, SQL Server and Visual Studio. The patch was made available before the flaws could be discovered and exploited by malicious hackers, or at least before any such exploitation was reported. The flaws were all found within GDI+, Microsoft's Graphics Device Interface subsystem. The vulnerability could allow remote code execution "if a user [views] a specially crafted image file using affected software or [browses] a Web site that contains specially crafted content," according to [url=http://www.microsoft.com/technet/security/Bulletin/MS08-052.mspx]Security Bulletin MS08-052[/url], issued …

The Advanced Research Team of security tools vendor Ounce Labs has identified two vulnerabilities in the Spring framework for Java. The vulnerabilities have the potential, the team says, to allow an attacker to “subvert the expected application logic and behavior,” and gain control of an application and access any personal data, credentials or keys held therein. The vulnerabilities, called “ModelView Injection” and “Data Submission to Non-Editable Fields,” are unlike common flaws such as cross site scripting and SQL injection attacks. “These newly discovered class[es] of vulnerabilities are not security flaws in the framework, but are actually design issues that if …

Heads up users of Yahoo Mail. A cross-site scripting vulnerability has been discovered that could allow hackers to steal a user’s session IDs and ultimately private information, according to [URL=http://blog.cenzic.com/public/item/207752]a report[/URL] yesterday from security risk assessment firm Cenzic. In an excerpt from the Cenzic blog post, the company reports: “If the attacker is using the Yahoo! Messenger desktop application 8.1.0.209 to chat with the victim, and the victim is using the Messenger support in the new Yahoo! Mail Web application, it will cause a new chat tab to open in the victim’s browser. While chatting, the attacker can change their …

[URL="http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"]Multiple arbitrary code execution vulnerabilities in Ruby[/URL] have been revealed by the [URL="http://www.apple.com/support/security/"]Apple Product Security[/URL] team which could lead to Denial of Service attacks. A total of five vulnerabilities have been reported, with the versions impacted being: [INDENT]1.8.4 and all prior versions; 1.8.5-p230 and all prior versions; 1.8.6-p229 and all prior versions; 1.8.7-p21 and all prior versions; 1.9.0-1 and all prior versions[/INDENT] Upgrading to 1.8.5-p231, 1.8.6-p230, 1.8.7-p22 or 1.9.0-2 is recommended. This is, of course, of particular interest to Apple as its Mac OS X Leopard comes complete with a Ruby on Rails web development framework. For an in-depth examination …