Zoom Video Conference Software Vulnerability (07/10/2019)
Two vulnerabilities in the Zoom video conference software have been discovered which, if exploited, affect a user’s privacy. A hacker can disguise a Zoom video conference link as a website URL or include it within an advertisement. When clicked, it will forcibly join the user to the hacker’s call without their permission. When users connect to the hacker’s call, it will also automatically enable the user’s video camera. Another vulnerability allows a hacker to perform a local Denial of Service (DoS) attack that affects the user’s ability to use their machine by sending them an endless number of meeting requests. Deleting the Zoom software does not fix the issue because the uninstallation process does not remove all the Zoom components (the local web server) from the computer.
Am I Affected?
Mac users running Zoom software version 4.4.2 or earlier are affected. If you have previously installed and uninstalled Zoom software, your computer will still have the Zoom local web server installed, which can reinstall the Zoom software without any interaction from you besides clicking on the malicious URL.
What Should I Do?
- Make sure your Zoom software is the latest version. Versions prior to 4.4.2 are affected. A CSUN-owned device that is managed centrally by IT will automatically receive an update. All personal computers should be updated manually to the latest version. You can download the latest version from the Zoom Downloads page.
- Check the “Turn off my video when joining a meeting” option from Zoom settings. This will disable the video camera when you join a meeting until you give Zoom permission to access your camera.
World Password Day (05/02/2019)
May 2nd is known as World Password Day—a day to raise awareness of the importance of strong login credentials. However, passwords in general are no longer a secure way to protect your accounts. Here is why:
Too many easy, reused passwords - Passwords are needed for almost everything, meaning we must keep track of several unique combinations of letters and symbols. A common solution to this task is making something easy to remember and reusable. "123456," "123456789," "qwerty," and "password" remain the most popular password choices. More than 50% of users rely on the same password across multiple accounts. Reusing passwords leaves you vulnerable to Credential Stuffing: an attack where previously breached usernames and passwords are used to gain access to multiple websites where the user has the same credentials. It is one of the most common techniques used to take over user accounts.
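Credential stuffing has a recognizable footprint in a login log: one source replays breached username/password pairs across many different accounts, most of which fail. The following is an added example (not part of the CSUN page) of detection logic that flags that pattern and lists the accounts where a replayed credential actually worked, so they can be reset or challenged for multi-factor verification. The log format ("timestamp ip user result") and the sample lines are constructed for this demo; the thresholds are assumptions to tune per site.

```python
"""Flag credential-stuffing sources in constructed auth log lines.

Added example, not from the CSUN page. The log format and the
thresholds below are assumptions made for this demonstration.
"""
from collections import defaultdict

# Constructed sample log: 203.0.113.5 walks through many different
# usernames (stuffing), while 198.51.100.7 is one user retrying their
# own password. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2019-05-02T08:00:01 203.0.113.5 alice FAIL
2019-05-02T08:00:02 203.0.113.5 bob FAIL
2019-05-02T08:00:02 203.0.113.5 carol FAIL
2019-05-02T08:00:03 203.0.113.5 dave FAIL
2019-05-02T08:00:03 203.0.113.5 erin OK
2019-05-02T08:00:04 203.0.113.5 frank FAIL
2019-05-02T08:05:10 198.51.100.7 alice FAIL
2019-05-02T08:05:15 198.51.100.7 alice FAIL
2019-05-02T08:05:20 198.51.100.7 alice OK
"""


def parse_line(line):
    """Split one 'timestamp ip user result' line into a dict."""
    ts, ip, user, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": result == "OK"}


def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that tried many distinct accounts
    with mostly failures. A legitimate user who mistypes a password hits
    one account repeatedly; a stuffing run hits many accounts once each."""
    per_ip = defaultdict(
        lambda: {"users": set(), "attempts": 0, "fails": 0, "successes": set()}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["attempts"] += 1
        if ev["ok"]:
            stats["successes"].add(ev["user"])
        else:
            stats["fails"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["fails"] / stats["attempts"]
        if len(stats["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts where a replayed credential worked: these users
                # reused a breached password and need a reset.
                "compromised_accounts": sorted(stats["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The successful logins from a flagged source are the actionable output: those accounts were opened with a password that was already in a breach dump, which is exactly the reuse this advisory warns about.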
Phishing attacks - Phishing, fake e-mails that impersonate a known business and urgently request you verify your credentials, remains the leading method of attack. CSUN has had several instances of attackers attempting to hijack student accounts through impersonation. For more about Phishing attacks, refer to our information page on Fraud E-mails.
Corporate negligence - Every year there are cases of compromised accounts due to corporate negligence. Big companies like Facebook, who compromised millions of Instagram passwords just this year, are not immune. Billions of e-mails and millions of passwords are stored on hacker forums.
Protect your account by looking out for phishing attacks, setting up multi-factor verification when available, and using a password manager. Password managers are a secure way to store and autofill all of your credentials with one master password. They can even generate strong, unique passwords for the user that they never need to memorize.
If you think your data may be compromised, please file an Incident Report with Information Security.
Fraudulent Email from Wells Fargo (04/01/2019)
An email from Wells Fargo Advisors was received by some campuses on April 1st, 2019. The message claimed there was a security update and required the recipient to click on a link in the email to update their information in order to keep the account active.
If you receive an email from Wells Fargo Advisors, do not click on any links in the email. If you feel the need to contact Wells Fargo, please do not use the phone number listed in the email. Instead, visit www.wellsfargo.com directly and call the customer service number listed on the website.
This email is a phishing scam that attempts to lure users to click on a link and give up their information. For more phishing examples, visit the Phishing Examples page.
Chegg Breach (09/26/2018)
Chegg, a textbook rental and online tutoring company based in Santa Clara, plans to reset passwords for 40 million users following the discovery of a breach dating back to April 2018. From Chegg's web site: "An unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company's family of brands such as EasyBib." Chegg said the hacker(s) "may have" gained access to user data such as names, email addresses, shipping addresses, Chegg.com usernames, and Chegg.com passwords.
Although passwords were hashed which should mean they are protected, it is important to change your password in Chegg and in any other application where you used the same or similar password. Always remember to use a separate password for each application or site you are enrolled in.
Spam Calls From ‘405’ Area Code Hitting Campus (08/30/18)
Calls from a ‘405’ area code phone number, 405-549-9807, were received by some campus phones on August 30, 2018. The recorded message indicated that a lawsuit had been filed and requested your immediate attention.
If you see a call from this number come through, do not answer it. If a voicemail is left, delete the message and do not call them back at the number provided. This call is an attempt to gain your personal information and should be ignored.
Back to School Security Tips (08/27/2018)
Welcome back to school. Here are some security tips to keep your data safe as you start a new semester at CSUN.
- Stop.Think.Click. Phishing and other malware scams rely on our habit to click first, think later. Phishing scams can be incredibly believable. We have many examples on our phishing web site. Please have a look. Hackers can be very clever.
- Be careful with social media: Make sure you understand who can see your posts.
- Place a fraud alert on your credit report: This will limit the damage caused by identity theft.
- Turn off Flash: Flash Player is popular with hackers. They exploit Flash by inserting malicious bits of code into ad networks used by well-known businesses.
- Check your apps: Mobile applications can only do what you let them do. Review permissions on your apps.
- Keep programs up-to-date: Most applications on all of your devices have automated update features. Turn them on.
- Use unique passwords: A single password used on all of your sites is a hacker's best friend. A password stolen from an unimportant site with lax security, such as a game, can then be used to break into your bank account and other important sites. Unique passwords limit the damage to one site. Also consider using a password manager.
- Think before you click. - see #1. It's important.
We are receiving information from our higher education information security intelligence sources that there is a blackmail/phishing scam hitting multiple higher education institutions around the country, including the UC. We have not been advised of any attempts against CSU campuses so far.
This particular attempt is a form of what is known as “Sextortion.” In most cases the scam displays a password that may appear to be, or actually is, the user’s password, which the sender claims to have obtained from an adult content website. The passwords were actually harvested from past breaches of companies, some as long as a decade ago, and hackers have posted the credentials on the DarkWeb or sites like PasteBin. These are sites used by hackers to trade, sell and display credentials they have compromised.
The current scam purports to have obtained the user's password from an adult (porn) site and threatens to reveal the user's online behavior to others unless a ransom is paid in Bitcoin (internet currency).
The FBI advises:
- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know unless they are expected.
- Turn off [and/or cover] any web cameras when you are not using them.
Please report the receipt of any of these messages or similar phishing attempts to the Support Center: email@example.com
The CSU’s Responsible Use policy can be found in ICSUAM 8105 located online at http://www.calstate.edu/icsuam/documents/Section8000.pdf
Change Your Twitter Password (5/3/2018)
Twitter is telling its users to consider changing their passwords. The company discovered that it was logging user passwords in clear text and blogged about it in a post by Twitter's CTO. CSUN recommends that you change your Twitter password. If you used your CSUN userid and password for your Twitter account, please also change your CSUN password.
Post Office Mail Scam (2/26/2018)
The USPS has a service that allows you to see a preview of your snail mail online. Unfortunately, when the USPS rolled this out, their identity verification was lax and no notification was sent to the mail owner that someone had signed up. Therefore, it was easy for scammers to sign up to get a preview of your mail and know when credit cards, bank statements or checks were delivered. The USPS has implemented a new notification system to alert you when someone signs up. It is suggested that you sign up for this notification process.
Chase Bank Mobile Glitch Exposes Customer Data (2/25/2018)
JP Morgan Chase & Co. suffered a glitch that gave some customers logging in to online systems access to other clients’ accounts instead of their own. This software glitch occurred last week. If you logged into your account online or via the mobile app, it is suggested that you monitor your account closely.
W-2 Scam Alert (2/22/18)
The Internet Crime Complaint Center (IC3) has issued an alert on the increase in W-2-related phishing campaigns. Hackers often use tax-related phishing to get individuals to give up personally identifiable information (PII), click on a malicious link, open a malware-infested attachment or pay a ransom. Note that the IRS does not initiate contact via email. If it looks suspicious or you are asked to give up PII, it is more than likely a phishing email.
Chrome Browser Scam/Ransomware (2/8/2018)
Security researchers are reporting that hackers are exploiting a bug in Chrome to try to extort money from unsuspecting users. The way it works is that upon navigating to a hacked or invalid web site, your browser may display a message telling you to call a number and then lock up the browser and eventually your Windows machine. If you do encounter this issue on Windows you may use Task Manager to kill the Chrome browser or you can reboot your machine. On MacOS your Mac will eventually tell you that your browser is unresponsive. Under no circumstances should you call the number popping up on your machine. Chrome has not yet issued a patch.
Another Flash Exploit (2/1/2018)
Adobe issued a security warning that attackers are exploiting a new security hole in its Flash Player software to hack into Microsoft Windows computers. Adobe said it will issue a fix in the next few days. Adobe is recommending that users turn on protected view in Windows to mitigate this issue. We recommend that all users turn on protected view on their computers.
File Taxes Early to Prevent Fraud (1/29/18)
Today, January 29th, is the first day you can file your 2017 tax return. A favorite tactic of scammers and hackers is to file a false tax return using your stolen identity and collect a large refund. Tax return fraud impacts hundreds of thousands of US taxpayers annually and is expected to climb this year due to the Equifax breach. One way to prevent this fraud is to not wait until April 15th but file as early as possible.
If you were a victim of the Equifax breach you should consider submitting an Identity Theft Affidavit (Form 14039) to the IRS. Also be aware that if you froze your credit due to the Equifax breach and you are required by the IRS to use a PIN to file electronically, you have some extra steps to perform.
Malware Bytes Update Causes Major Problems (1/29/18)
Malwarebytes released a production update on Saturday that can cause spikes in CPU use, resulting in slow performing or crashed computers. If you are using Malwarebytes please see the Malwarebytes Forum for remediation steps.
Major Flaw in Hardware Leaves Computers, iPads and iPhones Vulnerable (1/08/18)
Two major flaws in computer chips have left a huge number of computers, iPads and smartphones vulnerable to hackers. These flaws have been titled Spectre and Meltdown. The flaws are specific to Intel chips.
The flaws could potentially allow an attacker to read confidential data stored in computer or mobile device memory such as passwords, or sensitive data. Although the flaws are hardware based the fixes to make your device secure are software based.
The fixes are listed below. Please apply them as soon as possible to devices in your department. We will be pushing out many of these via SCCM and Jamf.
Need Help with Information Security?
Contact the Office of Information Security at (818) 677-6100. To report incidents of abuse, send an email to firstname.lastname@example.org or: