NYU IT Security News and Alerts

DocuSign Phishing Campaign

DocuSign, a service used to share, distribute and electronically sign important documents, has detected an increase in phishing emails sent to its customers/users. The recent phishing campaign delivers unsolicited email with either an embedded URL or an HTML, PDF or Word attachment that redirects users to a spoofed login page designed to steal login credentials. Compromised DocuSign credentials could expose financial and other types of sensitive/confidential information.

Noted email subject lines in this phishing campaign are:

  • Your DocuSign
  • Payment Confirmation
  • New secure message
  • You have a new document to review and sign

Phishing emails received may come from: noreply@docusign.delivery

Recommendations

DocuSign advises users to look for the unique security code at the bottom of a DocuSign notification email (as shown below). All DocuSign envelopes contain a unique security code. The unique security code allows users to access documents directly from https://www.docusign.com/

[Image: a DocuSign notification email with the unique security code displayed at the bottom. The text above the security code reads "Alternately, you can access these documents by visiting docusign.com, clicking the "Access Document" link and using this security code:"]

Additionally:

  • Never open unexpected attachments or provide account credentials via embedded links in unsolicited email. Before opening an unexpected attachment, verify the legitimacy of the message/sender via a phone call or another means of communication that does not rely on information appearing in the message received.
    • Instead of clicking on an embedded link to enter your credentials, go directly to the organization’s secure website and enter them there.
  • Enable MFA (multi-factor authentication) on all accounts for which it’s offered. MFA protects you from the consequences of phishing or credential compromise by requiring a second layer of authentication via a device that you possess (e.g., a smartphone, cell phone or landline).
    • For information on NYU MFA, which protects your sensitive information on NYU systems, see NYU’s MFA information page.

Meltdown and Spectre Product Vulnerability and Update List

As an update to our 1/4/18 post entitled Computer Chip Vulnerabilities: Meltdown & Spectre and our 2/26/18 post entitled Spectre Patches Available, please be advised of the following NJCCIC (New Jersey Cybersecurity & Communications Integration Cell) resource dedicated to the Meltdown and Spectre vulnerabilities. The Meltdown and Spectre Product Vulnerability and Update List summarizes the incident and supplies an updated listing of vendor patches, mitigation strategies and updates.

Samsung Galaxy Messages App Alert

A glitch in the pre-installed Samsung Messages texting app appears to be sending photos from Samsung Galaxy phones to random user contacts without their knowledge or consent. Further, there appear to be no records of these transmissions in sent folders. Affected users have become aware of the issue after recipients respond to the messages received.

It is recommended that Samsung Galaxy users disable the Messages app’s access to the device’s storage and use an alternate messaging app, such as Android Messages. Please note that users who disable this access will likely lose access to prior messages and render the Messages app unusable. The following are the steps to disable Samsung Messages’ access to device storage:

  • Go to Settings
  • Select Apps, and choose the Messages app
  • Select Permissions, and move the Storage toggle to disable or off.

Resources:

  • https://www.zdnet.com/article/weird-samsung-galaxy-bug-phones-are-quietly-texting-photos-to-random-contacts/
  • https://gizmodo.com/a-bug-in-samsungs-default-texting-app-is-sending-random-1827291759

VPNFilter Malware

A sophisticated modular malware system called VPNFilter is now targeting at least 500,000 consumer-grade routers in 54 countries worldwide. VPNFilter is malicious software that gets installed on routers and is able to carry out both intelligence-collection and destructive cyber attack operations. Despite the FBI’s seizure of a key command and control server two weeks ago, the botnet remains active. Although the threat is still evolving, the primary goals of VPNFilter appear to be:

  • Offensive capabilities, such as routing attacks through compromised devices and around the internet.
  • The manipulation of all traffic being routed through a compromised device, e.g., the potential modification of an account balance so it appears as expected as money is being siphoned off.
  • Stealing of credentials and passwords.

Technical Details:

The following is a breakdown of this multi-stage malware:

Stage 1 of the malware acts as a backdoor, and is one of the few known pieces of malware able to survive a reboot. Stage 1 gains a persistent foothold and enables the deployment of stage 2 malware.

Stage 2 does not persist through a reboot and engages in file collection, command execution, data exfiltration and device management. Some stage 2 versions possess a self destruct capability that renders the device unusable.

Stage 3 also does not persist through a reboot, and multiple stage 3 modules serve as plug-ins for the stage 2 malware. Talos has identified the following types of stage 3 malware:

  • A packet sniffer that collects traffic passing through the device, including website credentials.
  • A communication module that allows stage 2 to communicate over Tor.
  • Other stage 3 plugins are believed to be in existence, but have yet to be discovered.

Recommendations:

Talos advises users of SOHO routers or NAS devices to reset the devices to factory defaults and to reboot them in order to remove the non-persistent stage 2 and stage 3 malware. This should be done after saving configuration settings to a readable file. Ars Technica notes that it can be difficult to determine whether a router is infected and advises users to assume their router is infected and proceed as follows:

  • Consult with your router manufacturer – in some cases this will involve pressing a recessed factory reset button on the router, and in other cases users will have to reboot and then immediately install the latest authorized firmware from the manufacturer. If the router is more than a few years old, it is recommended that you purchase a new one.
  • Router owners should always change default passwords and disable remote administration (when feasible).
  • Keep your router up-to-date through regular patching.

Additionally, browse with HTTPS whenever possible: web connections that display a padlock in your browser are encrypted between your browser and the website, so their contents cannot be read by an intermediate device or a malicious actor on the path.

Resources:

https://blog.talosintelligence.com/2018/05/VPNFilter.html

https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/

Safe Travels with Mobile Device Security

Summertime and travel are around the corner! Please be reminded to safeguard your devices and information stored thereon when traveling. Remember that your mobile devices are personal computers and should be secured and safeguarded as such. For recommendations, please see the following blog post entitled Information Security Tips for Travel. The following are some supplemental recommendations:

Safe Charging

Avoid public charging stations at airports and hotels and avoid connecting your device to public computers. Once a mobile device is connected to a public computer or charging station it may be exposed to malware. Additionally, sensitive data on your device could be compromised once a device is connected to public systems.

Safe WiFi & Bluetooth Usage

To prevent your devices from auto-connecting to open networks, and to prevent unknown Bluetooth-enabled devices from connecting to your device, disable WiFi and Bluetooth when not in use. Optionally, you can set your device to “Ask to Join Networks” so you can approve/select a WiFi connection. To safeguard your data and your transmissions, use of password protected WiFi networks is recommended. However, WiFi networks for which passwords are publicly displayed are not secure. Additionally, be sure to confirm both the name of the WiFi network and password with an employee/staff member of the organization before connecting. If you access accounts on an unfamiliar network, it is recommended that you later change the associated passwords using a secure personal device that is in your control.

Safe Transactions

Avoid online shopping, banking and conducting personal business when connected to public WiFi networks. Malicious actors can intercept network traffic and steal sensitive/confidential information. If you must perform a transaction or check an account balance, it’s recommended that you turn off WiFi and use your device’s cellular data connection. Additionally, only transact on secure sites, i.e., sites whose address begins with “https://”.

Safeguard Your Devices

Protect yourself from shoulder surfing by using screen guards on your devices. Make sure that your devices are always in your sight or your grasp, as device theft is a common occurrence. Please be reminded that the theft of any NYU provided mobile device must be reported to NYU Public Safety.

Happy travels!

Recent Uptick in Social Engineering Attacks via Phishing, Smishing & Vishing

There has been a noted general uptick in social engineering attacks, which are designed to manipulate individuals into taking an action, such as divulging confidential or sensitive information. These attacks commonly take the form of phishing (attacks via email), smishing (attacks via text message) and vishing (attacks via phone). Common tactics include crafting messages that appear to be from trusted entities or people, which contain familiar logos/branding and use expected language. These messages often convey a sense of urgency and seek immediate action of some kind from recipients.

For example, recent vishing scams include callers purporting to be from the IRS, FTC, U.S. Department of Treasury or other government entities. In the FTC scam, callers seek remote access to your computer on the pretext that they are providing benefits in connection with the FTC’s Advanced Tech Support refund program. Scammers even told people to call if they had questions, but the phone number they supplied was not legitimate. This scam is also known as a tech support scam in which scammers seek to install malware on your device or sell you worthless software as a pretext for obtaining your payment information. Scammers may even direct you to a website with fake customer testimonials.

Please be reminded of the following best practices when evaluating the communications you receive:

  • Never open attachments or click embedded links in unsolicited/unexpected messages, including email, text messages or social media messages.
  • If in doubt of the legitimacy of a communication, contact the sender independently via a trusted phone number to confirm. Remember that scammers can spoof email addresses and phone numbers, so the sender’s contact information may appear legitimate when it is not.  
  • Never provide personal or payment information in response to unsolicited/unverified communications of any kind.  
  • Never provide remote access to your device to an unsolicited/unverified party.  
  • Limit what you share about yourself and others online as scammers use social media to gather information to use in targeted attacks.

Resources:

Social Engineering Attacks and How You Can Protect Yourself, https://wp.nyu.edu/connect/2015/03/13/social-engineering/

Phishing, Spear Phishing and Whaling, https://wp.nyu.edu/connect/2017/03/01/phishing-and-whaling/

Learn to Spot a Phony: Detecting and Avoiding Phone Scams, https://wp.nyu.edu/connect/2017/09/19/learn-to-spot-a-phony/

Safe Social Networking

Twitter Advises Users to Change Their Passwords

In the following blog post from last week, https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html, Twitter disclosed that due to a bug, user passwords were inadvertently stored as plain text in an internal log. Passwords stored in plaintext are unmasked, so in this instance they were visible to Twitter employees, rather than masked via a hashing process. Twitter states that it has no evidence that the data was leaked or misused. Although Twitter has corrected the issue and is implementing processes so this will not occur again, it recommends that you change your Twitter password(s). If you use the same password(s) on any other accounts/services, which is not a recommended practice, you should change those passwords as well.
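To make the distinction in the post concrete, the following Python is an added example (not code from the NYU post or from Twitter) of both halves: a salted PBKDF2 hash that is the only thing a service needs to store, and a logging filter that masks password fields before a debug message reaches an internal log, the failure mode Twitter described. The function names, the `password=` field name and the sample request body are the example's own assumptions.

```python
"""Added example: password hashing plus log redaction. Not from the NYU post
or from Twitter; function names, field names and sample data are assumptions."""
import hashlib
import hmac
import logging
import os
import re
from typing import Optional

# Assumption: a deliberately slow work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    Only this string is stored. The digest cannot be turned back into the
    password, and the random salt gives two users with the same password
    different records.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Matches password=VALUE in form bodies and "password": "VALUE" in JSON-like text.
_PASSWORD_FIELD = re.compile(
    r"""(?i)(["']?password["']?\s*[=:]\s*["']?)([^&"'\s,}]+)"""
)


def redact(text: str) -> str:
    """Replace the value of any password field with a fixed marker."""
    return _PASSWORD_FIELD.sub(r"\1[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collect formatted log lines in memory so the example runs offline."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_login_attempt(form_body: str, redacting: bool) -> str:
    """Log a raw login request body at DEBUG level and return the line written.

    redacting=False reproduces the failure mode the post describes: the
    plaintext password lands in an internal log. redacting=True masks it first.
    """
    logger = logging.getLogger("example.safe" if redacting else "example.unsafe")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(RedactingFilter())
    logger.debug("login request body: %s", form_body)
    return handler.lines[0]


if __name__ == "__main__":
    # Constructed sample request body; the credentials are not real.
    body = "user=alice&password=hunter2"
    print(log_login_attempt(body, redacting=False))  # leaks the password
    print(log_login_attempt(body, redacting=True))   # password=[REDACTED]
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("wrong", record))
```

The filter runs on the logger rather than on a single handler, so every handler attached to that logger receives the masked text; a redaction attached only to one handler would leave another handler (for example a debug file) with the plaintext.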

To change/reset your Twitter password, please see the following Twitter Help Center page: https://help.twitter.com/en/managing-your-account/forgotten-or-lost-password-reset. Please note that Twitter further recommends login verification via two-factor authentication as a way to further protect your Twitter account; it adds a layer of security by requiring that you enter a six-digit code sent to your mobile phone after logging in with your password. Twitter calls two-factor authentication “[T]he single best action you can take to increase your account security.” For instructions on how to set up Twitter login verification, please see the following Twitter Help Center page: https://help.twitter.com/en/managing-your-account/two-factor-authentication.

For password best practices and recommendations, please see the following Connect article, Under Lock and Passphrase.

Google Pulls Fake Ad Blockers from Chrome Web Store

Google has identified and pulled the following fake ad blockers from the Chrome Web Store: AdRemover, uBlock Plus, Adblock Pro, HD for YouTube and Webutation. These ad blockers have been downloaded in excess of 20 million times. The extensions have been disabled on Chrome instances on which they were installed. However, if you installed one of the malicious ad blockers, it is recommended that you remove it. To do so, please take the following steps:

  • Open Google Chrome and click on the three vertical dots to the right of the browser address bar, and go to More Tools, Extensions.
  • Locate the extension you wish to remove, and click Remove in the bottom left of the extension dialog.

Ad blockers have become a very popular way to remove or manage advertising content on a website, web page or mobile app. Cloning legitimate software and adding malicious features has become a common tactic of cyber criminals. In this instance, malicious code was hidden inside the extensions’ copy of the jQuery JavaScript library. Infected browsers formed a browser botnet and could be made to do whatever the command and control server ordered.

For additional information, please see:

  • https://www.zdnet.com/article/google-cuts-fake-ad-blockers-from-chrome-store-were-you-among-20-million-fooled/
  • https://www.komando.com/happening-now/455166/google-pulls-fake-ad-blockers-were-you-one-of-the-20-million-fooled?utm_medium=nl&utm_source=alerts&utm_content=2018-04-20-article-a
  • http://www.newsweek.com/google-chrome-fake-ad-blockers-installed-20-million-users-how-check-if-you-892929

Call & Text History Logging with Facebook Messenger or Facebook Lite on Android

Android users have discovered when downloading their Facebook files, that there is a section of the download that contains details on phone calls and text messages. In response to user queries, Facebook has stated that call and text history logging are part of an opt-in feature for people using Facebook Messenger or Facebook Lite on Android, which were introduced in 2015. Facebook further states that users had to “expressly agree to use this feature”, that it could be turned off at any time, that the feature does not collect call or text message content, and information is stored securely and not sold to third parties. According to Facebook, if the app is deleted, previous call and text history will also be deleted.

Ars Technica notes: “[I]f you are really concerned about privacy, you should not share address book and call-log data with any mobile application. And you may want to examine the rest of what can be found in the downloadable Facebook archive, as it includes all the advertisers that Facebook has shared your contact information with, among other things.”

The following are instructions to turn off/on continuous syncing of contacts to Facebook Messenger on all devices should you choose to do so.

  1. From Home, tap your profile picture in the top right corner.
  2. Tap People.
  3. Tap Synced Contacts to turn this setting off/on.

The Top Seven End User Risks

The top seven end-user risks found in most organizations have been identified by SANS, and are detailed herein along with relevant NYU resources to help you combat these risks and stay secure in your work and personal lives.

Lack of situational awareness

Refers to people not realizing that they are targets. Awareness of the social engineering strategies being used by scammers, and use of awareness resources, are ways to address a lack of situational awareness. For more information on social engineering, see the following Connect article, Social Engineering Attacks and How You Can Protect Yourself. For NYU awareness resources generally, see NYU’s Security Awareness web page. Additionally, a subscription to this blog will provide you with up-to-date and timely information on information security threats and resources (the subscription option is visible along the right side of the blog).

Phishing

Refers to the targeting of individuals or groups using email, text messaging, phone calls or social media updates/messaging. For more information on these types of attacks and recommendations on how to protect yourself, please see the following Connect article, Phishing, Spear Phishing, and Whaling.  

Password reuse

Refers to the same password being used for multiple accounts. Once a scammer steals one password, that password will be tried on a variety of sites. Do not let the compromise of one account lead to the compromise of other accounts. Each account password should be unique and lengthy (12+ characters). Length, rather than complexity, has been shown to be the primary password safeguard. Further, consider using passphrases instead of passwords. For more information on password best practices, please see the following Connect article, Under Lock and Passphrase.

Using Unpatched or Poorly Configured Devices (BYOD)

Secure your devices by performing application and system updates/patching frequently, or as updates become available. Updates address known vulnerabilities, which scammers will attempt to exploit on unpatched devices. For specific recommendations, please see the following blog post from the IT Security News & Alerts blog on Securing Your Mobile Device. Additionally, please see the following NYU KnowledgeBase articles, iPhone, iPod Touch & iPad security and Android security.

Indiscriminate Use of Mobile Media

Is a reminder to use WiFi and Bluetooth best practices (for more information, see the above-referenced blog post). Additionally:

  • no restricted data should be stored on your mobile devices. For information on NYU data classification and what comprises restricted data, please see the following webpage containing the NYU Data Classification Table.
  • install only well-reviewed applications from reliable and trusted sources, such as Google Play or the App Store. Grant installed applications the minimum permissions necessary. If you are not comfortable with the minimum permission levels, do not install the application.

Data Leakage via Social Networking

Refers to the fact that social engineers regularly review social media sites and gather information on individuals and groups to target in attacks. For this reason, it is important to limit what you share about yourself and others. For example, none of your answers to security challenge questions, such as “what street did you grow up on?”, should be posted on social media. For tips on social media use, see the following blog post from the IT Security News & Alerts blog on Safe Social Networking.

Accidental Disclosure/Loss

Refers to the loss of mobile devices or physical media such as flash drives and to the unintended disclosure of information.

  • To avoid unintended email disclosure, a recommended best practice is to proofread the list of message recipients before sending an email as inadvertent disclosure sometimes occurs due to the auto-complete feature or use of “Reply to all” unintentionally.
  • With respect to flash drives, encrypted flash drives which require a PIN or password to access content are the most secure as the data will remain protected even if the drive is lost or stolen.
  • Please be reminded that any lost or stolen NYU provided mobile devices must be reported to NYU Public Safety at 2112-998-2222.