NYU IT Security News and Alerts

Recent Adware Scam

Please be advised that NYU does not sponsor unannounced surveys. If you have any questions about the legitimacy of a communication you receive, do not reply to it and do not click any embedded links or options. Instead, contact security@nyu.edu.

Adware pop-ups of this kind come in two forms:

  • Deceptive and malicious: each option you click installs more malware on the device.
  • Deceptive but fairly benign: the user is led through a series of click-throughs.

Pop-ups like these may mean that your device is infected.  If you see them, please contact your local System Administrator or NYU IT at AskIT@nyu.edu or 212.998.3333.

[Screenshot 1: adware survey pop-up]

[Screenshot 2: adware survey pop-up]

Recent Phishing Emails Claiming to be from File Sharing Services

We have noticed an increase in phishing messages that claim to come from file sharing services. Because legitimate file-share notifications are themselves brief, these phishing attempts can be harder to recognize. The following are examples.

Example #1 (claiming to be from an NYU student)

[Screenshot: phishing file-share notification]

Example #2 (claiming to be from an NYU employee)

[Screenshot: phishing file-share notification]

Example #3

[Screenshot: phishing file-share notification]

Please be reminded/advised:

  • If you are not expecting a file share, confirm with the sender, through a channel other than the message itself, that it is legitimate before opening it.
  • Hover over the link before clicking. If it points at a shortened URL (e.g., http://tinyurl.com/zf7z5m) rather than at the file sharing service's own domain, the message is not legitimate: file sharing services do not generate shortened URLs in their notifications.
  • NYU Box is the recommended method for sharing restricted data, that is, data whose unauthorized access or loss could seriously or adversely affect NYU, a partner, or the public. For more information, please see: NYU Box: Best practices for sensitive data (permissions and security settings), http://www.nyu.edu/servicelink/KB0013199
  • Google Docs is the recommended method for sharing data that is public, confidential or protected.
    • For a description of the data classifications (restricted, protected, confidential and public), with specific examples of data in each category, please see: The Data Classification Policy
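The hover check above can be automated for a whole mailbox export. The following Python script is an added example written for this page (it is not NYU IT's tooling): it pulls every link out of an HTML message body and flags the three things that give these lures away: a URL shortener as the target, link text that shows one host while the href goes to another, and a "view file" link that does not land on a file sharing service at all. The list of file-sharing hosts is an assumed, representative set, and the three sample bodies are constructed (the first reuses the shortened URL quoted above).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Popular URL shorteners. A genuine file-share notification links straight to the service.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly", "is.gd", "tiny.cc"}
# Hosts a genuine notification links to (assumption: a representative set for NYU's services).
FILE_SHARE_HOSTS = {"docs.google.com", "drive.google.com", "nyu.box.com", "app.box.com",
                    "www.dropbox.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or "" if there is none."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def triage_links(html):
    """Return (href, reason) for every link that should stop you clicking a file-share notice."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if host in SHORTENERS:
            findings.append((href, "shortened URL"))
        elif re.match(r"https?://", text) and host_of(text) != host:
            # The visible text is itself a URL, but for a different host than the real target.
            findings.append((href, "link text shows a different host than the link target"))
        elif host not in FILE_SHARE_HOSTS:
            findings.append((href, "not a known file-sharing host"))
    return findings


# Constructed sample bodies.
SAMPLE_PHISH = ('<p>Alice has shared a document with you.</p>'
                '<p><a href="http://tinyurl.com/zf7z5m">View Document</a></p>')
SAMPLE_LEGIT = ('<p>Bob shared "Q1 budget.xlsx" with you.</p>'
                '<p><a href="https://nyu.box.com/s/abcd1234">Open in Box</a></p>')
SAMPLE_MISMATCH = '<p><a href="http://203.0.113.9/login">https://drive.google.com/file/d/1A2B3C</a></p>'

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT, SAMPLE_MISMATCH):
        print(triage_links(sample) or "no findings")
```

The "not a known file-sharing host" rule is deliberately strict: it is meant for messages that claim to be share notifications, where the only link that matters is the one to the file.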

 

 

DROWN Attack (Decrypting RSA using Obsolete Weakened eNcryption)

A recently announced attack known as DROWN (Decrypting RSA using Obsolete Weakened eNcryption, CVE-2016-0800) exploits servers that still accept the obsolete SSLv2 protocol. DROWN lets an attacker who has recorded TLS traffic decrypt it, and in some configurations mount a man-in-the-middle attack against live connections.

Vulnerable systems include:

  • Servers that support SSLv2. DROWN is a cross-protocol attack: by making repeated SSLv2 connections with export-grade cipher suites to a server, the attacker learns enough about the server's RSA private key to decrypt recorded TLS sessions (those using RSA key exchange) that were protected by the same key. The TLS server being attacked need not speak SSLv2 itself: it is enough that any other server (a mail server, for example) shares its RSA key and still supports SSLv2 with export ciphers.
  • Unpatched OpenSSL servers. A bug in OpenSSL's SSLv2 implementation (CVE-2016-0703, fixed in March 2015 in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf) makes the attack dramatically cheaper and more dangerous: it works against even the stronger, non-export cipher suites with very little computation.

 

Action Steps:

  • Disable the SSLv2 protocol on all SSL/TLS servers, including mail servers and any other service that uses the same certificate or RSA key as a web server. Disabling all SSLv2 ciphers is also sufficient, provided the patch for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and 1.0.2f) has been deployed. Servers that have not disabled the SSLv2 protocol and are not patched for CVE-2015-3197 remain vulnerable to DROWN even if all SSLv2 ciphers are nominally disabled, because a malicious client can still negotiate SSLv2 with EXPORT ciphers. In Apache httpd the setting is "SSLProtocol all -SSLv2 -SSLv3"; in nginx it is "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;".
  • Upgrade OpenSSL to the latest release. The releases issued with the DROWN advisory (1.0.2g and 1.0.1s) disable SSLv2 by default at build time and remove the SSLv2 export ciphers. We strongly recommend eliminating all SSL support (SSLv2 and SSLv3) in favor of TLS.
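To verify the first action step on your own hosts, the following Python script is an added example (not from the OpenSSL project or the DROWN authors): it sends a raw SSLv2 CLIENT-HELLO and looks for an SSLv2 SERVER-HELLO in reply, which is useful because modern OpenSSL client builds can no longer speak SSLv2 themselves. A server with SSLv2 disabled closes the connection or answers with a TLS alert, and both are reported as "not supported". The cipher identifiers are those of the SSLv2 specification; the SERVER-HELLO embedded for offline testing is constructed.

```python
import socket
import struct

# SSLv2 cipher specs (3-byte identifiers from the SSLv2 draft). The two *_EXPORT40 suites are
# the export-grade ciphers DROWN relies on.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def sslv2_record(body):
    """Wrap a message in the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher spec and an empty session id."""
    specs = b"".join(SSLV2_CIPHERS)
    body = struct.pack(">BHHHH", 0x01, 0x0002, len(specs), 0, len(challenge)) + specs + challenge
    return sslv2_record(body)


def build_server_hello(cert, ciphers, connection_id):
    """SSLv2 SERVER-HELLO; used here only to construct an offline test vector."""
    specs = b"".join(ciphers)
    body = struct.pack(">BBBHHHH", 0x04, 0, 1, 0x0002, len(cert), len(specs), len(connection_id))
    return sslv2_record(body + cert + specs + connection_id)


def parse_server_hello(data):
    """Cipher specs offered in an SSLv2 SERVER-HELLO, or None if `data` is not one
    (a TLS alert, an empty reply after a closed connection, or garbage all give None)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7f) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:
        return None
    _, _, _, version, cert_len, specs_len, _ = struct.unpack(">BBBHHHH", body[:11])
    if version != 0x0002:
        return None
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [specs[i:i + 3] for i in range(0, len(specs), 3)]


def classify(ciphers):
    """What a probe result means for DROWN."""
    if not ciphers:
        return "SSLv2 not supported"
    if any(c in EXPORT_CIPHERS for c in ciphers):
        return "SSLv2 with export ciphers: vulnerable to DROWN"
    return "SSLv2 enabled: disable it (see action steps)"


def probe(host, port=443, timeout=5):
    """Send the CLIENT-HELLO to a live server and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except (socket.timeout, ConnectionError):
            reply = b""
    return classify(parse_server_hello(reply))


# Constructed test vector: a server answering with a placeholder certificate, RC4-128 and the
# RC4-40 export suite.
SAMPLE_SERVER_HELLO = build_server_hello(b"\x30\x03\x02\x01\x01",
                                         [b"\x01\x00\x80", b"\x02\x00\x80"], b"C" * 16)
# What a TLS-only server typically sends back: a fatal protocol_version alert record.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it against every port that presents the same certificate (443, 465, 993, 995 and so on), not just the web server, since a single SSLv2-capable host sharing the key is enough to expose all of them.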

References:

[1] https://www.openssl.org/news/secadv/20160301.txt

[2] https://www.drownattack.com/

[3] https://drownattack.com/#faq-factors

[4] http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/

[5] https://drownattack.com/#faq-mitm

[6] https://drownattack.com/#faq-update

 

Locky Ransomware Alert

Ransomware dubbed “Locky” is spreading by email as a Word document attached to the message. The lure emails are translated into various languages and localized by region, and may look something like the following:

[Screenshot: sample Locky lure email with Word attachment]

Once the Word attachment is opened, the user sees scrambled content and a prompt to enable macros so that the document displays correctly. If macros are enabled, the macro downloads and runs the Locky executable, which encrypts nearly every file type it can reach, including files on mounted USB sticks and network file shares, renaming each encrypted file to a hexadecimal name with a .locky extension. Once encryption is complete, the user is shown the following:

[Screenshot: Locky ransom note]

Locky typically asks victims to pay between 0.5 and 2 Bitcoins ($208 – $800 at the time of writing) for the decryption key.
The antivirus software available through NYU, Symantec Endpoint Protection, may not detect every variant of this malware. Gmail also scans attachments for viruses; if one is identified, the attachment is labelled “virus found”, as in the image below:

[Screenshot: Gmail attachment labelled “virus found”]

 

Therefore, if you see files with a .locky extension appearing on your computer, USB drives, or network shares, disconnect the computer from the network and contact the NYU IT Service Desk immediately at 212.998.3333 or AskIT@nyu.edu. System Administrators who see .locky files appearing on their network shares can identify the infected account by looking up the owner of the _Locky_recover_instructions.txt file that Locky drops in each folder, since it is written under the infected user's credentials. Lock that Active Directory user account and the corresponding computer account to stop the encryption.

The best way to recover from such an infection is to wipe the affected machines and restore from backups held on external hard drives or USB devices. Wipe the machines before connecting any backup device to them, and check any files synced with services such as NYU Box, Dropbox or Google Drive: an encrypted copy may have been synced over the good one, in which case the service's version history is where the earlier version can be recovered.
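The owner lookup described above is easy to automate across a large share. The following Python script is an added example for this page, not an NYU IT tool: it walks a share, counts .locky files per directory, reads the owner of each _Locky_recover_instructions.txt it finds, and lists the distinct owners, which are the accounts to disable. It assumes the share is mounted on a POSIX host where the file uid maps to the user name; on a Windows file server the owner would come from win32security.GetFileSecurity instead. The sample share it builds for offline use is constructed.

```python
import os
import tempfile

try:
    import pwd  # POSIX uid -> name lookup; not available on Windows
except ImportError:
    pwd = None

RANSOM_NOTE = "_Locky_recover_instructions.txt"
ENCRYPTED_EXT = ".locky"


def file_owner(path):
    """Account that owns `path` (assumption: POSIX host with uid mapping for the share)."""
    uid = os.stat(path).st_uid
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def scan_share(root):
    """Walk a share; for each directory Locky has touched, report how many .locky files it
    holds and which account wrote the ransom note (Locky writes it as the infected user)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        note_present = RANSOM_NOTE in files
        if encrypted or note_present:
            hits[os.path.relpath(dirpath, root)] = {
                "encrypted_files": len(encrypted),
                "note_owner": (file_owner(os.path.join(dirpath, RANSOM_NOTE))
                               if note_present else None),
            }
    return hits


def suspect_accounts(hits):
    """Distinct accounts that dropped ransom notes: the ones to disable in Active Directory."""
    return sorted({h["note_owner"] for h in hits.values() if h["note_owner"]})


def make_sample_share():
    """Constructed sample share for offline use: 'finance' has been hit, 'hr' has not."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    for name in ("D2A1F3B4C5E6F7A8B9C0D1E2F3A4B5C6.locky",
                 "E3B2A1C4D5F6A7B8C9D0E1F2A3B4C5D6.locky",
                 RANSOM_NOTE):
        open(os.path.join(root, "finance", name), "w").close()
    open(os.path.join(root, "hr", "handbook.docx"), "w").close()
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_share()
    hits = scan_share(root)
    for d, h in sorted(hits.items()):
        print("%s: %d encrypted file(s), note dropped by %s"
              % (d, h["encrypted_files"], h["note_owner"]))
    print("accounts to disable:", ", ".join(suspect_accounts(hits)) or "none")
```

Run it with the share's mount point as the argument; with no argument it scans the constructed sample. Disabling the note owner's account stops further encryption from that session but does not recover anything: restoration still has to come from backups or version history.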

 

 

Google Chrome Safe Browsing Technology

Google Chrome now uses Safe Browsing technology to warn users about deceptive websites and about deceptive advertising on otherwise legitimate sites. This initiative by Google addresses social engineering content, which could include:

  • deceptive download buttons
  • an ad on a legitimate website pretending to offer an update
  • a warning claiming the system is out of date
  • a security alert for Chrome or third-party media players
  • an ad posing as a trusted entity, which tries to trick users into sharing credentials
  • buttons that mimic a TV show or sports video stream

all of which may be designed to encourage the installation of bogus software or malware.

The following is a Google Chrome warning message associated with deceptive content:

[Screenshot: Chrome “Deceptive site ahead” warning]

For more information, please see:  https://googleonlinesecurity.blogspot.se/2016/02/no-more-deceptive-download-buttons.html

Gmail – New Authentication Features Make it Easier to Identify Email To/From Unsecured Connections

*Please note that these new features are currently available in free Gmail accounts, and are not yet available in Google Apps for Education.

Google has announced two new indicators in Gmail. The first shows whether a message travelled, or will travel, over an encrypted (TLS) connection between mail servers; mail sent without TLS can be read or altered by anyone on the network path, so it should not carry sensitive information. The second shows whether Gmail could authenticate the sender's domain (via SPF or DKIM); a message that fails authentication may be forged, which is the hallmark of phishing and other campaigns designed to capture your credentials or data.

Gmail on the web now shows a red open-lock icon when you send or receive mail to or from a server that does not support encryption, as follows:

[Screenshot: red open-lock icon on a message]

Clicking the lock icon displays additional information, e.g.,

[Screenshot: details shown when the lock icon is clicked]

If you see the red lock icon when composing a message, do not send sensitive information.

Additionally, the sender's profile picture is replaced by a question mark when Gmail cannot authenticate the sender's domain.

[Screenshot: question mark in place of the sender's profile picture]

If you receive an unauthenticated message, it may be forged.   Before replying, or clicking any embedded links, or opening any associated attachments, please confirm message authenticity by contacting the sender directly.

For more information, please see: https://support.google.com/mail/answer/6330403?p=tls&hl=en&rd=1
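The two indicators correspond to headers you can read yourself under “Show original”. The following Python example is added for this page (it is not Google's code): it inspects the Received line written by Google's mail exchanger, where “with ESMTPS” means the sending server used TLS on that hop, and Google's Authentication-Results line, which carries the SPF and DKIM verdicts. The two sample messages are constructed and their hostnames, addresses and ids are made up; treating either an SPF pass or a DKIM pass as “authenticated” is a simplification of Google's own rule, stated as such.

```python
import re
from email import message_from_string

# Constructed samples modelled on the headers Gmail shows under "Show original"; hostnames,
# addresses and ids are made up.
SAMPLE_AUTHENTICATED = """\
Received: from mail.example.edu (mail.example.edu. [203.0.113.5])
        by mx.google.com with ESMTPS id ab12si345678qkb.10.2016.02.14.08.25.53
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 14 Feb 2016 08:25:53 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.edu;
       spf=pass (google.com: domain of alice@example.edu designates 203.0.113.5 as permitted sender) smtp.mailfrom=alice@example.edu
From: Alice <alice@example.edu>
Subject: Budget spreadsheet

See attached.
"""

SAMPLE_UNAUTHENTICATED = """\
Received: from relay.example.net (unknown [198.51.100.7])
        by mx.google.com with ESMTP id cd34si567890qkc.22.2016.02.14.08.30.11;
        Sun, 14 Feb 2016 08:30:11 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=neutral (no key for signature) header.i=@example.edu;
       spf=softfail (google.com: domain of transitioning alice@example.edu does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=alice@example.edu
From: Alice <alice@example.edu>
Subject: Budget spreadsheet

See attached.
"""


def auth_results(msg):
    """Parse 'Authentication-Results: mx.google.com; dkim=...; spf=...' into {method: verdict}."""
    verdicts = {}
    for clause in msg.get("Authentication-Results", "").split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def assess(raw):
    """Return what Gmail's two indicators are derived from for this message."""
    msg = message_from_string(raw)
    # The Received line added by Google's own MX: "with ESMTPS" (or ESMTPSA) means STARTTLS was
    # used on that hop; plain "with ESMTP" means the message arrived in clear text.
    hop = next((h for h in msg.get_all("Received", []) if "by mx.google.com" in h), "")
    tls = re.search(r"\bwith ESMTPSA?\b", hop) is not None
    verdicts = auth_results(msg)
    # Simplification (assumption): either an SPF pass or a DKIM pass counts as authenticated.
    authenticated = verdicts.get("dkim") == "pass" or verdicts.get("spf") == "pass"
    return {"tls": tls, "spf": verdicts.get("spf"), "dkim": verdicts.get("dkim"),
            "authenticated": authenticated}


if __name__ == "__main__":
    for label, raw in (("authenticated", SAMPLE_AUTHENTICATED),
                       ("unauthenticated", SAMPLE_UNAUTHENTICATED)):
        print(label, assess(raw))
```

Note that the TLS verdict only covers the last hop into Google; earlier hops between other relays are not visible in that line.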

 

Dell Security Phishing Self Assessment

The following is a Dell Security phishing self-assessment tool that lets you test, and hopefully refine, your phishing detection skills.

Once you click the link below, you will be presented with ten sample e-mails in succession and asked to mark each as “Legitimate” or “Phishing”. On completion you will see your score and the rationale for why each email was considered legitimate or phishing.

Please feel free to share this link!

https://www.sonicwall.com/phishing/

Phishing Message Claiming to Be from NYU

A number of people have reported receiving the phishing message below, with the subject “New NYU Spam Security Check”. This message is fraudulent, and included a link to a compromised site.

If you haven’t clicked, then you can mark the message as Spam by clicking the button at the top of the NYU Email window. This will help prevent such messages in the future.

If you did click on the link, you should change your password at the Start page (start.nyu.edu) and check for any changes to your account. If you would like assistance with this process, contact the NYU IT Service Desk, open 24×7.

Remember, NYU IT will never ask you for your username and password. And, if you click on a login link, be sure that the login page goes to https://shibboleth.nyu.edu with the green lock symbol, as highlighted in the image below (click to enlarge).

[Screenshot: NYU login page at https://shibboleth.nyu.edu with the lock symbol highlighted]

Copy of phishing message:

———- Forwarded message ———-
From: NYU
Date: Thu, Jan 28, 2016 at 11:40 AM
Subject: New NYU Spam Security Check
To:

[image: NYU]

Dear User,

IT Services have reviewed the existing security controls in place, in light
of a recent increase in fraudulent emails (often referred to as _phishing
emails_) received by staff and students.

As part of this review, we have extended the _spam_ checking and filtering service. As well as checking email coming in from outside the University we will also be checking emails sent from within the University.

This should increase our ability to detect fraudulent emails and mark them as spam.

Click to effect this upgrade.

Note: If you are unable to click the link, please move this email to your
inbox .

© Copyright 2016.

Direct Deposit Scams

NYU has seen several recent scams that involve obtaining an employee’s NetID and password, which are then used by the scammer to alter the employee’s Direct Deposit information, resulting in the employee’s paychecks being re-directed to the scammers’ bank accounts. We want you to be aware of these scams, what we are doing to protect your Direct Deposit, and what you should do to protect yourself.

These scams usually occur as a result of:

  • A “phishing” email that sends the recipient to a website to “update” their Direct Deposit information, or
  • A compromised account, where the scammer obtains the employee’s NetID and password, signs on and changes the Direct Deposit instructions.

This can then result in funds going to the scammer’s bank account instead of the employee’s bank account.

NYU Payroll has a process in place for detecting Direct Deposit changes; when changes are made to an employee’s Direct Deposit instructions, Payroll sends a confirmation email and asks employees to notify Payroll if anything is amiss. Please pay attention to any email of this sort from NYU Payroll, and if you have not authorized a change to your Direct Deposit, follow-up by contacting PeopleLink (AskPeopleLink@nyu.edu or 212-992-5465) immediately.

In the event of any unauthorized attempt to change your Direct Deposit, it is very important that you promptly change your NYU NetID password to ensure the integrity of your account. This Knowledge Base article describes how to change your password. Should you have any questions or trouble, please contact the IT Service Desk, open 24×7.

Do not fall victim to phishing attempts:

  • Keep your eyes open for any email requesting that you “confirm” your sign-on credentials or threatening immediate account closure.
  • Remember that NYU IT/HR/Payroll personnel will never send you an email asking for your NYU NetID password. If you receive email that you think is a phishing, please forward it to phishing@nyu.edu.
  • Make sure, when you are logging into a single sign-on NYU service, that the URL displayed on your browser starts with https://shibboleth.nyu.edu.

If you do respond to a phishing attack, change your password immediately and check your Direct Deposit information in PeopleSync (Workday), which you can access from the NYUHome Work tab.
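The URL rule given above (the address must start with https://shibboleth.nyu.edu) is simple to state but easy to fool by eye, because a URL has more parts than the first characters show. The following Python example is added for this page (not an NYU IT tool) and applies the rule the way a browser does: it parses the URL, insists on https, and compares the actual host against shibboleth.nyu.edu, which catches look-alike hosts such as shibboleth.nyu.edu.evil.example, a user@ prefix that pushes the real host out of view, and a host containing non-ASCII look-alike letters. The example URLs are constructed, apart from the weebly.com host taken from the phishing sample on this page.

```python
from urllib.parse import urlsplit

LOGIN_HOST = "shibboleth.nyu.edu"


def check_login_url(url):
    """Return "ok" only for an https URL whose host is exactly shibboleth.nyu.edu; otherwise a
    short reason the page should not be trusted with a NetID password."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() != "https":
        return "not https"
    host = parts.hostname  # strips any user:pass@ and :port, and lower-cases
    if not host:
        return "no host"
    if parts.username is not None:
        # "https://shibboleth.nyu.edu@evil.example/" : the browser connects to evil.example
        return "user@ before host, real host is " + host
    if any(ord(ch) > 127 for ch in host):
        # e.g. a Cyrillic letter standing in for a Latin one (homograph)
        return "non-ASCII characters in host " + host
    if host == LOGIN_HOST:
        return "ok"
    if LOGIN_HOST in host:
        # shibboleth.nyu.edu.evil.example: the real domain is the rightmost part
        return "lookalike host " + host
    return "wrong host " + host


# Constructed examples, plus the lure host from the phishing sample on this page.
EXAMPLES = [
    "https://shibboleth.nyu.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s1",
    "https://SHIBBOLETH.NYU.EDU:443/",
    "http://shibboleth.nyu.edu/",
    "https://shibboleth.nyu.edu.evil.example/login",
    "https://shibboleth.nyu.edu@evil.example/",
    "https://shibbol\u0435th.nyu.edu/",  # Cyrillic 'е' (U+0435) in place of Latin 'e'
    "http://maillonyuedu.weebly.com/",
]

if __name__ == "__main__":
    for u in EXAMPLES:
        print("%-70s %s" % (u, check_login_url(u)))
```

Only the first two examples pass; everything else is a page that should never receive a NetID password, whatever its logo looks like.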

NYU is working on methods for adding another authentication step, as many banks have done, to ensure additional security.

NYU Email: Recognizing and Reporting Spam and Phishing

Spam is unsolicited bulk email. The key term is “unsolicited”: if you signed up for a mailing list (commercial or otherwise) that you no longer wish to receive, that is not spam. Legitimate businesses post a mailing policy on the site where you sign up and give correct instructions for unsubscribing. NYU Email, powered by Google, features built-in spam filtering. To read more about how it works and how to use it, see NYU Email: Removing spam from your inbox in the ServiceLink knowledge base.

NYU recommends that you use the NYU Email web interface instead of email programs (Outlook, iPhone Mail, etc.). However, if you choose to use a desktop email client, you must create a filtering rule based on specific spam rating levels. Mail that matches the rule is then redirected into a folder of your choice and you can decide how you wish to handle the redirected messages. The filter level you select will determine the amount of spam you receive. If you find that you are receiving too much spam in your Inbox, try adjusting the level of filtering to be more strict. If you find that desired mail is being filtered, select a level that is less strict.

IMPORTANT: Keep in mind that some legitimate messages will end up in your spam folder if they exhibit characteristics of spam, for example, lots of capital letters, many exclamation points, or phrases such as “click here.” Therefore, it is important to check your spam folder regularly to ensure that you receive messages that may have been inadvertently flagged as spam.

Phishing messages appear to be sent from NYU, NYU IT, or other organizations affiliated with NYU requesting your personal information such as name, date of birth, password, etc. Do not reply to these messages. NYU IT will never request your password information. If a message informs you of an impending account closure or similar action unless you comply with its demands, it is often a sign that the message is a phishing scam. Do not comply with the request. To report phishing or spam attempts, please follow the instructions in the ServiceLink knowledge base.

This is an example of a Phishing email:

*From:* Abul Mohammed, Majeed (2014) [mailto: Majeed.AbulMohammed.2014@live.rhul.ac.uk]

*Sent:* Thursday, October 08, 2015 12:10 PM

*Subject:* NEW YORK UNIVERSITY.

Access to your e-mail account is about to expired.

Please Click here <http://maillonyuedu.weebly.com/> to restore access to

your e-mail account.

We apologize for any inconvenience and appreciate your understanding.

Regards.

New York University
70 Washington Square South
New York, NY 10012 (This is NOT our zipcode)
212.998.1212

 

To report phishing or spam attempts and for security tips for using email, see:

www.nyu.edu/servicelink/041202716305490