Simply Secure – Microsoft Outlook Changes

Microsoft Office 365
Outlook Authentication Changes

I’m Really Busy, what do I need to know

If you use Microsoft Office products, specifically Outlook, and have a Microsoft based email account, and you are not running a supported Office version, you will need to upgrade. This is due to upcoming changes to Microsoft authentication.

Generally speaking the following versions of Outlook lose login ability to email services on or about October 1, 2022 :

  • Microsoft Office for Windows/Outlook 2007
  • Microsoft Office for Windows/Outlook 2010
  • Microsoft Office for Windows/Outlook 2013
  • Any version of Microsoft Office for Mac below 2016

Affected users:

  • Hotmail accounts (john.doe@hotmail.com)
  • outlook.com accounts (john.doe@outlook.com)
  • Microsoft 365 Personal, Family and Business

Questions? Contact us.


additional Background

For many years, applications have used Basic authentication to connect to servers, services, and API endpoints. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services, and is simple to set up.

Simplicity isn’t at all bad, but Basic authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services. Furthermore, the enforcement of multi-factor authentication (MFA) is not simple or in some cases, possible when Basic authentication remains enabled.

Basic authentication is an outdated industry standard. Microsoft actively recommends that customers adopt security strategies such as Zero Trust (Never Trust, Always Verify), or apply real-time assessment policies when users and devices access corporate information. These alternatives allow for intelligent decisions about who is trying to access what from where on which device rather than simply trusting an authentication credential that could be a bad actor impersonating a user.


What’s Changing

Microsoft is removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.

They are also disabling SMTP AUTH in all tenants in which it’s not being used.

This decision requires customers to move from apps that use basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they are issued, so they cannot be reused. Enabling and enforcing multi-factor authentication (MFA) is also simple with Modern authentication.


When does the change occur

Microsoft has already started making this change. New Microsoft 365 tenants are created with Basic authentication turned off as they have Security defaults enabled.

Beginning in early 2021, Microsoft started to disable Basic authentication for existing tenants with no reported usage.

In September 2021, Microsoft announced that effective October 1, 2022, they will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. 

On September 1, 2022, Microsoft also announced there will be one final opportunity to postpone this change. Tenants will be allowed to re-enable a protocol once between October 1, 2022 and December 31, 2022. Any protocol exceptions or re-enabled protocols will be turned off early in January 2023, with no possibility of further use. 


References

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

Simply Secure – Computer Backups

backups

Disclaimer: We are not paid or compensated by any vendor for any product(s) or services listed. If you don’t like our recommendation(s), no need to send us your grievances! Paint the sky with rainbows and use whatever meets your needs!

Backblaze has released their 2022 survey, The State of Backups and the results are not particularly surprising. Generally speaking, our experience is that clients don’t assign value to critical data until it’s gone — and of course at that point, its to late. Without lecturing about the importance of data backup, some stats from the user survey:

  • 67% of users report they have accidentally deleted files
  • 54% of users report they have lost data
  • 53% of users report they were victims of a security incident
  • 48% of users report they had a hard drive crash
  • 44% of users report they lost access to data stored on an external or cloud drive

Simply Secure – Social Engineering

social engineering

Disclaimer: We are not paid or compensated by any vendor for any product(s) or services listed. If you don’t like our recommendation(s), no need to send us your grievances! Paint the sky with rainbows and use whatever meets your needs!

Social engineering is a technique hackers use to gain access to information they wouldn’t be able to access otherwise. These hackers manipulate people into giving up confidential information by pretending to be someone trustworthy, such as an HR representative or another employee. They do this by using personal details about you, your colleagues, or the company to get you to give them private information. Social engineering works because most people trust other people— especially those who seem like they belong somewhere. Sadly, social engineering remains one of the most successful hacker attacks. Let’s see why and how you can protect yourself from the scammers.

What Is Social Engineering and How Does it Work?

Social engineering is the use of psychological tricks to manipulate people into giving up confidential information. A scammer might pretend to be from IT and say the company’s network is down to get you to provide login credentials to your computer or the company’s network. Or, a scammer could pose as a vendor who needs you to wire them money for a product or service that doesn’t exist. The scammers use personal details about you, your colleagues, or the company to get you to give them private information. For example, a scammer might call and say she’s an HR representative and ask you to verify a new hire’s information. Or, a scammer might email you and say there’s a problem with your W-2 form and ask you to verify your tax information.

Why is Social Engineering So Successful?

Social engineering is so successful because people are naturally helpful. We want to be the good guy and help out whoever asks for it. Unfortunately, it just so happens that these scammers are experts in taking advantage of people’s kindness. They know how to ask for your help without coming off as creepy or suspicious. While it’s great to be helpful, you need to be careful how you show it. That’s because if you give a scammer confidential information, they can use it to cause real damage to you or other people. For example, if you give a scammer your login credentials, they can use it to log into your computer and access your information.

Don’t Use the Same password for everything

While it’s impossible to remember all of your different passwords, you shouldn’t use the same password for everything. If one of your accounts gets hacked, the hacker could easily access all of your other accounts. Because social engineers can pretend to be from almost any department or company, you can’t assume your normal login and password are enough to protect your account. Say you receive an email from your company’s HR department about your W-2 form. An impostor might send you an email with a link to a fake site where you’re asked for your W-2 information. If you have the same password for both accounts, one hacked account gives the hacker access to all of your accounts.

Be Careful When You Give Out Your Company’s Info

You may think you’re being helpful when you verify an impostor’s information. Unfortunately, you could be giving away confidential information that puts you and your company at risk. For example, the scammers could pretend to be a vendor you’re working with. They could ask you to confirm the company’s name and other details. Once you confirm their details, the scammers now know exactly how your company operates. They can use this information to launch another attack in the future.

Bottom line

The best way to protect yourself from social engineering is to be aware of what’s happening. You can’t prevent scams if you don’t know about them. Plus, it’s easy to avoid falling for a scam if you know what to look for. If you get an email or phone call from someone asking for your confidential information, question it. Don’t give out information unless you’re 100% sure it’s legitimate. If you get a call or email from someone asking for your information, don’t act quickly. Think about how they got your information. If you can’t figure it out, don’t give out any information. For example, a scammer might say he’s from your accounting department and wants to confirm your W-2 form. The scammer might say he accidentally sent it to your email instead of your accounting department. Don’t fall for it. Your accountant would never contact you directly. Plus, they’d know the correct email address.

Simply Secure – Browsers

browser

Disclaimer: We are not paid or compensated by any vendor for any product(s) or services listed. If you don’t like our recommendation(s), no need to send us your grievances! Paint the sky with rainbows and use whatever meets your needs!

  • If you don’t care about privacy
  • If you care a little bit about privacy
  • If privacy is really important to you
    • Tor
      • Please note, use of Tor is typically flagged by the NSA
    • LibreWolf
  • Browser extensions we like
  • Search engines we like
  • Recommended browser configuration settings
    • Enable automatic updates
    • Disable unused add-ons
    • Block 3rd party cookies
    • Uninstall Flash
    • Clear history frequently
    • Clear cookies frequently
    • Disable location tracking
    • Disable sensor tracking
    • Disable camera/microphone access
    • Disable Autofill
    • Disable automatic password save
    • Disable pop-up notification
      • Do NOT click on a pop-up unless you are sure what it is
    • Ask before running Javascript
    • Use Incognito/Private mode