Respond to a Security Notice

If you have received a security notice from Information Security and Policy (ISP), please review the following information about each type of notice and how to respond.

ISP Security Notices are sent via email from security@berkeley.edu with one of the following phrases in the Subject line:

Compromised Host / Possibly Compromised System

What does it mean?

If you receive a “Compromised Host” notice, ISP analysts are highly confident that attackers have gained unauthorized access to (“compromised”) your computer. With “Possibly Compromised System” notices, we detected highly suspicious network activity and we believe that your computer is compromised.

Some of the things attackers can do once your computer has been compromised include:

  • Install a keylogger to collect your email passwords, bank account numbers, and other private information
  • Use your computer to send out junk email (“spam”) or attack other computers
  • Use your computer to store and distribute illegal software, media files, and pornography
  • Search the hard drive for private information such as credit card and Social Security Numbers
  • Disable your anti-virus and firewall software and leave "backdoors" allowing easy access to your computer

What should I do?

First, read the email notice carefully. At the bottom of the notice you will find additional information including the log messages that triggered the alert. If there is a legitimate explanation for the detected network activity and you believe the alert is a “false-positive”, please reply to the notice and let us know.

If you cannot explain the network activity, there are 3 steps you must take to secure your computer:

  1. Remove the computer from the network
    For your safety and the safety of others, a compromised computer must not remain on the network! If this notice was for a computer connected to Airbears, do not use the computer on Airbears or the campus wired network until the computer can be properly cleaned. Limit your use of other Internet connections to avoid losing your personal information and putting other computers at risk.
  2. Clean all signs of malware and other signs of intrusion from the computer
    There are two options you can use for cleaning your compromised computer:
    • Back up your files and data, and reinstall your operating system and software (RECOMMENDED): see Reinstalling your compromised computer
    • Attempt to clean the system using anti-virus/anti-malware utilities: see How do I clean an infected computer of viruses and malware?
      Attackers often leave “backdoors” on a compromised computer so they can easily regain access once the original virus/malware is removed. Removing all backdoors can be difficult, and many viruses/malware programs are designed to circumvent and even disable anti-virus utilities. Therefore we recommend reinstalling your operating system, but if that is not practical you can try this option first. If you receive another compromised notice after attempting to clean the computer, you MUST reinstall the operating system.
  3. Respond to the ISP notice and describe how you have cleaned your computer
    Unless we get a response to our notices, ISP must assume the problem is not corrected, and your network access may be blocked. Respond to the notice, keeping the ISP ticket number in the subject line, and let us know what you did to clean the computer. If you used anti-virus/anti-malware utilities, please include evidence of the results. You can send the results log as an attachment, cut-and-paste the results as text, or send a screenshot.

In addition to these steps, we recommend that you:


Vulnerability Detected

What does it mean?

Vulnerabilities are flaws in the software or system configuration of a computer that can be used by attackers to gain unauthorized access to the system. By scanning for vulnerabilities on the UC Berkeley campus network, ISP finds these flaws before they can be used by attackers to compromise computers. Fixing vulnerabilities reported in ISP “Vulnerability Detected” notices will help protect your computer from electronic attack.

What should I do?

ISP “Vulnerability Detected” notices contain detailed information about the vulnerability and how to fix it. This may involve installing security updates to your operating system or software, changing system configuration settings, setting or changing passwords, or removing/upgrading outdated software.

Reply to the ISP notice if you are still unsure how to correct the vulnerability, or if you believe your configuration is secure and the notice is a “false-positive”.

Otherwise, it is not necessary to reply to these notices.


Credential Exposure

What does it mean?

If you receive a “Credential Exposure” notice, Information Security and Policy identified a possible disclosure of an account name and password. This disclosure may be the result of someone entering the information insecurely. Because this is frequently seen in phishing attacks and may have exposed the credentials to third parties, we strongly recommend changing your password on any internet sites using the credentials listed below.

What should I do?

First, read the email notice carefully.

  1. Change your CalNet passphrase: Change CalNet Passphrase

In addition to these steps, we recommend that you:

  • Change any other passwords or account access codes used on the compromised computer
  • Check with your financial institutions for any unauthorized activity on your accounts
  • Ensure that your cleaned computer meets the campus basic Minimum Security Standards for Networked Devices
  • Perform a full scan of your computer with an updated Anti-Virus program

This email is not an attempt to confirm whether the credentials are correct, nor is it a request for your credentials. No University department personnel should ever request your credentials in email or otherwise.

Unless you have other questions, there is no need to reply to these notices.
