OCIO NEWSLETTER Issue 19 • APR 2015

INDEX
SPOTLIGHT
1 Microsoft Office 365 User Experience: What Do Staff and Students Think and How Are They Using It?
FEATURE
4 Experience New Wi-Fi Technology in Open Access Area at Academic 2
6 Office 365 ProPlus for Staff
10 Brief Report on the Full Adoption of Canvas at CityU
DISCOVER & INNOVATE
5 Information Security inside Contactless Smart Card and Passport
BRIEF UPDATES
8 CityU Mobile - More Informative, Smarter App
ITSM SERIES
12 ITSM Awareness Series (Part 2: Configuration Management Database)
HOT FAQS
15 FAQs on OneDrive for Business
IT SECURITY AWARENESS SERIES BY JUCC
17 Mobile Security – Best Practices for General User
FYI
22 Green IT at CityU
STATISTICS AT A GLANCE
23 AIMS Access
GLOSSARY CORNER
24 GHOST & Superfish

SPOTLIGHT
Microsoft Office 365 User Experience: What Do Staff and Students Think and How Are They Using It?
Maria Chin

CityU introduced Microsoft Office 365 (O365) to students in early 2013 and to staff in mid-2014. For most students and staff, the first encounter with O365 was migrating their email to it and, for students, also changing their email address (domain) from “@student.cityu.edu.hk” to “@my.cityu.edu.hk”. This lets students keep their email accounts and addresses for life as they graduate and become CityU alumni, and stay in touch with their schoolmates, teachers and the University.

Office 365 Featuring Apps
• Students and staff like the O365 email (Exchange Online) because it is modern and works much like the personal services they already use (Gmail, iCloud, Yahoo, Dropbox, Google Drive, etc.). For example, O365 provides generous storage for email, unlimited storage for the personal drive (O365 OneDrive), easy read and co-edit sharing of documents in private folders (O365 Sites), and access to O365 content from anywhere on any device (with the O365 PC and mobile apps). These features, among others yet to be mentioned, have already relieved students and staff of the chore of deleting old email to free storage for new mail, enabled on-line collaboration, and reduced the chance of loss or unauthorized access to files shared by other means, such as USB drives, unprotected cloud storage, or even email, which can be forwarded with a mouse click.

• Students and staff use O365 to simplify teamwork in their studies and work. O365 Lync Online is commonly used for instant messaging, video calls, and sharing of the PC desktop and applications for illustration and discussion with peers. O365 Sites, mentioned above, enables file sharing, and its co-editing feature is ideal for teammates responsible for drafting different sections of a document or report: each can refer to the others' writing in real time while developing their own. Newsfeed (with Yammer coming), Calendar and Tasks facilitate discussion, help with planning and scheduling, record progress, and send automatic reminders on outstanding items.
Office 365 Lync Online
• Using O365 OneNote for personal note-taking is also popular among students and staff. OneNote helps collect and organize documents, email and materials received from different sources on the same topic and places them in a notebook section (tab) for easy retrieval. Users can also add remarks and annotations to the materials as personal reminders or references. For example, students like to create different course/project sections (tabs) in OneNote to keep email, notes, pictures, multimedia materials, etc. for the courses and projects they are taking, and then add highlights (in different colors), notes (typed or handwritten) and other useful content to personalize their study notes. For staff, OneNote also helps gather and keep personal notes and comments on meetings and projects.
Office 365 OneNote
• Students and staff value using Microsoft Office Pro Plus in O365 for their studies and work (including MS Office software for 5 PCs/Macs and MS Office Mobile for 5 iOS/Android devices), as it ensures the use of legitimate software, ready download and use of the newest features, and compatibility across PCs in the office, at home and on the move when using mobile devices.
Office 365 Cross Platform Compatibilities
• The convenience of O365 Office Online (Word Online, Excel Online, PowerPoint Online and OneNote Online) enables students and staff to read and edit email attachments instantly in a web browser (the Office Web Apps are lite versions of the software that run in the browser; no download or installation is required). This is handy when a user needs to edit a document for a reply but does not have the software installed on the computer at hand, for example a shared PC in a conference venue, kiosk or café. Of course, students and staff should be mindful that a shared PC is not under their control: they must not open or edit files containing confidential information on it, and should sign out of O365 when finished.

Office 365 Office Online

• In terms of security, students and staff appreciate the improved anti-virus, anti-spam and server security on O365, which is backed by Microsoft's global security knowledge base. Staff can also use O365 Rights Management to encrypt email and documents in folders (O365 Sites) to better protect email communication and file sharing of confidential and sensitive data with colleagues and external parties.

The following summarizes the advanced email and add-on features students and staff can enjoy on O365:
• 50 Gigabytes (GB) mailbox quota
• Unlimited disk storage on OneDrive
• Full O365 suite including Exchange Online, SharePoint Online, Lync Online, OneDrive and Newsfeed/Yammer, for communication, on-line meetings and collaboration
• 24x7 access to email and all O365 functions from PC, Mac and smartphone via web apps, thin clients and mobile apps
• More stable email connection from the Apple Mac operating system
• Remote wipe of data from a mobile device to prevent unauthorized access in case of loss
• Use of Microsoft Office Pro Plus for work, including Office software for 5 PCs/Macs and Office Mobile for 5 iOS/Android devices
• For staff, use of Rights Management on O365 to encrypt email and files with sensitive data for better email and file-sharing protection
• Use of state-of-the-art e-communication technologies without waiting for the on-premises systems to upgrade
• Supported by a global security knowledge base for better e-communication security (anti-virus, anti-spam, anti-phishing and server hosting)
FEATURE
Experience New Wi-Fi Technology in Open Access Area at Academic 2 Tony Chan
The new Wi-Fi standard, IEEE 802.11ac, answers the rapid growth in demand for Wi-Fi speed. Its specification offers more than three times (3x) the speed of IEEE 802.11n, the standard generally supported by the campus Wireless LAN (WLAN), and it is backward compatible with 802.11n. Most Access Points (APs) supporting the new standard also support 802.11a, b, g and n (802.11ac itself operates only in the 5 GHz band, so 802.11b/g devices are served by the AP's 2.4 GHz radio), and can therefore accept WLAN connections from devices without 802.11ac, though only at those devices' lower speeds.
The Computing Services Centre (CSC) will soon launch the Virtual Desktop Service to cater for the trend of Bring Your Own Device (BYOD) and to facilitate the use of personal mobile devices for teaching and learning. However, the current WLAN does not provide sufficient bandwidth for virtual desktops, especially for graphics- and video-intensive applications, and IEEE 802.11ac may provide a solution [further reading on the challenges of implementing the Virtual Desktop Service is available in “Cater for the Trend of Bring Your Own Device (BYOD) in Teaching” (Ref: Network Computing Issue 81 – September 2014)]. Before releasing APs supporting the new Wi-Fi standard for staff and student use, the CSC tested them in the Discovery-enriched Curriculum (DEC) Laboratory (AC2-1400) in Semester A 2014/2015 to evaluate their performance and their compatibility with a mix of PCs and mobile devices using various Wi-Fi standards. Three new IEEE 802.11ac APs were placed in the DEC Lab and tested with 802.11ac-equipped PCs, pads and tablets connecting to the Virtual Desktop Service to play high-quality videos simultaneously. We found that the new Wi-Fi standard can complement and boost the performance of the WLAN so that HD video plays smoothly.

For staff and students to experience the quality and speed of IEEE 802.11ac Wi-Fi, the CSC has relocated the 802.11ac APs from the DEC Lab to the Open Access Area on the 4th floor of Academic 2, alongside the other APs, for general use. Staff and students can now bring their 802.11ac-equipped devices to the Open Access Area to see the high-speed Wi-Fi for themselves, and are encouraged to email their comments to the CSC at csc@cityu.edu.hk with the subject “New Wi-Fi Feedback (802.11ac)”.
References
• IEEE 802.11ac: http://en.wikipedia.org/wiki/IEEE_802.11ac
• IEEE 802.11n: http://en.wikipedia.org/wiki/IEEE_802.11n-2009
• Wireless Access Point: http://en.wikipedia.org/wiki/Wireless_access_point
DISCOVER & INNOVATE
Information Security inside Contactless Smart Card and Passport Tomson Xu
Radio Frequency Identification (RFID) technology has been in the news recently owing to the Hong Kong SAR Government's plan to replace all Hong Kong residents' identity cards with new cards containing embedded RFID chips between 2018 and 2022. As a result, recently found vulnerabilities in the Hong Kong Public Libraries' RFID system attracted much attention: news media reported that anyone with a common Near Field Communication (NFC) smartphone could modify the loan status on the RFID tag embedded in a library book to “On Loan” and so defeat the gate alarms, making it easy for the unscrupulous to steal books. The convenience of contactless cards has made RFID the technology of choice in many areas of modern life, from e-money systems to the high-tech IDs in e-passports. However, the ease of use of RFID technology has also brought many security and privacy concerns. For example, in the UK, Visa contactless payment cards have a limit of £20 per purchase, but researchers from Newcastle University found a flaw that lets larger amounts be taken from the cards: a mobile phone posing as a payment terminal could obtain approval for a transaction of up to 999,999.99 in a foreign currency, bypassing the £20 limit, with the funds sent to an arbitrary account. The Octopus card, used by 95% of the population of Hong Kong, is also a contactless payment card; the balance of any Octopus card can be read by a mobile phone with the free app “Octopus Balance Reader”. Because phones are mobile, information can be read from a smart card without ever touching the target, contactlessly through the victim's pocket or wallet.

RFID technology is already used in the passports of a number of countries, as it makes identity verification easier. Unfortunately, the convenience also puts holders at risk. The RFID chip in a passport usually contains sensitive personal information such as your name, your photo and other details, enough for someone to open a bank account, book a hotel room or even create a fake identity. Governments take extensive measures to prevent theft via RFID scanning or “eavesdropping”. For example, the information on a U.S. passport's RFID chip can be read only when the passport book is open; when the cover is shut, its shielding is supposed to stop it being scanned by an RFID reader. In addition, e-passports that follow the ICAO standard implement Basic Access Control: the chip releases its data only to a reader that has first derived a key from the machine-readable zone printed inside the passport, so the reader must have seen the open document. As for the next-generation HKID card, the RFID function is not enabled until the key printed on the card is captured and validated by an authorized optical reader.
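The “key printed on the document” idea described above for the next-generation HKID card is the same one e-passports use under ICAO Doc 9303 Basic Access Control (BAC): the reader derives a pair of 3DES keys from the machine-readable zone (MRZ) it has optically read, and the chip will only talk to a reader that can prove it holds those keys. The Python below is an added example, not code from the article, and implements that derivation (MRZ check digits, Kseed from SHA-1 of the MRZ information, Kenc and Kmac with DES parity adjusted). The input values are the public worked example from ICAO Doc 9303 Part 11, not a real passport, and the HKID card's own scheme, whose details the article does not give, is not modelled.

```python
"""ICAO 9303 Basic Access Control (BAC) key derivation from the printed MRZ.

Added example, not from the newsletter: the reader must have seen the open
passport to build the keys, which is how the printed page gates chip access.
Input values are the public ICAO Doc 9303 Part 11 worked example, not a real
passport.  Standard library only.
"""
import hashlib

_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """MRZ character value: digits as-is, A=10 .. Z=35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating, weighted sum mod 10."""
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """Document number (padded to 9 with '<'), DOB and expiry, each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")
    return (f"{doc_number}{check_digit(doc_number)}"
            f"{birth_yymmdd}{check_digit(birth_yymmdd)}"
            f"{expiry_yymmdd}{check_digit(expiry_yymmdd)}")


def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (DES key convention) by setting the low bit."""
    out = bytearray()
    for b in key:
        ones_in_high_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_high_bits % 2 else 1))
    return bytes(out)


def derive_bac_keys(mrz_info: str) -> tuple:
    """Return (Kseed, Kenc, Kmac) per ICAO 9303 Part 11: SHA-1 KDF, two-key 3DES.

    Kseed = SHA-1(MRZ_information)[:16]
    Kenc  = parity(SHA-1(Kseed || 00000001)[:16]); Kmac uses counter 00000002
    """
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    kenc, kmac = (adjust_des_parity(hashlib.sha1(kseed + c.to_bytes(4, "big")).digest()[:16])
                  for c in (1, 2))
    return kseed, kenc, kmac


if __name__ == "__main__":
    info = mrz_information("L898902C<", "690806", "940623")   # ICAO worked example
    kseed, kenc, kmac = derive_bac_keys(info)
    print("MRZ_information:", info)
    print("Kseed:", kseed.hex().upper())
    print("Kenc: ", kenc.hex().upper())
    print("Kmac: ", kmac.hex().upper())
```

The security lesson is also the limitation: the document number, date of birth and expiry date carry far fewer than the 112 bits of entropy the 3DES keys nominally have, so BAC stops casual skimming through a pocket but not an attacker who has photographed the open passport, which is why ICAO later introduced the stronger PACE protocol.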
Here are some ways to reduce the risk of information being stolen from your contactless smart card and e-passport:
• Keep your RFID cards in an RFID-blocking sleeve, pouch or wallet. RFID is based on radio signals, and data is transmitted by radio waves. These RFID blockers interrupt the wireless communication between card and reader and prevent illegitimate reading of your RFID-embedded cards.
• Leave an RFID-embedded passport securely closed until you need to present it to the immigration officer at the border.
• If you do not really need contactless payment, get a credit card without an RFID chip. Obviously, it is also important to check bank and credit card statements regularly.

Conventional wisdom tells us that “Where God has his church, the devil will have his chapel.” The hints that work today may be broken tomorrow by researchers and hackers. Nothing will work 100% to eliminate the possibility of your RFID cards being scanned. The best protection is to be alert and aware of your surroundings.

Reference:
http://hk.apple.nextmedia.com/news/art/20150126/19016703
http://thehackernews.com/2014/11/hackers-can-steal99999999-from-visa.html
http://www.makeuseof.com/tag/rfid-hacked-stay-safe/
http://www.legco.gov.hk/yr14-15/english/panels/se/papers/se20150203cb2-654-3-e.pdf

FEATURE
Office 365 ProPlus for Staff
Yeung Man

To support work-related activities, all regular staff are now free to install and use the latest versions of Microsoft Office software under Office 365 ProPlus via the University's Enrollment for Education Solutions with Microsoft. This allows each regular staff member free installation of MS Office on up to five PCs or Macs owned and used by the staff member for University work. They can also run Office Mobile for Android or Office Mobile for iPhone on up to five mobile devices.

What is the difference between Office 365 ProPlus and traditional Office installation?
Both suites include commonly used Microsoft software such as Word, PowerPoint, Excel, Outlook, OneNote, OneDrive, Publisher, Access, InfoPath and Lync. A traditional Office installation is tied to the hardware or device it is installed on, whereas Office 365 ProPlus is linked to the user (as a subscription), which adds flexibility for users and their IT needs.

Does it require an Internet connection?
Office 365 ProPlus is designed to run locally on PCs, so a persistent Internet connection is not required. However, you need to be connected to the Internet the first time you run one of the Office 365 ProPlus applications so that the “Activation” process can be completed. After that, you only have to connect to the Internet at least once every 30 days so that the status of your subscription can be checked. If your computer is offline for more than 30 days, Office 365 enters Reduced Functionality mode until the next time you connect to the Internet.
Collaborate with Office Online
Office Online is included in Office 365 ProPlus, and you can use it in a web browser (there is no need to download or install an app) to prepare and edit your documents, spreadsheets and presentations and store them in your OneDrive. You can then share or email the URLs of your documents stored in OneDrive to your collaborators. The co-edit feature of Office Online enables collaborators to work on the same document at the same time and to see each other's changes immediately.

What will happen when I leave the University?
When you leave the University, your CityU Microsoft Office ProPlus subscription will end shortly afterwards, and you will retain read-only access to your Microsoft Office documents stored on your own PC. You may consider purchasing an Office 365 licence for your PC, from Microsoft or a retailer, to continue to use Office ProPlus.

Where to learn more?
You can find detailed information, including the FAQ and installation guide, on the CSC home page: http://www.cityu.edu.hk/csc/deptweb/support/faq/faq_office365_proplus.htm. You can also consult the CSC Help Desk or send an email to csc@cityu.edu.hk.
BRIEF UPDATES
CityU Mobile - More Informative, Smarter App Vicker Leung
Illustration by Mei Leung
Central IT released the very first version of CityU Mobile in fall 2013, making campus information such as class schedules, maps, facilities and contacts readily available on mobile. With more than 8,000 active users on iOS and Android, CityU Mobile is one of the top-rated higher-education mobile apps in Hong Kong. To further enrich the app's capabilities and overall user experience, several upgrades have been released throughout the year; the following highlights some of the major improvements.

Many Ways to CityU
Getting to CityU is not difficult for our staff and students, but it may be a little tricky for first-time visitors. The new “Go to CityU” feature in the app provides detailed information on various transportation options for reaching CityU, such as taxi, bus, MTR and private car. Each option includes step-by-step instructions and an overhead map to guide users to the campus. No matter where you are, getting to the campus has never been so easy. Finding your way with CityU Mobile is more enjoyable too with the new integration with CityU Tour[1]. When a venue is found in the app, you can launch CityU Tour with a single tap to explore it in a gorgeous 360-degree panorama.
Never Miss a Date
The login-free offline schedule is one of the most popular features of CityU Mobile. Since the launch, more than 14,000 schedules have been downloaded from AIMS with 88,000 views, almost 200 per day. The original schedule is shown in a daily format, listing lessons and gap hours chronologically. In the latest release, we also included a weekly schedule to give students a rough idea of the distribution of classes and availability. It uses every pixel of the limited mobile screen and intelligently removes unoccupied early-morning and late-night sessions to give users a crisp, clean and readable schedule. A new Academic Calendar module has been added too, putting all the key dates at your fingertips, such as week number, add/drop period, examinations, public holidays and grade release date. Students need never miss a class or event again.

Smarter and Swifter
Apart from adding new features and functionality, the development team also put a lot of effort into optimizing existing features, one of which is the item search mechanism. Inside CityU Mobile there are almost 200 pieces of venue and facility information, and sometimes it is difficult to find the exact item you need. For instance, searching “ac” shows results like “Academic 1”, “Department of Accountancy”, “CSC Teaching Studio”, etc. It is also common that users remember only an abbreviation and not the full name, e.g. CDFO (Campus Development and Facilities Office). To improve search accuracy, thousands of prior searches were analyzed to build a list of keywords, each associated with a related piece of information, so that you can find it much more easily than before. We are also exploring the possibility of introducing natural language processing[2] to improve the search experience further. Another key factor affecting user experience is the swiftness of the app. To maintain a synchronized release cycle on Android and iOS, the cross-platform tool Adobe AIR[3] was used to develop CityU Mobile. The downside is a larger memory footprint and higher computing demand than a native approach[4].

(Left) Go to CityU showing various bus routes; (Middle) CityU Tour of the green rooftop at Amenities Building; (Right) Full-screen weekly schedule without scrolling
To minimize the performance gap, every function, piece of logic, image and animation has been reviewed and optimized thoroughly in each version update. As a result, the application launch time has been cut by around 30% compared with the first release. You may also experience swifter scrolling, page transitions, etc.

Future Releases
We are preparing the next major release of CityU Mobile. With a completely redesigned application architecture and the adoption of Google's Material Design[5], we look forward to bringing the whole experience to a new level. As always, we welcome your feedback and feature suggestions to improve our service. Please visit our portal at http://cityu-mobile.uservoice.com to voice your ideas and to explore what we are currently working on.

Reference:
[1] CityU Tour: http://go.cityu.hk/tour
[2] Natural language processing: https://en.wikipedia.org/wiki/Natural_language_processing
[3] Adobe AIR: http://www.adobe.com/hk_en/products/air.html
[4] The State of Native vs. Web vs. Hybrid: http://java.dzone.com/articles/state-native-vs-web-vs-hybrid
[5] Material design: http://www.google.com/design/spec/material-design/introduction.html
CityU Mobile Available on Apple App Store and Google Play
FEATURE
Brief Report on the Full Adoption of Canvas at CityU Crusher Wong
Semester B 2014/2015 is the most critical time for the Canvas implementation, as all course instructors are advised to adopt this new cloud-based platform while Blackboard provides only limited service. To ensure the news reached all users, promotional activities were launched through various channels from October 2014. Besides the standard CAP messages to all CityU users, we approached Departmental e-Learning Coordinators to seek opportunities for department-specific briefings and workshops. Eventually, our voices were heard directly in 17 academic units, and a total of 19 training workshops were conducted to help teaching staff revive e-learning on Canvas. CityU has a long history of data-driven decision making, and the full adoption of Canvas is no exception. A Canvas Satisfaction Questionnaire was sent to staff and students involved in the extended pilot near the end of Semester A 2014/2015. 88% of the
Figure 1
staff and over two thirds of the student respondents were satisfied with Canvas as an e-learning system (see Fig. 1). The resolution to adopt Canvas as the unified Learning Management System at CityU was thus reconfirmed by user feedback. Another piece of feedback collected from the questionnaire concerned latency. Although our timing tests showed good results for Canvas compared with Blackboard in typical use cases, we understood that the data transfer rate of a cloud service hosted in North America was no match for a locally hosted system. Users handling large files, such as photos and video, demanded more speed. After long negotiation, Canvas' new data centre in the Amazon Web Services Singapore region came at the right time: CityU's Canvas instance was moved from Virginia to Singapore on the morning of 14th January 2015. The relocation gave Canvas the same data transfer rate on the CityU campus as other cloud services such as Google Drive and MS OneDrive.
Eight weeks after our full adoption of Canvas, the analytics in Fig. 2 showed 1,415 teachers and over 24,000 students participating in teaching and learning activities in 1,582 courses. This means 79% of the 2,002 course sites in Semester B were published for students to access, which is very close to the previous Blackboard utilization rate. With no major issue on Canvas in Semester B, the Information Strategy and Governance Committee has approved the decommissioning of the Blackboard system. Blackboard is scheduled for a temporary shutdown of three days from 19th to 21st May 2015, followed by termination of service at noon on 30 June 2015. All users are
Figure 2
advised to download personal files (see the animated instruction at http://go.cityu.hk/d6d0eu), course materials and organization contents (get help at http://go.cityu.hk/qmt7q7) before the deadline. Course instructors and Organization leaders may complete the online form at http://go.cityu.hk/shyqud to request migration from Blackboard to Canvas so that contents can be reused in the near future. Please note that teaching staff will not be able to access old courses on Blackboard when rebuilding course sites on Canvas in the coming academic year. Please contact the e-Learning Team at elearn@cityu.edu.hk if you would like to start constructing Semester A courses in advance.
ITSM SERIES
ITSM Awareness Series (Part 2: Configuration Management Database)
Chadwick Leung
The ITSM Awareness Series of articles aims to raise awareness among CityU IT provisioning units (both Central IT and departments) and interested parties of current best practice in IT service management (ITSM).
This is Part 2 of this series on the ISO/IEC 20000 IT Service Management (ITSM) Standard. Previously, in Part 1, we introduced the overall ISO/IEC 20000 processes and the Design and Transition of New or Changed Services (DTNCS) in particular. In this article, we highlight the Configuration Management Database (CMDB). The CMDB is the core element of the Configuration Management process itself and is an important data source for queries, used by a number of other processes as depicted in Fig. 1. It functions as a centralized database to store all Configuration Items (CI) and their relations to live IT services. A CI can be any component, including hardware, software, documentation, facility, service and personnel.
What are the benefits derived from a CMDB?
There are many model answers. The actual benefits received depend on the prior effort of turning CMDB data into useful information that supports other processes and authorized users. The following section describes a scenario using the iET ITSM CMDB to demonstrate the value a CMDB provides (the values are listed in the bullet points alongside each step).

How does a CMDB support CI management?
The CMDB stores each CI with a unique identifier, together with its description, status, version and location. Further CI details (commonly referred to as CI attributes) are stored as needed. For example, a CI of type hardware server typically has attributes such as model, CPU, RAM, disk size, network card and IP addresses, while a software CI may have attributes such as software name, version, patch level and license. Apart from storing CI data, a CMDB provides the following useful features:
a) defining relations between CIs, and between CIs and service components
b) associating CIs with relevant event records (e.g. Change, Incident, Problem and Release)
c) recording CI baselines and tracing changes to CIs (by whom and when)
Figure 1: Interface between CMDB and other processes
Scenario
An incident occurred in IT Service B. An IT analyst checked the incident using the Graphical CMDB and saw the graph shown below. Incident and Problem tickets had been created and associated with the affected CIs, IT Service B and Server C, as indicated by the “Inc” and “Prb” labels. The yellow exclamation mark meant that the CI Server C had downtime recorded. The IT analyst also noticed that another service, IT Service A, was connected to IT Service B, and that Server A and Server B had a Change ticket recorded, indicated by the “Chg” label.
• Quick information gathering with Graphical CMDB • CI relations are shown • Record CI downtime which can be used for service availability measurement
Figure 2: CIs relations and their associated events present in graph
By clicking the affected CI icon to open the CI record, the IT analyst could easily find related Incident and Problem tickets on the Process Relations interface.
• Quick navigation between CI and event records by simple clicks. • Clear presentation of CI and processes relation.
Figure 3: CI Process Relations interface
By clicking the ticket link to open the Incident/Problem ticket, the IT analyst could study the case and save notes of action to the ticket. The IT analyst could then open the Change tickets of Server A and B, and alert the Change Manager to review if the incident caused any impact to the scheduled Change implementation.
• Facilitate a better view of multiple events which have potential dependency
After the Incident and Problem were resolved, a post review could be conducted in the views of Service Continuity and Availability (SCA) Management and Capacity Management of IT Service B. The infrastructure of service and capacity of hardware or software would need to be reviewed to improve service continuity and availability.
• Provide a collection of CI information for service review and improvement
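The scenario above is what a CMDB is for in operational and security work alike: when a CI fails or is compromised, the recorded relations tell the analyst which services are exposed and which nearby CIs have Changes in flight that may be related, and the attribute history tells them who changed what, and when. The Python below is an added example, not the iET ITSM product shown in the figures: a minimal in-memory CMDB with typed CIs, dependency relations, tickets linked to CIs, and a traced attribute history. The CI names and ticket numbers are constructed to mirror the scenario, with IT Service B running on Server C and IT Service A depending on IT Service B and on Servers A and B.

```python
"""Minimal CMDB model: CIs, dependency relations, linked tickets, traced attribute changes.

Added example (not the iET ITSM product from the article).  Sample CIs and tickets
are constructed to mirror the scenario figure and carry no real data.
"""
from collections import deque, namedtuple
from dataclasses import dataclass, field
from datetime import datetime

# Audit record of one attribute change, and one event record linked to CIs.
AttributeChange = namedtuple("AttributeChange", "when who attribute old_value new_value")
Ticket = namedtuple("Ticket", "ticket_id kind ci_ids status")


@dataclass
class CI:
    """Configuration item: unique id, type, attributes and their change history."""
    ci_id: str
    ci_type: str                      # "service", "server", "software", ...
    attributes: dict = field(default_factory=dict)
    history: list = field(default_factory=list)


class CMDB:
    def __init__(self):
        self.cis = {}          # ci_id -> CI
        self.depends_on = {}   # ci_id -> set of ci_ids it depends on
        self.tickets = {}      # ticket_id -> Ticket

    def add_ci(self, ci_id, ci_type, who, **attributes):
        self.cis[ci_id] = CI(ci_id, ci_type)
        self.depends_on[ci_id] = set()
        for name, value in attributes.items():   # initial values form the baseline
            self.set_attribute(ci_id, name, value, who)

    def set_attribute(self, ci_id, name, value, who, when=None):
        """Update an attribute and append an audit entry so the change is traceable."""
        ci = self.cis[ci_id]
        ci.history.append(AttributeChange(when or datetime.now(), who, name,
                                          ci.attributes.get(name), value))
        ci.attributes[name] = value

    def relate(self, dependent, dependency):
        """Record that `dependent` depends on `dependency` (a service on a server, etc.)."""
        self.depends_on[dependent].add(dependency)

    def add_ticket(self, ticket_id, kind, ci_ids, status="open"):
        self.tickets[ticket_id] = Ticket(ticket_id, kind, frozenset(ci_ids), status)

    def tickets_for(self, ci_id, kind=None, status=None):
        """Ticket ids linked to a CI, optionally filtered by kind and status."""
        return sorted(t.ticket_id for t in self.tickets.values()
                      if ci_id in t.ci_ids
                      and (kind is None or t.kind == kind)
                      and (status is None or t.status == status))

    def dependents_of(self, ci_id):
        """Every CI that transitively depends on ci_id: the blast radius of its failure."""
        seen, queue = set(), deque([ci_id])
        while queue:
            current = queue.popleft()
            for other, deps in self.depends_on.items():
                if current in deps and other not in seen:
                    seen.add(other)
                    queue.append(other)
        return seen

    def incident_impact(self, failed_ci):
        """Services hit by a failure, plus open Changes on other CIs those services rely on."""
        services = sorted(c for c in self.dependents_of(failed_ci)
                          if self.cis[c].ci_type == "service")
        nearby = set().union(*(self.depends_on[s] for s in services)) - {failed_ci}
        changes = sorted({t for ci in nearby
                          for t in self.tickets_for(ci, kind="Change", status="open")})
        return {"services": services, "open_changes_nearby": changes}


def build_scenario():
    """Constructed data mirroring Figure 2 of the article (hypothetical CIs and tickets)."""
    db = CMDB()
    db.add_ci("IT Service A", "service", who="ops")
    db.add_ci("IT Service B", "service", who="ops")
    db.add_ci("Server A", "server", who="ops", model="R630", ram_gb=64)
    db.add_ci("Server B", "server", who="ops", model="R630", ram_gb=64)
    db.add_ci("Server C", "server", who="ops", model="R730", ram_gb=128)
    db.relate("IT Service B", "Server C")
    db.relate("IT Service A", "IT Service B")
    db.relate("IT Service A", "Server A")
    db.relate("IT Service A", "Server B")
    db.add_ticket("INC-1001", "Incident", ["IT Service B", "Server C"])
    db.add_ticket("PRB-2001", "Problem", ["IT Service B", "Server C"])
    db.add_ticket("CHG-3001", "Change", ["Server A", "Server B"])
    db.set_attribute("Server C", "ram_gb", 256, who="alice", when=datetime(2015, 3, 2, 9, 30))
    return db
```

Calling `build_scenario().incident_impact("Server C")` reproduces the analyst's walk through the graph: both services are reported as affected and CHG-3001 on Servers A and B is surfaced for the Change Manager, while `cis["Server C"].history` shows the RAM change, by whom and when. The same traversal answers the security question “which services are exposed if this host is compromised?”, which is only as trustworthy as the relations recorded, the point the article makes about CI accuracy.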
How to strengthen the CMDB values?
A CMDB is really just a tool. Whether it brings true business value depends on CI accuracy, completeness and timely updates. Here are a few rules of thumb:

Do
• Record only that which is needed
• Record only that which can be managed
• Record only that which can be audited

Using these rules to decide how broadly and how deeply to manage CI data minimizes the effort of CI management and maximizes the value of the information delivered for decision making or other purposes. A CMDB offers a controlled way to manage the details of different kinds of service components, working closely with the Change Management process. It eliminates the need to keep support references in less reliable forms, such as server lists and configurations in MS Excel, system relationship diagrams in MS Visio, or software installation lists in MS Word. The CMDB should be the only official record describing the provision of IT services, with other sources being references only. With this perspective, the effort spent building a CMDB with accurate and complete CI data will pay for itself in delivering true business value to the organization down the road.

Please stay tuned for Part 3 of this series, when we introduce the Change Management process.
Figure 4: Managing different kinds of service components information could be simplified
HOT FAQS
FAQs on OneDrive for Business ML Lee
What is OneDrive for Business?
OneDrive for Business provides a single online storage location for storing and organizing your work files from multiple Internet-connected devices. It is part of Microsoft Office 365 (O365), a cloud computing service. You can create, upload, sync and share your files easily with peers and collaborators. In the past you saved files to your computer; now, with OneDrive for Business, saving your files to the cloud allows you to access them from almost anywhere and from any device.
How do I get to OneDrive for Business?
To get started, sign in to O365 at http://mail.office365.com using the latest version of a popular web browser on your computer. If you are a staff member, enter your CityU O365 Exchange Online full email address, i.e. <Your EID>@um.cityu.edu.hk, and your Active Directory (AD) account password in the Account and Password fields respectively, then click Sign in. If you are a student, please refer to the “FAQs on Microsoft Office 365 for CityU Student” (http://www.cityu.edu.hk/csc/deptweb/support/faq/email/o365/o365.htm). After you have successfully logged in, click the app launcher at the top left corner of the page and select OneDrive.
How do I sync OneDrive for Business to my local Windows computer?
You must have the OneDrive for Business sync app (client) installed on your computer. For CityU staff and students, the latest Office 2013 version of this app can be downloaded from their staff/student O365 account (log in to O365, select Office 365 settings, then Software). Staff and students must already be using O365 Exchange Online in order to log in to O365. To work with earlier versions of Office, which is not recommended, please refer to the Microsoft Support article “How to install the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online” (http://support.microsoft.com/en-us/kb/2903984). With the sync app installed, go to your OneDrive for Business in a web browser and click Sync. This opens the “Sync this library …” window; click Sync now to start the sync process. When it is completed, your synchronized files will appear in the “OneDrive – City University of Hong Kong” or “OneDrive for Business” folder under Favorites in File/Windows Explorer. Any files you add to this folder are uploaded to OneDrive for Business in the cloud when you come online. A green check mark means the file is synchronized to the cloud.

You can edit files in the folder just like any ordinary file on your computer, and all changes are uploaded automatically whenever you are online. However, you cannot pick which files in your OneDrive for Business to sync: it is all or nothing. Since the sync client therefore keeps a full local copy of your OneDrive on that computer, set it up only on a computer you control, not on a shared or public PC.
How do I access files in OneDrive for Business from my mobile device? The mobile app is available from the Apple iTunes Store, Google Play Store and Windows App Store. Download and install it on your device, then follow the instructions to sign in to your O365 account.
How do I know how much space I have used in my OneDrive for Business? Go to OneDrive for Business in a web browser, click the Gear icon and select Site settings. On the Site Settings page, click Storage Metrics. In the top right corner, you will see how much space has been used.
How do I share a file in OneDrive for Business with others? Follow the steps above to get to OneDrive for Business, select the file you want to share and click Share.
In the Share window, enter the name or email address of the person you want to share the file with. When you see the name you want, select it to add it to the invitation list. After you have finished adding people, select the permission (Can edit or Can view) that you want to grant to the people in the list, then click Share to send an email to the invitees. Files placed in the “Shared with Everyone” folder automatically become available to everyone within the same domain. In CityU, staff are in one domain whereas students and alumni are in another. To learn more about sharing documents, you may read the “Store and Share Documents Quick Start Guide” (http://go.microsoft.com/fwlink/p/?LinkId=511132).
IT Security Awareness Series by JUCC With the aim of enhancing the IT security awareness of the CityU community, KPMG was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security, which will be adopted and published here for your reference.
Mobile Security – Best Practices for General User According to research figures from Business Intelligence [1], the number of smartphones sold worldwide has already surpassed the number of personal computers. Two to three years from now, tablet sales are also expected to exceed personal computer sales. In less than twenty years, we have evolved from using traditional personal computers as productivity tools to a new mobility era in which people use mobile devices extensively for both work and personal life. It is foreseeable that more information, such as people’s contact lists, personal information, files, photos, videos and even passwords, will be stored on mobile devices. Not only are mobile devices small and easily transportable, but they also have high resale value, making them a target of petty crime, malicious attacks and organized syndicates. There are a vast number of malicious and risky mobile apps targeting different platforms. However, due to Android’s popularity and dominance, more mobile apps are developed for Android than for other mobile operating systems. Since the discovery of the first Android Trojan in 2010, TrendLabs estimates that in just 3 years there are already over 1.4 million malicious and high-risk mobile apps on the Android platform [6]. If malicious apps, malware and insecure wireless connections infiltrate mobile devices, an attacker may be able to monitor and read messages, send out predefined messages, steal data, access and view contact lists and track locations. Some are even able to register victims for overpriced services. In light of the aforementioned mobile device security threats, it is highly advised to follow certain practices, such as locking a mobile device with a secure password, backing up the mobile device data, using Wi-Fi Protected Access encryption and others (refer to the table below).
I. Lock device with PIN or password
II. Install trustworthy mobile apps
III. Minimize installation of unnecessary mobile apps
IV. Beware of wireless connections
V. Physically protect devices
VI. Do not jailbreak or root mobile devices
VII. Keep software updated
VIII. Install security software
IX. Do not follow links sent in suspicious emails or text messages
X. Back up mobile device data
XI. Be cautious about privacy services
Solutions to Security Problems in Depth
Physical Loss and Theft Some thieves are only interested in the mobile device hardware, which they resell for monetary gain. Others, however, try to break into the mobile device to look for valuable information such as contact information, personal information, photos and videos, which can be leveraged for other malicious criminal activities.
Physically Protect Devices Maintain physical control to safeguard mobile devices. Do not leave the devices unattended. Keep the devices secured in bags. Users are also encouraged to activate the remote disable feature on their phones, which can completely wipe the device’s content remotely, lock the device and show its last active location. An example of this feature is “Find My iPhone”, which is built into Apple phones.
Lock Device with PIN, Password or Fingerprint If the mobile device is lost or stolen and the device is not locked, not only will the information on the mobile device be exposed, but the device can also be used to conduct online transactions, download apps and perform other actions on behalf of the victim. Some mobile devices also use the PIN or password to generate a unique key to encrypt stored data. This adds an additional layer of protection by increasing the difficulty of retrieving data from the stolen mobile device.
Backup Mobile Device Data If a mobile device is broken, lost or stolen, data can be restored if the user previously backed up the mobile device by synchronizing it to a computer or the cloud.
Keep in mind that if the mobile device contains data such as calendars, work files, photos, passwords and contact lists, and the user synchronizes the device with his or her home computer, this information can be compromised once the computer has been hacked or stolen.
Social Engineering Attacks Social engineering is a technique used to trick innocent users into disclosing information, without the need to use any technical means to break into a mobile device. The most common social engineering attack is phishing: the use of email or instant messaging to acquire a victim’s personal information. Below is an example of a real phishing message from the Who’s Who scam [12]. The email is crafted so that the victim is deceived into believing it is legitimate. If a user clicks on the embedded link, the user is redirected to a web page requesting the submission of personal information.
Do Not Follow Links Sent in Suspicious Email or Text Messages
FACTS The average person checks their phone up to 110 times a day, pressing the home button or unlocking the mobile device to activate the screen [13]. Some people will therefore ignore security to facilitate the use of the mobile device. In Hong Kong, the Police handle an average of 5,000 reported stolen mobile phones every year, and the number has been gradually rising [7].
Unnecessary Access to Personal Information In the diagram below, a downloaded game called “Thor: TDW” wants to access contact information. Why would a game want to access your contact information? For advertising purposes? For cross-selling purposes? Or for other malicious reasons? One should think hard before allowing a mobile app such as the “Thor: TDW” game to retrieve all your contact information.
Malware Malware is a computer contaminant that can gain access to private information on mobile phones or computer systems. Malware can sometimes appear to be legitimate software. Note that defective software is not malware, as it is not meant for harm or fraud. For examples of these disruptive programs, refer to the case studies at the bottom.
Install Security Software To protect against malware, it is recommended that software such as anti-virus or firewalls be implemented. Particularly on the Android platform, users should consider installing security software to bolster their protection. Some security software also offers call blocking, SMS filtering, anti-data-theft and anti-virus features.
Insecure Wi-Fi Very often, users connect to wireless access points that appear to be legitimate but are actually not secure. Some access points use weak encryption (e.g. WEP) and some do not provide encryption at all. This means that all communications between the mobile device and the Internet, through such access points, can be eavesdropped.
Beware of Wireless Connections – Choose Wisely When choosing a wireless network, users should opt for wireless connections that come from reputable sources and support Wi-Fi Protected Access 2 (WPA2) encryption.
Rogue Wi-Fi Malicious attackers set up rogue access points using a recognizable service set identifier (SSID) name, pretending to be a lawful wireless access point in order to lure victims into connecting. Once a victim connects to a rogue access point, all communications between the victim’s mobile device and the outside world can be eavesdropped by the attacker.
Wi-Fi Services from Hong Kong Government In Hong Kong, the Government provides free Wi-Fi services at designated Government premises. Users can connect to two types of wireless SSID: freegovwifi, which does not support encryption, and freegovwifi-e, which supports encryption. Freegovwifi-e should be used for wireless connection.
Pjapps malware
Targeting the Android platform, Pjapps is designed to steal information, send and monitor incoming SMS messages, read and write a user’s browsing history, install software packages, and open network sockets to launch attacks on web sites.
Ikee malware
Ikee could spread over the air, targeting jailbroken iOS mobile devices that had the SSH application installed with the default password still set. Ikee would change the background wallpaper of the infected iPhone to a picture of the 1980s pop singer Rick Astley. Once a device was infected, the screen would lock and display a text message saying “Your iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your iPhone right now!” The victim would have to pay a ransom fee to the attacker’s PayPal account in order to unlock the mobile device.
Exploitation of Mobile Apps According to TrendLabs, out of the 1.4 million high-risk or malicious mobile apps in the Android market, 53% are classified as premium service abusers. Premium service abuser mobile apps are capable of accessing the SD card data of the mobile device, monitoring and reading messages, sending out predefined messages, accessing and viewing the contact list and tracking locations. Some are even able to register victims for overpriced services, while adware aggressively pushes ads and can even collect personal information without the victim’s consent [7].
Install Trustworthy Apps Since some apps may have hidden behaviours that can steal private data, modify user settings and initiate unauthorized messages and transactions:
• Users should only download mobile apps from legitimate app stores.
• Users should not jailbreak or root their mobile devices in order to download and install mobile apps from third-party app stores.
• Users should consider downloading only those mobile apps with good ratings and reviews.
• Users can install security software which can detect and alert users to mobile apps containing malware or of a high-risk nature.
• Users should minimize the installation of unnecessary mobile apps.
Keep Software Updated Application and software updates may include fixes for software bugs and security vulnerabilities.
Security Update of Software For instance, Apple released an update for its iOS 6 and iOS 7 operating systems to provide a fix for the SSL connection verification issue [11]. Without installing the update, iPhone and iPad devices are vulnerable to man-in-the-middle attacks, which means attackers can spy on user connections to websites over untrusted Wi-Fi networks that are supposed to be using encrypted communications.
Privacy and Caution Some apps ask for permission to access contact information and/or location services on the mobile device. Once permission is granted, the mobile app can read all contact information and track the physical location of the mobile device. Some mobile apps, such as Google Maps, have a legitimate reason to use a mobile device’s location tracking to deliver their service. However, other mobile apps may track the user’s whereabouts for advertisement pushing and user behaviour analysis. Some apps may even collect location data surreptitiously without the user’s knowledge, and thus compromise the privacy of the owner of the mobile device.
Be Careful with Third-Party App Stores Apart from “premium service abuser” malicious mobile apps, some other malicious mobile apps are posted on app stores pretending to be from legitimate companies, tricking users into downloading and installing them. There are also malicious mobile apps which are reverse engineered from the legitimate source, embedded with malicious code and re-posted to third-party app stores to trick users into downloading and installing them.
Minimize Installation of Unnecessary Mobile Apps According to Google’s Our Mobile Planet data, the average global smartphone user has downloaded 26 apps onto their smartphone. In countries like South Korea, the number can shoot up to over 40 [5]. Most of these downloaded apps go unused and are just left installed on the mobile device. Depending on the sophistication of the mobile app developers, some mobile apps may not be well written, resulting in security vulnerabilities on the mobile device. Users can reduce such risk by limiting the installation of unnecessary mobile apps.
References
1. “Cell Carriers Launch Anti-theft Effort.” IT News, 10 Apr. 2010. Web. June 2014.
2. Cocotas, Alex. “The Future of Mobile.” Business Insider, 22 Mar. 2012. Web. May 2014.
3. “First Case of Android Trojan Spreading via Mobile Botnets Discovered.” ZDNet, 5 Sept. 2013. Web. June 2014.
4. “Gartner Says Worldwide Traditional PC, Tablet, Ultramobile and Mobile Phone Shipments On Pace to Grow 7.6 Percent in 2014.” Gartner Newsroom, 7 Jan. 2014. Web. May 2014.
5. H., Michael. “The Average Global Smartphone User Has Downloaded 26 Apps.” Phone Arena, 6 Sept. 2013. Web. June 2014.
6. Trend Micro Incorporated. “Cashing in on Digital Information.” TrendLabs 2013 Annual Security Roundup, 2013. Web. May 2014.
7. Trend Micro Incorporated. “The Invisible Web Unmasked.” TrendLabs 3Q 2013 Security Roundup. Global Technical Support & R&D Center of Trend Micro, 2013. Web. June 2014.
8. “Over the past Three Years Handset Lost Upward Trend.” Hong Kong News, 6 June 2012. Web. June 2014.
9. Pidathala, Vinay, and Jinjian Zhai. “MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages.” FireEye Blog, 16 Dec. 2013. Web. 11 June 2014.
10. “Virus and Malicious Code.” InfoSec. The Government of the Hong Kong Special Administrative Region, June 2014. Web. June 2014.
11. “Vulnerability Summary for CVE-2014-1266.” National Cyber Awareness System. DHS National Cyber Security Division, 22 Feb. 2014. Web. May 2014.
12. “Who’s Who Scam.” Wikipedia. Wikimedia Foundation, 6 June 2014. Web. June 2014.
13. Woollaston, Victoria. “How Often Do You Check Your Phone? The Average Person Does It 110 times a DAY (and up to Every 6 Seconds in the Evening).” Mail Online. Associated Newspapers, 8 Oct. 2013. Web. June 2014.
Copyright Statement All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below: copyright@jucc.edu.hk Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong
FYI
Green IT at CityU Office of the CIO
Illustration by Kevin Chim
e-Business Automation
Since 2001, CityU’s ERP has provided self-help e-services (over 1,000 online functions) and numerous e-workflows through our Administrative Information Management System (AIMS), saving paper and time, improving productivity and providing users with an interactive environment for generating creative ideas.
Reducing Carbon Footprint
CityU adopted timer power control for PCs, Fast Network Printers and Express Terminals (saving $271,500/yr in electricity), used recycled paper and toner, and encouraged students to reduce printing.
Promoting User Awareness CityU’s “Green ICT Guidelines” helps promote user awareness, and is easily accessible on the web.
Paperless Office CityU’s Enterprise Content Management (ECM) provides e-filing and e-workflow / document flow; since Aug 2012, over 1.7 million pages have been archived, saving over $3.2M/year in reduced paper consumption and manpower.
Green IT Best Practice CityU launched a new data center in 2013 using state-of-the-art green design with efficient cooling / power; we also reduced hardware through consolidation, virtualisation, cloud and outsourcing; saving 38% of electrical power (HK$1.6M/yr).
Asia-Pacific IT Award CityU’s “Paperless Office Project” received the 2013 FutureGov Award for “Green Government” – recognition of excellence in the planning, execution and positive environmental impact of digital sustainability programmes.
Worldwide IT Award CityU’s “Paperless Office Project” also received the 2013 Computerworld Honors Laureate “Sustainability Award”, in recognition of our use of technology to create a greener campus.
STATISTICS AT A GLANCE
AIMS Access
AIMS Access Statistics in March 2015 (By Mobile Device) [chart; device categories: Apple iPad, Apple iPhone, LG D855 G3, Samsung GT-I9300 Galaxy S III, Samsung GT-I9505 Galaxy S IV, Samsung GT-N7100 Galaxy Note II, Samsung GT-N7105 Galaxy Note II, Samsung SM-N9005 Galaxy Note 3, SonyEricsson C6603 Xperia Z, Others]
GLOSSARY CORNER
IT Security from Wikipedia Andy Chun (ed.) The GHOST vulnerability is a serious weakness in the Linux GNU C Library (glibc) that allows attackers to remotely take complete control of the victim system without any prior knowledge of system credentials. It is called the GHOST vulnerability because it can be triggered through the GetHOST functions. The vulnerability was first introduced in glibc-2.2, released Nov 10, 2000. Although it was fixed on May 21, 2013, the fix was not classified as a security threat, so many Linux systems are still vulnerable today. To exploit this vulnerability, all an attacker needs to do is trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution. The vulnerability then enables a remote attacker to execute arbitrary code with the permissions of the user running the application that performs the DNS lookup. In short, once an attacker has exploited GHOST they may be capable of taking over the system.
Superfish is an advertising company that develops various advertising-supported software products based on a visual search engine. The company is based in Palo Alto, California, and was founded in Israel in 2006. Its software has been described as malware or adware by several sources. The software was bundled with various applications as early as 2010, and Lenovo began to bundle the software with some of its computers in September 2014. On Feb 20, 2015, the United States Department of Homeland Security advised uninstalling it and its associated root certificate, because they subject computers to serious cyberattacks, including interception of passwords and sensitive data being transmitted through browsers. This article uses material from Wikipedia. The Author(s) and Editor(s) listed with this article may have significantly modified the content derived from Wikipedia with original content or with content drawn from other sources. The current version of the cited Wikipedia article may differ from the version that existed on the date of access. Text in this article available under the Creative Commons Attribution/ShareAlike License.
Editorial Box
OCIO Newsletter Advisory Board: Dr. Andy Chun (OCIO), Ms. Annie Ip (OCIO), Mr. John Hui (ESU), Mr. Raymond Poon (CSC), Mr. Peter Mok (CSC), Ms. Maria Chin (CSC)
Publishing Team: Ms. Noel Laam (CSC), Ms. Annie Yu (CSC), Ms. Joyce Lam (CSC), Mr. Ng Kar Leong (CSC), Ms. Kitty Wong (ESU), Ms. Doris Au (OCIO)
For Enquiry: Phone 3442 6284, Fax 3442 0366, Email csc@cityu.edu.hk
OCIO Newsletter Online: http://issuu.com/cityuhkocio