UAB IT Provides Critical Guidance to Campus on Appropriate Versions of Internet Explorer, Mac OS, and Java to Mitigate Risks of Exploitation
UAB IT recomends that all campus users continue to stay at Java release 1.7.0_45. The recent _51 release of Java is being tested for compatitiblity, but at this time known issues prevent IT from recommending the upgrade to _51. More info will be released as soon as it is available.
Recent security vulnerabilities identified in the Java software used by many browsers for accessing Internet and internal web sites requires that systems be kept up to date with the latest approved Java version. The U.S. Department of Homeland Security recommended that all web users disable or remove Java to mitigate the risks. However, as many UAB systems require Java, UAB IT is providing guidance to the UAB Campus that will both protect the university and will provide the ability to continue accessing the required UAB systems. Part of that guidance includes using separate browsers for accessing UAB vs. non-UAB websites, and using certain browser versions and Java versions.
• On Windows 7 Install IE 10 and Java 1.7.0_45
• On Windows XP install IE 8 and Java 1.7.0_45
UAB IT has updated the minimum recommendations for versions of Internet Explorer and Java as UAB systems have improved functionality to support newer browsers and the currently secure version of Java. Internet Explorer 10 and Java 1.7.0_45 are recommended for installation on Windows 7 and IE 8 with Java 1.7.0_45 on existing XP systems. UAB IT also recommends using a separate browser with JAVA disabled for Internet use. Use IE for on campus with Java enabled and your choice of Firefox or Chrome for Internet browsing with JAVA disabled (for information on disabling Java click here).
• Install OSX 10.9 and Java 1.7.0_45
UAB IT has updated the minimum recommendations for versions of Mac Operating systems and Java as UAB systems have improved functionality that are compatible with the current version of Java. The recommended operating systems for use on Campus are Apple OSX 10.7x and 10.8x. While Apple OSX 10.6x is still supported by Apple, vendors are no longer testing against it for compatibility. Apple operating systems will not run any version lower than Java 1.7.0_45.
UAB IT also recommends using two different browsers — one for surfing the Web and one just for accessing UAB systems. For Internet Web browsing, use one of the following: Firefox Safari, or Chrome, with Java disabled (for information on disabling Java click here). For working with just UAB systems, choose a different browser and enable Java to work in it. If you run into compatibility issues with the local browser and UAB IT systems, use the IT terminal servers to access UAB resources via RDP client (for information on using IT terminal servers on Mac click here).
For more information, contact AskIT (www.uab.edu/askit).
The basics of this standard include:
- minimum/maximum length requirements for BlazerID passwords/passphrases
- password/passphrase expiration intervals
- restrictions on reusing the same password/passphrase for the six previous intervals
- password/passphrase complexity requirements
- system logging of failed attempts to log on
- disabling of unused accounts after a specific interval of non-use
- requirements for credential encryption while in transit
- several other recommendations
An official copy of this standard can be found in the UAB Policies and Procedures Library and on the UAB IT Information Security website in the IT Related Policies and Guidelines page.
About the scam:
Support Desk Scams are perpetrated through a phone call. Typically, the scammer will have a thick foreign accent and claim to be from some company’s (e.g. Microsoft, Apple) Support Services in the Technical Department. The scammer will tell you something along the lines of “Your computer is seriously infected and has been causing a lot of trouble on the internet” or that “Your machine is at serious risk for infection”. Some scammers even offer you the opportunity to verify their ID by typing a specific command into your computer but this is not a legitimate method of verification. Once the scam caller feels they have your trust, they will ask you to take one of the following actions:
- visit a website that will allow them complete access to your machine
- download something they claim will help but is actually a virus
- purchase an item that will protect your machine but will do more harm than good and require you provide them will personal information.
What you should look for and know:
- Microsoft will never call you and say you’re machine is at risk/compromised or that you have been causing problems on the internet.
- Always ask for a call back number and say you’ll call them back. Google the phone number they give you. It is likely someone else has posted complaints about scammer online.
- Never purchase and/or download something blindly from the internet based on the suggestion of an untrusted source.
- Never give anyone access to your machine that you do not know and explicitly trust.
The recent spam email messages are crafted to look like they came from one of several legitimate companies such as Chase Bank, the Better Business Bureau (BBB), Department of Treasury, Dun & Bradstreet Financial Services or a wire transfer company. You should be aware that these emails are forged and that none of the information included in the email can be trusted including embedded links, e-mail addresses or phone numbers.
Here are some of the common email subject lines we have seen in this spam campaign:
• FW: Company 2013 Report
• Incoming Wire Transfer Notification
• D&B iUpdate: Company Order Requested
• Department of Treasury Notice of Outstanding Obligation – Case ######
• Better Business Bureau Complaint Case #######
• Merchant Billing Statement
• ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)Tweet