
UAB is revising its password/passphrase policy to ensure better security for campus assets.

Beginning Sept. 15, passwords/passphrases will need to be 15 characters, but the passwords will expire after one year.

Implementation of the policy will be phased in; while users can change their passwords at any time at BlazerID Central, they will not be required to change their passwords to 15 characters until their current password expires. Enforcement of the new requirements and expiration will begin on the first password change event after the policy goes into effect on Sept. 15.

Fifteen-character passwords are much harder to crack than eight-character passwords, making them more secure than UAB’s current standard. Once a password/passphrase expires, a user will never be able to reuse it. 

A strong passphrase:

  • Is a series of words that create a phrase.
  • Does not contain common phrases found in literature or music. You can choose a sentence or phrase that is familiar to you, but use the first letter of every word as a mnemonic device.
  • Does not contain words found in the dictionary. You can replace certain letters in words with numbers, such as 1 for an I or L.
  • Does not contain your user name, real name or company name.

UAB’s passphrases must contain three of the following four character types: an uppercase letter, a lowercase letter, a number and a special symbol.

When users log into BlazerID Central to change their passwords, they will automatically be prompted to enroll a phone number in the Identity feature, which allows users to more easily reset a BlazerID password/passphrase without having to contact AskIT.

UAB IT is also actively pursuing a contract for a password manager for faculty, staff and students. 

A new phishing email is hitting UAB users' inboxes, purporting to be from "Staff Portal." 

Users should not click the link in the email. The URL has been blocked from campus, but the login page is a replica of a UAB page with university branding. Phishing emails are usually an attempt to gain access to steal your personal or financial information.


If you receive an email with a hidden link like “Click Here,” do the hover test. Hover your mouse over the link and look at the lower left pane to see where the link leads.

Look at the URL of the website you are visiting. 

You should only enter your UAB credentials at UAB .edu web sites.

To report suspected spam to AskIT, please follow the instructions here.

Follow these additional tips to avoid being a phishing victim:

  • Do NOT click links in messages that ask you to log in. Type a trusted Web address in your browser or Google for the Web site if you don’t know the address.
  • Never type personal, sensitive information (such as passwords or account numbers) on Web sites without verifying the Web site’s authenticity and security — look for an “https” in the address bar.
  • Verify the address. Malicious web sites may look identical to a legitimate site, but the address may use a variation in spelling or a different domain (.com vs. .edu).
  • Misspellings and grammatical errors can be a dead giveaway in phishing emails and subject lines.
  • If you are unsure whether a request is legitimate, contact the company directly. Do NOT use contact information provided in the request.
  • Don’t open attachments. They may contain viruses or malware that can infect your computer.
  • Protect your password. Information security and IT officials at both the university and UAB Hospital will never ask users for passwords or any other sensitive information.
  • Report suspicious activity. If you have any questions or you receive a suspicious email that you want to report, university employees and students can call the AskIT Help Desk at 205-996-5555. Hospital employees can call the HSIS Help Desk at 205-934-8888.
Wednesday, 05 August 2015 15:22

Phone scams continue to target UAB students

UAB students continue to be targets of phone scammers who impersonate law enforcement officers or IRS representatives.

Students at universities across the country have been targets of similar scams, in which malicious callers make threats about alleged debt. Although the phone scammers often know personal details about students -- such as their majors -- students should know there has been NO breach of protected information at UAB. Such information is often publicly available in student directories or social media.

According to UAB IT’s Information Security division, students need to know:
  • No law enforcement body will call them and threaten to arrest them over the phone.
  • The attackers can spoof a police station phone number or a government number so the call will look like it is coming from such an office.
  • UAB has not suffered a breach that resulted in this scam.

More information about IRS scams is available here.

Tips:
  • Do NOT provide Social Security numbers, birth dates or any other personal information.
  • Ask to call the “officer” or "IRS representative" back, take down their number and call the number back.
  • Ask them to meet you at the police station in question, if they claim to be from a police department.
  • When in doubt, hang up and call the UAB Police Department at 205-934-4434.
Tuesday, 04 August 2015 21:50

Phishing attempt forges AskIT address

A new phishing email purporting to be from AskIT is targeting UAB faculty, staff and students as well as UAB Medical Center staff. 

UAB IT and HSIS are taking steps to block this phishing attempt, but students, faculty and staff should be on alert.

The email has forged the "from" address as AskIT. A sample of the latest phishing email is below.

If you receive an email with a hidden link like “Click Here,” do the hover test. Hover your mouse over the link and look at the lower left pane to see where the link leads.

Look at the URL of the website you are visiting. 

You should only enter your UAB credentials at UAB .edu web sites.

To report suspected spam to AskIT, please follow the instructions here.

Follow these additional tips to avoid being a phishing victim:

  • Do NOT click links in messages that ask you to log in. Type a trusted Web address in your browser or Google for the Web site if you don’t know the address.
  • Never type personal, sensitive information (such as passwords or account numbers) on Web sites without verifying the Web site’s authenticity and security — look for an “https” in the address bar.
  • Verify the address. Malicious web sites may look identical to a legitimate site, but the address may use a variation in spelling or a different domain (.com vs. .edu).
  • Misspellings and grammatical errors can be a dead giveaway in phishing emails and subject lines.
  • If you are unsure whether a request is legitimate, contact the company directly. Do NOT use contact information provided in the request.
  • Don’t open attachments. They may contain viruses or malware that can infect your computer.
  • Protect your password. Information security and IT officials at both the university and UAB Hospital will never ask users for passwords or any other sensitive information.
  • Report suspicious activity. If you have any questions or you receive a suspicious email that you want to report, university employees and students can call the AskIT Help Desk at 205-996-5555. Hospital employees can call the HSIS Help Desk at 205-934-8888.
As part of the initiative to protect UAB's assets and inventory servers and workstations, UAB IT is making Microsoft SCCM available at no cost to all areas of campus.

Having all of the asset information on campus managed by a single system is critical to maintaining a secure computing environment. For those areas without any tools, UAB IT will work with you to implement SCCM on all systems; for those areas that already have SCCM implemented, we will work with you to integrate your instance with the enterprise; and for those who have implemented a different solution, we will work with you to import information to the Campus SCCM database on a regular basis.

A kickoff meeting for the initiative will be held at 2 p.m. Thursday, July 9, at the Finley Conference Center.

IT managers should contact UAB IT about who will represent their areas at the kickoff meeting.
Tuesday, 30 June 2015 10:58

Windows Server 2003 to reach end of life

UAB IT is actively working to migrate servers across campus that are using Microsoft Windows Server 2003, which will reach end of life after July 14, 2015, meaning it will be unsupported by Microsoft.

Servers that are not migrated could cause problems with compliance and compatibility as well as increase costs for maintaining aging hardware.

To facilitate this transition, the UAB Enterprise Information Security Office (EISO) is working with Windows Server 2003 system owners to ensure a plan is in place, and being carried out, to migrate or retire affected systems.

If your department has affected servers, you should hear from UAB IT staff soon. If you have questions or concerns, call (205) 975-0842 or email datasecurity@uab.edu.

You can request an exception by filling out the Exception Request Form and submitting to AskIT.
UAB and other universities have partnered with one of the premier information security training organizations, the SANS Institute, to offer a number of discounted training opportunities.

UAB departments can purchase online security training vouchers, to be used through SANS OnDemand or SANS vLive training programs, at a significant discount.

OnDemand provides student online courseware and recorded video training so that students can study and complete hands-on labs and quizzes at a convenient time. vLive is a live, online training option; classes typically meet two evenings per week for five or six weeks.

With both options, pricing can include a certification exam attempt for that particular course. Pricing for a SANS voucher is $2,330 for the course alone or $2,959 with a bundled GIAC certification exam.

UAB IT Enterprise Information Security will be placing an order with SANS on behalf of UAB on July 30.

Any organization that wants to be included in this summer's aggregate purchase should e-mail Enterprise Information Security before this date.

A wave of phishing e-mails using false messages about mailbox size has hit UAB, mainly targeting student accounts in an attempt to steal personal information.

The emails warn that recipients’ mailboxes are “almost full” or have reached “90% of your quote,” and urge recipients to click a link to re-validate their mailboxes. UAB will never direct users to a non-UAB web site for anything regarding email or concerning your password.
UAB IT is taking steps to block this phishing attempt, but students, faculty and staff should be on alert.

If you receive an email with a hidden link like “Click Here,” do the hover test. Hover your mouse over the link and look at the lower left pane to see where the link leads.

Look at the URL of the website you are visiting. In the case of this phish you are being redirected to www.didrihsons  .lv/wp-content/wps4/  and not uab.edu.

You should only enter your UAB credentials at UAB .edu web sites.

To report suspected spam to AskIT, please follow the instructions here.

Follow these additional tips to avoid being a phishing victim:

  • Do NOT click links in messages that ask you to log in. Type a trusted Web address in your browser or Google for the Web site if you don’t know the address.
  • Never type personal, sensitive information (such as passwords or account numbers) on Web sites without verifying the Web site’s authenticity and security — look for an “https” in the address bar.
  • Verify the address. Malicious web sites may look identical to a legitimate site, but the address may use a variation in spelling or a different domain (.com vs. .edu).
  • Misspellings and grammatical errors can be a dead giveaway in phishing emails and subject lines.
  • If you are unsure whether a request is legitimate, contact the company directly. Do NOT use contact information provided in the request.
  • Don’t open attachments. They may contain viruses or malware that can infect your computer.
  • Protect your password. Information security and IT officials at both the university and UAB Hospital will never ask users for passwords or any other sensitive information.
  • Report suspicious activity. If you have any questions or you receive a suspicious email that you want to report, university employees and students can call the AskIT Help Desk at 205-996-5555. Hospital employees can call the HSIS Help Desk at 205-934-8888.
Sunday, 31 May 2015 21:57

UAB students target of phone scam

Some UAB students have been targets of a phone scam in which malicious callers make threats about alleged debt, similar to scams seen at universities across the country.

According to UAB IT’s Information Security division, students need to know:

  • No law enforcement body will call them and threaten to arrest them over the phone.
  • The attackers can spoof the police station phone number so the call will look like it is coming from the police station.
  • UAB has not suffered a breach that resulted in this scam.

Tips:

  • Ask to call the “officer” back, take down their number and call the number back.
  • Ask them to meet you at the police station in question.
  • When in doubt, hang up and call the UAB Police Department at 205-934-4434.
  • Do NOT provide Social Security numbers, birth dates or any other personal information.
OpenSSL released a security advisory bulletin on Thursday, March 19, detailing multiple high and moderate severity vulnerabilities in the secure sockets layer library used in Linux and Unix based systems.

The security vulnerabilities have been addressed in the most recent version of OpenSSL and should be available from the standard update channels for Linux distributions at this time. UAB IT encourages all Linux and Unix systems administrators to take steps to update their systems during their planned update windows in upcoming weeks.

More information is available at:

https://openssl.org/  and

http://www.cyberciti.biz/faq/howto-openssl-security-update-cve20150291-cve20150204-cve20150290-cve20150207-cve20150286/