Effective January 1, 2014, UAB has a new password/passphrase standard for all active BlazerID users. This standard supports the Data Protection and Security Policy and is designed to improve the overall security posture on campus. This standard applies to all users and systems at UAB that use a BlazerID.

The basics of this standard include:

  • minimum/maximum length requirements for BlazerID passwords/passphrases
  • password/passphrase expiration intervals
  • restrictions on reusing the same password/passphrase for the six previous intervals
  • password/passphrase complexity requirements
  • system logging of failed attempts to log on
  • disabling of unused accounts after a specific interval of non-use
  • requirements for credential encryption while in transit
  • several other recommendations

An official copy of this standard can be found in the UAB Policies and Procedures Library and on the IT Related Policies and Guidelines page of the UAB IT Information Security website.

Questions on this standard and its implementation should be directed to AskIT at (205) 996-5555 or to the Enterprise Information Security line at (205) 975-0842.



May 9, 2013

Purpose

Computer systems running vendor-unsupported or end-of-life operating systems are potential security threats to the UAB campus network. Vendors do not provide security patches for unsupported systems, and these unpatched systems can be exploited by attackers. Such exploitation can result in disrupted experiments, corrupted research data and/or completely compromised systems. UAB IT reserves the right to disconnect these computers from the campus network to mitigate this data breach risk (see UAB’s Acceptable Use of Computer and Network Resources policy). UAB system administrators are responsible for maintaining the security of all information systems, per the campus Data Protection and Security Policy, which includes updating applications and operating systems.

Windows XP will not be supported after April 2014. Windows versions prior to Windows XP and any version of Mac OS X prior to version 10.6 should be considered unsupported.


Scope

The information in this guidance statement applies to all constituents internal to UAB.

Guidance

We recommend that systems running legacy, unsupported operating systems not be used. They should be disconnected from the network because of the significant security risk to the university’s network and environment. If the device is critical and cannot be turned off or disconnected, the device should be physically isolated from the university network. If disconnection and/or isolation are not possible, then an exemption and risk acceptance form will need to be completed, signed by the appropriate dean or vice president, and filed with Enterprise Information Security.

Unsupported legacy operating systems:

Windows Family

  • Windows 95/98/ME
  • Windows 2000
  • Windows 2003
  • Windows XP after April 8, 2014

Mac OS X Family

  • Mac OS 9.x
  • OS X 10.5 (Leopard)
  • OS X 10.4 (Tiger)
  • OS X 10.3 (Panther)
  • OS X 10.2 (Jaguar)

Linux Distributions

  • Ubuntu 11.10 after May 9, 2013
  • Ubuntu 11.04 and prior
  • Ubuntu 10.04.4 LTS
  • Debian 5.0 (lenny)
  • Debian 4.0 (etch)
  • Debian 3.1 (sarge)
  • Debian 3.0 (woody)

Other Unix OS

  • AIX prior to 6.1
  • Solaris prior to 9 (SunOS 5.9)

Questions can be directed to Enterprise Information Security by calling (205) 975-0842.






UAB Information Security recently discovered a new spam campaign where users are tricked into opening an email attachment that contains a virus aimed at stealing passwords and financial information. As with any suspicious email messages you may receive, please report them for inspection.

The recent spam email messages are crafted to look like they came from one of several legitimate companies such as Chase Bank, the Better Business Bureau (BBB), Department of Treasury, Dun & Bradstreet Financial Services or a wire transfer company. You should be aware that these emails are forged and that none of the information included in the email can be trusted, including embedded links, e-mail addresses or phone numbers.

Here are some of the common email subject lines we have seen in this spam campaign:

•  FW: Company 2013 Report

•  Incoming Wire Transfer Notification

•  D&B iUpdate: Company Order Requested

•  Department of Treasury Notice of Outstanding Obligation – Case ######

•  Better Business Bureau Complaint Case #######

•  Merchant Billing Statement

•  ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)

Windows 8 is not recommended for campus use at this time. However, if you have to support a Windows 8 portable device, it must be encrypted. At this time, BitLocker is available to accomplish this task on all Windows 8 portable devices that have a TPM chip and do not run on an ARM platform (such as a Windows 8 RT tablet). Windows 8 devices that run on an ARM platform or those that do not have TPM chips should not be used.

UAB Policy requires all laptop/portable devices owned by UAB or UAB businesses and all personal laptop/portable devices used for UAB business be encrypted. PGP, UAB’s current encryption tool, does not work on Windows 8 and Symantec has not yet set a support date for Windows 8.

BitLocker is an acceptable alternative to encrypt Windows 8 system drives in some circumstances. In the past, BitLocker has been recommended when PGP was incompatible with Windows 7 or specific BIOS versions. Systems that are currently encrypted with PGP should remain encrypted via PGP. UAB IT is currently researching BitLocker key management solutions and will issue further guidance as available, but in the meantime, BitLocker should be installed using the non-enterprise setup method below.

Non-Enterprise BitLocker Setup

Recommendations for using BitLocker

    • A password set on the system BIOS
    • TPM chip in the device
    • You must take ownership of the TPM chip
    • Before updating the BIOS, BitLocker must be suspended
    • Escrow the key in some manner
    • Professional/enterprise version of Windows
    • Use a TPM + PIN authentication method
    • System must be formatted NTFS with two volumes

 Escrowing the key

With Windows 8, you may escrow the key in one of the following ways:

  • Save the recovery key to a USB flash drive
    This method saves the recovery key to a USB flash drive. This option cannot be used with removable drives.
  • Save the recovery key to a file
    This method saves the recovery key to a network drive or other location.
  • Print the recovery key
    This method prints the recovery key, but it is not recommended.

It will be up to the department to maintain the escrow recovery keys.

Installation instructions can be found here
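
An added example (not part of the original UAB instructions): a PowerShell audit that checks one machine against those recommendations above that can be read from the operating system, namely Windows edition, TPM presence and ownership, NTFS, a TPM + PIN protector, and an escrowed recovery key. The escrow share path, and the convention that each escrowed key file carries the key protector ID in its file name, are assumptions made for illustration.

```powershell
# Added example: audit one machine against the BitLocker recommendations above.
# Run from an elevated PowerShell prompt on Windows 8 or later.
param(
    [string]$MountPoint = 'C:',
    # Assumption: placeholder path for the department's escrow location.
    [string]$EscrowDir  = '\\fileserver.example\bitlocker-escrow'
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# Professional/enterprise version of Windows
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Pro|Enterprise') {
    $findings.Add("Edition '$($os.Caption)' is not Professional/Enterprise")
}

# TPM chip in the device, with ownership taken
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    $findings.Add('No TPM chip detected')
} elseif (-not $tpm.TpmOwned) {
    $findings.Add('TPM is present but ownership has not been taken')
}

# System drive formatted NTFS
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$MountPoint'"
if ($disk.FileSystem -ne 'NTFS') {
    $findings.Add("$MountPoint file system is '$($disk.FileSystem)', not NTFS")
}

# BitLocker on, with TPM + PIN and a recovery password that can be escrowed
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$protectors = @($vol.KeyProtector)
$types = @($protectors | ForEach-Object { "$($_.KeyProtectorType)" })
if ("$($vol.ProtectionStatus)" -ne 'On') {
    $findings.Add("BitLocker protection is not on for $MountPoint")
}
if ($types -notcontains 'TpmPin') {
    $findings.Add("No TPM + PIN protector (found: $($types -join ', '))")
}
$recovery = @($protectors | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    $findings.Add('No recovery password protector exists, so nothing can be escrowed')
}

# Escrow check. Assumption: each escrowed key file carries the protector ID in
# its name. Only the ID is compared; the recovery password itself is never read.
foreach ($p in $recovery) {
    $id = $p.KeyProtectorId.Trim('{}')
    $hit = Get-ChildItem -Path $EscrowDir -Filter "*$id*" -ErrorAction SilentlyContinue
    if (-not $hit) {
        $findings.Add("Recovery key $id was not found under $EscrowDir")
    }
}

if ($findings.Count -eq 0) {
    "PASS: $env:COMPUTERNAME meets the checked recommendations"
} else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

The BIOS password and the suspension of BitLocker before a BIOS update cannot be read this way and still need a manual check.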

Published in FAQ - Infrastructure
January 31, 2013

IT Security Newsletters

Monthly Training Newsletters

UAB IT is now providing information security training materials to inform university faculty, staff and students about computer threats. Each month a newsletter will be released focusing on new and different cyber security threats. More specific training options that can increase the protection of your information systems are available on request.

As part of the University's contract review process, UAB IT is responsible for reviewing any University contract that includes an IT or IT-related component prior to such contract being executed. The information and sample addendum below provide details on how to ensure that your IT-related contract can be routed for execution in a timely manner. Questions on the process or requirements should be directed to UAB IT.
 
What constitutes an IT related contract or agreement? (see note below about renewals)
 
  • Contracts* for software, subscriptions, or services (including software maintenance) that include  
    • Hosting/processing/transmission of UAB data external to UAB
    • PCI (Payment Card Industry) acceptance/processing of credit card transactions
    • Design, creation, maintenance, support, and/or hosting of any website/webpage
    • Personally identifiable information (PII) or personal health information (PHI) - does not include Health System Agreements which are managed by HSIS
    • Audit language
    • Custom software development
    • Hardware purchase with embedded software with any of the above
  • *NOTE: For agreements that include the type of information listed above, documents/agreements must be executable, meaning they have signature lines for both UAB and the vendor.  Printing a 'click-agreement' or printing language from a website and submitting as an 'agreement' for review does not guarantee that the vendor will ever see changes/addendums that UAB may make or add to the agreement. 


What can I provide my vendor in advance so they are aware of the contract requirements?

  • For most agreements the following two addendums will be added during the routing process.  You can provide those addendums to your vendor in advance for their review and acceptance/signature prior to routing at UAB and include them in the routing packet.  
    • The general UAB Addendum (found on the Financial Affairs contract website) which covers information related to State, University, and Legal issues/clarifications.  Any changes to the UAB addendum must be approved by University Contracts.
    • The UAB Information Technology Addendum which covers additional confidentiality, information security, and liability language to mitigate any issues related to the items/concerns above. Portions of the IT Addendum may be applicable to only certain agreements and that applicability is detailed in the various sections of the addendum.  Any changes to the IT addendum must be reviewed and approved by UAB IT. 
  • For agreements that include HIPAA (health related information) a Business Associate Agreement (BAA) may also be required. For information related to the BAA see the UAB HIPAA website

 

What do I need to ensure is included in my routing packet to UAB Contracts?
 
In addition to the requirements shown on the Financial Affairs contract review process website the following items are needed to ensure a timely review:
  • For RENEWAL agreements*: please ensure that a copy of the original, underlying, governing agreement that was previously executed between UAB and the vendor is included with the routing packet, including any subsequent addendums.  If that original agreement included the IT Addendum and UAB Addendum, no additional language may be necessary as long as the renewal document references the original agreement and not a new document. If the original agreement did not include the IT Addendum, please have it reviewed/executed by your vendor and attach to the renewal agreement when routing.
  • For NEW agreements:* please ensure that a copy of the full, underlying, governing agreement (license, EULA, professional services, etc) and any documents referenced in such agreement such as separate maintenance, support, privacy, statement of work, etc. are included with the routing packet.  Submission of an order form, quote, schedule, etc. without the full underlying terms/conditions document will cause delays in the review process as those documents will be requested before the review can be completed. In addition, please have your vendor review/execute the UAB Addendum and UAB IT Addendums and attach them to the new agreement when routing. 

*NOTE: For agreements that include the type of information listed above, documents/agreements must be executable, meaning they have signature lines for both UAB and the vendor.  Printing a 'click-agreement' or printing language from a website and submitting as an 'agreement' for review does not guarantee that the vendor will ever see changes/addendums that UAB may make or add to the agreement. 

 

Link to UAB IT Addendum

Links to other IT Related Agreements

1. Overview

The IT Administrator's view of Secunia is via the "Secunia CSI" Console.   There are two subcomponents available.  

  • Deploying Secunia CSI Agents (Scan systems for software vulnerabilities)
  • Deploying Secunia PSI Agents (Scan systems for software vulnerabilities, provide some automatic patching and give reporting to end user).

1.1 Notes

  • UAB has a site license (currently through Fall 2013) for this software, though there are license counts associated with the software and administrator accounts.
  • Secunia PSI can only have 1 linkID per reporting subaccount!
  • Secunia PSI can be configured to report to a CSI instance or be standalone. Personally owned devices should generally use the non-reporting PSI.
  • UAB IT's initial deployment does not include pushing patches via WSUS. How to accomplish this on top of our existing WSUS processes and coming Forefront-based processes is being examined.

2. PSI Usage

If you are only worried about one or two systems (like a workstation), use the end-user install of Secunia PSI.

3. CSI Usage

Full documentation is available at http://secunia.com/vulnerability_scanning/corporate

  • Establishing Subaccounts. Each subaccount is a unique set of reporting views and licensing counts. Accounts can either be subordinate or they can be a "shadow" of an existing account.
  • Reporting (ad hoc or scheduled email). Several reports are available, including static URLs that you can include in existing webpages as a dashboard for system status.
  • Integration with Secunia PSI.
  • Patch deployment integration with WSUS or SCCM. This requires your own WSUS infrastructure. UAB IT is currently examining how to offer third-party patches beyond Microsoft.

3.1 Getting Started with CSI

  1. Request an account. Please indicate an approximate number of systems and other administrators you will need.
  2. You will receive an email with your account username and password from Secunia.
  3. Download and install the CSI Management console from http://secunia.com/vulnerability_scanning/corporate
  4. Log in to the CSI Console with your assigned username and password. You can change your password at any time.

3.2 Downloading CSI Agent

Please note that a csia.exe download is bound to an account.  If you end up with multiple accounts, please make sure to keep your csia.exe unique.

  1. Go to Scan > Scheduled Scanning > Download Agent; There is also a manual available on this screen.
  2. Choose an installation methodology. At the end of this document is an example script that runs csia.exe with the part of the hostname before the first dash as the "group".

3.3 Downloading a Linked PSI Agent

PSI agents are nice for situations where end users take some responsibility for the software they install and keep up to date.   Please refer to end-user documentation for dealing with some of the caveats associated with PSI, especially with Java.

  1. Go to Scan > PSI Integration > Download Custom PSI
  2. Create a unique LinkID for your area. This cannot be changed.
  3. Save the custom installer as PSISetup!.exe; The name of the installer should not be changed.

3.4 Creating a shadow account

This is an account with the same reporting scope as an existing account.

  1. Navigate to User Management > Shadow Accounts
  2. Click New Shadow Account
    • Name: Real Name
    • UserName: (email address)
    • Email: (email address)
    • Click "Generate Password"
    • Select the level of access they need to have to your main account
      • Read/Write (Can make changes/delete hosts/regroup systems)
      • Read (Can view reports/system status)

3.5 Creating a subaccount

This is an account with a new reporting scope.  This will not roll up into your main set of reports.  This is useful for delegated responsibility situations such as labs.  If you want someone else to have the same rights as you, create a shadow account!

  1. Navigate to User Management > Accounts
  2. Click New Account
    • Name: Real Name
    • UserName: (email address)
    • Email: (email address)
    • Click "Generate Password"

4. Secunia CSI Login Scripts

This script is suitable for being used as a login script or as a scheduled task.   Please share any suggested changes to this script.

'==========================================================================
'
' NAME: runsecunia.vbs
'
' AUTHOR: Chris Green
' AUTHOR: Aaron Blum
' DATE  : 2/2/2011
' DATE  : 5/1/2012 (updated)
'
' COMMENT:
'
'  Runs the Secunia csia agent (different visibility scopes per user) and
'    sets the site to the active OU
'
' CHANGES:
'     5/1/2012 - Updated Script to work with Secunia 5.0 Agent
'     2/2/2011 - Made csia execute in background.
'
' This default configuration assumes that the csia.exe file is
'   in the "C:\Secunia\" folder and that logs are to be placed
'   in the "C:\Secunia\logs" folder.
'
' It also configures the agent to check in every two days.
'  This can be modified by adjusting the value after the -i in secuniaCmd
'
' Change these values where needed.
'
'==========================================================================
' SEC (AKA Chris Green) Login Script

'On Error Resume Next

'' Full path to CSI program
''Const CsiaPath = "%ProgramFiles%\Secunia\csia.exe"
Const CsiaPath = "C:\Secunia\csia.exe"
'' Output log directory; the log will be username.sec
''Const LogPath = "%ProgramFiles%\Secunia\logs\"
Const LogPath = "C:\Secunia\logs\"
'' Run in foreground?
Const bInteractive = False

Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Overwrite the last instance of the logs (2 = ForWriting, True = create)
Dim objLogPath, ouGuess, idxDash, secuniaCmd
objLogPath = LogPath & objNetwork.UserName & ".sec"
Set objLog = objFSO.OpenTextFile(objLogPath, 2, True)

TimeStamp = Year(Now) & "-" & Month(Now) & "-" & Day(Now) & "-" & Hour(Now) & Minute(Now)

' Default group name; replaced by the part of the computer name before
' the first dash when the name contains one
ouGuess = "ADLogonScript"
idxDash = InStr(1, objNetwork.ComputerName, "-", 1) - 1

If idxDash > 0 Then
    ouGuess = Mid(objNetwork.ComputerName, 1, idxDash)
End If

objLog.WriteLine("[*] Secunia " & objNetwork.UserName & "@" & objNetwork.ComputerName & " on " & Now)

secuniaCmd = CsiaPath & " -i 2D -L -g " & ouGuess & " -v --skipwait -d " & LogPath & TimeStamp & "_csia.log"
objLog.WriteLine("[*] Secunia Executing with " & secuniaCmd)

If bInteractive Then
    Set oExec = objShell.Exec(secuniaCmd)

    ' Wait for the scan to complete, copying its output to the log
    Do While Not oExec.StdOut.AtEndOfStream
        strText = oExec.StdOut.ReadLine()
        objLog.WriteLine(strText)
    Loop

    objLog.WriteLine("[*] Secunia Exited with " & oExec.Status & " on " & objNetwork.UserName & "@" & objNetwork.ComputerName & " on " & Now)
    objLog.Close
Else
    '' Close the output file, hide csia in the background
    objLog.Close
    ' Window style 0 = hidden (vbHide is not a predefined VBScript constant).
    ' The log path is quoted so that user names containing spaces do not
    ' break the redirect.
    objShell.Run "cmd /c " & secuniaCmd & " >> """ & objLogPath & """", 0, False
End If

UAB & National Cybersecurity Awareness Month 2012

During National Cybersecurity Awareness Month this year, UAB IT is sponsoring a series of presentations on cybersecurity topics of interest.  Please join us for any or all of the four sessions throughout the month of October.  Our hope is that you gain a better understanding and awareness of cybersecurity as it pertains to UAB, our country and the world.

The following sessions are open to all faculty, staff and students at UAB, and their invited guests.  All will begin at noon, with the exception of October 31st, which will begin at 1 p.m.

Registration is currently available for all sessions.  Please bring your lunch; cookies and soft drinks will be provided at each session. 

Date | Time | Location | Topic | Presenter
October 3, 2012 | Noon | Center for Teaching & Learning (EB238, room 243) | Cybersecurity Law and Current Issues | Jim Phillips, AUSA (retired)
October 10, 2012 | Noon | Hill University Center Alumni Auditorium | Countering the Cyber Threat with Intelligence Analytics | John Grimes, J.D., Assistant Professor, UAB
October 24, 2012 | Noon | West Pavilion, room D | To Be Announced | To Be Announced
October 31, 2012 | 1 p.m. | Cudworth Hall (CEC) Auditorium | Tales from the FBI on Cybersecurity | Todd Berryman, FBI Special Agent & Cybersecurity Squad Leader

Posted on 9/20/2012 10:50:00 AM
Published in Events