NYU Wordpress Theme

Google Pulls Fake Ad Blockers from Chrome Web Store

Google has identified and pulled the following fake ad blockers from the Chrome Web Store: AdRemover, uBlock Plus, Adblock Pro, HD for YouTube and Webutation. These ad blockers have been downloaded in excess of 20 million times. The extensions have been disabled on Chrome instances on which they were installed. However, if you installed one of the malicious ad blockers, it is recommended that you remove it. To do so, please take the following steps:

  • Open Google Chrome and click on the three vertical dots to the right of the browser address bar, and go to More Tools, Extensions.
  • Locate the extension you wish to remove, and click Remove in the bottom left of the extension dialog.

Ad Blockers have become very popular way to remove or manage advertising content on a website, web page or mobile app. Cloning legitimate software and adding malicious features have become common tactics of cyber criminals. In this instance, bad code was hidden in the jQuery library of javascript. Infected browsers formed a browser botnet, and could be forced to do whatever the command center server ordered.

For additional information, please see:

  • https://www.zdnet.com/article/google-cuts-fake-ad-blockers-from-chrome-store-were-you-among-20-million-fooled/
  • https://www.komando.com/happening-now/455166/google-pulls-fake-ad-blockers-were-you-one-of-the-20-million-fooled?utm_medium=nl&utm_source=alerts&utm_content=2018-04-20-article-a
  • http://www.newsweek.com/google-chrome-fake-ad-blockers-installed-20-million-users-how-check-if-you-892929

Call & Text History Logging with Facebook Messenger or Facebook Lite on Android

Android users have discovered when downloading their Facebook files, that there is a section of the download that contains details on phone calls and text messages. In response to user queries, Facebook has stated that call and text history logging are part of an opt-in feature for people using Facebook Messenger or Facebook Lite on Android, which were introduced in 2015. Facebook further states that users had to “expressly agree to use this feature”, that it could be turned off at any time, that the feature does not collect call or text message content, and information is stored securely and not sold to third parties. According to Facebook, if the app is deleted, previous call and text history will also be deleted.

ars Technica notes “[I]f you are really concerned about privacy, you should not share address book and call-log data with any mobile application. And you may want to examine the rest of what can be found in the downloadable Facebook archive, as it includes all the advertisers that Facebook has shared your contact information with, among other things.” 

The following are instructions to turn off/on continuous syncing of contacts to Facebook Messenger on all devices should you choose to do so.

  1. From Home, tap your profile picture in the top right corner.
  2. Tap People
  3. Synched Contacts to turn this setting off/on. 

Additional Resources:

The Top Seven End User Risks

The top seven end-user risks found in most organizations have been identified by SANS, and are detailed herein along with relevant NYU resources to help you combat these risks and stay secure in your work and personal lives.

Lack of situational awareness

Refers to people not realizing that they are targets. Awareness of social engineering strategies being used by scammers and utilizing awareness resources are strategies that can be used to address a lack of situational awareness. For more information on social engineering, see the following Connect article, Social Engineering Attacks and How You Can Protect Yourself. For NYU awareness resources generally, see NYU’s Security Awareness web page.  Additionally, a subscription to this blog will provide you with up-to-date and timely information on information security threats and resources (the subscription option is visible along the right side of the blog).

Phishing

Refers to the targeting of individuals or groups using email, text messaging, phone calls or social media updates/messaging. For more information on these types of attacks and recommendations on how to protect yourself, please see the following Connect article, Phishing, Spear Phishing, and Whaling.  

Password reuse

Refers to the same password being used for multiple accounts. Once a scammer steals one password, that password will be tried in a variety of sites. Do not let the compromise of one account occasion the compromise of other accounts. Each account password should be unique and lengthy (12+ characters). Password length vs. complexity has been shown as the primary password safeguard. Further, consider using passphrases instead of passwords. For more information on password best practices, please see the following Connect article, Under Lock and Passphrase.

Using Unpatched or Poorly Configured Devices (BYOD)

Secure your devices by performing application and system updates/patching frequently, or as updates become available. Updates address known vulnerabilities which scammers will attempt to exploit on unpatched devices. For  specific recommendations, please see the following blog post from the IT Security News & Alerts blog on Securing Your Mobile Device. Additionally, please see the following NYU KnowledgeBase articles, iPhone, iPod Touch & iPad security and Android security.

Indiscriminate Use of Mobile Media

Is a reminder to use WiFi and bluetooth best practices (for more information, see the above-referenced blog post). Additionally, 

  • no restricted data should be stored on your mobile devices. For information on NYU data classification and what comprises restricted data, please see the following webpage containing the NYU Data Classification Table.
  • install only well reviewed applications from reliable and trusted sources, such as Google Play or the App Store. Grant installed applications the minimum permissions necessary.  If you are not comfortable with the minimum permission levels, do not install the application. 

Data Leakage via Social Networking

Refers to the fact that social engineers regularly review social media sites and gather information on individuals and groups to target in attacks. For this reason, it is important to limit what you share about yourself yourself and others.  For example, none of your answers to security challenge questions, such as “what street did you grow up on?” should be posted on social media. For tips on social media use, see the following following blog post from the IT Security News & Alerts blog on Safe Social Networking.

Accidental Disclosure/Loss

Refers to the loss of mobile devices or physical media such as flash drives and to the unintended disclosure of information.

  • To avoid unintended email disclosure, a recommended best practice is to proofread the list of message recipients before sending an email as inadvertent disclosure sometimes occurs due to the auto-complete feature or use of “Reply to all” unintentionally.
  • With respect to flash drives, encrypted flash drives which require a PIN or password to access content are the most secure as the data will remain protected even if the drive is lost or stolen.
  • Please be reminded that any lost or stolen NYU provided mobile devices must be reported to NYU Public Safety at 2112-998-2222.

Reporting Tax-Related Identity Theft

As a follow up to the blog post on Tax Identity Theft Awareness Week, please note that the FTC has the following site, https://identitytheft.gov/#_blank, where consumers can report identity theft including tax-related identity theft.  Tax-related identity theft occurs when someone uses your social security number to file a tax return and claim a refund.  For additional information, please see the FTC Consumer Information web page on A new way to report tax identity theft

For information on ways to prevent and recover from identity theft, please see the following Connect article:  

Protect Who You Are Online