Thursday, October 22, 2015

NTP attack - By rolling back the time


Interesting and simple:


From the article:


  • First attack - Involves the use of a so-called Kiss-of-Death packet to exploit a rate-limiter built into NTP. The attacker can exploit this situation from anywhere (an off-path attack) by spoofing a single Kiss-of-Death packet and can stop a client from querying a server for years.
  • Second attack - A denial-of-service attack where, even if the Kiss-of-Death packet vulnerability is patched, an attacker could still use the packet to disable NTP on the victim’s client.
  • Third attack - Requires the attacker to be in a man-in-the-middle position and able to hijack traffic to an NTP server using BGP or DNS hijacks. The attack rolls back time on the server’s clients, circumventing a 16-minute panic threshold built into NTP, and allows an attacker to manipulate the client’s cache and cause, for example, a cryptographic object to expire, they wrote.
  • Fourth attack - Carried out by an off-path attacker, it also rolls back time on the client side by exploiting problems in IPv4 packet fragmentation.


For more info:
https://threatpost.com/novel-ntp-attacks-roll-back-time/115138/
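The first attack works because a client will act on a Kiss-of-Death packet it cannot tie to a query it actually sent. The following Python is an added example (not code from the article or from the NTP project) that builds and parses the 48-byte NTP header, recognises a KoD by its stratum-0 ASCII reference ID, and then applies two checks a hardened client should make: the reply's origin timestamp must echo the transmit timestamp of our own outstanding query (an off-path spoofer never saw it), and whatever poll exponent the packet carries is clamped to ntpd's MINPOLL/MAXPOLL range so nobody can back us off for years. The transmit timestamp and packet values are constructed.

```python
import struct

NTP_HEADER_LEN = 48
# LI/VN/mode, stratum, poll, precision, root delay, root dispersion, reference ID,
# reference / origin / receive / transmit timestamps (RFC 5905 header layout)
NTP_HEADER_FMT = "!BBBbIIIQQQQ"
MODE_CLIENT, MODE_SERVER = 3, 4
MINPOLL, MAXPOLL = 4, 17          # ntpd's bounds on the poll exponent (2**17 s is about 36 h)


def build_client_query(transmit_ts: int) -> bytes:
    """NTPv4 client request (mode 3). The server must echo our transmit timestamp
    in the origin timestamp of its reply; ntpd fills it with unpredictable bits,
    so it works as a per-query nonce."""
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_CLIENT
    return struct.pack(NTP_HEADER_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def build_server_reply(origin_ts: int, stratum: int, ref_id: bytes, poll: int) -> bytes:
    """Server reply (mode 4). stratum=0 plus an ASCII reference ID makes it a KoD."""
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_SERVER
    ref_id_int = struct.unpack("!I", ref_id)[0]
    return struct.pack(NTP_HEADER_FMT, li_vn_mode, stratum, poll, -20, 0, 0,
                       ref_id_int, 0, origin_ts, 0, 0)


def parse_ntp(packet: bytes) -> dict:
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, poll, _precision, _root_delay, _root_disp, ref_id,
     _ref_ts, origin_ts, _recv_ts, xmit_ts) = struct.unpack(NTP_HEADER_FMT, packet[:NTP_HEADER_LEN])
    return {
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,
        "stratum": stratum,
        "poll": poll,
        "ref_id": struct.pack("!I", ref_id),
        "origin_ts": origin_ts,
        "transmit_ts": xmit_ts,
    }


def kiss_code(fields: dict):
    """RFC 5905: in a stratum-0 packet the reference ID is a four-letter ASCII
    'kiss code' (RATE, DENY, RSTR, ...). Returns None if this is not a KoD."""
    code = fields["ref_id"]
    if fields["stratum"] != 0 or not code.isalpha():
        return None
    return code.decode("ascii")


def clamp_poll(poll: int) -> int:
    """Never let a peer push our poll interval outside ntpd's own bounds."""
    return max(MINPOLL, min(MAXPOLL, poll))


def accept_kod(reply: bytes, our_transmit_ts: int):
    """Decide whether to honour a KoD reply to the query we sent with our_transmit_ts.
    Returns (kiss_code, clamped_poll), or None if the packet is not a KoD or is
    not a genuine reply to our query."""
    f = parse_ntp(reply)
    code = kiss_code(f)
    if code is None or f["mode"] != MODE_SERVER:
        return None
    # Origin-timestamp check: a reply that does not echo our transmit timestamp was
    # not produced in response to our query. An off-path attacker who never saw the
    # query cannot forge this 64-bit value, so the spoofed KoD is dropped.
    if f["origin_ts"] != our_transmit_ts:
        return None
    return code, clamp_poll(f["poll"])


if __name__ == "__main__":
    ts = 0x1234567890ABCDEF                                  # constructed transmit timestamp
    genuine = build_server_reply(ts, 0, b"RATE", poll=255)   # real server, absurd poll value
    spoofed = build_server_reply(0, 0, b"RATE", poll=255)    # off-path attacker guessing origin ts
    print("genuine KoD:", accept_kod(genuine, ts))
    print("spoofed KoD:", accept_kod(spoofed, ts))
```

The second check (the origin timestamp) is what turns the first attack back into an on-path-only attack; the clamp limits the damage even from a KoD that passes it.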

From Fitbit to Sickbit in 10 Seconds. This sickbit could also make other computers sick.


The good news is that it is supposed to be a proof of concept. (Do you feel safe?)


From the article:

A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.

This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.

For more info:
http://www.theregister.co.uk/2015/10/21/fitbit_hack/

Tuesday, October 20, 2015

Knowledge Is Power - PGP Desktop Video

This lesson looks at PGP Desktop features available such as Virtual Disk, PGP Zip, and the PGP Shredder.


Link:
http://www.symantec.com/connect/videos/pgp-universal-server-32-desktop-102-install-config-other-pgp-desktop-features

Basics - What is a VPN?



Link:
https://blogs.sophos.com/2015/10/19/what-is-a-vpn/

Knowledge Is Power - Symantec Endpoint Encryption (SEE) Videos




Link

If you think you are using Google Chrome , check again , it could be "eFast Malware" in disguise



A nice, simple but very effective trick.



From the article:

According to security bloggers at Malwarebytes, the malware installs itself as the default internet browser and the default program for various popular file types, including .html, .jpg, .gif and .pdf, as well as a number of web links such as http, https and irc.


eFast is able to mirror the aesthetics of Chrome as it uses the same source code, available across the open-source project Chromium.

eFast places ads across existing web pages, linking to third-party e-commerce sites or other malicious platforms.


For More info:
https://thestack.com/security/2015/10/20/efast-malware-hijacks-browser-with-chrome-clone/

Hacking Chip-and-PIN is not "improbable" (according to EMVCo and the UK Cards Association) anymore.




All truth passes through three stages. 
First, it is ridiculed. 
Second, it is violently opposed. 
Third, it is accepted as being self-evident.
Arthur Schopenhauer, German philosopher (1788 – 1860)

From the article:


When in 2010 a team of computer scientists at Cambridge University demonstrated how the chip and PIN system used on many modern payment cards can be bypassed by making the POS system accept any PIN as valid, the reaction of the EMVCo and the UK Cards Association was to brand the attack as "improbable".

The FUNcard chip was programmed to intercept the POS systems' PIN query and return an answer that says that the PIN is correct.

The card itself didn't look suspicious - the "double" chip still allowed the card to be inserted into POS systems.

Thusly modified cards were used in France by a group of fraudsters that were ultimately arrested in 2011 and 2012 because they repeatedly used them at the same few locations.

According to Wired, the French authorities estimated that before getting arrested, they managed to spend nearly 600,000 euros.
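As an added illustration (simulation code written for this post, not the Cambridge group's or the fraudsters' code), here is the PIN bypass at the APDU level in Python: the terminal's VERIFY command, the wedged "yes card" chip answering 90 00 regardless of the PIN, and the GENERATE AC step in which the genuine card reports whether it actually verified a PIN. The issuer-side check at the end is the countermeasure that catches the mismatch. The CVM Results and CVR encodings are simplified and illustrative, and the PIN, card and APDU values are constructed.

```python
INS_VERIFY = 0x20        # EMV VERIFY: terminal submits the cardholder PIN to the card
INS_GENERATE_AC = 0xAE   # EMV GENERATE AC: card returns the cryptogram for the issuer
SW_OK = bytes.fromhex("9000")


def pin_block(pin: str) -> bytes:
    """ISO 9564 format-2 plaintext PIN block as used for EMV offline PIN:
    '2', PIN length, PIN digits, padded with F to 16 nibbles."""
    return bytes.fromhex(f"2{len(pin)}{pin}".ljust(16, "F"))


def verify_apdu(pin: str) -> bytes:
    # CLA 00, INS 20, P1 00, P2 80 (plaintext PIN), Lc 08, PIN block
    return bytes([0x00, INS_VERIFY, 0x00, 0x80, 0x08]) + pin_block(pin)


def generate_ac_apdu(cvm_results: bytes) -> bytes:
    # P1 0x80 requests an ARQC (online authorisation). Real CDOL data carries many
    # more fields; here only the terminal's CVM Results (tag 9F34) are sent.
    return bytes([0x80, INS_GENERATE_AC, 0x80, 0x00, len(cvm_results)]) + cvm_results


class GenuineCard:
    """Minimal card: VERIFY checks the PIN, GENERATE AC reports whether it succeeded."""

    def __init__(self, pin: str):
        self._pin = pin
        self.pin_verified = False
        self.tries_left = 3

    def process(self, apdu: bytes) -> bytes:
        ins = apdu[1]
        if ins == INS_VERIFY:
            if self.tries_left == 0:
                return bytes.fromhex("6983")                # PIN blocked
            if apdu[5:] == pin_block(self._pin):
                self.pin_verified = True
                return SW_OK
            self.tries_left -= 1
            return bytes([0x63, 0xC0 | self.tries_left])    # wrong PIN, tries remaining
        if ins == INS_GENERATE_AC:
            # Simplified issuer application data: a single CVR byte recording whether
            # the card itself verified a PIN during this transaction.
            cvr = bytes([0x01 if self.pin_verified else 0x00])
            return cvr + SW_OK
        return bytes.fromhex("6D00")                        # instruction not supported


class YesCardShim:
    """The wedged chip: answers VERIFY itself with 90 00 and forwards everything else."""

    def __init__(self, real_card: GenuineCard):
        self.real = real_card

    def process(self, apdu: bytes) -> bytes:
        if apdu[1] == INS_VERIFY:
            return SW_OK      # the genuine card never sees the PIN, so any PIN "works"
        return self.real.process(apdu)


def terminal_transaction(card, entered_pin: str) -> dict:
    """What the POS does: VERIFY, record the outcome in CVM Results, then GENERATE AC."""
    pin_ok = card.process(verify_apdu(entered_pin)) == SW_OK
    # CVM Results (9F34): 0x41 plaintext PIN by ICC, 0x03 'if terminal supports CVM',
    # last byte 0x02 = successful, 0x01 = failed (values illustrative).
    cvm_results = bytes([0x41, 0x03, 0x02 if pin_ok else 0x01])
    ac_response = card.process(generate_ac_apdu(cvm_results))
    return {
        "terminal_pin_ok": pin_ok,
        "cvm_results": cvm_results,
        "card_cvr_pin_ok": ac_response[0] == 0x01,
    }


def issuer_check(record: dict) -> str:
    """Issuer-side consistency check: the terminal's CVM Results and the card's CVR
    both reach the issuer in the authorisation request, and they must agree."""
    if record["terminal_pin_ok"] and not record["card_cvr_pin_ok"]:
        return "DECLINE: terminal reports PIN verified, card reports no PIN verification"
    return "APPROVE"


if __name__ == "__main__":
    honest = terminal_transaction(GenuineCard("1234"), "1234")
    fraud = terminal_transaction(YesCardShim(GenuineCard("1234")), "0000")
    print("honest:", issuer_check(honest))
    print("yes card:", issuer_check(fraud))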



For More info:

Monday, October 19, 2015

Center for Internet Security (CIS) presents the CIS Critical Security Controls for Effective Cyber Defense Version 6.0 - now available



Check it out:

The new Controls include a new Control for "Email and Web Browser Protections," a deleted Control on "Secure Network Engineering," and a re-ordering to make "Controlled Use of Administration Privileges" higher in priority. This version also includes a new metrics companion guide.

A study by the Australian government indicates that 85% of known vulnerabilities can be stopped by deploying the Top 5 CIS Controls.

Get it here:
http://www.cisecurity.org/critical-controls.cfm

Tuesday, October 13, 2015

Another Day, Another Breach - Latest Victim is Dow Jones





From the article:

Attackers may have had access to the company’s systems as far back as August 2012, until July of this year. 



For more information:
https://threatpost.com/dow-jones-company-latest-financial-firm-hit-with-data-breach/115002/

Threatened with legal action - For trying to expose the vulnerability.


I guess the researcher should create an exploit and sell it on the black market.

Remember:

  1. Any system that claims to be secure but does not allow itself to be inspected is WORSE than an insecure system.
  2. In security, what you don't know CAN HURT YOU.



From the article:

While the vendors' descriptions made large claims about how secure their cameras were, Gnesa found undocumented backdoors and remotely exploitable vulnerabilities.

He would have presented all of this information at next week's conference until he was threatened with legal action from an unnamed vendor of one of the cameras.

Garcia and a number of other researchers discovered that millions of vehicles were vulnerable to remote hacking and effective immobilisation.
When they presented their research to Volkswagen in 2013, they were promptly smacked with an injunction in the UK high court and their work was suppressed until recently.

For more information:
http://www.scmagazineuk.com/security-expert-cancels-talk-on-back-of-legal-threat/article/444136/

Monday, October 12, 2015

Nosey Smurf, Dreamy Smurf, Tracker Smurf, Paranoid Smurf - This scary stuff turns our smartphone into a spied-upon phone



Always presume someone can collect information about you.
We cannot stop others from collecting our information, but we can definitely reduce how much they collect.


From the article:

“Nosey Smurf” turns on a phone's microphone to use it for audio surveillance.
“Dreamy Smurf”, he says, can turn a phone on or off.
“Tracker Smurf” is a geo-location tool.
Another Smurf can operate a smartphone's camera.
“Paranoid Smurf” does its best to hide the activities of the other Smurfs.

The Smurf army arrives by TXT messages, Snowden says, without users ever being aware of the message or its payload arriving or altering their phones in any way.


For More info:
http://www.theregister.co.uk/2015/10/06/gchqs_smurf_army_can_hack_smartphones_says_ed_snowden/

Friday, October 9, 2015

Do you know how much information is in your Boarding Pass?


What you don't know CAN (sometimes) hurt you



From the article:

“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key”) for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and, using his last name (which was encoded in the barcode) and the record locator, was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked.”

The information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. 


For more info:
http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
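To see exactly what a barcode like the one in the article gives away, here is an added Python example (mine, not Krebs's or Cory's) that parses the mandatory block of an IATA bar-coded boarding pass (BCBP): the first 60 characters carry the passenger name, the record locator (PNR), route, flight, Julian date, seat and check-in sequence number, and the last two characters give the length of a conditional section where items such as the frequent-flyer number live. The sample payload is constructed and the field labels are mine.

```python
import datetime

# Mandatory items of an IATA BCBP single-leg record, in order. The widths are the
# fixed field sizes of the standard; the field names are my own labels.
BCBP_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket_indicator", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("date_julian", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in BCBP_FIELDS)   # 60


def build_sample_pass() -> str:
    """Constructed sample payload: fictitious passenger, booking reference and flight."""
    parts = ["M", "1", "DOE/JOHN".ljust(20), "E", "ABC123".ljust(7), "FRA", "JFK",
             "LH".ljust(3), "0400".ljust(5), "290", "Y", "012A", "0031".ljust(5), "1", "00"]
    payload = "".join(parts)
    assert len(payload) == MANDATORY_LEN
    return payload


def parse_bcbp(payload: str) -> dict:
    if len(payload) < MANDATORY_LEN or payload[0] != "M":
        raise ValueError("not a BCBP 'M' format payload")
    fields, pos = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    # The conditional section (frequent-flyer number, airline-specific data, ...)
    # follows; its length is the hex value of the last mandatory item. Kept raw here.
    cond_len = int(fields["conditional_size_hex"] or "0", 16)
    fields["conditional_raw"] = payload[pos:pos + cond_len]
    return fields


def flight_date(fields: dict, year: int) -> datetime.date:
    """The date is a Julian day-of-year; the year itself is not in the barcode."""
    return datetime.date(year, 1, 1) + datetime.timedelta(days=int(fields["date_julian"]) - 1)


def booking_lookup_material(fields: dict) -> tuple:
    """The pair the article shows is enough for an airline 'manage my booking' page."""
    last_name = fields["passenger_name"].split("/")[0]
    return last_name, fields["pnr"]


if __name__ == "__main__":
    f = parse_bcbp(build_sample_pass())
    for name, _ in BCBP_FIELDS:
        print(f"{name:22} {f[name]}")
    print("flight date (2015):", flight_date(f, 2015))
    print("last name + PNR:", booking_lookup_material(f))
```

Everything printed comes from a barcode you can photograph from across the aisle; nothing in the payload is encrypted or signed.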

Monday, October 5, 2015

Another Day, Another Breach - It is Scottrade's turn



In security, one of the important rules is

"Prevention is Ideal but Detection is a MUST"


What bothers me is this line:
Scottrade claims that it didn’t find out about the breach until federal authorities contacted the company to tell them they were investigating “cybersecurity crimes” involving the theft of information from Scottrade and other financial services companies. 

First:
Scottrade is an investment and brokerage firm. In simple words, they deal with people's money.
Second:
They are not a brick-and-mortar company, they are an e-commerce company, yet they were not

So, why were they unable to detect the breach?


From the Article
The St. Louis-based company confirmed that information such as customers’ Social Security numbers, email addresses, and other data, were on the same system that was accessed, but that at this time it believes contact information was the main focus of the attack (really?).


When authorities arrested four men in Florida and Israel over the summer in connection to another financial services hack, the breach of JPMorgan Chase, court proceedings revealed the attack may have been the beginning of a complex spam email chain campaign. As part of a “multiyear campaign” the hackers were apparently hoping to leverage millions of spam emails to trick well-connected investors into investing in otherwise menial stocks. 

For more info:

Friday, October 2, 2015

If you are one of the 15 million T-Mobile customers affected, then you might want to read this





Here is a funny statement:
"Experian stored users’ Social Security numbers and ID numbers in “encrypted fields,” but admits that “Experian has determined that this encryption may have been compromised.”"

So, the company we entrust with our credit history and personal information implemented encryption, but not in a secure way.

So, let's remember:
Encryption is NOT EQUAL to SECURITY.

It is just a technology, so it can help security but does not by itself become security.
We still need proper design, implementation and processes in place to get (one layer of) security.
Defense in depth is the key.

From the Article:
News broke last night however that any customers who applied for a credit check for service or device-financing over the last few years may have had their information compromised in the breach.

Specifically, information stored on a server at one of Experian’s business units pertaining to T-Mobile USA customers from Sept. 1, 2013 to Sept. 16, 2015 appears to have been accessed. 

Several years ago the credit agency indirectly sold a cache of consumer information to a Vietnamese national, Hieu Minh Ngo after he maintained he was a private investigator. Ngo essentially got access to a database of social security numbers for some 200 million Americans and then sold that information via identity theft websites. 

For more info:

Fingerprints stolen? Sounds weird, but it happened. Now, have you thought of the consequences?



Nice one from my all-time favorite security guru.


From the article:
The news from the Office of Personnel Management hack keeps getting worse. In addition to the personal records of over 20 million US government employees, we've now learned that the hackers stole fingerprint files for 5.6 million of them.

There are three basic kinds of data that can be stolen:

  1. The first, and most common, is authentication credentials.
  2. The second kind of data stolen is personal information.
  3. The third is biometric data.



The problem with biometrics is that they can't be replaced. So while it's easy to update your password or get a new credit card number, you can't get a new finger.

And we really don't know the future value of this data. If, in twenty years, we routinely use our fingerprints at ATM machines, that fingerprint database will become very profitable to criminals. If fingerprints start being used on our computers to authorize our access to files and data, that database will become very profitable to spies.

Not every use of biometrics requires the biometric data to be stored in a central server somewhere. Apple's system, for example, only stores the data locally: on your phone. That way there's no central repository to be hacked. And many systems don't store the biometric data at all, only a mathematical function of the data that can be used for authentication but can't be used to reconstruct the actual biometric. Unfortunately, OPM stored copies of actual fingerprints.

For More info:

Thursday, October 1, 2015

StageFright 2.0 - Affects 1 Billion Android devices?



Previously we only had to worry about the number of vulnerabilities.
Now we also have to be concerned about the number of hosts that are affected and the level of expertise and awareness of the users.


From the article:

Stagefright is an over-privileged application with system access on some devices, which enables privileges similar to apps with root access. Stagefright is used to process a number of common media formats, and it’s implemented in native C++ code, making it simpler to exploit.


“That process, you would think, would be sandboxed and locked down as much as it could because it’s processing dangerous, risky code, but it actually has access to the Internet,” Drake said. “Android has a group enforcement where it allows [Stagefright] to connect to the Internet. This service is on all Android devices. I’d rather not have a service that’s doing risky processing have Internet access.


For More Info:

Monday, September 28, 2015

IoT - 4 Questions you should ask yourself



Here is a 5th one.

Remember the philosophical discussion about "WANTS and NEEDS".
Similarly, we should first ask the question:

5. Is there a compelling reason for me to enable this IoT stuff?


From the Article:

  1. Who is responsible for patching your smart home – from the cars you drive, the entertainment you watch, the food you store and prepare?
  2. Is it possible to have seamless mutual authentication between users and devices and devices and devices?
  3. What happens if the connections between your smart home and your smart grid stop working and turn against you?
  4. What if the seller of your dream house refuses to give up the keys to the built-in smart devices inside?



For More Info:
http://www.darkreading.com/endpoint/4-iot-cybersecurity-issues-you-never-thought-about-/a/d-id/1322330?_mc=RSS_DR_EDT

Friday, September 18, 2015

D-Link adds additional stuff to their open source firmware - the stuff happens to be their private key and passphrases



Apparently someone did not understand PKI 101.
Guard your private key. It is the one and only important key to the kingdom it is supposed to protect.
The good news is that the cert expired on 09/03.


From the Article
Private keys used to sign software published by D-Link were found in the company’s open source firmware packages. While it’s unknown whether the keys were used by malicious third parties, the possibility exists that they could have been used by a hacker to sign malware, making it much easier to execute attacks.

The reader found not only the private keys, but also passphrases needed to sign the software. 

The D-Link cert was published on Feb. 27 and was exposed for more than six months before it expired Sept. 3.

For More Info
https://threatpost.com/d-link-accidentally-leaks-private-code-signing-keys/114727/
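A release checklist item that would have caught this is a scan of the published tree for key material before it ships. The Python below is an added example (not D-Link's tooling, nor from the article) that walks a directory, reports every PEM private-key block it finds, notes whether each one is at least passphrase-protected, and flags a passphrase committed alongside it, which is the second thing the reader found. The sample tree it builds is constructed and its key bodies are placeholder text, not real keys.

```python
import re
import tempfile
from pathlib import Path

# PEM private-key blocks of the common flavours (PKCS#1, PKCS#8, EC, OpenSSH).
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>(?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY)-----"
    rb"(?P<body>.*?)-----END (?P=kind)-----", re.S)
# Heuristic for a passphrase committed next to the key: shell/config assignments
# and an 'openssl ... -passin pass:...' invocation.
PASSPHRASE_RE = re.compile(rb"(?i)(?:pass(?:word|phrase)|pwd)\s*[=:]\s*\S+|-passin\s+pass:\S+")


def scan_blob(data: bytes) -> dict:
    keys = list(PEM_KEY_RE.finditer(data))
    # A PEM key is passphrase-protected if it is a PKCS#8 'ENCRYPTED PRIVATE KEY'
    # or carries the legacy 'Proc-Type: 4,ENCRYPTED' header inside the block.
    encrypted = sum(1 for m in keys
                    if m.group("kind").startswith(b"ENCRYPTED")
                    or b"Proc-Type: 4,ENCRYPTED" in m.group("body"))
    return {
        "private_keys": len(keys),
        "unencrypted_keys": len(keys) - encrypted,
        "passphrase_hints": [m.group(0).decode(errors="replace")
                             for m in PASSPHRASE_RE.finditer(data)],
    }


def scan_tree(root) -> list:
    """Walk a source/firmware tree and report every file holding a key or a passphrase."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        result = scan_blob(path.read_bytes())
        if result["private_keys"] or result["passphrase_hints"]:
            result["path"] = path.relative_to(root).as_posix()
            findings.append(result)
    return findings


def make_sample_tree() -> str:
    """Constructed firmware tree; the key bodies are placeholders, not real keys."""
    root = tempfile.mkdtemp(prefix="fw-")
    files = {
        "build/signing.key": (
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEPLACEHOLDERNOTAREALKEY==\n"
            "-----END RSA PRIVATE KEY-----\n"),
        "build/signing-enc.key": (
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "Proc-Type: 4,ENCRYPTED\n"
            "DEK-Info: AES-256-CBC,00\n\n"
            "PLACEHOLDER==\n"
            "-----END RSA PRIVATE KEY-----\n"),
        "build/sign.sh": (
            "#!/bin/sh\n"
            "openssl cms -sign -inkey signing-enc.key -passin pass:hunter2 -in fw.bin -out fw.sig\n"),
        "src/main.c": "int main(void) { return 0; }\n",
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    for finding in scan_tree(make_sample_tree()):
        print(finding)
```

An encrypted key plus the script that holds its passphrase is no better than a plaintext key, which is why the scanner reports both and a release gate should fail on either.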

Great gift for your spouse or your boss - A Spy watch that can guess what they type.



Sometime in the future we may have malware that does that for free.


From the article:

Using the watch's built-in motion sensors, more specifically data from the accelerometer and gyroscope, researchers were able to create a 3D map of the user's hand movements while typing on a keyboard.

The researchers then created two algorithms, one for detecting what keys were being pressed, and one for guessing what word was typed.

The first algorithm recorded the places where the smartwatch's sensors would detect a dip in movement, considering this spot as a keystroke, and then created a heatmap of common spots where the user would press down.

The second algorithm took this data and, analyzing the pauses between smartwatch (left hand) keystrokes, was able to detect how many letters were pressed with the right hand, based on the user's regular keystroke frequency.

Based on a simple dictionary lookup, the algorithm then managed to reliably reproduce what words were typed on the keyboard.


For more info:
http://news.softpedia.com/news/creepy-smartwatch-spies-what-you-type-on-a-keyboard-491604.shtml

Thursday, September 17, 2015

ERNW found five software flaws in FireEye's Malware Protection System - And FireEye is upset about it?



FireEye sending Cease-and-Desist Notice?


From the Article:

The kerfuffle between FireEye and ERNW, a consultancy in Germany, started after an ERNW researcher found five software flaws in FireEye's Malware Protection System (MPS) earlier this year.


In a face-to-face meeting in Las Vegas on Aug. 5, Rey wrote that it appeared the two companies had reached a consensus on a draft of the disclosure document.

But about a day later, FireEye sent ERNW a cease-and-desist letter, which focused on the disclosure of the company's intellectual property, Rey wrote. The letter contended that no consensus had been reached between the parties the day before.

Before ERNW responded in writing, FireEye obtained an injunction on Aug. 13 from a district court in Hamburg


FireEye issued a notification describing the vulnerabilities, which it patched some time ago, on Sept. 8. Although it is customary to include a timeline from when a vendor is notified to when patches were issued, FireEye's notice doesn't contain one.




For More Info
http://www.pcworld.com/article/2983144/fireeye-takes-security-firm-to-court-over-vulnerability-disclosure.html

Encryption is useful (to the bad guys too).



What can be used can also be abused.



From the article:

As more advertisers and ad networks start enabling HTTPS, criminals are beginning to make their activities harder to trace by serving their malicious ads over HTTPS, encrypting their tracks, according to security experts.


“HTTPS makes it a lot harder to be able to get this 'creative ID' as it is inside an encrypted session between the victimized client and the publisher giving the advertisement content,” Klijnsma said.


That’s the reason why a recent malvertising campaign that hit eBay and the Drudge Report, among others, was able to go unnoticed for three weeks. As Segura noted in his technical analysis of the campaign, the criminals avoided detection “by encrypting traffic” using HTTPS.

What’s worse, there’s no easy solution to this. One possibility, Klijnsma argued, is to limit ads containing dynamic scripts such as JavaScript, which are the preferred method to deliver malicious code. 

For more info:
http://motherboard.vice.com/en_uk/read/the-downside-of-encrypting-everything-virus-filled-ads-are-harder-to-track

Wednesday, September 16, 2015

ATM Theft Scenario: You insert your ATM card and your card is not returned (it happens) but, it will be given to the next guy who accesses the ATM (very bad). What if this is deliberately done by a Malware (named "Suceful") to steal your card (+ data) and give it to the bad guy.



Fact is Stranger than fiction.


From the article:

This particular sample can read all the credit/debit card track data and data from the card's chip (if the card has one), retain or eject the inserted card on demand, and can be controlled by the attackers via the ATM's PIN pad.

The malware is also capable of disabling the ATM's door, alarm and proximity sensors to prevent malicious activities from being detected.

While it's impossible for ATM users to spot a compromised machine, they are advised to be suspicious of machines that retain their cards. Giving a call to the bank if that happens is always a good idea, preferably while keeping an eye on the ATM in order to spot attempts by suspicious individuals to retrieve the card from the machine.


For more info:
http://www.net-security.org/malware_news.php?id=3098

Android 5 (Lollipop) phones - the lock-screen password can be easily bypassed by typing a very long string



This is a plain and simple failure in app testing.
However, it has been fixed, so go ahead and upgrade.



From the article:

Unless they've been fully patched to version 5.1.1 including last week's security updates.

Yes, by typing in too many characters, you can kill off the security mechanism and gain full access to the device, even if its filesystem is encrypted – miscreants can exploit this to run any application, or enable developer access to the device.


The attack only works if the gadget has a lock-screen password set, the researchers note: the attack doesn't work against pattern or PIN setups.




For more info:
http://www.theregister.co.uk/2015/09/16/google_patches_android_lockscreen_bypass_nexus/

Gone with the wind - I am not talking about the movie, I am talking about our Privacy.



Welcome to the privacy-free world, where everything about you can be known.
AND CAN BE USED AGAINST YOU.

However, it might help us as an alibi, to prove that we were present at a certain site at a certain time.

Then again, who cares about privacy? Gmail scans your emails. Facebook has your entire history. Even though we know they will hand this information over to the government,
both are still top products.


From the Article:

The study found 74% of shops are using technology to track customers when they are in the store, with a quarter of consumers believing it contributes to a positive shopping experience


When explaining how they use data, retailers were divided on what the term big data meant. Some admitted they were collecting data that may not currently be relevant with the hope they could “think of a use for it later”.

However, consumers are more comfortable with some data collection models than others, reacting better to opt-in models such as loyalty cards (trading privacy for freebies?) as opposed to a model where they do not have a choice, such as monitoring footfall or facial recognition.




For More information:

Tuesday, September 15, 2015

Password Issues - In a single picture





Cisco Routers - Attackers can modify the Firmware (if you don't change the default password)




To be honest, this is not Cisco's fault (at least not fully).
Simple rule - always change the vendor-provided password (if possible, to a complex one).



From the Article:
“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password. Each of the modules is enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router's interface,”

The researchers say that Cisco 1841, 2811, and 3825 routers are known to be targeted in this kind of attack 

The modified IOS image that the attackers are using in these attacks survives a reboot of the router, but additional modules the attackers load live in volatile memory and will be lost after a reboot. The malicious implant modifies a function to point to the malware and overwrites a few other functions, as well. 


For more info:

Monday, September 14, 2015

Ashley Madison - Moral of the story- Even the best security tool will not save you if you implement it badly.


All security folks know this.

A secure product will not work if you configure it wrongly.

Ashley Madison is another sad story of failing to understand this.



From the Article:

The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days.

Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two.

The bcrypt configuration used by Ashley Madison was set to a "cost" of 12, meaning it put each password through 2^12, or 4,096, rounds of an extremely taxing hash function. If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault.
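The Python below is an added example (mine; the exact $loginkey construction is not on this page) of why a fast MD5 derivative next to a bcrypt hash is fatal: the weak token is cracked at one MD5 per guess, and the expensive hash is then consulted only for the case variants of the already-known password. PBKDF2 with 2^12 rounds stands in for bcrypt at cost 12 so the block runs with the standard library; the lower-cased "user::password" MD5 is an assumed shape, and the username, password, salt and wordlist are constructed.

```python
import hashlib
import itertools
from typing import Optional

SLOW_COST = 12   # bcrypt-style cost: 2**12 = 4096 rounds per guess


def slow_hash(password: str, salt: bytes, cost: int = SLOW_COST) -> bytes:
    """Stand-in for bcrypt at cost 12: PBKDF2-HMAC-SHA256 with 2**cost rounds.
    What matters for the argument is the round count, not the primitive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)


def weak_loginkey(username: str, password: str) -> str:
    """An assumed shape for the fast derivative: one unsalted MD5 over the
    lower-cased username and password. It shares the two flaws described in the
    article: one cheap hash per guess, and loss of the password's case."""
    return hashlib.md5(f"{username.lower()}::{password.lower()}".encode()).hexdigest()


def crack_loginkey(loginkey: str, username: str, wordlist) -> Optional[str]:
    """One MD5 per candidate: the 'padlock-secured box' beside the vault."""
    for candidate in wordlist:
        if weak_loginkey(username, candidate) == loginkey:
            return candidate.lower()
    return None


def recover_case(lowercase_pw: str, slow_digest: bytes, salt: bytes,
                 max_variants: int = 4096) -> Optional[str]:
    """The slow hash is consulted only for case variants of the cracked password:
    a few hundred expensive operations instead of 4096 rounds per dictionary word."""
    letters = [i for i, c in enumerate(lowercase_pw) if c.isalpha()]
    for n, mask in enumerate(itertools.product((False, True), repeat=len(letters))):
        if n >= max_variants:
            break
        chars = list(lowercase_pw)
        for flip, i in zip(mask, letters):
            if flip:
                chars[i] = chars[i].upper()
        candidate = "".join(chars)
        if slow_hash(candidate, salt) == slow_digest:
            return candidate
    return None


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    stored_slow = slow_hash("Password123", salt)              # what bcrypt was protecting
    leaked_key = weak_loginkey("Alice", "Password123")       # what the shortcut leaked
    wordlist = ["letmein", "password123", "hunter2"]         # constructed dictionary
    lower = crack_loginkey(leaked_key, "Alice", wordlist)
    print("cracked via MD5 derivative:", lower)
    print("case recovered via slow hash:", recover_case(lower, stored_slow, salt))
```

The lesson generalises: any value derived from the password with a cheaper function than the main hash (a login token, a "remember me" cookie, a legacy hash kept for migration) sets the effective cost of the whole scheme.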





For more info:

Tuesday, September 8, 2015

TSA compatible locks are not useful any more - Time to use regular locks


Oh yeah, the article also talks about the backdoor in phone switches and the NSA backdoor, all of which are now exposed and can be exploited.



From the Article:

A TSA agent and the Washington Post revealed the secret. All it takes to duplicate a physical key is a photograph, since it is the pattern of the teeth, not the key itself, that tells you how to open the lock.

Any phone switch sold in the US must include the ability to efficiently tap a large number of calls.  And since the US represents such a major market, this means virtually every phone switch sold worldwide contains “lawful intercept” functionality.  


The final backdoor, Dual_EC_DRBG, was surreptitiously developed by the NSA.  This trap-doored pseudo-"random" number generator enables the NSA (or anyone who knows a secret number) to efficiently decrypt communication.  Yet as many cryptographers were suspicious of both Dual_EC's poor performance and "backdoor-capable" nature, the NSA also needed to use its market power to encourage adoption, including reportedly bribing RSA Data Security $10M to make it the default pRNG.

All three backdoors introduced significant problems.  TSA locks can be opened by anyone despite their promise of security, the CALEA interface has been used for nation-state spying, and the biggest potential victim of the Dual_EC backdoor is probably the US government.


For More info

PayPal users should read this



The scary part is the vulnerability can allow even a 2-factor authentication bypass.

Moral of the story: If the building has problems in the foundation then, no matter what you add, you can still have issues.



From the article:

The researcher says the applications are plagued by a vulnerability that can be exploited to access such accounts through repeated login attempts that leverage valid session cookies.


The bug bounty hunter says the method can be used to bypass not only the identity verification mechanism, but also the 2FA system

The issue was reported to PayPal in April, but it remains unfixed. According to Vulnerability Lab, the company confirmed the existence of the flaw, but downplayed its impact.

This is not the first time PayPal and Vulnerability Lab have argued over the impact of a mobile API flaw. In October 2014, the German security firm publicly disclosed a similar security bypass issue after PayPal refused to acknowledge its existence for more than a year. Ultimately, the payment processor confirmed the vulnerability, patched it, and promised to reward the researchers.


For more info:

Thursday, September 3, 2015

Carbanak backdoor - Sounds like something you want to install at home. Nah, it is a financial APT (meaning bad malware)



Now it has an upgrade.
The silver lining is that it targets banks rather than end users.
Let's hope that the banks have sensible (not expensive) security.


From the article:

The attacks begin with spearphishing emails that have rigged attachments containing the Carbanak backdoor. Once on a compromised machine, Carbanak gives attackers remote control of the machine and the criminals used that as a foothold on the bank’s network and then stole money in several different ways.

Researchers at CSIS in Denmark say they’ve seen new variants of Carbanak that have some unique characteristics. The folder in which Carbanak installs itself and the filename it uses are both static. The malware injects itself into the svchost.exe process as a way to hide itself.

“As several other advanced data stealing threats, Carbanak utilizes plugins. The plugins are installed using Carbanak’s own protocol.”


Carbanak is what we define as a financial APT. In its nature, it is very targeted and it is being deployed in small numbers. In this way, it tends to slide under the radar.

For more info
https://threatpost.com/new-versions-of-carbanak-banking-malware-seen-hitting-targets-in-u-s-and-europe/114522

Watch out Android users - Ransomware disguised as a video player. Nothing new, except that it is hard to block this one



It also uses XMPP for communication, making it hard to detect.




From the article
These infections begin with the victim downloading a phony application from a third-party app store, in this case a supposed Flash Player app.

Victims, with this strain, see a message purporting to be from the National Security Agency with threatening language about copyright violations and threats of fines being tripled if not paid within 48 hours of notification.

The Ransomware uses an instant messaging protocol called XMPP, or Extensible Messaging and Presence Protocol, to receive commands and communicate with the command and control server


“Using XMPP makes it much more difficult for security devices to trace the malware C&C traffic as well as distinguish it from other legitimate XMPP traffic,” Check Point said in a report published Wednesday. “It also makes it impossible to block traffic by monitoring for suspicious URLs.”


“As XMPP supports TLS, the communication between the client and the server is also natively encrypted.” 


For More info:

Free additional feature called "Spying on You" (my nickname for the service) without your permission - in Windows 7 and 8



I am not surprised; if you are, then you are not from this planet.


From the article

Back in April, Microsoft released a non-security update for both Windows 7 and 8. This update, 3022345, created a new Windows service called the Diagnostics Tracking service.

The concern with the new Diagnostic Tracking service is much the same as with Windows 10's tracking: it's not clear what's being sent, and there are concerns that it can't be readily controlled.

(good news) Additionally, most or all of the traffic appears to be contingent on participating in the CEIP in the first place. If the CEIP is disabled, it appears that little or no traffic gets sent.


For More info:
http://arstechnica.com/information-technology/2015/08/microsoft-accused-of-adding-spy-features-to-windows-7-8/

Tuesday, September 1, 2015

AppLock - Nice catchy name for a "lock application". The only problem is, it only hides the files.




They called it APPLOCK, not "APP-ENCRYPT", so they don't have to protect your files.


From the article:

A researcher is claiming that the app, which is supposed to securely store photos, videos and other apps, doesn’t really use encryption to do so; it simply hides the files elsewhere on the phone, where an attacker could theoretically read them.

The second issue, the weak lock mechanism vulnerability, allows an attacker with root access to the device to either see the PIN code associated with an app, or change it.

That’s perhaps the most dangerous, as it could give an attacker full control of the app. By exploiting its password reset function, an attacker could potentially reset a user’s PIN code and “gain full access to all functionalities of the application without any kind of special permission.”



For more info:




Here is what Google play says about the app

============
Most downloaded app lock in Play Store
★ #1 App lock in over 50 countries.
★ Over 100 Million users, supporting 24 languages.
☞ AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings, Calls and any app you choose, with abundant options, protecting your privacy.
☞ AppLock can hide pictures and videos, AppLock empowers you to control photo and video access. Selected pictures vanish from your photo gallery, and stay locked behind an easy-to-use PIN pad. With AppLock, only you can see your hidden pictures. Privacy made easy!

★ With the help of App Lock, you may:
Never worry about a friend borrowing your phone to play games again!
Never worry about a workmate taking your phone to have a look again!

Never worry about private data in some apps being read by someone again!
Never worry about your kids changing your phone's settings, paying for games, or messing it up again!

===========

Wednesday, August 26, 2015

ins0mnia vulnerability (already patched - Please update your iOS)


Vulnerabilities are bad but the names associated with them are interesting. (just like this one)

This has been patched, so applying the patch is now our responsibility.




From the Article:

A mobile app exploiting this vulnerability could also look benign enough to slip past Apple’s security protections guarding the App Store.

“A malicious application could leverage the Ins0mnia vulnerability to run in the background and steal sensitive user information for an unlimited time without the user’s consent or knowledge,” 

More disturbing, FireEye said, is the fact that a malicious app targeting this vulnerability can run on non-jailbroken iPhones and iPads.


For More Info:
https://threatpost.com/patched-ins0mnia-vulnerability-keeps-malicious-ios-apps-hidden/114423

Tuesday, August 25, 2015

Value of a hacked PC in Pictures

From:
http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

Human vulnerability scanner ?? - AVA (Free, open-source) - To identify employees most vulnerable to social engineering attacks




Interesting idea, and it takes a different approach.



From the article:

She realized there’s no real way of knowing whether such training is effective until it’s too late.


First, a hypothetical example of social engineering at work. Imagine you’re a junior help desk technician at a large company. You’re low on the corporate ladder, and constantly worried about keeping your job. One night you get a text from a number you don’t recognize. “It’s Ted,” the message reads. “I need my password reset immediately. Lots of money riding on this deal.”

  1. AVA works in three “phases” to prevent this sort of thing. First, it integrates with corporate directories such as Active Directory and social media sites like LinkedIn to map the connections between employees, as well as important outside contacts.
  2. AVA users can craft custom phishing campaigns, both in email and Twitter, to see how employees respond. 
  3. Most importantly, it helps organizations track the results of these campaigns. 


You could use AVA to evaluate the effectiveness of two different security training programs, see which employees need more training, or find places where additional security is needed.



For more information:

Heartbeat - Another 2nd factor for authentication (Biometrics)




Wondering if this might be useful in a kidnap situation. Can there be a signature mismatch if the victim is tense?

(The article also has a youtube video)

From the article:

The Nymi Band offers a way to use your heartbeat as a secure payment method and unlocking technique. The band uses a biometric authentication technology called Heart ID that allows the band to confirm its user’s identity by monitoring the unique signature of his or her heartbeat.


For more information:
http://www.eedesignit.com/ditch-the-credit-cards-and-fingerprints-pay-with-your-heartbeat-instead/

How-To: Phone and laptop encryption guide - For common folks




Remember:
Even if you totally wipe your drive, disk recovery software may still be able to read old files.


Link to the article:
http://arstechnica.com/gadgets/2015/08/phone-and-laptop-encryption-guide-protect-your-stuff-and-yourself/

Tuesday, August 18, 2015

OnHub- New router from Google and TP-LINK



Sounds nice, but $200 sounds pricey.


From the article:

A different kind of router for a new way to Wi-Fi. Instead of headaches and spotty connections, OnHub gives you Wi-Fi that’s fast, secure, and easy to use. 

During setup, OnHub searches the airwaves and selects the best channel for the fastest connection. A unique antenna design and smart software keep working in the background, automatically adjusting OnHub to avoid interference and keep your network at peak performance. You can even prioritize a device, so that your most important activity — like streaming your favorite show — gets the fastest speed.

OnHub makes it simple to set up and manage your Wi-Fi, all from the Google On app, available on Android or iOS. The Google On app tells you how much bandwidth your devices are using, lets you run a network check, and if there’s an issue with your Wi-Fi, the app offers suggestions to help. And, (I don't know if I like this one) instead of lost passwords and sticky notes, it even reveals your password with a single tap and lets you text or email it to friends.

For more details :
http://googleblog.blogspot.com/2015/08/meet-onhub-new-router-for-new-way-to-wi.html

Sound Proof - (meaning presenting "Sound" as "proof") for 2nd Factor Authentication method



Interesting idea


From the Article:

Dubbed “Sound-Proof”, it will rely on ambient sounds. What happens here is that when you login, both your phone and computer will start listening for ambient sounds. When it determines that both devices are listening to the same thing, it will log you in, meaning that if for some reason the hacker managed to steal your generated code but your smartphone is in a different location, they won’t be able to get in either.
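To make the "both devices hear the same thing" idea concrete, here is an added toy simulation; it is not Sound-Proof's own code or algorithm. Two short "recordings" are compared by normalized cross-correlation over a small lag window (the phone and computer never start listening at exactly the same instant); the ambient signal, sensor noise and threshold are all constructed for the demo.

```python
import random

# All parameters below are constructed for this demo, not Sound-Proof's.
SAMPLES = 400      # length of each "recording"
MAX_LAG = 20       # tolerated start-time offset between the two devices
THRESHOLD = 0.6    # similarity needed to accept the second factor


def ambient(seed, n=SAMPLES):
    """Stand-in for ambient audio at one location: deterministic noise."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]


def record(source, mic_noise_seed, lag=0, noise=0.3):
    """Simulate a microphone that hears `source`, adds its own sensor
    noise, and started `lag` samples late (devices never start together)."""
    rng = random.Random(mic_noise_seed)
    shifted = source[lag:] + [0.0] * lag
    return [s + rng.gauss(0.0, noise) for s in shifted]


def ncc(a, b):
    """Normalized cross-correlation (Pearson) of two equal-length signals."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    da = sum((x - ma) ** 2 for x in a) ** 0.5
    db = sum((y - mb) ** 2 for y in b) ** 0.5
    return num / (da * db) if da and db else 0.0


def similarity(rec_a, rec_b, max_lag=MAX_LAG):
    """Best NCC over lags in [-max_lag, max_lag], so a small offset in
    when each device started listening does not defeat the comparison."""
    n = len(rec_a)
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            a, b = rec_a[lag:], rec_b[:n - lag]
        else:
            a, b = rec_a[:n + lag], rec_b[-lag:]
        best = max(best, ncc(a, b))
    return best


def second_factor_ok(rec_computer, rec_phone, threshold=THRESHOLD):
    """True when the two recordings are similar enough to treat the phone
    as being in the same room as the computer; False when it is elsewhere,
    which is exactly the case where a stolen code alone must not log you in."""
    return similarity(rec_computer, rec_phone) >= threshold


if __name__ == "__main__":
    room = ambient(seed=1)
    computer = record(room, mic_noise_seed=10)
    phone_same_room = record(room, mic_noise_seed=11, lag=5)
    phone_elsewhere = record(ambient(seed=2), mic_noise_seed=12)
    print("phone in same room:", second_factor_ok(computer, phone_same_room))
    print("phone elsewhere:  ", second_factor_ok(computer, phone_elsewhere))
```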



More details on Sound Proof (also has a link to video):
http://sound-proof.ch/

Enhanced Private Browsing - coming soon for Firefox


Any addition to Privacy or Security is always welcome



From the Article:

  1. Private Browsing will have a control center that allows users to unblock elements that the mode has blocked, on a granular basis
  2. Also new in this preview edition is the default activation of add-on approval checks. Non-approved add-ons will be rejected, but can be overridden manually if trusted by the user.
  3. The browser's experimental Electrolysis service, which runs web content in a dedicated process, is activated for pre-beta users. This is designed to improve multitasking performance by keeping the main web process free for interaction such as web apps, while delivery is handled separately.



For More info:

Friday, August 14, 2015

Fake Malware - created by Kaspersky?




I think it is possible, after all it is fake Malware, so what's the harm?


From the Article:

Kaspersky Lab tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.

In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal


For more info:
http://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-idUSKCN0QJ1CR20150814

Monday, August 10, 2015

"CEO fraud" - This is not CEOs committing fraud (which is also common) - In this case, it is cyber thieves tricking companies into performing wire transfers



The dollar value involved is mind-boggling: $47M?

It is time to 
  1. Check and ensure that the "Anti-Spoofing" features in the email gateways work, and also verify their rates of success and failure.
  2. Implement alternate (non-email) methods to validate the request.



From the Article:
Cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers.

In February, con artists made off with $17.2 million from one of Omaha, Nebraska’s oldest companies —  The Scoular Co., an employee-owned commodities trader.

In March 2015, I posted the story Spoofing the Boss Turns Thieves a Tidy Profit, which recounted the nightmarish experience of an Ohio manufacturing firm that came within a whisker of losing $315,000 after an employee received an email she thought was from her boss asking her to wire the money to China to pay for some raw materials.

The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions


For More Info:

TIPS-N-TRICKS - Microsoft tool to prevent some drivers from re-installing automatically




Well, we all know that not all MS drivers work well, so there are times we don't want some of them.

Windows 10 for home will force install updates and drivers.

So, here is a tool to defer that.


https://support.microsoft.com/en-us/kb/3073930

Sunday, August 9, 2015

"Selfie" based 2nd factor Authentication?


MasterCard wants to try it


From the article:

MasterCard is launching a facial recognition payment service based on “selfies” taken on a smartphone. This new technology features a photo scanner that creates a map of the shopper’s face, which is then translated into a code for confirmation of future payments.

According to a survey released by Visa Europe, 69 percent of Europeans aged 16-24 believe that their lives will be “faster and easier” without passwords. Contactless payments would be the next natural step, enabling shoppers to complete transactions far more quickly.

However, when it comes to the extensive use of biometrics in the payments industry, the biggest hurdle to overcome is widespread adoption. 



For more info:

Friday, August 7, 2015

Malware (GSMem) can add a (not so) nice feature to your computer - It can turn it into a cellular antenna to leak information.



Welcome to the world of "never-ending hackovation" (hacker innovation).


From the article:

This attack uses ordinary computer hardware to send out the cellular signals.

The air-gapped computer that is targeted does need to have a malware program developed by the researchers installed. That could be accomplished by creating a type of worm that infects a machine when a removable drive is connected.

The malware, called GSMem, acts as a transmitter on an infected computer. It creates specific, memory-related instructions that are transmitted between a computer's CPU and memory, generating radio waves at GSM, UMTS and LTE frequencies that can be picked up by a nearby mobile device.

The malware has such a small footprint in memory that detecting it would be very difficult; it can easily evade detection.

(This is interesting) Their receiver was a nine-year-old Motorola C123 so-called "feature" phone, which looks downright ancient compared to mobile phones today. But there are a couple of reasons why they chose it.

Most embassies and many companies ban smartphones from being taken inside their premises, to prevent signals intelligence collection. But some companies, including Intel and defense contractor Lockheed Martin, still allow devices that are not smartphones into sensitive areas



For more info:
http://www.csoonline.com/article/2962328/data-protection/new-malware-turns-your-computer-into-a-cellular-antenna.html

IMPORTANT - Update Your Firefox Browser Now - Latest version fixes vulnerability CVE-2015-4495


CVE-2015-4495:

This has been seen in the wild and allows an attacker to read and steal sensitive local files.  
The vulnerability takes advantage of the interaction between the JavaScript context separation and the PDF Viewer.

Samy Kamkar can compromise a car lock in 60 seconds and your garage door in 10 seconds. All with $30 hardware.



Convenience always comes with a price.

However, the device needs to be placed close by, and the attack works only after the owner attempts unlocking.

From the article:

Kamkar has built a new device known as Rolljam. The device takes advantage of an issue with the way that vehicles that use rolling codes for unlocking produce and receive those codes. Kamkar said that the device works on most vehicles and garage doors that use rolling, rather than fixed, codes.

This is the second time in the last few months that Kamkar has taken aim at the codes on garage doors. In June he released research that showed he could open any garage door that uses a fixed code in less than 10 seconds


For More info:
https://threatpost.com/gone-in-less-than-a-second/114154

Thursday, August 6, 2015

“You visit a website you are done. You are pwned,” (because of a 14-year-old Windows vulnerability). It does not matter if you use Windows Edge (in Windows 10).


Scary news, now got scarier!
Oh Yeah, Windows 10 OS too
and
the new Edge browser too.



From the article:
A Windows vulnerability in the SMB file-sharing protocol discovered 14 years ago and partially patched by Microsoft could still be abused via remote attacks.


Affects Internet Explorer running on all versions of Windows, even in the newly released Windows 10. It would be the first remote code exploit for the new operating system. It also affects Windows Edge, the researchers said


The researchers discovered that it was possible to steal the credentials remotely and impersonate users from the Internet.

The adversary waits for these automated systems to turn on and start scanning all the hosts on the network, at which point it grabs the login credentials. The attack was successful as soon as users were tricked into loading an image file in Internet Explorer.

Users are tricked into visiting a website controlled by the attackers, which then captures the user's username in plaintext and the hash of the user's password. The password can be cracked in a matter of days because it uses an obsolete hashing algorithm.

The attacker hijacks the challenge/response exchange, by waiting for someone else on the network to authenticate against any system on the network.


For More info:
http://www.darkreading.com/vulnerabilities---threats/new-smb-relay-attack-steals-user-credentials-over-internet/d/d-id/1321633

Tuesday, August 4, 2015

Windows 10 Enterprise Security Features


From the article:


  • Microsoft’s new Edge browser improves security in a variety of ways, from running in the app container sandbox to removing ActiveX controls, VBScript, toolbars and Browser Helper Objects. 
  • Windows 10 also works with hardware for palm vein prints, iris recognition and 3D facial recognition, using the Intel RealSense camera that’s being built into various notebook computers. The feature also accounts for temperature using infrared sensors, so it won’t be fooled by photos and masks.
  • You’ll also need to plan ahead to use Windows Passport, the Fast Identity Online (FIDO) -compliant next-generation credentials in Windows 10. These can be certificates distributed using an existing Public Key Infrastructure or key pairs generated by Windows itself, and they’re stored securely in the TPM, and unlocked using biometrics or a PIN (or a picture password).
  • When content comes from those locations, the network knows where it comes from and we can say let's go ahead and encrypt that at the file level.”


For more info:
http://www.csoonline.com/article/2955303/operating-system-security/how-to-get-the-most-out-of-windows-10-enterprise-security-features.html#tk.rss_dataprotection

SANS reading room - Pivoting for Web App Pentest


Nice and simple document.


From the Doc:

There are many channels that can be used as avenues for pivoting.
This paper examines five commonly used channels for pivoting: Netcat relays, SSH local port forwarding, SSH dynamic port forwarding (SOCKS proxy), Meterpreter session and Ncat HTTP proxy.


For more info:

Fun Read - 20 new/improved features in Windows 10


A few interesting ones below:

  • Windows 10 can use your face or your iris to log you on to your PC
  • Includes a new app to help you get your phone set up to work with your PC and with any Microsoft services you use
  • If there's an update that will need a restart you can have Windows ask when you want to schedule that for
  • If you need to arrange a lot of windows and you don't have multiple monitors, you can put them on multiple virtual desktops


For more info:
http://www.techradar.com/us/news/software/operating-systems/10-great-new-features-in-windows-10-1267365

Monday, August 3, 2015

Watchout - Fake Windows 10 Upgrade (phishing) mail carries Ransomware


Anyone surprised?

Every time there is popular news (it need not be good news; it can be bad news like a hurricane), there is always a surge in spam/phishing emails trying to get you.


From the Article:

Researchers at Cisco TALOS said on Friday they spotted spam carrying an archived attachment from an email address in Thailand spoofing update at Microsoft[.]com. Users who download and execute the files inside the zip archive are hit by the CTB-Locker brand of ransomware. 

CTB-Locker behaves like most strains of crypto-ransomware; it’s spread via email, exploit kits or drive-by downloads, encrypts documents stored on the computers and demands a ransom paid in Bitcoin in exchange for the encryption key. This campaign gives users a 96-hour window to deliver payment, which is shorter than other campaigns making use of CTB-Locker.

For More info:
https://threatpost.com/windows-10-upgrade-spam-carries-ctb-locker-ransomware/114114

Thursday, July 30, 2015

Expert v/s Non-Expert Advice to stay safe online - In one single graph





A picture is worth a thousand words

For More Information:

TOR needs a fix - New vulnerability can help attacker to ID the website and servers the user is accessing



I hope they fix it soon.


From the Article:

An attacker can figure out which dark web site a user is trying to access by passively monitoring Tor traffic, and even reveal the identity of servers hosting sites on the Tor network.

The attack doesn’t require the decryption of any traffic—only that it be monitored —and the exploit only requires control of a node where users enter the Tor network. 


When you use Tor, your connection gets encrypted and routed through three hops which form a path called a “circuit.” A circuit starts with an entry point called a “guard,” before going back into the regular internet via what are called “exit nodes.” The guard sees your IP address, and the exit node sees where the traffic’s going.

Without controlling an exit node, 88 percent of the time, the researchers were also able to identify which hidden service the user was trying to access.


For More info:
http://motherboard.vice.com/en_uk/read/researchers-unveiled-a-new-serious-vulnerability-in-tor

Wednesday, July 29, 2015

HammerToss Espionage Tool - Using Twitter + Steganography


Hackers always amaze me; their ability to adapt and innovate is unbelievable.


From the article:

Once APT29 has access to a target network and deems it worthy, it deploys Hammertoss, which communicates through URLs seeded in social media accounts—Twitter in particular—and makes use of steganography in images stored on GitHub or compromised websites to retrieve encrypted instructions.

“It’s unique in its ability to lay low, and thwart defenses.”

“When you look at the flow, from Twitter to GitHub to cloud storage, from a defender’s perspective, that’s not going to look malicious,” said Jordan Berry, threat intelligence analyst at FireEye.

“In this case, there’s no compromised infrastructure to look for and block because they created their own workaround.”



For more info:
https://threatpost.com/new-hammertoss-espionage-tool-tied-to-miniduke-gang/113996

Tuesday, July 28, 2015

Good Article on PKI Trust Models




A Good document on PKI Trust Model from SANS Reading Room

LINK:
https://www.sans.org/reading-room/whitepapers/vpns/pki-trust-models-trust-36112


Oh! Now we have "malicious" text messages, and they can affect 950 million Android phones.


One thing common these days, whether it is about data breaches, Jeeps or devices, is that they affect millions (users, devices, automobiles).


From the article:

The vulnerability resides in "Stagefright," an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. 

All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss

For more info:

Friday, July 24, 2015

"Homograph spoofing" - ???




Techniques in which the attackers purchase domains and create emails that are similar to the victim and their correspondent. In some cases, the emails may differ by only one letter.


This article is about how Nigerian scammers work.
Interesting to find out how thorough their planning and execution are.
It is not easy.


From the article:


To select their victims, the group of fraudsters peruses sites such as Alibaba in an effort to identify potential victims who reside in countries in which they already have existing bank accounts

The scammers also tend to target users who have registered accounts with free email providers, such as Yahoo!, Google and Hotmail.

Once a victim has been chosen, the fraudsters must figure out a way to deliver to them remote access tools (RATs) and other exploits.
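The one-letter-off domains described in this post, and the "check that the gateway's anti-spoofing works" advice from the CEO-fraud post above, can both be surfaced at mail triage time. Below is an added example, not code from either article: it reads the gateway's Authentication-Results header (SPF/DKIM/DMARC results) and compares the From domain against a trusted-domain list by edit distance; TRUSTED_DOMAINS and the three sample messages are constructed for the demo.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed allow-list: domains we expect payment instructions to come from.
TRUSTED_DOMAINS = {"example-corp.com", "scoular-partner.example"}

# Results stamped by the gateway, e.g. "spf=fail ...; dkim=pass ...; dmarc=fail ..."
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I)


def auth_results(msg):
    """Map mechanism -> result from the Authentication-Results header.
    An empty dict means the gateway's anti-spoofing checks left no trace."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(header)}


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 usually means a deliberate lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain that `domain` imitates, or None.
    An exact match is legitimate, not a lookalike."""
    if domain in trusted or not domain:
        return None
    closest = min(trusted, key=lambda t: edit_distance(domain, t))
    return closest if edit_distance(domain, closest) <= max_dist else None


def triage(raw_message):
    """Return human-readable findings for one raw RFC 822 message.
    An empty list means nothing in these two checks looked wrong."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    results = auth_results(msg)
    if not results:
        findings.append("no Authentication-Results header: gateway anti-spoofing did not run")
    for mech in ("spf", "dkim", "dmarc"):
        if mech in results and results[mech] != "pass":
            findings.append(f"{mech} {results[mech]} for sender domain {domain}")
    if domain in TRUSTED_DOMAINS and results.get("dmarc") != "pass":
        findings.append(f"claims trusted domain {domain} but DMARC did not pass")
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} is a lookalike of {imitated}")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """From: "The CEO" <ceo@example-corp.com>
To: controller@example-corp.com
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none; dmarc=fail header.from=example-corp.com

Please wire the funds for the deal today.
"""

LOOKALIKE = """From: "Ted" <ted@examp1e-corp.com>
To: helpdesk@example-corp.com
Subject: Password reset
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=pass header.d=examp1e-corp.com; dmarc=pass header.from=examp1e-corp.com

It's Ted. I need my password reset immediately.
"""

LEGITIMATE = """From: "Accounts" <ap@example-corp.com>
To: controller@example-corp.com
Subject: Invoice 1042
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com

Attached for approval.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legitimate", LEGITIMATE)):
        print(name, triage(raw))
```

Note that the lookalike sample passes SPF, DKIM and DMARC, because the fraudster controls that domain; gateway checks alone cannot catch it, which is why the out-of-band validation step still matters.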



For more details:
http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-four-cs-of-a-nigerian-payment-diversion-scam/

Smartwatches - Not so-smart when it comes to security


No surprise here; the vendors are in the business of selling watches, so why bother about security?



From the article:

“We found that smartwatch communications are easily intercepted in 90 percent of cases, and 70 percent of watch firmware is transmitted without encryption,” 


All of the watches that HP evaluated collected personal data in the form of names, addresses, birth dates, weight, gender and heart rate. Yet not one of them had adequate controls in place for ensuring the privacy and security of the collected data either while on the device or in transit.

For instance, every smartwatch that HP tested was paired with a mobile interface that lacked two-factor authentication. None of the interfaces had the ability to lock out accounts after multiple failed login attempts. A significant 40 percent of the tested products used weak ciphers at the transport layer while a full 70 percent had firmware related insecurities.


For more details:
http://www.darkreading.com/endpoint/smartwatches-could-become-new-frontier-for-cyber-attackers/d/d-id/1321452

Thursday, July 23, 2015

Did you know - A famous Computer company was formed by Two Housewives



Late 70s - Vector Graphic (rings a bell ???)

One sad thing is that the management did not listen to the design engineer.


From the Article:

Lore Harp and Carole Ely started Vector with $6,000 in capital.

In April 1977, when the Vector 1 and Apple II both launched at the West Coast Computer Faire.



More info here:
http://www.fastcompany.com/3047428/how-two-bored-1970s-housewives-helped-create-the-pc-industry

I did not know this - Windows "Disk Cleanup" now includes option to remove outdated Windows Update




IMPORTANT:
Search for "Disk Cleanup" and make sure you choose "Run as administrator".


Something new to learn everyday.

Some use "CCleaner", but this one is part of the OS and gets a nice upgrade.



Details on How to do it:
http://blogs.technet.com/b/askpfeplat/archive/2013/10/07/breaking-news-reduce-the-size-of-the-winsxs-directory-and-free-up-disk-space-with-a-new-update-for-windows-7-sp1-clients.aspx

Monday, July 20, 2015

Screen Recording tool in Windows 10



Nice to know


Hit the Windows key and G, and a popup will appear asking if you would like to open Game bar -- there are no Yes and No buttons, but check the 'Yes, this is a game' box (you will have to do this the first time you access the screen recorder in any application).


For More info:
http://betanews.com/2015/07/19/windows-10-secret-screen-recording-tool/

Workaround for a Critical Vulnerability in Windows - CVE-2015-2426



OpenType Font Driver Vulnerability - CVE-2015-2426
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.



Workarounds
The following workarounds may be helpful in your situation:


Follow this link to implement the workaround:
https://technet.microsoft.com/library/security/MS15-078

How-To: Use Autoruns and Sigcheck with VirusTotal



We know SysInternals has a wonderful set of free tools.

The following two links show how to use two of them along with VirusTotal 



Autoruns:
Shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. 


Sigcheck:
Shows file version number, timestamp information, and digital signature details, including certificate chains




How-To links from SANS:


Wednesday, July 15, 2015

Shared credentials - The Inconvenient Truth



"Credential Sharing" is one thing that really scares IT Security folks.
Even though privilege account monitoring has been around for some time, it has not been widely adopted.

Hopefully, multi-factor authentication should provide some solace.


From the article 

  1. Conducted among 200 of these (IT) decision-makers, the survey found that 52 percent of US-based IT employees shared credentials with contractors.
  2. 74 percent of those surveyed in the US reported that their organization needed to do a better job monitoring who is accessing data.
  3. 62 percent believe their organization has too many privileged users


For more info:

Tuesday, July 14, 2015

Free tool to keep up with the everlasting patch cycles (for home users)

We have seen a non-stop release of Adobe patches. Now we have Microsoft and Oracle releasing patches.


How do we keep up with them?

I use free software called "PatchMyPC.exe".
The good news is that this is a stand-alone EXE and it does a decent job.

This tool allows software to be exempted from patching.

I normally exclude Chrome, Firefox and Malwarebytes (as they can be updated from within the App).

It is not a perfect solution, but it can list a range of products for which a patch is available and will patch them for you.

One downside is that it sometimes downloads the entire package and re-installs (instead of just the updates)


I generally run this every alternate day just to know what tools have new updates/patches.


Give it a shot.




You can get it from:
https://patchmypc.net/download

Quad-core phones better than Octa-Core?



This is common knowledge for those who have followed server technology: adding more processors does not mean an increase in performance.


From the article:

As cores shut off, overall performance rises, particularly at the dual-core mode. With most of the chip offline, performance jumps. One potential conclusion that would explain these results is that applications are poorly threaded, which prevents them from taking advantage of higher core counts. But the fact that performance increases at the two core mark suggests something more fundamental at work — the chips in question are hitting their thermal trip points unless more cores are shut down.

As things stand, there are some benefits to quad-core devices and virtually no gains from octa-core. In a few cases, moving to more cores actually makes things worse.


For more info: