COVID-19 Fraud Alert

The U.S. Department of Health & Human Services, Office of the Inspector General, has issued a COVID-related Fraud Alert, and Barracuda reports a 521% spike in COVID-19-related phishing from October 2021 to January 2022. The goals of the scammers appear to be stealing sensitive information, including Medicare information, in order to perpetrate fraud […]

“Let’s Encrypt” Is Revoking Many Security Certificates on Friday, Jan. 28

Please note: No NYU IT-managed services will be impacted by the change described below. Let’s Encrypt is not an NYU-provided or NYU-supported service. This information is being shared as a courtesy and this change is not expected to impact many NYU community members. Let’s Encrypt, a non-profit organization that helps people obtain free SSL/TLS certificates […]

Recent Google Chrome Update Fixes 37 Security Flaws

A recent Chrome desktop update (97.0.4692.71) addresses 37 security issues, one of which is a critical use-after-free bug in the storage component that could lead to data corruption or execution of malicious code on a compromised machine. Users of Chrome on Windows, Mac and Linux are advised to update ASAP. For instructions on how to […]

Spyware Alert

The New York Times has reported on a Federal Government warning, issued to the public, about commercial spyware potentially infecting mobile devices. While there are different types of spyware “in the wild”, the focus has been on commercially developed spyware, dubbed “Pegasus”, which was created by the NSO Group, and is a “zero-click” vulnerability, requiring […]

Log4j an Evolving Attack

Due to the nature of the Log4j situation, vulnerabilities will be evolving over an extended period of time. It is our recommendation that all Admins do a daily check of the following web pages, and a periodic check of the CVEs listed herein, which are all being continually updated, to see if there are any […]

Log4j Critical Update

UPDATE, 12.20.2021: For the latest information on the Log4j cybersecurity threat as it emerges, please see the Cybersecurity & Infrastructure Security Agency (CISA) website. As an update to our December 10th and December 14th posts on Log4j, please be advised that although previous alerts advised updating to Log4j version 2.15.0, or higher, version 2.15.0 has […]

CISA Creates Web Page & GitHub Repository for Log4j Information

UPDATE, 12.20.2021: For the latest information on the Log4j cybersecurity threat as it emerges, please see the Cybersecurity & Infrastructure Security Agency (CISA) website. As an update to the recent post, Critical Zero-Day Java Vulnerability, please be advised that CISA (Cybersecurity & Infrastructure Security Agency) and its partners have set up a webpage to track the […]

Critical Zero-Day Java Vulnerability (Log4j)

UPDATE, 12.20.2021: For the latest information on the Log4j cybersecurity threat as it emerges, please see the Cybersecurity & Infrastructure Security Agency (CISA) website. Please be advised that the Java zero-day, dubbed Log4Shell, is being actively exploited. This critical vulnerability affects the Java utility Log4j versions 2.0-beta9 to 2.14.1, and is being tracked […]

Avoid Gift Card Scams This Holiday Season & Beyond

As an update to our prior blog posts on gift card scams, please be advised that gift card scams remain prevalent, and scammers are trying to trick you in new ways. We’ve reported on scammers posing as trusted individuals, groups or charitable organizations, seeking your assistance with gift card purchases, and then asking you for […]

Apache Server Critical Vulnerability is Being Actively Exploited

A Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2020-40438 and impacting Apache HTTP Server 2.4.48 and prior versions, has been patched. The CVSS score for this vulnerability is 9/10 (critical). This vulnerability allows unauthenticated malicious actors to force vulnerable HTTP servers to forward requests to arbitrary servers. There are reported exploits, and on […]