End of Basic Authentication
After many years of applications using Basic authentication to connect to servers, services, and API endpoints, it will be coming to an end in Exchange Online.
Basic authentication means the application sends a username and password with every request, and those credentials are often stored or saved on the device. Traditionally, this type of authentication is enabled by default on most servers or services, and is simple to set up. However, this also makes it easier for attackers to capture user credentials, increasing the risk of stolen credentials being reused against other endpoints or services. Plus, multifactor authentication, or MFA, may not be easily enforced or even possible where Basic authentication remains enabled.
Because Basic authentication is an outdated industry standard, Microsoft is recommending customers adopt security strategies like Zero Trust and/or apply real-time assessment policies when users and devices access corporate information. Even so, with threats and risks in mind, Microsoft is taking steps to improve data security in Exchange Online and will be removing the ability to use Basic authentication in Exchange Online across several services. This will require customers to move from apps that use Basic authentication to apps using Modern authentication. Modern authentication is OAuth 2.0 token-based authentication, with many benefits and improvements over Basic authentication, and it also allows simple enablement and enforcement of MFA.
Changes are already being made, and disablement will begin October 1, 2022. To learn more about if and how your users may be affected by this announcement, visit here for all details.
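To make the difference concrete, the following added example (not from Microsoft or from the original article) audits a handful of constructed request headers and shows that every Basic request carries a password anyone who captures it can decode, while a token-based request does not. The client names, the account and the header values are made-up sample data.

```python
import base64
import binascii

# Constructed sample data (not real traffic): (client name, Authorization header).
_BASIC = "Basic " + base64.b64encode(b"alice@example.com:constructed-password").decode()
SAMPLE_REQUESTS = [
    ("legacy-imap-client", _BASIC),  # the same secret is re-sent on each request
    ("legacy-imap-client", _BASIC),
    ("modern-mail-app", "Bearer constructed.access.token"),
    ("broken-client", "Basic not*base64"),
]

def classify(header):
    """Return (scheme, username or None, password_exposed) for one header."""
    scheme, _, value = header.partition(" ")
    scheme = scheme.lower()
    if scheme != "basic":
        return scheme, None, False  # e.g. a bearer token: no password on the wire
    try:
        # Basic is only base64("user:password"): encoding, not encryption.
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "basic-malformed", None, False
    username, sep, password = decoded.partition(":")
    return "basic", username, bool(sep and password)

def audit(requests):
    """Count, per client, how many requests carried a recoverable password."""
    findings = {}
    for client, header in requests:
        _scheme, username, exposed = classify(header)
        if exposed:
            entry = findings.setdefault(client, {"user": username, "exposures": 0})
            entry["exposures"] += 1
    return findings

if __name__ == "__main__":
    for client, info in audit(SAMPLE_REQUESTS).items():
        print(f"{client}: password for {info['user']} sent in "
              f"{info['exposures']} request(s); move this client to Modern authentication")
```

The report deliberately prints only the account name and a count, never the decoded password, so the audit output does not become another place the credential is stored.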
3G Shutdown
All major US 3G networks are scheduled to shut down this year, which could affect your phone, your home alarm system, or even your car. The FCC has an official page listing shutdown time frames by carrier, but most carriers say they will contact you by phone or postcard if the shutdown will affect you.
About 9% of wireless connections remaining in the US are 2G or 3G, including phones, tablets, home alarm systems, medical alert devices, cars, and other machinery. Most smartphones that launched after 2014, and flip phones that launched after 2017, should continue to work without failure. However, gray-market devices that weren’t designed for US networks will be getting cut off and may suddenly stop working. If your phone doesn’t say “4G LTE” or “5G” in its status bar when Wi-Fi is off, there is a good chance it is a 3G phone and may no longer work. The shutdown will also affect other devices: older Kindle ebook readers and some smartwatches, for example, will become Wi-Fi only. The situation will be more complicated when it comes to the home alarm system industry as well as car features like remote start, remote location, integrated navigation, and other services.
The shutdown is coming for many reasons, chiefly because 3G networks are old and their computing power is much less efficient than that of 4G or 5G. To learn more about the shutdown, if it will affect you, and how you can prepare, visit here for more details.
Luna Moth
Researchers at security vendor Sygnia recently documented a series of phishing attacks by a ransom group they’ve named “Luna Moth”. The cybercriminal gang uses a sophisticated mix of phishing, vishing, remote support sessions, and remote access trojans to gain control of victim endpoints.
Luna Moth focuses on exfiltrating data and extorting a ransom from the victim, with threats of publishing the data. The attacks use a few different methods to get the attention of and throw off the potential victim. The scam is built around fake Duolingo or MasterClass subscriptions, and it starts with an email sent to the victim. The email will have a phish-y from address, and its content assumes the victim has signed up for a subscription, providing an invoice that includes a phone number to call to dispute the invoice.
If the victim calls, they will be directed to join a Zoho remote support session and eventually tricked into downloading and installing a legitimate remote administration tool, giving the threat actor access. While there are many red flags to this scam, unsuspecting victims can still fall for it.
To learn more about the recent attacks, and the importance of security awareness training for this and other similar situations, visit here for details.