'Heartbleed' Security Vulnerability Update: Action on your part is recommended

April 10, 2014
Campus IT staff are encouraged to review technical details of the Heartbleed flaw at this advisory page: Heartbleed: OpenSSL TLS Extension Vulnerability (CVE-2014-0160)
Dear Campus Community,
A widely reported critical security flaw in the OpenSSL library, nicknamed “Heartbleed,” has been discovered. It affects not only some campus systems but also many information systems worldwide. The flaw lets an attacker read portions of a vulnerable server’s memory. That memory can contain personal information, other sensitive data, session cookies and even the passwords used on affected websites and systems, so an attacker can steal them without needing to break in any other way.

Impact on UC Berkeley IT Systems

Campus information security is actively identifying potentially vulnerable systems, and monitoring for attempts to exploit the flaw. IT staff on campus have been asked to review their systems and apply available patches.
Our CalNet login site and email system did not have this vulnerability. However, other campus systems, and other systems you may use outside of campus in your professional or personal life, may be at risk. 
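For IT staff reviewing systems, the flaw comes down to one malformed TLS message, and so does detecting attempts to exploit it. The following is an added example written for this page; it is not part of the campus advisory and not OpenSSL's own code. It reproduces the length check that OpenSSL 1.0.1g added to the heartbeat handler and flags a heartbeat record that an unpatched server (OpenSSL 1.0.1 through 1.0.1f) would answer with memory it should not return. The record layout follows RFC 6520 (TLS content type 0x18, a one-byte message type, a two-byte declared payload length, the payload, then at least 16 bytes of padding). The sample records are constructed for the example, including a three-byte heartbeat request that claims a 16 KB payload.

```python
import struct

# Constants from RFC 6520 (TLS heartbeat extension).
TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat messages
HB_REQUEST = 0x01      # HeartbeatMessageType: request
PADDING_MIN = 16       # RFC 6520 requires at least 16 bytes of padding
TLS_1_1 = b"\x03\x02"  # record-layer version used in the constructed samples


def build_heartbeat_record(declared_len, payload, version=TLS_1_1):
    """Build a TLS heartbeat request record (constructed sample data).

    `declared_len` is written into the payload_length field as-is, so it may
    deliberately disagree with the real payload. That mismatch is CVE-2014-0160:
    unpatched OpenSSL trusts the field instead of the bytes actually received.
    """
    padding = b"\x00" * PADDING_MIN
    fragment = bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + padding
    return bytes([TLS_HEARTBEAT]) + version + struct.pack("!H", len(fragment)) + fragment


def parse_record(record):
    """Split a raw TLS heartbeat record into (declared_payload_len, fragment).

    Raises ValueError for anything that is not a complete heartbeat request.
    """
    if len(record) < 5 or record[0] != TLS_HEARTBEAT:
        raise ValueError("not a TLS heartbeat record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    fragment = record[5:5 + rec_len]
    if len(fragment) != rec_len or rec_len < 3:
        raise ValueError("truncated heartbeat record")
    if fragment[0] != HB_REQUEST:
        raise ValueError("not a heartbeat request")
    declared = struct.unpack("!H", fragment[1:3])[0]
    return declared, fragment


def is_heartbleed_probe(record):
    """The check OpenSSL 1.0.1g added before copying the payload back:
    reject the message unless type(1) + length(2) + payload + padding(16)
    fits inside the record that was actually received."""
    declared, fragment = parse_record(record)
    return 1 + 2 + declared + PADDING_MIN > len(fragment)


def bytes_leaked(record):
    """How many bytes beyond the sender's own data an unpatched server copies
    into its response. The vulnerable code copies `declared` bytes starting
    right after the 3-byte header, but only len(fragment) - 3 of those bytes
    came from the sender; the rest is whatever sits next to it in memory."""
    declared, fragment = parse_record(record)
    sender_supplied = len(fragment) - 3
    return max(0, declared - sender_supplied)


# Constructed samples: a well-formed heartbeat, and a request whose record is
# only three bytes long but whose payload_length field claims 0x4000 (16384).
BENIGN = build_heartbeat_record(4, b"ping")
PROBE = b"\x18\x03\x02\x00\x03\x01\x40\x00"


if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("probe", PROBE)):
        print(name, "probe" if is_heartbleed_probe(rec) else "ok",
              "bytes leaked by an unpatched server:", bytes_leaked(rec))
```

The check only needs the heartbeat record itself, which is why the fix in OpenSSL 1.0.1g is a single length comparison. Note that it inspects decoded TLS records, so a monitoring deployment has to feed it records taken from the TLS layer; it is not a substitute for patching, and a system whose OpenSSL was patched by a vendor backport may still report an old version string, so check the package's changelog rather than the version number alone.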

Recommended Precautions

We are asking you to please take the following voluntary precautions.
  1. Change your CalNet passphrase to a phrase you have not used before and do not use anywhere else.  As a reminder, do not blindly follow links asking you to reset your CalNet passphrase.
  2. Change critical passwords for any campus, professional or personal accounts of importance.
  3. Change your CalNet passphrase and other passwords again in another two weeks. A new password entered on a website that has not yet been patched can be stolen the same way as the old one. Some websites and Internet services patched immediately; others will take time to respond to this vulnerability. A second round of changes is therefore recommended, by which time we hope this issue has been widely addressed around the world.

Beware of Suspicious Email and Phishing Attempts

In addition to the above precautions, we are asking you to be aware of the following:
  1. Not sure if it’s a phish? We are confident scammers will send emails to our campus asking you to visit links to change your password in response to this or similar IT emergencies. We encourage you to be skeptical and to check before acting if you are in doubt. You may always send email to consult@berkeley.edu if you are unsure whether an email is legitimate.
  2. Do not share your CalNet passphrase with anyone. No person should ask you to reveal your CalNet credentials, via email, in-person or on the phone. Any such request is not a legitimate request and may be refused.

The campus information security team can provide more in-depth presentations about this vulnerability, phishing scams, or other security topics to campus departments, units or other peer organizations. We encourage departmental administrators and other interested individuals and groups to send an email to security@berkeley.edu or visit https://security.berkeley.edu/phishing for more information.

Larry Conrad, Associate Vice Chancellor for IT and CIO
Paul Rivers, Interim Chief Information Security Officer