May 9, 2013

Purpose

Computer systems running vendor-unsupported or end-of-life operating systems are potential security threats to the UAB campus network. Vendors do not provide security patches for unsupported systems, and these unpatched systems can be exploited by attackers. Such exploitations can result in disrupted experiments, corrupted research data and/or completely compromised systems.  UABIT reserves the right to disconnect these computers from the campus network to mitigate this data breach risk (see UAB’s Acceptable Use of Computer and Network Resources policy).  UAB system administrators are responsible for maintaining the security of all information systems, per the campus Data Protection and Security Policy, which includes updating applications and operating systems.

Windows XP will not be supported after April 2014. Windows versions prior to Windows XP and any version of Mac OS X prior to version 10.6 should be considered unsupported.

Scope

The information in this guidance statement applies to all constituents internal to UAB.

Guidance

Questions can be directed to This e-mail address is being protected from spambots. You need JavaScript enabled to view it or, by calling (205) 975-0842.

References

http://sppublic.ad.uab.edu/policies/pages/LibraryDetail.aspx?pID=38

http://support.microsoft.com/gp/lifeselect

http://www.debian.org/releases/

https://wiki.ubuntu.com/Releases

http://www-01.ibm.com/software/support/aix/lifecycle/index.html

http://www.sun.com/service/eosl/eosl_solaris.html

http://www.computerworld.com/s/article/9229784/Mac_users_left_wondering_if_OS_X_Snow_Leopard_s_retired

UAB Information Security recently discovered a new spam campaign where users are tricked into opening an email attachment that contains a virus aimed at stealing passwords and financial information.  As with any suspicious email messages you may receive, please report them to This e-mail address is being protected from spambots. You need JavaScript enabled to view it for inspection.

The recent spam email messages are crafted to look like they came from one of several legitimate companies such as Chase Bank, the Better Business Bureau (BBB), Department of Treasury, Dun & Bradstreet Financial Services or a wire transfer company. You should be aware that these emails are forged and that none of the information included in the email can be trusted including embedded links, e-mail addresses or phone numbers.

Here are some of the common email subject lines we have seen in this spam campaign:

•  FW: Company 2013 Report

•  Incoming Wire Transfer Notification

•  D&B iUpdate: Company Order Requested

•  Department of Treasury Notice of Outstanding Obligation – Case ######

•  Better Business Bureau Complaint Case #######

•  Merchant Billing Statement

•  ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)

Windows 8 is not recommended for campus use at this time. However, if you have to support a Windows 8 portable device, it must be encrypted. At this time, BitLocker is available to accomplish this task on all Windows 8 portable devices that have a TPM chip and do not run on an ARM platform (such as a Windows 8 RT tablet). Windows 8 devices that run on an ARM platform or those that do not have TPM chips should not be used.

UAB Policy requires all laptop/portable devices owned by UAB or UAB businesses and all personal laptop/portable devices used for UAB business be encrypted. PGP, UAB’s current encryption tool, does not work on Windows 8 and Symantec has not yet set a support date for Windows 8.

BitLocker is an acceptable alternative to encrypt Windows 8 system drives in some circumstances. In the past, BitLocker has been recommended when PGP was incompatible with Windows 7 or specific BIOS versions. Systems that are currently encrypted with PGP should remain encrypted via PGP.  UAB IT is currently researching BitLocker key management solutions and will issue further guidance as available, but in the mean time, BitLocker should be installed using the non-enterprise setup method below.

Non-Enterprise BitLocker Setup

Recommendations for using BitLocker

• • Password set system BIOS
  • TPM chip in the device
  • You must take ownership of the TPM chip
  • Before updating the BIOS, BitLocker must be suspended
  • Escrow the key in some manner
  • Professional/enterprise version of Windows
  • Use a TPM + PIN authentication method
  • System must be formatted NTFS with two volumes

 Escrowing the key

With Windows 8, you may escrow the key in one of the following ways:

• Save the recovery key to a USB flash drive
This method saves the recovery key to a USB flash drive. This option cannot be used with removable drives.
• Save the recovery key to a file
This method saves the recovery key to a network drive or other location.
• Print the recovery key
This method prints the recovery key, but it is not recommended.

It will be up to the department to maintain the escrow recovery keys.

Installation instructions can be found here

UAB IT is now providing information security training materials to inform university faculty, staff and students about computer threats.  Each month a newsletter will be released focusing on new and different cyber security threats.  Contact the This e-mail address is being protected from spambots. You need JavaScript enabled to view it for more specific training options that can increase the protection of your information systems. 

February 2013

March 2013

April 2013

May 2013

As part of the University's contract review process, UAB IT is responsible for reviewing any University contract that includes an IT or IT related component prior to such contract being executed.  The information and sample addendum, below, provide details on how to ensure that your IT related contract can be routed for execution in a timely manner. Questions on the process or requirements should be directed to UAB IT

• For most agreements the following two addendums will be added during the routing process.  You can provide those addendums to your vendor in advance for their review and acceptance/signature prior to routing at UAB and include them in the routing packet.  
  • The general UAB Addendum (found on the Financial Affairs contract website) which covers information related to State, University, and Legal issues/clarifications.  Any changes to the UAB addendum must be approved by University Contracts.
  • The UAB Information Technology Addendum which covers additional confidentiality, information security, liability, and warranty language. Portions of the IT Addendum may be applicable to only certain agreements and that applicability is detailed in the various sections of the addendum.  Any changes to the IT addendum must be reviewed and approved by UAB IT. 
• For agreements that include HIPAA (health related information) a Business Associate Agreement (BAA) may also be required. For information related to the BAA see the UAB HIPAA website. 

Link to UAB IT Addendum

• Non-Disclosure/Confidentiality Agreement
• Standard Master Product/Services Agreement (and/or appropriate SOW)
• Professional Services Agreement (and/or appropriate SOW)
• Statement of Work - no hosting or processing of data
• Statement of Work - with hosting or processing services

1. Overview

The IT Administrator's view of Secunia is via the "Secunia CSI" Console.   There are two subcomponents available.  

• Deploying Secunia CSI Agents (Scan systems for software vulnerabilities)
• Deploying Secunia PSI Agents (Scan systems for software vulnerabilities, provide some automatic patching and give reporting to end user).

1.1 Notes

• UAB has a site license (currently through Fall 2013) for this software though there are license counts associated with the software and administrator accounts.
• Secunia PSI can only have 1 linkID per reporting subaccount!
• Secunia PSI can be configured to report to a CSI instance or be standalone. Personally owned devices should generally use the non-reporting PSI.

• UAB IT's initial deployment does not include pushing patches via WSUS. How to accomplish this on top of our existing WSUS processes and coming Forefront-based processes is being examined.

2. PSI Usage

If you are only worried about one or two systems (like a workstation), use the end user install of secunia PSI.

3. CSI Usage

Full documentation is available at http://secunia.com/vulnerability_scanning/corporate

• Establishing Subaccounts. Each subaccount is a unique set of reporting views and licensing counts. Accounts can either be subordinate or they can be a "shadow" of an existing account.
• Reporting (AdHOc or Scheduled Email); Several are available including static URLs that you can include in existing webpages as a dashboard for system status.
• Integration with Secunia PSI;
• Patch deployment Integration with WSUS or SCCM; This requires your own WSUS infrastructure. UAB IT is currently examining how to offer third party patches beyond Microsoft.

3.1 Getting Started with CSI

1. Contact This e-mail address is being protected from spambots. You need JavaScript enabled to view it and request an account. Please indicate an approximate number of systems and other administrators you will need.
2. You will receive an email with your account username and password from Secunia This e-mail address is being protected from spambots. You need JavaScript enabled to view it .'; document.write( '' ); document.write( addy_text24556 ); document.write( '<\/a>' ); //--> This e-mail address is being protected from spambots. You need JavaScript enabled to view it
3. Download and install the CSI Management console from http://secunia.com/vulnerability_scanning/corporate
4. Login to the CSI Console with your assigned username and password. You can change your password at anytime.

3.2 Downloading CSI Agent

Please note that a csia.exe download is bound to an account.  If you end up with multiple accounts, please make sure to keep your csia.exe unique.

1. Go to Scan > Scheduled Scanning > Download Agent; There is also a manual available on this screen.
2. Choose an installation methodology. At the end of this document is an example script that will run csia.exe using the -NAME of the hostname as the "group" .

3.3 Downloading a Linked PSI Agent

PSI agents are nice for situations where end users take some responsibility for the software they install and keep up to date.   Please refer to end-user documentation for dealing with some of the caveats associated with PSI, especially with Java.

1. Go to Scan > PSI Integration > Download Custom PSI
2. Create a unique LinkID for your area. This cannot be changed.
3. Save the custom installer as PSISetup!.exe; The name of the installer should not be changed.

3.4 Creating a shadow account

This is an account with the same reporting scope as an existing account.

1. Navigate to User Management > Shadow Accounts
2. Click New Shadow Account
   • Name: Real Name
   • UserName: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
   • Email: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
   • Click "Generate Password"
   • Select the level of access they need to have to your main account
     • Read/Write (Can make changes/delete hosts/regroup systems)
     • Read (Can view reports/system status)

3.5 Creating a subaccount

This is an account with a new reporting scope.  This will not roll up into your main set of reports.  This is useful for delegated responsibility situations such as labs.  If you want someone else to have the same rights as you, create a shadow account!

1. Navigate to User Management > Accounts
2. Click New Account
   • Name: Real Name
   • UserName: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
   • Email: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

   • Click "Generate Password"

4. Secunia CSI Login Scripts

This script is suitable for being used as a login script or as a scheduled task.   Please share any suggested changes to this script.

'==========================================================================
'
' NAME: runsecunia.vbs
'
' AUTHOR: Chris Green This e-mail address is being protected from spambots. You need JavaScript enabled to view it
' AUTHOR: Aaron Blum    This e-mail address is being protected from spambots. You need JavaScript enabled to view it
' DATE  : 2/2/2011
' DATE  : 5/1/2012 (updated)
'
' COMMENT:
'
'  Runs the Secunia csia agent (different visibility scopes per user) and
'    sets the site to the active OU|
'  
' CHANGES:
'     5/1/2012 - Updated Script to work with Secunia 5.0 Agent
'     2/2/2011 - Made csia execute in background.
'
' This default configuration assumes that the csia.exe file is
'   in the "C:\Secunia\" folder and that logs are to be placed
'   in the "C:\Secunia\logs" folder.
'
' It also configures the agent to check-in every two days
'  This can be modify by adjusting the flag after the -i in SecuniaCmd
'
' Change these values where needed.
'
'==========================================================================
' SEC (AKA Chris Green) Login Script

 'On Error Resume Next

'' full path to CSI Program
''const CsiaPath = "%ProgramFiles%\Secunia\csia.exe"
const CsiaPath = "C:\Secunia\csia.exe"
'' Output log directory, Log will be username.sec
''const LogPath = "%ProgramFiles%\Secunia\logs\"
const LogPath = "C:\Secunia\logs\"
'' Run in foreground?
const bInteractive = False

Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Overwrite the last instance of the logs
Dim objLogPath, ouGuess, idxDash, secuniaCmd
objLogPath = LogPath & objNetwork.UserName & ".sec"
Set objLog = objFSO.OpenTextFile(objLogPath,2,true)

TimeStamp = Year(now) & "-" & Month(now) & "-" & Day(now) & "-" & Hour(now) & Minute(now)
ouGuess = "ADLogonScript"
idxDash = InStr(1,objNetwork.computername, "-", 1) - 1

If idxDash > 0 Then
   ouGuess =  Mid(objNetwork.computername, 1, idxDash)
End If  

objLog.WriteLine("[*] Secunia " & objNetwork.UserName & "@" & objNetwork.computername & " on " & Now)

secuniaCmd = CsiaPath & " -i 2D -L -g " & ouGuess & " -v --skipwait -d " & LogPath & TimeStamp & "_csia.log"
objLog.WriteLine("[*] Secunia Executing with " & secuniaCmd)

If bInteractive Then
                set oExec = objShell.Exec(secuniaCmd)

                ' Wait for the scan to complete
                Do While Not oExec.StdOut.AtEndofStream
                                strText = oExec.StdOut.ReadLine()
                                objLog.WriteLine(strText)
                Loop

                objLog.WriteLine("[*] Secunia Exited with " & oExec.Status & " on " & objNetwork.UserName & "@" & objNetwork.computername & " on " & Now)

Else
    '' Close the output file, hide csia in the background
                objLog.Close
                objShell.Run "cmd /c " & secuniaCmd & ">>" & objLogPath, vbHide
End If