The Microsoft Outlook mobile app will be blocked from accessing UAB mailboxes as of noon Thursday, Feb. 26, 2015, because of security concerns. Individual users of the app will be notified.
UAB IT’s Enterprise Information Security team has determined that the Microsoft Outlook mobile app violates UAB’s Password/Passphrase Standard because it caches BlazerID passwords in a cloud service — posing a serious security risk.
UAB IT will be blocking the Microsoft Outlook mobile app from accessing UAB mailboxes, so you won’t be able to receive email through the app. The Outlook mobile app is essentially a rebranded app from a company called Acompli, which Microsoft purchased recently. Many universities and other entities are also taking the step to block the Outlook mobile app.
Native mail applications on iOS and Android are still safe for use.
If you use the app:
  • Discontinue using the Outlook mobile app and uninstall it from your device.
  • Change your BlazerID password.
  • Configure the standard mobile app for use with Exchange (employees) or Office 365 (students).

What does "caching in the cloud" mean?

The Outlook mobile app captures each user’s BlazerID and password and stores them in a cloud service. UAB has no contract with, nor a security assessment from, the service, so UAB IT has no way of guaranteeing the safety of those BlazerIDs and passwords.
UAB’s Password/Passphrase Standard states that applications should not cache BlazerID passwords/passphrases without an approved exception. An official copy of this standard can be found in the UAB Policies and Procedures Library and on the UAB IT Information Security website in the IT Related Policies and Guidelines page.
If you need help setting up a new mail app on your phone or mobile device, please contact AskIT@uab.edu or phone 205-996-5555.
February 16, 2015

Transport Layer Security

UAB’s information systems rely on encryption to protect data from interception. Certain configurations have proven insecure. The following guidance lists acceptable configurations for all services protected by Transport Layer Security (TLS) and for the sensitive information those services protect.
  • RSA key length: 2048 or 4096 bits (in accordance with FIPS 140-2 §4.7.3).
  • UAB has contracted with InCommon for TLS certificates for all of uab.edu. UAB systems using PKI should use these InCommon certificates. InCommon certificates can be ordered here.
  • Self-signed certificates are not recommended, nor is the use of other Certificate Authorities (CAs). If you need to use either, contact Enterprise Information Security with a request through AskIT.
  • Wildcard certificates should not be used. If you need a wildcard certificate, contact Enterprise Information Security through AskIT.
  • TLSv1.2 is modern and provides the safest encryption. The use of this protocol is strongly recommended.
  • TLSv1.0 and TLSv1.1 are acceptable. TLSv1.0 should be phased out as soon as possible.
  • SSLv2 and SSLv3 are not allowed for TLS encryption at UAB.
  • You must use FIPS 140-2 where required by compliance.
  • Use AES-256 or AES-128 for symmetric ciphers.
  • Use RSA-2048 or RSA-4096 for non-elliptic curve public key cryptography.
  • Use Diffie-Hellman Ephemeral (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) for key exchange with forward secrecy.
  • Use SHA-2 rather than MD5 or SHA-1 for signatures and similar uses.
  • Use ciphers that provide at least 128 bits of real security, or 3DES.
  • Order ciphers by highest strength first.
  • Export (low-strength) ciphers are not allowed.
  • Include ciphers that provide perfect forward secrecy (PFS).
  • Cipher ordering should prioritize confidentiality first and performance second.
  • Use Transport Layer Security only where it is required to protect information.
  • Web applications should not mix secure (HTTPS) and insecure (HTTP) content. Use the single mediation model.

Recommended configuration for Apache 2

Add these directives to the main port 443 server configuration and make sure no virtual host overrides them.

# SSLHonorCipherOrder is not a valid directive in Apache 2.0; use it only in 2.2 and 2.4. Anything older than Apache 2.0 should be disconnected from the network.

SSLHonorCipherOrder on

# HIGH is OpenSSL's class of suites with 128-bit or stronger keys (plus 3DES). A "!" entry removes a suite for good; it cannot be re-added later in the same string.

SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DSS:!ADH:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:!LOW

SSLProtocol all -SSLv2 -SSLv3

# Gives perfect forward secrecy, but odd behaviour was seen on www with this; may revisit once older browsers diminish in use. RC4 is excluded here as well, per the cipher guidance above.

#SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !RC4 !LOW"
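As an added example (not code from the UAB page), the following Python audit expands an SSLCipherSuite string with the OpenSSL library behind Python's ssl module, the same expansion mod_ssl performs, and checks every resulting suite against the guidance above: no RC4, single DES, NULL, anonymous or export suites; at least 128 bits of real security or 3DES; and ephemeral (DHE/ECDHE) suites ahead of static-RSA suites, because with SSLHonorCipherOrder on the server takes the first mutually supported suite. OpenSSL's default ordering sorts by key size first, so a plain HIGH list can place the static-RSA AES-256 suites ahead of the ECDHE AES-128 suites; the last field of the report shows exactly which suites are affected. The two strings audited follow the Apache example above, with RC4 excluded in both as the guidance requires.

```python
"""Audit an Apache SSLCipherSuite string against the TLS guidance above.

Added example, not code from the UAB page. The string is expanded with the
OpenSSL library behind Python's ssl module (the same expansion mod_ssl does),
each resulting suite is checked against the guidance, and the order is checked
so that, with SSLHonorCipherOrder on, forward-secrecy suites win.
"""
import re
import ssl

# The recommended string from the Apache example above.
RECOMMENDED = "HIGH:!aNULL:!eNULL:!EXPORT:!DSS:!ADH:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:!LOW"
# The forward-secrecy-first alternative, with RC4 excluded as the guidance requires.
FORWARD_SECRECY_FIRST = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
                         "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
                         "EECDH EDH+aRSA !aNULL !eNULL !RC4 !LOW")

# OpenSSL describes a suite on one line, e.g.
# "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD".
_FIELD = {name: re.compile(name + r"=([A-Za-z0-9]+)") for name in ("Kx", "Au", "Enc")}
_EPHEMERAL_KX = {"ECDH", "DH"}  # OpenSSL labels ECDHE and DHE suites Kx=ECDH and Kx=DH


def _field(name, description):
    match = _FIELD[name].search(description)
    return match.group(1).upper() if match else ""


def violations_for(cipher):
    """Guidance rules broken by one ssl.SSLContext.get_ciphers() entry (empty if clean)."""
    desc = cipher["description"]
    enc, au = _field("Enc", desc), _field("Au", desc)
    bad = []
    if enc.startswith("RC4"):
        bad.append("RC4 stream cipher")
    if enc == "DES":                         # single DES; triple DES prints as Enc=3DES
        bad.append("single DES")
    if enc == "NONE":
        bad.append("no encryption (eNULL)")
    if au == "NONE":
        bad.append("anonymous key exchange (aNULL)")
    if "export" in desc.lower():
        bad.append("export-grade suite")
    if cipher["strength_bits"] < 112:        # 128 bits, or 3DES which OpenSSL rates at 112
        bad.append(f"only {cipher['strength_bits']} bits of security")
    return bad


def expand(cipher_string):
    """Expand a cipher string into OpenSSL's ordered suite list (TLS 1.3 suites are always appended)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def ephemeral_suites_behind_static_rsa(ciphers):
    """DHE/ECDHE suites listed after a static-RSA suite; the server would prefer the RSA one."""
    seen_static_rsa, behind = False, []
    for cipher in ciphers:
        kx = _field("Kx", cipher["description"])
        if kx in _EPHEMERAL_KX:
            if seen_static_rsa:
                behind.append(cipher["name"])
        elif kx == "RSA":
            seen_static_rsa = True
    return behind


def audit(cipher_string):
    """Report for one cipher string: suite count, per-suite violations, ordering problems."""
    ciphers = expand(cipher_string)
    violations = {c["name"]: violations_for(c) for c in ciphers if violations_for(c)}
    return {
        "count": len(ciphers),
        "violations": violations,
        "ephemeral_behind_static_rsa": ephemeral_suites_behind_static_rsa(ciphers),
    }


if __name__ == "__main__":
    for label, string in (("recommended", RECOMMENDED),
                          ("forward-secrecy-first", FORWARD_SECRECY_FIRST)):
        report = audit(string)
        print(f"{label}: {report['count']} suites, violations: {report['violations']}, "
              f"ephemeral suites behind static RSA: {report['ephemeral_behind_static_rsa']}")
```

Run it with python3 to print both reports; `openssl ciphers -v '<string>'` shows the same expansion from the shell, which is useful for confirming that the OpenSSL linked into Apache agrees with the one behind Python.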

  • HIGH: Encryption suites with key lengths equal to or larger than 128 bits. Included in this definition is the 3DES (Triple DES (Data Encryption Standard)) encryption suite.
  • MEDIUM: Encryption suites with key lengths that are less than 128 bit but not included in those categorized as “export”. Does not include 3DES.
  • EXPORT and LOW: Encryption suites with key lengths of 64 bits or less: the export-grade 40- and 56-bit suites (EXPORT) and the 56- and 64-bit non-export suites (LOW).
  • Rivest, Shamir, and Adleman (RSA): RSA is one of the first practicable public-key cryptosystems and is widely used for secure data transmission.
  • Diffie-Hellman (DH): DH is a specific method of securely exchanging cryptographic keys and was the first specific example of public-key cryptography as originally conceptualized by Ralph Merkle.
  • Elliptic curve Diffie–Hellman (ECDH): An anonymous key agreement protocol that allows two parties, each having an elliptic curve public–private key pair, to establish a shared secret over an insecure channel.
  • Transport Layer Security (TLS): Cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key.
  • AES128, AES256, AES: A specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology in 2001. AES is based on the Rijndael cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process.  Implementations are available using 128 bit AES or 256 bit AES.
  • AESGCM: AES in Galois Counter Mode (GCM): These ciphersuites are only supported in TLS v1.2.
  • 3DES: Triple DES is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block.
  • DES: Once a predominant symmetric-key algorithm for the encryption of electronic data. It was highly influential in the advancement of modern cryptography in the academic world. Developed in the early 1970s at IBM and based on an earlier design by Horst Feistel. DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small.
  • RC4: A widely used software stream cipher, used in popular Internet protocols such as Transport Layer Security. While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure protocols such as WEP.
  • Pre-shared keys (PSK): Pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from shared secret, the key derivation function should be used. Such systems almost always use symmetric key cryptographic algorithms.
  • Certificate Authority (CA): A certificate authority or certification authority is an entity that issues digital certificates.
  • Secure Sockets Layer (SSL): A protocol developed by Netscape for transmitting private documents via the Internet. SSL version 3.0 was released in 1996. As of 2014, SSL 3.0 is considered insecure: it is vulnerable to the POODLE attack, which affects every CBC-mode block cipher in SSL 3.0, and RC4, the only stream cipher SSL 3.0 supports, is also feasibly broken as used in SSL 3.0.
December 19, 2014

Mathematica

Mathematica is a software package used for communicating scientific ideas in a variety of ways, whether this is visualization of a concept in an intro-level course, or creating a simulation of a new idea related to research. Mathematica is available for free to UAB faculty, staff and students, thanks to funding from the College of Arts and Sciences and the School of Engineering.

Campus machines

Follow the directions below to download software from Wolfram and request the appropriate activation key. If you do not have administrator access to your machine, please contact your IT support for assistance.
    1. Create an account (New users only):
      1. Go to user.wolfram.com and click "Create Account"
      2. Fill out form using a @uab.edu email, and click "Create Wolfram ID"
      3. Check your email and click the link to validate your Wolfram ID
    2. Request the download and key:
      1. Fill out this form to request an Activation Key
      2. Click the "Product Summary page" link to access your license
      3. Click "Get Downloads" and select "Download" next to your platform
      4. Run the installer on your machine, and enter Activation Key at prompt

Computer labs

  • Please contact your College IT representatives for specific installation information.
  • UAB College of Arts & Sciences, contact IT at: 205-975-4500, casit@uab.edu, www.uab.edu/casit

Faculty and staff personally-owned machines

Fill out this form to request a home-use license from Wolfram.

Student personally-owned machines

Follow the directions below to download from the Wolfram User Portal.
    1. Create an account (New users only):
      1. Go to user.wolfram.com and click "Create Account"
      2. Fill out form using a @uab.edu email, and click "Create Wolfram ID"
      3. Check your email and click the link to validate your Wolfram ID
    2. Request the download and key:
      1. Fill out this form to request an Activation Key
      2. Click the "Product Summary page" link to access your license
      3. Click "Get Downloads" and select "Download" next to your platform
      4. Run the installer on your machine, and enter Activation Key at prompt
Are you interested in putting Mathematica elsewhere? Please let IT or Troy Schaudt at Wolfram Research know.

The first two tutorials are excellent for new users, and can be assigned to students as homework to learn Mathematica outside of class time.
  • Follow along in Mathematica as you watch this multi-part screencast that teaches you the basics: how to create your first notebook, calculations, visualizations, interactive examples, and more.
  • Examples to help you get started with new functionality in Mathematica 10, including machine learning, computational geometry, geographic computation, and device connectivity.
  • Step-by-step instructions ranging from how to create animations to basic syntax information.
  • Search Wolfram's large collection of materials for example calculations or tutorials in your field of interest.

Mathematica offers an interactive classroom experience that helps students explore and grasp concepts, plus gives faculty the tools they need to easily create supporting course materials, assignments, and presentations.

Resources for Educators

  • Learn how to make your classroom dynamic with interactive models, explore computation and visualization capabilities in Mathematica that make it useful for teaching practically any subject at any level, and get best-practice suggestions for course integration.
  • Learn how to create a slideshow for class that shows a mixture of graphics, calculations, and nicely formatted text, with live calculations or animations.
  • Download pre-built, open-code examples from a daily-growing collection of interactive visualizations, spanning a remarkable range of topics.
  • Access on-demand and live courses on Mathematica, SystemModeler, and other Wolfram technologies.

Rather than requiring different toolkits for different jobs, Mathematica integrates the world's largest collection of algorithms, high-performance computing capabilities, and a powerful visualization engine in one coherent system, making it ideal for academic research in just about any discipline.

Resources for researchers

  • Explore Mathematica's high-level and multi-paradigm programming language, support for parallel computing and GPU architectures, built-in functionality for specialized application areas, and multiple publishing and deployment options for sharing your work.
  • Learn how to create programs that take advantage of multicore machines or available clusters.
  • Learn what areas of Mathematica are useful for specific fields.

In general, Mathematica is a high-level complete system, while MatLab is a low-level core with specialist toolboxes. Most engineering colleges at research universities maintain both products, including UAB. Because MatLab has separate toolboxes, each toolbox can only assume the functionality of the basic, core system; Mathematica is an all-in-one software which is interconnected nicely. For example, in Mathematica, purely numeric commands can perform symbolic pre-processing for richer and more accurate results, which is not possible in MatLab because of the design. This overall concept applies to the vast majority of Mathematica’s commands when compared to MatLab. Engineers and other groups on campus value the following functionality, which is unique to Mathematica:
  • Very sophisticated symbolic algorithms for closed-form solutions to problems
  • Much easier to create mouse-driven interfaces to visualize variations in equations or simulations,
  • The highest quality and most accurate graphics engine available for symbolic and numeric graphics,
  • Support for both machine precision and arbitrary precision,
  • Automatic switching between algorithms for best results,
  • Solves any order ODE (rather than only first-order in MatLab),
  • Integration for any n-dimensions (rather than only 3 in MatLab),
  • The included Wolfram Language supports procedural, functional, object-oriented, and rule-based programming styles, which makes the language easier to learn (rather than procedural only in MatLab),
  • Mathematica’s  high-level language requires less code to develop algorithms or ideas than MatLab
  • Text and equation typesetting document interface with slideshow mode (not available in MatLab),
  • Load-on-demand data sets to use in addition to importing a wide variety of types of data
  • IDE based on Eclipse, which researchers more commonly know and work with (rather than MatLab’s home-grown IDE).
  • Import of MatLab data sets supported for high-quality rendering of MatLab results in Mathematica

To learn more about Matlab and access it, click here.

For assistance with using the Mathematica software:
  • College of Arts and Sciences users can contact the CAS IT help desk by phone at 205-975-4500, by e-mail at casit@uab.edu or online at uab.edu/casit
  • School of Engineering users can contact Tommy Foley at 205-934-8477 or by e-mail at tfoley@uab.edu
  • All other schools/departments should contact Troy Schaudt, Wolfram Research Inc., at 800-965-3726, ext. 5588, or by e-mail at troys@wolfram.com

December 10, 2014

Terminal server for Macs

To use Internet Explorer on a Mac, you will need to have Microsoft Remote Desktop application installed.

Instructions for installing Microsoft Remote Desktop 8.0.25189 (Downloaded via Mac App Store)
October 28, 2014

IT Risk Bulletins

Each month, the chief information security officers for UA, UAB, UAB Medicine and UAHuntsville publish an electronic newsletter to help users avoid IT errors.

  • March 2015 | Issue No. 6
  • February 2015 | Issue No. 5
  • January 2015 | Issue No. 4
  • December 2014 | Issue No. 3
  • November 2014 | Issue No. 2
  • October 2014 | Issue No. 1

Key Performance Indicators

UAB IT has developed a set of Key Performance Indicators that report various statistics to help UAB IT better understand and improve on how we interact with customers and respond to their needs.

The KPI charts measure, for example, how tickets are submitted to AskIT, the kind of issues for which customers are seeking help, the length of time tickets are open and the scores from customer satisfaction surveys/feedback.

Setting goals, measuring the results, communicating to our customers and acting on these Key Performance Indicators are critical to UAB IT's becoming a more service-oriented organization.

KPI charts by month:

  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014

SSL certificates through InCommon

UAB IT has contracted with InCommon to provide Comodo SSL server certificates for the uab.edu domain.

Any UAB department using a certificate ending in uab.edu can use the service at no cost. UAB IT pays a yearly fee that covers all certificates.

For regular SSL server certificates, the server administrator can order them here.

For wildcard certificates and multiple-domain-name certificates, the server administrator should send a request to AskIT with all of the details and a valid CSR (Certificate Signing Request); the request will be routed through Data Security and the Unix team.
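As an added example (not UAB's code), the following Python script drives the openssl command-line tool, assumed to be installed, to produce a 2048-bit RSA key and a SHA-256 signed CSR for a server, then re-reads the CSR to confirm the key size, signature digest and common name before the CSR is attached to the AskIT request. The hostname and subject fields are placeholders, not a real UAB system; substitute the server's real name, and keep the .key file on the server.

```python
"""Generate and sanity-check a CSR for an InCommon certificate request.

Added example, not UAB's code. It drives the openssl command-line tool
(assumed to be installed and on PATH), creates a fresh 2048-bit RSA key and a
SHA-256 signed CSR, then re-reads the CSR to confirm key size, signature
digest and common name before the CSR is attached to the AskIT request.
The hostname and subject fields are placeholders for a real server's values.
"""
import re
import subprocess
import tempfile
from pathlib import Path

APPROVED_KEY_BITS = (2048, 4096)   # RSA sizes from the TLS guidance above


def make_csr(hostname, out_dir, key_bits=2048):
    """Write <hostname>.key and <hostname>.csr into out_dir and return both paths."""
    if key_bits not in APPROVED_KEY_BITS:
        raise ValueError(f"RSA key size {key_bits} is not 2048 or 4096")
    key_path = Path(out_dir) / f"{hostname}.key"
    csr_path = Path(out_dir) / f"{hostname}.csr"
    # Placeholder subject; use the department's real organizational details.
    subject = f"/C=US/ST=Alabama/L=Birmingham/O=University of Alabama at Birmingham/CN={hostname}"
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes", "-sha256",
         "-keyout", str(key_path), "-out", str(csr_path), "-subj", subject],
        check=True, capture_output=True)
    key_path.chmod(0o600)           # the private key stays on the server, readable only by its owner
    return key_path, csr_path


def inspect_csr(csr_path):
    """The fields worth checking before a CSR leaves the server."""
    text = subprocess.run(["openssl", "req", "-noout", "-text", "-in", str(csr_path)],
                          check=True, capture_output=True, text=True).stdout
    verify = subprocess.run(["openssl", "req", "-noout", "-verify", "-in", str(csr_path)],
                            capture_output=True, text=True)
    return {
        "signature_ok": verify.returncode == 0,
        "key_bits": int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1)),
        "digest": re.search(r"Signature Algorithm: (\S+)", text).group(1),
        "common_name": re.search(r"CN\s*=\s*([^,/\n]+)", text).group(1).strip(),
    }


def demo(hostname="example-host.uab.edu"):
    """Generate a CSR in a scratch directory and return its inspection report."""
    with tempfile.TemporaryDirectory() as scratch:
        _, csr_path = make_csr(hostname, scratch)
        return inspect_csr(csr_path)


if __name__ == "__main__":
    print(demo())
```

For a real request, call make_csr with the server's own hostname and a directory on that server, send only the .csr file with the AskIT request, and reject any report whose key size is not 2048 or 4096 or whose digest is not a SHA-2 variant.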

Office 365 for students

Microsoft Office 365, a new cloud-based platform for e-mail, file storage, and Microsoft Office applications (Word, PowerPoint, Excel), is now the standard e-mail service for students (effective May 2014). The new service provides students with the following benefits:

  • 50 GB of e-mail space, an increase of 49 GB from the current service
  • 25 GB of free file storage, an increase of 24 GB from the current service
  • Access to Microsoft Office applications from laptops, tablets, and other mobile devices
  • A single web interface to access all of the above features

Students who prefer to work offline will be able to download the Office applications and continue using their preferred e-mail clients.

We expect all students to be transitioned to the Office 365 service by June 30, 2014. For more information and how the transition will occur please visit our Office 365 for Students info page.