各位用戶：

您可能會收到一些類似以上的欺詐電郵，這些電郵看起來像是由資訊及通訊科技部發送的。

請勿回應此類查詢您的帳戶名稱及密碼的郵件，資訊及通訊科技部絕對不會要求您以電郵或通過網頁發送這類信息。

如需要協助請聯絡我們的服務中心：

服務中心聯絡
位置 :中央教學樓東5座(E5)2085室
電話 :8822 8600
電郵 :@

資訊及通訊科技部

欺詐郵件樣本

各位用戶：

您可能會收到一些類似以上的欺詐電郵。這些電郵看起來像是由資訊及通訊科技部發送的。

請勿回應此類查詢您的帳戶名稱及密碼的郵件。資訊及通訊科技部絕對不會要求您以電郵或通過網頁發送這類信息。若您不小心回應了一些可疑郵件，請儘快重設您的帳戶密碼。

如需協助，請聯絡我們的服務中心:

服務中心聯絡
位置 : 中央教學樓東5座 (E5) 2085室
電子地圖 : 電腦版本, 手機版本
電話 : 8822 8600
電郵 : @

資訊及通訊科技部

To: All Users

Many users reported that they received a suspicious email with password protected attachment named “A letter of complaint on University of Macau.rar”. Please DO NOT OPEN this attachment. This attachment contains a suspected Trojan. Usually, to compress an attachment with password can be used to bypass Anti-virus system. If you open it, your computer may be infected.

If you have any further queries, please feel free to contact our Help Desk (Ext. 8600, Email: @)

Thank your your attention.

Information and Communication Technology Office

To All Users,

The US Computer Emergency Readiness Team (US-CERT) have issued warnings on the vulnerability that found in OpenSSL versions 1.0.1 through 1.0.1f, and version 1.0.2-beta including version 1.0.2-beta1.

Original release date

8 April 2014

Description

This vulnerability allows remote hackers to retrieve sensitive information without authentication through incorrect memory handling in the TLS heartbeat extension. User authentication credentials and secret keys may then be disclosed to hackers.

The sensitive information that may be retrieved using this vulnerability include:

• Primary key material (secret keys)
• Secondary key material (user names and passwords used by vulnerable services)
• Protected content (sensitive data used by vulnerable services)
• Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Systems Affected

• OpenSSL 1.0.1 through 1.0.1f
• OpenSSL 1.0.2-beta (including 1.0.2-beta1)

Solution

Step 1: You can check if your web server is affected by this vulnerability through https://www.ssllabs.com/ssltest/.  A warning as show below will be displayed if the webserver is affected:

Step 2: OpenSSL has released the latest patches to address this vulnerability, you can download the patched update fromhttps://www.openssl.org/source/.

• For OpenSSL version 1.0.1 (including 1.0.1f): Update to version 1.0.1g
• For OpenSSL version 1.0.2-beta (including 1.0.2-beta1) : To be fixed in version 1.0.2-beta2.  Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS .
• Details: https://www.openssl.org/news/secadv/20140407.txt

Step 3: Any keys generated with a vulnerable version of OpenSSL should be considered compromised, they should be regenerated and deployed after the patch has been applied.

References

• US-CERT – OpenSSL ‘Heartbleed’ vulnerability

Thank you for your attention. For further inquiries, please feel free to contact our Help Desk (Ext. 8600, Email: @).

Information and Communication Technology Office