Posts

Can you verify Cloud App vendors ?

Evaluating cloud app vendors

After discovering that users could authorize 3rd parties to access enterprise data with just 3 clicks, we started to look at who people had actually given access to. One such 3rd party was Boomerang aka Baydinc. I remember I have seen the name before. I do not know the company, but we have a few happy users of their product.

This blog article is about how to judge whether a plugin should be allowed or not, or whether it is even possible to make this judgement. This article uses Boomerang for Outlook as an example, and looking through paranoid glasses, it would be a clear no. But that would be based on stereotypes, prejudice etc. The unbiased conclusion is that it is impossible to evaluate.

Outlook Add-In Store

In the store, it only gets a 3 star review. This might be a warning indicator. Next, looking at what permissions it needs, Microsoft clearly writes that it can access and modify personal information in THE active message. Installing it, and pres

Microsoft has been aware of the AAD/O365 vulnerability for almost 2 years.

A friend found this link, clearly showing that Microsoft has been aware of the risk of users giving consent to illicit applications since at least January 2018. https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/ They have not done much to prevent this, but have worked to create more post-mortem tools. One of the links in the article points to an article by a former cyber criminal, which has a YouTube video showing a PoC of a real-time crypto-locker working on the user's mailbox. Scary stuff. https://youtu.be/VX59Gf-Twwo

What has changed

What makes this even worse today is that the Microsoft sample code wizard makes it very easy to create the phishing website. The wizard generates passwords, and creates source code with your own AppID and password inserted. So now we are down to where this is possible with a minimum of coding skills. We also have the fact that 2 years ago, knowledge of free Let's Encrypt certificates was not so widesprea

Microsoft AzureAD and Office365 - Not secure by default

Microsoft AzureAD and Office365 - Not secure by default

Or 3 clicks and you are dead

Cloud Identity is a great thing these days. You can sign up to lots of services using your social identity from Facebook, Google, or from Microsoft. You do not have to invent new passwords (or reuse passwords used elsewhere), and you get easy Single Sign On. This has more advantages than drawbacks for by far the majority of users. The purpose of this article is to create awareness of some of the dangers.

Microsoft AzureAD - The special case

Your Microsoft company identity is just another cloud identity for most services, and in many ways it is better than some of the others. You get secure multi-factor logon, you might even get passwordless logon. Conditional Access protects your sign-in attempts even more, maybe blocking countries like China, Russia and Brazil, or doing it risk based. It all depends on how the enterprise has configured things. It is trivial to create your own web server,