NYU Shanghai IT Newsletter

Information Technology

As we gear up for the Spring Festival, the only things that should be "leaking" are the red envelopes and maybe a bit of steam from the dumpling pot. While you’re busy catching up with family and avoiding awkward questions from your relatives, cyber-threats don’t take a holiday. In fact, hackers love the "quiet" periods when IT departments are at half-capacity.

Before you set that Out-of-Office (OOO) reply and head out, here is your essential security checklist to ensure your digital life stays as festive as your dinner table.

1. The "Out of Office" Trap

We all want to let people know we’re away, but oversharing is a gift to social engineers.

- Do: Keep it professional and vague. "I am away until Feb 20th. Contact [Department Email] for emergencies."

- Don’t: Include your personal cell phone number, specific travel destinations, or names of colleagues who are also away.

2. Public Wi-Fi: The Free Lunch Myth

Treat public Wi-Fi as insecure by default. Stick to your mobile data or a VPN to keep your login credentials safe.

- Use a VPN (Virtual Private Network) for all work-related tasks. If you can not access to the VPN, stick to your mobile hotspot.

- Disable "Auto-Join" for Wi-Fi networks in your settings to prevent your phone from connecting to malicious "Free Airport Wi-Fi" clones.

3. Physical Security (The Basics Matter)

If you’re bringing your work laptop on travel:

- Lock it up: Don’t leave devices in your car or at a crowded café table while you grab a coffee.

- USB Danger: Beware of "found" USB drives or public charging stations (Juice Jacking). Stick to your own wall outlet and cables.

4. Phishing for Red Envelopes

Expect an influx of "Chinese New Year" themed emails or texts. These often look like:

- Fake shipping notifications for gifts you didn't order.

- "Digital Red Envelopes" from unknown senders or fake HR accounts.

- Urgent "Account Compromised" alerts while you're away.

If the link looks fishy, don't click it. Hover over the URL to see where it actually goes.

🧧 Wishing you a prosperous, happy, and secure Year of the Horse! 🐴

Beginning February 2, 2026, Duo will require version 4.85.0 or higher of the Duo Mobile app in order to use the Duo Push (or Verified Push) authentication method.

Before you set that Out-of-Office (OOO) reply and head out, here is your essential security checklist to ensure your digital life stays as festive as your dinner table.

Check Your Current Version:
- Open the Duo Mobile app,
- tap the menu or settings icon,
- scroll to the bottom to verify your version number.

Verify Compatibility: Kindly ensure your device meets the minimum system requirements for the Duo Mobile application to support the latest version.
- iOS: Requires iOS 16.0 or later.
- Android: Requires Android 12.0 or later.

Update the App: Visit the Apple App Store or Google Play Store to download the latest version (4.85.0 or higher).
- * Review supported devices for Duo Mobile app installation

To ensure all accounts remain secure and functional, users who continue to use older versions of the Duo Mobile app may receive a second round of notifications as the deadline approaches. To opt out of further reminders, please complete the update as soon as possible.

If your mobile hardware does not support the required operating system, you can still authenticate using the Duo Mobile Passcode method:

Open your Duo Mobile app and select your NYU account to reveal a 6-digit passcode.
When prompted to log in, select "Other Options" and enter the passcode manually.

If you have questions regarding device compatibility or the update process, please contact NYU Shanghai IT Help Desk.

If your inbox currently looks like a "Who’s Who" of your professional network all suddenly obsessed with a tool called MinutesLink, you aren't alone. Over the last two weeks, we’ve seen a massive surge in these invitations hitting the community.

The twist? Most of the people "sending" these invites have no idea they’re doing it. Let’s break down whether this is a genuine security threat, how it works, and how you can reclaim your digital personal space.

Technically speaking, this isn't a traditional "hack" where someone stole a password. Instead, it’s a classic case of OAuth Permission Abuse.

When a user signs up for MinutesLink, the platform asks for permission to access their calendar and contacts to "sync meetings." In the rush to try a new tool, many people click "Allow" without reading the fine print. Once granted, the app automatically sends invitations to every contact it can find, making it look like a personal recommendation from a colleague.

Is it Phishing? Not in the sense of stealing your credit card, but it is "Aggressive Spam." It uses deceptive tactics to spread by leveraging the trust you have with your contacts.

If you’ve realized you are the one who started the chain in your office, don't panic. You just need to sever the link between the app and your email provider.

Revoke Access:
- Google Users: Go to your Google Security Settings and find "Third-party apps with account access." Locate MinutesLink and click "Delete all connections you have with MinutesLink"
- Outlook/Microsoft Users: Go to My Applications or your account's "Privacy" settings and revoke permissions for the app.
Delete the Account: If the app has an internal setting to "Delete Account," do that after revoking access to ensure they don't keep your data on their servers.

The MinutesLink saga is a great reminder that our contact list is high-value real estate. Here is how to keep the squatters out:

The "Stop-Think-Act" Rule: When an app pops up a window asking to "See, edit, share, and permanently delete all the calendars you can access," stop. Ask yourself: Does a meeting-notes app really need the power to delete my calendar?
Check the "From" Address: Just because the name says "John Doe" doesn't mean John actually hit send. Look at the actual email address. If it's a "no-reply@minuteslink.com" address, it’s a bot, not John.
Use a Separate Test Account: If you love trying new AI tools, consider using a secondary email address that doesn’t have your primary contact list or calendar synced to it.
Audit Regularly: Once a month, check your Google or Microsoft security settings to see which apps still have access to your account. If you haven't used an app in 30 days, kill the connection.

Bottom Line: If a productivity tool starts its relationship with you by annoying everyone you know, it’s probably not a tool that’s going to make your life easier.

Want to print from your mobile device? Check this out: Print from Your Mobile Device

Email: shanghai.it.help@nyu.edu

Phone: +86 (21) 2059 5555

In-Person: Visit us at the IT Service Center N525@Campus Building

NYU Shanghai

NYU Shanghai Website

Subscribe to our email list.

Spring Festival: Don't Let Your Data Go on Vacation

Action Required: Duo Mobile Upgrade

Action Items

Important Note on Notifications

What if my device is not supported?

Need Assistance?

MinutesLink Invites: Is It a Scam or Just Very Annoying Spam?

What Exactly Is Happening?

How to Stop the Spam (If You Already Signed Up)

How to Avoid the Trap in the Future

Print from Your Mobile Device @NYU Shanghai

Contact Us