“Your paycheck has been compromised.” That’s the kind of subject line you’ll see in a phishing email that’s trying to trick you into revealing personal information — like your BlazerID and password.

But if you fall for it, your paycheck — and all of your other personal information — truly could be compromised.

UAB has been under attack from scam artists and phishing e-mails. Dozens of individuals have fallen victim to the attacks and have had their e-mail accounts compromised and used for malicious purposes.

Users whose accounts are compromised will have their passwords revoked. The recommended method to reset them is through BlazerID self-service, particularly during the holidays when AskIT will have limited hours. AskIT will be closed on Thursday, Nov. 27, and Friday, Nov. 28, and will reopen at 9 a.m. Saturday.

Scam e-mails typically increase around the holidays, so take steps now to be able to recover your password by registering for BlazerID self-service.

Be extremely cautious about any e-mail message that claims to be from UAB, and NEVER provide your password in response to an e-mail communication.

Follow these additional tips to avoid being a victim:

• Do NOT click links in messages that ask you to log in. Type a trusted Web address in your browser or Google for the Web site if you don’t know the address.

• Never type personal, sensitive information (such as passwords or account numbers) on Web sites without verifying the Web site’s authenticity and security — look for an “https” in the address bar.

• Verify the address. Malicious Web sites may look identical to a legitimate site, but the address may use a variation in spelling or a different domain (.com vs. .edu).

• Misspellings and grammatical errors can be a dead giveaway in phishing emails and subject lines.

• If you are unsure whether a request is legitimate, contact the company directly. Do NOT use contact information provided in the request.

• Don’t open attachments. They may contain viruses or malware that can infect your computer.

• Protect your password. Information security and IT officials at both the university and UAB Hospital will never ask users for passwords or any other sensitive information.

• Report suspicious activity. If you have any questions or you receive a suspicious email that you want to report, university employees and students can call the AskIT Help Desk at 205-996-5555.  Hospital employees can call the HSIS Help Desk at 205-934-8888.
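The address checks in the tips above (look for "https", watch for a spelling variation or a different domain such as .com vs. .edu) can be written out as a small link checker. This is an added example, not a UAB tool; `example.edu` stands in for the trusted domain, the warning names are made up for illustration, and the sample links in the usage note are constructed.

```python
from urllib.parse import urlsplit

TRUSTED = "example.edu"  # assumption: placeholder for the site you expect (two labels)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot a one-character spelling variation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, trusted: str = TRUSTED) -> list[str]:
    """Return the warnings that apply to url; an empty list means none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if host == trusted or host.endswith("." + trusted):
        return warnings  # the trusted domain itself or a real subdomain of it
    name, _, _tld = trusted.rpartition(".")
    labels = host.split(".")
    if f".{trusted}." in f".{host}.":
        # Trusted name used as a decoy prefix, e.g. example.edu.login.test
        warnings.append("trusted-name-inside-other-domain")
    elif len(labels) >= 2 and labels[-2] == name:
        # Same name, other ending: the ".com vs. .edu" case
        warnings.append("different-tld")
    elif len(labels) >= 2 and edit_distance(labels[-2], name) <= 1:
        # One character added, dropped or swapped for a look-alike
        warnings.append("similar-spelling")
    else:
        warnings.append("unrelated-domain")
    return warnings
```

For instance, `check_link("https://examp1e.edu/")` returns `["similar-spelling"]`, while `check_link("https://www.example.edu/login")` returns an empty list. An "https" address with no warning still only shows the connection is encrypted and the name matches; it does not prove the message that carried the link is genuine.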



The jolly old elf himself will help collect toys for UAB’s annual Toy Drive during a “Drive-Through Santa” event on Friday, Dec. 5.

The UAB Toy Drive is ongoing now, with boxes distributed in 30 locations throughout campus to collect new, unwrapped toys. The UAB Toy Drive will end on Dec. 5.

Anyone with last-minute gifts will be able to drop them off at the entrance to the Administration Building, located at 701 20th St. South. Santa Claus and his helpers will be there between 7:30 a.m. and 1 p.m. on Dec. 5 to receive the gifts. 

“This is the first time that the UAB Toy Drive has featured a ‘Drive-Through Santa,’” said Eric Thompson, chairman of this year’s committee. “We’re doing everything we can to make it convenient for UAB faculty, staff and students to support the UAB Toy Drive.”

This is the 21st year that UAB has participated in Toys for Tots, which provides Christmas gifts for children in need throughout the greater Birmingham area.
AskIT will have special hours during the Thanksgiving holiday week.

AskIT will be open from 7 a.m. to 7 p.m. Monday, Nov. 24, and Tuesday, Nov. 25. AskIT will be open from 7 a.m. to 5 p.m. Wednesday. The help desk will be CLOSED Thursday and Friday for the Thanksgiving holidays.

Regular hours will resume Saturday, Nov. 29.
Social media has changed the way we interact with each other, but while it has made some things easier for us, it has also made it easier for us to become a target for security risks.

The November issue of the IT Risk Bulletin, a joint publication of UAB, the University of Alabama, UAB Health System and the University of Alabama-Huntsville, offers some practical tips for staying safe online.

Among them:

• Keep private information private. Do NOT post your Social Security number, banking PIN or other personal information.

• Use the social network’s privacy and security settings to control what you post.

• Only approve friend requests from people you know.

For more tips and to access previous IT Risk Bulletins, click here.

Microsoft released a new critical security update on Nov. 18, 2014, that resolves a Windows vulnerability regarding privileges.

The vulnerability in Microsoft Windows Kerberos KDC could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator.

An attacker could, according to Microsoft, use those privileges to compromise any computer in the domain.

The update requires a restart.

For more information, visit https://technet.microsoft.com/library/security/ms14-068

Microsoft has released a security package to correct a critical vulnerability in Windows, and UAB IT is urging campus technical professionals and users to apply the patch immediately.

Microsoft released security bulletin MS14-066 “Vulnerability in Schannel Could Allow Remote Code Execution (2992611),” for November’s Patch Tuesday.

MS14-066 is a critical vulnerability in the Microsoft Secure Channel (Schannel) security package that allows specially crafted packets to compromise the machine. This affects all Windows servers and clients. Microsoft indicates that there are no workarounds or mitigations.

Please run the Windows update as soon as possible for all your Windows machines, servers and clients.

What is Schannel?

Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.


For more information:

https://technet.microsoft.com/library/security/MS14-066

https://isc.sans.edu/diary/Microsoft+November+2014+Patch+Tuesday/18941

https://isc.sans.edu/forums/diary/How+bad+is+the+SCHANNEL+vulnerability+CVE-2014-6321+patched+in+MS14-066+/18947

http://www.zdnet.com/drop-what-youre-doing-and-patch-the-windows-schannel-bugs-now-7000035738/

UAB Information Technology reminds faculty, staff, and students that fraudulent email, internet, and phone scams tend to increase around the holidays.  Users should be vigilant to confirm that unsolicited requests for information are legitimate prior to providing sensitive information. 

A current telephone scam making its way around campus is one in which imposters claim to be representatives of the Internal Revenue Service.


Among the most common scams are callers who tell you that you owe money or that you have a refund coming, to try to trick you into sharing private information, according to the IRS.

The IRS, according to its latest alert, does not:

• Call or e-mail to demand payment without having first mailed you a bill.

• Demand you pay taxes without giving you the chance to appeal the amount they say you owe.

• Require you to use a specific payment method.

• Ask for credit or debit card numbers over the phone.

• Threaten to use law enforcement to have you arrested for not paying.

If you receive a phone call you believe is fraudulent, here is what you can do:

• If you know or think you owe taxes, call the IRS at 1-800-829-1040 so that IRS workers can help you with a payment issue.

• If you believe you don’t owe taxes, report the incident to the Treasury Inspector General for Tax Administration at 1-800-366-4484 or at www.tigta.gov.

• If you have been targeted by a scam, contact the Federal Trade Commission and use their “FTC Complaint Assistant” at FTC.gov. Add “IRS Telephone Scam” to the comments of the complaint.
Three months after introducing a stronger WiFi network to campus, UAB IT is reminding users that the WiFi network named "uabwifi_nac" will be discontinued on Dec. 15.

Users whose devices are still logged into uabwifi_nac will need to configure their devices for one of two new WiFi networks, UABStartHere or UABSecure.

For users with a BlazerID and password, UABSecure is the preferred network because it provides encryption for sensitive data. UABStartHere is a completely open network, which means it provides no encryption and users will not need to enter a WEP key as they have in the past.

WiFi users who want to connect to UAB’s WiFi network can begin by choosing the UABStartHere network from their device. Upon opening a web browser, users are automatically directed to a Web site where they can choose whether to configure their device for the UABSecure network, log on to the UABStartHere network or register as a guest user.

Guests on campus are no longer required to get sponsor access to use the campus WiFi network. They can simply log on to UABStartHere using a valid e-mail address to get 24 hours of access to the WiFi network.

Unencrypted, sensitive data should NOT be transmitted through the UABStartHere network unless protected by other means, such as a virtual private network (VPN) session. 

If your WiFi device can support the UABSecure network, we highly suggest taking the time to walk through configuring your device using QuickConnect. Click here for instructions.
UAB's 21st annual Toy Drive, benefitting Toys for Tots, is under way.

UAB IT will again organize the drive, with the department's own Eric Thompson leading the effort for the second year.

Boxes for toy donations will be located at 19 buildings across campus. UAB is the largest contributor to the local Toys for Tots effort.

New, unwrapped toys are needed for the toy drive, said Thompson, who is in his fourth year of being involved in the effort.

"I enjoy being able to offer Christmas for children who wouldn't otherwise be able to have Christmas," Thompson said.

Toys will be picked up the morning of Friday, Dec. 5.
Hoping to reduce threats to computer security, the chief information security officers for the University of Alabama, UAB, UAB Medicine and UAHuntsville are launching a new monthly IT Risk Bulletin.

The inaugural issue offers tips on creating stronger passwords. 

The newsletters will be published by the chief information security officers for UA, UAB, UAB Medicine and UAHuntsville, working in conjunction with the UA System Office of Risk Management and the director of IT Audit. The monthly newsletters are designed to help each campus' users avoid IT errors.

An archive of the IT Risk Bulletin is available here.