
News & Announcements

East Campus Shred Event

The UCIT Office of Information Security (UCIT OIS) is hosting a free document shredding event for all UC students, faculty, and staff on Thursday, September 25, 2014. The event will take place in Lot 13 outside of the Kettering Lab Complex on East Campus from 9 a.m. until 1 p.m.

UCIT OIS staff will be onsite at all times to ensure all documents are securely destroyed and recycled.

UCIT Office of Information Security Alert Bulletin (05/21/2014)

**Password Expiration Notification**

By now you may have heard about the internet bug Heartbleed, which has impacted up to 2/3 of companies on the web. Without getting too technical, Heartbleed affects the OpenSSL framework used by many entities to privately send data to and from internet servers.

We want to assure you that the university took immediate and proactive steps to patch this security vulnerability - and has successfully eliminated any risk of unauthorized access to your account.

For your added protection, we will be expiring your Central Login System (CLS) password within the next 2 to 4 weeks. Changing your password at this time is not required. Similar to a normal password expiration, you will receive an email stating that your password is about to expire and that you need to change your password at that time. You will receive five grace logins but should change your password as soon as possible.

It's also a good idea to regularly change your passwords for all websites you frequent, especially if any use the same password as you were using for UC. 

What Can I Do to Help?

Please distribute this Security Alert to anyone who you feel needs to be made aware.

Contact the UCIT Integrated Services Desk at 513-556-HELP (4357), 866-397-3382 or helpdesk@uc.edu or the UCIT Office of Information Security at 513-558-ISEC (4732) or infosec@uc.edu with any questions or concerns.

UCIT Office of Information Security Alert Bulletin (05/02/2014)

**OpenID and OAuth Vulnerability Alert**

OpenID and OAuth Vulnerability Summary

This vulnerability may also be referred to as the “Covert Redirect” flaw.

The vulnerability allows hackers to trick users into authorizing an app or website using malicious phishing links.

Per Lifehacker:

For example, if you visit a site and click a button to log in with Google or Facebook, you'll see the familiar authorization popup. If you authorize the login, your personal data can be sent to the hacker instead of to the site. This can include your email address, contact lists, birthday, and more. The vulnerability could also redirect you to a different look-alike website.

Perhaps the scariest thing is the Covert Redirect flaw doesn't use a fake domain that might be spotted by more savvy surfers, but instead uses the real site address that you're trying to log into. So it's very hard to detect. 

Additional information may be found at: http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/ and at http://lifehacker.com/security-flaw-found-in-oauth-and-openid-heres-what-it-1570872265.

What applications does this affect?

This vulnerability currently affects websites and applications that use credentials from websites such as Facebook, Twitter, Google, Yahoo, LinkedIn, Microsoft, PayPal, and others as a means to log into them.

How will the vulnerability be remediated?

CNET reports that this is not easy for sites to fix.

Per CNET:

This is to say, it's not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.

What should I do?

The UCIT Office of Information Security suggests that users perform the following:

  • Whenever possible, do not use credentials from websites such as Facebook, Twitter, Google, Yahoo, LinkedIn, Microsoft, PayPal, and others as a means to log into other websites and applications.
  • Watch out for links that immediately ask you to log in, and close the window to prevent the redirection attack.

UCIT Office of Information Security Alert Bulletin (05/02/2014)

**Security Update for Internet Explorer Alert**

Microsoft Security Bulletin MS14-021 – Critical | CVE-2014-1776

Internet Explorer Security Update Summary

Microsoft has issued a security bulletin announcing the immediate availability of a fix that closes the “hole” in Internet Explorer discovered earlier this week. Since this is such a crucial vulnerability, the patch is available now, meaning you don’t have to wait until Microsoft’s “Patch Tuesday.”

All versions of Internet Explorer on ALL versions of Windows contain a security hole that could allow cybercriminals to implant malware on your computer with little or no warning. The attacks that have been discovered have been targeting IE 9, 10, and 11; they also relied on a Flash file to help the attack, as well as an IE extension from Microsoft called VGX.DLL used for vector graphics rendering.

What Applications/Operating Systems does this affect?

This vulnerability currently affects all versions of Internet Explorer including 6, 7, 8, 9, 10 and 11. 

All versions of Windows are vulnerable.

What should I do?

The UCIT Office of Information Security suggests that users perform the following:

  • Update your machines immediately to ensure you receive this security update
    • Go to Control Panel | Windows Update

Although Windows XP will still receive this update, this is likely one of the last to be released by Microsoft as that operating system has reached end-of-life support status. 

For more information on the Security Update and the vulnerability, go here: https://technet.microsoft.com/library/security/ms14-021
