In an effort to emphasize the risks of using cloud services to store University data, UAB IT is releasing interim guidance on the use of cloud services for the UAB campus.

The guidance is for members of the UAB campus community who wish to use cloud applications and services available on the Web, including file storage, Web conferencing and content hosting.

While recognizing that cloud services can fill a need in certain areas, UAB IT reminds all UAB employees to use appropriate due diligence when entering into agreements, especially with cloud providers. UAB employees should not store sensitive/restricted information in a cloud service without University-approved agreements in place.

UAB employees cannot subscribe to cloud services to store sensitive or classified data (see UAB Data Protection and Security Policy for what UAB defines as sensitive data) without an appropriate agreement directly with UAB — and employees cannot be reimbursed for such cloud subscriptions without an affirming statement that the data stored is not sensitive.

“We want to make people aware of how risky it is to use such sites for sensitive data,” said David Yother, director of enterprise technology services for UAB IT. “The safest method is to keep it here at UAB, unless a specific business reason exists and appropriate management approvals have been received.”

Over the coming months, additional information will be released, including guidelines for specific cloud services.

More information about the cloud guidance can be found here.

UAB Hospital employees should refer to guidance from HSIS with regard to using cloud services.



Cyberspace is a shared resource, and its security is the responsibility of all American citizens, businesses, groups and governmental agencies. Cyber security begins with the awareness of our individual internet usage habits and changing them to practices that can help safeguard our digital lives.

When in doubt remember staysafeonline.org’s motto: STOP. THINK. CONNECT.

STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s. 

CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.


Cybersecurity is a daily issue that will affect the rest of your life. Therefore, every individual should place the cybersecurity motto “STOP. THINK. CONNECT.” at the same level of importance as “Stop, drop and roll” and “Look both ways before crossing.”

This year, the UAB Enterprise Information Security department will focus on the campus community through classroom and homecoming event presence. The classroom presence involves an intuitive presentation to the CAS 112 – Success in College class. The CAS 112 course prepares students for a successful collegiate career in any field of study.

The UAB Enterprise Information Security department’s homecoming presence will be at a booth in the Occupational Health and Safety Vendor Fair from 11 a.m. to 2 p.m. on Friday, Oct. 10. The OHS Vendor Fair will be located between Rast Hall and the Campus Green.  Come and visit our booth so that we can chat about cyber security.  You will leave our booth with more cyber security awareness knowledge — and a few treats.

Additional cyber security resources:

National Cyber Security Alliance

Password Security

Phishing Scams

Physical security tips







UAB IT is urging all university employees to be aware of a possible e-mail phishing scam with the subject line “Your Nex Salary Notification.”

The e-mail claims to be communication from UAB Human Resources and asks users to click a link which takes them to a fraudulent site.

UAB IT officials are taking steps to prevent the further dissemination of e-mails from this particular sender, but remind UAB employees to remain vigilant about potential phishing scams.

To report suspected spam to AskIT, please follow the instructions here.

Some tips to help users avoid phishing scams include:

Be wary of unsolicited email. Phishing scams try to convey a sense of urgency and try to pressure you into clicking a link. They might claim that unusual activity regarding your account has been flagged, or you must reconfirm your password by clicking on a link in the e-mail. If you receive such a message, be very skeptical and do not click on any links. Send an email to AskIT@uab.edu to report the suspicious email.

Check for misspellings or grammatical errors. Phishers often make such mistakes when writing the subject matter line or when writing the body of the email.

Think before you click. Both the sender’s email address and any suspicious links in the message body can help identify a fraudulent email. First, hover your cursor over the sender’s email address and check the domain name (the part of the address that comes after the “@”; for example, @school.edu). Now hover your cursor over the suspicious link (be sure not to click on it!) to view the web site address of the link (for example, school.com). There’s likely a problem if those two don’t match (for example, an email address of ITadmin@school.edu and a web site address of passwordchange.school.com).

Verify the address. Be aware that cyber-criminals will try to trick you into thinking a web site address is real by making it look similar to the real thing. For example, UAB web sites end in the domain name “uab.edu.” A phishing e-mail might ask you to click on a malicious web site link with the domain name “uab.edu.com.”

Avoid opening attachments. Many phishing emails include attached documents that contain malware that can infect your computer. Never download and open these attachments.

Protect your password. Remember, information security and IT officials at both UAB Hospital and the university will never ask users for passwords or any other sensitive information.

Report suspicious activity. If you have any questions or you receive a suspicious email that you want to report, university employees and students can call the AskIT Help Desk at 205-996-5555.  Hospital employees can call the HSIS Help Desk at 205-934-8888.

Wondering if your photos, data and other information are securely stored in the cloud after the leak of celebrity photos over the Labor Day weekend?

UAB IT security professionals say the incident is a good reminder to the rest of us to take precautions with our own data.

Since most of us aren’t celebrities, our photos probably won’t be worth hackers’ time — but personal information can be.

So what can you do to keep your personal cloud accounts safe?

• Enable two-factor authentication on your cloud accounts. That way, if you — or someone else — tries to log into your account from a device that is not registered, you’ll have to log in using a verification code sent to one of your devices. It’s an extra step that helps secure your information.

Microsoft’s OneDrive — a cloud storage application available free for UAB students — uses two-factor identification and allows users to add security information to their account. Learn more here.

• Make sure you have a strong password. Ideally, you should use a passphrase you can remember. For example, choose “goblazers,” but replace some of the letters with numbers or symbols and include capital letters. The example, then, could become g0b!azers — easy to remember, harder to hack.

Change your password often to keep your data secure. That’s why UAB requires employees and students to change their BlazerID passwords frequently, and to make sure they contain the kind of character combinations that make them much less vulnerable to attacks.

• Consider using a password manager or password vault such as LastPass or KeePass. Such tools — which vary in price — can help manage your different logins while keeping them secure.

UAB employees should also be very cautious about cloud storage with regard to University information.

“UAB employees should not use cloud products for UAB business data without approval,” said Scott Fendley, information security operations manager for UAB IT. “UAB IT reviews the contracts and ensures that the cloud products meet our requirements.”

This month’s Tech Talk on Sept. 25 will feature a discussion of cloud computing at UAB. 

Forgot your BlazerID password? You don’t have to contact AskIT.

Did you know there is a quick and easy way to reset it through BlazerID Central?

If you have a phone number registered for B-Alert/e-Notify, you can use the automated password reset. Just register a new or existing phone number for “Identity” in the e-Notify signup here. You’ll get a text or voice message with a code to reset your password.

And if your password has expired, you can still log in to BlazerID Central with your old password to reset to a new password.

UAB’s password/passphrase policy, effective Jan. 1, 2014, requires faculty and staff to change their passwords every 90 days, and students to change their passwords every 180 days.

UAB IT has changed its notification schedule for changing your BlazerID password. Users now receive notices 15 days before their passwords expire, as well as seven days, three days, two days and one day prior to expiration.

Remember: E-mailed password change notices from UAB IT will NOT include clickable links, due to ongoing phishing attempts. All updates to your BlazerID password should be managed through BlazerID Central.

A strong password, changed at regular intervals, is one of the best ways to safeguard your information – and everyone else’s.

That’s why UAB requires employees to change their BlazerID passwords every 90 days, and students every 180 days.

Changing passwords often – and making sure they are both strong and secure – will help keep hackers out of your data and out of UAB’s systems.

Beginning Aug. 1, UAB IT will send the first reminder that you need to change your BlazerID password 15 days before the expiration date, a change from the previous 30-day advance notice. Reminders are also e-mailed one week before expiration, as well as sent at three days, two days and one day prior to expiration.

Password expiration notices tell you the exact date your password will expire so you can keep track of when you need to change it.

Remember: E-mailed password change notices from UAB IT will NOT include clickable links, due to ongoing phishing attempts. All updates to your BlazerID password should be managed through BlazerID Central.

Warning: Several units at UAB have received harassing calls from telephone scammers, known as “cyber extortionists.” This is a known issue documented by the FBI and AT&T.

If you receive persistent calls from one of these scammers, it will probably be under the pretense of “payday loan collections.” The scammer may know a lot of information about your identity, including your work number, which they actually obtained from a third party. They will attempt to harass you into making a payment to them just to leave you alone. Otherwise, they will continue to call and harass you at work.

UAB IT and HSIS recommend this activity be reported to the following numbers: AskIT at 996-5555 or HSIS Helpdesk at 934-8888, depending on which group supports the affected phone. To help fix the problem, we also recommend directing the calls to a phone number where they can be screened before sending the call to the department or unit. If necessary, the phone number under attack can be blocked from outside callers.

This allows normal internal operations to continue, until the scammer understands they are wasting their time, and they move on.

 

 

 

UAB IT Provides Critical Guidance to Campus on Appropriate Versions of Internet Explorer, Mac OS, and Java to Mitigate Risks of Exploitation; updates Java recommendation to 1.7.0_55

A significant security vulnerability was discovered in the Internet Explorer web browser over the weekend of April 26th and is being widely reported in the mass media. This vulnerability could allow an attacker to compromise a Windows-based computer if the end user visits a website hosting content crafted to exploit it.

On May 1st, Microsoft released a fix to the IE vulnerability. Users should install this fix immediately.  UAB IT will begin pushing this update Thursday afternoon May 1st.  If IE is open, you will be required to perform a system reboot in order for the fix to take effect. If IE is closed, no reboot should be necessary.  Once the fix has been applied to your system (and IE is open) you will have 24 hours to perform a reboot or your system will automatically reboot.  

UAB IT continues to recommend that end users use a two-browser approach to limit the risks to the campus.

1. Use an up-to-date version of Internet Explorer for conducting UAB business on university supported web sites.

2. Use a second web browser (such as Mozilla Firefox or Google Chrome) with the Java plug-in disabled for any general web surfing and accessing off-campus resources.

Windows Systems:

• On Windows 7, install IE 10 and Java 1.7.0_55

UAB IT has updated the minimum recommendations for versions of Internet Explorer and Java as UAB systems have improved functionality to support newer browsers and the currently secure version of Java. Internet Explorer 10 and Java 1.7.0_55 are recommended for installation on Windows 7/8. UAB IT also recommends using a separate browser with Java disabled for Internet use: use IE with Java enabled for on-campus sites, and your choice of Firefox or Chrome with Java disabled for Internet browsing (for information on disabling Java click here).

Mac Systems:

• Install OSX 10.9 and Java 1.7.0_55

UAB IT has updated the minimum recommendations for versions of Mac operating systems and Java as UAB systems have improved functionality that is compatible with the current version of Java. The recommended operating systems for use on campus are Apple OSX 10.7x and 10.8x. While Apple OSX 10.6x is still supported by Apple, vendors are no longer testing against it for compatibility. Apple operating systems will not run any version lower than Java 1.7.0_51.

UAB IT also recommends using two different browsers — one for surfing the Web and one just for accessing UAB systems. For Internet Web browsing, use one of the following: Firefox, Safari, or Chrome, with Java disabled (for information on disabling Java click here). For working with just UAB systems, choose a different browser and enable Java to work in it. If you run into compatibility issues with the local browser and UAB IT systems, use the IT terminal servers to access UAB resources via RDP client (for information on using IT terminal servers on Mac click here).

For more information, contact AskIT (www.uab.edu/askit).

UAB IT announced Friday that Windows XP systems (that do not have an approved exception in place) will have all internet access suspended. The UAB IT Oversight Committee approved this plan in late April. See the details of the announcement and the effective dates below.


May 2, 2014

Office of the Chief Information Security Officer

Subject:

Suspension of Internet Access for XP Computers/System

To:

All UAB Faculty and Management

What is Happening:

Effective April 8th, Microsoft stopped support for the Windows XP operating system and associated software.  Non-support represents a significant vulnerability to UAB and, as a result, the IT Oversight Committee has directed that action be taken to mitigate this vulnerability.



Actions:

Mitigation actions include the following steps:

1. XP system owners will be notified via an email that their Internet access will be suspended. Notices will start being sent on Monday May 5th.

2. 7 calendar days after notification, Internet access will be suspended via our IPS/IDS system.

3. After May 31st, all XP systems will be disconnected from the UAB campus network.

4. If an XP system requires campus network and Internet access, an Exception Request must be submitted to the Information Security Office, be adjudicated by the Enterprise Information Security Council, and the system access restored if approved.



Contact: For questions call the Enterprise Information Security staff at (205) 975-0842 or email datasecurity@uab.edu

Physician Tax Fraud Scheme

Alabama has now been added to a growing list of states with a doctor-targeted tax fraud outbreak. Hundreds of physicians in Arizona, Connecticut, Indiana, South Dakota, New Hampshire, Michigan, North Carolina, Vermont and Alabama have been impacted.

A bulletin from the North Carolina Medical Society recently said, “The majority of those affected first become aware of it when they receive an IRS 5071C letter advising them of possible fraud. Others are receiving a rejection notification when attempting to electronically file their tax return. It indicates it cannot be submitted because a return has already been filed under that Social Security number.”

Earlier this week, the UAB IT Information Security Team received information that a half-dozen physicians associated with a local medical group affiliated with the Children’s Hospital of Alabama have also been victimized as a result of this scheme. We have unconfirmed reports that several UAB physicians may also be impacted.

We are in contact with the local FBI field agent regarding this matter. If you or a physician you know has been affected by this, please contact the UAB Chief Information Security Officer at (205) 975-3117 or by email to jwp3@uab.edu for additional information.