May 2012


New Staff Email Service Launched - How to Access
Security Toolkits on Vendor Management
Web Application Security Standards Open for Consultation
SPSS Software Licence Renewal for 2012/13
Web Security Day 2012 Highlights
Secure Development Life-cycle for Web Application – Part 3
June Staff IT Training Programmes

New Staff Email Service Launched - How to Access



As you are aware - The new Staff Email Service is launched today and has replaced the Campus Email System. It will also replace GroupWise in 2013 upon completion of the campus-wide data migration exercise.


How to Access the New Staff Email Service

The new Staff Email Service can be conveniently accessed by all staff members anytime anywhere:

URL: (select 'Staff Email Login' from the left menu)

Login username & Password: NetID & NetPassword

Email address: <Preferred Address Name>  (e.g.

Please visit our Staff Email Service Website for the User Guide of the new service.


What about the old Campus Email System /WebMail

With the launch of the new Staff Email Service, all new messages sent to your Campus Email account will be automatically routed to your new Staff Email Service account. Or they would be sent to your GroupWise account if you have set to forward all emails from Campus Email to GroupWise.

As for 'old’ messages received before 31 May 2012, they are still accessible in your Campus Email account till 30 September 2012 after which the Campus Email System will be officially closed down.


What about the Migration Schedule for GroupWise

GroupWise will continue to be available at initial launching of the new Staff Email Service. However, it will eventually be phased out upon the completion of data migration from GroupWise to the new Staff Email Service.

The migration exercise is tentatively scheduled to commence in end June 2012. It would be conducted by phases by departments and the whole exercise is expected for completion by Q1 2013.

Departments /offices would be contacted individually to work out their migration schedule. To ensure a smooth transition, training sessions will be arranged for individual departments/ offices prior to their migration exercise.

Upon completion of the campus-wide migration exercise, GroupWise will be closed down in around Q2-Q3 2013. The confirmed schedule will be announced in due course.


Training for Staff

To prepare for the launch, a series of service launch seminars, hands-on training workshops for general users as well as technical training for departmental IT support personnel have been conducted.

Over 900 staff members have already participated in the various workshops / seminars to learn more about the new Staff Email Service. Hands-on training workshops will continue to be offered monthly and please visit the Staff IT Training Workshop Enrolment System for the training schedule and registration.

More than 1,000 colleagues have also visited our information booth that has been setup on the Podium during 21-23 May 2012, to try out the new service, to ask questions and to participate in the quiz to win a Smart Phone!

Last Chance to Win a Smart Phone

If you have missed the chance to win the Smart Phone, here’s another chance - Just take part in the Web Quiz and you will also be eligible to participate in the lucky draw to win the Smart Phone! Deadline is 30 June 2012!




Security Toolkits on Vendor Management


Organizations that fail to adequately address security and confidentiality in their business process, IT infrastructure or application outsourcing contracts are more likely to experience physical and logical security breaches, data leaks and intellectual property violations.  This can lead to significant unexpected costs, damage to reputation, legal disputes and even prosecution.

In this connection, we have developed some toolkits to help our user departments to ensure that third party IT service providers will implement adequate security controls to protect the University’s information assets during the service engagement:


Guidance Notes for Security Controls in 3rd Party Agreement for IT Related Services

This document provides some sample tender specification clauses on information security that user departments may use as a reference in developing their security requirements when acquiring information system or professional services related to system development.

Third Party Vendor Security Questionnaire

The purpose of this document is to assist in insuring that critical services, such as information processing, transaction handling, application hosting, network services or electronic storage of information provided by outside sources receive the same levels of control and information protection as if those activities were processed within the University's IT infrastructure.




Web Application Security Standards Open for Consultation


With rapid global penetration of the Internet and smart phones and the resulting productivity and social gains, the world is becoming increasingly dependent on its cyber infrastructure.

Criminals, spies and predators of all kinds have learnt to exploit this landscape much quicker than defenders have advanced in their technologies. Security and privacy has become an essential concern of applications and systems throughout their lifecycle.

During the Security Review on the Central Internet Web Hosting Platform conducted earlier, security weaknesses on some University websites have been identified. Some of these vulnerabilities are caused by insecure coding practices and inadequate controls throughout the application development lifecycle.

In this connection, a 'Web Application Security Standards' has been developed for user departments’ reference. This document constitutes the security practices that web application developers, including both staff members of the University and third party vendors, shall observe throughout the entire application development lifecycle of an Internet-facing web application.

You are invited to provide your views on the proposed Web Application Security Standards. Please forward your views and comments on or before 29 June 2012 by email to




SPSS Software Licence Renewal for 2012/13


A number of departments have acquired licences for the SPSS statistical software, and the  licences will expire on 31 May each year.

For departments which would like to continue using the SPSS software in the next year,  please proceed with the licence renewal procedures as soon as possible by completing and returning the web-based SPSS Licence Requisition Form accessible under the 'Software Licence' section of the ITS website. The licence price list for 2012/13 can be found here.

An invoice will be issued by ITS and sent to the requestor in due course for endorsement by the Head of Department; and the licence fee will be charged against the departmental general expenses account (please specify on the Form if otherwise).

Upon completion of the licence renewal procedures, the new licence code for 2012/13 will be sent to the Departmental CLOs for distribution to colleagues concerned.

For enquiries regarding the SPSS licence renewal arrangements, please contact the ITS General Office at Ext. 2413.



Web Security Day 2012 Highlights


To continue upkeep the security awareness of the University community, a Web Security Day was organized on 4 May 2012. The event focused on providing our colleagues with the updated cyber attack trends targeting web applications and the corresponding countermeasures.

About 100 colleagues from various departments as well as those from sister institutions attended the event during which the speakers shared their expertise in data privacy and web application security with the audiences.

Below please find the presentation decks of our guest speakers:



Secure Development Life-cycle for Web Application – Part 3


The implementation phase for web application development is the phase when the code is written. In this phase, web application shall be developed per secure coding guidelines including but not limited to Open Web Application Security Project (OWASP) guidelines and CERT Secure Coding etc., to prevent common vulnerabilities.


Input and Output Validation

If the web application accepts input from users, and the input is used for dynamic content generation and is displayed to users in a subsequent script-enabled application screen, there may be cross site scripting (XSS) issues. It can be avoided by validating all output that may include user client-originating input.

By checking the validity of incoming data and rejecting non-conformant data, most common vulnerabilities can be remedied. The large number of input and output fields in a web application, however, may make manual validation of every field impractical. As an alternative, the use of anti-XSS libraries, or web UI frameworks with integrated XSS protection, can minimize the developer’s efforts by correctly validating application input and output.

User input data shall be verified to ensure that the data is strongly typed, of the correct syntax, within length boundaries, contains only permitted characters, or that numbers are correctly signed and within range boundaries. Input validation should be performed both on the server side as well as on the client side. As client side validation can be easily bypassed, input validation on the server side shall be performed as a minimum.


Avoid String Concatenation for Dynamic SQL Statements

Using user input to build up SQL statements is common in web applications. Unfortunately, the most common and dangerous way to build SQL statements is concatenating input data with SQL string constants. Successful SQL-injection attacks can read sensitive data, modify data and even execute operating system level commands.

Parameterized input with stored procedures or functions rather than dynamic Structured Query Language (SQL) should be used whenever possible as an effective defense against SQL-injection attacks. Also, proper database configuration is a vital defense in depth mechanism and should not be overlooked, such as granting the system accounts which serve database requests with the least privilege necessary for the application to run.


Error Handling

Another major issue with web application is information leakage. An attacker may collect configuration information and business logic flaws using the information the application reveals either passively or as a result of the attacker’s action. Information disclosure may be unintentional or due to error messages that reveal more information than is necessary. Therefore non-verbose error messages shall be displayed which only show the necessary information. Moreover, when the code is running with error, data access shall be denied by default, e.g. “On Error Resume Next” shall not be allowed.


Session Management

Improper session management can result in attacks such as bypassing authentication, compromising passwords or authentication tokens to assume other users’ identities, hijacking session. Attackers can also place themselves in between established session conversations and control the sessions. This can be due to account credentials and session tokens not being protected properly, or session identifiers are not random and can be easily guessed. Poor logout implementation is another reason in which the logging out and abandoning of sessions is not explicit, but allowing to timeout on its own, giving an attacker a greater window to compromise authentication and sessions.

The most effective protection against broken authentication and session hijacking is using unique and non-guessable session identifiers, strong cookies, along with performing session-integrity checks and hardware-based tokens. Secure communication, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and IPSec, can also help to mitigate disclosure of credential information.


Direct Object Reference

Referencing internal objects directly from functionality exposed to the end user with no security protection like input validation is a common mistake made by developers. This may lead to unauthorized access, disclosure of sensitive information, manipulation of parameters, and injection attacks due to exploited vulnerabilities. To avoid exposing direct object references to users, index, indirect reference map, or other indirect method should be implemented to refer to internal objects and the implementation should be easy to validate.

Besides the implementation considerations covered above, areas including but not limited to buffer overflows, inadequate access control, insecure storage, denial of service and insecure configuration management should also be considered in the solution implementation.

To safeguard an application, security considerations should be taken into account in the whole development life-cycle. Stay tuned with ‘Get Connected’ for the best practices to observe in other phases of the system development life-cycle.



June Staff IT Training Programmes


Training Workshops

You may view the full list of workshops offered in June and make online enrolment via the Staff IT Training Workshop Enrolment System. You will be notified instantly of the enrolment results.


Online Courses

  June Online Courses


Access 2007: Level 1, 2, 3 & 4

  Access 2007: New Features
  Acrobat 9.0 Pro: Level 1 & 2
E Excel 2007: Level 1, 2, 3 & 4
  Excel 2007: New Features
  Excel 2007: VBA
G GroupWise 7.0 Level 1-1: Using GroupWise E-mail
  GroupWise 7.0 Level 1-2: Organizing E-mails and Address Book in GroupWise
  GroupWise 7.0 Level 1-3: Using GroupWise Calendar and Resources
  GroupWise 7.0 Level 2-1: Exploring Advanced Mail and Message Features
  GroupWise 7.0 Level 2-2: Exploring WebAccess, Rules and Access Rights
P PowerPoint 2007: Level 1 & 2
  PowerPoint 2007: New Features
  Project 2007: Level 1 & 2
  Publisher 2007
S Security Awareness (Part 1): Protecting Information and Countering Social Engineering
  Security Awareness (Part 2) : Maintaining Computer and File Security
  Security Awareness (Part 3): Promoting E-mail Security and Proper Responses to Security Incidents
  SharePoint Designer 2007: Level 1 & 2
V What's New in Visio 2007
W Windows Vista : New Features
  Word 2007: Level 1, 2 & 3
  Word 2007: New Features


Please click here for the detailed description of each course. To enrol, please complete and return the web-based proforma reply and you will be informed of the enrolment results in early June via e-mail.

Enquiries: 4566