Chrome and Firefox Patch Security Flaws for Mac, Windows and Linux

Chrome 72, which is available now from the Chrome menu via Chrome, About Google Chrome (the update is applied automatically when this page is accessed), fixes 58 CVE flaws (Common Vulnerabilities and Exposures, a catalog of known security threats sponsored by the U.S. Department of Homeland Security), 17 of which are rated ‘high severity’ and 1 of which is rated ‘critical’.

Firefox 65, which is available now from the Firefox menu via Firefox, About Firefox, fixes 7 CVEs, 2 of which are marked ‘high severity’ and 3 of which are marked ‘critical’.

Please be reminded that your tablets and smartphones have a variety of options for updating apps. The following are directions for enabling the auto update of apps on iOS and Android devices.

  • On your iOS handheld devices, applications may be updated via Settings, iTunes & App Store by toggling the switch to the right of “Updates” to the ‘on’ position. Once your device is connected to a charger, available updates will install.
  • On Android devices, open the Google Play Store app, tap Settings from the main menu, then tap Auto-update apps and select an option:
    • auto-update apps at any time, which will update apps using either WiFi or mobile data, or
    • over WiFi only, which will update apps only when connected to WiFi.

It is recommended that you update Chrome and Firefox on all devices asap. For more information, please see the following article: Update Now! Chrome and Firefox patch Security Flaws.

Apple FaceTime Eavesdropping Bug

Please be advised that a snooping bug has been found in Apple’s FaceTime app. The bug exists in the app’s Group FaceTime feature and is triggered when a caller places a FaceTime call and, while the dialed number is still ringing, uses the “Add Person” option to add him/herself. Once the caller adds him/herself, a group FaceTime call begins with the audio feed from the phone of the person being called, even though the call has not been answered. Further, if the person being called presses the Power button when picking up their phone, the video feed (along with the audio feed) is also sent to the caller.

Apple has disabled the Group FaceTime feature and stated that they will issue an update later this week. You may want to disable the FaceTime app until a patch/update becomes available and you have performed the update.

To disable FaceTime, go to Settings, FaceTime and turn the slider to the off position as shown below:

Screenshot showing the Apple settings for FaceTime with the toggle slider positioned to "off". A note at the bottom instructs how to turn the FaceTime app off and says that you can turn it back on once the patch is out and you've received it.

Image courtesy of naked security

Outdated Software and Operating Systems, Update Now!

As a Data Privacy Day related advisory, please be reminded of the importance of protecting your personal and sensitive data by keeping operating systems and applications up to date on all of your devices. Devices running outdated operating systems or applications are commonly targeted by malicious actors seeking to exploit known security bugs and loopholes in programs and systems as a way to gain access to your data and sensitive information. Malicious actors rely on the simple fact that users and admins largely ignore updates and patching, thereby supplying a rich attack surface to anyone who can develop an exploit.

An example of this is the global WannaCry ransomware worm. WannaCry exploited a security bug in outdated Microsoft Windows operating systems, such as Windows XP, for which there is no longer any technical support. Within a day of its outbreak, WannaCry had infected more than 230,000 computer systems in 150 countries and caused approximately $4 billion in financial losses. WannaCry remains an active exploit even though the patch to prevent it was available several months before the outbreak began in 2017.


Annual Data Privacy Day (January 28th)

Data Privacy Day (“DPD”) is held annually on January 28th and is an international effort to create awareness around the importance of respecting privacy, safeguarding data and enabling trust. This year, DPD will spotlight the value of information. If you are seeking to better manage your privacy and how your data is collected and shared, you may be interested in the DPD 2019 event livestream. Please visit the following StaySafeOnline web page, powered by the NCSA (National Cyber Security Alliance), for more information: https://staysafeonline.org/dpd19-live/

Old Phishing Scam Makes a Comeback

A recent phishing email, a variation of the “Nigerian Prince” scam (a fund transfer fraud), states that the sender is undergoing treatment for cancer and that her late husband has left her millions of dollars that need to be issued to another person to avoid confiscation. The sender further states that she wants the recipient to donate the money to various charities. If the recipient responds to this email, the sender may seek:

  • A small amount of money for fees in connection with transferring ownership of the supposed fund.
  • Your bank account number, SSN, birth date or other sensitive information to accomplish the transfer.

Please note that some scammers may even set up a fake online bank website that supposedly reflects the funds to be transferred to the recipient. Aside from stealing fees associated with the supposed fund transfer, any personal information shared is used to further exploit the victim. Examples include identity theft and draining the recipient’s bank account.

Other variations of the Nigerian Prince scam include an email stating that the recipient is the named beneficiary in the will of an estate totaling one million or more. Personal information is then sought to confirm the recipient’s identity and transfer funds. Additionally, scammers may represent themselves as foreign government officials who are seeking to place large sums of money in overseas bank accounts, or they may be seeking funds to fight a specific group or dictatorship.

If you have fallen victim to any of the Nigerian Prince scam variants or responded to one of these scam emails, please contact the U.S. Secret Service at 202.406.5572 or 419.fcd@usss.treas.gov.

Please be reminded:

  • If it sounds too good to be true, it is.
  • Your personal information has value, protect it.
  • Cashier’s checks and money orders can be fraudulent. Consult with your financial institution about the time it will take for a check/funds to clear, and wait for the funds to clear.

Gift Card Scam Alert/Update

Please be advised that the Office of Information Security (“OIS”) has seen a recent uptick in imposter scams. As an update to our posts on imposter scams and gift card scams (which are a type of imposter scam), please be on the alert and note the following 3 recent examples of these types of scams:

Example #1

Screenshot of a phishing email requesting the urgent purchase of two $100 Amazon gift cards. Requests the gift card redemption numbers in the form of a photo of that information as it displays on the cards.

  • This message purports to come from an NYU executive and uses a sense of urgency, which is a common phishing ploy, to impel the recipient to action.

Example #2

Screenshot of a phishing email message requesting urgent assistance in obtaining iTunes gift cards

Example #3

Screenshot of phishing email with a subject of "Urgent" and stating "There is something I need you to do now" and further stating "You can only talk to me through Email".

Please Note:

  • Both examples #2 and #3 purport to come from NYU email addresses, and the sender’s email address in both examples contains familiar elements: nyu.edu@gmail.com and nyu.edu@outlook.com. NYU email will always be in the following format: [name/alias/or NYU NetID]@nyu.edu.
  • Both examples #2 and #3 also use a sense of urgency to impel the recipient to action.
  • Although the text in Example #3 states “You can only talk to me through Email”, please be reminded that it is a recommended best practice to confirm urgent or sensitive email requests via a trusted means of communication, such as a phone call to a trusted phone number (for example, an NYU Directory phone number).
  • When viewing your NYU Gmail on mobile devices, you may not see the sender’s email address displayed in its entirety. To see this address, click “View Details” or tap the “>” to the right of the sender’s name.
    • However, since the sender’s email address can be “spoofed”, confirmation with the sender as per the above-stated best practice is the top recommendation for confirming sensitive/urgent requests.
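The sender-address checks described above, written out as a small triage script. This is an added example and not code from the NYU post or from OIS; it assumes the rule the post states (legitimate NYU mail is always [name/alias/NetID]@nyu.edu), flags the "familiar element before the @" pattern of examples #2 and #3 plus a display name that claims NYU while the domain is external, and goes one step beyond the post by also flagging lookalike domains that merely contain "nyu". The sample headers are constructed, not real messages.

```python
from email.utils import parseaddr

# Rule as stated in the post: genuine NYU mail always comes from this domain.
TRUSTED_DOMAIN = "nyu.edu"
BRAND = "nyu"


def check_sender(from_header):
    """Return the reasons a From: header looks like an imposter (empty list = no flag).

    Heuristic only: the address itself can be spoofed, so a clean result is not proof
    of authenticity and out-of-band confirmation (a trusted phone number) still applies.
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address could not be parsed"]
    local_part, domain = address.rsplit("@", 1)
    local_part, domain = local_part.lower(), domain.lower()
    if domain == TRUSTED_DOMAIN:
        return []  # the address alone gives no reason to flag
    reasons = []
    # Familiar element placed before the @, e.g. nyu.edu@gmail.com (examples #2 and #3).
    if TRUSTED_DOMAIN in local_part:
        reasons.append(f"'{TRUSTED_DOMAIN}' is in the mailbox name but mail is from {domain}")
    # Lookalike domain such as nyu-edu.com (assumed pattern, beyond the post's examples).
    if BRAND in domain:
        reasons.append(f"domain {domain} resembles {TRUSTED_DOMAIN} but is not it")
    # Display name claims NYU while the domain is external; on mobile only the name shows.
    if BRAND in display_name.lower():
        reasons.append(f"display name '{display_name}' suggests NYU but domain is {domain}")
    return reasons


# Constructed sample headers modelled on the three examples above (not real messages).
SAMPLE_HEADERS = [
    "NYU Executive <nyu.edu@gmail.com>",
    "Jane Doe <nyu.edu@outlook.com>",
    "IT Help Desk <support@nyu-edu.com>",
    "Jane Doe <jd1234@nyu.edu>",
]


def triage(headers):
    """Map each From: header to its list of reasons, for a quick sweep of a mailbox."""
    return {header: check_sender(header) for header in headers}


if __name__ == "__main__":
    for header, reasons in triage(SAMPLE_HEADERS).items():
        print("FLAG" if reasons else "ok  ", header, "; ".join(reasons))
```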

New Electronic Data and System Risk Classification Policy

Please note that NYU IT has replaced two data-centric policies (Data Classification Table and Reference for Data and System Classification) with the new Electronic Data and System Risk Classification Policy, which incorporates necessary General Data Protection Regulation (“GDPR”) data-centric information. Please consult this policy for information on how NYU classifies information assets into risk-based categories and the security precautions that must be taken to protect these assets from unauthorized access. It is recommended that this policy be read in conjunction with the Data and System Security Measures policy, which details the specific security measures that apply to each data and system classification.

Marriott Breach Update

As an update to our 12/05/18 post on the Marriott breach, please be advised that Marriott has provided an update on this security incident, which details the number of guests, passport numbers and payment cards impacted by the breach as well as guest monitoring/support resources. Marriott states that they will be putting a mechanism in place whereby designated call center reps will be able to refer guests to appropriate resources to check whether their individual passport numbers were among the unencrypted passport numbers that were exposed. Marriott will update its designated website for this incident (https://info.starwoodhotels.com) once this mechanism is in place.

Windows & Windows Server Vulnerabilities – update asap

The US-CERT (United States Computer Emergency Readiness Team) has issued an advisory regarding two vulnerabilities found in Microsoft Windows and Windows Server. Successful exploitation of either vulnerability could allow a remote actor to take control of an affected system. Microsoft has patched both of these vulnerabilities via the January Patch Tuesday update, and it is recommended that users/admins apply the most recent update asap. CVE-2018-8611 is a Windows Kernel Elevation of Privilege Vulnerability impacting supported Windows client and server versions. CVE-2018-8626 is a Windows DNS Server Heap Overflow Vulnerability affecting Windows servers configured as DNS servers.

Netflix Phishing Scam

Please be advised of a Netflix phishing scam warning that “Your account is on hold” and asking you to update your payment information via an embedded “Update Account Now” link. The following is a sample of this phishing message.

Screenshot of a Netflix phishing message with banner text stating "Please update your payment details"

Please be reminded:

  • that an email from a familiar company requesting credential input or an update of payment/account information via an embedded link is a common scam tactic designed to steal your sensitive information.
  • to be suspicious of unexpected links and attachments in email, text messages and social media messaging. Always be sure that you are visiting a legitimate (vs. spoofed) website by typing the site URL directly into your browser’s address bar.
  • to scan messages for expected tone/language and grammar usage. For example, the message above employs a salutation of “Hi Dear”, which is not a salutation Netflix would use, and suggests that if you need help, you should visit the Help Centre (vs. Center).
  • that @nyu.edu email accounts are protected by URL Defense, which automatically rewrites URLs in all incoming external email messages and protects you at the time you click a link by blocking malicious sites. Please see the URL Defense FAQs for more information.

If you were a victim of this scam, it is recommended that you:

  • contact the financial institution associated with the payment information you entered as this information has been compromised.
  • change your Netflix password. If you use the same password on other accounts (not a recommended practice) change these passwords as well.
  • report it to: phishing@netflix.com and the FTC at spam@uce.gov.
