August 2011


New PolyU Connect E-mail Service – Phasing out of Campus E-mail in 2011/12 Academic Year and Last Chance to Win an xBox 360
Social Engineering Security
Update on Identity and Access Management (IAM) Implementation – New PUsecure Identity Management (IM) System
Web Application Security Best Practices
Updated Staff and Student Handbooks
September Staff IT Training Programmes

2nd Road Show for Notebook Programme 2011 Starting 3rd September


As communicated in our last issue, this year’s annual Notebook Ownership Programme commenced on 30 July. A wide range of Lenovo and Acer notebooks, sub-notebooks and tablets is offered at discounted prices ranging from HK$2,292 to HK$12,992 to PolyU students, staff and alumni.

If you missed the 1st road show in August, come and visit the 2nd road show to be held at the beginning of the new academic year:






Web ordering will also be accepted during the road show period.

Meanwhile, you may check out the model and price information here.

For any enquiries about the notebook programme, please call the sales hotline at 8208 6988 (28 July – 31 October 2011) from 10:30 – 19:00 on Monday - Friday and 10:30 - 14:00 on Saturday (Closed on Sundays and Public Holidays).




New PolyU Connect E-mail Service – Phasing out of Campus E-mail in 2011/12 Academic Year and Last Chance to Win an xBox 360


Phasing-out of Campus E-mail

As communicated in the previous issues of ‘Get Connected’, all students are reminded once again that the existing Campus E-mail System will be phased out during the new academic year.

The new PolyU Connect service will then become the University's official communication channel with students. Click here for more information about the PolyU Connect service.


4th xBox 360 Winner

To encourage early adoption of and familiarization with the new e-mail system, a total of 5 sets of xBox 360 with Kinect are to be given away to the early adopters of the PolyU Connect service. 3 lucky students have already received their xBox 360 during the past few months.


Click the Xbox 360 below to see if you are the lucky winner of this month:


Last Chance to Win an xBox 360

Not the lucky one this time? You still have one more chance - the last set of xBox 360 will be given away in September!

If you have not yet activated your PolyU Connect account, don’t miss the last chance to take part in the lucky draw. ACT NOW to:

  • Activate your PolyU Connect account at: and change your initial password, AND

  • If you are an ‘old’ student (registered before 30 July 2011), remember ALSO to forward your Campus E-mail account to your PolyU Connect account


Enjoy using the new PolyU Connect service and GOOD LUCK!




Frequently Asked Questions (FAQs) from New Students


As a new student at PolyU, you may have been overwhelmed by the influx of information coming from the University. Let us take this opportunity to answer a few frequently asked IT questions from new students.



What is NetID and NetPassword? 


The PolyU NetID (Network Identity) is your login name for most of the central IT facilities and services on campus. Upon receiving your Student ID card, you can activate your NetID via the University Portal ( by clicking the ‘New Student’ option. During the activation, you can create your own NetPassword.

With your NetID, you can access the following central IT facilities and services:

  • University Portal (known as myPolyU)
  • University e-Learning Platform
  • Wired & Wireless Network Access
  • Academic Unix Cluster, myStore, myWeb & mySurvey
  • HelpCentre Online Tracking System (HOTS)


The system prompted ‘Data does not match with our record’ when I created my NetID. Why?


Activation of your NetID requires your programme code, which is printed on the ‘Admission Letter’ issued by the Academic Secretariat (AS). Some students might have wrongly entered their JUPAS code instead.


What is ‘myPolyU’?


The University Portal, named ‘myPolyU’, is a one-stop gateway for personalized access to all the essential information and electronic services targeted for you. Once logged into ‘myPolyU’ with your NetID, you can access a variety of useful information including Student Handbook, academic calendar, class timetables, e-Learning materials, University and departmental announcements, library information, etc.


What is ‘PolyU Connect’ service? How can I access it?


PolyU Connect is a new life-long e-mail and collaboration platform for students, alumni and retirees. To access the PolyU Connect service, you need a separate login ID other than your NetID.

You can activate your PolyU Connect account at: More information about ‘PolyU Connect’ can be found here

Still got other questions? No problem - simply call the ITS Help Centre Hotline at 2766 5900 and our Help Centre consultants are ready to answer any questions you may have about the central IT facilities and services we provide. You may also visit our Help Centre in person at Room M202 of Li Ka Shing Tower for assistance.



Social Engineering Security


“Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking ... Social Engineering is the single greatest security risk in the decade ahead.”
Gartner Group

About Social Engineering

Social engineering is an art of deception. By exploiting basic human nature, i.e. trust, fear and friendliness, social engineers manipulate people into divulging confidential information. Methods most commonly-used in social engineering include:

  • Dumpster Diving
  • Phishing
  • Impersonation

Dumpster Diving is accomplished by digging through the trash for documents containing sensitive information.

Phishing is a technique where a scam artist sends an e-mail which appears to be from a legitimate source, e.g. PolyU ITS Help Centre, in an attempt to trick the e-mail recipient into surrendering sensitive information, e.g. NetID and NetPassword. The collected information is then used for malicious activities, e.g. unauthorized access to the PolyU network resources.

Impersonation occurs when malicious personnel pose as authorized individuals in an attempt to obtain confidential information. These attempts most often occur over the telephone or in person.


How to prevent social engineering


By knowing the most common techniques used by social engineers, you will know how to respond to these threats and avoid becoming a victim:

  • Dumpster Diving

    NEVER simply throw documents with sensitive information into a bin. You should dispose of the documents properly by shredding.
  • Phishing

    E-mails are commonly-used for carrying out social engineering attacks. You might receive an e-mail asking you to visit a website and to enter your account information.

    What you can do:
    The best response to this kind of situation is to delete the e-mail message. If you have already provided your user credentials, reset the account password AS SOON AS POSSIBLE.
  • Impersonation through Phone Calls

    A phone call is a common form of impersonation because the social engineers face very little risk of being apprehended. Here is an example:

    “I’m Peter from ITS. We are upgrading the e-mail system and need your NetID and password in order to migrate your e-mail to the new system. Could you please tell me your NetID and password?”

    What you can do:
    If you don’t personally know the caller, you’d better take time to verify his identity. Often a simple call back to the number listed in the University telephone directory can help establish the caller’s identity.

Last but not least, always remember that ITS DOES NOT have the practice of asking users to provide their account information through e-mail or phone call. For further information or assistance, please contact the ITS Help Centre at 2766 5900.




Update on Identity and Access Management (IAM) Implementation – New PUsecure Identity Management (IM) System


To enhance the security, governance and compliance auditing on the management of user identities and accounts by departments, the user management framework currently deployed in the Account Management System will be revamped in the new PUsecure IM System, so as to mitigate the corresponding security risks faced by the University.

The existing practice of using functional NetIDs and accounts to fulfill some business requirements does not comply with the new User Management Framework in PUsecure IM System. These business requirements will be addressed under the new user class framework.

Each department / office has nominated at least one Departmental PUsecure Administrator (DPA) to manage the request and approval workflows associated with the lifecycle management of the new user classes for the department in the PUsecure IM System. Briefing sessions have also been organized for the DPAs to introduce the operations of the new user classes.

Click here for details about the new PUsecure IM System.

Watch out for more updates of the IAM project in ‘Get Connected’!


Web Application Security Best Practices


As the number of web sites reaches over 255 million, hackers continue to relentlessly attack at the web application level. Vulnerabilities in web applications introduce significant security threats, putting at risk both normal service provision and the data the applications hold.

The vulnerabilities could allow malicious attackers to take control of the interaction between a user and the website being accessed.

Malicious attackers could bypass access controls, inject scripts into web pages and gain elevated access privileges to sensitive information. A website under attack could even be used to launch criminal activities such as hosting phishing sites or transferring illicit content.


Securing Web Application by Design

Inclusion of security elements in the specification, design and coding of web applications is the primary defense mechanism to mitigate web application vulnerabilities. The following are some best practices for web application designers to follow:

  • Validate all input parameters; use of a security encoding library is recommended.
  • Sanitize application responses to capture all outputs, return codes and error codes.
  • Do not trust HTTP referrer headers, client browser parameters, cookies, form fields or hidden parameters unless they are verified using strong cryptographic techniques.
  • Keep sensitive session values on the server to prevent client-side modification.
  • Encrypt pages containing sensitive information and prevent caching.
  • Implement session management.
  • Implement proper end-user account and access right management.
  • Restrict access to back-end databases and the ability to run SQL and OS commands.
  • When making system calls, do not make calls to actual file names and directory paths.  Use mapping provided by web server as a filtering layer.
  • Use the most appropriate authentication methods to identify and authenticate incoming user/system requests.
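
The practice of not trusting cookies, form fields or hidden parameters unless they are cryptographically verified can be illustrated as follows. This is an added example, not code from ITS or from this newsletter; the names SERVER_KEY, seal and unseal are hypothetical. The server attaches an HMAC tag and an expiry time to any value it hands to the browser and rejects the value on return if either check fails.

```python
import hashlib
import hmac
import time

# Constructed demo key (assumption): a real application loads a long random
# secret from server-side configuration and never sends it to the client.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _tag(name: str, value: str, expiry: str) -> str:
    # Binding the field name into the MAC stops a valid token from one
    # field being replayed in a different field.
    msg = f"{name}|{value}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def seal(name: str, value: str, ttl: int = 900, now=None) -> str:
    """Return 'value|expiry|tag' to place in a hidden field or cookie."""
    if "|" in value:
        raise ValueError("value must not contain the '|' separator")
    issued = int(time.time() if now is None else now)
    expiry = str(issued + ttl)
    return f"{value}|{expiry}|{_tag(name, value, expiry)}"


def unseal(name: str, token: str, now=None):
    """Return the value, or None if it was altered, moved or has expired."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    value, expiry, tag = parts
    expected = _tag(name, value, expiry)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    # The expiry is only parsed after the MAC has proven it is server-issued.
    current = int(time.time() if now is None else now)
    if int(expiry) < current:
        return None
    return value


if __name__ == "__main__":
    token = seal("price", "120", ttl=60, now=1000)   # constructed sample value
    print(unseal("price", token, now=1010))           # accepted
    print(unseal("price", token.replace("120|", "1|", 1), now=1010))  # rejected
```

Values that must stay confidential, rather than merely unmodified, still belong in server-side session storage, as the next item in the list says.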


Identifying Web Application Vulnerabilities by Scanning

There are a variety of tools that can help find and eliminate web application vulnerabilities.  For example, web application security scanners could facilitate the discovering of potential security vulnerabilities.

Similar to other testing tools, web application security scanners are designed to focus on certain types of vulnerabilities, so developers and testers need to select a scanner based on the nature of their web applications.

Furthermore, web application scanning should be conducted in a controlled environment because the scanning process may simulate some web application attacks to reveal the potential vulnerabilities in the application.

It is highly recommended that a web application vulnerability scanning exercise be conducted before the production launch of a website/web application or upon any major application changes.

ITS does provide web application vulnerability scanning service and requests could be made through our Help Centre (2766 5900).



Updated Staff and Student Handbooks


With the start of the new academic year, the updated Staff/Student Handbooks on IT Facilities and Services are now available online under the ITS Home Page.

In these Handbooks, you can find handy and up-to-date information on various central IT facilities and e-services provided by the University including the PolyU NetID, e-mail service, University Portal, Internet and network services, central academic computers, e-learning platform, Help Centre, etc. The Handbooks will be continually updated to reflect the latest IT developments on campus.




September Staff IT Training Programmes


Training Workshops

You may view the full list of workshops offered in September and make online enrolment via the Staff IT Training Workshop Enrolment System. You will be notified instantly of the enrolment results.


Online Courses

September Online Courses

  • Access 2007: Level 1, 2, 3 & 4
  • Access 2007: New Features
  • Acrobat 9.0 Pro: Level 1 & 2
  • Excel 2007: Level 1, 2, 3 & 4
  • Excel 2007: New Features
  • Excel 2007: VBA
  • GroupWise 7.0 Level 1-1: Using GroupWise E-mail
  • GroupWise 7.0 Level 1-2: Organizing E-mails and Address Book in GroupWise
  • GroupWise 7.0 Level 1-3: Using GroupWise Calendar and Resources
  • GroupWise 7.0 Level 2-1: Exploring Advanced Mail and Message Features
  • GroupWise 7.0 Level 2-2: Exploring WebAccess, Rules and Access Rights
  • PowerPoint 2007: Level 1 & 2
  • PowerPoint 2007: New Features
  • Project 2007: Level 1 & 2
  • Publisher 2007
  • Security Awareness (Part 1): Protecting Information and Countering Social Engineering
  • Security Awareness (Part 2): Maintaining Computer and File Security
  • Security Awareness (Part 3): Promoting E-mail Security and Proper Responses to Security Incidents
  • SharePoint Designer 2007: Level 1 & 2
  • What's New in Visio 2007
  • Windows Vista: New Features
  • Word 2007: Level 1, 2 & 3
  • Word 2007: New Features


Please click here for the detailed description of each course. To enrol, please complete and return the web-based proforma reply and you will be informed of the enrolment results in early September via e-mail.

Enquiries: 4566