fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Will Disable Basic Auth In Exchange Online in October 2022

Microsoft Will Disable Basic Auth In Exchange Online in October 2022

Microsoft announced that Basic Authentication will be turned off for all protocols in all tenants starting October 1st, 2022, to protect millions of Exchange Online users.

This announcement comes after the company postponed the removal of Basic Authentication from Exchange Online until the second half of 2021 because of the COVID-19 pandemic.

“Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage (with the exception of SMTP Auth, which can still be re-enabled after that),” the Exchange Online Team said earlier this week.

Microsoft already began disabling basic auth in June for tenants who weren’t using it and also explained how customers could re-enable protocols inadvertently affected.

Also Read: Digital Transformation – Do Or Die in 2020

To disable Basic Authentication in Exchange Online before Microsoft fully decommissions it, you need to create and assign auth policies to individual users using the steps detailed on the Exchange Online support website.

“Disabling Basic Authentication and requiring Modern Authentication with MFA is one of the best things you can do to improve the security of data in your tenant, and that has to be a good thing,” Microsoft said two years ago when it revealed modern auth will be enforced across Exchange Online tenants.

“The last thing to make clear – this change only affects Exchange Online, we are not changing anything in the Exchange Server on-premises products.”

Why is basic auth being disabled?

While Microsoft did not provide the exact reason why they decided to make this announcement this week, the cause is likely a Guardicore report that revealed how hundreds of thousands of Windows domain credentials were leaked in plain text by misconfigured email clients using basic auth.

Amit Serper, Guardicore’s AVP of Security Research who authored the report, also disclosed an attack called the ‘The ol’ switcheroo’ that forces an Exchange client to negotiate in basic authentication.

You’re welcome. pic.twitter.com/9JwhCfa8IF— Amit Serper (@0xAmit) September 24, 2021

Basic Authentication (also known as proxy authentication) is an HTTP-based authentication scheme through which apps send credentials with every connection request made to servers, endpoints, or online services, with the username/password pairs often stored locally on the device.

While it dramatically simplifies the authentication process, basic auth also makes it easier for attackers to steal the credentials when the connections are not secured using the Transport Layer Security (TLS) cryptographic protocol.

Also Read: The Importance of Penetration Testing for Businesses

To make things even worse, enabling multi-factor authentication (MFA) is not easy when using basic auth; therefore, it often isn’t used at all.

Modern Authentication (Active Directory Authentication Library (ADAL) and OAuth 2.0 token-based authentication) allows apps to use OAuth access tokens with a limited lifetime and can’t be re-used to authenticate on other resources besides those that they were issued for.

After modern auth is toggled on, enabling and enforcing MFA will become more straightforward, with improved data security in Exchange Online as a direct and immediate result.

A demo video on adding MFA to Exchange Online/on-premises mailboxes is available on the Microsoft Ignite YouTube account.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us