
Security Update Available for Apache Tomcat

Due to a vulnerability detailed in CVE-2019-0232, users and admins are advised to update the following Apache Tomcat versions. The update addresses a remote code execution vulnerability on Windows, whereby a remote attacker could take control of an affected system. Specific mitigation steps can be found below.

Versions Affected:

  • Apache Tomcat 9.0.0.M1 to 9.0.17
  • Apache Tomcat 8.5.0 to 8.5.39
  • Apache Tomcat 7.0.0 to 7.0.93

Mitigation:

Users of affected versions should apply one of the following mitigations:

  • Ensure the CGI Servlet initialisation parameter enableCmdLineArguments is set to false
  • Upgrade to Apache Tomcat 9.0.18 or later
  • Upgrade to Apache Tomcat 8.5.40 or later
  • Upgrade to Apache Tomcat 7.0.93 or later
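The two checks an administrator wants after reading the advisory above are "is my Tomcat build in an affected range?" and "is the CGI Servlet, if it is enabled at all, running with enableCmdLineArguments explicitly set to false?". The Python below is an added example, not code from the advisory or the Tomcat project: it encodes the affected ranges listed above and parses a web.xml (conf/web.xml or an application's WEB-INF/web.xml) looking for servlet definitions whose class is org.apache.catalina.servlets.CGIServlet. The sample web.xml at the bottom is constructed for the example; the servlet names in it are made up.

```python
import xml.etree.ElementTree as ET

# Affected ranges as listed in the advisory: (major, minor) -> last affected patch level.
AFFECTED = {(9, 0): 17, (8, 5): 39, (7, 0): 93}

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def is_affected_version(version):
    """True if a Tomcat version string (e.g. '8.5.39', '9.0.0.M1') falls in an affected range."""
    parts = version.strip().split(".")
    try:
        major, minor, patch = int(parts[0]), int(parts[1]), int(parts[2])
    except (IndexError, ValueError):
        raise ValueError("unrecognised Tomcat version: %r" % version)
    last_affected = AFFECTED.get((major, minor))
    return last_affected is not None and patch <= last_affected


def _local(tag):
    # web.xml declares a default namespace, so tags arrive as '{uri}servlet'; keep the local name.
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def audit_cgi_servlets(web_xml):
    """One finding per CGIServlet definition: its name, the enableCmdLineArguments value
    (None when absent) and whether it is explicitly 'false' as the advisory requires.
    Commented-out <servlet> blocks (the shipped default) are not parsed, so not reported."""
    root = ET.fromstring(web_xml)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, cls, params = None, None, {}
        for child in servlet:
            kind = _local(child.tag)
            if kind == "servlet-name":
                name = _text(child)
            elif kind == "servlet-class":
                cls = _text(child)
            elif kind == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = _text(p)
                    elif _local(p.tag) == "param-value":
                        pvalue = _text(p)
                if pname:
                    params[pname] = pvalue
        if cls != CGI_SERVLET_CLASS:
            continue
        value = params.get("enableCmdLineArguments")
        findings.append({
            "servlet": name,
            "enableCmdLineArguments": value,
            "mitigated": value is not None and value.lower() == "false",
        })
    return findings


# Constructed sample: one CGI servlet left at the risky setting, one hardened, one unrelated servlet.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>cgiPathPrefix</param-name><param-value>WEB-INF/cgi</param-value></init-param>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>cgi-hardened</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for finding in audit_cgi_servlets(SAMPLE_WEB_XML):
        print(finding)
    for v in ("9.0.0.M1", "8.5.39", "7.0.93", "9.0.18"):
        print(v, "affected:", is_affected_version(v))
```

Run it against a real deployment by replacing SAMPLE_WEB_XML with the contents of each web.xml on the host; a servlet reported with "mitigated": False, together with an affected version, is the combination the advisory's first mitigation is meant to remove.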

Silent Librarian Phishing Campaign

The Office of Information Security (“OIS”) has been made aware of a phishing campaign dubbed “Silent Librarian” that is targeting the NYU community. This phishing campaign is designed to steal login credentials, and has been targeting universities, companies and government agencies around the world. Silent Librarian has targeted more than 300 universities in 22 countries, and the cost to universities alone is estimated to be around 3.4 billion.

The following is an example of a Silent Librarian phishing message.

Screenshot of a Silent Librarian phishing message alerting recipient that their library access will soon expire and to reactivate via the embedded URL.

Please note that these phishing messages often arrive from spoofed sender email addresses and appear to be signed by actual Library personnel. The subject lines of these messages have remained consistent over time and tend to be “Library Account”, “Library Notifications”, or “Library Services”, sometimes with the name of the university appended. The phishing ‘tells’ in this email message are the incorrect library address and the embedded link, which takes users to a spoofed login prompt. Although the embedded link contains familiar elements, please be reminded to look for “https://shibboleth.nyu.edu” in the typed link, in the link preview, and in your browser’s address bar once you’ve clicked a link.

Further, because links can be spoofed (the destination URL is not the same as the typed URL), the following are recommended best practices:

  • Never click embedded links or open attachments in unexpected email.
  • When in doubt of the legitimacy of an email message, contact the sender using a trusted means of communication, such as the sender’s NYU Directory phone number.
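The two tells described above, a link whose displayed text differs from its real destination and a host that merely contains the familiar “shibboleth.nyu.edu” inside a longer name, can both be checked mechanically. The Python below is an added example, not code from OIS or from this post: it pulls every anchor out of an HTML message body, compares the host the link actually points at with the host shown in the visible text, and rates the real host as trusted only on an exact match. The message body and the lookalike domains in it are constructed for the example (they use reserved .example names and are not real campaign indicators).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_LOGIN_HOST = "shibboleth.nyu.edu"


def host_of(url):
    """Lower-cased host part of a URL, or '' when the text is not a URL with a host."""
    try:
        return (urlsplit(url.strip()).hostname or "").rstrip(".")
    except ValueError:
        return ""


def classify_host(host, trusted=TRUSTED_LOGIN_HOST):
    """'trusted' only on an exact match; 'lookalike' when the trusted name is merely embedded
    in a longer host (shibboleth.nyu.edu.something.example); otherwise 'untrusted'."""
    if host == trusted:
        return "trusted"
    if host and trusted in host:
        return "lookalike"
    return "untrusted"


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._chunks = []

    def handle_data(self, data):
        if self._href is not None:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._chunks).strip()))
            self._href = None


def audit_links(html_body):
    """One finding per link: the host it really goes to, the host its visible text displays
    (when that text is itself a URL), whether the two differ, and the verdict on the real host."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        shown = host_of(text) if "://" in text else ""
        findings.append({
            "href": href,
            "actual_host": actual,
            "shown_host": shown,
            "mismatch": bool(shown) and shown != actual,
            "verdict": classify_host(actual),
        })
    return findings


# Constructed sample body: a spoofed link whose text looks right, a genuine link, and a bare "click here".
SAMPLE_MESSAGE = """
<p>Your library account is about to expire. Reactivate it below.</p>
<p><a href="https://shibboleth.nyu.edu.login-verify.example/idp">https://shibboleth.nyu.edu/idp/profile/SAML2</a></p>
<p><a href="https://shibboleth.nyu.edu/idp">https://shibboleth.nyu.edu/idp</a></p>
<p><a href="http://library-support.example/reactivate">click here</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_MESSAGE):
        print(finding)
```

The first link is the case the post warns about: the visible text is the real NYU login URL, but the href's host is shibboleth.nyu.edu.login-verify.example, so it is reported both as a mismatch and as a lookalike. Only an exact host match is rated trusted; substring presence of the familiar name is what makes a lookalike convincing, so it is treated as a warning sign rather than a pass.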

If you have fallen for this phishing campaign, please change your NetID password as soon as possible via: https://start.nyu.edu/.

Resources:


Apache HTTP Servers – Update now

A patch has been released for Apache HTTP Server that addresses a critical vulnerability with a Common Vulnerability Scoring System (“CVSS”) score of 8.8, identified as “Carpe Diem”, CVE-2019-0211. The flaw affects Apache HTTP Server versions 2.4.17 to 2.4.38 and could provide an attacker with root control on Unix-based systems. Windows servers are not affected; recent Linux distributions are. It is recommended that you update to version 2.4.39 as soon as possible.

For more information, please see:

Leaky Third-Party Facebook Apps

There has been a reported breach of Facebook data that was acquired by third-party apps. The leaky apps include:

  • “Cultura Colectiva”, a Latin American social networking collective with a database exceeding 500 million entries. Exposed data includes Facebook IDs, likes, friends and more.
  • “At the Pool”, an app that has not been in use since 2014. Exposed data includes names, email addresses, Facebook IDs and 22,000 plaintext user passwords.

Recommendations (courtesy of NakedSecurity):

  • Review your Facebook apps and permissions. To do so, go to https://www.facebook.com/settings and choose Apps and Websites from the menu on the left. Using the list of apps and websites, remove those you no longer wish to use and re-review the permissions settings for those you wish to keep.
  • Review your Facebook privacy settings via the Privacy menu on the Settings screen where you can access the Privacy Settings and Tools page.
  • Strengthen your login with 2FA via the Security and Login page.

For more information, please see:

Phone Scam Alert “Wangiri”

A widespread automated phone scam dubbed “Wangiri”, which is Japanese for “one ring and drop”, uses automated dialing machines to repeatedly dial phone numbers once before hanging up. Incoming calls may appear to come from a variety of phone numbers, including “unknown caller”, “no caller id”, or spoofed domestic or international phone numbers. Calls may even appear with three-digit area codes that look domestic but are associated with pay-per-call international phone numbers. The goal is to get the recipients/victims to call back and remain on the call as long as possible while the call is routed to a premium rate service, which can charge a connection fee and then bill victims for significant per-minute charges.

As it is not possible to block calls that are received from an “unknown caller” or “no caller id”, it is recommended that you do not answer unexpected calls, calls that you suspect may be spoofed, or return calls coming from unexpected or unknown phone numbers. If you return a call to an unknown number and hear an odd message, it is recommended that you immediately hang up. Further, if you do not frequently make international calls, you may want to consider asking your service provider to block all outgoing international calls.

Please see the following NJCCIC blog post for carrier specific call blocking options: Tired of Receiving Scam Calls? Don’t Just Sit There. Do Something About It. Additionally, if you have been a victim of an international phone scam, you can file a complaint with the Federal Trade Commission (“FTC”) at www.ftccomplaintassistant.gov.

Additional Resources:

Scammers Use Recent Disasters to Spread Malware

Please be advised that scammers use reports of recent disasters, such as the recent Boeing 737 Max crash, to spread malware. With respect to this recent crash, spam messages appear to be coming from a purported private intelligence analyst, “info@isgec.com”, who claims to share information found on the dark web about other airlines that will soon be impacted by similar crashes. The email requests that recipients forward it to loved ones. The email carries a JAR file attachment which, if opened, is believed to install the Houdini H-worm remote access trojan (“H-Worm RAT”), which can give a malicious actor remote control of a device, and Adwind, an information-stealing trojan.

Recommendations:

  • Refrain from forwarding unsolicited emails to others
  • Do not open unexpected attachments
  • Do not click embedded links in unexpected email messages
  • When in doubt, confirm the legitimacy of a message with the sender via a trusted means of communication, such as a known phone number

For more information, please see:

Windows Server Vulnerability in WDS

There is a remote code execution vulnerability with a critical severity rating on Windows Server (2008 SP2 and later). Microsoft disclosed the twelve vulnerabilities last November and supplied 62 patches. Servers which have not been updated are open to attack and should be patched as soon as possible. Specifically, CVE-2018-8476 affects how the Windows Deployment Services (“WDS”) Trivial File Transfer Protocol (“TFTP”) Server handles objects in memory. The bug can be remotely exploited by an unauthenticated actor via a specially crafted TFTP message to gain access to a system or service, such as Active Directory, DHCP, DNS, etc., and there are no available workarounds.

For more information, please see: https://www.helpnetsecurity.com/2019/03/07/windows-servers-compromise/

NYU Box: Reduce Unintended Disclosure via Link Sharing

Please be advised/reminded that when sharing folders or files via NYU Box, the Box “Share” option “Get Shared Link” (shown below), which appears to the right of listed folders/files, is by default restricted to “People in this folder” (click “Get Shared Link” to see this option).

Screenshot showing the "Get Shared Link" option circled in red. The other option displaying is "Invite Collaborators"

This selection can be changed via the drop-down arrow to the right, to “People with the link” or “People in your company” (as shown below).

Screenshot showing the above-described NYU Box dialog

Please be advised/reminded that if you select “People with the link” as your share setting, you are making the data contained in the folder/file accessible not only to those provided with the link, but to anyone who discovers the link. Public folders/documents can be scraped and indexed by search engines, making them easily found. Therefore, it is recommended that if you choose “People with the link” as your share option for any file/folder, you additionally visit “Settings” via the gear icon on the top right of the dialog (as shown below) and select either the “Require password” or “Disable Shared Link on” option.

Screenshot of NYU Box dialog showing the "People with the link" share setting and the "Settings" icon on the top right

Screenshot of NYU Box dialog "Shared Link Settings" showing the following options "Custom URL", "Password Protect', "Link Expiration" & "Allow Download", which is auto-selected by default. A red arrow points to "Password Protect" and "Link Expiration".


For additional information, please see:

Update Google Chrome Now

Users are advised to update their Google Chrome browser as soon as possible on all devices to the latest version, 72.0.3626.121. The security issue patched by this update is a zero-day vulnerability rated as “high severity”, and “Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild.” Please note that all previous versions of Google Chrome are vulnerable to attacks exploiting CVE-2019-5786.

The security issue is a use-after-free flaw, a memory mismanagement bug, in the browser’s FileReader API, which is designed to let the browser access and read locally stored files. It could potentially allow an attacker to execute arbitrary code and take over a device, or trigger a denial of service. Possible exploit consequences include data deletion and the installation of malware.

To manually update Google Chrome on a Mac:

  • Open Google Chrome
  • Click Chrome, About Google Chrome

Screenshot showing the Chrome Menu available when "Chrome" is clicked on the application menu bar

  • You will see the current version of Google Chrome running. Click Relaunch to apply any available update.

Screenshot showing the display of Google Chrome version information on the left side and the "Relaunch" button on the right side

  • Following a relaunch, you will see the following, informing you that Google Chrome is up to date.

Screenshot with text "Google Chrome is up to date" with the version number, 72.0.3626.121, beneath this text

For more information see:

Triout Android Spyware Reprise

Android malware dubbed Triout has re-emerged posing as the trusted online privacy application Psiphon to trick users into downloading it. The legitimate “com.psiphon3” package is available in Google Play, Google’s app store, and is advertised as a privacy tool that enables access to the open internet. The application has over 50 million installs and over 1 million reviews. The malicious version is bundled with Triout and is not available via Google Play.

Triout acts as spyware that collects device data and can record phone calls, log incoming text messages, record videos, access/take photos, and access location information. It also comes bundled with three adware components: Google Ads, Inmobi Ads and Mopub Ads. The legitimate and malicious Psiphon applications have a similar look and equivalent functionality, but the malicious version is built on v91 of the original application when distributing Triout spyware. The current version of the legitimate application is v241.

Recommendations:

  • Download apps from official marketplaces only.
  • Keep your device OS (operating system) and applications up to date.

Resource: