NYU Wordpress Theme

Amazon Alexa Privacy Alert

Please be advised that Amazon has staff monitoring queries made to Amazon Alexa-enabled Echo smart speakers in an attempt to improve product accuracy. Apparently, while the monitored recordings do not provide full names, they do connect to an account name, a user’s first name and the device serial number. According to Bloomberg, employees working in Costa Rica, India and Romania parse as many as 1,000 audio clips per shift. The recordings are transcribed, annotated and fed back into the software to help correct gaps in Alexa’s understanding of human speech and voice commands.

According to Amazon, unless Echo detects the default or custom wake word or is activated by the press of the button, no audio is stored. However, Alexa sometimes records absent a prompt, and reviewers are required to transcribe these recordings as well.

It is recommended that users review their Alexa privacy settings. To disable the use of voice recordings for the development of new features, go to the Alexa app and go to Alexa account=>Alexa privacy=>Manage how your data improves Alexa. Please note that Amazon has stated that users who opt-out may still have their recordings analyzed by hand in the review process. 

Resources:

Security Update Available for Apache Tomcat

Due to a vulnerability detailed in CVE-2019-0232, users and admins are advised to update the following Apache Tomcat versions. The update addresses a remote code execution vulnerability on Windows, whereby a remote attacker could take control of an affected system. Specific mitigation steps can be found below.

Versions Affected:

  • Apache Tomcat 9.0.0.M1 to 9.0.17
  • Apache Tomcat 8.5.0 to 8.5.39
  • Apache Tomcat 7.0.0 to 7.0.93

Mitigation:

Users of affected versions should apply one of the following mitigations:

– Ensure the CGI Servlet initialisation parameter enableCmdLineArguments is set to false

– Upgrade to Apache Tomcat 9.0.18 or later 

– Upgrade to Apache Tomcat 8.5.40 or later 

– Upgrade to Apache Tomcat 7.0.93 or later 

Silent Librarian Phishing Campaign

The Office of Information Security (“OIS”) has been made aware of a phishing campaign dubbed “Silent Librarian” that is targeting the NYU community. This phishing campaign is designed to steal login credentials, and has been targeting universities, companies and government agencies around the world. Silent Librarian has targeted more than 300 universities in 22 countries, and the cost to universities alone is estimated to be around 3.4 billion.

The following is an example of a Silent Librarian phishing message.

Screenshot of a Silent Librarian phishing message alerting recipient that their library access will soon expire and to reactivate via the embedded URL.

Please note that these phishing messages often arrive from spoofed sender email addresses, and appear to be signed by actual Library personnel. The subject lines of these messages have remained consistent over time and tend to be “Library Account”, “Library Notifications”, or “Library Services” with the name of the university sometimes appended to the subject. The phishing ‘tells’ in this email message are the incorrect library address, and the embedded link, which takes users to a spoofed login prompt.  Although the embedded link contains familiar elements, please be reminded to look for “https://shibboleth.nyu.edu” in the typed link, link preview and in your browser’s address bar once you’ve clicked a link.

Further, because links can be spoofed (the destination URL is not the same as the typed URL), the following are recommended best practices:

  • Never click embedded links or open attachments in unexpected email.
  • When in doubt of the legitimacy of an email message, contact the sender using a trusted means of communication, such as the sender’s NYU Directory phone number.  

If you have fallen for this phishing campaign, please change your NetId password asap via: https://start.nyu.edu/.

Resources:

 

Apache HTTP Servers – Update now

A patch has been released for Apache HTTP servers, which addresses a critical vulnerability with a Common Vulnerability Scoring System (“CVSS”) score of 8.8, and is identified as “Carpe Diem”, CVE-2019-0211. The flaw affects Apache HTTP Server versions 2.4.17 to 2.4.38, and could provide an attacker with root admin control on Unix-based systems. Windows servers are not affected, however recent Linux distributions are impacted. It is recommended that you update to version 2.4.39 asap.

For more information, please see:

Leaky Third-Party Facebook Apps

There has been a reported breach of Facebook data that was acquired by third-party apps. The leaky apps include:

  • “Cultura Colectiva”, a Latin American social networking collective with a database exceeding 500 million entries. Exposed data includes Facebook ID’s, likes, friends and more.
  • “At the Pool”, which is an app that has not been in use since 2014. Exposed data includes names, email addresses, Facebook IDs and 22,000 plaintext user passwords.  

Recommendations (courtesy of NakedSecurity):

  • Review your Facebook apps and permissions. To do so, go to https://www.facebook.com/settings and choose Apps and Websites from the menu on the left. Using the list of apps and websites, remove those you no longer wish to use and re-review the permissions settings for those you wish to keep.
  • Review your Facebook privacy settings via the Privacy menu on the Settings screen where you can access the Privacy Settings and Tools page.
  • Strengthen your login with 2FA via the Security and Login page.

For more information, please see: