Respond to a Security Notice

What does it mean?

If you receive a “Compromised Host” notice, our analysts are highly confident that attackers have gained unauthorized access to your computer. With “Possibly Compromised System” notices, we detected highly suspicious network activity and believe that your computer is compromised.

Some of the things attackers can do once your computer has been compromised include:

• Installing a keylogger to collect your email passwords, bank account numbers, and other private information
• Using your computer to send out junk email (“spam”) or attack other computers
• Using your computer to store and distribute illegal software, media files, and pornography
• Searching the hard drive for private information such as credit card and Social Security numbers.
• Disabling your antivirus and firewall software and leaving "back-doors" allowing easy access to your computer

What should I do?

Read the email notice carefully. At the bottom of the notice, you will find additional information including the log messages that triggered the alert. If there is a legitimate explanation for the detected network activity and you believe the alert is a “false-positive”, please reply to the notice and let us know.

If you cannot explain the network activity, take these steps to secure your computer:

1. Remove the computer from the network
   For your safety and the safety of others, a compromised computer must not remain on the campus network! If this notice was for a computer connected to Airbears, do not use the computer on Airbears or the campus wired network until the computer can be properly cleaned. Limit your use of other Internet connections to avoid losing your personal information and putting other computers at risk.
2. Clean all signs of malware and other signs of intrusion from the computer
   There are two options you can use for cleaning your compromised computer:
   • Reinstall your operating system and software (RECOMMENDED): Reinstalling your compromised computer
   • Attempt to clean the system using antivirus/anti-malware utilities: How do I clean an infected computer of viruses and malware?
3. Respond to the security notice and describe how you have cleaned your computer
   Unless we get a response to our notices, we must assume the problem is not corrected, and your network access may be blocked. Respond to the notice, keeping the ticket number in the subject line, and let us know what you did to clean the computer. If you use antivirus/anti-malware utilities, please include evidence of the results. You can send the results log as an attachment, paste the results as text, or send a screenshot.

In addition to these steps, we recommend that you:

• Change your CalNet passphrase: Change CalNet Passphrase(link is external)
• Change any other passwords or account access codes used on the compromised computer
• Check with your financial institutions for any unauthorized activity on your accounts
• Ensure that your cleaned computer meets the campus Minimum Security Standards for Networked Devices

What does it mean?

Vulnerabilities are flaws in the software or system configuration of a computer that can be used by attackers to gain unauthorized access to the system. By scanning for vulnerabilities on the UC Berkeley campus network, we find these flaws before they can be used by attackers to compromise computers. Fixing vulnerabilities reported in our “Vulnerability Detected” notices will help protect your computer from electronic attacks.

What should I do?

The “Vulnerability Detected” notices contain detailed information about the vulnerability and how to fix it. This may involve installing security updates to your operating system or software, changing system configuration settings, setting or changing passwords, or removing/upgrading outdated software.

Reply to the security notice if you are still unsure how to correct the vulnerability, or if you believe your configuration is secure and the notice is a “false-positive”.

Otherwise, it is not necessary to reply to these notices.

What does it mean?

If you receive a “Credential Exposure” notice, we identified a possible disclosure of an account name and password. This disclosure may be the result of someone entering the information insecurely. Because this is frequently seen in phishing attacks and may have exposed the credentials to third parties, we strongly recommend changing your password as instructed below.

What should I do?

1. Read the email notice carefully
2. Change your CalNet passphrase: Change CalNet Passphrase(link is external)

Additionally, we recommend that you:

• Change any other passwords or account access codes used on the compromised computer
• Check with your financial institutions for any unauthorized activity on your accounts
• Ensure that your cleaned computer meets the campus basic Minimum Security Standards for Networked Devices
• Perform a full scan of your computer with an updated Antivirus program

Remember, no University department personnel should ever request your credentials in email or otherwise.

Unless you have other questions, there is no need to reply to these notices.