Campus IT staff are encouraged to review technical details of the Heartbleed flaw at this advisory page: Heartbleed: OpenSSL TLS Extension Vulnerability (CVE-2014-0160)
Impact on UC Berkeley IT Systems
- Change your CalNet passphrase to a phrase you have not used before and do not use anywhere else. As a reminder, do not blindly follow links asking you to reset your CalNet passphrase.
  - Go to https://calnetweb.berkeley.edu/
  - Under the "Links" section, please click "Change CalNet Passphrase."
  - When prompted, please enter your CalNet ID, your old passphrase, and your new passphrase (twice), then click the Change Passphrase button.
  - For additional help, visit https://calnetweb.berkeley.edu/it-help-desk-and-calnet-support
- Change critical passwords for any campus, professional or personal accounts of importance.
- Change your CalNet passphrase and other passwords again in another two weeks. Some websites and Internet services have immediately patched, and others will take time to respond to this vulnerability. A second round of changes is recommended, by which time we hope this issue has been widely addressed around the world.
Beware of Suspicious Email and Phishing Attempts
- Not sure if it’s a Phish? We are confident scammers will attempt to send emails to our campus, asking you to visit links to change your password in response to this or similar IT emergencies. We encourage you to be skeptical and check if in doubt. You may always send email to firstname.lastname@example.org if you are unsure whether an email is legitimate.
- Do not share your CalNet passphrase with anyone. No person should ask you to reveal your CalNet credentials, via email, in person or on the phone. Any such request is not a legitimate request and may be refused.
The campus information security team can provide more in-depth presentations about this vulnerability, phishing scams, or other security topics to campus departments, units or other peer organizations. We encourage departmental administrators and other interested individuals and groups to send an email to email@example.com or visit https://security.berkeley.edu/phishing for more information.