NYU Wordpress Theme

Update #2: Cisco WebEx Browser Extension Remote Code Execution Vulnerability

The vulnerability announced earlier (please click here and here for more information) impacts not only Google Chrome but other browsers on the Windows platform. Please see the instructions below to check whether you have the newest release:

Google Chrome
Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017 and contains a fix for this vulnerability. Chrome users can ensure they are using the fixed version of the Cisco WebEx Extension for Google Chrome by doing the following:

  1. In Chrome, open the Settings page
  2. Click Extensions
  3. Select the Developer mode checkbox
  4. Click Update extensions now
  5. Restart the Chrome browser

Microsoft Internet Explorer
Version 10031.6.2017.0126 of the GpcContainer Class for Microsoft Internet Explorer was released on January 28, 2017 and contains a fix for this vulnerability. Internet Explorer users can ensure they are using the first fixed or later version of the GpcContainer Class for Internet Explorer by:

  1. In Internet Explorer, select the Tools button
  2. Select Manage add-ons
  3. Select All add-ons from the Show drop-down menu
  4. Select the GpcContainer Class add-on under Cisco WebEx LLC

The version number is displayed at the bottom of the Manage Add-ons window.

Mozilla Firefox
Version 106 of the ActiveTouch General Plugin Container (10031.6.2017.127) for Mozilla Firefox was released on January 28, 2017 and contains a fix for this vulnerability. Mozilla users can ensure they are using the first fixed or later version of the ActiveTouch General Plugin Container for Mozilla by:

  1. Clicking the menu button (three horizontal bars on the upper right of the application) and selecting Add-ons
  2. In the Add-ons Manager tab, click the Plugins panel
  3. Locate the ActiveTouch General Plugin Container in the list of Plugins and click on the More link to obtain the version information

For a full explanation, please see:  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex

Update: Security Flaw in Cisco WebEx Chrome

Cisco WebEx Extension for Google Chrome version 1.0.5 contains a fix for the vulnerability referenced in the following post: https://wp.nyu.edu/itsecurity/2017/01/24/security-flaw-in-cisco-webex-chrome-detected/

Google Chrome users can ensure that they are using the fixed version of the Cisco Webex extension for Google Chrome by taking the following steps:

  • Go to Chrome, Preferences and you will be on the “Settings” page for Google Chrome.
  • Click Extensions (as shown below in the top left of the “Settings” Page):
    Screenshot showing the "Extensions" option encricled in red on the top left of the Chrome Settings view.
  • Click into the check-box that precedes Developer mode:

    Screenshot showing the checked "Developer mode" option encircled in red on the top right of the Chrome, Extensions page.

  • Next, click the Update extensions now button:
    Screenshot showing the "Update extensions now" button encircled in red beneath the checked "Developer mode" option on the top right of the Chrome extensions view.

 

For additional information, please see:  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex

 

Security Flaw in Cisco WebEx Chrome Detected

Security Flaw in Cisco WebEx Chrome Detected

Recently, a Google employee identified a critical vulnerability in the Cisco WebEx Chrome plugin that could affect NYU users. The flaw allows outside attackers to run unauthorized browser code and potentially expose computers to malware risk.  

Recommended action: Remove WebEx Chrome extension

  • 1. Open Chrome
  • 2. Click MoreMore at the top right of your Chrome browser.
  • 3. Select More tools Extensions.
  • 4. Next to the extension you want to remove, click RemoveRemove.
  • 5. Click Remove.

If an extension has an icon in your Chrome toolbar, you can right-click the icon and select Remove from Chrome.

Please check this site for updates on this issue. You may also contact security@nyu.edu or call the NYU IT Service Desk at 212-998-3333 with questions.

List of additional resources on this matter:

Overview:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex

How to protect yourself:

https://blog.filippo.io/webex-extension-vulnerability/

Technical blog:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1096

 

Keeping Your Private Information Private

The following are recommendations and reminders to help you protect your online information, identity and privacy:

  • Use unique passwords for each site. Hackers will attempt to use compromised credentials obtained in a variety of sites. Using unique passwords helps manage the exposure of other accounts.
  • Use a password manager. Using an encrypted password manager is the best way to manage long, strong and unique passwords. Password managers make the access and use of stored passwords easy. For more information on password managers, click here.
  • There are no true secrets online. Use the postcard or billboard test: Would you be comfortable with everyone reading a message or a post?  If not, don’t share it.
  • Know what you’re sharing; safeguard others as well as yourself. Be sure to check the privacy settings on all of your social media accounts to prevent unintentional over sharing about yourself or others. Some accounts may have a wizard to walk you through settings.
  • Keep your work and personal data separate.  Use a non-work or personal e-mail account for private e-mails.  This helps to ensure uninterrupted access to private e-mail if you switch employers.

SANS Video of the Month – Malware

Worms, viruses, trojans and ransomware are all different forms of malware. Malware is malicious software that can infect any device. For more information on malware and preventative measures, please view the following (approximately 3 minute) Sans video of the month on Malware. This video will be available to view throughout the month of January. Please share it with your friends and colleagues!

For more information on ransomware scams which are commonly deployed via phishing, please see:

Ransomware Scams: Don’t Let Them Lock You Out of Your Own Computer

 

NYU Box & Google Privacy Alert

The NYU IT Office of Information Security was recently made aware of a privacy issue relating to shared documents/folders in NYU Box. Please note that this NYU Box privacy issue has been corrected, but it may take some time for Google’s cached search results to update and for the correction to be reflected.

The issue: If documents or folders in NYU Box are shared using the sharing setting “People with the link”, and that link was listed on a publicly-available webpage, it could have been indexed by Google. In this instance, the link could have been retrieved by anyone performing a Google search. For example, the Share option in NYU Box shows the link to be shared, and shows the applied share setting for the link as follows:

Screenshot showing the Shared Link screen in NYU Box with the Shared Link displaying at the top of the screen and the document access type pick list expanded. The option "People with the link" is encircled in red. Other options include "People in your company", "People in this folder", and "Remove Link".

If a user selected People with the link as the share setting, the document/folder would have contained the above-mentioned privacy vulnerability.

Similarly, please be aware of the following, if a Google Apps documents is shared with others via a shareable link, in conjunction with the link sharing setting “ On – Anyone with the link”, this link could be retrieved and the document could be accessed by anyone. 

For example the File, Share option in Google Apps shows the option to obtain a shareable link along with the following default settings.

Screenshot showing the "Get a shareable link" option in Google Apps. The option is encircled in red at the top right of the screen.  The default setting of "Anyone at New York University with the lik can view" is displaying.

If a user chooses the Get a shareable link option (above) and then selects the On – Anyone with the link option (accessible via the drop-down arrow to the right of Anyone at New York University with the link can view), the document will contain the above-mentioned privacy vulnerability.

Screenshot of Link sharing options withe the option "On-Anyone with the link" encircled in red.  Other options include "On   -Public on the web", "On - New York University", "On - Anyone at New York University with the linl', and "Off - Specific people"

Please be reminded that the “On – Anyone with the link” sharing option is not the default, so in order to be impacted, you have to have made the changes detailed herein.

For more detailed information on the Box vulnerability, please see: https://threatpost.com/box-com-plugs-account-data-leakage-flaw/122810/

Additionally, although there is no simple way to check if your NYU Box documents/folders have been overshared, you can always modify share settings if necessary. On the Google Drive side, please be advised of the Drive-Eye add-on which is a tool to help identify Google files stored in your NYU Drive that have been broadly shared with the NYU community and beyond.  Once files have been identified by Drive-Eye, you can open the document(s) from the report and change sharing settings if necessary.  For more information, please see the following NYU Knowledge Base article: NYU Drive: Finding and securing shared files.