Back to qualys.com
2 posts

Hackers Are Having a Field Day with Stolen Credentials

Login credentials have always been a weak link in cybersecurity’s protection chain, a situation that’s worsening. However, this trend could be reversed with a bit of effort from end users, website owners and software vendors.

2016: The Year of Stolen Credentials

Hackers made hay of the sorry state of credential security in 2016. They stole millions of username and password combinations from online services of all shapes and sizes. Blogs and discussion forums were hit particularly hard.

Exploiting credentials is an old attack vector that still works wonders for hackers. In its 2016 Data Breach Investigations Report (DBIR), Verizon added a section about credentials, revealing that 63% of data breaches involved weak, default or stolen passwords.

“This statistic drives our recommendation that this is a bar worth raising,” reads the report.

Continue reading …

Update2: Patch Tuesday July 2015

Update2: Microsoft released a critical bulletin MS15-078 for a font problem that affects all versions of Windows and allows Remote Code Execution. Microsoft credits Google’s Project Zero, Fireeye and TrendMicro. TrendMicro indicates that the vulnerability came out of the HackingTeam data breach. Google’s entry for the bug indicates that they are aware of exploit code avaliable in the wild, which explains Microsoft’s out-of-band release. Patch as quickly as possible.

Update: Oracle’s CPU July 2015 fixes the 0-day vulnerability CVE-2015-2590 in Java reported by Trend Micro. We recommend treating this patch with high priority. Note: if you think you cannot use new Java due to requirements for old versions, have you looked at Oracle’s deployment rulesets?

Original: When we started preparing internally for July’s Patch Tuesday, we debated what the biggest issue of the month would be. Two parties emerged, we were split in the middle between end-of-life of Windows Server 2003, and the mystery vulnerability MS15-058 that Microsoft did not release last month. Well, it turns out both parties were wrong: the biggest issues this month are the multiple 0-days in Adobe Flash.

Continue reading …