Newsletter No. 424

No. 424, 4.10.2013 3 one attempt only. So in its official records, the University is faced with hundreds of attempts per day. Mr. Leung added, ‘There are many reasons that hackers would target a university. Some wannabe hackers may test their skills on university networks. Somebody has a grudge against a professor or a student may want to give them a hard time by sabotaging their computers. Some hackers may hijack a university network to launch attacks against other organizations. Some people may want to profit by stealing and selling the user names and passwords of teachers and students. Someone may attempt to steal research results with potential value from researchers.’ The Information Security Section (ISS) of the ITSC is responsible for coordination when dealing with cyber security incidents. But Mr. Leung said that these incidents usually involve a wide range of responsibilities and tasks, including identifying problems, informing the people concerned, fixing the problems, recovering the system, answering enquiries, and stepping up security. In other words, the whole ITSC is involved. These incidents include phishing e-mails, hijacking of servers, website defacement, viruses and malware. In 2012, there were 87 incidents in total handled by the ISS, up 89 per cent from 2011. From January to August 2013 alone, the ISS handled 103 incidents. This surge reflects the fact that the University has increasingly become a target for cyber attacks. Attack and Defence The CUHK e-mail server handles 1.1 million e-mails per day. Seventy per cent of them are filtered out because they contain viruses, they’re spam or they have other problems. Firewalls are installed in the application system networks of the University to detect abnormal data traffic, which may indicate break-ins and zombie computers under a remote control. The ITSC meets IT technicians of different academic departments and administrative units to exchange the latest information, and there are plans to team up with them to regularly check the computers of their departments and units. Mr. Leung said, ‘We rely on these IT technicians to safeguard the security of the computers of their departments and units. We hope that their chairpersons or heads could give them support.’ When dealing with hacking incidents, the ITSC sometimes has to report them to the police because in most of the cases the attacks did not originate on our campus, or even in Hong Kong. So the police has to get involved. Concerted Effort Needed Network security is a serious issue for the University. Prof. P.C. Ching said, ‘Data is our asset. Every person and every organization will do their best to protect their assets by safeguarding their network and data security.’ To safeguard CUHK’s computer security, the ITSC needs the concerted effort of all CUHK staff and students. Mr. Leung said, ‘Information security requires teamwork. For example, if you don’t mind your house security, not only that your house will be robbed, the robbers may hide in your house and use it as a base to rob other houses in the same complex.’ Security and convenience have always been at loggerheads on the issue of computer security. Mr. Leung said, ‘It’s like public health. When everybody washes their hands frequently, they will have a lesser chance of contracting viruses.’ A university is a diverse community with different levels of understanding and expectation of information security. Its environment is also very different from that at a corporation or a government agency, because of the free flow of information it is trying to promote and its extensive connection with others from all over the world. This unique situation makes the task to strengthen information security more difficult. The Snowden incident may serve as a wake-up call to CUHK members. Professor Ching added, ‘Internet security is one of our main concerns. The University will allocate necessary resources when they are needed to ensure that our equipment and technologies are sophisticated enough to fend off attackers.’ 程伯中副校長 Prof. P.C. Ching, Pro-Vice-Chancellor Campus Network Security after the Snowden Incident In June this year, Edward Snowden , a contract employee at the National Security Agency of the US, disclosed to the media that US Government had hacked the networks of governmental agencies and the universities of other countries. The local media speculated that one of the targets was the Hong Kong Internet Exchange (HKIX) operated by the Chinese University. 信息保安小提醒 Cyber Security Tips 經常更改上網戶口的密碼 Change passwords frequently 黑客盜取密碼後不一定馬上使用，而可能儲存起來留待日後使用或待價而沽，經常改更密碼，就能令這些黑客得物無所用。 Hackers may not use the stolen passwords right away. They may save them for future use or sell them later. If you change passwords frequently, that would render your stolen password useless. 設定複雜的密碼 Set a strong password 黑客用來破解密碼的軟件，會利用各種語文的字典為工具，所以簡單或容易聯想的密碼是難以保障安全。 The cracking software that hackers use would make use of dictionaries of different languages to crack passwords. So, simple passwords are unsafe. 不要把戶口密碼借給朋友使用 Don’t share your passwords with friends 即使朋友很可靠，也難保他們不會在不安全的電腦登入戶口，令密碼被盜取。 You may trust your friends. But they may log in your computing account with an insecure computer which may result in information leakage. 不要使用校外公用電腦或在未經加密的無線網絡登入大學戶口 Do not access CUHK IT systems from public computers 在網吧之類的公用電腦，很可能被人植入木馬程式，記錄鍵入的帳戶和密碼。 Public computers in cyber cafes or other places might contain Trojans that would capture your user names and passwords. 盡快安裝軟件公司發出的補丁 Installing the most recent security patches on the system as soon as possible 因為補丁一發出，黑客也會知道軟件的漏洞，可能會針對漏洞編寫病毒，此時未安裝補丁的電腦就十分危險。 All hackers become aware of the loophole of a program as soon as the software company issues a patch for it. They may create virus targeting that loophole. Computers that haven’t installed the patch to fix it will be vulnerable. 小心保護數據 Safeguard personal and sensitive data 校內部門如無必要，不應把任何個人資料儲存於電腦之內，如須儲存，則必須加密。 Unless absolutely necessary, academic departments or administrative units should not keep personal or sensitive data on their computers. If you have to keep them there, the data must be encrypted.