NYU IT Security News and Alerts

Recent Uptick in Social Engineering Attacks via Phishing, Smishing & Vishing

There has been a noted general uptick in social engineering attacks, which are designed to manipulate individuals into taking an action, such as divulging confidential or sensitive information. These attacks commonly take the form of phishing (attacks via email), smishing (attacks via text message) and vishing (attacks via phone). Common tactics include crafting messages that appear to be from trusted entities or people, which contain familiar logos/branding and use expected language. These messages often convey a sense of urgency and seek immediate action of some kind from recipients.

For example, recent vishing scams include callers purporting to be from the IRS, FTC, U.S. Department of Treasury or other government entities. In the FTC scam, callers seek remote access to your computer on the pretext that they are providing benefits in connection with the FTC’s Advanced Tech Support refund program. Scammers even told people to call if they had questions, but the phone number they supplied was not legitimate. This scam is also known as a tech support scam in which scammers seek to install malware on your device or sell you worthless software as a pretext for obtaining your payment information. Scammers may even direct you to a website with fake customer testimonials.

Please be reminded of the following best practices when evaluating the communications you receive:

  • Never open attachments or click embedded links in unsolicited/unexpected messages, including email, text messages or social media messages.
  • If in doubt of the legitimacy of a communication, contact the sender independently via a trusted phone number to confirm. Remember that scammers can spoof email addresses and phone numbers, so the sender’s contact information may appear legitimate when it is not.  
  • Never provide personal or payment information in response to unsolicited/unverified communications of any kind.  
  • Never provide remote access to your device to an unsolicited/unverified party.  
  • Limit what you share about yourself and others online as scammers use social media to gather information to use in targeted attacks.

Resources:

Social Engineering Attacks and How You Can Protect Yourself, https://wp.nyu.edu/connect/2015/03/13/social-engineering/

Phishing, Spear Phishing and Whaling, https://wp.nyu.edu/connect/2017/03/01/phishing-and-whaling/

Learn to Spot a Phony: Detecting and Avoiding Phone Scams, https://wp.nyu.edu/connect/2017/09/19/learn-to-spot-a-phony/

Safe Social Networking

Twitter Advises Users to Change Their Passwords

In the following blog post from last week, https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html, Twitter disclosed that due to a bug, user passwords were inadvertently stored as plain text in an internal log. Because plaintext passwords are not masked by a hashing process, in this instance they were readable by Twitter employees with access to the log. Twitter states that they have no evidence that the data was leaked or misused. Although they have corrected the issue and are implementing processes so this will not occur again, they recommend that you change your Twitter password(s). If you use the same password(s) on any other accounts/services, which is not a recommended practice, you should change those passwords as well.
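The bug above is a login path that wrote the raw password somewhere before hashing it. The following is an added illustration (not Twitter's code) of the two controls that prevent it: hashing the password with a salted key-derivation function so only the hash is ever stored, and masking credential fields before a request is logged, plus a small scan that flags log lines where a plaintext credential still slipped through. The sample request and log lines are constructed for the example.

```python
"""Added example (not Twitter's code): hash before store, redact before log,
and scan existing logs for credentials that were written in the clear."""
import hashlib
import hmac
import json
import os
import re

# Constructed sample: the raw login payload a request logger might receive.
SAMPLE_LOGIN_REQUEST = {"username": "alice", "password": "correct horse battery staple"}

# Field names that must never reach a log in plaintext (assumed list).
SENSITIVE_KEYS = ("password", "passwd", "new_password", "token")

# Matches key=value or "key": "value" forms of a credential field in a log line.
CREDENTIAL_PATTERN = re.compile(r'(?i)"?(password|passwd)"?\s*[:=]\s*"?([^",\s&]+)')


def hash_password(password, salt=None, iterations=600_000):
    """Return a self-describing PBKDF2-HMAC-SHA256 record: alg$iterations$salt$hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored record and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def redact_for_log(payload):
    """Serialize a request for logging with credential fields masked, so the
    log never holds the plaintext even if it is written before hashing."""
    masked = {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
              for k, v in payload.items()}
    return json.dumps(masked, sort_keys=True)


def scan_log_for_credentials(lines):
    """Return (line_number, key) for each log line carrying an unmasked credential."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for key, value in CREDENTIAL_PATTERN.findall(line):
            if value != "[REDACTED]":
                hits.append((number, key.lower()))
    return hits


# Constructed log lines: line 1 shows the leak, line 2 the redacted form.
SAMPLE_LOG_LINES = [
    "INFO login attempt user=alice password=hunter2",
    "INFO login attempt " + redact_for_log(SAMPLE_LOGIN_REQUEST),
    "INFO session created for alice",
]
```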

To change/reset your Twitter password, please see the following Twitter Help Center page: https://help.twitter.com/en/managing-your-account/forgotten-or-lost-password-reset. Please note that Twitter further recommends login verification via two-factor authentication as a way to further protect your Twitter account: it adds a layer of security by requiring that you enter a six-digit code sent to your mobile phone after you log in with your password. Twitter calls two-factor authentication “[T]he single best action you can take to increase your account security.” For instructions on how to set up Twitter login verification, please see the following Twitter Help Center page: https://help.twitter.com/en/managing-your-account/two-factor-authentication.

For password best practices and recommendations, please see the following Connect article, Under Lock and Passphrase.

Google Pulls Fake Ad Blockers from Chrome Web Store

Google has identified and pulled the following fake ad blockers from the Chrome Web Store: AdRemover, uBlock Plus, Adblock Pro, HD for YouTube and Webutation. These ad blockers have been downloaded in excess of 20 million times. The extensions have been disabled on Chrome instances on which they were installed. However, if you installed one of the malicious ad blockers, it is recommended that you remove it. To do so, please take the following steps:

  • Open Google Chrome and click on the three vertical dots to the right of the browser address bar, and go to More Tools, Extensions.
  • Locate the extension you wish to remove, and click Remove in the bottom left of the extension dialog.

Ad blockers have become a very popular way to remove or manage advertising content on a website, web page or mobile app. Cloning legitimate software and adding malicious features has become a common tactic of cyber criminals. In this instance, the malicious code was hidden in a copy of the jQuery JavaScript library. Infected browsers formed a browser botnet and could be made to do whatever the command-and-control server ordered.

For additional information, please see:

  • https://www.zdnet.com/article/google-cuts-fake-ad-blockers-from-chrome-store-were-you-among-20-million-fooled/
  • https://www.komando.com/happening-now/455166/google-pulls-fake-ad-blockers-were-you-one-of-the-20-million-fooled?utm_medium=nl&utm_source=alerts&utm_content=2018-04-20-article-a
  • http://www.newsweek.com/google-chrome-fake-ad-blockers-installed-20-million-users-how-check-if-you-892929

Call & Text History Logging with Facebook Messenger or Facebook Lite on Android

Android users have discovered when downloading their Facebook files, that there is a section of the download that contains details on phone calls and text messages. In response to user queries, Facebook has stated that call and text history logging are part of an opt-in feature for people using Facebook Messenger or Facebook Lite on Android, which were introduced in 2015. Facebook further states that users had to “expressly agree to use this feature”, that it could be turned off at any time, that the feature does not collect call or text message content, and information is stored securely and not sold to third parties. According to Facebook, if the app is deleted, previous call and text history will also be deleted.

Ars Technica notes “[I]f you are really concerned about privacy, you should not share address book and call-log data with any mobile application. And you may want to examine the rest of what can be found in the downloadable Facebook archive, as it includes all the advertisers that Facebook has shared your contact information with, among other things.”

The following are instructions to turn continuous syncing of contacts to Facebook Messenger off or on across all devices, should you choose to do so.

  1. From Home, tap your profile picture in the top right corner.
  2. Tap People.
  3. Tap Synced Contacts to turn this setting off/on.

The Top Seven End User Risks

The top seven end-user risks found in most organizations have been identified by SANS, and are detailed herein along with relevant NYU resources to help you combat these risks and stay secure in your work and personal lives.

Lack of situational awareness

Refers to people not realizing that they are targets. Being aware of the social engineering strategies used by scammers, and making use of awareness resources, are two ways to address a lack of situational awareness. For more information on social engineering, see the following Connect article, Social Engineering Attacks and How You Can Protect Yourself. For NYU awareness resources generally, see NYU’s Security Awareness web page. Additionally, a subscription to this blog will provide you with up-to-date and timely information on information security threats and resources (the subscription option is visible along the right side of the blog).

Phishing

Refers to the targeting of individuals or groups using email, text messaging, phone calls or social media updates/messaging. For more information on these types of attacks and recommendations on how to protect yourself, please see the following Connect article, Phishing, Spear Phishing, and Whaling.  

Password reuse

Refers to the same password being used for multiple accounts. Once a scammer steals one password, that password will be tried on a variety of sites. Do not let the compromise of one account lead to the compromise of other accounts. Each account password should be unique and lengthy (12+ characters). Password length, rather than complexity, has been shown to be the primary password safeguard. Further, consider using passphrases instead of passwords. For more information on password best practices, please see the following Connect article, Under Lock and Passphrase.

Using Unpatched or Poorly Configured Devices (BYOD)

Secure your devices by performing application and system updates/patching frequently, or as updates become available. Updates address known vulnerabilities which scammers will attempt to exploit on unpatched devices. For specific recommendations, please see the following blog post from the IT Security News & Alerts blog on Securing Your Mobile Device. Additionally, please see the following NYU KnowledgeBase articles, iPhone, iPod Touch & iPad security and Android security.

Indiscriminate Use of Mobile Media

Is a reminder to use WiFi and Bluetooth best practices (for more information, see the above-referenced blog post). Additionally:

  • No restricted data should be stored on your mobile devices. For information on NYU data classification and what comprises restricted data, please see the following webpage containing the NYU Data Classification Table.
  • Install only well-reviewed applications from reliable and trusted sources, such as Google Play or the App Store. Grant installed applications the minimum permissions necessary. If you are not comfortable with the minimum permission levels, do not install the application.

Data Leakage via Social Networking

Refers to the fact that social engineers regularly review social media sites and gather information on individuals and groups to target in attacks. For this reason, it is important to limit what you share about yourself and others. For example, none of your answers to security challenge questions, such as “what street did you grow up on?”, should be posted on social media. For tips on social media use, see the following blog post from the IT Security News & Alerts blog on Safe Social Networking.

Accidental Disclosure/Loss

Refers to the loss of mobile devices or physical media such as flash drives and to the unintended disclosure of information.

  • To avoid unintended email disclosure, a recommended best practice is to proofread the list of message recipients before sending an email as inadvertent disclosure sometimes occurs due to the auto-complete feature or use of “Reply to all” unintentionally.
  • With respect to flash drives, encrypted flash drives which require a PIN or password to access content are the most secure as the data will remain protected even if the drive is lost or stolen.
  • Please be reminded that any lost or stolen NYU provided mobile devices must be reported to NYU Public Safety at 2112-998-2222.

Reporting Tax-Related Identity Theft

As a follow-up to the blog post on Tax Identity Theft Awareness Week, please note that the FTC has the following site, https://identitytheft.gov/, where consumers can report identity theft, including tax-related identity theft. Tax-related identity theft occurs when someone uses your Social Security number to file a tax return and claim a refund. For additional information, please see the FTC Consumer Information web page on A new way to report tax identity theft.

For information on ways to prevent and recover from identity theft, please see the following Connect article:  

Protect Who You Are Online

Identity Theft Resource

As a follow-on to National Consumer Protection week, and the resources circulated as links in our blog post, please be advised of the following identity theft resource now available in Connect.

Protect Who You Are Online

Facebook’s VPN Onavo Protect, Collecting User Data

Facebook has a VPN app, Onavo Protect, for iOS and Android, offered to users as an encryption solution to safeguard all information being transmitted over public networks. It is estimated that 33 million users have installed Onavo Protect on their phones. Based on reviews, Onavo appears to be a reliable VPN service, but please be aware that this app tracks and sends user data back to Facebook even when the app is not being used. This app has been dubbed “spyware” by some commentators.

The application is accessed in Facebook by clicking on the main menu and scrolling through the “Explore” section. It displays as a light blue shield icon with the text “Protect”.

[Image: the “Protect” option in the Facebook menu. Image courtesy of Komando.com]

The following is the Onavo privacy policy, which details the types of data collected and states that if you choose to route all of your mobile data traffic through Onavo servers, it may use this data to “provide, analyze, improve and develop new and innovative services for users.” Although there’s nothing you can do about the data that has already been collected, you can stop the app from collecting your data by completely uninstalling it from your iOS or Android device.

Please be reminded that NYU VPN, which is available for use in certain locations, is available to all community members. NYU VPN will not collect information about your data usage, communications content, browsing history, transactions and sensitive information.

National Consumer Protection Week (March 4th-10th)

National Consumer Protection Week, which begins today, is an ideal time to learn more about avoiding scams and understanding your consumer rights.

Participate in Federal Trade Commission (“FTC”) live Facebook chats via information on the following FTC Consumer Information web page: https://www.consumer.ftc.gov/blog/2018/02/plan-tune-ncpw2018-facebook-live-chats

Additionally, the following are links to NCCIC/US-CERT security tips web pages:

Spectre Patches Available

Intel has released their Microcode Revision Guidance publication, which details both the availability and schedule for planned microcode updates and changes. The following processors have firmware patches ready to use in production environments:

  • Anniedale/Moorefield
  • Apollo Lake
  • Avoton/Rangeley
  • Broxton
  • Cherry View
  • Coffee Lake
  • Cougar Mountain
  • Deverton
  • Gemini Lake
  • Kaby Lake
  • Knights Landing
  • Knights Mill
  • Skylake
  • SoFIA
  • Tangier
  • Valleyview/BayTrail
  • XGold

It is recommended that users and admins of systems with affected processors review the above-referenced Intel publication and apply the relevant patches as soon as possible. Additionally, please see the NJCCIC Meltdown and Spectre Product Vulnerability and Update List for a comprehensive list of the patches and advisories.
