Information Security in Schools
|(24/09/2018) Cyber Security Campaign – Smart Devices Security [EDBCM No.164/2018]|
EDB ITE Section issued an EDB Circular Memorandum No.164/2018 on “Cyber Security Campaign – Smart Devices Security” [EDBCM No.164/2018]
The purpose of this circular memorandum is to inform heads of schools about the launch of the “Cyber Security Campaign – Smart Devices Security” organised by the Cyber Security and Technology Crime Bureau (CSTCB) of Hong Kong Police Force (HKPF), and the distribution of the relevant posters and leaflets on the Campaign.
|(20/06/2018) Build a Secure Cyberspace 2018 “Stay Smart, Keep Cyber Scam Away” Video Ad Contest [EDBCM No.101/2018]|
EDB ITE Section issued an EDB Circular Memorandum No.101/2018 on “Build a Secure Cyberspace 2018 'Stay Smart, Keep Cyber Scam Away' Video Ad Contest” [EDBCM No.101/2018]
The purpose of this circular memorandum is to inform heads of primary and secondary schools of the Build a Secure Cyberspace 2018 “Stay Smart, Keep Cyber Scam Away” Video Ad Contest. All students and teachers of the schools are invited to participate in the captioned activity.
|(05/06/2018) Cyber Security and Technology Crime Bureau of Hong Kong Police Force (HKPF) introduced the "No More Ransom" Project|
|(02/06/2018) IT in Education e-Safety Series: School Websites Secure Sockets Layer (SSL) Protection, Security Risk and Cyber Security Seminar on 2 June 2018 [EI0020180236]|
This seminar aims to raise schools' awareness and knowledge of information and cyber security issues. Details of the seminar are as follows:
Speaker's presentation slides are as follows:
*Remark: Presentation slides by HKPF & HKITF could not be provided.
|(28/05/2018) Cyber Security Campaign (Phase Two) [EDBCM No.092/2018]|
EDB ITE Section issued an EDB Circular Memorandum No. 92/2018 on "Cyber Security Campaign (Phase Two)" [EDBCM No.092/2018]
The purpose of this circular memorandum is to inform heads of schools about the launch of “Cyber Security Campaign (Phase Two)” organised by the Cyber Security and Technology Crime Bureau (CSTCB) of Hong Kong Police Force (HKPF), and the distribution of poster and leaflet on the campaign.
|(17/05/2018) Useful Links on Website Security|
1) Safety centre on “Keep Your Website Safe” (useful information on how to protect websites and secure the data)
2) “HTTPS and Website Security” (Leaflet)
3) “Secure Your Website, Be a Smart Website Owner” (Leaflet)
Schools that would like to learn more about CSIP and its services can approach OGCIO's School Visit programme. The details are available at: https://www.cybersecurity.hk/en/school-visit.php
|(14/05/2018) Reminder on IT Security Matter on HTTPS from IT in Education Section, EDB|
Google has announced that, starting with the release of Chrome 68 in July 2018, its Chrome browser will mark all HTTP sites as “not secure”. Any website that stays on HTTP will be shown to Chrome users as not secure. In this connection, you may wish to migrate your school’s websites/web applications, in particular Internet-facing ones, to HTTPS in a timely manner in order to avoid undesirable consequences such as worries and queries from students, parents, the media and the public. Google’s announcement can be found at the following website:
|Schools may refer to the following InfoSec website to know more about HTTPS and website security:|
|To enable HTTPS on websites for content delivery, schools need to acquire digital certificates for servers. Reference could be made to the following webpage of OGCIO on the recognised certification authorities in Hong Kong:|
|Schools are reminded to take necessary actions to protect their information systems/websites, such as applying the latest security patches recommended by the product vendors, encrypting all classified information while in storage, encrypting classified information when it is transmitted over an un-trusted communication network (e.g. Internet), implementing appropriate access controls, etc. For further information, schools may refer to OGCIO’s InfoSec website at the following link:|
|To enhance schools’ awareness and understanding on information and cyber security issues, a seminar “IT in Education e-Safety Series: School Websites Secure Sockets Layer (SSL) Protection, Security Risk and Cyber Security Seminar (EI0020180236)” will be held on 2 June 2018. Relevant teachers and technical support staff are encouraged to enroll at:|
|(15/11/2017) Briefing Seminar on Strengthening School Information Security & Data Protection on 28 & 29 November 2017|
AiTLE is working with a number of stakeholders, including HKPF, Cisco, Microsoft and EDB, to organise a seminar on strengthening school information security & data protection. Details of the seminar are as follows:
|Speaker's presentation slides are as follows:
*Remark: Presentation slides by HKPF could not be provided.
|(14/11/2017) Special Attention on Ransomware Attacks Leveraging Remote Desktop Services (RDP) for Infection|
We notice that there have been reports of Crysis/Dharma ransomware attacks through RDP recently in Hong Kong, resulting in data being encrypted and inaccessible. TSS are advised to review and take the following preventive measures to protect the computers of your school from ransomware attacks:
(a) Block RDP protocol access from the Internet. If remote access from the Internet is unavoidable, additional protection (such as VPN and multiple-factor authentication for the access) should be applied;
(b) Restrict the use of RDP in computers;
(c) Apply the least privilege principle to the account(s) that can remotely access the computer. Do not grant the administrator right unless necessary;
(d) Use strong passwords and change passwords frequently;
(e) Implement an account lockout policy to lock out an account after a set number of failed login attempts;
(f) Restrict access to the RDP-enabled computers to specific IP(s) only; and
(g) Limit the time period allowed for remote connection.
Secure the Remote Desktop Services (RDP) for Preventing Ransomware Attack!
CrySIS/Dharma-variant .arena Ransomware Encrypts Victim Data
|(14/11/2017) Beware of Bad Rabbit Ransomware Spreading|
A new variant of ransomware known as “Bad Rabbit” is delivered through a compromised website, tricking a user into downloading and installing seemingly legitimate but malicious software that infects the computer. It can spread to other vulnerable computers in the same network by using the same technique as PetrWrap (i.e. leveraging the legitimate Windows Management Instrumentation (WMI) service). Users/Administrators are advised to review and take the following preventive measures to protect the computers of your school from ransomware attacks:
1. To protect your computer against the ransomware attacks, every computer user should take the following actions:
(a) Backup important data frequently and keep the backup data disconnected from the computer;
(b) Use strong passwords and change the passwords regularly;
(c) Do not open any suspicious emails, attachments and hyperlinks;
(d) Refrain from visiting suspicious websites or downloading any files from them; and
(e) Check and keep your anti-malware program and signatures up-to-date.
2. For network/system administrators, the following preventive measures are advised:
(a) Disable WMI services on computers if they are not necessary for the users;
(b) Block RDP protocol access from the Internet if the access is not necessary; otherwise, apply additional protection, such as VPN and multiple-factor authentication for the access;
(c) Ensure timely patching of computer systems against known vulnerabilities; and
(d) Avoid granting administrative privileges to end users.
3. In case a computer is infected, users should take the following IMMEDIATE actions:
(a) Disconnect the network cable of the computer to avoid affecting network drives and other computers; and
(b) Power off the computer to stop the ransomware from encrypting more files.
Please refer to the HKCERT alert at URL: https://www.hkcert.org/my_url/en/blog/17102501 to take measures to prevent your network from infection and data loss.
|(19/10/2017) WiFi Protected Access II (WPA2) Multiple Vulnerabilities (KRACK)|
|Multiple vulnerabilities were identified in WiFi Protected Access II (WPA2) which could allow an attacker to conduct a key reinstallation attack (KRACK) on targeted devices that use WiFi. An attacker could decrypt the data or even conduct data tampering in the wireless connection.
For details, please visit HKCERT website URL: https://www.hkcert.org/my_url/en/alert/17101701
|(28/06/2017) Beware of Petwrap / NotPetya Ransomware spreading|
|Please take note of the message from Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT):
A new variant of ransomware known as Petwrap / Petrwrap / Petya / NotPetya / Nyetya is spreading quickly. It encrypts victims’ data files and demands a ransom. Some overseas countries were hit. The different names of the ransomware indicate that there is a debate among security experts on whether this ransomware is directly related to another known ransomware, Petya.
The ransomware can be spread via phishing email or via local network.
An infected computer uses two methods to attack computers on the local network. It uses the EternalBlue exploit previously employed by the WannaCry ransomware to attack computers that have not applied the SMB patch (MS17-010). It also tries to force computers in the local network on which it has administrative rights to install the malware.
HKCERT would like to alert organizations to take measures to prevent their networks from infection and data loss. The centre has issued a security alert on the ransomware. Please refer to this URL: https://www.hkcert.org/my_url/en/alert/17062801
|(16/05/2017) How to get an update through Windows Update|
|For details, please visit Microsoft website URL: https://support.microsoft.com/en-us/help/3067639/how-to-get-an-update-through-windows-update|
|(15/05/2017) Tackling Ransomware and Related Seminar on 17 May 2017|
1. A new variant of ransomware known as "WannaCry" (WannaCrypt) is spreading quickly through a Windows SMB vulnerability (EternalBlue and DoublePulsar). HKCERT was aware that it had spread widely overseas and advised adopting the attached precautionary measures.
For further updates, please visit
2. AiTLE is working with a number of stakeholders, including HKCERT, Microsoft and EDB, to organise a seminar on tackling ransomware for schools.
Details of the seminar are as follows:
Speaker's presentation slides and notes are as follows:
3. In order to raise public awareness on information and cyber security, the OGCIO recently produced two infographics titled as "Beware of Ransomware Infection" and "Secure Your Home Network Devices" which help to remind your teachers and students to take necessary precautions against ransomware attacks. Schools may download the softcopy of the two infographics from the website at http://www.cybersecurity.hk/tc/resources.php.
4. For recommended practices for information security in schools, please refer to Information Security in Schools - Recommended Practice.
5. Should you have any enquiries regarding handling the issue, please contact the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) by e-mail to firstname.lastname@example.org or by phone on 8105 6060. Besides, you are welcome to contact our technical advisory team at 3698 3594 / 3698 3574 / 3698 3566 / 3698 4148.
|(20/02/2017) Infographics from Office of the Government Chief Information Officer (OGCIO)|
|OGCIO: Infographics on "Beware of Ransomware Infection" and "Secure Your Home Network Devices"|
|(13/05/2016) Protect Mobile Devices from Ransomware Attacks|
Ransomware hits mobile devices and is on the rise. An information security vendor detected 2 896 mobile ransomware programs in Q1 2016, which is 1.4 times the figure in Q4 2015. The trend is that ransomware attacks keep growing on personal computers (PCs) while spreading rapidly to mobile devices. Facing the trend, every government mobile device user and administrator shall be well aware of the threats and take actions to protect their mobile devices, in addition to protecting their PCs.
Ransomware Threats to Mobile Devices
Similar to the threats to PCs, ransomware locks down mobile devices or encrypts data stored in and connected to the devices to deny user access. Payments are then demanded from the users to release the access. Mobile devices could get infected with ransomware in the following ways:
• Download and install mobile apps that are embedded with ransomware;
• Open attachments or click links in phishing emails;
• Click malicious links in or open specially crafted SMS, MMS and instant messages; or
• Click on a compromised website to trigger a “drive-by” download of ransomware.
Once ransomware infects a mobile device, it sends a fingerprint of the ransomware app, the IMEI or the device’s phone number to a command and control (C&C) server. The C&C server sends back an encryption key for the particular device, by which the device can be locked or files on the device can be encrypted. The user would suffer from total denial of access to the mobile device until a factory reset is performed, but all data would be lost unless a timely backup is available.
Users and administrators should take the following preventive measures:
For B/Ds with mobile device management, the administrators are advised to deploy policy controls to:
(a) Whitelist permitted mobile apps to block unauthorized apps from installation;
(b) Push anti-malware apps installation and update;
(c) Restrict users to download from permitted apps stores only; and
(d) Enforce browser security settings, including anti-phishing and blocking pop-ups.
If the mobile device is infected, the user should:
(a) Shut down the device immediately;
(b) Report the case to DITSOs or ISIRTs;
(c) Jot down what has been accessed before discovering the issue;
(d) Remove the SIM card and removable storage media (if applicable) before turning on the device to avoid spreading the malware through mobile network; and
(e) Report to the Police for investigation.
|(13/05/2016) Protect Internet-facing Systems against Unauthorised Administrative Access|
The administrative interface (or admin interface) of a system is a usual point of attack by intruders who intend to gain administrator privilege for taking total control of the target system. Exposing the admin interface to the Internet is therefore a risky option. All administrators of Internet-facing systems shall take actions to protect their systems against unauthorised administrative access. The following actions are recommended:
(a) Minimise exposure of the admin interface to the Internet
Remote administration through the Internet is generally of higher risk than through the trusted internal network or local console administration. Some admin interfaces may be enabled by default configurations. The administrators should:
• Examine if any admin interface is enabled and accessible from the Internet; and
• Disable the admin interface from Internet access if not needed.
(b) Step up protection of the admin interface with operational needs
If the operational needs justify the Internet-accessible admin interface, the administrator should step up protection of the access as suggested:
• Deploy a virtual private network (VPN), such as SSL-VPN, for accessing the admin interface;
• Enforce a strong password policy, such as password complexity, lockout after retries and password aging, or even two-factor authentication, against brute-force password attacks;
• Restrict access to the admin interface to specific host IP addresses only and time-limit the access;
• Rename or revoke default accounts of the admin interface system;
• Enforce the principles of least privilege and segregation of duties; and
• Regularly monitor the access or account activities on admin accounts.
You are strongly advised to consult and liaise with the technical support of the system(s) operated by your School to review the relevant system and take necessary actions to enhance protection of administrative interface as appropriate.
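The restrictions recommended above (specific source addresses, time-limited access, lockout after retries, regular monitoring of admin accounts), which also appear as items (e) to (g) of the RDP advisory of 14/11/2017, can be checked against logon records. The following Python review is an added example, not part of the original advisories; the record layout, the allowed network, the permitted hours, the lockout threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values, chosen for illustration only.
ALLOWED_SOURCES = [ip_network("10.20.0.0/24")]  # e.g. the VPN address pool
ALLOWED_HOURS = range(8, 19)                    # remote logons allowed 08:00-18:59
LOCKOUT_THRESHOLD = 5                           # failed attempts ...
LOCKOUT_WINDOW = timedelta(minutes=15)          # ... within this window

# Constructed sample records: time, account, source IP, outcome.
SAMPLE_LOG = """\
2017-11-14T09:02:11 itadmin 10.20.0.15 success
2017-11-14T13:10:00 administrator 203.0.113.7 failure
2017-11-14T13:10:20 administrator 203.0.113.7 failure
2017-11-14T13:10:41 administrator 203.0.113.7 failure
2017-11-14T13:11:02 administrator 203.0.113.7 failure
2017-11-14T13:11:30 administrator 203.0.113.7 failure
2017-11-14T13:12:05 administrator 203.0.113.7 success
2017-11-14T23:40:03 itadmin 10.20.0.15 success
"""

def parse_records(text):
    """Turn 'time account ip outcome' lines into typed records, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, account, source, outcome = line.split()
        records.append({"time": datetime.fromisoformat(when), "account": account,
                        "source": ip_address(source), "outcome": outcome})
    return sorted(records, key=lambda r: r["time"])

def review(records):
    """Return sorted (rule, account, detail) findings for the three checks."""
    findings = set()
    recent_failures = defaultdict(list)
    for r in records:
        # Source restriction: any attempt from outside the allowed networks.
        if not any(r["source"] in net for net in ALLOWED_SOURCES):
            findings.add(("unlisted-source", r["account"], str(r["source"])))
        # Time limit: a successful remote logon outside the permitted hours.
        if r["outcome"] == "success" and r["time"].hour not in ALLOWED_HOURS:
            findings.add(("outside-hours", r["account"], r["time"].isoformat()))
        # Lockout: failures per account inside a sliding window.
        if r["outcome"] == "failure":
            window = recent_failures[r["account"]]
            window.append(r["time"])
            while r["time"] - window[0] > LOCKOUT_WINDOW:
                window.pop(0)  # drop failures that have aged out
            if len(window) == LOCKOUT_THRESHOLD:
                # Lockout should have triggered at this moment.
                findings.add(("lockout-threshold", r["account"], r["time"].isoformat()))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(parse_records(SAMPLE_LOG)):
        print(*finding)
```

A successful logon that follows a `lockout-threshold` finding for the same account, as in the sample records, indicates that no lockout policy was in force on that system.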
|(14/04/2016) Urgent Updates to fix Multiple Vulnerabilities in Adobe Flash Player|
As informed by OGCIO, there are reports that the vulnerability in Adobe Flash Player is being exploited to spread ransomware. Please ensure that Adobe Flash Player and other software, in particular the anti-virus software, installed on your desktop and notebook computers are always updated to the latest version. You may wish to go to the official page of Flash Player (https://helpx.adobe.com/flash-player.html) and click the "Check Now" button in Step 1 to check whether the Adobe Flash Player installed on your computer is the latest version. If not, please follow the instructions to download the latest version of Flash Player in Step 2.
|(12/04/2016) Tackling Ransomware|
Recently, there have been public concerns over IT security in schools, in particular ransomware intrusion via emails. On opening attachments or hyperlinks from fake emails, users may get their workstations infected with ransomware programs, which will encrypt files in their local folders as well as any network shared folders that they can access. Hackers will then ask for ransom money for providing a key to decrypt the files. Users would no longer be able to read/open the encrypted files without a decryption key, and the way to salvage the files is to recover them from offline backup. As anti-virus software may currently not be able to detect such intrusion, prevention is of utmost importance. You may wish to know that IT in Education Section has prepared the "IT Security in Schools - Recommended Practice" to help schools handle their general security matters. The document is available on our website (http://www.edb.gov.hk/ited/wifi900) and also attached below for your reference.
In relation to the latest ransomware case, schools are advised to take the following suggested actions:
(a) BACKUP important data frequently and keep the backup data disconnected from the computer;
(b) DISABLE macros for Microsoft Word, Excel and other office applications by default;
(c) DO NOT open any suspicious emails, attachments and hyperlinks;
(d) REFRAIN from visiting suspicious websites or downloading any files from them;
(e) CHECK and KEEP your anti-malware program and signatures up-to-date;
(f) INSTALL the latest patches for software in use;
(g) DO NOT connect unauthorised computer resources, including those privately-owned removable storage media, to computers; and
In case of suspected infection:
(a) DISCONNECT the network cable of the computer to avoid affecting network drives and other computers;
(b) POWER OFF the computer to stop the ransomware encrypting more files;
(c) JOT DOWN what has been accessed (such as programs, files, emails and websites) before discovering the issue; and
(d) REPORT the case to relevant personnel / organisation, such as ICT coordinator in school, HKCERT, HK Police, etc.