
LinkedIn phishing targeting students

Phishing can come in many guises. People are familiar with emails that ask them to “confirm their details immediately” and know not to click on them. Just as common, though, are social engineering attacks that arrive through social media such as Facebook and Twitter. In this case, a community member has reported a campaign targeting NYU students and alumni via LinkedIn messaging. Note how the initial message uses urgency and an implied threat to entice people to click on the link:

(linkedin messaging screen) Seems you have some haters on the NYU Community here is the article (fraudulent tinyURL link)

The link uses a URL shortener to further hide the real destination. If the person does click, they are taken to a fake login page whose URL does not belong to nyu.edu, and the page itself is somewhat suspect. In other cases, the URL may contain “nyu.edu” as part of the address but not as the site where the page is hosted, for example: http://www.IamAcrook.com/nyu.edu

(screenshot: the fake page, which emulated NYU Login in order to trick people into giving away their NYU username and password)
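A small triage check that applies the rule above (only the hostname decides, not where “nyu.edu” appears in the address), as an added example that is not part of the original post. The trusted domain and the shortener list are assumptions for illustration, not an NYU IT allow-list.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the institution's own domain.
TRUSTED_DOMAIN = "nyu.edu"

# Well-known URL-shortener hosts. A link to one of these cannot be judged
# without following it, so it is reported separately rather than trusted.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "ow.ly"}

LINK_RE = re.compile(r"https?://[^\s)>\]]+")


def classify_link(url: str) -> str:
    """Return 'trusted', 'shortener' or 'suspicious' for one link.

    Only the hostname is considered: 'nyu.edu' appearing in the path, in
    the user-info part before an '@', or as a prefix of some other domain
    does not make the link trusted.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious"
    if host in SHORTENERS:
        return "shortener"
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    return "suspicious"


def triage_message(text: str) -> dict:
    """Map every link found in a message to its classification."""
    return {link: classify_link(link) for link in LINK_RE.findall(text)}


if __name__ == "__main__":
    # Constructed sample message in the style of the one quoted above.
    sample = ("Seems you have some haters on the NYU Community, here is "
              "the article http://www.IamAcrook.com/nyu.edu and "
              "https://tinyurl.com/EXAMPLE")
    for link, verdict in triage_message(sample).items():
        print(f"{verdict:10s} {link}")
```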


So, remember to be careful of unsolicited messages, whatever platform you get them on.


Adobe releases patches for 60+ vulnerabilities

On November 14, Adobe released patches to fix numerous security flaws, including serious issues with Adobe Flash and Reader. These vulnerabilities affect Mac, PC and Chrome OS. In order to protect against these and future vulnerabilities, you should make sure that automatic updates are set:

https://helpx.adobe.com/flash-player/kb/flash-player-background-updates.html

and remember to restart your browser on a regular basis to ensure that any updates are fully applied.

This is just the latest reminder of the serious security issues associated with running Flash. NYU IT recommends that you uninstall it completely by downloading and running the Uninstaller from adobe.com. If you enabled Flash to complete the Benefits Annual Enrollment process, this is a good time to remove it. In addition, Adobe has announced that Flash is being retired by 2020 and replaced with newer interactive media, such as HTML5.

If you need to run Flash, require permission before the plugin runs, so that you can control the circumstances in which it is used. You can set this up via the Adobe Settings Manager website (which, ironically, requires Flash to run) to “Always Ask” before performing functions.

https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

or check the instructions for your browser below:

If you would like more information on the specific vulnerabilities addressed by these updates, see:

New Wireless Vulnerabilities: KRACK

A security researcher recently demonstrated that there are fundamental flaws in WPA2, the protocol that manages encryption for wireless connections. These flaws, if exploited properly, allow an attacker to see all the traffic passing between a target computer/phone/smart device and their destination.

This attack is not easy to execute and is not yet being widely used, but it impacts any device that connects using WPA2, including phones, computers, and other devices such as wireless TVs, game consoles, Amazon Echo, etc.

How does this affect NYU?

We use Cisco equipment and have already enabled the recommended workaround. Patches will be applied as soon as they are available.

What can I do?

As always, the most important thing is to apply updates for your computer and mobile devices promptly. Last month’s Windows patch already included its fix for this vulnerability and Apple released their fixes this week.

Vendors were informed of this vulnerability before it was made public and have been working on fixes. Here are some that have been released:

Can you explain the hack in more detail?

When an individual initially connects to Wi-Fi, before they visit any websites, their laptop or phone performs something called a four-way handshake. This process checks that the password the user has provided is correct and establishes the encrypted connection between the wireless router and the device. The researcher showed a way to interfere with that initial handshake between your device and the Wi-Fi router that allows an attacker to decrypt the traffic you exchange over Wi-Fi. For this to work, the attacker must be physically close to the victim.

Once the attack is successful, the attacker can do many malicious things, for example inject malware into otherwise legitimate sites. Using other widely available tools, the attacker could also break web encryption, meaning that they would be able to see all of your sensitive traffic, including, for example, banking information or credit card transactions.

References:

Full explanation of vulnerability: https://www.krackattacks.com/

Vulnerability Notes DB: https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

List of Updates available:

https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it

WordPress SQL injection vulnerability, patch ASAP to 4.8.3

A security researcher has disclosed a SQL injection vulnerability in WordPress 4.8.2, so any WordPress install should be updated to 4.8.3 as soon as possible. This is particularly important for groups that run their own WordPress installation(s), since WordPress is an extremely common target for attackers. If you support web servers where clients perform their own WP installs, please make sure that they receive this notification.

SQL injection attacks consist of placing SQL code in the input data sent from a client to the application so that it becomes part of a query. That is, the code is “injected” through the input. If successful, the exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the contents of a given file present on the DBMS file system and, in some cases, issue commands to the operating system.
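To make the definition above concrete, here is an added example (not WordPress code and not the vulnerability disclosed above) showing the same lookup written two ways against a constructed, WordPress-shaped users table in SQLite: one that pastes client input into the query text, and one that binds it as a parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, shaped like WordPress's wp_users table
    # (only two of its real columns are used here).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_users (user_login TEXT, user_email TEXT)")
    con.executemany(
        "INSERT INTO wp_users VALUES (?, ?)",
        [("alice", "alice@example.edu"), ("bob", "bob@example.edu")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_login: str) -> list:
    # Client input is spliced straight into the SQL text, so anything the
    # client sends is parsed as part of the query: this is the injection.
    sql = ("SELECT user_login, user_email FROM wp_users "
           "WHERE user_login = '%s'" % user_login)
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, user_login: str) -> list:
    # The query text is fixed; the input travels as a bound parameter and
    # is compared as data, never interpreted as SQL.
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = ?"
    return con.execute(sql, (user_login,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the quoted string and appends a
    # condition that is always true.
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))  # every row
    print("safe:      ", lookup_safe(db, crafted))        # no rows
```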

wp.nyu.edu is externally hosted and is planned to be updated as soon as testing is complete.


Resources

https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

https://www.welivesecurity.com/2017/11/01/wordpress-update-now/

https://www.owasp.org/index.php/SQL_Injection

Ransomware Reminder

With the return of newer strains of the Locky malware, ransomware remains a top threat for all computer users. Ransomware is malicious software that usually arrives via email with subjects such as “please print” or “document”. When the user clicks the attachment, a script runs to download additional software which encrypts the user’s hard drive, as well as any attached drives.

Even if the malware has different names or uses different attachments, the steps you take to protect the data entrusted to you are the same. Take this opportunity to review the resources we have available, starting with our Connect article on Ransomware scams here, as well as the alerts on ransomware in the NYU IT Security News & Alerts Blog below. If you have questions, please feel free to send email to security@nyu.edu.


Resources

New Ransomware Alert “Petya” https://wp.nyu.edu/itsecurity/2017/06/28/new-ransomware-alert-petya/

WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, and Wanna Decryptor) Malware/Ransomware https://wp.nyu.edu/itsecurity/2017/05/16/update-5162017-re-wannacry-also-known-as-wannacrypt-wanacrypt0r-2-0-and-wanna-decryptor-malwareransomware/

New Ransomware exploits MS vulnerability, spreading quickly https://wp.nyu.edu/itsecurity/2017/05/12/new-ransomware-exploits-ms-vulnerability-spreading-quickly/

Locky/Osiris Ransomware Alert https://wp.nyu.edu/itsecurity/2016/12/07/lockyosiris-ransomware-alert/

Locky Ransomware Spreading via JavaScript (.js) Attachments https://wp.nyu.edu/itsecurity/2016/03/29/locky-ransomware-spreading-via-javascript-js-attachments/

Locky Ransomware Alert https://wp.nyu.edu/itsecurity/2016/02/19/locky-ransomware-alert/

The Return of Locky https://www.itgovernance.co.uk/blog/the-return-of-locky-a-closer-look-at-2017s-largest-malware-campaign/


Important VMware update

VMware has issued a critical security alert for

  • VMware ESXi (ESXi)
  • VMware vCenter Server
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

regarding a number of issues. The most important is an out-of-bounds write vulnerability in VMware’s products that allows guests to break out of their isolation. This means a malicious actor who has compromised a virtual machine could escape its constraints and execute malicious code on the host the VM is running on. Anyone running these applications should check VMware’s site (below) and apply the appropriate patches as soon as possible.


References:

https://www.vmware.com/security/advisories/VMSA-2017-0015.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4924

FTC Issues Alert on Equifax Phishing Scams

The Federal Trade Commission (FTC) released an alert warning consumers to be wary of calls or emails purporting to be from Equifax agents. As with other phishing scams, the phishers are pretending to be Equifax representatives asking for “verification” of your information. Legitimate Equifax employees will not be contacting people to ask for this information. For up-to-date information on the breach, you can check the site Equifax has set up: https://www.equifaxsecurity2017.com/

For NYU-related spam or fraud, please contact NYU IT Office of Information Security at security@nyu.edu. For commercial fraudulent calls and emails, use the FTC Complaint Assistant <https://www.ftccomplaintassistant.gov/#crnt&panel1-1>

Resources:

https://www.consumer.ftc.gov/blog/2017/09/equifax-isnt-calling

https://www.equifaxsecurity2017.com/

US-CERT Tips on Avoiding Social Engineering and Phishing Attacks <https://www.us-cert.gov/ncas/tips/ST04-014>

Preventing and Responding to Identity Theft <https://www.us-cert.gov/ncas/tips/ST05-019>


New Ransomware exploits MS vulnerability, spreading quickly

Update #2: May 15, 2017

The ransomware worm that takes advantage of a vulnerability in the Windows operating system remains a threat.

Please see the below PDF for a copy of an urgent security alert message from NYU CIO Len Peters. This message, relating to steps you should take to protect the data on Windows computers from the ransomware attack, was distributed to the entire NYU community via email on May 14 at 11:07pm ET. Should you have any questions or concerns about this message or the instructions it contains, please contact the NYU IT Service Desk, open 24×7: www.nyu.edu/it/servicedesk.

Download (PDF, 98KB)

Update #1: May 12, 2017

The following links will assist in determining which patch to apply, and both provide patch downloads: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 or http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212

Additional Resources:

https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/

https://www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html

Original post: May 12, 2017

A new ransomware worm, dubbed Wanna DecryptoR 2.0 and #WannaCry, has been spreading quickly throughout locations around the world. Particularly hard hit was the UK National Health Service (NHS). The malware spreads via a malicious link in an email phishing message and takes advantage of a vulnerability in the Windows operating system that was identified by the NSA and released by the hacking group “Shadow Brokers” several weeks ago. The good news is that Microsoft has already patched this vulnerability back in March. For more information on ransomware, read this article in Connect https://wp.nyu.edu/connect/2016/09/22/ransomware-scams/

You should take this opportunity to make sure that your Windows systems are patched and up to date, and if you have not restarted your computer recently, do so, to ensure that any applied patches take effect.

Gooligan/Googlian Android Malware steals Google credentials

Researchers at Checkpoint, Inc. have found a family of malware which, when installed on vulnerable Android OS version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop), gives the attacker full control of the device. It then steals Google credentials to give the attackers access to all Google apps. The malware can be downloaded via a link in a phishing email or text message, or be installed through software downloaded from a third-party site. According to the researchers, more than one million accounts may have been compromised. About 57 percent of devices infected by Gooligan are located in Asia, about 19 percent in the Americas, about 15 percent in Africa, and about 9 percent in Europe.

Google has been actively shutting down compromised accounts as they are found, and has made available instructions for “Verify Apps” https://support.google.com/accounts/answer/2812853?hl=en so that people can check the apps they have and prevent installation of malicious software in the future. There is also a list of known infected apps at the Checkpoint URL listed below in the notes.

Notes:

http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

http://arstechnica.com/security/2016/11/1-million-android-accounts-compromised-by-android-malware-called-gooligan/

Critical AppleOS updates

Following last week’s announcement of iOS critical vulnerabilities and their patches, Apple has issued similar patches for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. See details on the vulnerabilities in our last post and below for links to the updates and more details.

More info here: https://support.apple.com/en-us/HT207130

https://www.grahamcluley.com/2016/09/mac-users-vulnerable-state-sponsored-trident-attack-fixed-ios-week-patch/