Security Advisory: Azure AD User Consent Settings
The Canadian Access Federation (CAF) team released an important security advisory regarding user consent settings on Azure Active Directory (AD). If your organization uses Azure AD, a simple default setting may be exposing your users’ personal data to third party applications/services.
The default configuration setting for User Consent within Azure AD lets all users (including students) connect third party apps to Azure without any administrator involvement. There are a few issues with this:
- These default settings may conflict with your Information Security & Privacy Classification policies
- Your users’ and your organization’s data may be disclosed to third parties, putting your users at risk of data mining
- Users may agree to share their personal data and unknowingly share others’ data under the false assumption that the app is endorsed by you
Please have a look at our recommended best practice for mitigating this risk here.
eduroam Updates – CAT Profile
You may have seen a ThreatPost article highlighting the risks of misconfigurations on Wi-Fi networks exposing user credentials for a potential man-in-the-middle attack such as the “Evil Twin”. Due to the broad availability and variety of new hacking tools, an individual with a modest amount of technical skill can easily execute a man-in-the-middle attack. It is increasingly important to ensure that eduroam users are protected from such threats. The eduroam Configuration Assistant Tool (CAT) mitigates this threat as well as protects the eduroam user’s personal identifiable information (PII). We’ve outlined our recommendations for addressing this Wi-Fi vulnerability and further details on how an “Evil Twin” attack works.
The eduroam CAT profile can be downloaded here: cat.eduroam.org
CAT is also available through the geteduroam app for mobile devices
iOS: https://apps.apple.com/us/app/geteduroam/id1504076137
Android: https://play.google.com/store/apps/details?id=app.eduroam.geteduroam&hl=en_CA&gl=US
eduroam CAT profile fun facts:
- Configuration takes less than 1 hour (and we’re here to help).
- Launching the eduroam CAT profile does not affect your existing eduroam users and no proxy reconfiguration is required.
- Installing the profile prevents mobile devices from negotiating with rogue access points, thus mitigating the risk of man-in-the-middle attacks and strengthening protections of personal identifiable information (PII).
- It offers a more secure Wi-Fi roaming experience, leveraging industry standards and security best practices.
- It strengthens the security posture for your entire organization.
If you have any question, please reach out to us at: [email protected]
Multifactor Authentication (MFA) Configuration: Status Update
In our last CAF newsletter, we highlighted the MFA requirement from the National Institute of Health (NIH) coming into effect September 2021. We have helped many CAF participants meet the NIH MFA requirements to access the eRA (electronic Research Administration) module. Going forward, the CAF team will provide our user community with a test validation tool and detailed documentation on how to implement MFA for FIM.
In the interim, if you want to find out more about how to signal MFA for access to services, please reach out to us at [email protected].
If you provide services to the CAF community and you’d like to make sure those services require MFA for access, please reach out to us at [email protected].
eduroam Updates from the Community
We’re happy to announce that eduroam is now available at more sites. The City of Calgary, the Prince George Airport, and UBC’s faculty of medicine now offer eduroam!
The Prince George Airport is the first airport in Canada to offer eduroam, a ground-breaking milestone for the Canadian research and education community that opens new possibilities to seamlessly and securely connect while on the move. For more details, please have a look at the featured news item here: https://www.bc.net/news/prince-george-international-airport-first-eduroam
The City of Calgary became the first municipality in Alberta to offer eduroam. This exciting event is the beginning of eduroam being available at more municipal sites and public transit in Calgary. For more details, please have a look here: https://www.cybera.ca/city-of-calgary-becomes-first-municipality-in-alberta-to-offer-eduroam/
UBC’s Faculty of Medicine spans the entire province of British Columbia, and the culmination of this six-year project allows all staff, faculty, and students at the Faculty of Medicine to seamlessly go from one location to another and have full access to eduroam. To find out more, please have a look here:
We would like to thank everyone at the Prince George Airport, the City of Calgary, the University of British Columbia as well as our NREN partners, BCNET and Cybera, who have helped to expand eduroam to these key sites off campus. If you see an opportunity to launch eduroam in your area, please don’t hesitate to reach out to us at: [email protected]