NYU IT Security News and Alerts

Equifax Breach Update

The Equifax breach, disclosed in September of last year, affected the personal data of approximately 145 million consumers and appears to have exposed more data than initially reported. Equifax had already confirmed the loss of Social Security numbers, birth dates, home addresses, credit-score dispute forms and, in some instances, credit card and driver's license numbers. According to a document Equifax recently submitted to the Senate Banking Committee, the attackers were also found to have accessed tax identification numbers, email addresses, phone numbers, credit card expiration dates and the issuing states of driver's licenses.

Using the following Equifax site, https://www.equifaxsecurity2017.com, you can check whether your personal information has been impacted. The site lists options for consumers such as obtaining a credit report, placing a freeze or lock on your credit report (with information regarding the distinction between these two options) and placing a fraud alert or an extended fraud alert on your credit report.

Related post:

FTC Issues Alert on Equifax Phishing Scams

Recent Uptick in Phishing Messages Using URL Shorteners

There has been a recent uptick in phishing email campaigns that use popular URL shortening services such as bit.ly, ow.ly, goo.gl and t.co to embed malicious links in email messages. This is a common ploy because a shortened URL masks the true destination of the link.

These phishing messages often appear to come from a familiar entity, such as your bank, and the embedded links, if clicked, lead to sites that look legitimate and ask for login credentials. Once credentials are entered on the spoofed site, they are captured by the attacker and the user is redirected to the legitimate site, so the theft is easy to miss.

If you believe you have fallen victim to this type of scam, change your password on the affected account as soon as possible and notify the business or entity of any fraudulent activity. To safeguard yourself against these phishing attacks, never enter login credentials via embedded links in unsolicited email. If in doubt about the legitimacy of a message, contact the sender at a phone number you already trust. Also check the browser address bar: a legitimate, secure site shows "https://" and a locked padlock (and, for sites with extended validation certificates, the business name beside the padlock). Keep in mind, however, that the padlock only means the connection is encrypted; phishing sites routinely use HTTPS too, so confirm that the domain name itself is the one you expect.

Shortened URLs can be easily checked or expanded using link expander services. The expanded URL is the true destination URL. For more information on using link expanders, please see the following Connect Article:

https://wp.nyu.edu/connect/2017/12/12/the-skinny-on-short-links/
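
Expanding a short link can also be scripted rather than done by hand. The following is an added example, not the Connect article's tool or NYU code: it issues HEAD requests with redirect-following disabled so that every hop in the chain is recorded, stops on loops or unusually long chains, and lists the hostnames traversed. The `short.example`, `track.example` and `bank-login.example` chain is constructed so the script runs offline; the default `http_head` fetcher resolves a real link.

```python
"""Resolve a shortened link hop by hop without letting the HTTP client
auto-follow redirects, so every intermediate tracker and the true final
destination are visible before anyone clicks.

Added example for this post (not NYU's own tooling). `fetch` is injectable:
`http_head` does real HEAD requests; `fake_fetch` replays a constructed
redirect chain so the resolver can be run offline.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """Send one HEAD request; return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here because of _NoRedirect
        return err.code, err.headers.get("Location")


def expand(url, fetch=http_head, max_hops=10):
    """Follow redirects from `url`. Returns (final_url, chain).

    Stops at the first non-redirect response. A loop or a chain longer than
    `max_hops` raises ValueError: both are red flags in their own right.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain[-1], chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects from {url}")


def hosts_changed(chain):
    """Distinct hostnames in the chain, in order: where the link really ends up."""
    seen = []
    for u in chain:
        host = urlsplit(u).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


# Constructed chain (hypothetical domains) standing in for a live shortener.
FAKE_CHAIN = {
    "https://short.example/aB3": (301, "https://track.example/c?id=42"),
    "https://track.example/c?id=42": (302, "/go/7"),
    "https://track.example/go/7": (307, "https://bank-login.example/secure"),
}


def fake_fetch(url):
    """Offline stand-in for http_head: anything not in the chain is a 200."""
    return FAKE_CHAIN.get(url, (200, None))


if __name__ == "__main__":
    final, chain = expand("https://short.example/aB3", fake_fetch)
    for hop in chain:
        print("  ->", hop)
    print("final destination:", final)
    print("hosts traversed:", hosts_changed(chain))
```

For a live link call `expand("https://...")` with the default fetcher. A final host that does not match the brand named in the email is the signal the post describes. Some shorteners return the destination inside a 200 preview page rather than a 3xx, so a 200 result whose host is still the shortener warrants a manual look.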

Related post: https://wp.nyu.edu/itsecurity/2018/01/12/phishing-campaigns-crafted-to-steal-login-credentials/

Tax Identity Theft Awareness Week

January 29th through February 2nd is Tax Identity Theft Awareness Week. Tax identity theft occurs when someone uses your Social Security number to get a job or a tax refund. The IRS may contact you about wages from an unknown employer, or inform you that more than one tax return was filed in your name. Learn how to protect yourself from tax-related identity theft and IRS imposter scams.

Annual Data Privacy Day, January 28th

January 28th marks Data Privacy Day, which focuses on safeguarding data. In keeping with that mission, please be reminded of the following data protection guidelines and best practices:

Data Classification
The data you work with is classified according to the NYU Data Classification Table as follows:

  • Restricted
  • Protected
  • Confidential
  • Public

The applicable data class determines how the data you work with may be stored and transmitted. For examples of the types of data in each class, please see the Data Classification Table.

  • Restricted data may be stored and shared via NYU Box. Please keep in mind that restricted data should not be stored or transmitted on mobile devices.
  • Data in the protected and confidential categories may be stored and shared via NYU Google Apps. There are no restrictions governing the storage and sharing of public data.

Passwords
Use a unique password for each account or site so that the compromise of one account does not lead to the compromise of others. Attackers routinely try credentials stolen from one site against many other sites (credential stuffing).

  • Use of a password manager is the best way to manage and store your many passwords. For more information on password managers and password best practices, please see the following Connect article, Under Lock and Passphrase.

Social Media
Remember the maxim “once posted, always posted”. Therefore, be selective about what you share online, and safeguard others as well as yourself. Be sure to check/customize the privacy settings of your social media accounts to prevent unintended sharing.

  • For information on managing your privacy settings for Facebook, Twitter, LinkedIn, Instagram and Pinterest, click here.
  • Never share information on social media that you’ve used to answer a security challenge question, such as, “What street did you grow up on?”. Scammers review social media posts and use the information gleaned in targeted attacks.

WiFi Networks
Always use trusted password protected WiFi networks such as NYU WiFi. Additionally, use of NYU VPN (available in certain off-campus locations) further protects your data and is required when accessing certain NYU services outside of NYU-Net.

  • WiFi networks for which the passwords are displayed are not secure.

NYU Multi-Factor Authentication
Use NYU Multi-Factor Authentication, which protects your data by adding a second layer of security when authenticating to NYU systems and services. Use of MFA is now required when authenticating to certain NYU systems and services.

  • Register at least two devices. One of the devices you register should be a device that you always have with you (a smartphone or a simple cell phone).
  • Additionally, use of the Duo mobile app will allow you to authenticate even when you don’t have cell or internet service, or if you’re traveling internationally.

Back-ups
Back up your data regularly, and periodically confirm that the backups are completing as expected. The best way to recover from certain malware infections, ransomware in particular, is to wipe the device and restore from backup, so keep at least one backup copy disconnected from the device where malware cannot reach it.

  • If backing-up or saving data to a flash drive, consider using an encrypted flash drive, such as an IronKey flash drive.

Mobile Devices

  • Do not share your passcode, and set your device's screen to auto-lock after a short interval, such as 30 seconds.
  • Turn off WiFi when not in use or use the “Ask to join networks” setting which will not allow your device to auto-connect to open networks.
  • Turn off bluetooth when not in use.
  • Update the device operating system as updates become available. Updates address security vulnerabilities.
  • Understand how to perform a remote wipe of your device in case your device is either lost or stolen.

Mobile Apps
Install only known and well-reviewed mobile apps from reliable sources such as Google Play or Apple's App Store, which screen the apps they offer. Additionally:

  • Review the permissions associated with mobile apps carefully before you install, and grant the minimum permissions necessary.
  • Update apps as soon as updates become available as updates address security vulnerabilities.
  • Uninstall apps no longer in use.

Meltdown & Spectre Update

As an update to our January 4th post, Computer Chip Vulnerabilities: Meltdown & Spectre, both vulnerabilities stem from a design flaw in the processor hardware, and a complete fix will ultimately require changes at that level. Operating system patches address the known Meltdown attacks; Spectre has no complete fix yet. Although it remains important to keep applying updates as they are released, no hardware-level fix has been implemented, and even when one ships, many IoT, custom and legacy systems are likely to remain vulnerable.

In terms of detection, Check Point reports that both types of attack can be detected with high confidence by monitoring patterns and events at the CPU level. For details on detecting Meltdown and Spectre attacks, please see:

https://research.checkpoint.com/detection-meltdown-spectre-vulnerabilities-using-checkpoint-cpu-level-technology/
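
As an added check (not from the NYU post), the following script asks a Linux kernel which of these mitigations it reports. Kernels from 4.15 onward expose the status under /sys/devices/system/cpu/vulnerabilities/, one file per issue; the sample lines used when that directory is absent are constructed and assume the documented format.

```python
"""Ask the running Linux kernel which Meltdown/Spectre mitigations it reports.

Added example (not from the NYU post). Since 4.15 the kernel exposes one file
per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown,
spectre_v1, spectre_v2, ...), each containing 'Not affected',
'Vulnerable[: detail]' or 'Mitigation: <name>'. Parsing is separated from
file reading so it can be exercised on constructed input.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(line):
    """Return 'not_affected', 'mitigated' or 'vulnerable'. Unrecognised text
    is treated as vulnerable so an unexpected format never reads as a pass."""
    text = line.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"


def summarize(entries):
    """entries: {issue: raw sysfs line}. Returns {issue: (raw, classification)}."""
    return {name: (raw.strip(), classify(raw)) for name, raw in sorted(entries.items())}


def read_sysfs(directory=SYSFS_DIR):
    """Read every status file. Returns {} if the interface is absent (kernel
    older than 4.15, or not Linux); for patch tracking treat that as unknown,
    i.e. assume unpatched."""
    if not os.path.isdir(directory):
        return {}
    entries = {}
    for name in os.listdir(directory):
        with open(os.path.join(directory, name)) as fh:
            entries[name] = fh.read()
    return summarize(entries)


def still_vulnerable(status):
    """Names of the issues the kernel reports as unmitigated."""
    return [name for name, (_, cls) in status.items() if cls == "vulnerable"]


# Constructed sample in the sysfs format: a kernel with the Meltdown fix
# (page-table isolation) applied but no Spectre mitigation in place.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    # Real sysfs on Linux 4.15+; the constructed sample elsewhere.
    status = read_sysfs() or summarize(SAMPLE)
    for name, (raw, cls) in status.items():
        print(f"{name:<12} {cls:<13} {raw}")
    print("needs attention:", still_vulnerable(status))
```

On Windows the equivalent is Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which also reports whether the firmware microcode needed for the Spectre variant 2 mitigation is present; either way, an "unknown" answer should be tracked as unpatched rather than ignored.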

Phishing Campaigns Crafted to Steal Login Credentials

Be on the lookout for phishing campaigns crafted to steal your login credentials. They arrive as unsolicited email purporting to come from a known business, entity or service; current campaigns impersonate Amazon and Microsoft Outlook Web Access (OWA). These emails ask you to click an embedded link and enter your login credentials. The link leads to a well-crafted phishing website built to capture what you type; after you submit your credentials, it redirects you to the legitimate website and prompts you to log in again, which makes the theft easy to miss.

Please be reminded to look at your browser's address bar. A secure site shows "https" and a lock symbol (and, for sites with extended validation certificates, the business name beside the lock), but the lock only confirms that the connection is encrypted. Phishing sites can and do use HTTPS, so verify that the domain name itself belongs to the service you expect.

If you suspect you have fallen victim to this scam, change your password for the service at issue as soon as possible, reaching the provider's website via a known and trusted URL that you type into the browser's address bar yourself.
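
The following is an added example (not part of the NYU post, and serving both this post and the URL shortener post above) of the check the address-bar advice is meant to trigger: parse the link with a real URL parser and test whether the host is the expected domain or a subdomain of it. `bank.example`, `evil.test` and the other domains are made up.

```python
"""Check whether a link really points at the service it claims to, instead
of trusting the padlock. Added example for the phishing posts (not NYU's own
code); `bank.example` and the other domains are made up.

The padlock only says the connection to *some* host is encrypted. The check
that matters is whether that host is the expected domain or a subdomain of
it, decided by a URL parser rather than a substring match.
"""
from urllib.parse import urlsplit


def hostname_of(url):
    """Lowercase host the browser will actually connect to, or None.
    urlsplit strips userinfo and port, so 'https://bank.example@evil.test/'
    yields 'evil.test', not 'bank.example'."""
    return urlsplit(url).hostname


def is_expected_site(url, expected_domain):
    """True only if the host is expected_domain or ends with '.expected_domain'.
    A substring test such as 'bank.example' in url would also accept
    'bank.example.evil.test' and 'evil.test/bank.example', the usual tricks."""
    host = hostname_of(url)
    if not host:
        return False
    expected = expected_domain.lower().rstrip(".")
    host = host.rstrip(".")
    return host == expected or host.endswith("." + expected)


def suspicious_signs(url, expected_domain):
    """Reasons not to trust the link. An empty list means no red flag was
    found, which is not the same as proof that the site is genuine."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    signs = []
    if parts.scheme != "https":
        signs.append("not https")
    if parts.username is not None:
        signs.append("'user@' text placed before the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        signs.append("punycode label: possible look-alike characters")
    if host.replace(".", "").isdigit():
        signs.append("bare IP address instead of a domain name")
    if not is_expected_site(url, expected_domain):
        signs.append(f"host {host!r} is not {expected_domain}")
    return signs


# Constructed links: the first is genuine, the rest are typical phishing shapes.
SAMPLES = [
    "https://www.bank.example/login",
    "https://bank.example.evil.test/login",
    "https://evil.test/bank.example/login",
    "https://bank.example@evil.test/login",
    "http://192.0.2.10/bank.example/login",
    "https://xn--bnk-2na.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = suspicious_signs(link, "bank.example")
        print(f"{link:45} {'OK' if not verdict else '; '.join(verdict)}")
```

The same function can be applied to the final URL returned by a link expander: a short link is only as trustworthy as the host it ultimately lands on.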


Adobe Flash Player Security Updates Available

Please note that Adobe has released security updates to address a vulnerability in Flash Player. An attacker could exploit this vulnerability to gain access to sensitive information. We recommend that users and administrators apply the updates.

Securing Your Mobile Devices

Safeguard the valuable data on your mobile devices with the following tips:

  • Secure mobile devices with strong passwords (long, unique and difficult to guess) or a biometric unlock such as Touch ID, and do not share your passwords.
  • Enroll your devices (smartphones or tablets) in NYU Multi-Factor Authentication (NYU MFA). MFA adds a second layer of security after authentication with your NYU NetID and password and protects sensitive data in NYU systems.
  • Use password-protected WiFi, such as NYU WiFi. Do not use open WiFi hotspots, as your device and data may be compromised. Note that WiFi networks whose password is displayed for everyone to see and use are not secure either.
  • When using password protected WiFi, be sure to obtain the WiFi password directly from a trusted source (e.g., an employee of the organization or business).
  • Ensure your WiFi is set to ask for your permission before joining open networks.
  • Disable WiFi and Bluetooth when not in use. It is advisable not to use Bluetooth in public places.
  • Be aware of who is around you as you access data. Use screen guards on laptops and tablets whenever possible.
  • Regularly update applications and your device operating system. Hackers seek to exploit vulnerabilities which have been addressed by updates.
  • Remove applications no longer in use.
  • Only install known and trusted applications from trusted sources (e.g., Apple's App Store or Google Play). Additionally, restrict what applications can access, granting only the minimum permissions necessary.
  • Check the application's rating, reviews and comments before downloading.
  • Treat your devices like valuable assets and don’t let them out of your sight or grasp in public places.
  • Lost or stolen NYU provided mobile devices should be reported to NYU Public Safety, 212.998.2222.

Malicious Android Apps Harvest Data, Bombard Users with Spam & Track User Locations

Thirty-six apps that were available via Google Play were recently found to harvest user data, track users' locations and bombard them with spam. Trend Micro reported the apps to Google, and all of them have been removed from Google Play. The apps checked the device model and did not run their malicious routines on certain devices (Google Nexus 6P, Xiaomi MI 4LTE, ZTE N958St and LGE LG-H525n), presumably to avoid detection during review.

The malicious apps posed as security tools and advertised a wide variety of functions, including scanning, junk cleaning, message security and WiFi security. The apps did perform the advertised functions, but they also harvested data, bombarded users with spam and tracked their locations.

According to Trend Micro, the tell-tale sign of one of these malicious apps is that after installation it does not appear in the device launcher's list of apps and adds no shortcut to the home screen, yet the device starts showing alarmist, false security warnings and pop-up messages designed to make the app seem legitimate. If you installed a security-related app from Google Play and your device is behaving this way, we recommend that you consult your device manufacturer and perform a wipe of the device.

For more information, please see: http://blog.trendmicro.com/trendlabs-security-intelligence/apps-disguised-security-tools-bombard-users-ads-track-users-location/

Our recommendation regarding mobile apps continues to be to download apps only from trusted sources, such as Google Play and Apple's App Store. These sources do screen the apps they offer, but, as this case shows, the process is not foolproof. Additionally:

  • install only known and trusted apps that have many positive user reviews and comments;
  • review the permissions requested during installation carefully, and always grant the minimum permissions necessary;
  • update apps as soon as updates become available, since updates address known security vulnerabilities.

Computer Chip Vulnerabilities: Meltdown & Spectre

Security vulnerabilities have been identified in processors manufactured by Intel, ARM and AMD. The specific vulnerabilities are as follows:

  • The “Meltdown” bug allows an ordinary user process to read protected kernel memory, essentially a privilege escalation attack. It affects machines with Intel x86 processors regardless of operating system (Mac, Windows and Linux). Because the kernel normally maps all of physical memory, a successful exploit can read the contents of that memory, including passwords and cryptographic keys belonging to other processes.
  • The “Spectre” bug breaks down the isolation between different applications: an attacker can trick a correctly written process into leaking its own secrets. Spectre has been verified on Intel, AMD and ARM processors. Please note that both vulnerabilities affect personal computers, mobile phones and servers, including both cloud and non-cloud servers.

Recommendations:

  • Apply operating system (OS) updates as soon as they become available. Microsoft, Apple, the Linux community and others have begun to release updates which address these vulnerabilities and may release further updates as researchers learn more about these vulnerabilities.
  • Apply software updates as soon as they become available.  Microsoft, Mozilla, Google and others are issuing patches for their web browsers.
    • Chrome users can turn on the “Site Isolation” feature to mitigate these flaws. To turn on Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
      Copy chrome://flags/#enable-site-per-process and paste it into the address bar at the top of Chrome, then press Enter.
      Find Strict Site Isolation and click Enable.
      Click Relaunch Now to restart Chrome.
  • Apply firmware updates as soon as they become available.
  • See List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates
