News

January 27, 2020

Phone Phishing and Telephone Spoofing Scam

We have become aware that identity thieves are calling individuals on campus via landline or cellular devices asking for personal information. Remember to be vigilant and careful about protecting your personal information.

We work very hard to protect our voice network; however, attackers may try to use a technology called spoofing to trick you into giving up information.  Spoofing is the practice of deliberately falsifying the information transmitted to your caller ID to pretend to be someone else.  

January 20, 2020

Why Should We Care About Online Privacy?

With the California Consumer Privacy Act taking effect this year, data privacy will become a central issue for businesses in 2020. Consumers conduct much of their lives on the internet, yet few understand the critical issue of privacy and how their personal information is used, collected and shared by businesses. Your data can be stored indefinitely and used in both beneficial and unwelcome ways.

January 15, 2020

Tax Season is Here - Protect Yourself from Tax Fraud

You and Your W-2

Every year phishing messages are crafted by tax scammers to trick victims into giving out personal information. Taxpayers should continue to watch out for fake emails and/or websites looking to steal personal information. Be wary of any message asking for W-2 or other tax information. Additionally, because of the UCPath conversion attackers may send emails with fraudulent links. Do not open any attachments or click on any email links.

January 14, 2020

Patch IMMEDIATELY! - Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)

Summary

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.  This vulnerability affects the Microsoft Windows 10 desktop operating system, as well as Windows Server 2016 and 2019.

Microsoft has released a security update that addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

Patch IMMEDIATELY! - Microsoft Remote Desktop Gateway Remote Code Execution Vulnerability (CVE-2020-0610)

Summary

*** Vulnerable RD Gateway servers should be patched IMMEDIATELY even where there is a potential business impact (unscheduled maintenance). Notify security@berkeley.edu if you anticipate any delays in patching. ***

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway). 

January 13, 2020

Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution

Summary

Mozilla has published an out-of-band patch for Mozilla Firefox and Firefox Extended Support Release (ESR).  It fixes a type confusion vulnerability in Mozilla’s Javascript compiler, IonMonkey. This vulnerability is identified as CVE-2019-17026. [1]

Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. [2]

January 9, 2020

Phishing Example: Urgent Request
These are targeted and simple forms of phishing emails designed to get victims to purchase gift cards, the "email compromise" gets its name because the attacker mimics the email of a known sender. However, these can also be sent through a legitimate, albeit hacked account. The messages start out as basic greetings then progress into requests for money or data. Since the content is highly personalized it’s often easy to get hooked.

January 8, 2020

Data Privacy and You

In honor of International Data Privacy Day, January 28

Data Privacy Day Logo

All of us exist in digital form on the Internet. When you're online you leave a trail of "digital exhaust" in the form of cookies, GPS data, social network posts, browser searches, and email exchanges, among others. Services that you don’t even use may have information about you. And once something is online, it can be there forever.

January 6, 2020

Celebrate Data Privacy Day 2020

What's Data Privacy Day?

Champion Badge

November 13, 2019

ISO Reorg and Call for Staff Internship Applications

We are excited to announce some organizational developments and opportunities to work with us.

Recently ISO underwent a structural reorganization. This new structure allows us to continue to evolve and respond to challenges in the information security space, to streamline operations, and to create additional efficiencies. Vacant positions will be posted shortly to jobs.berkeley.edu and to our website.

November 12, 2019

Tips to Protect Yourself While Online Shopping

Even outside the traditional "Holiday" season we find ourselves purchasing items online. And so, it's good to remember online shopping best practices year round. In addition to our holiday shopping tips, here are a few others to keep you safe while online shopping: 

November 11, 2019

ISO Graduates First Staff Security Intern

The Information Security Office is proud to graduate Ryan Tran, our first Staff Information Security Intern!

We wanted to mark the occasion by talking with him about what he learned while at ISO. 

Oski thumbs up

November 6, 2019

Upcoming Changes for Information Security Policy

There will be some changes coming to information security policies at Berkeley brought on by a major update to the UC systemwide information security policy (IS-3). The revision brings sweeping changes to the way information security risk is handled on Campus. 

Ho-Ho-Holiday Tips to Keep You Shopping Safe

Animals in lights

I love this time of year; the air gets crisp, the leaves start to turn, and I get to wear sweaters all the time. However, the thought of leaving the house to battle the crowds elicits panic level 12. Perhaps that's why online shopping is gaining even more popularity. An estimated 165.8 million people shopped between Thanksgiving Day and Cyber Monday in 2018! [1] 

October 30, 2019

Phishing Example: Part time work assistant needed
This message, appearing to come from a professor, was successful at convincing several students to engage in back and forth emails ending in money changing hands. If you have received this message and shared correspondence with the scammer, we recommend that you cease correspondence immediately and contact UCPD if there has been any financial transactions.

October 18, 2019

Kubernetes Vulnerabilities Allow Authentication Bypass, DoS (CVE-2019-16276)

Summary

Two dangerous vulnerabilities have recently been discovered in Kubernetes, the open-source container-orchestration system: 
CVE-2019-16276
CVE-2019-11253

Impact

October 1, 2019

Vulnerability in Exim Could Allow for Remote Command Execution (CVE-2019-16928)

Summary

A vulnerability has been discovered in Exim, which could allow for unauthenticated remote attackers to execute arbitrary system commands on the mail server. Exim is a mail transfer agent used to deploy mail servers on Unix-like systems. Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

September 27, 2019

Vulnerability in PHP 7.3 Could Allow for Arbitrary Code Execution

Summary

A vulnerability has been discovered in PHP 7.3 (the latest release series) that could allow an attacker to execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.  [1]

September 6, 2019

No peeking! Staying safe and private on Wi-Fi

Wi-Fi is great. Think about it, you pretty much carry an entire library and a direct line to anywhere in the world in your pocket. Nowadays many businesses offer Wi-Fi for their customers, so you can stay connected even while eating udon or waiting in line for toast.

But! That doesn’t mean it’s perfect. Using public Wi-Fi is sort of like doing, well, anything else in public: you want to be safe and not accidentally wander into trouble. Let’s talk about what you can do to protect yourself on Wi-Fi.

Don’t pass on strong passwords

Passwords! What a headache, am I right? Sometimes it seems like that in order to be safe, your password must contain letters, numbers, punctuation, bird noises, and at least one Egyptian hieroglyph.

But the truth is that it’s easier to create a long, strong, safe password than most people think. Let’s take a quick look at a few tips for making a password that will keep your account safe.