Defending Office 365 against MFA bypass using IMAP

So, you have deployed Office 365, you’ve setup multi-factor authentication and deployed password managers so that your users can safely use MFA where it is supported but fall back to app passwords where it’s not. Great stuff… except by default you aren’t quite as secure as you would think!

Default Office365/Exchange Online Config

Now this is great for HTTP based communication methods. but email isn’t restricted to HTTP only. When we investigate the default deployment configuration we see that IMAP and POP3 are both enabled. The below screenshot shows the default mailbox feature configuration:

Now as we know, both IMAP and POP3 do not support a second or multi-factor authentication by default, so in the GUI you should disable those (unless you have a really specific business reason that means you MUST use these) Read more “Defending Office 365 against MFA bypass using IMAP”

Using Open Source Intelligence in cool and scary ways

OSINT all the things!

I was on Twitter the other day (when am I not? 😉) and a post caught me eye, an industry friend’s post caught my eye, challenging the audience to identify their location (specifically which station they are at!), this I thought might be a cool challenge. The first post below is from Paul (Gaming Works) which gives a limited amount of information and a nice image:

Read more “Using Open Source Intelligence in cool and scary ways”

Happy Bugmass 2019! Critical vulnerability patched

We wish you a merry patchmass!

Well with the year winding down you’ve probably seen that Microsoft just released an out of band security patch:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653

CVE-2018-8653 is described as:

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”

Read more “Happy Bugmass 2019! Critical vulnerability patched”

Using Windows Hello to enable fingerprint authentication

Because typing is so 2017!

Ok, so I ordered a Kensington VeriMark fingerprint reader to see how for a few British pounds (or whatever currency you use!) you can add fingerprint authentication to a Windows desktop in minutes!

So this is being conducted with 0 reading of docs (because it’s fun to research just how simple you can a) enable security or b) mess things up when you don’t RTFM!. The next step on my uncharted journey, I plugged in the device to a spare USB port and didn’t see a failed driver installation toast, so we are looking good (note the sensor is the largest rectangle surface on the device, not the one with a cool blue LED)

Now I hit the windows key and typed finger and Win10 prompted me for the settings pane (that was lucky!) Read more “Using Windows Hello to enable fingerprint authentication”

Upgrading our file integrity monitoring solution using open source…

Protecting more than one server

Yesterday I published a quick blog which looked at what we could do an out of the box Windows server to monitor file integrity and audit/alert upon actions such as modify or deletes. This is however rather clunks and not really for business use, so next stop the open source world! Today we are going to look at OSSEC! Now before some people go mad about security and open source…. OSSEC is used in Alien Vault’s solution, is compliant with PCI and is used worldwide by loads of organisations and universities etc. Open source tools and security go hand in hand, stop with your crazy talk! Now we’ve got that rant over with let’s get onto the fun business!

OSSEC is an open source host intrusion detection solution which we can use to upgrade our auditing and alerting solution to be more feature rich and provide a centralised solution, for more info on OSSEC please visit their website – https://www.ossec.net/ Read more “Upgrading our file integrity monitoring solution using open source technologies – Part 1”

How to audit sensitive file changes using out of…

Defending critical assets

In the wake the of the British Airways breach I thought I would shed some light on a technique to help detect and alert (help respond) to events that may affect critical business processes by modifying critical or sensitive files. We are going to start with a simple scenario using out of the box tools.

Auditing Critical Files

Windows Server comes with a number of security features including object access auditing, in this post we are going to take a brief look at enabling monitoring of sensitive data files. The example we are going to use are monitoring for changed to the web.config file used my .net web applications.

To start with in our example machine, we are going to need to enable audit object access either using local policy or preferably group policy (it should be noted you need to think about log volume, collection and retention/rotation). Read more “How to audit sensitive file changes using out of the box Windows Tools”

British Airways breach

Not what you want to see when you’ve just paid for a holiday!

As reported across major news networks over the world, British Airways has suffered a data breach that not only includes customer data but also includes payment details. Details from 380,000 customers have been accessed by an unauthorised third party. More details can be found on news sites such as:

https://www.theregister.co.uk/2018/09/06/british_airways_hacked/

https://www.bbc.com/news/uk-england-london-45440850

It’s likely that attackers have compromised a web service which is linked to payment services, however no specific details have been released yet so until then we can only speculate.

In this post we look at the information reported by British Airways, guidance for customers from BA, ourselves and NCSC but also we discuss the steps business’s should be taking to ensure they have a strong security posture, especially where customer data is concerned. Read more “British Airways breach”

How to write a bad password policy!

The authentication dilemma

I’ve worked with a lot of organisations over the years and seen lots of ways of doing certain things. Policy implementation is one of those! I’m in a fortunate position where I get to see different people’s policy documents, their systemic implementations and even interview staff to see how these work on the ground. So, I thought I’d write about password policies!

Humans like to be efficient and people also struggle to deal with the huge volume of identify management and authentication solutions they are presented with. Just think, how many passwords are required in everyday life?

  • Multiple 4-digit PIN codes for debit and credit cards etc.
  • Online banking sign in credentials (more PINS)
  • Gym padlock PIN combo (usually 4 characters)
  • Passwords for home computer
  • PIN code or password for mobile phone access
  • Passwords of phrases for telephone services e.g. to access your mobile phone account services
  • Social media credentials

The list goes on and on! Then let’s add in corporate IT services….

Anyone who’s worked in an office will have seen familiar sites of the following:

  • Password on post it notes
  • Password shared with colleagues
  • Password sellotaped to keyboard (either on top or underneath)
  • Passwords shouted across the office
  • Passwords written down on white boards

Read more “How to write a bad password policy!”

Office 365 Attack Simulator Overview

Probably the most common attack vector!

Phishing is very likely the most common attack vector, in fact so common that the following stat is called out:

“a 2016 study reports that 91% of cyberattacks and the resulting data breach begin with a phishing email”

Setting up the Social Engineering toolkit or custom phishing solution takes a little time, luckily Microsoft have added in attack simulation features into Office 365! This let’s in house teams perform a range of simulated attacks in safe manner against your organisation. In this post we are going to run through the steps required to create and run a phishing attack simulation!

Read more “Office 365 Attack Simulator Overview”

Copyright (c) Xservus Limited