Security researchers have identified POODLE (“Padding Oracle On Downgraded Legacy Encryption”), a flaw in SSL version 3 (SSLv3), an old but still widely supported version of the protocol used to encrypt HTTP and other web traffic. Against any server that still accepts SSLv3, an attacker who can intercept the connection can force the client down to SSLv3 and then, by tampering with encrypted records and observing whether the server accepts them, decrypt secret content such as session cookies one byte at a time, potentially revealing passwords and other private information.
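To make the padding-oracle half of the attack concrete, here is an added simulation written for this page; it is not code from the POODLE researchers or from any SSL implementation. It assumes a MAC-then-encrypt CBC record layout like SSLv3's, uses a toy SHA-256 Feistel block cipher in place of AES or 3DES and HMAC-SHA1 in place of SSLv3's own MAC, and a constructed cookie value as the secret; the names browser_send, server_accepts and recover_byte are invented for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16     # cipher block size in bytes
MAC_LEN = 20   # HMAC-SHA1 tag length (stand-in for SSLv3's own MAC construction)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 4-round Feistel block cipher keyed with SHA-256. It stands in for AES/3DES so the
# example runs on the standard library alone; the attack does not depend on the cipher.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

# Constructed session state: fixed keys and a secret (a cookie) the "browser" sends every time.
ENC_KEY, MAC_KEY = os.urandom(16), os.urandom(16)
SECRET = b"session=7f3a9c21"

def sslv3_pad(data: bytes) -> bytes:
    """SSLv3 padding: fill to a block boundary; the last byte is the count of filler bytes.
    The filler bytes themselves are never checked by the receiver: that is the POODLE flaw."""
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + os.urandom(n) + bytes([n])

def browser_send(prefix: bytes, suffix: bytes) -> bytes:
    """Client side: MAC-then-encrypt (CBC) of attacker-chosen prefix + SECRET + suffix."""
    body = prefix + SECRET + suffix
    tag = hmac.new(MAC_KEY, body, hashlib.sha1).digest()
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(ENC_KEY, iv, sslv3_pad(body + tag))

def server_accepts(record: bytes) -> bool:
    """Server side: decrypt, strip padding by its length byte only, then verify the MAC."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    if len(ct) % BLOCK:
        return False
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    n = pt[-1]
    if n >= BLOCK or n + 1 + MAC_LEN > len(pt):
        return False
    body, tag = pt[:-(n + 1 + MAC_LEN)], pt[-(n + 1 + MAC_LEN):-(n + 1)]
    return hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha1).digest(), tag)

def recover_byte(k: int) -> tuple:
    """Attacker side: recover SECRET[k]; returns (byte value, requests needed)."""
    # Pick the prefix so SECRET[k] is the LAST byte of some ciphertext block C_i, and the
    # suffix so body+MAC fills whole blocks, which makes the final block pure padding.
    prefix_len = (BLOCK - 1 - k) % BLOCK
    suffix_len = (-(prefix_len + len(SECRET) + MAC_LEN)) % BLOCK
    i = (prefix_len + k) // BLOCK
    for attempt in range(1, 200_000):
        rec = browser_send(b"A" * prefix_len, b"B" * suffix_len)
        blocks = [rec[j:j + BLOCK] for j in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
        c_i, c_i_prev, c_last_prev = blocks[i + 1], blocks[i], blocks[-2]
        # Swap the padding block for C_i. It decrypts to D(C_i) XOR C_{n-1}; the server
        # accepts only if that block's last byte is 15, which happens about 1 time in 256
        # because the IV, and so every ciphertext block, changes with each request.
        if server_accepts(b"".join(blocks[:-1]) + c_i):
            # Accepted => D(C_i)[15] == 15 ^ C_{n-1}[15], and P_i[15] == D(C_i)[15] ^ C_{i-1}[15]
            return (BLOCK - 1) ^ c_last_prev[-1] ^ c_i_prev[-1], attempt
    raise RuntimeError("oracle never accepted")

def recover_secret() -> bytes:
    return bytes(recover_byte(k)[0] for k in range(len(SECRET)))

if __name__ == "__main__":
    got = recover_secret()
    print(got, "matches" if got == SECRET else "mismatch")
```

Each recovered byte costs about 256 requests, which is why the real attack needs the victim's browser to be coaxed (for example by attacker-controlled JavaScript on an HTTP page) into sending the same request over and over with attacker-chosen lengths. TLS 1.0 and later are not affected because they define and check every padding byte, so a substituted block is rejected regardless of its last byte.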
Web browsers will be updated over the next few weeks to disable SSLv3 on the client (browser) side, which closes the POODLE vulnerability for that browser. If you use an older computer, make sure you are running a current browser such as Firefox 33, Chrome 38, Safari 7, or Internet Explorer 10 or 11. Most browsers also have platform-specific settings for turning SSLv3 off now, for those who do not want to wait. Most users can simply ensure that automatic browser updates are turned on and wait for the official update.
The safest and simplest solution is to disable SSLv3 in all software and use the more recent protocol versions instead: TLS 1.0, 1.1, or 1.2. (Confusingly, the successors to SSL are named TLS, for Transport Layer Security, and their numbering restarted at 1.0, so SSLv3 is older than TLS 1.0. TLS 1.2 is the most recent version of SSL/TLS.)
Server administrators should disable SSLv3 immediately. Enabling the TLS versions while leaving SSLv3 on is not enough: an attacker on the network can interfere with the TLS handshake until the client retries with SSLv3 (a protocol downgrade attack), and the server will then accept it. Disabling SSLv3 may break very old client software; most notably, Internet Explorer 6 will no longer be able to connect over SSL. Protocol configuration is platform-specific, so refer to your vendor's official documentation for instructions. Some unofficial guides and ways of checking your server are listed in the references below.
Clients other than browsers, such as web-service consumers and scripts that call HTTPS APIs, may also need reconfiguration to negotiate TLS rather than SSLv3. Administrators and developers responsible for non-browser clients should check the documentation for their software.
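As an added example, not from this page or any vendor, here is a small Python probe that sends a raw SSLv3 ClientHello to a server and reports whether it answers with an SSLv3 ServerHello, an alert, or nothing. It assumes a reachable host and port; the sample_server_hello helper builds constructed responses for offline checking only, and the function names are invented for this example.

```python
import os
import socket

def build_sslv3_client_hello() -> bytes:
    """A minimal SSLv3 ClientHello record: version 3.0, no extensions, a few legacy suites."""
    suites = b"\x00\x2f\x00\x35\x00\x0a\x00\x05\x00\x04"  # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA, RC4-MD5
    body = (b"\x03\x00"                                  # client_version = SSL 3.0
            + os.urandom(32)                             # client random
            + b"\x00"                                    # empty session_id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x00" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake

def classify_response(data: bytes) -> str:
    """Interpret the first record the server sends back (or the absence of one)."""
    if len(data) < 5:
        return "refused: connection closed without a record"
    ctype = data[0]
    if ctype == 0x15 and len(data) >= 7:                           # alert record
        # description 40 = handshake_failure, 70 = protocol_version
        return f"refused: alert level={data[5]} description={data[6]}"
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:      # handshake / server_hello
        version = data[9:11]
        if version == b"\x03\x00":
            return "VULNERABLE: server negotiated SSLv3"
        return f"server answered with version {version.hex()} instead of SSLv3"
    return "unrecognised response"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)

def sample_server_hello(version: bytes) -> bytes:
    """Constructed ServerHello record for offline testing; not a real capture."""
    body = version + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"   # version, random, no session, AES128-SHA, null
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A raw probe is used here because `openssl s_client -connect host:443 -ssl3` only works when the local OpenSSL was built with SSLv3 support, which many current builds leave out; where it is available, a line reading `Protocol : SSLv3` in its output means the server accepted the downgrade. Servers that refuse SSLv3 may either send a protocol_version or handshake_failure alert or simply drop the connection, and the probe reports both as refused. After disabling SSLv3 (for Apache httpd's mod_ssl, `SSLProtocol all -SSLv2 -SSLv3`; for nginx, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`), rerun the probe to confirm refusal and make an ordinary TLS connection to confirm the site still works.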
This guidance is for members of the UAB campus community who wish to use cloud applications and services available on the Web, including file storage, Web conferencing and content hosting.
While recognizing that cloud services can fill a need in certain areas, UAB IT reminds all UAB employees to use appropriate due diligence when entering into agreements, especially with cloud providers. UAB employees should not store sensitive/restricted information in a cloud service without University-approved agreements in place.
UAB employees cannot subscribe to cloud services to store sensitive or classified data (see UAB Data Protection and Security Policy for what UAB defines as sensitive data) without an appropriate agreement directly with UAB — and employees cannot be reimbursed for such cloud subscriptions without an affirming statement that the data stored is not sensitive.
“We want to make people aware of how risky it is to use such sites for sensitive data,” said David Yother, director of enterprise technology services for UAB IT. “The safest method is to keep it here at UAB, unless a specific business reason exists and appropriate management approvals have been received.”
Over the coming months, additional information will be released, including guidelines for specific cloud services.
More information about the cloud guidance can be found here.
UAB Hospital employees should refer to guidance from HSIS with regard to using cloud services.
When in doubt, remember staysafeonline.org’s motto: STOP. THINK. CONNECT.
STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s.
CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.
Cybersecurity is a daily issue that will affect the rest of your life. Therefore, every individual should place the cybersecurity motto “STOP. THINK. CONNECT.” at the same level of importance as “Stop, drop and roll” and “Look both ways before crossing.”
This year, the UAB Enterprise Information Security department will focus on the campus community through classroom and homecoming event presence. The classroom presence involves an intuitive presentation to the CAS 112 – Success in College class. The CAS 112 course prepares students for a successful collegiate career in any field of study.
The UAB Enterprise Information Security department’s homecoming presence will be at a booth in the Occupational Health and Safety Vendor Fair from 11 a.m. to 2 p.m. on Friday, Oct. 10. The OHS Vendor Fair will be located between Rast Hall and the Campus Green. Come and visit our booth so that we can chat about cyber security. You will leave our booth with more cyber security awareness knowledge — and a few treats.
Additional cyber security resources:
National Cyber Security Alliance
Physical security tips
The AskIT help desk will now be open from 7 a.m. to 9 p.m. Monday through Friday; from 9 a.m. to 6 p.m. Saturdays; and from 1 to 6 p.m. on Sundays. The change goes into effect Monday, Oct. 5.
AskIT professionals offer support for all of UAB’s central applications and services, as well as enhanced support for Desktop customers.
Help desk professionals are also available for walk-up support at the Center for Teaching and Learning (ETS 238, Education Building) from 8 a.m. to 8:30 p.m. Monday through Friday; from 10 a.m. to 5:30 p.m. Saturdays; and from 1 to 5:30 p.m. on Sundays.
You can live chat with a professional from 8 a.m. to 5 p.m. Monday through Friday by clicking on the “Live Chat” button at uab.edu/askit.
You can also submit a ticket at any time by clicking on the “Submit a Ticket” button at uab.edu/askit.