NYU IT Security News and Alerts

Threat to Ransom Apple Accounts

A hacking group calling itself the Turkish Crime Family has told Business Insider that it possesses approximately 600 million iCloud passwords and that it plans to reset the affected accounts on April 7th. Please note that Apple denies that any of its systems, including iCloud and Apple ID, have been breached. The credentials appear to have been collected from previously compromised third-party services. If an Apple account holder reuses the same password across multiple services, the password protecting their iCloud account is likely already circulating publicly.

Recommendations:

  • Confirm that all passwords in use are unique. Do not reuse passwords. Use long (12+ characters) and strong (letters, numbers & special characters) passwords. For password best practices recommendations, click here.
  • Turn on two factor authentication. For information on two factor authentication for your Apple ID, see https://support.apple.com/en-us/HT204915.
  • Check whether your email address appears in known data breaches at https://haveibeenpwned.com. If it does, change the password on the breached account and on every other account where you reused that password.

For more information on this threat, please see: http://www.businessinsider.com/apple-id-protect-password-from-turkish-crime-family-hack-2017-3

Pharos Printer Software Vulnerability

Due to a vulnerability, all Mac OS X users should update their Pharos Uniprint software to version 9.0.8 as soon as possible. Pharos software is used to manage remote printing; if you run Mac OS X and print to NYU IT facilities or to other facilities that use Pharos, you will need to update. If in doubt, please see the following KBase article on Print Station locations.

The vulnerability addressed by the update allows an attacker to send a crafted network packet to a machine running the software. The packet can trigger a buffer overflow in the Pharos client that gives the attacker root access. In other words, an attacker could remotely attack your machine and take complete control of it.

Pharos software may be updated directly from the NYU IT Licensed Software page (see the “NYU Print Service” section) or from the vendor support page.  For first time installers, please install from the NYU IT Licensed Software page as an initial install from this location installs the needed components and the printer object.  A version update can be successfully accomplished via the NYU IT Licensed Software page or the vendor support page.

Phishing Email Purporting to be from NYU HR

Please be advised that the following email, purporting to come from NYU HR, is a phishing attempt. Please do not click on the embedded link or reply to the message.

Please note the following:

  • HR@nyu.edu is not a legitimate NYU email address.
  • Even though the embedded link contains the recognizable element “shibboleth.nyu”, please be reminded that the legitimate login page is https://shibboleth.nyu.edu and nothing else: the host name of the link must be exactly shibboleth.nyu.edu. Any variation (extra words before or after it, a different ending, or the name appearing only later in the URL) indicates a malicious link. Hover over the link to see where it really points before you click.
  • With email that appears to come from a legitimate address, you can confirm the sender’s actual email address by hovering over (or expanding) the sender’s name in the received message. If the displayed name and the actual address disagree, the email is forged. The reverse does not hold: a correct-looking sender address alone does not prove a message is genuine, because the From address itself can be faked.
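As an added illustration of the link check above (example code written for this page, not part of the NYU alert), the following Python function decides whether a link really points at the expected login host. It treats only an https URL whose host is exactly shibboleth.nyu.edu as legitimate, and explains the common ways a look-alike is built. The look-alike URLs in it are constructed for the example and are not the link from the phishing message.

```python
"""Link-target check for phishing triage (added example; the look-alike URLs
below are constructed and are not the ones from the real phishing message)."""
from typing import Tuple
from urllib.parse import urlsplit

# The only legitimate host for the NYU login page named in the alert.
EXPECTED_LOGIN_HOST = "shibboleth.nyu.edu"


def classify_link(href: str, expected_host: str = EXPECTED_LOGIN_HOST) -> Tuple[bool, str]:
    """Return (is_expected, reason).

    A link passes only if it uses https and its *host* is exactly
    expected_host. The path and query string never influence the decision,
    because an attacker can place the expected name anywhere except the host.
    Only ASCII host names are compared; internationalized look-alikes
    (homoglyphs) would additionally need punycode-aware comparison.
    """
    parts = urlsplit(href.strip())
    # .hostname is lower-cased and excludes userinfo ("user@") and the port,
    # so "https://shibboleth.nyu.edu@evil.example/" resolves to evil.example.
    host = (parts.hostname or "").rstrip(".")

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or '(none)'}, not https"
    if not host:
        return False, "URL has no host"
    if host == expected_host:
        return True, f"host is exactly {expected_host}"

    # Explain the most common ways a look-alike is constructed.
    if parts.username and expected_host in parts.username:
        return False, (f"'{parts.username}@' is userinfo, not the host; "
                       f"the browser will connect to {host}")
    if host.endswith("." + expected_host):
        return False, f"{host} is a subdomain of {expected_host}, not the login host itself"
    if expected_host in host:
        return False, f"look-alike host {host} embeds the expected name"
    if expected_host in parts.path:
        return False, f"expected name appears only in the path; host is {host}"
    return False, f"host is {host}"


# Constructed sample links for the demonstration (not from the real message).
SAMPLE_LINKS = [
    "https://shibboleth.nyu.edu/idp/profile/SAML2/Redirect/SSO",
    "https://SHIBBOLETH.NYU.EDU:443/idp/",
    "http://shibboleth.nyu.edu/idp/",
    "https://shibboleth.nyu.edu.attacker.example/idp/",
    "https://shibboleth-nyu.edu/idp/",
    "https://shibboleth.nyu.edu@attacker.example/idp/",
    "https://attacker.example/shibboleth.nyu.edu/idp/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = classify_link(link)
        print(f"{'OK     ' if ok else 'SUSPECT'} {link}\n         {why}")
```

The check deliberately ignores everything after the host: an attacker controls the path, so “shibboleth.nyu.edu” appearing in it proves nothing. Case differences and an explicit port are harmless and are normalized away by urlsplit.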

If you received this message and clicked on the embedded link and supplied your credentials at the spoofed login prompt, please take the following steps:

Technical Support Scams

We have noted a recent uptick in technical support scams in which scammers pose as Microsoft or Apple support. Users are either contacted directly by the scammers, or receive a web pop-up or an on-screen recorded message asking them to “phone in”, and are then offered “assistance” (usually for a fee) with virus removal.

The following is an example of a Microsoft web pop-up scam that may appear as users browse the internet. These pop-ups are often not easy to close, and it is not advisable to click on any pop-up element, including its own “close” button. To close a suspicious pop-up, we recommend that you exit the browser. It may be necessary to force quit the browser (Ctrl+Alt+Delete to reach Task Manager on Windows, or Command+Option+Esc on a Mac) or to restart your computer.

The following is an example of an Apple browser scam:

Please note that Microsoft states that its error and warning messages never include a phone number, and neither Microsoft nor Apple will proactively reach out to you to provide unsolicited support.

The goals of support scammers may include:

  • Obtaining credit card information in connection with phony services, which may involve directing you to fraudulent websites.
  • An attempt to gain remote access to your device by asking you to visit legitimate remote-access websites, such as www.ammyy.com, and download software that will allow the scammer to take control of your device. Once in control, a scammer may seek confidential information or change your settings to leave your computer vulnerable.
  • Tricking you into installing malware (a/k/a malicious software) to capture keystrokes and other sensitive data.

User recommendations:

  • Never give your credit card information or other sensitive information to anyone claiming to be from Apple or Microsoft support. Instead, note the caller’s name, phone number and any other identifying information so that you may report it to the local authorities.
  • Never allow another party to take control of your device unless you can confirm that the caller is a legitimate representative of a support team with whom you are a customer or supported user.
  • Be wary of installing software based on the recommendation of purported Tech Support, as the software will likely come with malware.
  • Scan your computer with Symantec antivirus software, which will protect you by screening out known malware. You can find the link to download antivirus software (Symantec Endpoint Protection) on Global Home’s Antivirus and Malware Protection card. On classic NYU Home, click the Ask NYU IT button. A link to download Symantec Endpoint Protection is located in the “Software” section.
  • If you provided account credentials or suspect that your credentials may have been compromised, immediately reset your passwords, choosing a long (12+ characters), strong and unique password for each account. For instructions on changing your NYU credentials, please see Changing your NetID/NYU Home password.

Reporting scams:

  • If working on campus, you can report the incident to the NYU IT Service Desk at 212.998.3333 or askit@nyu.edu. The ITSD will work with the OIS to ensure all necessary steps have been taken to protect/secure your device.
  • If working off campus, scan your device using Symantec antivirus software (see user recommendations above).
  • In the U.S. you may report scams using the FTC Complaint Assistant.


Information Security Tips for Travel!

Our mobile devices are rich with our personal information – contacts, photos, videos, location data, and other sensitive information. The following are tips and recommendations to safeguard your devices and information when you’re “on the go”!

Before traveling:

  • Consider using temporary devices such as a prepaid cell phone. If traveling on business, consider using a clean, inexpensive laptop or a “loaner” laptop. If you opt to take your personal devices with you, remove confidential, restricted and protected data before you leave.
  • Make sure that your mobile phone has a device finder/manager with remote wipe capability, and that you know how to perform a remote wipe.
  • Ensure that the operating system and applications on every device you take are fully updated and patched prior to your departure.
  • Make copies of travel documents and credit cards you plan to use. Leave copies with a family member or friend in case the items get lost or stolen.
  • Wait until you’re home to post details about your trip on social media. Announcements made beforehand or while traveling can make you a target for theft.

While traveling:

  • Access NYU-NET via VPN whenever possible for a secure encrypted connection. For more information about VPN, including locations in which it is offered, click here.  Please note that VPN usage is prohibited in Sudan, Syria and North Korea, absent authorization from the U.S. Government.
  • Protect all devices and identity documents. If possible, keep your devices with you at all times.  Don’t assume they’ll be protected in a hotel safe or in your hotel room.
  • Only use an ATM if you have no other option. Instead, work with a teller during bank operating hours. If you must use an ATM, check for skimming devices, and attempt to securely enter your PIN, by covering or shielding the keypad as you type.
  • Protect your devices with strong passwords/passcodes or Touch ID. For password tips and recommendations, please click here.
  • Disable Wi-Fi and Bluetooth when not in use to prevent auto-connection to open networks or other devices.
  • Be wary of prompts to install “updates” while traveling, especially on public networks: a fake update prompt is a common way to deliver malware. Install updates only through your device’s built-in update mechanism, ideally before you depart.
  • Be wary of computers in public areas, such as hotels, conference centers and cyber cafes. If you use such a device, do not log into email or other sensitive accounts.  Public devices may be loaded with keystroke loggers and other malware.
  • Be alert to scams targeting hotel guests. If you should receive a call about a problem with your credit card, do not provide your card number to the caller over the phone. Instead, visit the hotel front desk.

When you return from travel:

  • Change any passwords that you may have used abroad.
  • Run full antivirus scan on your devices.
  • Review your credit card statements to confirm there are no discrepancies.
  • If you downloaded any apps specifically for your trip, remove them.

Resources:

WordPress Critical Vulnerability (Versions 4.7.0 & 4.7.1)

For Staff, Faculty and Students running personal or departmental installations of WordPress:
If you have not already done so, it is critical that you upgrade to WordPress version 4.7.2, which was released on 1/26/17. This upgrade fixes a bug in the REST API that allows unauthenticated attackers to bypass WordPress’s authorization checks and edit the titles and content of posts and pages. The web security firm Wordfence reports that over 1.5 million WordPress pages have been defaced by 20 hacking groups; 800,000 sites have been defaced in the last 48 hours alone.

For people using NYU’s central version of WordPress on http://wp.nyu.edu, the version is already up to date, and you do not need to take additional action.

You can confirm the version of WordPress that you are running in the administrative view. The Dashboard view will display the version running as follows:

If you are not running NYU’s central version of WordPress, and have questions concerning the version you are running or upgrading to version 4.7.2, please consult your local tech support.

For more information, please see:

1) https://www.bleepingcomputer.com/news/security/attacks-on-wordpress-sites-intensify-as-hackers-deface-over-1-5-million-pages/
2) http://www.welivesecurity.com/2017/02/08/100000-wordpress-webpages-defaced-recently-patched-vulnerability-exploited/

Don’t Fall for the Social Engineering Bait!

Expect social engineering attacks in all shapes, sizes and disguises! These attacks do not occur only through e-mail. The following are a few ways to identify social engineering attacks and their telltale signs:

  • Phishing isn’t limited to e-mail
    Cybercriminals also launch phishing attacks through phone calls, text messages, and online messaging applications. Don’t know the sender or caller? Does it seem too good to be true? It’s probably a phishing scam.
  • Know the signs
    Does an e-mail contain spelling and grammatical errors, a call to immediate action, or a request for sensitive or confidential information?  It’s probably a phishing scam. If in doubt, call the sender at a trusted phone number to confirm the legitimacy of the message received.
  • Verify the sender
    Confirm the legitimacy of the sender’s e-mail address, and be suspicious of e-mail that does not come from the usual contact point for a sender. Hovering over the sender’s name reveals the actual address behind it. For example, if the sender displays as chase.com but the address that appears on hover is chase@yahoo.com, the message is forged/spoofed.
  • Don’t be duped by aesthetics
    Phishing e-mails often contain convincing/familiar logos, links, legitimate phone numbers, and e-mail signatures of actual employees. However, exercise caution when any e-mail calls for urgent action or the disclosure of sensitive information. Look for the telltale signs of phishing before you click on any embedded elements or open any attachments. If in doubt, call the sender at a trusted phone number to confirm the legitimacy of the message received.
  • Never, ever share your passwords. Did we say never? Yup, never!
    Your passwords are identifying data, and the key to your data and the data of others to which you may have access. Remember NYU IT will never ask for your login credentials.
  • Don’t talk to strangers!
    Receiving calls from people you don’t know?  Are they asking you to provide information or making odd requests? Hang up or verify the legitimacy of the call by using a trusted phone number to contact the caller.
  • Don’t be tempted by abandoned flash drives
    Cybercriminals may leave flash drives lying around for people to pick up and use. When inserted into a device, such a flash drive can install malware, for example a keystroke logger designed to steal credentials. You may be tempted to insert a found flash drive to identify its rightful owner. Be wary: it could be a trap.
  • See someone suspicious? Say something
    If you notice someone suspicious walking around or “tailgating” someone to gain access to a locked area, call NYU Public Safety at 212-998-2222.
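The “verify the sender” advice above, and the same point made earlier about the NYU HR phishing message, both come down to comparing what a From: header displays with the address it actually carries. As an added example (written for this page, not part of the NYU alerts), the Python below performs that comparison. All sample headers in it are constructed for illustration.

```python
"""Sender-display check for phishing triage (added example; every header
below is constructed for illustration, none is from a real message)."""
import re
from typing import Set, Tuple

# "Display Name <local@domain>" or a bare "local@domain".
_NAME_ADDR_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$")
_BARE_ADDR_RE = re.compile(r"^\s*(?P<addr>[^<>\s]+@[^<>\s]+)\s*$")
# Anything in a display name that looks like a domain (chase.com, nyu.edu, ...).
_DOMAIN_IN_NAME_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def split_from(header: str) -> Tuple[str, str]:
    """Return (display_name, actual_address) for a From: header value.

    The address inside the angle brackets is what a mail client shows on hover;
    the text before them is what it shows by default.
    """
    m = _NAME_ADDR_RE.match(header) or _BARE_ADDR_RE.match(header)
    if not m:
        raise ValueError(f"not a parseable From: value: {header!r}")
    name = m.groupdict().get("name") or ""
    return name.strip().strip('"'), m.group("addr")


def registrable(domain: str) -> str:
    """Reduce mail.chase-mail.example to chase-mail.example.

    Deliberately naive (last two labels): right for .com/.edu style names,
    wrong for e.g. .co.uk. A production check would use the Public Suffix List.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_from(header: str) -> Tuple[bool, str]:
    """Does the display name claim an organization the address does not belong to?

    Returns (consistent, reason). True only means the header is not
    self-contradictory; the From: field itself can be forged, so a consistent
    header proves nothing about who actually sent the message.
    """
    name, addr = split_from(header)
    actual = registrable(addr.rsplit("@", 1)[1])
    claimed: Set[str] = {registrable(d) for d in _DOMAIN_IN_NAME_RE.findall(name)}
    if claimed and actual not in claimed:
        return False, (f"display name claims {', '.join(sorted(claimed))} "
                       f"but the real address is at {actual}")
    return True, f"address is at {actual}; display name makes no conflicting claim"


# Constructed sample From: values.
SAMPLE_HEADERS = [
    "chase.com <chase@yahoo.com>",                      # the page's example
    '"security@chase.com" <alerts@chase-mail.example>',  # address-as-display-name trick
    "NYU IT Service Desk <askit@nyu.edu>",
    "Amazon.com Customer Service <no-reply@amazon.com>",
    "askit@nyu.edu",
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        ok, why = check_from(hdr)
        print(f"{'ok     ' if ok else 'FORGED?'} {hdr}\n        {why}")
```

A display name with no domain in it (“Chase Bank”) cannot be contradicted by this check, so a human still has to ask whether a bank would write from a yahoo.com address; the function only automates the hover comparison the text describes.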

Suspected phishing messages may be reported to phishing@nyu.edu

SANS Video of the Month – Creating a Cybersecure Home

Please see the following SANS video of the month for tips on creating a cybersecure home!  The video run-time is 3 minutes and 45 seconds, and the video reviews how to secure your home WiFi network and all of the personal devices connected to it.  This video will be available for viewing throughout the month of February.


Update #2: Cisco WebEx Browser Extension Remote Code Execution Vulnerability

The vulnerability announced earlier (please click here and here for more information) impacts not only Google Chrome but other browsers on the Windows platform. Please see the instructions below to check whether you have the newest release:

Google Chrome
Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017 and contains a fix for this vulnerability. Chrome users can ensure they are using the fixed version of the Cisco WebEx Extension for Google Chrome by doing the following:

  1. In Chrome, open the Settings page
  2. Click Extensions
  3. Select the Developer mode checkbox
  4. Click Update extensions now
  5. Restart the Chrome browser

Microsoft Internet Explorer
Version 10031.6.2017.0126 of the GpcContainer Class for Microsoft Internet Explorer was released on January 28, 2017 and contains a fix for this vulnerability. Internet Explorer users can ensure they are using the first fixed or later version of the GpcContainer Class for Internet Explorer by:

  1. In Internet Explorer, select the Tools button
  2. Select Manage add-ons
  3. Select All add-ons from the Show drop-down menu
  4. Select the GpcContainer Class add-on under Cisco WebEx LLC

The version number is displayed at the bottom of the Manage Add-ons window.

Mozilla Firefox
Version 106 of the ActiveTouch General Plugin Container (10031.6.2017.127) for Mozilla Firefox was released on January 28, 2017 and contains a fix for this vulnerability. Mozilla users can ensure they are using the first fixed or later version of the ActiveTouch General Plugin Container for Mozilla by:

  1. Clicking the menu button (three horizontal bars on the upper right of the application) and selecting Add-ons
  2. In the Add-ons Manager tab, click the Plugins panel
  3. Locate the ActiveTouch General Plugin Container in the list of Plugins and click on the More link to obtain the version information

For a full explanation, please see:  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex
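Several alerts on this page ask you to confirm that an installed version is at or above a first fixed release: Pharos Uniprint 9.0.8, WordPress 4.7.2, and for WebEx 1.0.7 (Chrome) and 10031.6.2017.0126 (Internet Explorer). As an added example, not part of the alerts, the Python below compares versions component by component, avoiding the usual mistake of comparing version strings as text, where "4.7.10" sorts before "4.7.2". The table of fixed versions is taken from this page; the installed versions fed to it are constructed.

```python
"""Numeric version comparison for patch-status checks (added example)."""
import re
from typing import Dict, Tuple

# First fixed releases named in the alerts on this page.
FIRST_FIXED: Dict[str, str] = {
    "Pharos Uniprint (Mac OS X)": "9.0.8",
    "WordPress": "4.7.2",
    "Cisco WebEx Extension (Chrome)": "1.0.7",
    "GpcContainer Class (Internet Explorer)": "10031.6.2017.0126",
}


def version_key(version: str) -> Tuple[int, ...]:
    """'10031.6.2017.0126' -> (10031, 6, 2017, 126).

    Each dot-separated component is compared as an integer, so leading zeros
    are irrelevant and 10 > 2. Parsing stops at the first component that does
    not start with digits ('4.7.2-beta1' -> (4, 7, 2)).
    """
    key = []
    for component in version.strip().split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        key.append(int(m.group()))
    return tuple(key)


def is_patched(installed: str, first_fixed: str) -> bool:
    """True if installed >= first_fixed, treating missing components as 0
    (so '9.1' >= '9.0.8' and '9.0.8' == '9.0.8.0')."""
    a, b = version_key(installed), version_key(first_fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def patch_status(product: str, installed: str) -> str:
    """One-line verdict for a product from the FIRST_FIXED table."""
    fixed = FIRST_FIXED[product]
    verdict = "up to date" if is_patched(installed, fixed) else "VULNERABLE - update"
    return f"{product}: installed {installed}, first fixed {fixed}: {verdict}"


if __name__ == "__main__":
    # Constructed installed versions, not readings from any real machine.
    for product, installed in [
        ("WordPress", "4.7.1"),
        ("WordPress", "4.7.10"),
        ("Cisco WebEx Extension (Chrome)", "1.0.7"),
        ("GpcContainer Class (Internet Explorer)", "10031.6.2017.0125"),
        ("Pharos Uniprint (Mac OS X)", "9.1"),
    ]:
        print(patch_status(product, installed))
    # The pitfall this avoids: plain string comparison gets 4.7.10 wrong.
    print("'4.7.10' < '4.7.2' as strings:", "4.7.10" < "4.7.2")
```

The zero-padding matters for the Pharos and WordPress cases, where a later release may have fewer components than the fixed version (9.1 versus 9.0.8); the integer conversion matters for the Internet Explorer case, where a leading zero in 0126 would otherwise break a textual comparison.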