“Your paycheck has been compromised.” That’s the kind of subject line you’ll see in a phishing email that’s trying to trick you into revealing personal information — like your BlazerID and password.

But if you fall for it, your paycheck — and all of your other personal information — truly could be compromised.

UAB has been under attack from scam artists and phishing e-mails. Dozens of individuals have fallen victim to the attacks and have had their e-mail accounts compromised and used for malicious purposes.

Users whose accounts are compromised will have their passwords revoked. The recommended method to reset them is through BlazerID self-service, particularly during the holidays when AskIT will have limited hours. AskIT will be closed on Thursday, Nov. 27, and Friday, Nov. 28, and will reopen at 9 a.m. Saturday.

Scam e-mails typically increase around the holidays, so take steps now to be able to recover your password by registering for BlazerID self-service.

Be extremely cautious about any e-mail message that claims to be from UAB, and NEVER provide your password in response to an e-mail communication.

Follow these additional tips to avoid being a victim:

• Do NOT click links in messages that ask you to log in. Type a trusted Web address in your browser or Google for the Web site if you don’t know the address.

• Never type personal, sensitive information (such as passwords or account numbers) on Web sites without verifying the Web site’s authenticity and security — look for an “https” in the address bar.

• Verify the address. Malicious Web sites may look identical to a legitimate site, but the address may use a variation in spelling or a different domain (.com vs. .edu).

• Misspellings and grammatical errors can be a dead giveaway in phishing emails and subject lines.

• If you are unsure whether a request is legitimate, contact the company directly. Do NOT use contact information provided in the request.

• Don’t open attachments. They may contain viruses or malware that can infect your computer.

• Protect your password. Information security and IT officials at both the university and UAB Hospital will never ask users for passwords or any other sensitive information.

• Report suspicious activity. If you have any questions or you receive a suspicious email that you want to report, university employees and students can call the AskIT Help Desk at 205-996-5555.  Hospital employees can call the HSIS Help Desk at 205-934-8888.



Social media has changed the way we interact with each other, but while they have made some things easier for us, they have also made it easier for us to be a target for security risks.

The November issue of the IT Risk Bulletin, a joint publication of UAB, the University of Alabama, UAB Health System and the University of Alabama-Huntsville, offers some practical tips for staying safe online.

Among them:

• Keep private information private. Do NOT post your Social Security number, banking PIN or other personal information.

• Use the social network’s privacy and security settings to control what you post.

• Only approve friend requests from people you know.

For more tips and to access previous IT Risk Bulletins, click here.

Microsoft released a new critical security update on Nov. 18, 2014, that resolves a Windows vulnerability regarding privileges.

The vulnerability in Microsoft Windows Kerberos KDC could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator.

An attacker could, according to Microsoft, use those privileges to compromise any computer in the domain.

The update requires a restart.

For more information, visit https://technet.microsoft.com/library/security/ms14-068

Microsoft has released a security package to correct a critical vulnerability in Windows, and UAB IT is urging campus technical professionals and users to apply the patch immediately.

Microsoft released security bulletin MS14-066 “Vulnerability in Schannel Could Allow Remote Code Execution (2992611),” for November’s Patch Tuesday.

MS14-066 is a critical vulnerability in the Microsoft Secure Channel (Schannel) security package that allows specially crafted packets to compromise the machine. This affects all Windows servers and clients. Microsoft indicates that there are no workarounds or mitigations.

Please run the Windows update as soon as possible for all your Windows machines, servers and clients.

What is Schannel?

Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.


For more information:

https://technet.microsoft.com/library/security/MS14-066

https://isc.sans.edu/diary/Microsoft+November+2014+Patch+Tuesday/18941

https://isc.sans.edu/forums/diary/How+bad+is+the+SCHANNEL+vulnerability+CVE-2014-6321+patched+in+MS14-066+/18947

http://www.zdnet.com/drop-what-youre-doing-and-patch-the-windows-schannel-bugs-now-7000035738/

Hoping to reduce threats to computer security, the chief information security officers for the University of Alabama, UAB, UAB Medicine and UAHuntsville are launching a new monthly IT Risk Bulletin.

The inaugural issue offers tips on creating stronger passwords. 

The newsletters will be published by the chief information security officers for UA, UAB, UAB Medicine and UAHuntsville, working in conjuction with the UA System Office of Risk Management and the director of IT Audit. The monthly newsletters are designed to help each campus' users to avoid IT errors.

An archive of the IT Risk Bulletin is available here.
UAB IT is aware of a critical vulnerability — called “POODLE” — on Web browsers and is taking steps to ensure that all enterprise systems and applications have been protected from this vulnerability.

Security researchers have identified POODLE — “Padding Oracle on Downgrade Legacy Encryption” — in an old but still commonly used version of SSL, the technology used to encrypt HTTP and other web traffic. Any server that supports SSL version 3 (SSLv3) can be exploited so that an attacker can decrypt secure sessions, potentially revealing passwords and other private information.

Web browsers will be updating their technology over the next few weeks to automatically disable SSLv3 on the client (browser) side, eliminating the POODLE vulnerability. If you utilize an older computer, please ensure that you have updated modern web browser such as Firefox 33, Chrome 38, Safari 7, Internet Explorer 10 or 11. There are platform-specific settings available for most browsers to disable SSLv3 at runtime for those who do not want to wait. Most users can simply ensure they get automatic browser updates and wait for the official update.

The safest and simplest solution is to disable SSLv3 support on all software, and instead use more recent versions of SSL: TLS version 1, 1.1, or 1.2. (Confusingly, more recent versions of SSL use the name TLS, for Transport Layer Security, rather than SSL, and the numbering scheme was reset to 1. So SSLv3 is older than TLSv1. TLS version 1.2 is the most recent version of SSL/TLS.)

Server administrators should take immediate action to disable SSLv3. Simply enabling other versions and leaving SSLv3 enabled is insufficient, as protocol downgrade attacks are possible. Disabling SSLv3 on a server may create compatibility problems for ancient client software — most notably, Internet Explorer 6 will be blocked from using SSL. Protocol configuration is platform-specific, so please refer to your official documentation for instructions. Some unofficial guides and methods of checking your server are available in in the references below.

Web clients other than browsers, such as web services, may need reconfiguration to communicate over TLS. Administrators and developers responsible for non-browser clients should check their official documentation. 

In an effort to emphasize the risks of using cloud services to store University data, UAB IT is releasing interim guidance on the use of cloud services for the UAB campus.

The guidance is for members of the UAB campus community who wish to use cloud applications and services available on the Web, including file storage, Web conferencing and content hosting.

While recognizing that cloud services can fill a need in certain areas, UAB IT reminds all UAB employees to use appropriate due diligence when entering into agreements, especially with cloud providers. UAB employees should not store sensitive/restricted information in a cloud service without University-approved agreements in place.

UAB employees cannot subscribe to cloud services to store sensitive or classified data (see UAB Data Protection and Security Policy for what UAB defines as sensitive data) without an appropriate agreement directly with UAB — and employees cannot be reimbursed for such cloud subscriptions without an affirming statement that the data stored is not sensitive.

“We want to make people aware of how risky it is to use such sites for sensitive data,” said David Yother, director of enterprise technology services for UAB IT. “The safest method is to keep it here at UAB, unless a specific business reason exists and appropriate management approvals have been received.”

Over the coming months, additional information will be released, including guidelines for specific cloud services.

More information about the cloud guidance can be found here.

UAB Hospital employees should refer to guidance from HSIS with regard to using cloud services.



Cyberspace is a shared resource, and its security is the responsibility of all American citizens, businesses, groups and governmental agencies. Cyber security begins with the awareness of our individual internet usage habits and changing them to practices that can help safeguard our digital lives.  cybersecurityawareness logo

When in doubt remember staysafeonline.org’s motto: STOP. THINK. CONNECT.

STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s. 

CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.


Cybersecurity is daily issue that will affect the rest of your life.  Therefore, every individual should place the cybersecurity motto “STOP. THINK. CONNECT.” at the same level of importance as “Stop, drop and roll” and “Look both ways before crossing.”

This year, the UAB Enterprise Information Security department will focus on the campus community through classroom and homecoming event presence. The classroom presence involves an intuitive presentation to the CAS 112 – Success in College class. The CAS 112 course prepares students for a successful collegiate career in any field of study.

The UAB Enterprise Information Security department’s homecoming presence will be at a booth in the Occupational Health and Safety Vendor Fair from 11 a.m. to 2 p.m. on Friday, Oct. 10. The OHS Vendor Fair will be located between Rast Hall and the Campus Green.  Come and visit our booth so that we can chat about cyber security.  You will leave our booth with more cyber security awareness knowledge — and a few treats.

Additional cyber security resources:

National Cyber Security Alliance

Password Security

Phishing Scams

Physical security tips







UAB IT is urging all university employees to be aware of a possible e-mail phishing scam with the subject line “Your Nex Salary Notification.”

The e-mail claims to be communication from UAB Human Resources and asks users to click a link which takes them to a fraudulent site.

UAB IT officials are taking steps to prevent the further dissemination of e-mails from this particular sender, but remind UAB employees remain vigilant about potential phishing scams.

To report suspected spam to AskIT, please follow the instructions here.

Some tips to help users avoid phishing scams include:

Be wary of unsolicited email. Phishing scams try to convey a sense of urgency and try to pressure you into clicking a link. They might claim that unusual activity regarding your account has been flagged, or you must reconfirm your password by clicking on a link in the e-mail. If you receive such a message, be very skeptical and do not click on any links. Send an email to AskIT@uab.edu to report the suspicious email.

Check for misspellings or grammatical errors. Phishers often make such mistakes when writing the subject matter line or when writing the body of the email.

Think before you click. Both the sender’s email address and any suspicious links in the message body can help identify a fraudulent email. First, hover your cursor over the sender’s email address and check the domain name (the part of the address that comes after the “@”; for example, @school.edu). Now hover your cursor over the suspicious link (be sure not to click on it!) to view the web site address of the link (for example, school.com). There’s likely a problem if those two don’t match (for example, an email address of ITadmin@school.edu and a web site address of passwordchange.school.com).

Verify the address. Be aware that cyber-criminals will try to trick you into thinking a web site address is real by making it look similar to the real thing. For example, UAB web sites end in the domain name “uab.edu.” A phishing e-mail might ask you to click on a malicious web site link with the domain name “uab.edu.com.”

Avoid opening attachments. Many phishing emails include attached documents that contain malware that can infect your computer. Never download and open these attachments.

Protect your password. Remember, information security and IT officials at both UAB Hospital and the university will never ask users for passwords or any other sensitive information.

Report suspicious activity. If you have any questions or you receive a suspicious email that you want to report, university employees and students can call the AskIT Help Desk at 205-996-5555.  Hospital employees can call the HSIS Help Desk at 205-934-8888.

Wondering if your photos, data and other information are securely stored in the cloud after the leak of celebrity photos over the Labor Day weekend?

UAB IT security professionals say the incident is a good reminder to the rest of us to take precautions with our own data.

Since most of us aren’t celebrities, our photos probably won’t be worth hackers’ time — but personal information can be.

So what can you do to keep your personal cloud accounts safe?

• Enable two-factor authentication on your cloud accounts. That way, if you — or someone else — tries to log into your account from a device that is not registered, you’ll have to log in using a verification code sent to one of your devices. It’s an extra step that helps secure your information.

Microsoft’s OneDrive — a cloud storage application available free for UAB students — uses two-factor identification and allows users to add security information to their account. Learn more here.

• Make sure you have a strong password. Ideally, you should use a passphrase you can remember. For example, choose “goblazers,” but replace some of the letters with numbers or symbols and include capital letters. The example, then, could become g0b!azers — easy to remember, harder to hack.

Change your password often to keep your data secure. That’s why UAB requires employees and students to change their BlazerID passwords frequently, and to make sure they contain the kind of character combinations that make them much less vulnerable to attacks.

• Consider using a password manager or password vault such as LastPass or KeePass. Such tools — which vary in price — can help manage your different logins while keeping them secure.

UAB employees should also be very cautious about cloud storage in regards to University information.

“UAB employees should not use cloud products for UAB business data without approval,” said Scott Fendley, information security operations manager for UAB IT. “UAB IT reviews the contracts and ensures that the cloud products meet our requirements.”

This month’s Tech Talk on Sept. 25 will feature a discussion of cloud computing at UAB.