NYU IT Security News and Alerts

New NYU Email security feature which will launch on September 28

As part of NYU’s commitment to help protect the University’s networks and data, NYU IT will launch a new email security feature on September 28 at 8pm ET. In compliance with NYU IT’s security policies, email protection is a priority. The University’s existing email security tool prevents external email with known malicious URLs from reaching your inbox. The upcoming new feature will further protect against seemingly harmless URLs that make it into your inbox but become malicious thereafter, exposing you to security threats should you click on them.

If you click on a URL that is safe, you will be directed to the corresponding website. If you click on a URL that leads to a malicious website, you will see a notification explaining that you have been blocked from accessing it.

You do not have to do anything to activate this new feature; it will be automatically available when checking NYU Email on any network, in every location, from any device. If your NYU Email is already protected by URL Defense, this change will not affect you.

Note: The implementation of URL Defense minimizes email security risks, but it does not guarantee that every link contained in incoming, external email to @nyu.edu is safe to click. Please continue to exercise caution when reviewing embedded links. For more information on detecting phishing messages, including tips for examining embedded URLs, see Recognizing phishing scams and protecting yourself online.

FAQs and Support

See the ServiceLink knowledge base for URL Defense FAQs, including more information about how the feature works. If you believe that a site has been blocked unnecessarily or that a malicious site was not appropriately blocked, or if you have other questions, please contact the NYU IT Service Desk.

Sincerely,
NYU IT Office of Information Security

Safari Vulnerability – Update to iOS 12 ASAP

A Safari browser address bar vulnerability that allows well-designed, difficult-to-detect phishing attacks has been patched with the release of Safari 12. We recommend that users update to iOS 12 ASAP. For update instructions, please see: https://support.apple.com/en-us/HT201222. For information on the security content of Safari 12, please see: https://support.apple.com/en-us/HT209109.

Vulnerability specifics: Safari (versions prior to 12) permitted JavaScript to update the address bar before the page had loaded completely. A malicious actor could begin loading a legitimate web page, which would cause the legitimate URL to appear in the browser’s address bar. The page content could then be quickly replaced with a malicious site while the browser preserved the legitimate address and loaded the content of a spoofed page. This type of attack could be used to spoof any website, including banking websites, Gmail, Facebook, Twitter, etc., in an attempt to steal user credentials and sensitive information.

A similar vulnerability in Microsoft Edge was patched by Microsoft on August 14th.  Google Chrome and Mozilla Firefox are reportedly not impacted by this vulnerability.  

Mongo Lock

Please be advised of a new attack type dubbed “Mongo Lock”, which targets remotely accessible, unprotected MongoDB databases. In this scam, malicious actors scan the internet for vulnerable servers and, once one is located, export and then delete the server’s content. A ransom note is then generated demanding bitcoin payment in return for the deleted content.

Reports state that following deletion, the malicious actors will leave a new database named “Warning”, which contains a Readme collection. The following is sample ransom note text from the Readme collection in this attack:

Your database was encrypted with ‘Mongo Lock’.  If you want to decrypt your database, need to pay us 0.1 BTC (Bitcoins), also don’t delete ‘Unique_KEY’ and save it to a safe place, without that we cannot help you. Send email to us: mongodb[at]8chan[dot]co for decryption service.
(Text courtesy of BleepingComputer).

According to the security researcher who discovered the attack (Bob Diachenko), the scripts automating the process of accessing MongoDB, exporting and then deleting do not always work. He notes that sometimes the script fails and the data is still available to the user even though a ransom note has been created.

For MongoDB recommendations, including a security checklist of recommended actions, please see the following resource:

Resource: https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/
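The attack above depends on one precondition (a mongod instance reachable from the internet with no access control) and leaves one reported artifact (a “Warning” database containing a Readme collection). The following script is an added example, not code from NYU IT, BleepingComputer or the MongoDB project: it audits a mongod configuration for that precondition and checks a database listing for that artifact. The configuration is passed as a dict in the shape of the mongod.conf YAML (the real keys `net.bindIp`, `net.bindIpAll` and `security.authorization`); the sample configs and database listing are constructed for this example.

```python
"""Defender-side checks for the Mongo Lock scenario.

audit_mongod_config(cfg)   -> findings for a config that is remotely reachable
                              and/or has no authorization enabled
mongo_lock_indicators(db)  -> databases matching the reported ransom-note
                              pattern (a "Warning" db with a "Readme" collection)
"""
import ipaddress

# Wildcard bind addresses: these listen on every interface.
PUBLIC_WILDCARDS = {"0.0.0.0", "::", "*"}


def _is_loopback_or_private(addr: str) -> bool:
    """True if a bindIp entry is loopback or private (RFC 1918 / ULA) space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # "localhost" and unix socket paths are local; a hostname is unknown,
        # so it is treated as not private.
        return addr == "localhost" or addr.startswith("/")
    return ip.is_loopback or ip.is_private


def audit_mongod_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    net = cfg.get("net") or {}
    sec = cfg.get("security") or {}

    # A missing bindIp is treated as localhost-only (the mongod default since 3.6).
    bind = net.get("bindIp", "127.0.0.1")
    bind_all = bool(net.get("bindIpAll", False))
    addrs = [a.strip() for a in str(bind).split(",")]

    exposed = bind_all or any(
        a in PUBLIC_WILDCARDS or not _is_loopback_or_private(a) for a in addrs
    )
    auth_on = str(sec.get("authorization", "disabled")).lower() == "enabled"

    if exposed:
        findings.append(f"listens on a non-local interface: bindIp={bind!r} bindIpAll={bind_all}")
    if not auth_on:
        findings.append("security.authorization is not 'enabled'; any client that connects has full access")
    if exposed and not auth_on:
        findings.append("CRITICAL: remotely reachable with no access control (the Mongo Lock precondition)")
    return findings


def mongo_lock_indicators(listing: dict) -> list:
    """listing maps database name -> list of collection names (as returned by
    listDatabases / listCollections). Returns the names of databases that
    match the reported artifact: a 'Warning' database holding a 'Readme' collection."""
    hits = []
    for db_name, collections in listing.items():
        if db_name.lower() == "warning" and any(c.lower() == "readme" for c in collections):
            hits.append(db_name)
    return hits


# Constructed sample inputs for this example.
EXPOSED_CFG = {"net": {"port": 27017, "bindIp": "0.0.0.0"}, "security": {}}
HARDENED_CFG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}
# What a listing looks like after the reported attack: data gone, ransom note left behind.
POST_ATTACK_LISTING = {"admin": ["system.version"], "Warning": ["Readme"]}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_mongod_config(cfg) or ["no findings"])
    print("ransom-note databases:", mongo_lock_indicators(POST_ATTACK_LISTING))
```

The hardened sample binds to loopback plus one private address and turns authorization on, which is the combination the BleepingComputer checklist amounts to; the indicator check is only useful after the fact, so treat it as a detection signal to pair with backups rather than as a preventive control.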

NJCCIC Membership

A recommended resource for anyone interested in receiving additional alerts, advisories and bulletins regarding emerging cyber threats and related threat intelligence is the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). To receive information from NJCCIC, (free) membership is required. To join, please visit the NJCCIC membership web page. For more information on the NJCCIC, and to access available updates and resources, please visit the NJCCIC home page.

Fax Protocol Vulnerability “Faxploit”

Please be advised that recently discovered fax protocol vulnerabilities can transform fax machines into network entry points. This attack type is carried out over phone lines rather than internet connections, and the only thing required to carry it out is a fax number. Because this exploit arrives via phone lines, no security software can be used to prevent Faxploit.

Specifically, Faxploit leverages two buffer overflows in fax protocol components that handle DHT and COM markers – CVE-2018-5924 and CVE-2018-5925. Once exploited, attackers could infiltrate internal networks and do a number of things, including stealing printed documents or mining bitcoin.

The following video offers a demonstration of how this attack type works: https://youtu.be/1VDZTjngNqs

Recommendations:

Network segmentation, including isolating fax machines on their own subnetworks, would limit the type of data an attacker can gain access to via this attack.

To prevent Faxploit attacks:

Apply patches regularly to individual fax machines and to all-in-one office printers, which have embedded fax machines. HP Faxploit patches for Officejet all-in-one printers can be found here.

Chinese Consulate Scam and Chinese Language Robocalls

Please be advised of the following scams:

  • Live callers purporting to be from a Chinese Consulate office saying that you have a package to be picked up at a Chinese Consulate office or that you need to supply information they request to avoid being in trouble. Typically, these callers will ask for your bank or credit card information or request a bank transfer.  
  • Chinese-language robocalls delivering messages about: 
     – a package waiting for you at the Chinese Consulate, or trouble with Chinese officials.
     – how to lower your credit card rates or buy inexpensive health insurance. If you express interest, you will be transferred to a live person who will attempt to obtain your banking or credit card information.

Please also be advised that scammers may be using caller id spoofing, which means that calls may appear to come from a phone number you recognize or from the actual phone number of your local Chinese Consulate. In addition to phoning, scammers may also try and contact you via a social media platform.

The Chinese Consulate General in New York has posted alerts on their website about these phone scams. The Chinese Consulate states that it will never request personal or sensitive information, a parcel pick-up, or ask you to answer police department inquiries.

Recommendations:

  • If in doubt of the legitimacy of any call, verify by contacting the organization/business via a phone number independently obtained.
  • Never provide payment or personal information to any caller. Confirm the legitimacy of any such calls by contacting the organization/business via a phone number independently obtained.
  • Scammers may pretend to be officials from government agencies, such as the IRS, and they may threaten arrest or offer a prize or payment. They will likely seek some type of payment or sensitive information from you. For more information on these types of scams, please see the FTC webpage on Government Imposter Scams.
  • For additional recommendations and information on how to report robocalls, please see the following Connect article, Learn to Spot a Phony; Detecting and Avoiding Phone Scams.

Update Your Google Chrome Browser ASAP

Due to multiple vulnerabilities in Google Chrome, users are being advised to update their Chrome browser ASAP. Affected Google Chrome versions are versions prior to 68.0.3440.75. For more information on these vulnerabilities, please see: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2018-084/.

To manually update Google Chrome:

  • Open Google Chrome
  • Click Chrome, then About Google Chrome
    (Screenshot: Google Chrome’s menu options, with “Chrome” and “About Google Chrome” selected)
  • You will see the current version of Google Chrome running. Click Relaunch to apply any available update.
    (Screenshot: the current Google Chrome version number and the Relaunch option)

Home WiFi Router Security: What You Should Know

What a Router Does

Routers typically can create at least two different networks, one for private use and one for guest access. Routers also connect multiple networks and forward packets destined for their own or other networks. All of your devices (laptop, phone, tablet, etc.) therefore talk to the router, and the router in turn connects to a modem and protects your devices with a firewall.

Why Router Security is Important

A secure home router is an essential component of your personal information security as your router connects to the outside world, and may be targeted by automated scans and exploits that may not be visible to you. Additionally, please be aware of the following:

  • Although your router does not store information, sensitive information passes through it when you access various online accounts and services, and this data can be compromised if your router is hacked.
  • A compromised router can also be used to attack other devices on your local network such as your phone, tablet, laptop or smart devices, and can be used to launch denial of service attacks.  

Security Focused Routers

Some users opt to purchase security-focused routers which offer auto updates. However, there are a number of factors to be considered when evaluating security-focused routers. These types of routers can be costly and often offer limited customization ability and require annual subscriptions for services. Before swapping out a device provided by your ISP, it is recommended that you confirm that:

  • the router provided by your ISP is a separate device rather than a single device (known as a “gateway”) which contains both the modem and the router.
  • you can bring your own device onto the network.
  • all available ISP provided services will work with the router you’re considering.  
  • the router you purchase will continue receiving firmware updates (product life cycles are often short, so you want to be sure that you’re not purchasing an end of life product).

Examples of security focused routers include:

Configuring and Securing Your Home WiFi Router

The primary recommendation is that you change the default administrator username and password that come with your router. For instructions and other recommendations for your home setup, please see the following article from the NJCCIC, How to Configure and Secure a Home Wi-Fi Router. A supplemental recommendation is to periodically reboot your router, as some malware strains will not survive a reboot.

Additionally, you can periodically check to see a list of devices that are connected to your router.  To do so:

  • Go to an internet browser on one of your connected devices.
  • Go to www.routerlogin.net
  • Enter the router username and password
  • Select Attached Devices
    • To update this screen, click the Refresh button

If you see unfamiliar connected devices, you can change/reset your WiFi password.

DocuSign Phishing Campaign

DocuSign, a service used to share, distribute and electronically sign important documents, has detected an increase in phishing emails sent to its customers and users. The recent phishing campaign delivers unsolicited email with either an embedded URL or an HTML, PDF or Word attachment redirecting users to a spoofed login page designed to steal login credentials. Compromised DocuSign credentials could cause the exposure of financial and other types of sensitive/confidential information.

Noted email subject lines in this phishing campaign are:

  • Your DocuSign
  • Payment Confirmation
  • New secure message
  • You have a new document to review and sign

Phishing emails received may come from: noreply@docusign.delivery

Recommendations

DocuSign advises users to look for the unique security code at the bottom of a DocuSign notification email (as shown below). All DocuSign envelopes contain a unique security code. The unique security code allows users to access documents directly from https://www.docusign.com/

(Image: a DocuSign notification email with a unique security code displayed at the bottom. The text above the security code reads “Alternately, you can access these documents by visiting docusign.com, clicking the "Access Document" link and using this security code:”)

Additionally:

  • Never open unexpected attachments or provide account credentials via embedded links in unsolicited email. Before opening an unexpected attachment, verify the legitimacy of the message/sender via a phone call or another means of communication that does not rely on information appearing in the message received.
    • Instead of clicking on an embedded link to enter your credentials, go to the organization’s secure website to enter your credentials.
  • Enable MFA (multi-factor authentication) on all accounts for which it’s offered. MFA will protect you from the results of phishing or credential compromise by requiring a second layer of authentication via a device that you possess (e.g., a smartphone, cell phone, landline, etc.).
    • For information on NYU MFA, which protects your sensitive information on NYU systems, please click here.
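The advice above (do not trust embedded links; go to docusign.com yourself) can be turned into a triage check that a mail administrator or help desk can run over a reported message. The script below is an added example, not code from NYU IT or DocuSign: it flags the lure subject lines listed in this alert, extracts every link from the HTML body, and flags links whose host is not docusign.com or one of its subdomains, including the userinfo trick where `https://www.docusign.com@other.example` actually goes to `other.example`, and anchors whose visible text shows a different host than the href. The trusted-host list is an assumption for this example, and the sample messages are constructed, using reserved `.example` names rather than real sites.

```python
"""Triage helper for DocuSign-themed phishing mail.

triage(subject, body_html) returns a list of findings; an empty list means
nothing in the message matched the heuristics below.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subject lines noted in the advisory, compared case-insensitively.
LURE_SUBJECTS = {
    "your docusign",
    "payment confirmation",
    "new secure message",
    "you have a new document to review and sign",
}
# Assumption for this example: genuine notification links point under docusign.com.
TRUSTED_HOSTS = ("docusign.com",)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str):
    """Lower-cased hostname of a URL, or None if it has none.
    urlsplit strips userinfo, so https://www.docusign.com@phish.example
    yields 'phish.example', which is the point of the check."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower() or None
    except ValueError:
        return None


def is_trusted_host(host) -> bool:
    """True only for a trusted host or a subdomain of it; docusign.com.other.example is not."""
    return host is not None and any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def _looks_like_url(text: str) -> bool:
    return "://" in text or text.lower().startswith("www.")


def triage(subject: str, body_html: str) -> list:
    findings = []
    if subject.strip().lower() in LURE_SUBJECTS:
        findings.append(f"subject matches a known lure: {subject!r}")

    collector = _AnchorCollector()
    collector.feed(body_html)
    for href, text in collector.anchors:
        target = host_of(href)
        if not is_trusted_host(target):
            findings.append(f"link to untrusted host {target!r}: {href}")
        if _looks_like_url(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown and shown != target:
                findings.append(f"link text shows {shown!r} but href goes to {target!r}")
    return findings


# Constructed sample messages for this example.
PHISH_SUBJECT = "You have a new document to review and sign"
PHISH_BODY = (
    '<p>Please review: <a href="https://www.docusign.com@docusign-secure.example/login">'
    "https://www.docusign.com/Signing</a></p>"
)
LEGIT_SUBJECT = "Contract ready for signature"
LEGIT_BODY = '<p><a href="https://app.docusign.com/signing/abc">Review Document</a></p>'

if __name__ == "__main__":
    print("phish:", triage(PHISH_SUBJECT, PHISH_BODY))
    print("legit:", triage(LEGIT_SUBJECT, LEGIT_BODY) or ["no findings"])
```

A message that triggers only the subject heuristic is not proof of phishing, since the same subjects appear on genuine mail; the link-host findings are the ones worth escalating, and in every case the safe action remains the one the alert gives: enter the security code at docusign.com rather than following the link.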

Meltdown and Spectre Product Vulnerability and Update List

As an update to our 1/4/18 post entitled Computer Chip Vulnerabilities: Meltdown & Spectre and our 2/26/18 post entitled Spectre Patches Available, please be advised of the following NJCCIC (New Jersey Cybersecurity & Communications Integration Cell) resource dedicated to the Meltdown and Spectre vulnerabilities. The Meltdown and Spectre Product Vulnerability and Update List summarizes the incident and supplies an updated listing of vendor patches, mitigation strategies and updates.