How to Fix Windows 10 Slow Performance Issue and Increase Overall System Speed

Short Bytes: Many Windows users are facing Windows 10 slow performance issue in Windows 10. This appears in the form of input lags and could be fixed by tweaking some Page File settings in Windows 10. So, how to fix this slow performance issue in Windows 10 to boost system speed? Here is the answer.

After the official launch of Windows 10, millions of PC users upgraded their PCs to Windows 10 by availing the free upgrade offer from Microsoft. If you haven’t got the upgrade, here’s a simple way to get Windows 10 upgrade right now. However, several desktop users have reported Windows 10 slow performance issue on Microsoft forums and Reddit after upgrading their systems.

There are some definite issues with the Windows 10 OS as the number of people facing slow performance issue in Windows 10 is very large. This sluggish performance usually appears in the form of input lags. For example: After clicking the Start Menu, it takes about 2-3 seconds to appear or taking the same time to refresh your desktop, Complaining this Windows 10 slow performance issue, many users have downgraded to the previous versions of Windows OS.

According to a user at the Microsoft Community forums, Windows 10 slow performance issue could be fixed by tweaking the Page File settings in Windows 10 that affects and improves the overall system performance. If you’re facing the slow performance issue in Windows 10, you can try to speed up the OS by changing the default settings for Page File control.

How to Fix Windows 10 Slow Performance Issue and Boost your System Speed?

If you are irritated with slow performance issue in Windows 10, we advise you to follow this small guide to speed up your Windows 10 OS on you computer. You need to change the default settings for the Page File control in Windows 10 from System Managed to manual format. Here you can change the page file memory’s file and maximum size- based upon the RAM on your PC.

How to fix Windows 10 Slow performance:

•  Open Start Menu and find the Control Panel. Click on it.
• Here in the Control Panel, go to the Search field at the top-right of the window and type Performance. Now hit Enter.
• Now find Adjust the appearance and performance of Windows.
• Go to the Advanced tab and click on Change in the Virtual Memory section.

• Now untick the option “Automatically manage paging file size for all drives.”
• Select the default C: drive where Windows 10 is installed and then choose Custom Size. Then change Initial Size and Maximum Size to the recommended values by Windows (given below).

• Now click Set and then hit OK to save the settings.
• Reboot the computer for the changes to take effect and fix the slow performance issue in Windows 10.

After your PC boots up, you should experience better Windows 10 performance. If you found this way to boost your Windows 10 system speed helpful – or you know any other method – feel free to mention it in the comments below.

Teardrop Attack: What Is It And How Does It Work?

Teardrop attack is a type of Denial of Service (DoS) attack which exploits the fragment offset field in the IP header to produce buggy fragments which are then delivered to the target machine. Unable to rearrange the fragments, the victim keeps on accumulating the fragments until it crashes.

As the name suggests, the Teardrop Attack works gradually by sending the fragmented packets to a target machine. It’s a type of a denial-of-service (DoS) attack which overwhelms the target machine with the incomplete data so that the victim crashes down.

In Teardrop Attack, fragmented packets that are sent in the to the target machine, are buggy in nature and the victim’s machine is unable to reassemble those packets due to the bug in the TCP/IP fragmentation.

In this way, the packets keep on getting accumulated over the victim’s machine and finally due to the buffer overflow, the target machine crashes down.

How Teardrop Attack works?

Here, I am taking a reference from the Juniper’s technical publication to illustrate how does it work —

As you can see in the above figure of IP header, which operates at the network layer, there is a field called fragment offset field.

Teardrop Attack and Fragment Offset:

Understand it like this — When a large amount of data is sent across the internet, the data is broken into the smaller fragments. Each of these fragments is assigned a number. When they reach the receiving end, these fragments are rearranged to reproduce the original data or message.

To identify the sequencing of the fragments, the fragment offset field holds the necessary information using which the target machine rearranges the sequence.

However, in the Teardrop Attack, the fragment offset field is made buggy by the hacker so the victim’s machine is unable to find the relative fragments.

So, as the name suggests, the buggy packets keep on accumulating at the victim’s side like teardrops and ultimately it leads to the machine crash.

However, modern networking devices can detect this discrepancy in a fragmented packet. Once they detect the problem, they simply drop the packet.

Top 5 IT Security Certifications To Enhance Your Career

While not having an IT security
certification doesn’t disqualify you from getting a job offer or promotion, but prospective employers looking for industry-
leading credentials look at it as one
measure of qualifications and commitment to quality.

As the market for information security talent heats up and the skills shortage continues, infosec experts who have the right combination of credentials
and experience are in remarkably high demand.
“A certification today is like a college degree,” says Grady Summers, America’s leader for information security program
management services at Ernst & Young.“You may not hire a candidate just because they have one, but it is something that you come to expect in this field.”
“There is no replacement for real-world experience,” Summers says. “However, certifications are important and have become de facto minimum criteria when screening resumes.”

Here is a list of top five security certifications, which are based on
review of job boards and interviews with IT security recruiters and employers:

Certified Ethical Hacker (CEH)

Certified Ethical Hacker (CEH) is gaining popularity as organizations concentrate on securing their IT infrastructure and networks from internal and external attacks. Some employers aggressively look
to hire candidates with CEH validation for hands-on security operations and intelligence activities.

CEH is a comprehensive Ethical Hacking and Information Systems Security Auditing program offered by EC-Council, suitable for
candidates who want to acquaint
themselves with the latest security threats,advanced attack vectors, and practical real time demonstrations of the latest hacking techniques, tools, tricks, methodologies, and security measures.

The goal of the CEH is to certify security practitioners in the methodology of ethical hacking. This vendor-neutral certification
covers the standards and language involved in exploiting system vulnerabilities, weaknesses and countermeasures. Basically, CEH shows candidates how the attacks are committed. It also makes efforts to define the legal role of ethical hacking in enterprise organizations.

Global Information Assurance Certification (GIAC)

Global Information Assurance Certification (GIAC) is the leading provider and developer of Cyber Security Certifications,globally recognized by government, military
and industry leaders. As a result, its demand is rising in specific disciplines such as security operations, digital forensics, incident handling, intrusion
detection, and application software
security.

This certification is designed for
candidates who want to demonstrate skills in IT systems roles with respect to security
tasks. Ideal candidates for this certification possess an understanding of information
security beyond simple terminology and concepts.

“GIAC’s focus on open source tools and its aggressive in-depth training is very useful,” says Daryl Pfeil, CEO of Digital Forensics Solutions, a computer security and digital
forensics firm. She finds GIAC certified candidates highly skilled and talented to handle the dynamic demands of the real-
world job environment. Similarly, employers and recruiters are
gradually finding the GIAC credential as a requirement for hands-on technical positions.

Certified Information Security Manager (CISM)

Certified Information Security Manager (CISM) is significantly in demand as the profession concentrates on the business side of security. Offered by Information
Systems Audit and Control Association (ISACA), CISM addresses the connection
between business needs and IT security by concentrating on security organizational
issues and risk management.

This certification is for candidates who have an inclination towards organizational security and want to demonstrate the ability to create a relationship between an information security program and broader business goals and objectives.

Basically, CISM is perfect for IT security professionals looking to grow and build their career into mid-level and senior management positions. This certification ensures knowledge of information security, as well as development and management
of an information security program.

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by the International Information System
Security Certification Consortium, also known as (ISC)², the not-for-profit consortium that offers IT security certifications and training.
CISSP is viewed as the baseline standard for information security professions in government and industry. Companies have
started to require CISSP certification for their technical, mid-management and
senior management IT security positions.

This certification is designed for
candidates who are interested in the field of information security. The ideal candidates are those who are information assurance professionals and know how to
define the design, information system architecture, management and control that can guarantee the security of business environments.
The CISSP is widely popular within the IT security community, as it provides the basis of security knowledge. “We feel safe
hiring candidates carrying this validation,” says Ellis Belvins, division director at Robert Half International, a professional
staffing consultancy. The certification validates the security professionals’ high proficiency, principles and methodologies,
commitment and deeper understanding of security concepts.

Vendor Certifications

The increasing need for hands-on network engineers, along with social computing and web technology, has pushed network
security even further. Vendor certifications including Microsoft’s Certified Systems Engineer (MCSE) with focus on security,Cisco’s Certified Network Associate
Certification (CCNA), and Check Point’s Certified Security Expert (CCSE) top the list as organizations within government,
banking and healthcare that look to fill open positions including system administrators, network and architects.

Become an Android Developer : Here is how you can create your first Android App

Follow this 7 step guide to create
your first Android App Android is no doubt a great platform for
users as well as developers.

Thanks to Android Studio and continuous support from Google. And in case you were thinking to begin creating Android apps but did not have much idea of the know-how, you can follow this article to get your doubts clarified.

Programming Language

Android apps are developed in Java. You do not need to be an expert, but you should be good in specific areas, e.g. you need to have good knowledge of AWT and Swing for developing a GUI for your app.
Getting easy with following topics before starting will make the development phase more enjoyable.
>> Event Handling.
>> Swing.
>> Constructors.
>> JDBC.
>> Classes, Objects and Methods.
>> Packages.
>> Abstraction.
>> Polymorphism.
>> Inheritance.
You’ll also need to learn basics
of the Extended Markup Language(XML).

Places to Learn From
You can Learn Basics of Java and Android Development from these websites.
1. TreeHouse
2. Tutorials Point
3. Udacity ( Android development for
beginners)
4.Youtube
5.EdX

Steps to get an app built

1. Ideation
First of all an idea is required to be worked on. You’ll need to have a clear view of what your app will be for and what it will do. A good idea will be to start small and gradually add sophistication. Don’t make it
so boring that you don’t want to make it but try to avoid any complex functions as far as possible. Ideally, the app will only require one ‘screen’ (activity) and will involve some simple interactions so that something happens when the user presses a button. Consider it a challenge to make something that’s genuinely useful with the minimum amount of code.

2. Choosing your IDE

The most common way to build Android apps is to use Android Studio and Java.
This is the official method recommended by Google and it will afford you a lot of flexibility while ensuring there’s plenty of support if things go wrong. This is also the
method you will need to know if you ever plan on becoming a professional developer.

There are numerous other options for your IDE and language too however. You may pick Unity and C++ for instance if you want
to make a game. Basic4Android is an IDE focused on rapid development that lets you code with BASIC rather than Java. There’s
even an IDE that runs on Android called AIDE.

3. Collecting Resources

Resources mean images and other
material you will use in your app. You can download numerous images and use them but be aware not to violate someone’s copyright.

4. Building the layout of your app in
IDE

Now you’re going to create your layout in Android Studio using the ‘designer’. This is a tool that lets you simply drag and drop the widgets (also called ‘views’) where you
want them on the page.

You’ll need to start a new project in Android Studio to do this but there will still be no coding necessary at this point (except maybe a little XML). To start a new project select File > New > New Project. Follow the steps
selecting a name for your project and for your activities and choose ‘Empty Activity’.

5. Writing the core code

Now comes the more challenging part – adding the code. You know the basics of Java and you have your widgets/views already in place.

Now you’re going to open the Java file for your main activity and
simply create some ‘onClick’ events to add code that will run only when users click a specific button or otherwise take a specificaction.

6. Implementing more complexity

By now though, you should have some of the basic functionality in place so that your app responds to button clicks (in one way or another) and perhaps stores some variables. Next is to add the more advanced
functionality that will be specific to your app. For example, you might want your app to play music when a button is clicked. Maybe you want to add some flashy animations. Or perhaps you need to know how to transition from one activity to the
other.

7. Final review and publishing

Now comes the last step. You’ll have to test your app for bugs and once everything is right you can get your app published on Google Play Store.

Free Phishing Simulators for hackers and security researchers

In our attempt to make this world free from cyber criminals, we have brought out different articles about hacking tools and apps. The attempt of putting such articles in public domain is to educate readers about the clear and present dangers about surfing online without taking necessary precautions. They are also meant to educate wannabe hackers about new tools, apps and techniques.

In continuation to our above, goal we bring this article on phishing tools. Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

So, if you are essentially looking for a free phishing simulator or tools for your company, you have only three options: (1) Simple tools that allows you to create a simple email message and send it to one or numerous recipients using a specified mail server, (2) Open-source phishing platforms, and (3) Demo versions of commercial products.

You can use this tools to test the cyber defences of your company, provide cyber security training to your employees and friends.

(1) SecurityIQ PhishSim

Developed by InfoSec Institute, one of the many first benefits of SecurityIQ PhishSim is that after filling out a short online form, you get access to all benefits of software-as-a-service (SaaS) without having to pay for anything. It has no installation, no scripts to modify, and no servers to configure. All you need to do is simply sign up for a free account and start phishing and educate yourself. But, there are limitations, which include limited number of learners, branding and other customization options. However, the important components, such as using multiple templates (with over 100 templates to select from) in one campaign, report delivery and exporting features, campaign scheduling options, and an interactive phishing awareness education module, are included in the free account that allows you to run numerous extremely effective phishing campaigns.

(2) Gophish

Gophish is a powerful, easy-to-use, open-source phishing toolkit meant to help pentesters and businesses conduct real-world phishing simulations. The installation process is as simple as downloading and extracting a ZIP folder, as it is supported by most operating systems. While the limited features are considerately applied, the interface is simple and intuitive. Users can be easily added either manually or via bulk CSV importing. Email templates are easy to create and modify, creating campaigns is a direct process, and reports are pleasing to look at and can be exported to CSV format with many levels of detail. However, the most important disadvantage is that there no campaign scheduling options and no awareness education components.

(3) LUCY

LUCY is a hassle-free download of the free (community) version of the platform. You can download LUCY as a Debian install script or a virtual appliance. All you need is your email address and name for the same. While the web interface is attractive and maybe a bit confusing, there are many other features to explore. Designed as a social engineering platform, LUCY goes beyond phishing. It has awareness element along with interactive modules and puzzles. However, the community version of LUCY has too many restrictions to be efficiently used in an enterprise environment. Some important features such as campaign scheduling options, exporting campaign stats, and performing file (attachment) attacks, are not available under community license.

(4) Simple Phishing Toolkit (sptoolkit)

Simple Phishing Toolkit is a super easy to install and use phishing framework built to help information security professionals find human vulnerabilities. It offers an opportunity to combine phishing tests with security awareness education, with a feature that (optionally) directs phished users to a landing page with an awareness education video. Additionally, there is a tracking feature for users who completed the training. Ironically, the sptoolkit project was abandoned back in 2013. While a new team is trying to infuse new life in it, the documentation currently is rare and distributed all over the internet, making it a difficult task to realistically apply in an enterprise environment.

(5) Phishing Frenzy

Designed as a penetration testing tool, this open-source Ruby on Rails application has many features that could make it an effective solution for internal phishing campaigns. Compared to other similar tools, one of the main advantages is that you can manage your phishing tests more effectively as you can include the scope of your engagement as well when you create a new phishing campaign. Another advantage of Phishing Frenzy is that it can generate statistics regarding the users in scope (i.e. how many clicked the link?) which is always essential for the clients who order this type of test and the penetration tester as this information can be included as well in the final report. The stats can be viewed and easily saved into a PDF or an XML file, which is perhaps the most important feature of Phishing Frenzy. However, Phishing Frenzy is a Linux-based application, whose installation should not to be handled by a beginner.

(6) King Phisher

King Phisher is an open source Phishing Campaign Toolkit from SecureState. It has several features, which includes the ability to run multiple campaigns concurrently, web cloning capabilities, geo location of phished users, etc. Templates for both messages and server pages are contained in a separate template repository. While the user interface is clean and simple, it’s installation and configuration is not that easy. King Phisher server is only supported on Linux, with additional installation and configuration steps needed based on flavor and existing configuration.

(7) SpeedPhish Framework (SPF)

Created by Adam Compton, this python tool has many features that let you to quickly configure and carry out effective phishing attacks, including data entry attack vector. A tech-savvy security professional will be able to run phishing campaigns against several targets and can have a lot of fun with SPF. However, it will still remain a pentesting tool having many outstanding features (such as email address gathering) that may be hardly have importance for someone who is carrying out internal phishing tests.

(8) Social-Engineer Toolkit (SET)

Created and written by the founder of TrustedSec, the Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. It has no graphical user interface (GUI). SET is the standard for social-engineering penetration tests and supported heavily within the security community. For phishing, SET allows to send spear-phishing emails, running mass mailer campaigns along with some more advanced options, such as adding list of target emails from a file and flagging your message with high priority. While it is effective as a penetration testing tool, but it is very restricted as a phishing simulation solution and does not include any campaign management features or reporting.

(9) SpearPhisher BETA

Developed by TrustedSec, SpearPhisher is a tool that doesn’t try to cheat anyone other than its phishing targets. It says it correctly in the description: “A Simple Phishing Email Generation Tool.” With an emphasis on ‘simple.’ SpearPhisher is a Windows-based program with a direct GUI designed for non-technical users. It lets you to swiftly craft a phishing email with customized From Email, From Name, and Subject fields and includes a WYSIWYG HTML editor and an option to include one attachment. By adding email addresses to To, CC, and BCC fields, you can send the crafted email to many recipients. Since 2013, the program has been in Beta, and hence it is likely that there may not be any updates in the near future

Hacking techniques discovered in 2015 :

#1 FREAK Attack

Freak attack is a SSL/TLS Vulnerability that would allow attackers to intercept HTTPS connections and force them to use weakened encryption. The vulnerability was first reported in May, 2015 and can be read here.

Researchers: Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. You can get further details about Freak attack research here.

#2 LOGJAM vulnerability

Logjam vulnerability was discovered in October, 2015. It was another TLS vulnerability that allows man-in-the-middle attacks by downgrading vulnerable TLS connections to 512-bit encryption.

A researcher team of David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann discovered this vulnerability and you can read additional information about ithere.

#3 Web Timing Attacks

Web Timing attacks have been revealed many years back but this is the first time that researchers showed how it can be executed. Black Hat talk on how to tweak timing side-channel attacks to make it easier to perform remote timing attacks against modern web apps.

The lead researchers of web timing attack are Timothy Morgan and Jason Morgan.

#4 Evading All* WAF XSS Filters

Security researcher Mazin Ahmed discovered that it is  it is possible to evade cross-site scripting filters of all popular web-application firewalls. Once exploited the hackers can do pretty much anything they want.

The research paper can be read here.

#5 Abusing CDN’s with SSRF Flash and DNS

Now a days almost all big websites use content delivery networks (CDN). Research highlighted at Black Hat looking at a collection of attack patterns that can be used against content delivery networks to target a wide range of high availability websites.

The two Researchers, Mike Brooks and Matt Bryant discovered this hacking technique.

#6 IllusoryTLS

IllusoryTL is an attack pattern that can wreck the security assurances of X.509 PKI security architecture by employing CA certificates that include a secretly embedded backdoor. The vulnerability was discovered by a security researcher, Alfonso De Gregorio.

You can get additional information about illusorytls here.

#7 Exploiting XXE in File Parsing Functionality

Cyber criminals can exploit the XXE in file parsing functionality. A Black Hat talk examining methods in exploiting XML Entity vulnerabilities in file parsing/upload functionality for XML-supported file formats such as DOCX, XSLX and PDF.

The security researcher who discovered this vulnerability was Will Vandevanter.

#8 Abusing XLST

The vulnerability in XLST was known for a long time but security researcher Fernando Arnaboldi demonstrated it for the first time at the Black Hat conference.

Research and proof-of-concept attacks highlighted at Black Hat that show how XSLT can be leveraged to undermine the integrity and confidentiality of user information.

#9 Magic Hashes

Security researchers, Robert Hansen and Jeremi M. Gosney discovered a vulnerability in the way PHP handles hash comparisons.

Looks into a weakness in the way PHP handles hashed strings in certain instances to make it possible to compromise authentication systems and other functions that use hash comparisons in PHP.

You can get further information about magic hashes here.

#10 Asynchronous Vulnerabilities

Security researcher James Kettle presented a research at 44CON delves which explains how to use exploit-induced callback methods to find vulnerabilities hiding in backend functions and background threads.