On February 22nd, The Wall Street Journal (“WSJ”) reported that 11 iOS and Android apps were purportedly sharing sensitive data with Facebook in apparent violation of Facebook’s own policies. The WSJ further reported that its tests showed Facebook collecting data from numerous apps within seconds of the user entering it. This appears to be the case even when a user is not logged into Facebook, and even if the user does not have a Facebook account at all. Following the initial WSJ report, the WSJ reported that certain apps had ceased sending data to Facebook.
Governor Cuomo has called on two state agencies, the New York Department of State and the Department of Financial Services, to investigate the issue of apps sharing data without explicit user consent. Further, Governor Cuomo has also asked federal regulators to “step up and help us put an end to this practice and protect the rights of consumers”. Reuters reports that “New York’s financial services department does not traditionally supervise social media companies directly, but has waded into digital privacy in the financial sector and could have oversight of some app providers that send user data to Facebook”.
For more information, please see:
Facebook has updated the location controls for Android devices to give users an additional option, bringing them in line with the options already available on iOS devices. Prior to this update, if you shared location information with Facebook on an Android device, your location would be shared even when you were not using the app. Android users will now have the following 3 choices with respect to Location Services in the Facebook app:
- Never: Your app can’t access your precise location
- While Using: Your app can access your precise location while you’re using the app
- Always: Your app can access your precise location even when you’re not using the app
Facebook has advised users that it is not changing user specified choices, nor does this update allow them to collect any new information. Users who have not enabled Location Services do not need to do anything, but Facebook requests that Android users who have enabled Location Services review their location settings to confirm their setting preference is correctly reflected.
The next major Android release, Android Q, is reported to add a location control similar to the iOS “only while the app is in use” option at the operating-system level, so that the choice no longer depends on each individual app offering it.
As a Data Privacy Day related advisory, please be reminded of the importance of protecting your personal and sensitive data by keeping operating systems and applications up to date on all of your devices. Devices running outdated operating systems or applications are commonly targeted by malicious actors seeking to exploit known security bugs and loopholes in programs and systems as a way to gain access to your data and sensitive information. Malicious actors rely on the simple fact that users/admins largely ignore updates/patching and thereby supply rich attack surfaces for anyone who can develop an exploit.
An example of this is the global WannaCry ransomware worm. WannaCry exploited a vulnerability in the Windows SMBv1 file-sharing service on systems that had not applied Microsoft’s March 2017 patch (MS17-010), including end-of-life versions such as Windows XP for which regular security support had already ended. Within a day of its outbreak in May 2017, WannaCry infected more than 230,000 computer systems in 150 countries and is estimated to have caused approximately $4 billion in financial losses. WannaCry variants remain active today, even though the patch that prevents infection was available roughly two months before the outbreak began.
Please be advised that the Office of Information Security (“OIS”) has seen a recent uptick in imposter scams. As an update to our posts on imposter scams and gift card scams (which are a type of imposter scam), please be on the alert and note the following 3 recent examples of these types of scams:
- Example #1 purports to come from an NYU executive and uses a sense of urgency, which is a common phishing ploy, to impel the recipient to action.
- Both examples #2 and #3 purport to come from NYU email addresses, and the sender’s email address in both examples contains familiar elements, email@example.com and firstname.lastname@example.org. Legitimate NYU email will always come from an address in the following format: [name/alias/or NYU NetID]@nyu.edu. An address that merely contains “nyu” before the @ sign, or that ends in some other domain, is not an NYU address.
- Both examples #2 and #3 also use a sense of urgency to impel the recipient to action.
- Although text in Example #3 states “You can only talk to me through Email”, please be reminded that it is a recommended best practice to confirm urgent or sensitive email requests via a trusted means of communication, such as a phone call to a trusted phone number (for example, a number listed in the NYU Directory), rather than by replying to the message itself.
- When viewing your NYU Gmail on mobile devices you may not see the sender’s email address displayed in its entirety. To see the full address, click “View Details” or tap the “>” to the right of the sender’s name.
- However, since the sender’s email address can be “spoofed”, confirmation with the sender as per the above-stated best practice is the top recommendation for verifying sensitive or urgent requests. A correct-looking address is a necessary but not sufficient sign that a message is genuine.
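The two checks described above (is the address exactly an @nyu.edu address, and does the message lean on urgency or “email only” pressure) can be applied mechanically as a first pass. The following is an added example written for this post, not code from NYU IT or from any mail filter; the domain rule is the one stated above, while the urgency phrase list and the sample messages are constructed for illustration. Because the From header can be spoofed, a message that passes every check here is still only “no obvious red flag”, which is why the code reports whether out-of-band confirmation is still advisable rather than declaring anything safe.

```python
"""Added example: first-pass checks on a message's From header and body.

Rule from the post: legitimate NYU mail is always <something>@nyu.edu, and the
displayed address can be spoofed, so passing is not proof of legitimacy.
"""
from email.utils import parseaddr

# The only legitimate domain per the post. An exact match is required, so
# look-alikes such as "nyu.edu.example.org" or "nyu-edu.com" do not pass.
LEGIT_DOMAIN = "nyu.edu"

# Pressure cues the post associates with imposter scams. Constructed list for
# illustration; a real filter would use a maintained ruleset.
URGENCY_PHRASES = (
    "urgent", "right away", "immediately", "asap",
    "only talk to me through email", "can only communicate by email",
)


def check_sender(from_header):
    """Inspect a raw From header value and return findings.

    'plausible' is True only when the address domain is exactly nyu.edu and no
    look-alike indicator fires. The header may still be spoofed.
    """
    display_name, address = parseaddr(from_header)
    local, sep, domain = address.rpartition("@")
    domain = domain.lower()
    findings = []

    if not sep or not local or not domain:
        return {"address": address, "plausible": False,
                "findings": ["unparseable or missing address"]}

    if domain != LEGIT_DOMAIN:
        findings.append(f"domain is {domain!r}, not {LEGIT_DOMAIN!r}")
        # Familiar elements placed where a skimming reader expects them:
        # "nyu" in the local part, or as part of a foreign domain.
        if "nyu" in local.lower() or "nyu" in domain:
            findings.append("'nyu' appears outside the real domain (look-alike)")

    # Display name shows an nyu.edu address while the real address differs;
    # this is what a truncated mobile view hides.
    if f"@{LEGIT_DOMAIN}" in display_name.lower() and domain != LEGIT_DOMAIN:
        findings.append("display name shows an nyu.edu address but the real address differs")

    return {"address": address, "plausible": not findings, "findings": findings}


def check_message(from_header, body):
    """Combine the sender check with a scan for urgency / email-only pressure."""
    result = check_sender(from_header)
    lowered = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    result["urgency_phrases"] = hits
    # Any red flag, or any urgency cue even from a plausible sender, means the
    # request should be confirmed by phone to a directory number, not by reply.
    result["needs_out_of_band_confirmation"] = bool(hits) or not result["plausible"]
    return result


# Constructed samples modelled on the three patterns the post describes.
SAMPLES = {
    "exec_urgent": (
        "Jane Doe <jane.doe@nyu.edu>",
        "I need you to buy gift cards right away and send me the codes.",
    ),
    "lookalike_local_part": (
        "John Smith <john.smith.nyu.edu@gmail.com>",
        "Are you available? This is urgent.",
    ),
    "lookalike_display": (
        '"jsmith@nyu.edu" <jsmith-nyu@outlook.com>',
        "You can only talk to me through email.",
    ),
    "benign": (
        "Registrar <registrar@nyu.edu>",
        "Your transcript request has been processed.",
    ),
}

if __name__ == "__main__":
    for name, (hdr, body) in SAMPLES.items():
        print(name, check_message(hdr, body))
```

Note that the first sample passes the sender check entirely: a scammer who controls a compromised or convincingly spoofed @nyu.edu address is exactly the case the post’s “confirm by phone” advice is meant to cover, and the urgency scan is what still flags it.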
Please note that NYU IT has replaced two data-centric policies (Data Classification Table and Reference for Data and System Classification) with the new Electronic Data and System Risk Classification Policy, which incorporates necessary General Data Protection Regulation (“GDPR”) data-centric information. Please consult this policy for information on how NYU classifies information assets into risk based categories and security precautions that must be taken to protect these assets from unauthorized access. It is recommended that this policy be read in conjunction with the Data and System Security Measures policy, which details specific security measures that apply to each data and system classification.
As an update to our 12/05/18 post on the Marriott breach, please be advised that Marriott has provided an update on this security incident, which details the number of guests, passport numbers and payment cards impacted by the breach as well as guest monitoring/support resources. Marriott states that they will be putting a mechanism in place whereby designated call center reps will be able to refer guests to appropriate resources to check if their individual passport numbers were among the unencrypted passport numbers that were exposed. Marriott will update its designated website for this incident (https://info.starwoodhotels.com) once this mechanism is in place.
As an update to our September 24th post entitled Free Credit Freezes and Year-Long Fraud Alerts Now Available, please note that Equifax and TransUnion have abandoned the use of PINs in connection with the online unfreezing of frozen credit files. However, if you are seeking to unfreeze your credit file via phone, a PIN is still required.
When unfreezing online via Equifax, consumers must now create a “my Equifax” account. Account activation is protected by extra security measures, such as a one time code to your mobile phone. Consumers without a mobile phone will have to answer additional security questions. TransUnion already requires consumers to have an account with their name, password and PIN. Using these credentials online, consumers will be able to lift a freeze. Experian will continue to require a PIN in connection with the lifting of freezes.
For additional information, please see: https://www.nytimes.com/2018/09/28/your-money/frozen-credit-files-tips-unfreezing.html
As of September 21st, Equifax, Experian and TransUnion are required to offer free credit freezes and year-long fraud alerts nationally to all consumers. These initiatives are part of broader financial legislation, which was signed in May. Please be advised of the following:
- A credit or security freeze restricts access to your credit file and thereby helps protect personal/sensitive information and makes it difficult for identity thieves to open accounts in your name. To be effective, freezes need to be placed at all three credit bureaus.
- If you freeze your file, the credit bureaus will not provide lenders with information until you lift the freeze (using a personal identification number).
- Parents can now request free credit freezes for children under the age of 16.
- Fraud alerts inform businesses that check your credit that they need to confirm the opening of a new account with you. Fraud alert duration has changed and lasts for a year (vs. 90 days) and consumers can renew fraud alerts yearly. Victims of identity theft are eligible for an extended fraud alert lasting seven years.
- Free credit monitoring services will be offered to active duty military personnel.
As part of NYU’s commitment to help protect the University’s networks and data, NYU IT will launch a new email security feature on September 28 at 8pm ET. In compliance with NYU IT’s security policies, email protection is a priority. The University’s existing email security tool prevents external email containing known malicious URLs from reaching your inbox. The new feature adds protection for the remaining gap: URLs that look harmless when a message is delivered but are later turned malicious, so that a delivery-time check alone would have let them through and exposed you to a threat when you clicked.
If you click on a URL that is safe, you will be directed to the corresponding website. If you click on a URL that leads to a malicious website, you will see a notification explaining that you have been blocked from accessing it.
You do not have to do anything to activate this new feature; it will be automatically available when checking NYU Email on any network, in every location, from any device. If your NYU Email is already protected by URL Defense, this change will not affect you.
Note: The implementation of URL Defense minimizes email security risks, but it does not guarantee that every link contained in incoming, external email to @nyu.edu is safe to click. Please continue to exercise caution when reviewing embedded links. For more information on detecting phishing messages, including tips for examining embedded URLs, see Recognizing phishing scams and protecting yourself online.
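To make the difference between the two layers concrete, here is an added illustration of the general mechanism (a link is checked again at the moment it is clicked rather than only when the message arrived). This is example code written for this post; it is not NYU IT’s deployment or the vendor’s implementation, which this post does not describe. The redirector host, the blocklist and the sample message are all constructed placeholders.

```python
"""Added example: a toy model of delivery-time vs. click-time URL checking.

Delivery-time filtering judges a URL once, against the blocklist as it stood
when the message arrived. Click-time protection rewrites each link to pass
through a checking endpoint, so the verdict is made with the blocklist as it
stands when the user actually clicks. Hosts and data below are constructed.
"""
import re
from urllib.parse import quote, unquote, urlsplit

# Hypothetical redirector. A real product uses its own host and a signed token
# rather than a bare encoded URL, so the parameter cannot be forged.
REWRITE_PREFIX = "https://urlcheck.example/v1?u="

# Simple http(s) link matcher for plain-text bodies (constructed for the demo).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _host(url):
    return (urlsplit(url).hostname or "").lower()


class ClickTimeProtector:
    def __init__(self):
        self.blocklist = set()  # hostnames currently known to be malicious

    def rewrite_body(self, body):
        """Replace every http(s) link with a link routed through the checker."""
        return URL_RE.sub(lambda m: REWRITE_PREFIX + quote(m.group(0), safe=""), body)

    def resolve(self, clicked_url):
        """Decide at click time. Returns ('allow' | 'block', original_url)."""
        if not clicked_url.startswith(REWRITE_PREFIX):
            return ("allow", clicked_url)  # not a rewritten link; pass through
        original = unquote(clicked_url[len(REWRITE_PREFIX):])
        verdict = "block" if _host(original) in self.blocklist else "allow"
        return (verdict, original)


def delivery_time_verdict(body, blocklist):
    """Old behaviour: one check when the message arrives, never revisited."""
    hosts = {_host(u) for u in URL_RE.findall(body)}
    return "block" if hosts & blocklist else "allow"


def scenario():
    """Walk the 'clean at delivery, malicious later' case end to end."""
    protector = ClickTimeProtector()
    # Constructed message; the domain is a placeholder, not a real site.
    body = "Your shared document is ready: https://docs-share.example/view?id=42"

    # Day 0: the host is not yet listed, so delivery-time filtering lets it in,
    # and the link in the delivered copy is rewritten through the checker.
    at_delivery = delivery_time_verdict(body, protector.blocklist)
    rewritten = protector.rewrite_body(body)
    link = URL_RE.search(rewritten).group(0)

    # Day 2: the host is reported and added to the blocklist. The message in
    # the inbox is unchanged, but the click now goes through the checker.
    protector.blocklist.add("docs-share.example")
    at_click, original = protector.resolve(link)

    # A host nobody has reported yet still resolves to 'allow': this is the
    # residual risk the note above warns about, and why user caution remains.
    unknown, _ = protector.resolve(protector.rewrite_body("https://unlisted.example/"))
    return {"at_delivery": at_delivery, "at_click": at_click,
            "original": original, "unknown_host": unknown}


if __name__ == "__main__":
    print(scenario())
```

The “unknown_host” result is the point of the caveat in the note above: a click-time check is only as good as the intelligence behind it at the moment of the click, so a freshly registered phishing site that nobody has reported yet is still allowed through.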
FAQs and Support
See the ServiceLink knowledge base for URL Defense FAQs, including more information about how the feature works. If you believe that a site has been blocked unnecessarily or that a malicious site was not appropriately blocked, or if you have other questions, please contact the NYU IT Service Desk.
NYU IT Office of Information Security
As an update to our 1/4/18 post entitled Computer Chip Vulnerabilities: Meltdown & Spectre and our 2/26/18 post entitled Spectre Patches Available, please be advised of the following NJCCIC (New Jersey Cybersecurity & Communications Integration Cell) resource dedicated to the Meltdown and Spectre vulnerabilities. The Meltdown and Spectre Product Vulnerability and Update List summarizes the incident and supplies an updated listing of vendor patches, mitigation strategies and updates.