OCIO Newsletter issue 15


OCIO NEWSLETTER Issue 15 • APR 2014

SPOTLIGHT

LMS Evaluation 2013 Findings
Crusher Wong

In Issue 13 of the OCIO Newsletter [1], the LMS Evaluation 2013 project at City University of Hong Kong (CityU) was outlined with some information about pilot tests of the candidate platforms. Selected evaluation findings based on the e-Learning Team’s extensive testing, CityU members’ feedback and pilot run experiences are shared below.

Feature & Function Comparison
The e-Learning Team performed a feature and function assessment of Blackboard (Bb), Canvas and Moodlerooms (MR) in May 2013 with support from the vendors and colleagues in the Computing Services Centre (CSC). After receiving verbal enquiries, Desire2Learn (D2L) was admitted to the evaluation in November 2013. A summary of the feature and function comparison is presented in Table 1.

Interviews with Pilot Teachers
As a hands-on evaluation of the 2 major candidates, pilot licenses were acquired to use Canvas and Moodlerooms in real courses. 8 colleagues volunteered for the pilot, teaching over 700 students in 9 courses on either platform during Semester A 2013/2014.

Figure 1: Rating of Canvas and Joule2 by Pilot Teachers


INDEX

SPOTLIGHT
p. 1 LMS Evaluation 2013 Findings

FEATURE
p. 4 DEC Mobile App Development Grants Get Digital Management Systems to Go
p. 8 I Like Tech@CityU Student Contest
p. 13 Smart Card Technology and Applications

FYI
p. 6 Don’t Open That Email! (A Fictional Story)

BRIEF UPDATES
p. 12 CityU Renewed ISO/IEC 27001:2005 Certification for Its Paperless Office Service
p. 14 CityU Receives 4 Gold Awards for Accessibility
p. 15 CityU Receives the CSO40 Award for Information Security Achievement
p. 16 New IT Security Related Policies

IT SECURITY AWARENESS SERIES BY JUCC
p. 10 Internet Security

STATISTICS AT A GLANCE
p. 17 Central IT Services

GLOSSARY CORNER
p. 20 Advanced Persistent Threat (APT) and Spear Phishing

Table 1: LMS Candidates Feature and Function Comparison

In December 2013, face-to-face semi-structured interviews were arranged to seek inputs from these 8 staff members, half of whom tried Canvas and the other half MR Joule2. Views on productivity in administration on both LMSs were scattered, but opinions on the effectiveness in teaching and learning were conclusive – 3 voted “improved” for Canvas versus 3 voted “no significant improvement” for Joule2. Canvas users praised the interface design, flexibility, and support for mobile devices. While one colleague valued the drag-and-drop feature for uploading content in Joule2, another MR pilot teacher returned to Blackboard for a certain feature. Quantitatively, colleagues rated the pilot platform in the aspects of teaching, assessment and administration on a 5-point scale. Figure 1 illustrates that pilot teachers’ satisfaction with Canvas was much higher than that with MR Joule2. When it came to replacing Blackboard, Canvas won the trust of the majority whilst mixed feelings were expressed among the Joule2 users (Fig. 2). Interestingly, the “No” response for Canvas was due to the long-term cost and the worry about colleagues’ reaction in terms of change management rather than any doubt about the platform.

Figure 2: Acceptance of Pilot LMS to Replace Blackboard

Feedback from Pilot Students
An online questionnaire was sent to all students registered in courses running a pilot of Canvas or Moodlerooms Joule2 in November 2013, after they had gained experience with the platforms. The response rates were 29.9% (out of 331) and 14.3% (out of 391) for Canvas and Joule2 respectively. Results of all quantitative questions are illustrated in Fig. 3 and Fig. 4 separately for each LMS. The Likert scale questions asked students to compare the pilot platform against Blackboard. Canvas was appreciated for its user friendliness and the convenience of downloading course materials. Although students welcomed Canvas in some areas, they were uncertain about replacing Blackboard with Canvas. In contrast, MR Joule2 was rated relatively low in user friendliness and overall learning experience. Students also showed a clear preference to stay with Blackboard instead of adopting Joule2. The average scores of the five-point Likert items are listed side-by-side in Table 2 for easy comparison.

Figure 3: Assessment of Canvas against Blackboard by Pilot Students

Choice of Staff and Students without Pilot Involvement
Vendor presentations were arranged so that CityU members who had not been involved with the pilot would also have a basic understanding of the individual LMSs. An online survey for non-pilot users attracted 22 responses (10 staff and 12 students). Among Blackboard, Canvas, Moodlerooms and Desire2Learn, over half of the respondents preferred to keep Blackboard (Fig. 5). However, 22 responses out of over 30,000 users at CityU might not be a good representation of opinions. Also, opinions of non-pilot users might change once they have some hands-on experience.

Figure 4: Assessment of MR Joule2 against Blackboard by Pilot Students

Analysis on LMS Candidates
Canvas is a modern LMS platform with a highly intuitive and user-friendly interface. Software wizards guide instructors on how to use the system and remind them of important tasks. The course site structure is similar to Blackboard, which lowers the learning curve for existing CityU users. There is integration with many popular third party e-learning tools. This ability to easily extend the platform is the company’s tactic in supporting different types of pedagogies. The cloud-based Software as a Service model will save local hosting costs in the long run. However, the resolution on a regional data centre is still pending. The advantage of Moodlerooms Joule2 is obvious – it allows drag-and-drop action to add multiple files to a course site. Nevertheless, the interface is not very intuitive and the experience during the pilot was a bit frustrating. The quality of technical support is also a concern, as the users had to settle for a not fully functional LMS instance for the entire pilot. The adoption of Blackboard, instead of Moodle, at the Polytechnic University of Hong Kong and the Chinese University of Hong Kong in recent years also suggests the uncertainty involved. Many users agree that Blackboard may not be the best LMS. Its user interface is dated and tedious steps are required in order to create an activity. Nevertheless, Blackboard provides more tools than any other LMS involved in the evaluation and a complete makeover is on the way. According to the survey results, many CityU users are skeptical of any new LMS and prefer to stay with Blackboard. While the Senior Management is facing a tough decision on the centrally supported LMS in the near future, further development of e-Learning at CityU may depend on how we facilitate teaching and learning rather than which LMS is being used.

Table 2: Comparison of Pilot LMS with Blackboard by Students in 5-point Likert Scores

Figure 5: Preferred LMS According to Staff & Students without Pilot Involvement

Reference:
1. Wong, C. (2013, October). LMS Evaluation 2013-2014. OCIO Newsletter Issue 13. Retrieved from http://issuu.com/cityuhkocio/docs/newsletter_issue_13

FEATURE

TAG and MADG project sharing series (II):

DEC Mobile App Development Grants Get Digital Management Systems to Go
Angel Lu

In support of City University of Hong Kong’s (CityU) Discovery-enriched Curriculum and the growing importance of technology innovation and knowledge transfer, the application of mobile technology has been readily embraced and pioneered. As a vanguard in enhancing our learning environment and experience, the DEC Mobile App Development Grants (MADGs) are going to ignite a digital revolution.

In this issue, we have Mr. Angus Yip, from the Department of Computer Science, and a group of volunteer students who are both talented and assiduous, to showcase two successful MADG projects, CityUiReserve and CityUiStore. Thanks to the Provost Office’s generous project funding for all the necessary equipment and software, CityU’s facility reservation and inventory management are on the way to enriching user experience and productivity.

CityUiReserve – unified booking of facilities
CityUiReserve, a unified mobile booking system, aims to simplify the reservation services for users and maintainers. CityU has provided a myriad of facilities and rooms for educational and recreational purposes to staff and students. Even though online booking services have already been made available, different facilities require separate procedures on individual systems to make reservations. Besides raising security concerns, such fragmented booking platforms make booking a facility more complicated. Therefore, iReserve provides a collaborative infrastructure platform with the same mobile access interface to bridge mobile users and facility providers, so as to maintain a consistent booking experience. Beyond enhancing user experience, iReserve’s flexible interface lets facility providers tailor the booking form and booking flow to meet specific requirements. As a consequence, iReserve not only eases the complication of the booking procedure but also helps facility officers to optimize the usage of facilities and provide on-time support to users.

CityUiStore – Reaching inventories within a click
There is no doubt that inventory management is an arduous task. CityUiStore is here to let inventory items tell their locations and current statuses with just a touch or swipe on smart devices.



Secure collaborative architecture of iReserve

iStore, intended to save the effort of inventory staff, is a portable inventory maintenance system that provides efficient ways to manage all inventories on campus. Authorized users can easily query the location and status report of a designated inventory item by utilizing the location sensor and high-resolution camera on their smart gadgets. In addition, iStore links the status of the inventory to a unified system. Thus, inventory staff can add a remark and take a snapshot of the inventory item so as to keep its status up-to-date and ensure on-time replenishment or replacement. Such accessibility saves tremendous paperwork and clerical manual work on inventory management, especially when there are thousands of pieces of technical equipment distributed all over the University.

iStore’s workflow: Keep inventory updated

Similar structures, different targets, same goal
In order to maximize the development productivity of both apps, they were structured on top of Apache Flex and Adobe AIR: Apache Flex is an open-source framework for developing applications across web, desktop and mobile devices, while Adobe AIR allows the application to “write once, run anywhere” on popular mobile platforms, i.e. Google Android, Apple iOS and BlackBerry PlayBook. Despite the tight schedule, this combination turned out to be a well-matched tool-kit that boosted the development and deployment cycle. Students from iReserve and iStore attained great satisfaction when their final products were released online. Although these awarded mobile apps target different audiences and try to solve unique problems, they unanimously helped students make great strides in the eyes of their supervisor. “The hands-on experience of solving a real-life

problem and constructing a large-scale program assists students to transform theories into practical application,” Mr. Angus Yip remarked. “Theory becomes more useful after you tinker with it by yourself.” That is the true spirit behind the Discovery-enriched Curriculum!

“I’d like to pay special tributes to the students who all worked with all their hearts and soul,” Mr. Yip noted appreciatively. In the picture from left to right: Mr Angus Yip, Daniel Yuen from the iReserve team and Kingsley Chan, Cathy Ho, Kevin Kwong from the iStore team. Other members who have also contributed to the projects that are not in the picture include: Kwok Yee Lok, Quill Hon and Roy Ng.


FYI

Don’t Open That Email! (A Fictional Story)
Andy Chun

Ever wonder what happens when you open attachments or click on links in suspicious emails? Here is a fictional story of what might happen.

“Emma works at CityU. Being a professor, Emma receives lots of emails each day from students and colleagues. She also gets lots of junk and spam email. But Emma is very careful not to open suspicious email. One day she gets an email titled “Important Message from the President”. The sender was president@cityu.edu.hk, so it looks legitimate and Emma opens it. The email says the University plans to endorse some important new policies, with details attached in a PDF file, and would like to seek opinions from all members of the University. Eager to participate in the development of the University, Emma quickly opens the PDF file, only to find it was a memo that had already been circulated a couple of weeks ago. Emma says to herself, “That’s strange; maybe it is the second round of consultation?” and continues with her work. Unknown to Emma, the email she opened was a phishing email and the attachment contained malware. At the same instant that Emma clicked on the PDF attachment, a silent rootkit was installed, and on the other side of the world, a message popped up in a console window at one of many computers of a botnet command and control centre. It is the middle of the night; just the right time for hackers to start their shift. One sees the message in the console window and types in some commands. With a sneering grin, the hacker watches the screen as more software is quietly installed onto Emma’s computer at CityU. From then on, everything Emma types will be replicated to the botnet immediately or spooled into a file that the hacker may retrieve later to fish for valuable information such as login IDs and passwords. Every so often, the hacker, who has taken full control of Emma’s computer, may take a screenshot of her work, or even turn on her webcam to watch and listen to what Emma is doing, or even take a photo. All this data will be encrypted, compressed, and then sent back to the hacker interactively, or at a later time. Armed with Emma’s login credentials, the hacker and his friends will quickly infiltrate CityU’s intranet, installing more malware and hacking tools, and changing system configurations. The hackers will exploit any zero-day vulnerabilities, possibly infiltrating departmental servers and then moving on to central servers. Hackers have tons of hacking tools at their disposal; tools to find security vulnerabilities and to crack our passwords. After quietly watching Emma work for months, the hackers decided they had enough data. But before leaving, they encrypted Emma’s entire hard disk and blackmailed her for untraceable bitcoin money in return for a password to decrypt her hard disk. Sadly for Emma, she paid the ransom but never got her password; all her years of research and teaching material were gone.”

Even though the story is fictitious, countless events similar to those described occur on a daily basis all around the world.

Creative commons photo via Flickr user powtac.



Hackers are getting more and more sophisticated. They target a specific organization and then perform extensive background research, leveraging social engineering techniques, to gain a deeper understanding of our organization, its people, and our work. Thus the phishing email they create will look quite authentic and real. At CityU, we get these “spear-phishing” emails very often. So beware! They will look just like a normal CityU email, with the names of actual colleagues working at CityU. The following is an example of what a sophisticated spear-phishing email might look like:

From: City University of Hong Kong [cio@cityu.edu.hk]
Sent: Sunday, January 06, 2013 3:41 PM
Subject: News update

Please, some of your incoming mails are on pending status due to our recent database upgrade Click {URL to unknown external site} to verify your account and wait for a few hours while we rectify it we apologies for any inconvenience.

Signed
Andy Chun
Chief Information Officer
City University of Hong Kong
83 Tat Chee Avenue
Kowloon Tong
Hong Kong
E-mail: cio@cityu.edu.hk
© 2013 City University of Hong Kong. All Rights Reserved.

Here are some hints to help you safeguard yourself against those attacks:

• Don’t Trust Any Email! Even if it says it is from CityU or from a person you know. It is easy to fake the “sender” field of any email.

• CityU Will Never Ask You To Verify Your Account Through Email! We will never send a link to your CityU email and ask for your personal data and password; we already have that information!

• Do Not Click On Attachments or Links! Unless you are absolutely sure of the authenticity of the sender. Always be suspicious of attachments or links from anyone, even from people you know, as their email accounts may have been compromised. It is good practice to NEVER click on links directly in emails; always use “Copy & Paste” instead (as the link you see might not be the actual destination). Highlight the URL in the email to select it, then copy and paste it into the address bar of a browser. Do not hit “return” yet! Check exactly where the link goes before visiting. CityU will only use links to our www.cityu.edu.hk domain.

• Beware of Email from Social Media Sites! A lot of phishing emails pose as being from LinkedIn, Facebook, YouTube, etc. They use the exact same logo and look just like a real message from those sites. It is best to avoid clicking on those emails.

• Trust CAP Messages Instead! Most messages from the University are sent via CAP, not email. Only the most important “University Announcements” (UAs) are sent via CAP and email, but they rarely ever contain a PDF attachment. If you see a “University Announcement” email with a PDF attachment, do not open it. Instead, go to CAP to see if the UA message is there. It is safe to open a PDF file within our CAP system. All PDF files in CAP and AIMS have already been scanned for viruses/malware.

• Double Check with Sender! Finally, when in doubt, always double check with the sender to see if the email is real.

If, in the unfortunate case, you have responded to a spear-phishing email and have disclosed your account or password information, please change your password immediately. The security of the University’s digital assets depends on you! Be vigilant and on guard at all times. For your information, the University gets over a million hacking attempts each week. The reputation of the University depends on you!
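The “copy the link and check where it really goes” hint above can be automated on the receiving side. The script below is an added example, not a tool from OCIO or the article: it pulls every link out of an HTML e-mail body, compares the visible link text with the real destination host, and flags any destination outside the www.cityu.edu.hk domain named in the hints. The sample message and the hostnames in it are constructed for the demonstration.

```python
"""Link checker for HTML e-mail, following the hints in the article.

Added example, not OCIO's own tooling. It assumes the rule stated in the
hints: legitimate CityU links point at the www.cityu.edu.hk domain. The
sample message at the bottom is constructed, not a real e-mail.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "www.cityu.edu.hk"  # the domain the hints say CityU links use


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, or None if it has none.

    urlparse().hostname discards any user-info before '@', so a lure like
    'https://www.cityu.edu.hk@other.example/' resolves to 'other.example',
    which is where a browser would actually go.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # bare 'www.example/x' in link text has no scheme
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_trusted_host(host, trusted=TRUSTED_DOMAIN):
    """True only for the trusted host itself or a subdomain of it.
    A plain suffix test would accept look-alikes such as 'xwww.cityu.edu.hk'."""
    return host is not None and (host == trusted or host.endswith("." + trusted))


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def check_links(html):
    """One finding per link: real destination host, whether it is trusted,
    and whether the visible text names a different host than the href."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        shown = host_of(text) if looks_like_url(text) else None
        findings.append({
            "href": href,
            "text": text,
            "destination_host": dest,
            "trusted": is_trusted_host(dest),
            "text_mismatch": shown is not None and shown != dest,
        })
    return findings


# Constructed sample e-mail body: one legitimate link, one whose visible
# text lies about its destination, one hiding the real host behind '@'.
SAMPLE_EMAIL = """
<p>Go to <a href="https://www.cityu.edu.hk/cap/">CAP</a> for announcements.</p>
<p>Click <a href="http://verify-account.example/">https://www.cityu.edu.hk/verify</a>
to verify your account.</p>
<p>Login: <a href="https://www.cityu.edu.hk@login.example/">www.cityu.edu.hk</a></p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        status = "OK" if f["trusted"] and not f["text_mismatch"] else "SUSPICIOUS"
        print(f"{status}: '{f['text']}' -> {f['destination_host']}")
```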


FEATURE

I Like Tech@CityU Student Contest
e-Learning Team

To give students a chance to share interesting stories of how they pursued their “Discover & Innovate @ CityU” dream, the Office of the Chief Information Officer and the Office of Education Development and Gateway Education (EDGE) co-organized the “I Like Tech@CityU” Student Contest last November. The contest attracted students across various departments, who submitted their entries using different media including stories, videos and mobile apps. Their innovative submissions clearly demonstrate how their learning is enriched through the use of technologies provided by CityU. Winners were announced at the award presentation ceremony held during Discover Festival 2014 in the presence of the Chief Information Officer, Dr. Andy Chun, and the Director of EDGE, Prof. Shuk Han Cheng. Two categories of awards were presented - Most Innovative Use of Technology (top prize) and Best Use of Technology (first prize). An Apple iPhone 5S was awarded to all the members of the top prize winning team, and the winners of the first prize each received $500 shopping coupons.

Technology@CityU
“Design of 3D builder ~ Learning from advanced technology” was one of the winning entries, produced by College of Science and Engineering students Lau Tsz Kit and Kam Chun Wing. In their submitted video, they recorded the process of designing a new 3D printing system for building construction. With support from the CityU GE Lab, they were able to utilize the interactive surface computing platform and smart TV during the design process, giving them an interactive environment for generating creative ideas. In another submission, produced by Chan Ka Lai, Yip Yi Chau and Chow Ka Shing, they showed how rapid prototyping can be achieved using the 3D printer in the GE Lab. They also created an Android mobile application called “Journey in GE lab” which further described their learning process and provided additional content to users, including 3D printing tutorials and 3D model sample photos.

Dr. Andy Chun (CIO) giving the opening speech highlighting the importance of technologies in teaching and learning

Winning entries were showcased at the e-Learning and m-Learning mini fair during Discovery Festival



Snapshots of the winning entries with technologies ranging from multitouch table, 3D printing to mobile apps

Innovation@CityU
Apart from the use of technologies, our students also leveraged their innovation throughout their study at CityU. Pang Chak Man, a student from Electronic Engineering, documented how he pursues learning in programming through the development of mobile applications. He developed several innovative mobile apps for different purposes, including one that can be used for an event opening ceremony and another one showing weather forecasts. Led by School of Creative Media student Cheng Yan Ting, her team plotted and filmed an interesting story, “Finding Son”, showing a father searching for his son inside the campus. Through the story, viewers have a chance to explore various learning venues inside CityU, e.g. the DEC Lab, CMC Animation Lab and Audio Lab. Wong Chui Shan, a student from the Department of Civil and Architectural Engineering, designed a parametric building based on twisted Y-shapes using professional building design and construction software. To prove the feasibility of her design, she constructed some of the components using 3D printing technologies.

Contest organizing committee chairs Dr. Andy Chun (CIO) and Prof. Shuk Han Cheng (Director EDGE) with the contest winners

Award categories: Most Innovative Use of Technology; Best Use of Technology

Winning entries and teams:
• Design of 3D builder ~ Learning from advanced technology: LAU Tsz Kit, KAM Chun Wing
• Finding Son in CityU: CHENG Yan Ting, MOK Ka Yee, YIU Kin Man, CHIM Tsz Wang Kevin
• Make Learning Fun with Programming: PANG Chak Man
• An App to explore our Journey in the GE Laboratory: CHAN Ka Lai, YIP Yi Chau, CHOW Ka Shing
• Revit studies - Parametric building design: WONG Chui Shan

All the winning entries together with their submissions are available on the e-Learning team web site at http://go.cityu.hk/iliketech


IT Security Awareness Series by JUCC
With the aim of enhancing the IT security awareness of the CityU community, KPMG was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security; they will be adopted and published here for your reference.

Internet Security

I. Background

Industry Story: Scaling Back Web Browser Security Expectations
Web browsers serve as the most popular interfaces for users to interact with web-based applications. However, as is always said, technology is a double-edged sword: the increasing importance of web browsers in today’s Internet technologies has also made web browsers the focus of cyber attacks. Security is one of the major concerns in the evolution of web browsing technologies and the development of the web browser market. Vulnerabilities in web browsers such as Microsoft Internet Explorer and Firefox are continuously discovered or exploited. It has been a challenging task for web browser vendors to incorporate the latest web technologies and meanwhile harden their products in order to protect the information security of their users.

Internet Security Overview
Internet security is an essential component of preserving information security within universities. The Internet is an insecure channel for communicating and exchanging information. Therefore, the main objective is to protect the universities’ information systems from various threats. The most common way for universities’ students and staff members to interact with the Internet is through the use of web browsers. Nowadays, web browser vendors often incorporate different features to improve the user experience when browsing the Internet, but these sometimes end up causing additional vulnerabilities and increasing the security risk exposed to malicious attacks. As most of the threats aim at attacking the web browsers used by students and staff members of universities, it is important to understand the various threats on the Internet and the corresponding consequences when those threats exploit the vulnerabilities of web browsers, whether it is Internet Explorer, Mozilla Firefox, Opera, or Apple Safari.

II. Management

Threats to Internet Security
While most of the network infrastructures and information systems maintained by universities have appropriate information security management (e.g. corporate firewall, change management and regular penetration tests), individual access to the Internet by students and staff members is often loosely controlled. Management should be aware of the following major threats, which usually exploit the vulnerabilities of web browsers and may result in an adverse impact on the overall security of universities’ IT environment.

1. Phishing
Phishing is a way of attempting to obtain sensitive information (e.g. usernames, passwords and credit card details) by masquerading as a trustworthy entity when users are interacting with the Internet. It is typically initiated by directing users to fake websites through e-mail spoofing or by popping up fake message windows to deceive users into downloading malware. Recent trends also indicate that social networking sites have become the prime target of phishing, since the personal details on such sites can be used in identity theft.

Impact
Successful phishing attempts can cause the leakage of sensitive information related to the universities or their students/staff. Access credentials (i.e. usernames and passwords) to universities’ information systems may be released to unauthorised parties and lead to serious security breaches. Monetary loss may occur if credit card details are acquired by the attackers. Reputation damage or possible litigation may follow a phishing activity that steals the private data of universities’ students, staff or third party personnel (e.g. contractors).

2. Trojan
A Trojan is a general term for malicious software that pretends to be harmless so that a user willingly allows it to be downloaded onto his or her computer. Unlike viruses, Trojans do not replicate themselves and spread to other hosts. Instead, they present themselves as useful programs that users wish to run. When executed, they do something unrelated to the advertised purpose without the users’ knowledge. The most common ways to be infected by Trojans are downloaded files or e-mail attachments.

Impact

Consequences of Trojan infection come in many forms. A key logger Trojan logs the victim’s keystrokes and then sends the log files to the attacker. A remote access Trojan gives the attacker control over the victim’s computer. The attacker can go through the files and access any sensitive information (e.g. personal data, credit card numbers and research information) that is stored in the files. A proxy/wingate Trojan converts the victim’s computer into a proxy/wingate, which can be used by the attacker for anonymous access to commit illegal activities.

3. Spyware
Spyware refers to programs that surreptitiously monitor the activities of a user’s computer and report such information back to the spyware owners without the users’ awareness. Originally, spyware was a way for shareware authors to earn revenue from their free software by implanting advertising elements (e.g. banners, popup windows, etc). The downside is that such advertising elements perform additional tracking tasks on users’ behaviours and report the statistical data back. Ideally, no sensitive information would be collected. However, the functions of spyware have been extended well beyond simple tracking today and are able to collect various types of personal information, such as Internet surfing habits and websites that have been visited, as well as redirecting web browser activities, altering system configurations or even installing additional software.

Impact
Interference with users’ control of their computers is one of the most dangerous consequences of spyware. Victims may frequently notice undesired behaviours, such as unknown CPU activity, disk usage and network traffic, which cause degradation of system performance and stability. In addition, spyware is closely related to identity theft as it sometimes records the victims’ user accounts, passwords or bank information. For example, the “CoolWebSearch” spyware takes advantage of Internet Explorer’s vulnerabilities to create popup ads, redirect web pages to pornography or gambling sites and collect private data.

4. Worm
Generally speaking, worms are viruses that can replicate themselves through the Internet by exploiting security flaws in victims’ computer systems and perform malicious tasks. Unlike computer viruses, worms do not need to attach themselves to existing programs and therefore are more epidemic in nature.

Impact
Most worms are capable of hampering the working of the Internet, whether by altering web browsers’ settings, consuming bandwidth, corrupting system files or installing backdoors to allow the creation of “zombie” computers, which comprise a network called a “botnet”, commonly used for sending junk e-mails and launching Denial of Service (“DoS”) attacks. In November 2008, a worm named “Conficker” exploited vulnerabilities in a number of Microsoft operating systems and infected millions of computers and business networks in countries around the world, creating a massive botnet that could be controlled by the author. Its infection also includes web browser problems such as redirection of web pages to unintended websites, program crashes, and DoS symptoms (e.g. “404 error” or “Page not found” when attempting to access security software websites).

III. General Users

Security of Web Browsers
Most of the popular web browsers today have integrated some fundamental security features that can largely lower the risk of threats on the Internet. The following functions are highly recommended to be enabled for general users:

• Enable Popup Blocker
Enabling “Popup Blocker” can effectively reduce the possibility of being compromised by malicious content in popup windows. Most web browsers have this function enabled by default and users are strongly recommended not to disable it unless the popup windows are from trusted websites.

• Control Cookies
Cookies are widely used by websites to track users’ activities, personalisation settings, browsing status, login user accounts or even encrypted passwords. Many attacks on the Internet utilise cookies to spread malicious activities and steal user identities and passwords. Most web browsers can perform an automated purge of cookies and general users are recommended to enable it. For example, check “cookies” in the “Delete browsing history” configuration page of Internet Explorer 9.

• Anti-Virus and Anti-Malware
A good habit to maintain the health and security of computer systems is to install anti-virus and anti-malware programs. General users should regularly (e.g. weekly) update the virus/malware definitions and perform system scans to detect / quarantine / remove any viruses and malware programs on their computers.

• Be Cautious on Social Websites
The development of social websites, such as Facebook, MySpace and Twitter, creates opportunities for attackers to conduct activities including phishing, personal data theft or clickjacking. General users should be cautious about suspicious links either available on the social websites (e.g. news feeds from friends) or received through e-mails. They should check with their friends through alternative means (e.g. instant messaging, e-mails or SMS) before clicking on doubtful links. Moreover, be aware that most social websites do not ask users to re-login simply to view material or access web applications. Always change the passwords of the social websites immediately if a user believes that he or she has already fallen victim to malicious attacks.

Conclusion
The Internet is a double-edged sword. It is an excellent source of information and a convenient means of communication. Yet, the freedom of the Internet and the lack of monitoring expose universities to great threats. Management should understand well the potential consequences resulting from Internet threats and cultivate general users’ awareness of information security when surfing the Internet through web browsers.

Copyright Statement All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, noncommercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below: copyright@jucc.edu.hk Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong


BRIEF UPDATES

CityU Renewed ISO/IEC 27001:2005 Certification for Its Paperless Office Service Office of the CIO

The ISO/IEC 27001:2005 standard is the most widely recognized information security management system standard in the world. CityU first earned ISO/IEC 27001:2005 certification for our Paperless Office Service in 2013. The certification confirms that CityU has a mature information security management system in place for its mission-critical Enterprise Content Management (ECM) system, i.e. the Paperless Office Service, and that CityU has adequate and proportionate security controls to protect important information assets and manage information security risks. However, ISO certification is not a one-off exercise. To maintain certification, an organization must faithfully, diligently, and consistently review and monitor the information security management system on a sustained, ongoing basis. We are pleased to announce that in Feb 2014, the University renewed its ISO/IEC 27001:2005 certification after a rigorous continuous assessment process performed by the British Standard Institute (BSI). Dr. Andy Chun, Chief Information Officer for CityU, commented: “IT security is a top priority for the University. We are very pleased with the result of the re-certification. This remarkable accomplishment could not have been possible without the hard work and dedication of our IT staff within the Computing Services Centre (CSC) and the Enterprise Document Management Team (EDMT) within the Enterprise Solutions Office (ESU). Looking forward, we hope the success in the Paperless Office Service can be replicated in the other critical services of the University.”



FEATURE

Smart Card Technology and Applications Donny Lai

A smart card is any pocket-sized card with embedded integrated circuits (IC). The integrated circuits include a very low-powered microprocessor capable of performing cryptographic computation and managing the embedded storage. Thus, smart cards have the intelligence to securely protect and manage the stored data, such as a personal identification number or the monetary value stored in a payment card. Smart cards offer a number of security features that can be used to provide or enhance privacy protection in systems, including identification and authentication, data encryption, secure data storage, secure data exchange, biometric matching, and security certifications. A contactless smart card is a normal smart card with a small, sensitive antenna that can interact with a card reader through a contactless radio frequency (RF) interface to complete transactions within a very short distance and time. Contactless smart card technology is widely used in applications that need to protect personal information and deliver fast, secure transactions, such as electronic passports/visas and transit fare payment cards. The Hong Kong Identity (HKID) card and the Octopus card are examples of successful applications of contactless smart cards. We are also proud of having our CitySmart card launched in 1997, the same year as the launch of the Octopus card.

There are international standards for contactless smart card technology and applications. Two important standards are ISO/IEC 14443 and ISO/IEC 7816. Current smart cards have more storage capacity, so a signature, some biometric data, or even a photo of the card owner can be stored on them. The biometric data may include the fingerprint or the facial characteristics of the card owner. Biometrics are used in many new identity management systems to improve the accuracy of identifying individuals. Besides authentication through the presentation of a valid smart card, the biometric data stored on the smart card, rather than in an online database, can be retrieved immediately and compared with the biometric data captured on the spot, such as the fingerprint of the person presenting the card. This two-factor approach ensures that the biometric owner is holding his/her own card for authentication. Near Field Communication (NFC) is an application and extension of smart card technology. NFC is also a standards-based wireless communication technology that allows data to be exchanged between devices, especially the new NFC-enabled mobiles and NFC-enabled smart cards. Two NFC-enabled mobiles can easily exchange contact information by bumping closely in less than a second. Furthermore, business contact information can be stored on an NFC-enabled smart card and transferred by a quick tap to an NFC-enabled mobile. This may reduce the typing of new contacts into the mobile and eliminate the exchange of paper business cards during business events.

Photos: Smart Cards; Smart Gates; Book Borrowing


BRIEF UPDATES

CityU Receives 4 Gold Awards for Accessibility Office of the CIO

This is the second year that the Hong Kong SAR Government’s Office of the Government Chief Information Officer (OGCIO) and the Equal Opportunities Commission (EOC) have co-organized the annual Web Accessibility Recognition Scheme. The Scheme recognizes the dedication and efforts of enterprises and organizations in making their websites and/or mobile apps accessible to all people, including those with disabilities such as blindness, low vision, deafness, or physical disabilities. The award presentation ceremony was held on 14 April 2014. A total of 110 enterprises and organizations were recognized, with 117 websites and 23 mobile apps receiving Gold Awards, and 19 websites and 8 mobile apps receiving Silver Awards. This year, City University of Hong Kong received two Gold Awards in the Website Stream for achieving the highest level of Web accessibility criteria as defined by the OGCIO. The awards were for the University’s main website and the Office of the CIO (OCIO) website. Although only two websites received the award, in reality all CityU official websites (over a hundred in total) were designed for Web accessibility. In addition, the University received two additional Gold Awards in the Mobile Application Stream, which is a new category this year. The award recognizes mobile apps with the highest level of compliance in providing easily accessible content and functions on mobile devices to those with disabilities. The two mobile apps that received the Gold Awards are the CityU Mobile CAP and the CityU Mobile AIMS. The CityU Mobile CAP is a one-stop portal for all CityU-related announcements, which includes events such as seminars, workshops, etc. as well as administrative announcements. The CityU Mobile AIMS, on the other hand, provides students/staff with speedy native mobile app access to our University ERP with a suite of essential functions for academic, administrative and support services, such as grade report, class schedule, examination timetable, campus internship/work scheme for students, JobPlus vacancies for students, leave application/summary, academic calendars, and other useful directories. Dr. Andy Chun, the Chief Information Officer of City University of Hong Kong, commented: “Being a global institute of higher education, it is our social responsibility and obligation to ensure equal and convenient access to all our online resources by all people, including those with disabilities. Ensuring Web accessibility is not just an IT issue; it requires efforts from content owners across the entire University. I am happy to see their efforts are being recognized.” Dr. Chun also pointed out: “With the popularity of mobile devices, such as smart phones and tablets, we also wanted to make sure our mobile apps did not exclude any member of the CityU community from using those new devices and our services. I would like to thank our colleagues for the extra effort they had put into making accessibility work. This award belongs to them! Congratulations!”

Photo: Mr. Tomson Xu (left), key technical lead for the two winning native mobile apps, with the Mobile App Accessibility Gold Award, and Mr. K.H. Tam (right), key technical lead for web technology, with the Website Accessibility Gold Award.



BRIEF UPDATES

CityU Receives the CSO40 Award for Information Security Achievement Office of the CIO

This is the second year that IDG’s CSO magazine has organized the CSO40 Award. CSO (Chief Security Officer) magazine provides security executives and decision makers with knowledge on security best practices, strategies and insights. According to CSO, the annual international CSO40 award program “recognizes 40 security projects and initiatives that have delivered groundbreaking business value through the innovative application of risk and security concepts and technologies.” Judging for the CSO40 Awards was based on scores from a uniform set of criteria by a panel of judges that included security leaders, industry experts and academics. This year’s award ceremony was held on April 1, 2014, at Chateau Elan, outside Atlanta, GA, USA. CityU’s Security Information and Event Management (SIEM) project was named one of the top 40 global information security projects for 2013. The SIEM project started in 2010 and was designed and developed on top of the HP ArcSight platform. Over the years, we have consolidated all the University’s key event logs from over 30 routers, over 10 MS AD servers, firewalls/IPS, as well as over 230 network devices. With this capability, the SIEM system continuously monitors for and detects potential modern attacks, such as advanced persistent threats and insider threats. “We are extremely pleased that the University is being recognized by our peers in the information security field as one of the leading organizations in the use of technology for IT security,” said Dr Andy Chun, CityU’s Chief Information Officer.

Photo: The 2014 CSO40 Award Plaque, received by Mr. Raymond Poon, Director of Computing Services, on behalf of the University.

The list of other 2014 CSO40 Award Honorees includes some of the largest companies in the world, including Blue Cross Blue Shield, Boeing, Cisco, Comcast, Credit Suisse, Deloitte, Homeland Security, Hyatt, Intel, Lockheed Martin, McAfee, Metlife, Royal Bank of Scotland, SAP, UBS, etc. CityU is currently the first university in Asia to receive this prestigious award.


BRIEF UPDATES

New IT Security Related Policies Office of the CIO

To further improve our cyber security readiness, the “Information Strategy and Governance Committee” (ISGC) recently passed a couple of new IT security-related policies:

Enforcement of Mandatory Reboot after Windows Update: Ensuring your Windows PC has the most up-to-date version of the operating system is highly important in guarding against attacks. Windows updates are automatically downloaded to your machine. However, these updates only become effective after a reboot. Unfortunately, some users might not reboot their computers for days or even months. This means known vulnerabilities are left exposed and exploitable by hackers. Not rebooting computers regularly gives hackers opportunities to attack the University. Once attacked and infected, these CityU computers will be used as a platform to launch further attacks against other desktops and servers, and potentially our enterprise systems. The ISGC has decided to make rebooting after Windows Update mandatory across the University. Machines will automatically reboot a given time after Windows Update has been downloaded and installed. This will be enforced on machines within the CityU Windows domain. For non-domain machines, the owner shall enforce the reboot. Exemptions will be given to computers used for special purposes, such as computer simulations that might span days to complete. For those cases, owners are responsible for rebooting their computers within a reasonable interval or when the situation allows.
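A defender-side check for the condition this policy targets, as an added example that is not part of the newsletter or of CityU’s own enforcement tooling: it reads the markers Windows Update and component servicing leave in the registry when a restart is still owed, measures the time since the last boot, and flags the machine if both exceed an assumed 7-day grace period (the policy text only says “a given time”, so the threshold is an assumption).

```powershell
# Added example, not the newsletter's or CityU's own code. Reports whether this
# Windows machine has installed updates that are not yet effective because it
# has not been rebooted. The 7-day grace period is an assumed value.

function Test-PendingReboot {
    # Registry keys created by Windows Update and by component servicing when a
    # restart is required; they disappear after the reboot completes.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($key in $markers) {
        if (Test-Path -LiteralPath $key) { return $true }
    }
    # File replacements deferred until the next boot (set by installers and update engines).
    $sm = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    return $false
}

function Get-RebootComplianceReport {
    param([int]$GraceDays = 7)   # assumed grace period; the policy says "a given time"

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptime  = (Get-Date) - $os.LastBootUpTime
    $pending = Test-PendingReboot

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        LastBootUpTime = $os.LastBootUpTime
        UptimeDays     = [math]::Round($uptime.TotalDays, 1)
        RebootPending  = $pending
        # Out of policy only when updates are waiting on a restart AND the grace
        # period has elapsed; a long-running but fully patched machine is fine.
        OutOfPolicy    = ($pending -and ($uptime.TotalDays -gt $GraceDays))
    }
}

Get-RebootComplianceReport | Format-List
```

For the domain-wide view the policy implies, run Get-RebootComplianceReport through Invoke-Command against the list of domain machines and filter on OutOfPolicy.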

Enforcement of Mandatory Security Question and Answer: In case you lose access to your University account or forget your password, the “Security Question and Answer” feature in AIMS provides an alternative method for the University to authenticate your identity and rescue your account. This is particularly useful in the unfortunate situation of a security breach, where the University might need to “force reset” your LDAP and/or AD passwords. In order for you to log in again, you must set a new password. To set a new password online, you must have a “security question” and an “answer” stored in AIMS. Without a “security question” you will need to visit the CSC Service Counter in AC-2 in person to reset your password. This is highly inconvenient and impractical if there is a need for a massive password reset. Although the “Change Security Question” feature has been available through the AIMS “Personal Information” menu for a long time, it is not widely used. The ISGC has now approved making the security question and answer a mandatory requirement. You can set and change your security question and answer at any time through AIMS.



STATISTICS AT A GLANCE

Central IT Services


GLOSSARY CORNER

Advanced Persistent Threat (APT) and Spear Phishing Andy Chun (ed.)

Advanced Persistent Threat (APT) is a set of stealthy and continuous hacking processes, often orchestrated by humans targeting a specific entity. APT usually targets organizations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time. As the name implies, APT consists of three major components/processes: advanced, persistent, and threat. The advanced process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The persistent process suggests that an external command and control is continuously monitoring and extracting data from a specific target. The threat process indicates human involvement in orchestrating the attack.

Photo from TaxCredits.net

Spear Phishing is a type of phishing that is directed at specific individuals or companies. Attackers may gather personal information about their target to increase their probability of success. In general, phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. This article uses material from Wikipedia. The Author(s) and Editor(s) listed with this article may have significantly modified the content derived from Wikipedia with original content or with content drawn from other sources. The current version of the cited Wikipedia article may differ from the version that existed on the date of access. Text in this article is available under the Creative Commons Attribution/Share-Alike License. [Note: A 2012 Trend Micro study showed that 91% of APT attacks start with a spear-phishing email, and 94% of those emails carry a malicious attachment, usually in ZIP, XLS or RTF format.]

Editorial Box

OCIO Newsletter Advisory Board: Dr. Andy Chun (OCIO), Ms. Annie Ip (OCIO), Mrs. W K Yu (ESU), Mr. Raymond Poon (CSC), Mr. Peter Mok (CSC), Ms. Maria Chin (CSC)

Publishing Team: Ms. Noel Laam (CSC), Ms. Annie Yu (CSC), Ms. Joyce Lam (CSC), Mr. Ng Kar Leong (CSC), Ms. Kitty Wong (ESU), Ms. Doris Au (OCIO)

For Enquiry: Phone 3442 6284, Fax 3442 0366, Email csc@cityu.edu.hk

OCIO Newsletter Online: http://issuu.com/cityuhkocio

