A strong password, changed at regular intervals, is one of the best ways to safeguard your information – and everyone else’s.

That’s why UAB requires employees to change their BlazerID passwords every 90 days, and students every 180 days.

Changing passwords often – and making sure they are both strong and secure – will help keep hackers out of your data and out of UAB’s systems.

Beginning Aug. 1, UAB IT will send the first reminder that you need to change your BlazerID password 15 days before the expiration date, a change from the previous 30-day advance notice. Reminders are also e-mailed one week before expiration, as well as sent at three days, two days and one day prior to expiration.

Password expiration notices tell you the exact date your password will expire so you can keep track of when you need to change it.

Remember: E-mailed password change notices from UAB IT will NOT include clickable links, due to ongoing phishing attempts. All updates to your BlazerID password should be managed through BlazerID Central.

Warning: Several units at UAB have received harassing calls from telephone scammers, known as “cyber extortionists.” This is a known issue documented by the FBI and AT&T.

If you receive persistent calls from one of these scammers, it will probably be under the pretense of “payday loan collections.” The scammer may know a lot of information about your identity, including your work number, which they actually obtained from a third party. They will attempt to harass you into making a payment to them just to leave you alone. Otherwise, they will continue to call and harass you at work.

UAB IT and HSIS recommend this activity be reported to the following numbers: AskIT at 996-5555 or HSIS Helpdesk at 934-8888, depending on which group supports the affected phone. To help fix the problem, we also recommend directing the calls to a phone number where they can be screened before sending the call to the department or unit. If necessary, the phone number under attack can be blocked from outside callers.

This allows normal internal operations to continue, until the scammer understands they are wasting their time, and they move on.

 

 

 

UAB IT Provides Critical Guidance to Campus on Appropriate Versions of Internet Explorer, Mac OS, and Java to Mitigate Risks of Exploitation; updates Java recommendation to 1.7.0_55

A significant security vulnerability was discovered in the Internet Explorer web browser over the weekend of April 26th and is being shared in mass media.  This vulnerability could allow an attacker to compromise a Windows based computer should the end-user visit a website with appropriate content.

On May 1st, Microsoft released a fix to the IE vulnerability. Users should install this fix immediately.  UAB IT will begin pushing this update Thursday afternoon May 1st.  If IE is open, you will be required to perform a system reboot in order for the fix to take effect. If IE is closed, no reboot should be necessary.  Once the fix has been applied to your system (and IE is open) you will have 24 hours to perform a reboot or your system will automatically reboot.  

UAB IT continues to recommend that end-users use a two web browser methodology to limit the risks to the campus.

1.       Use an up-to-date version of Internet Explorer for conducting UAB business on university supported web sites.

2.       Use a second web browser (such as Mozilla Firefox or Google Chrome) with the Java plug-in disabled for any general web surfing and accessing off-campus resources.

Windows Systems:

• On Windows 7 Install IE 10 and Java 1.7.0_55

UAB IT has updated the minimum recommendations for versions of Internet Explorer and Java as UAB systems have improved functionality to support newer browsers and the currently secure version of Java. Internet Explorer 10 and Java 1.7.0_55 are recommended for installation on Windows 7/8. UAB IT also recommends using a separate browser with JAVA disabled for Internet use.  Use IE for on campus with Java enabled and your choice of Firefox or Chrome for Internet browsing with JAVA disabled (for information on disabling Java click here).

Mac Systems:

• Install OSX 10.9 and Java 1.7.0_55

UAB IT has updated the minimum recommendations for versions of Mac Operating systems and Java as UAB systems have improved functionality that are compatible with the current version of Java. The recommended operating systems for use on Campus are Apple OSX 10.7x and 10.8x. While Apple OSX 10.6x is still supported by Apple, vendors are no longer testing against it for compatibility. Apple operating systems will not run any version lower than Java 1.7.0_51.

UAB IT also recommends using two different browsers — one for surfing the Web and one just for accessing UAB systems. For Internet Web browsing, use one of the following: Firefox Safari, or Chrome, with Java disabled (for information on disabling Java click here). For working with just UAB systems, choose a different browser and enable Java to work in it. If you run into compatibility issues with the local browser and UAB IT systems, use the IT terminal servers to access UAB resources via RDP client (for information on using IT terminal servers on Mac click here).

For more information, contact AskIT (www.uab.edu/askit).

UAB IT announced Friday that Windows XP systems (that do not have an approved exeception in place) will have all internet access suspended.  The UAB IT Oversight Committee approved this plan in late April.  See detail about the announcement below and effective dates.


May 2, 2014

Office of the Chief Information Security Officer

Subject:

Suspension of Internet Access for XP Computers/System

To:

All UAB Faculty and Management

What is Happening:

Effective April 8th, Microsoft stopped support for the Windows XP operating system and associated software.  Non-support represents a significant vulnerability to UAB and, as a result, the IT Oversight Committee has directed that action be taken to mitigate this vulnerability.



Actions:

Mitigation actions include the following steps:

1.    XP system owners will be notified via an email that their Internet access will be suspended. Notices will start being sent on Monday May 5th.

2.    7 calendar days after notification, Internet access will be suspended via our IPS/IDS system.

3.    After May 31st, all XP systems will be disconnected from the UAB campus network.

4.    If an XP system requires campus network and Internet access, an Exception Request must be submitted to the Information Security Office, be adjudicated by the Enterprise Information Security Council, and the system access restored if approved.



Contact: For questions call the Enterprise Information Security staff at (205) 975-0842 or email This email address is being protected from spambots. You need JavaScript enabled to view it.
Physician Tax Fraud Scheme

Alabama has now been added to a growing list of states with a doctor targeted tax fraud outbreak.  Hundreds of physicians in Arizona, Connecticut, Indiana, South Dakota, New Hampshire, Michigan, North Carolina, Vermont and Alabama have been impacted.

A bulletin from the North Carolina Medical Society recently said, “The majority of those affected first become aware of it when they receive an IRS 5071C letter advising them of possible fraud. Others are receiving a rejection notification when attempting to electronically file their tax return. It indicates it cannot be submitted because a return has already been filed under that Social Security number.”

Earlier week, the UAB IT Information Security Team received information that a half-dozen physicians associated with a local medical group affiliated with the Children’s Hospital of Alabama have also been victimized as a result of this scheme.  We have unconfirmed reports that several UAB physicians may also be impacted.

We are in contact with the local FBI field agent regarding this matter and are asking if you or a physician you know has been affected by this, please contact the UAB Chief Information Security Officer at (205) 975-3117 or by email to This email address is being protected from spambots. You need JavaScript enabled to view it. for additional information.
The OpenSSL/Heartbleed vulnerability has been recently spotlighted in the news media since being announced on April 7, 2014.  UAB IT has reviewed all centrally supported systems for this vulnerability and, working with our vendors, have installed patches on all supported systems to mitigate this vulnerability.  We have used results from our daily Nessus campus network scans to identify system which are/were vulnerable and mitigated those systems which are centrally supported.  Additional mitigation steps were taken where needed to protect sensitive credentials and data from compromise.

We believe that the possibility of a data breach or compromise is very low at this time however we recommend that all users take additional steps from an abundance of caution perspective.  Those steps include 1) if you have access as an administrator to a system change your password(s) after you have verified that the vendor supporting your system has patched it appropriately, 2) increase your effort to mitigate those vulnerable systems identified on the weekly Nessus vulnerability report available at https://silo.dpo.uab.edu/vulnreport (if you need assistance please call Information Security at 205-975-0482), 3) please ensure that all systems that use SSL encryption services are fully patched, then restart the service on that system, 4) replace all SSL certificates on those systems with one provide free of charge from UAB IT from www.uab.edu/uabcrt (certificates from UAB are vetted, patched and kept up to date), 5) change all privileged account passwords immediately after vendor patches have been applied, and 6) be aware that many network devices and printers have embedded SSL based encrypted web based access portals which should be updated with vendor patches to mitigate this vulnerability.

We also recommend that all users with privileged access change their BlazerID passwords immediately as a precaution to mitigate any possible exfiltration of sensitive data by the OpenSSL vulnerability.  And we also recommend that users change their personal passwords which they may use to access personal non-UAB web sites such as on-line banking and others to assist in reducing the possibility of becoming a cybercrime victim.


If you need additional assistance, please call AskIT at (205) 996-5555.
Effective January 1, 2014, UAB has a new password/passphrase standard for all active Blazer ID users. This standard supports the Data Protection and Security Policy and is designed to improve the overall security posture on campus. This standard applies to all users and systems at UAB which utilize a BlazerID.

The basics of this standard include:

  • minimum/maximum length requirements for BlazerID passwords/passphrases
  • password/passphrase expiration intervals
  • restrictions on reusing the same password/passphrase for the six previous intervals
  • password/passphrase complexity requirements
  • system logging of failed attempts to log on
  • disabling of unused accounts after a specific interval of non-use
  • requirements for credential encryption while in transit
  • several other recommendations

An official copy of this standard can be found in the UAB Policies and Procedures Library and on the UAB IT Information Security website in the IT Related Policies and Guidelines page.

Questions on this standard and its implementation should be directed to AskIT at (205) 996-5555 or to the Enterprise Information Security line (205) 975-0842 or to This email address is being protected from spambots. You need JavaScript enabled to view it. .



UAB IT Information Security reports that there has been a recent sharp rise in the occurrence of a scam commonly known as a “support desk scam” on campus. In effort to help prevent you from being victimized, UAB Information Security has provided a description of the scam and some tips you can use to protect yourselves. 

About the scam:
Support Desk Scams are perpetrated  through a phone call.  Typically, the scammer will have a thick foreign accent and claim to be from some company’s (e.g. Microsoft, Apple) Support Services in the Technical Department.  The scammer will tell you something along the lines of “Your computer is seriously infected and has been causing a lot of trouble on the internet” or that “Your machine is at serious risk for infection”. Some scammers even offer you the opportunity to verify their ID by typing a specific command into your computer but this is not a legitimate method of verification. Once the scam caller feels they have your trust, they will ask you to take one of the following actions:

  1. visit a website that will allow them complete access to your machine
  2. download something they claim will help but is actually a virus
  3. purchase an item that will protect your machine but will do more harm than good and require you provide them will personal information. 

What you should look for and know:

  • Microsoft will never call you and say you’re machine is at risk/compromised or that you have been causing problems on the internet.
  • Always ask for a call back number and say you’ll call them back. Google the phone number they give you.  It is likely someone else has posted complaints about scammer online.
  • Never purchase and/or download something blindly from the internet based on the suggestion of an untrusted source.
  • Never give anyone access to your machine that you do not know and explicitly trust.

Remember, it is very simple to avoid being a victim by using caution.  If you ever have legitimacy concerns about a phone call or an email, contact UAB AskIT @ This email address is being protected from spambots. You need JavaScript enabled to view it. or 205-996-5555. 


UAB Information Security recently discovered a new spam campaign where users are tricked into opening an email attachment that contains a virus aimed at stealing passwords and financial information.  As with any suspicious email messages you may receive, please report them to This email address is being protected from spambots. You need JavaScript enabled to view it. for inspection.

The recent spam email messages are crafted to look like they came from one of several legitimate companies such as Chase Bank, the Better Business Bureau (BBB), Department of Treasury, Dun & Bradstreet Financial Services or a wire transfer company. You should be aware that these emails are forged and that none of the information included in the email can be trusted including embedded links, e-mail addresses or phone numbers.

Here are some of the common email subject lines we have seen in this spam campaign:

•  FW: Company 2013 Report

•  Incoming Wire Transfer Notification

•  D&B iUpdate: Company Order Requested

•  Department of Treasury Notice of Outstanding Obligation – Case ######

•  Better Business Bureau Complaint Case #######

•  Merchant Billing Statement

•  ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)

The UAB Security Forum will be conducting a survey of information technology personnel across the entire campus, including UAB Hospital.  A letter describing the content of the survey, and how to access it electronically will be sent to UAB leaders via email in the coming days.  All employees who are being asked to complete the survey should respond as soon as possible.  Questions can be directed to the Security Forum co-chairs,This email address is being protected from spambots. You need JavaScript enabled to view it. , School of Medicine, or This email address is being protected from spambots. You need JavaScript enabled to view it. , School of Business.  Additional information will be available from This email address is being protected from spambots. You need JavaScript enabled to view it. , UAB Information Technology.