Urgent Information Security Vulnerability

September 26, 2014

On Thursday multiple IT companies and government cyber security organizations issued warnings about a significant vulnerability present on a high percentage of devices on the Internet. The vulnerability is widely present on UCSB’s campus network as well. The consequences of an exploit range from a disruption in service and loss of data to the use of a system as an attack point against other systems. Given the adverse impact that this vulnerability may bring to your critical systems, and the effort it will take to remove the threat, you should understand the situation.

Yesterday Enterprise Technology Services (ETS) issued a notification to Campus system administrators warning them of the vulnerability and asking them to take action to patch their systems. A follow-up message with updated information will be issued today.

ETS is taking steps to detect and mitigate the threat. ETS has already detected multiple attacks against Campus systems, and a sister UC campus has already reported a successful exploit. Unfortunately there can be no assurance that the vulnerability or a successful exploit can be detected at the network level. Ultimately your system administrators must patch the systems that they are responsible for to completely remove the vulnerability.

We appreciate your understanding of the situation by allowing your IT staff to take time to focus on patching systems in your organizations. We recognize that IT staff may not administer all systems in your department. We appreciate allowing your IT staff to work with faculty, non-IT staff, researchers, and students who may be responsible for system administration as many of these people may be unaware of the issue.

If you have questions about the situation, you can contact Sam Horowitz, Chief Information Security Officer or Kevin Schmidt, Campus Network Manager.

Thank you for your assistance in mitigating this significant threat.