Hong Kong Cyber Security Incidents on the Rise: HKCERT Urges the Community to Raise Information Security Awareness
(Hong Kong, 8 February 2023) The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of the Hong Kong Productivity Council (HKPC) held a briefing today to summarise the information security situation in Hong Kong in 2022 and release the security forecast for 2023, and invited scholars from the Hong Kong Polytechnic University (PolyU) to share the latest security risks of the Internet of Things (IoT) and Web 3.0. The widespread use of information technology (IT) has accelerated the digitisation process in all industries, and at the same time the number of cyber attacks using new technologies has increased. To prevent cyber criminals from taking advantage of the situation, HKCERT urges enterprises and the public to continue to raise awareness of information security and strengthen protection against cyber attacks to avoid losses.
HKCERT summarised the information security situation in Hong Kong in 2022. Last year, HKCERT handled 8,393 security incidents, an increase of 9% over 2021 and the first increase in four years. The majority of the incidents were botnet-related (4,858 cases), up 40% from 2021. The second most common incident type was phishing (2,946 cases), which was 21% lower than in 2021, but the number of URLs involved (15,736 links) increased by 4%, with more than 60% of them related to e-commerce, online banking and cryptocurrency.
Mr Alex CHAN, General Manager, Digital Transformation of HKPC, and spokesman of HKCERT, said, “While global economic activities and business transactions have gradually resumed normal over the past year, the reliance of enterprises and individuals on the internet and emerging technologies has increased, and so has the variety, volume and sophistication of cyber attacks. HKCERT will continue to actively study the trends of cyber attacks and security technologies, and assist the community in meeting the ever-changing security challenges through various channels, such as issuing early warnings of cyber attacks, security recommendations, etc. We will also organise large-scale international conferences and competitions, including the Information Security Summit and the Hong Kong Cyber Security New Generation Capture the Flag Challenge, to raise awareness of information security locally and nurture the next generation cyber security talents.”
The report also identified five major information security risks that warrant attention in 2023:
- Phishing attacks for identity or credential theft: In 2022, phishing attacks were consistently ranked among the top security incidents handled by HKCERT. Credential phishing is commonly the first step in identity theft by hackers to obtain sensitive personal information from users. Hackers are also using new techniques to bypass multi-factor authentication (MFA) security measures.
- Attacks using artificial intelligence (AI): AI systems have a deeper and wider range of potential cyber security risks than traditional systems. For example, if multiple services use the same AI model and the model is tampered with in an attack, all services using the model will be affected. Hackers can also use AI to generate malware or create fake messages, such as images and sounds, to spread rumours or blackmail.
- The low cost of cybercrime services will attract more criminals: As the business model for cybercrime changes, cyber attack services have evolved, significantly lowering the hurdles to launching an attack. Cybercrime services can be very inexpensive; for example, one can buy 1,000 stolen accounts for less than US$1.
- Web 3.0: The core concept is “decentralisation”, the most familiar applications of which are cryptocurrency and the metaverse. 12% of phishing links handled by HKCERT in 2022 involved cryptocurrency. The Hong Kong Monetary Authority has brought virtual currency exchanges under regulation and required virtual asset service providers to obtain a licence on or before 1 June 2023, demonstrating that the security risks of Web 3.0 cannot be ignored.
- Widespread application of IoT creates more opportunities for attacks: Digitisation drives the development of “Industry 4.0”, helping enterprises to improve their operational efficiency through smart manufacturing. “Industry 4.0” is one of the key elements of Hong Kong's new industrialisation, which integrates IT and operational technology (OT) systems and often uses different IoT devices to connect IT and OT systems to the Internet, increasing the number of entry and exit points or network interfaces, bringing new information security risks and threats.
To address the above five information security risks, Mr CHAN urged all sectors of the community not to take it lightly. He said, “It is important to protect personal information carefully. Today's personal information includes not only date of birth and ID card number, but also biometric features such as fingerprints and voiceprints, which we should beware of being used by cyber criminals. It is also important to pay attention to the best results provided by search engines and the English spelling of website domain names to prevent malicious and phishing websites. In addition, it is important to understand the security threats posed by new technologies such as AI, blockchain, cryptocurrency and metaverse, and to develop relevant security strategies and countermeasures. Enterprises should prepare for the integration of connected industrial and IoT devices with adequate security, for example, by establishing a security framework with reference to international security standards. The integration will also require an update of corporate security policies and operational practices. In addition, the security of networks and systems should be regularly assessed, and the configuration of all connected internet equipment should be continuously monitored.”
In response to the increasing sophistication and diversity of phishing attacks, HKCERT will organise an anti-phishing campaign with publicity booths in different districts of Hong Kong to raise the awareness and capability of the public in combating phishing attacks; work with internet service providers and computer emergency response teams around the world to remove suspicious and malicious websites; release cyber security publications to alert the public on emerging risks; proactively collect and analyse malware samples; and provide the public with solutions and advice on how to tackle cyber security incidents. Furthermore, it will actively promote the information security awareness of the IoT and OT to enterprises. Seminars and training courses will be organised in collaboration with trade associations of different industries to enhance SMEs' information security knowledge and response capability.
Today’s briefing also invited Dr Daniel LUO, Associate Professor of the Department of Computing of PolyU, to share the latest security risks of IoT and Web 3.0. He said, “If IoT devices connected to the Internet fail to have their default passwords changed or software updated, hackers can exploit these weaknesses to launch attacks. Moreover, IoT companies should adopt a holistic approach to enhance the security of their IoT systems, including securing IoT's hardware and firmware as well as AI algorithms, applications and servers, network protocols and connections, and implement the Zero Trust Architecture. On the other hand, more attention must be paid to the security risks of Web 3.0 because of the existence of many unknown or known vulnerabilities in blockchains and smart contracts as well as many deceiving malicious smart contracts and sophisticated attacks existing on the blockchain platforms. Developers of blockchains and smart contracts should adopt a systematic approach to secure their products, such as code auditing and testing, security assessment of algorithms, software hardening, transaction monitoring and online defencing, detection of malicious smart contracts or frontend applications, etc. PolyU's research institute for artificial intelligence of things (RIAIoT) and research centre for blockchain technology (RCBT) have conducted extensive research on these areas with fruitful results.”
Enterprises or the public who wish to report to HKCERT on information security related incidents such as malware, phishing, denial of service attacks, etc. can do so by completing the online form at: https://www.hkcert.org/incident-reporting, or call the 24-hour hotline at 8105 6060. For further enquiries, please contact HKCERT at [email protected].
The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of the Hong Kong Productivity Council (HKPC) held a briefing today where Mr Alex CHAN, General Manager, Digital Transformation, HKPC, and spokesman, HKCERT (left), summarised the information security situation in Hong Kong in 2022 and forecasted the five key information security risks in 2023. It also invited Dr Daniel LUO, Associate Professor, Department of Computing, The Hong Kong Polytechnic University (right), to share the latest security risks of the Internet of Things and Web 3.0.