NYU Wordpress Theme

Social Security Administration Phone Scam Alert

Please be advised that the Social Security Administration (“SSA”) has noted a skyrocketing of fraudulent calls purporting to come from the SSA. These imposter scam phone calls have been reported to include the following scare tactics:

  • calls alerting you that your social security number has been suspended due to suspicious activity or due to involvement a crime.  
  • robocalls regarding the “reactivation” of your social security number. These calls  suggest that you should “press 1” to speak to a government support representative for help reactivating your social security number.

Further, scammers may advise you to:

  • withdraw funds for safekeeping or store money on gift cards in the event your assets are frozen. Scammers will then seek to steal the value of gift cards purchased by requesting the codes on the back of the gift cards.
  • withdraw cash and convert it into digital currency by depositing it in a Bitcoin ATM (where it’s accessible to them/thieves).

SSA scam calls appear to be coming from a spoofed SSA phone number. The number displaying in caller ids is the SSA’s fraud hotline number (1.800.269.0271). The SSA has advised that legitimate requests to confirm information will not come from the fraud hotline number. They also advise that they will never seek to confirm your SSN, ask you to send money or threaten you. If in doubt of the legitimacy of a call, you can contact the SSA’s main number: 1.800.772.1213 to confirm.

It is recommended that you do not provide your social security number or other sensitive information to unverified callers. If you have already done so, visit IdentityTheft.gov/SSA for recommendations. Imposter scam can be reported to the FTC at FTC.gov/complaint.


Update: Amazon Alexa Privacy Alert

As an update to our April 26th blog post entitled “Amazon Alexa Privacy Alert”, two lawsuits have been filed seeking class-action status regarding Amazon Alexa Echo Dot privacy issues. One lawsuit has been filed in the state court and the other has been filed in federal court. Both suits allege the routine recording of children and the indefinite storage of these voiceprints by Alexa without consent. Both suits also state that the technology is in violation of the laws of nine states, which require consent of all parties when recording, and the lawsuits seek fines, the deletion of existing recordings and prior consent for the future recording of minors.

Please note the following options and instructions for deleting recordings from Amazon Alexa (courtesy of Kim Kommando):

To delete existing recordings:

  • Go to the Alexa app and access the main menu by tapping the three lines on the top left of your screen.
  • Tap Settings, Alexa Privacy
  • Tap Review Voice History
  • From here you can delete the data for a specific day or delete All History

There is also a new feature in Amazon’s latest product, Echo 5, which will allow you to say “Alexa, delete everything I said today” or “Alexa, delete what I just said”. To enable this feature on your device:

  • Go to the Alexa app and access the main menu by tapping the three lines on the top left of your screen.
  • Tap Settings, Alexa Privacy, Review Voice History
  • Slide the toggle to the right of the option Enable deletion by voice

For more information on this and other Amazon Alexa privacy issues, please see: https://threatpost.com/amazon-alexa-secretly-records-children/145708/

Additionally, Amazon has launched an Alexa privacy hub, which can be accessed here: https://www.amazon.com/Alexa-Privacy-Hub/b?ie=UTF8&node=19149155011

Supplemental Resources:

The Ins & Outs of Text Message Phishing

Although phishing threats most commonly occur via email, please be reminded that phishing threats also occur via phone calls, social media updates and text messages. What all phishing threats have in common is that they are social engineering attempts designed to steal information or install malware.  

Text message phishing, also known as “smishing”, often attempts to lure victims with promises of free gifts, deals and debt relief. Scammers may also send messages that purport to come from trusted institutions, such as your bank, a government agency or a charitable organization. Clicking the links supplied in these messages may:

  • direct you to a spoofed website designed to look like the website of a trusted entity in an attempt to steal your credentials or money.
  • install malware on your device, such as ransomware, spyware or cryptocurrency mining code.  

Businesses and other entities commonly use numerical text message shortcodes, which allow you to send a one word answer in response to a message received. As you may know, these shortcodes can be used to trigger transactions, which will appear on your service provider’s bill. For example, if you text “PREVENT” to shortcode 90999, you will donate $10 to the American Red Cross Disaster Relief Fund. Please be advised that scammers may seek to steal money by posing as legitimate entities seeking donations or purchases via shortcodes. A recommended best practice is to check all shortcodes prior to donating or purchasing using the The U.S. Short Code Directory (https://usshortcodedirectory.com/), which is a resource for determining the authenticity of shortcodes. You can search the directory by shortcode or brand.

Please note that sending unsolicited commercial text messages to wireless devices is illegal. A commercial sender must obtain your permission first. Exceptions include:

  • non-commercial text messages, including surveys or fundraising messages
  • text messages from a company with whom you have an established relationship

AT&T, T-Mobile, Sprint, Verizon subscribers can report phishing messages to their service provider by copying the original message and forwarding it, free of charge, to 7726 (SPAM). Unwanted commercial text messages may also be reported to the FTC. Receipt of a threatening text may be reported to the FBI Internet Crime Complaint Center (IC3).   

Supplemental Recommendations:

  • Be suspicious of strange looking numbers that are not cell numbers, such as “5000” which may be used by email to text services. Scammers may use these services when texting in an attempt to mask their identity.
  • Do not visit sites via embedded links in text messages. Instead visit sites by typing a known and trusted URL into your browser’s address bar.
  • Do not click links in unexpected text messages. Clicking malicious links may lead to the installation of malware, such as ransomware or spyware. 
  • When in doubt of the legitimacy of the message, confirm with the sender via a trusted means of communication.
  • Delete messages that ask you to provide or confirm personal information. Legitimate entities do not request information in this manner.
  • Do not reply to smishing messages. Replies confirm that your phone number is active and that you review messages received.


BlueKeep Vulnerability Update

As an update to our May 15th blog post, regarding the severe security flaw, now known as BlueKeep (CVE-2019-0708), which is a Remote Desktop Services Remote Code Execution Vulnerability, please be advised of the following supplemental security recommendations from the NSA:

  • Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used in RDP protocol and will block attempts to establish a connection.  Note: NYU IT has confirmed that the RDP protocol at port 3389 is blocked for incoming / ingress RDP traffic.
  • Disable remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.


Urgent Update for Older Windows Versions

Microsoft has asked users of the following Windows versions to urgently apply an update which is available today to protect against a potential widespread exploit:

  • Windows XP — users of Windows XP will need to manually download the update from Microsoft’s update catalog
  • Windows 7
  • Windows Server 2003
  • Windows Server 2008R2
  • Windows Server 2008

Patches can be found on Microsoft’s Customer Guidance for CVE-2019-0708 web page.

Please note that Windows versions 10, 8.1 and 8, as well as Windows Server 2019, Windows Server 2016, Windows Server 2012R2 and Windows Server 2012 are not impacted by this vulnerability.

Although Microsoft has not yet observed attacks, they have described this vulnerability as “wormable” meaning that malware exploiting this vulnerability has the ability to propagate from vulnerable system to vulnerable system in a similar fashion to the WannaCry ransomware attack in 2017, which also targeted older Windows versions. Notably, the patch to prevent WannaCry was released by Microsoft before the attacks began, but it nevertheless remains an active exploit.

Technical Details:

The vulnerability, identified as CVE-2019-0708, is a Remote Desktop Services (“RDS”) (formerly known as Terminal Services) remote execution vulnerability which requires no user interaction and would allow an unauthenticated malicious actor to execute arbitrary code on an affected system via Remote Desktop Protocol (“RDP”). An update will mitigate the vulnerability by correcting how RDS handles connection requests.  


Active Exploits in Confluence

Confluence critical vulnerabilities detailed in CVE-2019-3396, are WebDAV and Widget Connector vulnerabilities. The following are two attacks related to these vulnerabilities that are being actively exploited:

  1. the infection of servers with GrandCrab ransomware. Please be advised that there are currently no tools available to decrypt files affected by GandCrab version 5.2 (which is being used in this attack).
  2. the distribution of Kerberods malware, which is a combination of a Monero crypto-miner and a rootkit to obfuscate activity. 

Atlassian recommends upgrading to the latest version (6.15.1), and has also provided recommendations for versions that cannot be upgraded. For more information, see the Confluence Security Advisory – 3019-03-20.


Pirated Streaming Devices Are No Bargain

Researchers from Dark Wolfe Consulting, a cybersecurity consulting firm and the Digital Citizens Alliance (“DCA”), which is a consumer focused group dedicated to making the internet safer have analyzed six pirated streaming devices using the Kodi platform and found that they are rigged with malware and open doors for malware entry.

Kodi devices are sometimes called “Kodi boxes” or “jailbroken Fire TV Sticks” and look like legitimate streaming devices, and are cheap in comparison to Apple TV or Roku. The price users pay upfront gives them access to illegally provided content. Researchers equate the use of one of these devices to letting a “Trojan horse in through the front door” for the following reasons:

  • these devices allow hackers to bypass the security of home network router firewalls.
  • normal security features and precautions are either not available or not in use to accommodate the illegal streaming of content.
  • users often have to turn over full admin access, which includes access to the device’s memory, location history and other security features.
  • malware can be used to snare devices into a botnet for use in cyber attacks or cryptocurrency mining.
  • sensitive information stored on devices, such as credit cards, passwords and photos are vulnerable to exploit.


Today is National Password Day

National Password Day is all about caring, but no sharing! Remember, do not use passwords that can be easily guessed . . . . 

Image with "No Nicknames", "No Birthdays", "No Quotations" and "No Pets"

Image courtesy of nakedsecurity 

Please also be reminded to activate Multi-Factor Authentication (“MFA”)  on all available accounts as MFA protects you if your credentials get compromised by requiring authentication via devices that you own/register. For information on NYU MFA, see: http://www.nyu.edu/it/mfa

For more information, please see:

  • https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security
  • Connect, Under Lock and Passphrase


Amazon Alexa Privacy Alert

Please be advised that Amazon has staff monitoring queries made to Amazon Alexa-enabled Echo smart speakers in an attempt to improve product accuracy. Apparently, while the monitored recordings do not provide full names, they do connect to an account name, a user’s first name and the device serial number. According to Bloomberg, employees working in Costa Rica, India and Romania parse as many as 1,000 audio clips per shift. The recordings are transcribed, annotated and fed back into the software to help correct gaps in Alexa’s understanding of human speech and voice commands.

According to Amazon, unless Echo detects the default or custom wake word or is activated by the press of the button, no audio is stored. However, Alexa sometimes records absent a prompt, and reviewers are required to transcribe these recordings as well.

It is recommended that users review their Alexa privacy settings. To disable the use of voice recordings for the development of new features, go to the Alexa app and go to Alexa account=>Alexa privacy=>Manage how your data improves Alexa. Please note that Amazon has stated that users who opt-out may still have their recordings analyzed by hand in the review process. 


Security Update Available for Apache Tomcat

Due to a vulnerability detailed in CVE-2019-0232, users and admins are advised to update the following Apache Tomcat versions. The update addresses a remote code execution vulnerability on Windows, whereby a remote attacker could take control of an affected system. Specific mitigation steps can be found below.

Versions Affected:

  • Apache Tomcat 9.0.0.M1 to 9.0.17
  • Apache Tomcat 8.5.0 to 8.5.39
  • Apache Tomcat 7.0.0 to 7.0.93


Users of affected versions should apply one of the following mitigations:

– Ensure the CGI Servlet initialisation parameter enableCmdLineArguments is set to false

– Upgrade to Apache Tomcat 9.0.18 or later 

– Upgrade to Apache Tomcat 8.5.40 or later 

– Upgrade to Apache Tomcat 7.0.93 or later