Are you being protected by these?
Common Types of Cyber Crime
Nowadays
Steal – information and money
Cheat – false identity and fraudulent transactions
Abduct – hijacking web sites
Fraud – of various kinds
Rob – cyber assets
Blackmail – the DDoS-attack revenue model
Libel – abuse of cyberspace "freedom of speech"
Harassment – sexual or by other means
Online Gambling
This course does not cover the technical aspects of hacking and professional defense!
Topics
Information security
System security issues and measures
Using IT services in a secure manner
Mobile Security
Protection of Personal Sensitive Data
Information security policies and practices
Assignment 2
Source of Risk
Natural
Personal
Criminal
Organizational
Source of Hazard: Natural
"Act of God"
Fire hazard
Water hazard
Quake hazard
Lightning hazard
Source of Hazard: Personal
Lack of AWARENESS
Misunderstanding or underestimating certain risks
Lack of proper precautions
Careless mistakes
Accidental data erasure/ overwrite
Confidential data exposure
Data loss, such as losing a data disc or USB drive
Source of Hazard: Organizational
Information infrastructure breakdown/ brown-out
Power failure
Network outage
System loophole
(Illustration: a system announcing "Your Password is: 123456")
Source of Hazard: Criminal
"Malware" (unauthorized harmful software)
Computer virus
Computer worm
Spyware
Adware
Back-door
Trojan horse
Key-logger
Joke program/ Hoax
"Hacking" activities
Unauthorized information system access
Using IT Services in a Secure Manner
The Internet is globally connected, thus susceptible to attacks
Partial map of the Internet
(Image source: http://en.wikipedia.org/wiki/File:Internet_map_1024.jpg)
Virtual Private Network (VPN)
To build a private network on top of public connections
Concept of "tunneling": by means of mutual authentication and data encryption
Secure Searching
Are you sure the search results are safe links?
Secure Browsing
Enable the pop-up blocker/ Defender
Type HTTPS://www... explicitly as much as possible, for server identification and encrypted communication
Widely-trusted root CAs and their records in the browser's trust store
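The two checks behind "server identification" above, as an added example that is not part of the course material: a hostname-matching function implementing the rules browsers apply when comparing the URL's host with the certificate's Subject Alternative Names (wildcard only as the whole leftmost label, one label only, exact match for IP literals), and the Python `ssl` client settings that require a certificate chaining to a trusted root, shown next to the weak configuration that encrypts without identifying the server. The SAN list is constructed for illustration, not taken from a real certificate.

```python
import ssl
from ipaddress import ip_address

# Constructed sample: the Subject Alternative Names a browser would read out of a
# server certificate (not a real certificate).
SAMPLE_SANS = ("www.example.com", "example.com", "*.cdn.example.com")


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; only a full-label '*' wildcard is honoured."""
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def hostname_matches(cert_names, hostname: str) -> bool:
    """True if hostname is identified by one of the certificate's names.

    Rules (the ones browsers use for server identification):
      * comparison is case-insensitive and ignores one trailing dot;
      * a wildcard may appear only as the whole leftmost label;
      * a wildcard matches exactly one label, never 'a.b.cdn.example.com';
      * '*.com'-style names are refused;
      * IP-address literals must match exactly, with no wildcarding.
    """
    host = hostname.rstrip(".").lower()
    try:
        ip_address(host)
        return any(n.strip().lower() == host for n in cert_names)
    except ValueError:
        pass  # not an IP literal: do DNS-name matching below

    host_labels = host.split(".")
    for name in cert_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if "*" in labels[1:] or any("*" in l and l != "*" for l in labels):
            continue  # wildcard only allowed as the entire leftmost label
        if labels[0] == "*" and len(labels) < 3:
            continue  # refuse '*.com'
        if all(_label_matches(p, h) for p, h in zip(labels, host_labels)):
            return True
    return False


def browser_grade_context() -> ssl.SSLContext:
    """A TLS client context with the checks a browser performs.

    ssl.create_default_context() already loads the trusted root CA store,
    requires a certificate and verifies the hostname; the explicit
    assignments only make those settings visible.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True               # server identification
    ctx.verify_mode = ssl.CERT_REQUIRED     # chain must lead to a trusted root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The weak setting seen in many scripts: encrypted, but to whoever answers.

    With no hostname check and CERT_NONE a network attacker can present any
    certificate and read the traffic: confidentiality without identification.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for h in ("www.example.com", "img.cdn.example.com", "a.b.cdn.example.com", "evil.com"):
        print(f"{h:25s} -> {hostname_matches(SAMPLE_SANS, h)}")
    print("default verify_mode:", browser_grade_context().verify_mode)
```

Typing `https://` only helps if the client also refuses certificates that do not name the host; `insecure_context()` is what "disable certificate warnings" amounts to.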
HTTPS Example
Securing Wi-Fi Connections
Service Provider's Perspective
Set up the Wi-Fi router/ access point securely
Check for firmware updates and apply them promptly
Hide the SSID (disable network name broadcast), i.e. make the AP invisible to casual passers-by
Enable enhanced wireless security features such as WPA3, i.e. enable data encryption and user authentication
Enable MAC address filtering and the hardware firewall
Check system status and logs routinely
Caveat: hiding the SSID and filtering MAC addresses only deter casual users; a passive sniffer still sees the network name and client addresses and can spoof them. Treat them as housekeeping, not as a substitute for WPA3 encryption and a strong passphrase.
Securing Wi-Fi Connections
User's Perspective
Only use registered and legitimate Wi-Fi services
Create/ save profiles for trusted SSIDs
Do NOT use open/ unsecured Wi-Fi APs
Do NOT use Ad-hoc Mode (peer-to-peer networking between devices, with no access point)
See:
https://www.itsc.cuhk.edu.hk/all-it/wifi-and-network/on-campus-wifi/
Firewall
A firewall denies (or allows) certain network connections
Network connections can be inbound or outbound; inbound connections are the more exposed, since they let remote hosts reach services listening on the machine
Example active network connections on a PC:
C:\Users\ENGG1000> netstat -a
Active Connections
Firewall
Different types and layers:
Institutional and personal
Hardware and software
We should always turn on firewall(s)
Two software firewalls on the same computer usually cause compatibility issues, e.g.
Windows Firewall
Kaspersky Firewall
ONLY ONE of them should be turned on, not both!
Improperly configured firewalls may prevent some software and/ or network services from running
Be smart!
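As an added example (not from the course slides), the `netstat -a` output shown above can be read programmatically to find the sockets that accept inbound connections from the network, and a small first-match rule evaluator shows how a host firewall decides on a connection, with the usual asymmetry of deny-by-default inbound and allow-by-default outbound. The netstat lines, the policy and the probe address 198.51.100.7 are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `netstat -a` output on a Windows PC (not captured from a
# real machine): protocol, local address, foreign address, state.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:51234     93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.20:51240     203.0.113.9:22         ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str


def parse_netstat(text: str):
    """Turn netstat -a output into Socket records, skipping header lines."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        sockets.append(Socket(proto, lip, int(lport), f"{rip}:{rport}", state or ""))
    return sockets


def exposed_listeners(sockets):
    """Sockets that accept inbound connections on every interface.

    A service bound to 0.0.0.0 (or ::) is reachable from the network; one bound
    to 127.0.0.1 only from the same machine. UDP sockets have no state column.
    """
    return [s for s in sockets
            if s.state in ("LISTENING", "") and s.local_ip in ("0.0.0.0", "::", "[::]")]


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" or "out"
    proto: str           # "TCP", "UDP" or "*"
    port: Optional[int]  # destination port, None = any
    network: str         # remote network in CIDR notation


def evaluate(rules, direction, proto, port, remote_ip):
    """First matching rule wins; inbound defaults to deny, outbound to allow."""
    addr = ipaddress.ip_address(remote_ip)
    for r in rules:
        if r.direction != direction or r.proto not in ("*", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if addr not in ipaddress.ip_network(r.network):
            continue
        return r.action
    return "deny" if direction == "in" else "allow"


# Constructed host-firewall policy: RDP only from the local LAN, RPC and SMB
# never from anywhere, everything else inbound denied by default.
POLICY = [
    Rule("allow", "in", "TCP", 3389, "192.168.1.0/24"),
    Rule("deny", "in", "TCP", 445, "0.0.0.0/0"),
    Rule("deny", "in", "TCP", 135, "0.0.0.0/0"),
]


def audit(text: str, rules, probe_ip="198.51.100.7"):
    """For each exposed listener, what the policy says to an arbitrary Internet host."""
    return {(s.proto, s.local_port): evaluate(rules, "in", s.proto, s.local_port, probe_ip)
            for s in exposed_listeners(parse_netstat(text))}


if __name__ == "__main__":
    for (proto, port), verdict in audit(SAMPLE_NETSTAT, POLICY).items():
        print(f"{proto}/{port:<5} inbound from the Internet: {verdict}")
```

The established connections to ports 443 and 22 are outbound and never consulted against the inbound rules; the four listeners bound to 0.0.0.0 are what the firewall has to defend.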
Use message filtering and sorting services
Do NOT click on links in a message
Verify the identity of the message sender
Image source:
http://i.hksilicon.com.s3-ap-southeast-1.amazonaws.com/kb/content_images/2011/10/13/41471/1318470251_893.jpg
Fake or Malicious QR Codes
Attackers can easily fool users into scanning malicious QR codes
IPLogger and Shortened URL with QR Code
https://iplogger.org/2hGdr6
Shortened URL
https://bit.ly/3BgMOx9
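An added example, not from the course material, of the checks one can run on a link before following it, whether it arrived in a message or was decoded from a QR code: shortener and IP-logger hosts that hide the destination, an `@` that puts a fake host in front of the real one, raw IP or punycode hosts, plain `http`, and a trusted brand name that appears in the URL but not as the actual host. The shortener, logger and brand lists are constructed for illustration; a real deployment would use maintained feeds. The two slide URLs above are used as inputs.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lists for the example; real deployments use maintained feeds.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
LOGGERS = {"iplogger.org", "grabify.link"}
EXPECTED_BRANDS = {"paypal.com", "cuhk.edu.hk"}  # where the user believes a link leads


def inspect_url(url: str):
    """Return the red flags a scanned or clicked URL raises, before visiting it."""
    flags = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()

    if scheme not in ("http", "https"):
        flags.append(f"non-web scheme '{scheme}'")
    elif scheme == "http":
        flags.append("plain http: no encryption or server identification")

    # http://paypal.com@203.0.113.5/ : everything before '@' is userinfo, not the host
    if parts.username is not None:
        flags.append(f"userinfo '{parts.username}@' hides the real host {host}")

    try:
        ipaddress.ip_address(host)
        flags.append("host is a raw IP address")
    except ValueError:
        pass

    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host: possible look-alike domain")

    base = ".".join(host.split(".")[-2:])  # registrable-domain approximation
    if host in SHORTENERS or base in SHORTENERS:
        flags.append("URL shortener: destination unknown until followed")
    if host in LOGGERS or base in LOGGERS:
        flags.append("IP-logger service: visiting reveals your IP address")

    # A brand string anywhere other than the host suffix is a lure, e.g.
    # https://paypal.com.login-verify.example/ or http://paypal.com@203.0.113.5/
    for brand in EXPECTED_BRANDS:
        if brand in url.lower() and not (host == brand or host.endswith("." + brand)):
            flags.append(f"'{brand}' appears in the URL but the host is {host}")
    return flags


if __name__ == "__main__":
    for u in ("https://iplogger.org/2hGdr6", "https://bit.ly/3BgMOx9",
              "http://paypal.com@203.0.113.5/login", "https://www.cuhk.edu.hk/english/"):
        print(u, "->", inspect_url(u) or ["no flags"])
```

A shortener or logger link is not malicious in itself; the point is that the destination cannot be judged from what the QR code or message shows, which is exactly what an attacker relies on.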
Near Field Communication (NFC)
Mobile Payment on Smartphones
Google Wallet
Visa payWave
MasterCard PayPass
Octopus Mobile SIM
Identity Theft
Malicious apps could read the user's fingerprint and transmit it to criminals
Passwords can easily be reset, but fingerprints are for life
(On current iOS and Android devices the fingerprint template is kept in secure hardware and an app receives only a match/no-match result, so this attack requires breaking that boundary rather than merely installing an app; the point about irrevocability still stands.)
Mobile Security
The Android platform in particular sees much more malware activity and attracts more attention from cybercriminals
What does mobile malware do?
Mobile Malware
Spyware
The dominant malware affecting Android
Captures and transfers data such as browser history and passwords from the victim's device
Ultimately leads to financial gain for attackers
SMS Trojans
Second major category
Run in the background and send SMS messages to premium-rate numbers owned by the attacker
Mobile Malware
Fake Apps (App Phishing)
Rogue apps can masquerade as legitimate apps you trust
Control Measures
Apple and Google, for example, can remotely remove malware from user devices if the apps were disseminated through their own marketplace platforms
However, this does NOT apply to 3rd-party app stores
Perform Authentication
J*fg3#7Ke199qMn
Each individual has tons of passwords and Personal Identification Numbers (PINs)
They should be composed of as many characters as possible, drawn from a large pool of symbols (letters, digits, etc.)
They should be unique
They should be hard to guess  Why?
They should be changed regularly (current guidance such as NIST SP 800-63B instead recommends changing them when compromise is known or suspected)
They should NOT be written down  Any good strategy?
They should be hard to remember?!
Have It Your Own Way
(Diagram: a personal scheme mapping accounts such as Door Lock, CUSIS, Discuss, Facebook, Wi-Fi, e-banking, PayPal, Forum and School to passwords of different strength, e.g. J*fg3#7Ke199qMn, QwertAsdf and 9876543)
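An added example (not from the course slides) that puts numbers on the password rules above and on the graded scheme in the diagram: it estimates strength in bits from the symbol pool and length, discounts keyboard-row and digit sequences and repeated characters that a cracking word list covers as a single guess, and flags passwords reused across accounts. The account-to-password map is constructed for illustration and does not reproduce the diagram's assignments.

```python
import math
import re
import string

# Keyboard rows and the digit row; runs along these (either direction) are the
# first thing a cracking word list tries, so they add almost no strength.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Constructed account-to-password map for the example only.
SAMPLE_ACCOUNTS = {
    "e-banking": "J*fg3#7Ke199qMn",
    "PayPal": "Tq8!mRv2#zLp0Wd",
    "Facebook": "QwertAsdf",
    "Forum": "QwertAsdf",
    "Door Lock": "9876543",
}


def _pool_size(pw: str) -> int:
    """Size of the symbol pool the password draws from (the 'large pool' rule)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        pool += 100  # rough allowance for non-ASCII characters
    return pool


def _sequence_runs(low: str) -> list:
    """Longest run (4+ keys) from each keyboard row, in either direction."""
    runs = []
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for n in range(len(seq), 3, -1):
                hit = next((seq[i:i + n] for i in range(len(seq) - n + 1)
                            if seq[i:i + n] in low), None)
                if hit:
                    runs.append(hit)
                    break
    return runs


def estimate(pw: str) -> dict:
    """Estimate password strength in bits: effective length x log2(pool size).

    Each detected sequence or repeated-character run counts as one symbol,
    because an attacker guesses it as a unit, not character by character.
    """
    pool = _pool_size(pw)
    runs = _sequence_runs(pw.lower())
    repeats = [m.group(0) for m in re.finditer(r"(.)\1{2,}", pw)]
    wasted = sum(len(r) - 1 for r in runs + repeats)
    effective = max(1, len(pw) - wasted)
    bits = effective * math.log2(pool) if pool else 0.0
    verdict = "strong" if bits >= 80 else "acceptable" if bits >= 50 else "weak"
    return {"pool": pool, "bits": round(bits, 1), "runs": runs + repeats, "verdict": verdict}


def reused(account_passwords: dict) -> dict:
    """Map each password used for more than one account to those accounts (the 'unique' rule)."""
    by_pw = {}
    for account, pw in account_passwords.items():
        by_pw.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in by_pw.items() if len(accts) > 1}


if __name__ == "__main__":
    for account, pw in SAMPLE_ACCOUNTS.items():
        print(f"{account:10s} {pw:18s} {estimate(pw)}")
    print("reused:", reused(SAMPLE_ACCOUNTS))
```

The slide's own examples separate cleanly: J*fg3#7Ke199qMn draws on all four ASCII classes with no recognisable runs, QwertAsdf is two keyboard runs glued together, and 9876543 is a single descending digit sequence worth about one guess.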
Digital Data Privacy
Digital Footprint
The trail of data you create while using the Internet
Web sites you visit, emails you send, comments you make on public forums, etc.
A passive footprint is the data trail you leave online unintentionally
e.g. when you visit a web site, your IP address is logged, which identifies your ISP and approximate location
Implication of Digital Footprint
Personal information, activity logs, tracking cookies, voice, photos, video, location, even "eyeball hang time," etc.
What for?
Are they using our identity properly?
Importance of Personal Data Privacy
One's will and one's freedom to protect, to use, and to reveal data about oneself
Lawful/ Proper Privacy Data Usage
Governments, corporations, institutions and even individuals sometimes need personal privacy data for their operations and activities
Census
Health information for setting insurance policies
COVID-19 vaccination records
Activity logs for contact tracing
Income data for taxation purposes
Personal identity and credit information for obtaining financial services
Home address for voting based on regional constituency
Phone number for dating!
Personal Data Sources
Personal blogs and Facebook
Address books of our friends
Publicly accessible government data
Voters' Registry
Land & Property Registry (https://www.iris.gov.hk/)
Company Registry
When using publicly accessible data sources such as the IRIS land search, observe the regulations, terms and conditions.
The Longer we Live, the More we Expose
Data fusion and data mining technologies can be used to reveal our personal data and identity by combining multiple data sets
As a Student or Researcher
Do we really need certain personal data and identity information in our work or research?
Think twice before asking for such data
We have the responsibility to keep such information confidential and secure
We also have the responsibility to destroy such data after its proper use
Do a risk assessment and take precautionary measures to avoid unfortunate events such as data leakage
Maintain a noble and respectful attitude
Further Readings
InfoSec
https://www.infosec.gov.hk/en/
Appendix
Cheat Example
[Self-study]
Credit Card Fraud with Money Laundering
Step 1
How to steal?
[Self-study]
Credit Card Fraud with Money Laundering
Step 2
[Self-study]
Credit Card Fraud with Money Laundering
Step 4
Criminals order the requested goods (e.g. a PC) online using
Victim Credit CHAN's credit card, and
Victim Buyer BOB's delivery address
[Self-study]
Credit Card Fraud with Money Laundering
Step 5
[Self-study]
Credit Card Fraud with Money Laundering
Step 6
[Self-study]
Credit Card Fraud with Money Laundering
Puzzle Pieces in Place
(Diagram: the parties involved are Victim Credit CHAN, Victim Buyer BOB, Victim Account AU-YEUNG, the Online Shop and the Bank)
[Self-study]
Credit Card Fraud with Money Laundering
Discussion
Who is liable?
Victim Account AU-YEUNG?
Victim Buyer BOB?
Victim Credit CHAN?
The invisible hand behind the scene?
[Self-study]