Skip to Navigation | Skip to Content

ITS News

search the news

Your source for the latest news about computing and networking at NYU. See the About ITS section for more about this blog.

Categories

Archives

Recent Posts

Subscribe to this blog's feed »

April 16, 2015

Microsoft Security Vulnerabilities

User Reminder:
 

On Tuesday, Microsoft identified two major vulnerabilities in the Windows operating system, in addition to other Microsoft products and non-critical updates. One vulnerability in particular exploits common system components for every major release of Windows since 95 and through Windows 10 (still in development) which can be used to retrieve Windows login credentials (username and password). These credentials can then be cracked in less than a day using moderate resources by an attacker. As of right now, there has been no patch for this vulnerability, identified as "Redirect to SMB." To mitigate the risk posed by this vulnerability, TSS recommends following safe browsing and computing procedures. Do not click on links in unsolicited e-mails, and note the path of any link you click on while browsing the Internet. The vulnerability will exploit links that begin with "file://".

For more on this vulnerability, you can read here: http://www.computing.co.uk/ctg/news/2403924/windows-redirect-to-smb-exploit-could-affect-millions-say-security-researchers

As a reminder, Microsoft no longer supports versions of Windows older than Vista (ie, Windows 95, 98, 2000, ME, and XP). If you are still using a version of Windows that is unsupported by Microsoft, these vulnerabilities, as well as any newly discovered ones going forward will remain unpatched. NYU TSS strongly recommends that you upgrade your operating system immediately by purchasing a new version of Windows or a new computer.

March 18, 2015

New Articles on a New Connect

Connect: Information Technology at NYU has a new look, a new URL, and new articles. Connect is happy to be using NYU's new Web Publishing service, and as part of our relaunch, we have four new articles recently posted.

  • Student-Led Space Combines Tech and Design Thinking for Social Good
    Bolstered by funding from an Amplify grant sponsored by UK development agency the Department for International Development, Design Tinkering members are currently collaborating with the Nepal-based NGO, Women for Human Rights (WHR), to implement their winning OpenIDEO idea, the Community Concierge Program. “From the research phase, we learned that safety issues were often deeply intertwined with women’s empowerment,” says Gopi. “We also found that empowering women can come through information, connections, and a sense of community and financial independence. Working with WHR, it became clear that safety and empowerment particularly affected newcomers in a community.”
  • Social Engineering Attacks and How You Can Protect Yourself
    Within the context of information security, social engineering is a method of psychological manipulation used to trick people into divulging confidential information. It is often used to gather secure information, commit fraud, or obtain system and even physical facility access. Think of it as voice-to-voice (or even face-to-face) phishing or “human hacking.” Hackers target their victims through phishing emails; phone calls; mail and email; text messages; or by convincing someone to click a link, open an attachment, or navigate to a malicious website.
  • Bringing Arabic Books to the Digital World
    One of the most exciting digital developments in the world of scholarship and research is the ability to scan and archive texts and make them available online. The NYU Libraries currently host thousands upon thousands of e-books, millions of full-text articles, and access to thousands of e-journal publications. Recently, a group of researchers at NYU and other universities added their own efforts to the pool of knowledge by making some 10,000 titles available—all online, and all in Arabic.
  • Mobile Apps Foster a New Learning Experience at Stern
    For most students, orientation means sitting through hours of presentations and speeches. At NYU Stern’s MBA program, it’s a little bit different. Since 2013, new students participate in the Langone Lab, a two-day experiential program. Students participate in a design-thinking experience where they use cutting-edge mobile technology and applications to come up with actual product prototypes that they present to professors and peers.
February 24, 2015

TA15-051A: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

Summary:
A piece of pre-installed adware (Superfish) on recently purchased Lenovo consumer PCs can allow an attacker to view normally secured web communications.

What Does This Mean For Me:
This software may expose web mail, banking, and shopping transactions and information, and more, regardless of which web browser (Internet Explorer, Chrome, Firefox, etc) you are using.

Detailed Description:
Adware (software designed to intercept user data for advertising purposes) that was preinstalled by Lenovo, Superfish, is vulnerable to being redirected to a malicious server, used to collect private information. The nature of this vulnerability means that your information is acquired before it is encrypted by your browser, known as a "Man-in-the-Middle" attack. Lenovo itself has "shut off" the data collection on its own servers, but the software remains vulnerable to malicious third parties. This attack bypasses even secured connections (HTTPS). Follow the directions below under the Solution section to remove Superfish and its supporting software.

For more information on this alert and Lenovo's response, the following CNET article is included for reference:
Lenovo's Superfish security snafu blows up in its face

Technical Details:
Alert (TA15-051A) Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

Solution:
Remove the Superfish adware and its associated components.

Removal Instructions (Automatic):
1) Download the automatic removal tool from Lenovo, located here:
Superfish Automatic Removal Tool
2) Locate the downloaded file, and run the program.
3) Click "Analyze and Remove Superfish Now." You will be prompted to close any open browsers. Wait while the program runs.
4) At the conclusion of the scan, the tool will indicate whether or not Superfish was identified on your system, and what action was taken.

Removal Instructions (Manual):
Lenovo has provided a detailed set of instructions for removal here:
Superfish Uninstall Instructions
Alternatively, Naked Security, a cyber-security blog run by the antivirus firm Sophos, has also provided their own removal instructions if you prefer:
How to Get Rid of the Lenovo "Superfish" Adware

February 18, 2015

*New York University Email Alert [Code: 3141]* phishing scam

There are new reports about a phishing message that purports to come from "New York University Technical Service " The phishing message claims "Dear User, The following alert has been posted to your webmail account regarding an unauthorized access to your account," and instructs the recipient to click on a web link. An adjacent URL takes victims to a malicious website that requests, amongst other things, the NetID and password. This message is a forgery and should be deleted immediately.

Continue reading "*New York University Email Alert [Code: 3141]* phishing scam" »

February 06, 2015

Nominate a Student for a $500 NYU IT Computing Prize

NYU IT and the Courant Institute of Mathematical Sciences (CIMS) annually sponsor two student computing prizes: the Max Goldstein Prize and the George Sadowsky Award. Nominations are open until the dates specified below, and can be submitted by any NYU community member.

The Max Goldstein Prize of $500 is awarded to an NYU undergraduate who has applied computing in a creative and practical way to improve the academic, cultural, or social life of the NYU community. Please send nominations—including the student's full name, school, and class year, your relationship to the nominee, and a brief description of his/her accomplishments—to maxgoldsteinprize-group@nyu.edu by Sunday, March 8 at midnight ET.

The George Sadowsky Award of $500 is awarded to an undergraduate or graduate student who exhibits exemplary innovation in using the Internet for community service. Please send nominations—including the student's full name, school, and class year, your relationship to the nominee, and a brief description of his/her accomplishments (including the website address)—to sadowskyaward-group@nyu.edu by Sunday, March 8 at midnight ET.