Privacy Ninja

Microsoft Warns Exchange Online Basic Auth will be Disabled

Microsoft warned customers today that it will start disabling Basic Authentication in random tenants worldwide on October 1, 2022.

This reminder follows the company's September 2021 announcement of the October 1, 2022 date and comes after Microsoft observed that many customers still have not moved their clients and apps to Modern Authentication.

Basic Authentication (also known as proxy authentication) is an HTTP-based authentication scheme in which an application sends the locally stored username and password with every request. The credential is only base64-encoded, not encrypted, so anyone who can read the connection recovers it directly.

This means an attacker who can intercept or terminate the TLS session (a rogue proxy, or a misconfigured client that accepts untrusted certificates) captures the password outright, and because the same reusable password is presented on every connection, Basic Auth endpoints are the natural target for password spray attacks. Attackers can likewise steal the clear text credentials from apps that use Basic Auth through information-stealing malware and social engineering.
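As an added illustration (this is not code from the article), the PowerShell below parses a constructed HTTP request that carries a Basic Authorization header and recovers the credential without any key. The host, user name and password are made-up sample values.

```powershell
# Added example, not from the article: a Basic Authorization header carries the
# credential in reversible form. The request is constructed sample traffic,
# not a real capture; the user name and password are invented.
$capturedRequest = @"
GET /EWS/Exchange.asmx HTTP/1.1
Host: outlook.office365.com
Authorization: Basic Y29udG9zb1xqLmRvZTpQQHNzdzByZCEyMDIy
User-Agent: ExampleLegacyClient/1.0
"@

function ConvertFrom-BasicAuthHeader {
    param([Parameter(Mandatory)][string]$RawRequest)

    # Locate the Authorization header; only the Basic scheme is handled here.
    $line = $RawRequest -split '\r?\n' |
        Where-Object { $_ -match '^Authorization:\s*Basic\s+(\S+)' } |
        Select-Object -First 1
    if (-not $line) { return $null }

    $encoded = ($line -replace '^Authorization:\s*Basic\s+', '').Trim()
    # Base64 is an encoding, not encryption: no key is needed to reverse it.
    $decoded = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encoded))

    # RFC 7617 format is user-id ":" password. Passwords may contain colons,
    # so split only on the first one.
    $sep = $decoded.IndexOf(':')
    if ($sep -lt 0) { return $null }
    [pscustomobject]@{
        User     = $decoded.Substring(0, $sep)
        Password = $decoded.Substring($sep + 1)
    }
}

ConvertFrom-BasicAuthHeader -RawRequest $capturedRequest
```

Running it prints the user `contoso\j.doe` and the password `P@ssw0rd!2022`. That is exactly what an interception point, or the outbound request of a misconfigured client, exposes: a long-lived, replayable password rather than a scoped, expiring token.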

Modern Authentication (the Active Directory Authentication Library and OAuth 2.0 token-based authentication) instead authenticates with OAuth access tokens that have a limited lifetime and are bound to the resource they were issued for, so a stolen token cannot be replayed against other resources and expires on its own, unlike a password.

Worse still, Basic Auth has no way to carry a second factor: the client sends only a username and password, so multi-factor authentication (MFA) cannot be enforced on those connections and is often not used at all for them.

Once Modern Auth is in use, MFA can be enabled and enforced as part of the token issuance flow, which immediately improves the security of Exchange Online sign-ins.

“As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing,” the Exchange team said.

“We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.”

Microsoft will disable Basic Auth for the MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell protocols.

SMTP AUTH has already been disabled on millions of tenants that weren't using it, and Microsoft will not disable it where it is still in use. Tenants that still rely on it should therefore plan to turn it off themselves once their sending applications have moved, rather than waiting for Microsoft to do so.

To be clear, we will start on October 1; this is not the date we turn it off for everyone. We will randomly select tenants, send 7-day warning Message Center posts (and post Service Health Dashboard notices), then we will turn off Basic Auth in the tenant. We expect to complete this by the end of this year. You should therefore be ready by October 1. – The Exchange Team

Why is Microsoft deprecating basic auth?

There are many reasons why Redmond’s switch to Exchange Online modern authentication in all tenants is the right one, some of them already detailed above.

However, a Guardicore report from September 2021 further highlights the importance of pushing as many Exchange Online users away from basic auth as possible.

Amit Serper, at the time Guardicore's AVP of Security Research, showed how hundreds of thousands of Windows domain credentials were leaked in plain text to external domains by misconfigured email clients whose Autodiscover lookups fell back to domains outside the organisation and then authenticated to them with basic auth.

To disable Exchange Online Basic Auth before Microsoft decommissions it in your tenant, create an authentication policy that blocks Basic Auth and assign it to individual users (or set it as the tenant default), following the procedure detailed on the Exchange Online support website.

“There is no way to request an exception after October. Tenant selection is random, and we cannot put your tenant to the back of the queue to give you more time or change your settings on any specific date,” the Exchange team warned.

“If you want Basic Auth to be disabled at a time of your choosing (either now, or as soon as you are ready), use Authentication Policies.”

You can find more info on how to prepare for October’s Basic Auth deprecation and the best way to disable Basic Auth beforehand in the blog post published by The Exchange Team today.
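The following is an added worked example of that procedure in Exchange Online PowerShell; it is not the article's or Microsoft's own code. It assumes the ExchangeOnlineManagement module is installed and that the account used has Exchange administrator rights. The policy name, the admin account and the pilot user are placeholders. It also covers SMTP AUTH, which authentication policies do not control, because Microsoft leaves that protocol enabled wherever it is in use.

```powershell
# Added example, not code from the article or from Microsoft: block Basic Auth
# in an Exchange Online tenant with an authentication policy, ahead of the
# random-selection switch-off. Names and accounts below are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# A new policy with none of the -AllowBasicAuth* switches blocks Basic Auth
# for every protocol (EWS, MAPI, RPC, OAB, POP, IMAP, ActiveSync, Remote PowerShell).
$policyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Pilot: assign it to one user first, then force it to take effect now instead
# of waiting for the cached sign-in to refresh (Microsoft documents a delay of
# up to 24 hours otherwise).
$pilotUser = 'j.doe@contoso.com'
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName
Set-User -Identity $pilotUser -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

# Roll out: make it the tenant default so every mailbox without an explicit
# per-user policy is covered, including mailboxes created later.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Check: list users that carry a per-user policy other than the blocking one.
# Each is an exception that should be reviewed and retired, not silently kept.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and "$($_.AuthenticationPolicy)" -ne $policyName } |
    Select-Object UserPrincipalName, AuthenticationPolicy

# SMTP AUTH is governed separately from authentication policies. Disable it
# tenant-wide once sending applications have moved, and re-enable it per
# mailbox only where a device genuinely cannot do anything else.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity 'scanner@contoso.com' -SmtpClientAuthenticationDisabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

The order matters: pilot with a single user and confirm that its clients still sign in with Modern Auth before setting the tenant default, because the default applies to every mailbox that has no explicit policy. Keeping the per-user exception list empty is what makes the tenant's state easy to reason about when Microsoft's own switch-off reaches it.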

Update May 0, 14:48 EDT: Corrected paragraph detailing basic auth risks.
