A message from Larry Conrad, AVC-IT & CIO
Dear Campus Community,
A widely reported critical security flaw, called “Heartbleed,” has been discovered that affects not only some campus systems, but also many information systems worldwide. One possible consequence of this flaw is that attackers can easily steal personal information and see sensitive information and even passwords used on vulnerable websites and systems.
Impact on UC Berkeley IT Systems
Campus information security is actively identifying potentially vulnerable systems, and monitoring for attempts to exploit the flaw. IT staff on campus have been asked to review their systems and apply available patches.
Our CalNet login site and email system did not have this vulnerability. However, other campus systems, and other systems you may use outside of campus in your professional or personal life, may be at risk.
We are asking you to please take the following voluntary precautions.
- Change your CalNet passphrase to a phrase you have not used before and do not use anywhere else. As a reminder, do not blindly follow links asking you to reset your CalNet passphrase.
  - Go to https://calnet.berkeley.edu/
  - Under the "Links" section, please click "Change CalNet Passphrase."
  - When prompted, please enter your CalNet ID, your old passphrase, and your new passphrase (twice), then click the Change Passphrase button.
  - For additional help, visit https://wikihub.berkeley.edu/display/calnet/CalNet+Customer+Support
Beware of Suspicious Email and Phishing Attempts
In addition to the above precautions, we are asking you to be aware of the following:
- Not sure if it’s a Phish? We are confident scammers will attempt to send emails to our campus, asking you to visit links to change your password in response to this or similar IT emergencies. We encourage you to be skeptical and check if in doubt. You may always send email to firstname.lastname@example.org if you are unsure whether an email is legitimate.
- Do not share your CalNet passphrase with anyone. No person should ask you to reveal your CalNet credentials, via email, in person or on the phone. Any such request is not a legitimate request and may be refused.
The campus information security team can provide more in-depth presentations about this vulnerability, phishing scams, or other security topics to campus departments, units or other peer organizations. We encourage departmental administrators and other interested individuals and groups to send an email to email@example.com or visit https://security.berkeley.edu/phishing for more information.