
Free Credit Freezes and Year-Long Fraud Alerts Now Available

As of September 21st, Equifax, Experian and TransUnion are required to offer free credit freezes and year-long fraud alerts nationally to all consumers. These initiatives are part of broader financial legislation, which was signed in May. Please be advised of the following:

  • A credit or security freeze restricts access to your credit file and thereby helps protect personal/sensitive information and makes it difficult for identity thieves to open accounts in your name. To be effective, freezes need to be placed at all three credit bureaus.
    • If you freeze your file, the credit bureaus will not provide lenders with information until you lift the freeze (using a personal identification number).
    • Parents can now request free credit freezes for children under the age of 16.
  • Fraud alerts inform businesses that check your credit that they need to confirm the opening of a new account with you. Fraud alerts now last one year (previously 90 days), and consumers can renew them yearly. Victims of identity theft are eligible for an extended fraud alert lasting seven years.
  • Free credit monitoring services will be offered to active duty military personnel.

Resources:

New NYU Email security feature which will launch on September 28

As part of NYU’s commitment to help protect the University’s networks and data, NYU IT will launch a new email security feature on September 28 at 8pm ET. In compliance with NYU IT’s security policies, email protection is a priority. The University’s existing email security tool prevents external email with known malicious URLs from reaching your inbox. The upcoming new feature will further protect against seemingly harmless URLs that make it into your inbox but become malicious thereafter, exposing you to security threats should you click on them.

If you click on a URL that is safe, you will be directed to the corresponding website. If you click on a URL that leads to a malicious website, you will see a notification explaining that you have been blocked from accessing it.

You do not have to do anything to activate this new feature; it will be automatically available when checking NYU Email on any network, in every location, from any device. If your NYU Email is already protected by URL Defense, this change will not affect you.

Note: The implementation of URL Defense minimizes email security risks, but it does not guarantee that every link contained in incoming, external email to @nyu.edu is safe to click. Please continue to exercise caution when reviewing embedded links. For more information on detecting phishing messages, including tips for examining embedded URLs, see Recognizing phishing scams and protecting yourself online.
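The rewrite-then-check-at-click flow described above, as an added Python sketch that is not NYU IT's or the URL Defense vendor's code. The redirector address, the token format and the blocklist are assumptions made for the illustration; the real service's rewriting scheme is not reproduced. The message body is a constructed sample.

```python
from __future__ import annotations

import base64
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical redirector for this illustration only; the real URL Defense
# service uses its own rewriting format, which is not reproduced here.
REDIRECTOR = "https://urlcheck.example.edu/v1/click"

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = ".,;:!?)"


def rewrite_links(body: str) -> str:
    """Delivery-time step: wrap every URL in the message so that a click is
    routed through the redirector. No verdict is made here; the point of
    rewriting is to defer the decision until the link is actually clicked."""
    def wrap(match: re.Match) -> str:
        url = match.group(0)
        trail = ""
        # Keep sentence punctuation that the regex swallowed out of the link.
        while url and url[-1] in TRAILING_PUNCT:
            trail = url[-1] + trail
            url = url[:-1]
        token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
        return f"{REDIRECTOR}?{urlencode({'u': token})}{trail}"
    return URL_RE.sub(wrap, body)


def unwrap(rewritten: str) -> str:
    """Recover the original destination from a rewritten link."""
    token = parse_qs(urlsplit(rewritten).query)["u"][0]
    token += "=" * (-len(token) % 4)  # restore the base64 padding stripped above
    return base64.urlsafe_b64decode(token).decode()


def click(rewritten: str, blocklist: set[str]) -> tuple[str, str]:
    """Click-time step: check the destination host against the blocklist as it
    is *now*, not as it was when the mail was delivered. Returns the verdict
    and the original URL."""
    original = unwrap(rewritten)
    host = (urlsplit(original).hostname or "").lower()
    verdict = "block" if host in blocklist else "allow"
    return verdict, original


def demo() -> dict[str, str]:
    """Walk through the scenario in the text: a link that is clean at delivery
    and is added to the blocklist afterwards. The message is a constructed sample."""
    body = ("Quarterly report: https://reports.example.edu/q3 and a copy at "
            "https://share.example-files.net/d/1.")
    rewritten_body = rewrite_links(body)  # the blocklist plays no part at this stage
    links = re.findall(re.escape(REDIRECTOR) + r"\?u=[A-Za-z0-9_-]+", rewritten_body)
    # Threat intelligence arrives after delivery: the file-share host is now known bad.
    blocklist = {"share.example-files.net"}
    return {original: verdict for verdict, original in (click(link, blocklist) for link in links)}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:5} {url}")
```

The verdict for the first link is "allow", not "safe": a host that is simply absent from the blocklist passes through, which is the limitation the note above describes and why the usual phishing checks still apply to rewritten links.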

FAQs and Support

See the ServiceLink knowledge base for URL Defense FAQs, including more information about how the feature works. If you believe that a site has been blocked unnecessarily or that a malicious site was not appropriately blocked, or if you have other questions, please contact the NYU IT Service Desk.

Sincerely,
NYU IT Office of Information Security

Safari Vulnerability – Update to iOS 12 ASAP

A Safari browser address bar vulnerability that allows well-designed, hard-to-detect phishing attacks has been patched with the release of Safari 12. We recommend that users update to iOS 12 as soon as possible. For update instructions, please see: https://support.apple.com/en-us/HT201222. For information on the security content of Safari 12, please see: https://support.apple.com/en-us/HT209109.

Vulnerability specifics: Safari (versions prior to 12) permitted JavaScript to update the address bar before the page had loaded completely. A malicious actor could begin loading a legitimate web page, causing the legitimate URL to appear in the browser’s address bar, and then quickly replace that page with a malicious one while the browser kept displaying the legitimate address and loaded the content of the spoofed page. This type of attack could be used to spoof any website, including banking websites, Gmail, Facebook, Twitter, etc., in an attempt to steal user credentials and sensitive information.

A similar vulnerability in Microsoft Edge was patched by Microsoft on August 14th. Google Chrome and Mozilla Firefox are reportedly not impacted by this vulnerability.

Mongo Lock

Please be advised of a new attack type dubbed “Mongo Lock”, which targets remotely accessible, unprotected MongoDB databases. In this scam, malicious actors scan the internet for vulnerable servers and, once one is located, export and then delete the server’s content. A ransom note is then generated demanding bitcoin payment in return for the deleted content.

Reports state that following deletion, the malicious actors will leave a new database named “Warning”, which contains a Readme collection. The following is sample ransom note text from the Readme collection in this attack:

Your database was encrypted with ‘Mongo Lock’.  If you want to decrypt your database, need to pay us 0.1 BTC (Bitcoins), also don’t delete ‘Unique_KEY’ and save it to a safe place, without that we cannot help you. Send email to us: mongodb[at]8chan[dot]co for decryption service.
(Text courtesy of BleepingComputer).

According to the security researcher who discovered the attack (Bob Diachenko), the scripts automating the process of accessing MongoDB, exporting and then deleting do not always work. He notes that sometimes the script fails and the data is still available to the user even though a ransom note has been created.

For MongoDB recommendations, including a security checklist of recommended actions, please see the following resources:

Resource: https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/
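An added configuration and indicator check in Python, not code from this advisory, from BleepingComputer or from MongoDB. It audits a mongod.conf fragment for the two properties the attack depends on (an instance reachable from outside and authorization switched off) and inspects a database listing for the “Warning” database with a “Readme” collection that the text describes, while also reporting which user databases are still present, since the note can exist even when the wipe failed. The configuration fragments and the database listing are constructed samples; the keys net.bindIp, net.bindIpAll and security.authorization are real mongod options.

```python
from __future__ import annotations

# Constructed mongod.conf fragments. The first is the "remotely accessible,
# unprotected" state the advisory warns about; the second is the hardened form.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
security:
  authorization: disabled
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1      # local clients only; remote access goes over a VPN or SSH tunnel
security:
  authorization: enabled
"""

# Constructed listing of the kind listDatabases plus listCollections return,
# modelling an instance where the ransom note was written but the wipe failed.
SAMPLE_LISTING = {
    "admin": ["system.version"],
    "local": ["startup_log"],
    "Warning": ["Readme"],
    "inventory": ["items", "orders"],
}

SYSTEM_DBS = {"admin", "local", "config"}


def parse_simple_yaml(text: str) -> dict:
    """Tiny parser for the nested key: value subset mongod.conf uses.
    Comments are stripped; lists and multi-line scalars are not supported."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_mongod_conf(text: str) -> list[str]:
    """Return findings for the two conditions Mongo Lock relies on."""
    cfg = parse_simple_yaml(text)
    net, sec = cfg.get("net", {}), cfg.get("security", {})
    findings = []
    # mongod 3.6+ defaults to localhost; an explicit wildcard re-exposes it.
    bind = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll") == "true" or any(ip in ("0.0.0.0", "::") for ip in bind):
        findings.append("net.bindIp exposes the instance on all interfaces")
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled: any client that can "
                        "connect can dump and drop data")
    return findings


def mongo_lock_check(listing: dict[str, list[str]]) -> dict:
    """Look for the artefact the advisory describes (a 'Warning' database holding
    a 'Readme' collection) and report which user databases are still present."""
    note_dbs = [db for db, cols in listing.items()
                if db.lower() == "warning" and any(c.lower() == "readme" for c in cols)]
    remaining = sorted(db for db in listing if db not in SYSTEM_DBS and db not in note_dbs)
    return {"ransom_note_present": bool(note_dbs), "remaining_user_databases": remaining}


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
    print(mongo_lock_check(SAMPLE_LISTING))
```

Run against a real deployment, the listing would come from the server rather than the inline sample; the point of reporting the remaining databases alongside the note is the observation quoted above that the attackers’ script does not always complete, so the presence of a ransom note should trigger a check of what data is actually still there before any payment is even considered.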

NJCCIC Membership

A recommended resource for anyone interested in receiving additional alerts, advisories and bulletins regarding emerging cyber-related threat intelligence is the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). To receive information from NJCCIC, (free) membership is required. To join, please visit the NJCCIC membership web page. For more information on the NJCCIC, and to access available updates and resources, please visit the NJCCIC home page.