Company representatives comment on latest vulnerabilities and security breaches
Microsoft has released their patches for the month of June
Adam Nowak, Rapid7 Active Lead Engineer at Rapid7: "June continues an ongoing trend with Microsoft’s products where the majority of bulletins (7) address remote code execution (RCE) with elevation of privilege as a close second (6); the three remaining bulletins address information disclosure (2) and denial of service. All critical bulletins are remote code execution vulnerabilities affecting a variety of products and platforms including Edge, Internet Explorer, Microsoft Office, Office Services and Web Apps as well as Windows (client and server). However, this month is missing resolutions for Adobe Flash issues; Adobe has recognised CVE-2016-4171 as being exploited in the wild (APSA16-03) but no solution is presently available. Looking back at the last year of security bulletins, a resounding trend has emerged, and continues to be prominent; the majority of these bulletins address RCE. While Microsoft continues actively working on resolving these issues as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors, consumers/end-users. This month Microsoft resolves 36 vulnerabilities across 16 bulletins with MS16-063, MS16-068, MS16-069, MS16-070 and MS16-080 as the bulletins to watch out for. Fortunately at this time, no vulnerabilities are known to have been exploited in the wild. However, one vulnerability from MS-068 is known to be publicly disclosed: CVE-2016-3222. Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch your systems as quickly as possible.
Administrators, be sure to review this month’s bulletins and in accordance with your specific configuration, prioritise your deployment of this month’s updates. At a minimum, ensure to patch systems affected by critical bulletins (MS16-063, MS16-068, MS16-069, MS16-070 and MS16-071)."
News that a hacker put 51 million file-sharing accounts for sale on the dark web
Comment from Tod Beardsley, Security Research Manager at Rapid7: The iMesh breach from 2013 contains the usual bad passwords made familiar from many similar breaches over the years, such as "123456," "password," and "qwerty," as well as site-specific passwords of "bearshare" and "music." These common passwords imply that many of the user accounts associated with the service were throwaway accounts, where the users did not consider their accounts to be all that valuable. Most people have about three to five passwords they reflexively choose for online services: one or two "personal" passwords for email and social media, an "important" password used for banking and finances, a "work" password for job or school, and a "throwaway" password such as the ones seen in the iMesh breach. So, when compared to the LinkedIn corpus of credentials released in May, the iMesh corpus of passwords is not only smaller -- 15 million versus the LinkedIn set of over 167 million -- but of lower value to both attackers and researchers. The one feature of the iMesh credential set that may be interesting to researchers is the inclusion of user IP addresses, along with usernames and passwords. IP addresses can be used to geolocate users, so a line of research to find out where in the world usernames and throwaway passwords are more popular might be academically interesting. However, trading in large sets of compromised credentials is legally touchy in most jurisdictions, even when those data sets are publicly available, so researchers should be cautious and seek legal advice before acquiring the data dumps for academic purposes.
Russian seller, who goes by the name Tessa88, claimed in an encrypted chat on Tuesday to have obtained Twitter's database, which includes email addresses, usernames and plain-text passwords
Comment from Tod Beardsley, Security Research Manager at Rapid7: While the credentials themselves appear to be real, the details provided by LeakedSource indicate that the usernames and passwords are sourced from end users rather than from Twitter itself. Specifically, it appears that the credentials were harvested from individual browsers' password stores, which is troubling. We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password, or LastPass. It's just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls.