Information Security in Schools
(28/06/2017) Beware of Petwrap / NotPetya Ransomware spreading
Please take note of the message from Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT):
A new variant of ransomware known as Petwrap / Petrwrap / Petya / NotPetya / Nyetya is spreading quickly. It encrypts victims’ data files and demands a ransom. Some overseas countries were hit. The different names of the ransomware indicate that there is a debate among security experts on whether this ransomware is directly related to another known ransomware, Petya.
The ransomware can be spread via phishing email or via local network.
An infected computer uses two methods to attack computers on the local network. It uses the EternalBlue exploit previously employed by the WannaCry ransomware to attack computers that have not applied the SMB patch (MS17-010). It also tries to force computers on the local network on which it has administrative rights to install the malware.
HKCERT would like to alert organizations to take measures to prevent your network from infection and data loss. The centre has issued a security alert on the ransomware. Please refer to this URL: https://www.hkcert.org/my_url/en/alert/17062801
(16/05/2017) How to get an update through Windows Update
For details, please visit the Microsoft website: https://support.microsoft.com/en-us/help/3067639/how-to-get-an-update-through-windows-update
(15/05/2017) Tackling Ransomware and Related Seminar on 17 May 2017
1. A new variant of ransomware known as "WannaCry" (WannaCrypt) is spreading quickly through a Windows SMB vulnerability (targeted by the EternalBlue exploit and the DoublePulsar backdoor). HKCERT is aware of widespread infections overseas and advises adopting the attached precautionary measures.
For further updates, please visit
2. AiTLE is working with a number of stakeholders, including HKCERT, Microsoft and EDB, to organise a seminar on tackling ransomware for schools.
Information on the seminar is as follows:
Speaker's presentation slides and notes are as follows:
3. In order to raise public awareness of information and cyber security, the OGCIO recently produced two infographics titled "Beware of Ransomware Infection" and "Secure Your Home Network Devices", which help remind your teachers and students to take the necessary precautions against ransomware attacks. Schools may download the softcopy of the two infographics from the website at http://www.cybersecurity.hk/tc/resources.php.
4. For recommended practices for information security in schools, please refer to http://www.edb.gov.hk/attachment/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/WiFi900/IT_SecurityinSchools_RecommendedPractice_Aug2016.pdf.
5. Should you have any enquiries regarding handling the issue, please contact the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) by e-mail to firstname.lastname@example.org or by phone on 8105 6060. You are also welcome to contact our technical advisory team at 3698 3594 / 3698 3574 / 3698 3566 / 3698 4148.
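Both the NotPetya advisory (28/06/2017) and the WannaCry advisory (15/05/2017) above come down to the same host-level question: is the MS17-010 SMB patch installed, and is SMBv1 still enabled and reachable? The following PowerShell script is an added example written for this page; it is not HKCERT's, EDB's or Microsoft's own tooling. It assumes a Windows 8.1 / Server 2012 or later host (the SmbShare and DISM modules it uses ship with those versions) and run from an elevated session. The KB list is the one published with Microsoft bulletin MS17-010 and is reproduced here from memory, so verify it against the bulletin before relying on it.

```powershell
# Added example (not HKCERT/EDB/Microsoft code): report this host's exposure to the
# EternalBlue SMB flaw patched by MS17-010, and optionally disable SMBv1.
# Run in an elevated PowerShell session on Windows 8.1 / Server 2012 or later.

# KB numbers published with MS17-010 (March 2017) for versions that received a
# standalone fix. ASSUMPTION to verify against the bulletin. Later Windows 10
# cumulative updates supersede these, so on Windows 10 a missing KB here is NOT
# conclusive; the SMBv1 status below is the robust signal.
$Ms17010Kbs = @(
    'KB4012598',                              # Windows XP / Vista / Server 2003 / 2008
    'KB4012212', 'KB4012215',                 # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',                 # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                 # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'     # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Exposure {
    [CmdletBinding()]
    param()

    $os           = Get-CimInstance -ClassName Win32_OperatingSystem
    $installedKbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matchedKbs   = @($installedKbs | Where-Object { $Ms17010Kbs -contains $_ })

    # SMBv1 on the server side is what EternalBlue targets over TCP 445.
    $smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # The optional OS component is absent on some server SKUs, hence the try/catch.
    try {
        $smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch { $smb1Feature = 'NotApplicable' }

    # Is anything actually listening on 445 for the network to reach?
    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        OS                = $os.Caption
        Build             = $os.BuildNumber
        Smb1ServerEnabled = $smb1Server
        Smb1FeatureState  = $smb1Feature
        Port445Listening  = $listening445
        Ms17010KbsFound   = ($matchedKbs -join ', ')
        LikelyExposed     = ($smb1Server -and $listening445 -and ($matchedKbs.Count -eq 0))
    }
}

function Disable-Smb1 {
    # Remediation: the EternalBlue component of WannaCry/NotPetya needs SMBv1;
    # normal Windows file sharing uses SMBv2/3 and keeps working without it.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        try {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop | Out-Null
        } catch { Write-Warning "SMB1Protocol optional feature not present on this SKU: $_" }
    }
}

# Usage: report first, then remediate once the report has been read.
Test-Ms17010Exposure | Format-List
# Disable-Smb1 -WhatIf    # preview the change
# Disable-Smb1            # apply (a restart completes removal of the feature)
```

Run the report across school workstations (for example through a remote session or a logon script that appends the output to a share) and treat any host with `LikelyExposed` true as a priority for patching via Windows Update, then disable SMBv1 everywhere it is not needed, since that closes the spreading path regardless of patch state.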
(20/02/2017) Infographics from Office of the Government Chief Information Officer (OGCIO)
OGCIO: Infographics on "Beware of Ransomware Infection" and "Secure Your Home Network Devices"
(13/05/2016) Protect Mobile Devices from Ransomware Attacks
Ransomware is hitting mobile devices, and the trend is on the rise. An information security vendor detected 2 896 mobile ransomware programs in Q1 2016, 1.4 times the figure in Q4 2015. The trend is that ransomware attacks keep growing on personal computers (PCs) while spreading rapidly to mobile devices. Facing this trend, every government mobile device user and administrator shall be well aware of the threats and take action to protect their mobile devices, in addition to protecting their PCs.
Ransomware Threats to Mobile Devices
Similar to the threats to PCs, ransomware locks down mobile devices or encrypts data stored in and connected to the devices to deny user access. Payment is then demanded from the users to restore access. Mobile devices can get infected with ransomware in the following ways:
• Downloading and installing mobile apps that have ransomware embedded in them;
• Opening attachments or clicking links in phishing emails;
• Clicking malicious links in, or opening, specially crafted SMS, MMS and instant messages; or
• Visiting a compromised website that triggers a “drive-by” download of ransomware.
Once ransomware infects a mobile device, it sends a fingerprint of the ransomware app, the IMEI or the device’s phone number to a command and control (C&C) server. The C&C server sends back an encryption key for that particular device, with which the device can be locked or the files on it encrypted. The user suffers a total denial of access to the mobile device until a factory reset is performed, after which all data is lost unless a timely backup is available.
Users and administrators should take the following preventive measures:
For B/Ds with mobile device management, the administrators are advised to deploy policy controls to:
(a) Whitelist permitted mobile apps to block unauthorized apps from installation;
(b) Push anti-malware apps installation and update;
(c) Restrict users to download from permitted apps stores only; and
(d) Enforce browser security settings, including anti-phishing and blocking pop-ups.
If the mobile device is infected, the user should:
(a) Shut down the device immediately;
(b) Report the case to DITSOs or ISIRTs;
(c) Jot down what has been accessed before discovering the issue;
(d) Remove the SIM card and removable storage media (if applicable) before turning on the device to avoid spreading the malware through mobile network; and
(e) Report to the Police for investigation.
(13/05/2016) Protect Internet-facing Systems against Unauthorised Administrative Access
The administrative interface (or admin interface) of a system is a common point of attack for intruders who intend to gain administrator privilege and take total control of the target system. Exposing the admin interface to the Internet is therefore a risky option. All administrators of Internet-facing systems shall take action to protect their systems against unauthorised administrative access. The following actions are recommended:
(a) Minimise exposure of the admin interface to the Internet
Remote administration through the Internet is generally of higher risk than through the trusted internal network or local console administration. Some admin interfaces may be enabled by default configurations. The administrators should:
• Examine whether any admin interface is enabled and accessible from the Internet; and
• Disable Internet access to the admin interface if it is not needed.
(b) Step up protection of the admin interface with operational needs
If the operational needs justify the Internet-accessible admin interface, the administrator should step up protection of the access as suggested:
• Deploy a virtual private network (VPN), such as an SSL-VPN, for accessing the admin interface;
• Enforce a strong password policy, including password complexity, lockout after repeated failures and password aging, or even two-factor authentication, against brute-force password attacks;
• Restrict access to the admin interface to specific host IP addresses, and time-limit the access;
• Rename or revoke the default accounts of the admin interface system;
• Enforce the principles of least privilege and segregation of duties; and
• Regularly monitor the access and account activities of admin accounts.
You are strongly advised to consult and liaise with the technical support of the system(s) operated by your School to review the relevant system and take necessary actions to enhance protection of administrative interface as appropriate.
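As an added example of items (b) above on a Windows host whose admin interface is Remote Desktop (TCP 3389), the following PowerShell script scopes the inbound RDP rule to an allowlist of management addresses, sets an account-lockout policy against brute forcing, and summarises failed logons against admin accounts from the Security log so that repeated failures or attempts from outside the allowlist stand out. It is not EDB's or the page's own script; the management addresses and admin account names are constructed placeholders, and it assumes Windows 8.1 / Server 2012 R2 or later run from an elevated session.

```powershell
# Added example (not EDB's code): restrict and monitor a Windows admin interface (RDP).
# Run elevated. Addresses and account names below are constructed placeholders.

# Management hosts that may reach the admin interface (constructed example values).
$AllowedSources = @('10.10.0.5', '10.10.0.6')
# Accounts treated as administrative by the monitoring report (constructed).
$AdminAccounts  = @('Administrator', 'school-admin')

function Protect-AdminInterface {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $RemoteAddress = $AllowedSources,
        [int]      $Port = 3389
    )
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Restrict TCP $Port to $($RemoteAddress -join ',')")) { return }

    # Windows Firewall evaluates Block rules before Allow rules, so the allowlist
    # is built on the profile default (block inbound) plus ONE scoped Allow rule.
    # A catch-all Block rule would override the Allow and lock everyone out.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # Disable the built-in "any source" Remote Desktop allow rules.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -Enabled False

    # Replace any earlier copy of the scoped rule, then create it.
    Remove-NetFirewallRule -DisplayName 'Admin interface - allowlisted sources' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'Admin interface - allowlisted sources' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null

    # Lockout after 5 failures; 30-minute lockout; 30-minute observation window.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Get-AdminLogonFailures {
    # Summarise Security event 4625 (failed logon) for admin accounts over a window,
    # grouped by source address, so brute-force attempts and off-allowlist sources show.
    param([int] $Hours = 24, [int] $Threshold = 10)

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Read named fields from the event XML instead of positional indexes.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($AdminAccounts -contains $d['TargetUserName']) {
            [PSCustomObject]@{
                Time    = $e.TimeCreated
                Account = $d['TargetUserName']
                Source  = $d['IpAddress']
                Allowed = ($AllowedSources -contains $d['IpAddress'])
            }
        }
    }

    $rows | Group-Object Source, Account | ForEach-Object {
        [PSCustomObject]@{
            Source        = $_.Group[0].Source
            Account       = $_.Group[0].Account
            Failures      = $_.Count
            FromAllowlist = $_.Group[0].Allowed
            Suspicious    = ($_.Count -ge $Threshold) -or (-not $_.Group[0].Allowed)
        }
    } | Sort-Object Failures -Descending
}

# Usage:
# Protect-AdminInterface -WhatIf        # preview the firewall and lockout changes
# Protect-AdminInterface                # apply
Get-AdminLogonFailures -Hours 24 | Format-Table -AutoSize
```

Placing the admin interface behind a VPN, as the first bullet recommends, is still the stronger control; the firewall scoping here is the fallback when direct exposure cannot be avoided. The report is most useful when scheduled daily and reviewed alongside successful logons (event 4624) for the same accounts.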
(14/04/2016) Urgent Updates to fix Multiple Vulnerabilities in Adobe Flash Player
As informed by OGCIO, there are reports that a vulnerability in Adobe Flash Player is being exploited to spread ransomware. Please ensure that Adobe Flash Player and other software, in particular the anti-virus software, installed on your desktop and notebook computers are always updated to the latest version. You may wish to go to the official Flash Player page (https://helpx.adobe.com/flash-player.html) and click the "Check Now" button in Step 1 on that page to check whether the Adobe Flash Player installed on your computer is the latest version. If not, please follow the instructions in Step 2 to download the latest version of Flash Player.
(12/04/2016) Tackling Ransomware
Recently, there have been public concerns over IT security in schools, in particular ransomware intrusion via emails. On opening attachments or hyperlinks in fake emails, users may get their workstations infected with ransomware programs, which encrypt files in their local folders as well as in any network shared folders they can access. The hackers then demand ransom money for a key to decrypt the files. Users can no longer read or open the encrypted files without the decryption key, and the only reliable way to salvage the files is to recover them from an offline backup. As current anti-virus software may not be able to detect such an intrusion, prevention is of utmost importance. You may wish to know that the IT in Education Section has prepared the "IT Security in Schools - Recommended Practice" to help schools handle their general security matters. The document is available on our website (http://www.edb.gov.hk/ited/wifi900) and also attached below for your reference.
In relation to the latest ransomware case, schools are advised to take the following suggested actions:
(a) BACKUP important data frequently and keep the backup data disconnected from the computer;
(b) DISABLE macros for Microsoft Word, Excel and other office applications by default;
(c) DO NOT open any suspicious emails, attachments and hyperlinks;
(d) REFRAIN from visiting suspicious websites or downloading any files from them;
(e) CHECK that your anti-malware program and its signatures are up to date, and KEEP them so;
(f) INSTALL the latest patches for software in use;
(g) DO NOT connect unauthorised computer resources, including those privately-owned removable storage media, to computers; and
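As an added example of the technical items in the list above, (b), (e) and (f), the following PowerShell script sets the Office macro policy for the current user and reports whether anti-malware signatures and Windows patches are current. It is not EDB's script. It assumes Office 2013/2016 (registry version keys 15.0 and 16.0), Windows Defender as the anti-malware program, and an elevated session; on a school domain the same macro settings are better pushed by Group Policy, which writes the same registry values.

```powershell
# Added example (not EDB's code): apply and check the preventive measures (b), (e), (f)
# on a Windows workstation. Run elevated. A domain GPO is the scaled way to deploy
# the macro policy; this writes the same registry values locally for the current user.

function Disable-OfficeMacros {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Office registry version keys: 15.0 = Office 2013, 16.0 = Office 2016/2019/365.
        [string[]] $Versions = @('15.0', '16.0'),
        [string[]] $Apps     = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            if ($PSCmdlet.ShouldProcess($key, 'Set macro policy')) {
                New-Item -Path $key -Force | Out-Null
                # VBAWarnings 4 = "Disable all macros without notification".
                New-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -PropertyType DWord -Force | Out-Null
                # Office 2016+: block macros in files carrying the Mark of the Web (downloaded or from email).
                New-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

function Get-OfficeMacroPolicy {
    # Read back the policy values so the readiness report can show them.
    param([string] $Version = '16.0', [string] $App = 'Word')
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        App         = "$App $Version"
        VBAWarnings = $p.VBAWarnings
        BlockMotW   = $p.BlockContentExecutionFromInternet
    }
}

function Get-RansomwareReadiness {
    # (e) anti-malware signatures current; (f) patches installed recently; (b) macros off.
    param([int] $MaxSignatureAgeDays = 3, [int] $MaxPatchAgeDays = 45)

    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue   # Windows Defender status
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
                 Select-Object -First 1 -ExpandProperty InstalledOn

    [PSCustomObject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = if ($mp) { [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays } else { $null }
        SignaturesCurrent  = [bool]($mp -and ($mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-$MaxSignatureAgeDays)))
        LastPatchInstalled = $lastPatch
        PatchingCurrent    = [bool]($lastPatch -and ($lastPatch -gt (Get-Date).AddDays(-$MaxPatchAgeDays)))
        WordMacrosDisabled = ((Get-OfficeMacroPolicy).VBAWarnings -eq 4)
    }
}

# Usage:
# Disable-OfficeMacros -WhatIf    # preview the registry keys that would be written
# Disable-OfficeMacros            # apply for the current user
Get-RansomwareReadiness | Format-List
```

`VBAWarnings` set to 4 blocks all macros; where a school genuinely needs signed macros, value 3 ("disable all except digitally signed") is the usual compromise, and `BlockContentExecutionFromInternet` still stops the email-attachment case that item (c) warns about.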
In case of suspected infection:
(a) DISCONNECT the network cable of the computer to avoid affecting network drives and other computers;
(b) POWER OFF the computer to stop the ransomware encrypting more files;
(c) JOT DOWN what has been accessed (such as programs, files, emails and websites) before discovering the issue; and
(d) REPORT the case to relevant personnel / organisation, such as ICT coordinator in school, HKCERT, HK Police, etc.
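As an added example of steps (a) to (c) above on a Windows workstation (step (d), reporting, remains a human action), the following PowerShell function disables every active network adapter, writes a note of mapped drives, running processes and recently modified user files, and can then power the machine off. It is not EDB's script; the default note path is a constructed placeholder, and it assumes Windows 8 / Server 2012 or later run from an elevated session.

```powershell
# Added example (not EDB's code): first-response containment for a suspected
# ransomware infection, following steps (a)-(c) above. Run elevated, immediately.

function Invoke-RansomwareContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Where to write the "jot down" note. Removable media is the safe choice
        # (it survives the power-off and cannot be encrypted once unplugged);
        # the local path below is a constructed default if nothing else is at hand.
        [string] $NotePath = "C:\IR-note-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmm).txt",
        [int]    $RecentMinutes = 120,
        [switch] $PowerOff
    )

    # (a) Disconnect: take every active adapter down (wired and Wi-Fi alike) so
    # network drives and other computers stop being reachable.
    $adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
    if ($PSCmdlet.ShouldProcess(($adapters.Name -join ', '), 'Disable network adapter')) {
        $adapters | Disable-NetAdapter -Confirm:$false
    }

    # (c) Jot down: mapped drives, running processes and recently modified user files
    # (the likely encryption footprint) before the evidence disappears at power-off.
    $since  = (Get-Date).AddMinutes(-$RecentMinutes)
    $recent = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
              Where-Object LastWriteTime -gt $since |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 200 FullName, LastWriteTime, Length

    $note = @(
        "Host: $env:COMPUTERNAME  User: $env:USERNAME  Time: $(Get-Date -Format o)"
        "Adapters disabled: $($adapters.Name -join ', ')"
        ''
        '== Mapped / network drives =='
        (Get-PSDrive -PSProvider FileSystem | Where-Object DisplayRoot | Format-Table Name, DisplayRoot -AutoSize | Out-String)
        '== Running processes =='
        (Get-Process | Sort-Object Id | Format-Table Id, ProcessName, Path -AutoSize | Out-String)
        "== Files modified in the last $RecentMinutes minutes (first 200) =="
        ($recent | Format-Table -AutoSize | Out-String)
    )
    if ($PSCmdlet.ShouldProcess($NotePath, 'Write incident note')) {
        $note | Set-Content -Path $NotePath -Encoding UTF8
        Write-Host "Incident note written to $NotePath - keep a copy off this machine and report it (step d)."
    }

    # (b) Power off to stop further encryption. Opt-in so the note can be copied first.
    if ($PowerOff -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Power off')) {
        Stop-Computer -Force
    }
}

# Usage:
# Invoke-RansomwareContainment -WhatIf                     # show what would happen
# Invoke-RansomwareContainment -NotePath 'E:\IR-note.txt'  # E: = removable media
# Invoke-RansomwareContainment -PowerOff                   # disconnect, note, then shut down
```

Practise the `-WhatIf` run on a healthy machine so that the ICT coordinator knows what the command does before an incident; during a real one, pulling the network cable and holding the power button remain valid if the machine is too slow to run anything.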