Securing Office 365? There's always more you can do

Wherever you look there's yet another SME or enterprise migrating to Office 365. This says a lot for the attractiveness of cloud-based office suites, and perhaps it also says something about the attractiveness of letting someone else look after one's SharePoint and Exchange servers rather than having to fight with their …

  1. Anonymous Coward

    Uses basic authentication

    Having intercepted many HTTP requests while on public wi-fi networks, every Office 365 call I see relies on HTTP basic authentication for session handling, meaning the user name + password is base64 encoded and sits there in every HTTP request. All that's preventing you from seeing it is that weird annoying popup users see saying 'your connection may be unsafe, click here to continue'... they never click on that. Having your session cookie fly over the wire is one thing - your username/password? That's another.

    Not sure if that's default configuration, but it shouldn't be in there. Maybe HSTS might be useful too to prevent users clicking through stuff.

    1. TheVogon

      Re: Uses basic authentication

      I don't know what you are seeing but I don't think it's Office 365.

      See https://technet.microsoft.com/en-us/library/dn569286.aspx

      "Office 365 encrypts your data while it's on our servers and while it's being transmitted between you and Microsoft"

      Pretty sure you can't connect at all to O365 without TLS encryption...

    2. BillG
      Facepalm

      Re: Uses basic authentication

      Having intercepted many HTTP requests while on public wi-fi networks, every office365 calls I see rely on HTTP basic authentication for session handling, meaning the user name + password is base64 encoded and sits there in every HTTP request

      @AC, in O365 username & password are most definitely encrypted. That's not O365 you are trying to hack

      1. Anonymous Coward

        Re: Uses basic authentication

        From

        https://blogs.msdn.microsoft.com/exchangedev/2013/06/28/authenticate-your-exchange-client-in-office-365/

        "Exchange Online uses basic authentication"

        From:

        https://www.httpwatch.com/httpgallery/authentication/

        Traffic looks like this:

        GET /securefiles/ HTTP/1.1
        Host: www.httpwatch.com
        Authorization: Basic aHR0cHdhdGNoOmY=

        Guess what that base64 encoded string is.

        Because it uses TLS means nothing - when you intercept TLS you get the certificate error - guess what, people click through that, which is why you need HSTS - to make all client errors fatal (i.e. you can't click through).
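The two mechanisms argued over in this sub-thread are easy to show concretely. The block below is an added example (not code from any commenter or from Microsoft): it parses a raw HTTP request like the httpwatch one quoted above and decodes the `Authorization: Basic` header back into the credentials it carries, which is why that header is only safe inside TLS, and it parses a `Strict-Transport-Security` response header so a defender can check whether a site's HSTS policy actually forbids the click-through the commenter describes. The sample request and the HSTS header values are constructed for the demonstration; the function names are my own.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample request, modelled on the httpwatch example quoted in the thread.
SAMPLE_REQUEST = (
    "GET /securefiles/ HTTP/1.1\r\n"
    "Host: www.httpwatch.com\r\n"
    "Authorization: Basic aHR0cHdhdGNoOmY=\r\n"
    "\r\n"
)


def parse_headers(raw_message: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP request/response, keyed by lower-cased name."""
    headers: Dict[str, str] = {}
    lines = raw_message.split("\r\n")
    for line in lines[1:]:          # lines[0] is the request/status line
        if line == "":              # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic' header into (username, password).

    Returns None if the header is absent or not valid Basic auth. Base64 is an
    encoding, not encryption: anyone who can read the request can do this.
    """
    auth = parse_headers(raw_request).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', but the password may, so split once.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def hsts_policy(raw_response: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security header into its directives.

    Returns None when the response carries no HSTS header, i.e. a browser will
    still present a click-through certificate warning instead of a hard failure.
    """
    value = parse_headers(raw_response).get("strict-transport-security")
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().strip('"').isdigit():
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_blocks_clickthrough(raw_response: str) -> bool:
    """True only if HSTS is present with a non-zero max-age (max-age=0 clears the policy)."""
    policy = hsts_policy(raw_response)
    return policy is not None and int(policy["max_age"]) > 0


if __name__ == "__main__":
    print(basic_credentials(SAMPLE_REQUEST))  # credentials recovered from the plain header
    # Constructed responses: one with a one-year HSTS policy, one without any.
    with_hsts = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
    without_hsts = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    print(hsts_policy(with_hsts), hsts_blocks_clickthrough(without_hsts))
```

Run as a script it decodes the quoted header to the username and password it contains; the second call shows that a response with no HSTS header gives the browser nothing to enforce, which is the gap the commenter is pointing at. Note that HSTS only helps on visits after the policy has been seen once (or if the host is on a browser preload list), so the parser reports `preload` separately.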

        1. Ryan Clark

          Re: Uses basic authentication

          You see that blog you are quoting is dated 2013. If you are using ADAL, which Office 2013 and 2016 can, then Outlook is no longer using basic auth.

          https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/

        2. Anonymous Coward

          Re: Uses basic authentication

          "Exchange Online uses basic authentication"

          Not for years now.

          "Because it uses TLS means nothing"

          O365 forces TLS. There is no HTTP option.

          "when you intercept TLS you get the certificate error - guess what, people click through that"

          Which would still leave over the air WiFi traffic encrypted. To intercept requires a proxy infrastructure.

  2. Anonymous Coward

    Wow - two full pages built on an assumption..

    It also says a lot about the security of the platform: if there were any serious concerns there wouldn't be so many people using it (the figure I have to hand cites 60 million business customers as of spring 2016). What this tells us, though, is not that it's the Fort Knox of cloud-based office software: it merely says that it's secure enough for commercial organisations to accept it into their infrastructure.

    The number of users says exactly zero about its security - it tells you more about the lock-in that Microsoft still has on the industry, the "nobody gets sacked for buying Microsoft" thing. After all, Windows 10 is also not exactly the holy grail of security, needing yet again lots of extras to make it Internet safe, and that gained its install volume by having it rammed down people's throats with tactics taken straight from virus writers (historically the first recorded time ever Microsoft have paid proper attention to spam IMHO).

    Whatever the arguments for or against Office365 are, do not base your assumptions about its security on the volume of people using it.

    If you need any help understanding why, ask Yahoo email users..

    1. Seajay#

      Re: Wow - two full pages built on an assumption..

      Number of users probably doesn't reveal very much but the fact that large, publicly traded (and therefore open to scrutiny, required to conduct due diligence, etc ) companies, who employ professional network security teams use it does tell us something.

      If there were security issues that were likely to cause someone damages they might be able to sue for (which were not present in plausible alternatives) and the executives in those big companies thought that the issues were so blatant that a prosecution lawyer would be able to show they were negligent, then they wouldn't use it. So at worst it can't be that bad.

      That's not a very high bar for security, but it's something. And to be honest it's better than most small companies or individuals are going to be able to determine for themselves.

      1. Doctor Syntax Silver badge

        Re: Wow - two full pages built on an assumption..

        "Number of users probably doesn't reveal very much but the fact that large, publicly traded (and therefore open to scrutiny, required to conduct due diligence, etc ) companies, who employ professional network security teams use it does tell us something."

        What does the number of large publicly traded companies who've paid up for ransomware scams tell you about the ability of their professional network security teams to protect against users?

        1. Seajay#

          Re: Wow - two full pages built on an assumption..

          What does the number of large publicly traded companies who've paid up for ransomware scams tell you about the ability of their professional network security teams to protect against users?

          It tells you that they couldn't stop ransomware. Given that they have the resources and in most cases a very strong desire to stop it, that in turn tells you that it's extremely hard to stop it completely (without making security so onerous that it stops business from getting done).

          However, they are probably much bigger targets than you, but despite that they've reduced losses from ransomware to an acceptable level. That's a significant achievement. It also means that if you copy them, you'll probably be alright because you'll have the same defences but won't be such a big target.

        2. Anonymous Coward

          Re: Wow - two full pages built on an assumption..

          "What does the number of large publicly traded companies who've paid up for ransomware scams tell you"

          As that number is near zero, it tells me that the OP is right... It's almost universally small and / or low budget setups that get rinsed by these types of viruses and then pay up.

      2. Anonymous Coward

        Re: Wow - two full pages built on an assumption..

        Number of users probably doesn't reveal very much but the fact that large, publicly traded (and therefore open to scrutiny, required to conduct due diligence, etc ) companies, who employ professional network security teams use it does tell us something.

        Oh, don't get me wrong, I'm VERY happy with the uptake of Office365 because I get called in when it becomes clear that those so called "experts" are anything but and yet another uneven excrement distribution has begun (my work is cleaning up the mess those so-called "experts" leave untouched before it changes from a mere problem into a business catastrophe). The smart ones called me in beforehand and they're not using it, but it's far more profitable for me to be called to the smoke of a breach and clear it up, especially if there's a risk of reputational damage to go with it.

        The argument for or against is quite simply a risk evaluation. If you're in a business that has professional obligations for confidentiality and you're not based in the US I would have reservations about the use of any cloud service, including Office365. Don't buy into the myth that "cloud" equals "better" other than in "better profits for the service provider".

  3. Seajay#

    Eggs in one basket argument

    You've got to be really careful when making the "Don't put all your eggs in one basket" argument on security.

    There is something to be said for it on edge protection, where an incoming email has to pass through both the MS and non-MS layers in order to be delivered.

    I'm less convinced in the case of 2FA. If there is a security hole in Microsoft's authentication, you're probably screwed even if you are also using a 3rd party 2FA so you may as well keep things simple.

  4. Anonymous Coward

    I'm less convinced in the case of 2FA. If there is a security hole in Microsoft's authentication, you're probably screwed even if you are also using a 3rd party 2FA so you may as well keep things simple.

    If they were to implement an OPEN 2FA platform such as the TOTP model the Google Authenticator supports, or the newer U2F I would be quite happy to enable that - it's easy to use and supported by quite a number of apps. If they insist on using a money spinner such as SecureID they can FO with their 2FA as far as I'm concerned. I'm no fan of Google, but I must salute their push into 2FA support.

    1. Anonymous Coward

      Snap

      With both HMRC in the UK (never thought I would say that) and Apple. At least they are having a go.

    2. TheVogon

      "If they were to implement an OPEN 2FA platform such as the TOTP model the Google Authenticator supports, or the newer U2F I would be quite happy to enable that"

      Microsoft already offer MFA included in the cost of O365:

      https://azure.microsoft.com/en-gb/documentation/articles/multi-factor-authentication-how-it-works/#feature-comparison-of-versions

  5. Anonymous Coward

    A blast from the past

    Cloud fun - yes it's been resolved, but shows what can happen with your favourite cloud provider when they make a mistake:

    http://www.economyofmechanism.com/office365-authbypass.html

  6. This post has been deleted by its author

  7. Anonymous Coward

    Leaky 365

    All your data in Office 365, or Google Apps, or Salesforce.com. That's one gigantic database for the NSA, or GCHQ their off-shore collaborator, to trawl through to put to US strategic use in supporting "full spectrum dominance" and the Stone Age mindset of "you're either with us or against us".

    With your own commercial and private data under your own control you have at least some chance of keeping it from prying eyes.

    1. TheVogon

      Re: Leaky 365

      "All your data in Office 365, or Google Apps, or Salesforce.com. That's one gigantic database for the NSA, or GCHQ their off-shore collaborator, to trawl through "

      In O365 at least, you can bring your own certificates to prevent unlogged external access to your encrypted data...

  8. rohnski

    ... says a lot for attractiveness of cloud-based ... pfffftt!

    You start off with a very provocative statement

    (snip>Wherever you look there's yet another SME or enterprise migrating to Office 365. This says a lot for the attractiveness of cloud-based office suites... </snip)

    Sorry, all it says is that MS marketing is good at their job. And that MS has made 1-time payment licenses, "Office 2016 ...", effectively unusable for most businesses, especially big business!

    What happens when you try to install Office 2016? The VERY first thing it does, BEFORE loading any software, is ask for the email account you will be using. Well, that may be fine for a home user, but totally impractical in a business environment. It makes preloading Office 2016 on computers very manpower intensive, because you have to keep separate records of the product key AND email address used for the installation. You can't even use a generic, shared admin email because there is a limit on the number of licenses you can associate with a single email. This makes it very difficult for IT departments and consultants to preload software on a computer before it is put on the user desktop.

    On the other hand, MS has created the Admin "portal" that makes managing 365 licenses a relatively trivial effort. You just assign a license to an email account. Bing, when the user tries to use it, it is installed via CTR "in the background", so there may be a delay of a minute or two the first time they use the application. No need for a tech to install the software or to load a predefined "system image" on the computer.

    1. TheVogon

      Re: ... says a lot for attractiveness of cloud-based ... pfffftt!

      "The VERY first thing it does, BEFORE loading any software, is ask for the email account you will be using"

      No it doesn't. It installs without asking for any license information. It asks for an email address the first time you run it. Which is required for Office 365 users. If it was not being used by an O365 user then you can put a MAK key in instead.

      "because you have to keep separate records of the product key AND email address used for the installation"

      Utter rubbish. You either use a MAK key (which can be pre-installed), OR leave the user to input their email which is licensed via the O365 management console

      "This makes it very difficult for IT departments and consultants to preload software on a computer before it is put on the user desktop."

      Unless you RTFM or hire someone who has a clue....

  9. nijam Silver badge

    > ...if there were any serious concerns there wouldn't be so many people using it...

    Haha... hahahaha, hahahahahahahaha.

  10. Tom Paine
    Boffin

    Pedant's Corner

    if there were any serious concerns there wouldn't be so many people using it (the figure I have to hand cites 60 million business customers as of spring 2016). What this tells us, though, is not that it's the Fort Knox of cloud-based office software: it merely says that it's secure enough for commercial organisations to accept it into their infrastructure.

    I think that should read:

    Actually what it tells us is not that it's the Fort Knox of cloud-based office software: it merely says that customers believe that it's secure enough for commercial organisations

    Not quite the same thing.

    Pedant mode=off
