Respond to a Security Notice

Follow the instructions below for the specific security notice you received from the Information Security Office.

Compromised Host / Possibly Compromised System

What does it mean?

If you receive a “Compromised Host” notice, our analysts are highly confident that attackers have gained unauthorized access to your computer. With “Possibly Compromised System” notices, we detected highly suspicious network activity and we believe that your computer is compromised.

Some of the things attackers can do once your computer has been compromised include:

  • Install a keylogger to collect your email passwords, bank account numbers, and other private information
  • Use your computer to send out junk email (“spam”) or attack other computers
  • Use your computer to store and distribute illegal software, media files, and pornography
  • Search the hard drive for private information such as credit card and Social Security numbers
  • Disable your anti-virus and firewall software and leave “backdoors” allowing easy access to your computer

What should I do?

Read the email notice carefully. At the bottom of the notice, you will find additional information, including the log messages that triggered the alert. If there is a legitimate explanation for the detected network activity and you believe the alert is a “false positive”, please reply to the notice and let us know.

If you cannot explain the network activity, take these steps to secure your computer:

  1. Remove the computer from the network
    For your safety and the safety of others, a compromised computer must not remain on the campus network! If this notice was for a computer connected to Airbears, do not use the computer on Airbears or the campus wired network until the computer can be properly cleaned. Limit your use of other Internet connections to avoid losing your personal information and putting other computers at risk.
  2. Clean all signs of malware and other signs of intrusion from the computer
    There are two options you can use for cleaning your compromised computer:
  3. Respond to the security notice and describe how you have cleaned your computer
    Unless we get a response to our notices, we must assume the problem is not corrected, and your network access may be blocked. Respond to the notice, keeping the ticket number in the subject line, and let us know what you did to clean the computer. If you use anti-virus/anti-malware utilities, please include evidence of the results. You can send the results log as an attachment, paste the results as text, or send a screenshot.

In addition to these steps, we recommend that you:

Vulnerability Detected

What does it mean?

Vulnerabilities are flaws in the software or system configuration of a computer that can be used by attackers to gain unauthorized access to the system. By scanning for vulnerabilities on the UC Berkeley campus network, we find these flaws before they can be used by attackers to compromise computers. Fixing vulnerabilities reported in our “Vulnerability Detected” notices will help protect your computer from electronic attacks.

What should I do?

The “Vulnerability Detected” notices contain detailed information about the vulnerability and how to fix it. This may involve installing security updates to your operating system or software, changing system configuration settings, setting or changing passwords, or removing/upgrading outdated software.

Reply to the security notice if you are still unsure how to correct the vulnerability, or if you believe your configuration is secure and the notice is a “false positive”.

Otherwise, it is not necessary to reply to these notices.

Credential Exposure

What does it mean?

If you receive a “Credential Exposure” notice, we identified a possible disclosure of an account name and password. This disclosure may be the result of someone entering the information insecurely. Because this is frequently seen in phishing attacks and may have exposed the credentials to third parties, we strongly recommend changing your password on any internet sites using the credentials listed below.

What should I do?

First, read the email notice carefully.

  1. Change your CalNet passphrase: Change CalNet Passphrase

Additionally, we recommend that you:

  • Change any other passwords or account access codes used on the compromised computer
  • Check with your financial institutions for any unauthorized activity on your accounts
  • Ensure that your cleaned computer meets the campus basic Minimum Security Standards for Networked Devices
  • Perform a full scan of your computer with an updated Anti-Virus program

This email is not an attempt to confirm whether the credentials are correct, nor is it a request for your credentials. No University department personnel will ever request your credentials in email or otherwise.

Unless you have other questions, there is no need to reply to these notices.
