The jolly old elf himself will help collect toys for UAB’s annual Toy Drive during a “Drive-Through Santa” event on Friday, Dec. 5.

The UAB Toy Drive is ongoing now, with boxes distributed in 30 locations throughout campus to collect new, unwrapped toys. The UAB Toy Drive will end on Dec. 5.

Anyone with last-minute gifts will be able to drop them off at the entrance to the Administration Building parking deck located at 701 20th St. South. Santa Claus and his helpers will be there between 7:30 a.m. and 1 p.m. on Dec. 5 to receive the gifts. 

“This is the first time that the UAB Toy Drive has featured a ‘Drive-Through Santa,’” said Eric Thompson, chairman of this year’s committee. “We’re doing everything we can to make it convenient for UAB faculty, staff and students to support the UAB Toy Drive.”

This is the 21st year that UAB has participated in Toys for Tots, which provides Christmas gifts for children in need throughout the greater Birmingham area.
AskIT will have special hours during the Thanksgiving holiday week.

AskIT will be open from 7 a.m. to 7 p.m. Monday, Nov. 24, and Tuesday, Nov. 25. AskIT will be open from 7 a.m. to 5 p.m. Wednesday. The help desk will be CLOSED Thursday and Friday for the Thanksgiving holidays.

Regular hours will resume Saturday, Nov. 29.
Social media has changed the way we interact with each other, but while it has made some things easier for us, it has also made it easier for us to become a target for security risks.

The November issue of the IT Risk Bulletin, a joint publication of UAB, the University of Alabama, UAB Health System and the University of Alabama-Huntsville, offers some practical tips for staying safe online.

Among them:

• Keep private information private. Do NOT post your Social Security number, banking PIN or other personal information.

• Use the social network’s privacy and security settings to control what you post.

• Only approve friend requests from people you know.

For more tips and to access previous IT Risk Bulletins, click here.

Microsoft released a new critical security update on Nov. 18, 2014, that resolves a Windows vulnerability regarding privileges.

The vulnerability in Microsoft Windows Kerberos KDC could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator.

An attacker could, according to Microsoft, use those privileges to compromise any computer in the domain.

The update requires a restart.

For more information, visit https://technet.microsoft.com/library/security/ms14-068

Microsoft has released a security package to correct a critical vulnerability in Windows, and UAB IT is urging campus technical professionals and users to apply the patch immediately.

Microsoft released security bulletin MS14-066 “Vulnerability in Schannel Could Allow Remote Code Execution (2992611),” for November’s Patch Tuesday.

MS14-066 is a critical vulnerability in the Microsoft Secure Channel (Schannel) security package that allows specially crafted packets to compromise the machine. This affects all Windows servers and clients. Microsoft indicates that there are no workarounds or mitigations.

Please run the Windows update as soon as possible for all your Windows machines, servers and clients.

What is Schannel?

Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.


For more information:

https://technet.microsoft.com/library/security/MS14-066

https://isc.sans.edu/diary/Microsoft+November+2014+Patch+Tuesday/18941

https://isc.sans.edu/forums/diary/How+bad+is+the+SCHANNEL+vulnerability+CVE-2014-6321+patched+in+MS14-066+/18947

http://www.zdnet.com/drop-what-youre-doing-and-patch-the-windows-schannel-bugs-now-7000035738/

UAB Information Technology reminds faculty, staff, and students that fraudulent email, internet, and phone scams tend to increase around the holidays.  Users should be vigilant to confirm that unsolicited requests for information are legitimate prior to providing sensitive information. 

A current telephone scam making its way around campus is one in which imposters claim to be representatives of the Internal Revenue Service.


Among the most common scams are callers who tell you that you owe money or that you have a refund coming, to try to trick you into sharing private information, according to the IRS.

The IRS, according to its latest alert, does not:

• Call or e-mail to demand payment without having first mailed you a bill.

• Demand you pay taxes without giving you the chance to appeal the amount they say you owe.

• Require you to use a specific payment method.

• Ask for credit or debit card numbers over the phone.

• Threaten to use law enforcement to have you arrested for not paying.

If you receive a phone call you believe is fraudulent, here is what you can do:

• If you know or think you owe taxes, call the IRS at 1-800-829-1040 so that IRS workers can help you with a payment issue.

• If you believe you don’t owe taxes, report the incident to the Treasury Inspector General for Tax Administration at 1-800-366-4484 or at www.tigta.gov.

• If you have been targeted by a scam, contact the Federal Trade Commission and use their “FTC Complaint Assistant” at FTC.gov. Add “IRS Telephone Scam” to the comments of the complaint.
Three months after introducing a stronger WiFi network to campus, UAB IT is reminding users that the WiFi network named "uabwifi_nac" will be discontinued on Dec. 15.

Users whose devices are still logged into uabwifi_nac will need to configure their devices for one of two new WiFi networks, UABStartHere or UABSecure.

For users with a BlazerID and password, UABSecure is the preferred network because it provides encryption for sensitive data. UABStartHere is a completely open network, which means it provides no encryption and users will not need to enter a WEP key as they have in the past.

WiFi users who want to connect to UAB’s WiFi network can begin by choosing the UABStartHere network from their device. Upon opening a web browser, users are automatically directed to a Web site where they can choose whether to configure their device for the UABSecure network, log on to the UABStartHere network or register as a guest user.

Guests on campus are no longer required to get sponsor access to use the campus WiFi network. They can simply log on to UABStartHere using a valid e-mail address to get 24 hours of access to the WiFi network.

Unencrypted, sensitive data should NOT be transmitted through the UABStartHere network unless protected by other means, such as a virtual private network (VPN) session. 

If your WiFi device can support the UABSecure network, we highly suggest taking the time to walk through configuring your device using QuickConnect. Click here for instructions.
UAB's 21st annual Toy Drive, benefitting Toys for Tots, is under way.

UAB IT will again organize the drive, with the department's own Eric Thompson leading the effort for the second year.

Boxes for toy donations will be located at 19 buildings across campus. UAB is the largest contributor to the local Toys for Tots effort.

New, unwrapped toys are needed for the toy drive, said Thompson, who is in his fourth year of being involved in the effort.

"I enjoy being able to offer Christmas for children who wouldn't otherwise be able to have Christmas," Thompson said.

Toys will be picked up the morning of Friday, Dec. 5.
Hoping to reduce threats to computer security, the chief information security officers for the University of Alabama, UAB, UAB Medicine and UAHuntsville are launching a new monthly IT Risk Bulletin.

The inaugural issue offers tips on creating stronger passwords. 

The newsletters will be published by the chief information security officers for UA, UAB, UAB Medicine and UAHuntsville, working in conjunction with the UA System Office of Risk Management and the director of IT Audit. The monthly newsletters are designed to help each campus' users avoid IT errors.

An archive of the IT Risk Bulletin is available here.
UAB IT is aware of a critical vulnerability — called “POODLE” — on Web browsers and is taking steps to ensure that all enterprise systems and applications have been protected from this vulnerability.

Security researchers have identified POODLE — “Padding Oracle On Downgraded Legacy Encryption” — in an old but still commonly used version of SSL, the technology used to encrypt HTTP and other web traffic. Any server that supports SSL version 3 (SSLv3) can be exploited so that an attacker can decrypt secure sessions, potentially revealing passwords and other private information.

Web browsers will be updating their technology over the next few weeks to automatically disable SSLv3 on the client (browser) side, eliminating the POODLE vulnerability. If you use an older computer, please ensure that you have an updated modern web browser such as Firefox 33, Chrome 38, Safari 7, or Internet Explorer 10 or 11. There are platform-specific settings available for most browsers to disable SSLv3 at runtime for those who do not want to wait. Most users can simply ensure they get automatic browser updates and wait for the official update.

The safest and simplest solution is to disable SSLv3 support on all software, and instead use more recent versions of SSL: TLS version 1, 1.1, or 1.2. (Confusingly, more recent versions of SSL use the name TLS, for Transport Layer Security, rather than SSL, and the numbering scheme was reset to 1. So SSLv3 is older than TLSv1. TLS version 1.2 is the most recent version of SSL/TLS.)

Server administrators should take immediate action to disable SSLv3. Simply enabling other versions and leaving SSLv3 enabled is insufficient, as protocol downgrade attacks are possible. Disabling SSLv3 on a server may create compatibility problems for ancient client software — most notably, Internet Explorer 6 will be blocked from using SSL. Protocol configuration is platform-specific, so please refer to your official documentation for instructions. Some unofficial guides and methods of checking your server are available in the references below.
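An added example, not part of the original bulletin or any UAB IT tooling: a small Python audit that reads Apache `SSLProtocol` and nginx `ssl_protocols` lines and reports whether SSLv3 is still enabled, including the case where newer versions were added but SSLv3 was left on. The sample lines are constructed, and the handling of Apache's `all` shortcut and of unsigned tokens is an assumption about how mod_ssl resolves the directive.

```python
import re

# Assumption: Apache's "all" shortcut includes SSLv3 (true unless OpenSSL
# was built with no-ssl3), so a bare "SSLProtocol all" leaves SSLv3 on.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.I)

def apache_enabled(tokens):
    """Resolve lower-cased SSLProtocol tokens left to right."""
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-")
        group = set(APACHE_ALL) if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= group
        elif tok.startswith("+"):
            enabled |= group
        else:
            enabled = group  # assumed: an unsigned token replaces the set
    return enabled

def audit(config_text):
    """Return (line_no, directive, sslv3_enabled) per TLS directive."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            tokens = m.group(2).lower().split()
            is_apache = m.group(1).lower() == "sslprotocol"
            # nginx lists enabled protocols explicitly; Apache needs resolving
            enabled = apache_enabled(tokens) if is_apache else set(tokens)
            findings.append((no, m.group(1), "sslv3" in enabled))
    return findings

# Constructed sample lines, not taken from any real server.
SAMPLE = """\
SSLProtocol all
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 +SSLv3
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# SSLProtocol all
"""

if __name__ == "__main__":
    for no, directive, bad in audit(SAMPLE):
        print(f"line {no}: {directive}: {'SSLv3 ENABLED' if bad else 'ok'}")
```

A configuration line passes only when SSLv3 is absent from the resolved set; a line that lists TLS versions alongside SSLv3 is still flagged.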

Web clients other than browsers, such as web services, may need reconfiguration to communicate over TLS. Administrators and developers responsible for non-browser clients should check their official documentation.