For Staff, Faculty and Students running personal or departmental installations of WordPress:
If you have not already done so, it is critical that you upgrade to WordPress version 4.7.2, which was released on 1/26/17. This upgrade fixes a bug (in the REST API) allowing hackers to bypass authentication systems and edit the titles and content of WordPress pages. The web security firm WordFence reports that over 1.5 million WordPress pages have been defaced by 20 hacking groups. 800,000 sites have been defaced in the last 48 hours alone.
For people using NYU’s central version of WordPress on http://wp.nyu.edu, the version is already up to date, and you do not need to take additional action.
You can confirm the version of WordPress that you are running in the administrative view. The Dashboard view will display the version running as follows:
If you are not running NYU’s central version of WordPress, and have questions concerning the version you are running or upgrading to version 4.7.2, please consult your local tech support.
Expect social engineering attacks in all shapes, sizes and disguises! These attacks do not occur only through e-mail. The following are a few ways to identify social engineering attacks and their telltale signs:
Phishing isn’t relegated to just e-mail
Cybercriminals also launch phishing attacks through phone calls, text messages, and online messaging applications. Don’t know the sender or caller? Does it seem too good to be true? It’s probably a phishing scam.
Know the signs
Does an e-mail contain spelling and grammatical errors, a call to immediate action, or a request for sensitive or confidential information? It’s probably a phishing scam. If in doubt, call the sender at a trusted phone number to confirm the legitimacy of the message received.
Verify the sender
Confirm the legitimacy of the sender’s e-mail address, and be suspicious of e-mail which does not come from the usual contact point for a sender. Hovering over the sender’s address will allow you to confirm that the address has not been spoofed. For example, if you hover over a sender’s address which displays as chase.com, and the address that appears is email@example.com, the message is forged/spoofed.
Don’t be duped by aesthetics
Phishing e-mails often contain convincing/familiar logos, links, legitimate phone numbers, and e-mail signatures of actual employees. However, exercise caution when any e-mail calls for urgent action or the disclosure of sensitive information. Look for the telltale signs of phishing before you click on any embedded elements or open any attachments. If in doubt, call the sender at a trusted phone number to confirm the legitimacy of the message received.
Never, ever share your passwords. Did we say never? Yup, never!
Your passwords are identifying data, and the key to your data and the data of others to which you may have access. Remember NYU IT will never ask for your login credentials.
Don’t talk to strangers!
Receiving calls from people you don’t know? Are they asking you to provide information or making odd requests? Hang up or verify the legitimacy of the call by using a trusted phone number to contact the caller.
Don’t be tempted by abandoned flash drives
Cybercriminals may leave flash drives lying around for people to pick up and use. When inserted into a device, the flash drives will install malware such as a keystroke logger, designed to steal credentials. You may be be tempted to insert a found flash drive to find it’s rightful owner. Be wary, it could be a trap.
See someone suspicious? Say something
If you notice someone suspicious walking around or “tailgating” someone to gain access to a locked area, call NYU Public Safety at 212-998-2222.
Please see the following SANS video of the month for tips on creating a cybersecure home! The video run-time is 3 minutes and 45 seconds, and the video reviews how to secure your home WiFi network and all of the personal devices connected to it. This video will be available for viewing throughout the month of February.