NYU IT Security News and Alerts

Facebook’s VPN Onavo Protect, Collecting User Data

Facebook has a VPN app, Onavo Protect, for iOS and Android, offered to users as an encryption solution to safeguard all information transmitted over public networks. It is estimated that 33 million users have installed Onavo Protect on their phones. Based on reviews, Onavo appears to be a reliable VPN service, but please be aware that this app tracks and sends user data back to Facebook even when the app is not being used. This app has been dubbed “spyware” by some commentators.

The application is accessed in Facebook by clicking on the main menu and scrolling through the “Explore” section.  It displays as a light blue shield icon with the text “Protect”.

Image showing the "Protect" option in the Facebook menu.

Image courtesy of Komando.com

The following is the Onavo privacy policy, which details the types of data collected and states that if you choose to route all of your mobile data traffic through Onavo servers, it may use this data to “provide, analyze, improve and develop new and innovative services for users.” Although there is nothing you can do about data that has already been collected, you can stop the app from collecting further data by completely uninstalling it from your iOS or Android device.

Please be reminded that NYU VPN is available to all community members (for use in certain locations). NYU VPN will not collect information about your data usage, communications content, browsing history, transactions or sensitive information.


National Consumer Protection Week (March 4th-10th)

National Consumer Protection Week, which begins today, is an ideal time to learn more about avoiding scams and understanding your consumer rights.

Participate in Federal Trade Commission (“FTC”) live Facebook chats via information on the following FTC Consumer Information web page: https://www.consumer.ftc.gov/blog/2018/02/plan-tune-ncpw2018-facebook-live-chats

Additionally, the following are links to NCCIC/US-CERT security tips web pages:

Spectre Patches Available

Intel has released their Microcode Revision Guidance publication, which details both the availability and schedule for planned microcode updates and changes. The following processors have firmware patches ready to use in production environments:

  • Apollo Lake
  • Cherry View
  • Coffee Lake
  • Cougar Mountain
  • Gemini Lake
  • Kaby Lake
  • Knights Landing
  • Knights Mill

It is recommended that users and admins of systems with affected processors review the above-referenced Intel publication and apply the relevant patches as soon as possible. Additionally, please see the NJCCIC Meltdown and Spectre Product Vulnerability and Update List for a comprehensive list of the patches and advisories.
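After applying microcode and kernel updates, an admin will want to confirm that the system actually reports the mitigations as active. The following is an added example (not a tool from Intel or NJCCIC) that reads the per-issue status files Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities/ and lists the issues the kernel still marks as vulnerable. The parsing works on any mapping of file name to file text, so it can also be run on the constructed SAMPLE_FILES below (a made-up partly patched host) or on files copied from another machine.

```python
"""Report which Spectre/Meltdown issues the Linux kernel still flags as
unmitigated. Added example for this post, not from Intel or NJCCIC.
Reads /sys/devices/system/cpu/vulnerabilities/* (Linux 4.15+); the
parsing itself works on any {name: text} mapping, so SAMPLE_FILES lets
it run without sysfs access."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample of file contents on a partly patched host (not real output
# from any particular machine).
SAMPLE_FILES = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


def parse_status(text):
    """Split one status line into (state, detail).
    'Mitigation: PTI' -> ('Mitigation', 'PTI'); 'Not affected' -> ('Not affected', '')."""
    state, _, detail = text.strip().partition(":")
    return state.strip(), detail.strip()


def summarize(files):
    """Map issue name -> (state, detail) for a {name: text} mapping."""
    return {name: parse_status(text) for name, text in sorted(files.items())}


def read_sysfs(directory=SYSFS_DIR):
    """Load the real status files; empty mapping if the kernel lacks them."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


def unmitigated(report):
    """Names of issues whose state is 'Vulnerable' (still needing patches)."""
    return sorted(name for name, (state, _) in report.items() if state == "Vulnerable")


if __name__ == "__main__":
    # Use the live sysfs files when present, otherwise the constructed sample.
    files = read_sysfs() or SAMPLE_FILES
    report = summarize(files)
    for name, (state, detail) in report.items():
        print(f"{name:12} {state}{': ' + detail if detail else ''}")
    print("still vulnerable:", unmitigated(report) or "none")
```

Run it on each host after the firmware and kernel updates; any issue still listed as vulnerable means either the microcode did not load or the kernel build lacks the matching mitigation, and the detail text after the colon usually says which.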

Additional Resources:

Related posts:


Equifax Breach Update

The Equifax breach, which occurred in September of last year and impacted the personal data of 14.5 million consumers, appears to have impacted more data than initially reported. Equifax already confirmed the loss of social security numbers, birth dates, home addresses, credit-score dispute forms and in some instances, credit card and driver’s license numbers. According to a document Equifax recently submitted to the Senate Banking Committee, hackers were also found to have accessed tax identification numbers, email addresses, phone numbers, credit card expiration dates and issuing states for driver’s licenses.

Using the following Equifax site, https://www.equifaxsecurity2017.com, you can check whether your personal information has been impacted. The site lists options for consumers such as obtaining a credit report, placing a freeze or lock on your credit report (with information regarding the distinction between these two options) and placing a fraud alert or an extended fraud alert on your credit report.

For more information please see:

Related post:

FTC Issues Alert on Equifax Phishing Scams

Recent Uptick in Phishing Messages Using URL Shorteners

There has been a recent uptick in phishing email campaigns using popular URL shortening services such as bit.ly, ow.ly, goo.gl and t.co to embed malicious links in email messages. This is a common ploy used by scammers, as shortened URLs mask the true link destination.

Further, these phishing messages often appear to come from a familiar entity, such as your bank, and the embedded links, if clicked, often take users to sites which appear to be legitimate and require the input of login credentials. Once login credentials are entered in the spoofed site, they are stolen/compromised and users are redirected to the legitimate site.

If you believe you have fallen victim to this type of scam, you should change your password on the affected account as soon as possible and apprise the business/entity of any fraudulent activity. To safeguard yourself from these types of phishing attacks, it is recommended that you never enter login credentials via embedded links in unsolicited emails. If in doubt about the legitimacy of a message, contact the sender/entity at a trusted phone number. An additional tip is to view the browser address bar and look for signs of a legitimate/secure site, which may include a locked padlock preceding the business/entity name and “https://”.

Shortened URLs can be easily checked or expanded using link expander services. The expanded URL is the true destination URL. For more information on using link expanders, please see the following Connect Article:


Related post: https://wp.nyu.edu/itsecurity/2018/01/12/phishing-campaigns-crafted-to-steal-login-credentials/
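The following is an added example, not an NYU tool or a Connect article, of what a link expander does: it follows a shortened URL's redirect chain one hop at a time using HEAD requests, never downloading or rendering a page, and reports the true destination together with the two things the post asks readers to check (the final host and whether it uses https). The fetch function is injectable, so the chain can be resolved offline against the constructed SAMPLE_CHAIN (placeholder hostnames, not real links) as well as against live servers.

```python
"""Expand a shortened URL by following its redirect chain hop by hop,
without rendering any page. Added example for this post; not NYU's own
tooling. SAMPLE_CHAIN and MAX_HOPS are constructed assumptions."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10  # assumption: a chain longer than this is itself a warning sign

# Constructed sample hop chain (placeholder hostnames, not real links).
SAMPLE_CHAIN = {
    "https://short.example/abc": "https://track.example/r?u=1",
    "https://track.example/r?u=1": "http://login-bank.example/secure",
}


def fake_fetch(url):
    """Stand-in for a HEAD request: the Location header, or None if final."""
    return SAMPLE_CHAIN.get(url)


def head_location(url):
    """Live fetcher: one HEAD request with automatic redirects disabled,
    returning the Location header (None when the response is not a
    redirect). Only headers are transferred, no page body."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib then raises HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=10) as response:
            return response.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx responses land here because we declined to follow them
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def expand(url, fetch=head_location, max_hops=MAX_HOPS):
    """Follow Location headers hop by hop.
    Returns (chain, outcome); outcome is 'final', 'loop' or 'too-many-hops'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain, "final"
        nxt = urljoin(chain[-1], location)  # relative Location headers are legal
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too-many-hops"


def assess(chain):
    """Summarise what the post tells readers to check on the final destination."""
    final = urlparse(chain[-1])
    return {
        "destination": chain[-1],
        "https": final.scheme == "https",
        "host": final.hostname or "",
        "hops": len(chain) - 1,
    }


if __name__ == "__main__":
    chain, outcome = expand("https://short.example/abc", fetch=fake_fetch)
    print(" -> ".join(chain), f"({outcome})")
    print(assess(chain))
```

Calling expand with the default fetcher resolves a real shortened link; with the sample chain it shows the pattern the post describes, a shortener hop that lands on a plain-http host whose name merely resembles a bank. Redirect loops and over-long chains are reported rather than followed indefinitely.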


Tax Identity Theft Awareness Week

January 29th – February 2nd is Tax Identity Theft Awareness Week. Tax identity theft occurs when someone uses your Social Security number to get a job or a tax refund. The IRS may contact you regarding wages from an unknown employer, or they may inform you that more than one tax return was filed in your name. Learn how to protect yourself from tax-related identity theft and IRS imposter scams by reviewing the following resources:


Annual Data Privacy Day, January 28th

January 28th marks Data Privacy Day with a focus on safeguarding data. In furtherance of the data privacy day mission, please be reminded of the following data protection guidelines and best practices:

Data Classification
The data you work with is classified according to the NYU Data Classification Table as follows:

  • Restricted
  • Protected
  • Confidential
  • Public

The applicable data class determines how the data you work with can be stored and transmitted. For examples of the types of data in each class, please see the Data Classification Table.

  • Restricted data may be stored and shared via NYU Box. Please keep in mind that restricted data should not be stored or transmitted on mobile devices.
  • Data that falls into the protected and confidential categories may be stored and shared via NYU Google Apps, and there are no restrictions governing the storage and sharing of public data.

Passwords
Use unique passwords for each account/site so that the compromise of one account won’t lead to the compromise of other accounts. Hackers will attempt to use compromised credentials on a variety of sites.

  • Use of a password manager is the best way to manage and store your many passwords. For more information on password managers and password best practices, please see the following Connect article, Under Lock and Passphrase.

Social Media
Remember the maxim “once posted, always posted”. Therefore, be selective about what you share online, and safeguard others as well as yourself. Be sure to check/customize the privacy settings of your social media accounts to prevent unintended sharing.

Image of a smartphone resting on a notebook with a pen beside it and Instagram onscreen

  • For information on managing your privacy settings for Facebook, Twitter, LinkedIn, Instagram and Pinterest, click here.
  • Never share information on social media that you’ve used to answer a security challenge question, such as, “What street did you grow up on?”. Scammers review social media posts and use the information gleaned in targeted attacks.

WiFi Networks
Always use trusted password protected WiFi networks such as NYU WiFi. Additionally, use of NYU VPN (available in certain off-campus locations) further protects your data and is required when accessing certain NYU services outside of NYU-Net.

  • WiFi networks for which the passwords are displayed are not secure.

NYU Multi-Factor Authentication
Use NYU Multi-Factor Authentication, which protects your data by adding a second layer of security when authenticating to NYU systems and services. Use of MFA is now required when authenticating to certain NYU systems and services.

  • Register at least two devices. One of the devices you register should be a device that you always have with you (a smartphone or a simple cell phone).
  • Additionally, use of the Duo mobile app will allow you to authenticate even when you don’t have cell or internet service, or if you’re traveling internationally.

Back-ups
Back up your data regularly and periodically confirm that your data is backing up as desired. The best way to recover from certain malware infections is to wipe the device and restore from back-ups.

  • If backing-up or saving data to a flash drive, consider using an encrypted flash drive, such as an IronKey flash drive.

Mobile Devices

  • Do not share your password, and set your device’s screen auto-lock to a short interval, such as 30 seconds.
  • Turn off WiFi when not in use or use the “Ask to join networks” setting which will not allow your device to auto-connect to open networks.
  • Turn off Bluetooth when not in use.
  • Update device operating systems as updates become available. Updates address security vulnerabilities.
  • Understand how to perform a remote wipe of your device in case your device is either lost or stolen.

Mobile Apps
Install only known and well-reviewed mobile apps from reliable sources such as Google Play or Apple’s App Store, as these sources screen the apps they offer. Additionally:

  • Review the permissions associated with mobile apps carefully before you install, and grant the minimum permissions necessary.
  • Update apps as soon as updates become available as updates address security vulnerabilities.
  • Uninstall apps no longer in use.

Phishing Campaigns Crafted to Steal Login Credentials

Be on the lookout for phishing campaigns crafted to steal your login credentials. Such phishing campaigns deliver unsolicited email that appears to come from known businesses, entities or services. Current phishing campaigns employing this strategy are emails purporting to come from Amazon and Microsoft Outlook Web Access (OWA). These particular phishing emails request that you click an embedded link to enter your login credentials. Once you click the embedded link, you are redirected to a well-crafted phishing website designed to steal your credentials. After entering login credentials in the phishing website, you are redirected to the legitimate website and prompted to log in again.

Please be reminded to look at your browser’s address bar for indicators of a secure website, which include a lock symbol preceding the business/entity name and “https”.

If you suspect you have fallen victim to this scam, please change your password as soon as possible for the service at issue by visiting the provider’s website via a known and trusted URL that you type into the browser’s address bar.

Recommended Phishing Resources:

Adobe Flash Player Security Updates Available

Please note that Adobe has released security updates to address a vulnerability in Flash Player. A malicious attacker could exploit this vulnerability and gain access to sensitive information. We recommend that users and admins apply the updates. For more information, please see:



Securing Your Mobile Devices

Safeguard the valuable data on your mobile devices with the following tips:

  • Secure mobile devices with strong passwords (long, unique and difficult to guess) or a touch ID feature, and do not share your password(s).
  • Enroll your devices (smartphones or tablets) in NYU Multi-Factor Authentication (“NYU MFA”). MFA provides a second layer of security following authentication with your NYU NetID and password and protects sensitive data in NYU systems.
  • Be savvy and use password protected WiFi, such as NYU WiFi. Do not use non password protected WiFi hotspots as your device and data may get compromised. Please note that WiFi networks for which the password is displayed for all to see/use are not secure.
  • When using password protected WiFi, be sure to obtain the WiFi password directly from a trusted source (e.g., an employee of the organization or business).
  • Ensure your WiFi is set to ask for your permission before joining open networks.
  • Disable WiFi and Bluetooth when not in use. It’s advisable not to use Bluetooth in public places.
  • Be aware of who is around you as you access data. Use screen guards on laptops and tablets whenever possible.
  • Regularly update applications and your device operating system. Hackers seek to exploit vulnerabilities which have been addressed by updates.
  • Remove applications no longer in use.
  • Only install known and trusted applications from trusted sources (e.g., Apple’s App Store or Google Play). Additionally, restrict applications appropriately, and only grant the minimum permissions necessary.
  • Check the application rating/reviews and comments before downloading.
  • Treat your devices like valuable assets and don’t let them out of your sight or grasp in public places.
  • Lost or stolen NYU provided mobile devices should be reported to NYU Public Safety, 212.998.2222.