+

Information Security Tips (March 2024) – Advice for Securing a System

/in /by

In today’s digital environment, it is very important to ensure the security of your system. By following the below advice, you can significantly enhance the protection of your system and data.

  1. Enable Strong Authentication:  Use strong password and consider other authentication mechanisms such as multi-factor authentication (MFA) to add an extra layer of security when accessing your system.
  2. Create an SSH Key Pair: Generate and use SSH key pairs for secure remote access. This method provides stronger encryption and authentication compared to traditional password-based authentication.
  3. Keep the System Up to Date: Regularly update your system with the latest security patches and software updates. These updates often address known vulnerabilities and protect against emerging threats.
  4. Remove Unnecessary Software: Minimize the attack surface by uninstalling any unnecessary or unused software. These software may contain vulnerabilities that can be exploited by attackers.
  5. Disable Administrator Login: Disable direct administrator login (e.g., “administrator”, “admin”, ”root”) and enforce the use of individual user accounts. This helps restrict access and mitigates the risk of unauthorized access to critical system resources.
  6. Check and Close Open Ports: Regularly scan your system for open ports and close any unnecessary or unused ports. Open ports can be served as entry points for attackers, so it is vital to limit their availability.
  7. Enable a Firewall: Set up a firewall to control inbound and outbound network traffic. A properly configured firewall can filter malicious traffic and protect your system from unauthorized access.
  8. Harden Your Linux System with SELinux or AppArmor: Implement Security-Enhanced Linux (SELinux) or AppArmor to enforce strict access controls and limit the impact of an attack on your system.
  9. Security Audits: Conduct regular security audits to identify vulnerabilities, assess system configurations and ensure compliance with security policies and standards.
  10. Regularly Create and Maintain Backups: Regularly back up your critical data to mitigate the impact of system failures, data loss, or ransomware attacks. Test the restoration process periodically to ensure the integrity of backup copies.

Protecting the security of system is an ongoing process. Stay informed about the latest security threats, update your security strategies, and best practices.

Information Security Tips (January 2024) – Do not let yourself to be the next victim of phishing scams

/in /by

To: All Users

Online services have become an indispensable part in our daily life, thus making Internet scams more prevalent and widespread, covering a wide range of areas such as shopping, job hunting, investing, charity, lottery, etc. There is a Cantonese saying, “An old trick is fine, as long as it works” implying that many traditional scams are repackaged in new forms and carried out on the Internet or over the phone. The tactics are constantly changing, making it hard for people to protect.

However, all scams have a common goal, whether they are tricking users to give their account numbers, passwords or personal information, the ultimate goal is money. As long as you raise your security awareness and always “fact‑check”, you can reduce the risk of being scammed. Remember the three key principles to prevent fraud:

  1. Stay calm and don’t be flustered: Fraudsters often use threatening words over phone, text messages or emails to cause victims to lose their composure and fall into their trap, especially if they claim themselves to be law enforcement, government or bank officials. Just stop and think! Try to buy time to verify the truth of the matter or consult with family and friends.
  2. Don’t be greedy: Never let the mentality of “Fear of missing out” to blind your judgment. There’s no free lunch in the world. If there’s any promotional sale or investment opportunity, make sure to understand it clearly and verify its authenticity to avoid losing more than you gain.
  3. Never casually disclose personal information: Personal information is equivalent to money. You should not reveal your personal information casually, as it is not just your data that can ultimately be stolen, but your personal identity, which can then be used to defraud money or engage in illegal activities.

Pay more attention to anti-fraud information and naturally raise your anti-fraud awareness, so that you won’t give fraudsters an opportunity to take advantage. The following are some examples of scam messages:

 

Pretending to be an instant messaging software notification, with disturbing words. But one thing to note is that the “w” letter in URL is actually impersonated by two “v” letters.

 

 

Suspicious text messages from strangers. Scammers may use social engineering scams to carry out all kinds of fraud, they will use the tactic of “played the long game” and communicate with the victim for a long time to win their favor, which means to defraud a large amount of money.

 

Compromising verification codes is a common method of hijacking other people’s accounts, including communication software, bank transfers, etc. Verification codes are used for personal identity verification or account operation verification, which is a matter of personal privacy, and should not be disclosed. Actually, using someone else’s phone number for verification is completely unreasonable, and the sender’s account may have been compromised.

Information Security Tips (November 2023) – Protect Your Digital Assets: A Guide for Data Backup

/in /by

Important data loss can occur anytime, data backup is an important measure to prevent data loss caused by equipment failure or data damage, ensuring valuable information will not be lost forever. Data backup also provides the last protection for cyberattacks (especially ransomware attacks), allowing you to recover the data and resume daily operations quickly. Proper data backup can also protect sensitive personal and financial information from unauthorized access or disclosure.

Basic Data Backup Practices:

  1. Regular Backup: Schedule regular backup to ensure your data is always up to date. Daily backup is recommended for critical data, weekly or monthly backup may be sufficient for files that are not updated frequently.
  2. Keep Multiple Backup Copies: Store multiple copies of your backup on different storage devices, such as external hard drives, cloud storage, or even physical copies. This redundancy ensures that even if one of the storage media failed, your data can still be preserved. When using cloud storage, please pay attention to the security and data protection settings of the service and consider which data is suitable for storage in the cloud.
  3. Store Storage Devices Properly: Store your backup storage devices properly and away from physical hazards like fire or water. For cloud storage, choose reputable providers with robust security measures.
  4. Test Backup Regularly: Verify the integrity of the backup by testing them regularly to ensure the data can be restored when necessary.
  5. Password Protection: Protect your backup devices by means of a password to prevent unauthorized access. In addition, consider encrypting the backup to increase the security.

Data backup is not a one-off task, but an ongoing process. Through the above basic and effective practices, you can protect your valuable data from being lost and ensure that your personal and work data are protected.

Information Security Tips (October 2023) – Beware of Ransomware Attacks

/in /by

Ransomware attacks are one of the most common types of cyber attacks in recent years. Attackers use various network intrusion techniques or methods such as impersonation and fraud to deploy ransomware programs to organizations and users, encrypt the data on the infected computer system, so that the affected systems will not be able to operate normally, and extort money and other economic benefits from the victims. At the same time, some attackers also steal data during the process and threaten victims with disclosure of confidential data to increase the likelihood of the victims compromising.

The following security measures can prevent ransomware attacks:

  1. Beware of phishing and virus emails, do not casually open attachments or web links:
    Attackers will send phishing emails with malicious program attachments or web links. Once you open, your computer system will be infected; 

     

  2. Beware of social engineering, do not trust strangers or people with unverified identities:
    They will impersonate government officials, customer service, bank staff, etc., and induce you to download or install unknown software, or even assist them in carrying out ransomware attacks; 

     

  3. Install antivirus software, turn on real-time protection and monitoring functions:
    Whether the ransomware program is spread via portable data storage devices (such as USB, mobile hard drives, etc.) or emails, the real-time protection function of antivirus software can effectively intercept the ransomware program when it is installed or executed; 

     

  4. Regularly update software, keep antivirus software up to date:
    This can prevent attackers from exploiting existing software vulnerabilities for attacks. At the same time, the latest antivirus software feature database can  detect effectively and intercept suspicious software programs; 

     

  5. Protect your user password, activate multi-factor authentication services and use strong passwords:
    They will use leaked accounts or brute force cracking techniques to remotely log into your computer system and install ransomware programs; 

     

  6. Regularly backup data to ensure that files can be restored from backups:
    Even if data is encrypted, it can be restored from backups, which will reduce the chance of data loss.

Information Security Tips (September 2023) – Beware of Spear Phishing

/in /by
  • What is Spear Phishing Attack?

Spear Phishing is a specific type of Phishing Attack that targets individuals or organizations with the intention of deceiving them and gaining unauthorized access to sensitive information. Unlike regular phishing attacks, spear phishing is more personalized and involves tactics such as impersonation, enticing bait, and finding ways to bypass security measures like email filters and antivirus software.

Although general Phishing and Spear Phishing employ similar techniques, there are distinctions between them. General Phishing attacks are typically straightforward, aiming to acquire the victim’s information, such as online banking credentials, to fulfill their objectives. In contrast, spear phishing attacks go beyond simply obtaining login details or personal data. They serve as a gateway for attackers to gain initial entry into the targeted network and act as a stepping stone for subsequent Targeted Attacks

  • How does Spear Phishing Work?

Spear phishing attacks specifically aim at targeting individuals within an organization or institution, including their social media accounts like the organization’s website, Twitter, Facebook, and LinkedIn. The attackers invest time in creating persuasive email content and may include harmful attachments or links in the emails. When the recipient opens such attachments or clicks on the links, it can trigger the execution of malicious code or redirect the user to a compromised website. This provides an opportunity for the attacker to establish a hidden communication network and advance to the next stage of the attack.

  • How to Prevent Spear Phishing?

To thwart spear phishing attacks, UM employs several layers of protection, empowering system administrators with enhanced visibility and control over the network. This approach minimizes the risk of targeted attacks and mitigates various attack vectors.

Nonetheless, the most pivotal factor in defense lies in the information security awareness of employees and students. By diligently observing spelling mistakes, peculiar language, and other suspicious indicators in emails, individuals can partially shield themselves against spear phishing attacks.

Information Security Tips (August 2023) – Beware of Scammers Exploiting AI Techniques

/in /by

Recently, there have been reports of scammers using artificial intelligence (AI) deep fake technique for fraudulent activities, including creating fake news to promote investment schemes or manipulating videos to impersonate celebrities and deceive victims into participation of false investment activities. It is also possible that scammers may use similar techniques to impersonate your friends or family members during video conferences or voice calls for phishing scams.

There are few steps to protect yourself from phishing scams:

  1. Stay vigilant and calm:
    • Keep composure when dealing with urgent requests, especially those involving financial transactions or investment request. Be particularly cautious if someone claiming to be a “friend” requesting money transfer in the video or audio recording.
  2. Verify identities:
    • When it comes to financial transactions or personal information, always verify the identity of the other party. Confirm the identities of the friends, family, or relevant institutions through independent channels and the authenticity of their requests.
  3. Watch for inconsistencies:
    • Attempt to verify the other party’s identity through casual conversation, as scammers may reveal inconsistencies.
  4. Protect personal information:
    • Besides personal data, do not provide biometric data such as facial recognition, fingerprints, or voice samples.
  5. Don’t blindly trust online information:
    • This includes messages labeled as “Fact Checked” or “Confirmed.” If you suspect it to be false information, avoid sharing it and consult the relevant authorities for verification.

Although criminals may change their fraudulent methods from time to time, their goal remains the same: to deceive users into revealing their account credentials, personal information, or money. By staying vigilant and remembering to “Stop and Think! Do Fact Check!”, you can protect yourself from phishing scams.

Information Security Tips (July 2023) – How to Dispose Personal IT Device Securely

/in /by

When you are no longer using personal IT devices, such as a computer, smartphone, tablet or external storage device, it is important on how you dispose of it properly. This helps to protect your privacy and security, as well as the environment.

There are few steps you can dispose of your personal IT equipment securely:

  1. Back up your data:
    • Before disposing of your device, make sure to back up all your important data and files. You can use an external hard drive or cloud storage to store your data.
  2. Unsubscribe or unbundle accounts:
    • If there are any subscription services or bundled accounts, you should first unsubscribe or log out of all bundled accounts.
  3. Wipe content from your device:
    • Make sure to wipe your device clean before disposing of it. This means deleting all your personal data and files from the device.
  4. Remove SIM cards and memory cards:
    • If your device has a SIM card or memory card, make sure to remove them before disposing of the device.
  5. Destroy the device (if necessary):
    • If you have sensitive data on your device that you don’t want anyone else to access, you can destroy the device physically.
  6. Recycle the device:
    • Once you confirm your device is wiped, you can recycle it through your local recycling company or organization, such as Direcção dos Serviços de Protecção Ambiental (DSPA) in Macau, which is promoting Electronic and Electrical Equipment Recycling Programme.
  7. Don’t forget those household appliances:
    • Such as TV boxes, TVs or portable game consoles, etc., which may contain credit card and personal information,  make sure to handle them carefully.

No matter how you choose to dispose of your personal IT equipment, make sure to do so in a responsible way.

Reference:
Electronic and Electrical Equipment Recycling Programme (DSPA)
How to Properly Prepare Your PC for Disposal
How to factory reset your iPhone, iPad, or iPod touch
Reset your Android device to factory settings

Information Security Tips (June 2023) – AI Tools and Information Security

/in /by

Artificial intelligence (AI) refers to a system or device that can simulate human intelligence, and realize automation, optimization and innovation functions through big data analysis, machine learning and other technologies. In recent years, the development and application of AI tools have become increasingly widespread, bringing convenience and efficiency to our life. It can chat with you, generate articles, draw portraits, write computer programs and more. When choosing and using AI tools, below are some precautions:

  1. Always use official and legal channels to obtain AI tools:
    • Hackers have created fake AI apps and websites to trick people into downloading and using them. However, these AI apps could be a piece of malware that steals data from your device, or they could steal your credit card and personal information by charging you for the service.
  2. Be careful when sharing personal or confidential information with AI tools:
    • Even using a reputable AI tool, don’t provide any personal or confidential information before understanding and accepting its privacy policy. The information you provide may be used to train the AI model and may be included in the responses to other people’s queries. And, it could lead to a data breach.
  3. Don’t open files and links in emails unsuspectedly:
    • Hackers can use AI tools to generate highly realistic phishing emails that are difficult to be identified by spam filters and even humans. If you have doubts about the email content or sender, don’t open the attached files and links, and don’t trust the contact methods. Confirm the authenticity of the email through a credible channel, such as, by calling the sender directly before taking the next step or replying.
  4. Don’t fully trust the content generated by AI tools:
    • An AI tool is only as good as the data it uses. If the data it learns from is outdated, incomplete, or incorrect, it may generate inaccurate, untrue, illegal, or unethical content. Therefore, whatever you get from an AI tool, verify it carefully before using and trusting it.
  5. Pay attention to the copyright of the content generated by AI tools:
    • The content generated by AI tools may have been used by others, or may contain copyrighted content of others.

Information Security Tips (May 2023) – Quishing Attack

/in /by

“Quishing” or “QR code phishing” is a type of phishing attack. When a user scans the QR code, he/she will then access the phishing website. Since a QR code is an image, current security measures may not be able to detect it as a threat. “Quishing” may therefore become a new normal in the future.

Safety Tips of Using QR code:

  1. Mobile payment:
    • Verify the information carefully in the mobile app before making any payment in any transaction with QR code. After transaction, verify the transaction details sent by the bank or mobile payment service provider immediately.
    • Do not share or disclose the QR codes generated by mobile payment services to others.
  2. Website redirection:
    • Stay alert before scanning QR codes and do not scan any codes from unknown sources.
    • Turn off the QR code scanner’s automatic URL redirection function. Once you turn it off, the scanner will show the URL content and request you to confirm if to open the URL or not.
  3. Account login:
    • Only scan account authentication QR codes in the official websites.
    • Contact the service providers immediately for any unusual login records

Information Security Tips (April 2023) – Don’t overlook the importance of patching vulnerabilities in your home network devices

/in /by

Security updates and vulnerability patches are important because they ensure that your device is protected from various threats, and attackers constantly seek new vulnerabilities to exploit with new technologies. Therefore, software on your device needs to be updated regularly to maintain security and prevent attackers from exploiting known vulnerabilities to attack your computer and network devices or steal sensitive information.

Here are several ways to ensure that your device has the latest security updates and vulnerability patches:

  • Develop good habits: Before installing updates or changing settings, please read the installation instructions and precautions provided by the vendor, and perform data backup as well.
  • Check for updates manually on a regular basis:
    • Choose an appropriate time to update your devices manually to avoid disrupting your work or other activities.
    • If you need to work outside, it is recommended to perform necessary updates in advance using your company or home network to avoid the risk of intrusion on public networks or incurring high data charges when using mobile data.
  • Enable automatic updates: Automatic updates can make up for the shortcomings of manual updates and improve security as well.
  • Download software only from trusted sources: Only download software and applications from trusted vendors to avoid downloading malware or malicious programs.
  • Update all software and applications: Not just the operating system, but all applications and software should be updated, including web browsers, antivirus software, and more.
  • Update hardware firmware: Do not overlook home network devices such as home routers, network-attached storage (NAS), smart homes, and home surveillance cameras, etc.
  • Don’t ignore small updates: Do not ignore minor updates as they may also contain critical security updates and vulnerability patches.
  • Stay aware of vulnerability disclosures: Pay attention to whether there are known security vulnerabilities in your devices and software, and respond and patch them in a timely manner

Security updates and vulnerability patches are important to protect your devices and data. Regularly checking and installing updates and patches is one of the best ways to ensure that your device is protected from various threats. If you have any questions, you can consult your service or product vendor.