There is a group of IT professionals called “white hats” who spend their days looking for security vulnerabilities in systems, using techniques similar to “black hats.” However, their intention is not to launch attacks or extort, but rather to engage in a constant battle, ethically hacking systems in a controlled environment to discover vulnerabilities before actual hackers do, helping to fix problems and preventing tragedies from occurring.
The virtual world is much more fragile than we imagine. Once personal information is leaked, it is difficult to escape the fate of becoming a “transparent person,” stripped “naked” by hackers. From small-scale phone harassment to large-scale extortion, hacking is strong enough to disrupt social order and leave everyone living in fear. On 14th November 2023, the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) and the Hong Kong Productivity Council Cyber Security (HKPC Cyber Security) jointly released the results of the “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness” in 2023. It showed the largest decline ever recorded in the cybersecurity readiness index for local enterprises. Around 70% of the surveyed companies experienced at least one type of cyber security attacks, primarily through phishing emails, phone calls, and SMS. The Office has received 119 reports of data breaches as of the end of October 2023 and is currently reviewing amendments to privacy regulations.
In this issue of Cubic Zine, we feature Professor Chau Sze Yiu from the Department of Information Engineering, the Faculty of Engineering, the Chinese University of Hong Kong (CUHK) and his team of students, Doria and Cousin, who are also “white hats.” We explore their little universe and witness how they relentlessly work day and night to patch vulnerabilities in the virtual world, safeguarding the security of the multiverse and mitigating the crisis of data leakage in real life.
Cybersecurity Is No Small Matter
Even during his secondary school years, Professor Chau had a keen interest in cybersecurity issues. Amidst the playful and mischievous days of his student life, he engaged in “friendly attacks and defenses” that made him realize the fragility of information security barriers. This sparked his curiosity to further research: “How can we do better, help the people around us, and assist people from different social classes?”
From the small-scale data breaches resulting from lost computers to VPN software stealing company secrets, to large-scale information leaks in institutions worldwide, particularly with recent incidents in Hong Kong where several organizations, enterprises, and even ordinary people fell victim to cyber attacks, Professor Chau has studied numerous cases, fully aware of the negative impact of cybersecurity incidents on society. A single intrusion into the public water supply network system is enough to destroy a water pump that supplies water to thousands of households, or to contaminate the water with sodium hydroxide levels over 100 times the safe limit. A ransomware attack on a power company is enough to plunge a city into darkness for half a day. Theft of data from a major institution that holds large amounts of data can turn hundreds of gigabytes of personal information into commodities with clear prices. Countless cybersecurity incidents, once successful, can indiscriminately trample on people’s privacy or even their lives. (Read more in the side article)
After completing his Ph.D. in Computer Science at Purdue University in the United States, Professor Chau started teaching at CUHK in 2020. Leveraging his expertise in information engineering, Professor Chau leads his team of students to identify cybersecurity vulnerabilities and strives to stay one step ahead of hackers to provide timely remedies.
Teamwork with a Sense of Social Responsibility
Where does the cybersecurity research begin? Professor Chau usually plans the research direction from a macro perspective and assigns team members with different strengths and backgrounds to work as “white hats” in various areas, such as communication software and office software. The team’s daily work involves conducting systematic investigations within their respective domains, comparing different products in the market, and analyzing the reasons behind their strengths and weaknesses. Professor Chau and his team strive for in-depth investigations, attempting to find vulnerabilities from different perspectives and levels, often resulting in research projects that span over a year. In addition to the ongoing exploration of email and VPN vulnerabilities, there are many different ecosystems yet to be thoroughly explored.
Professor Chau finds satisfaction in discovering and solving problems, emphasizing that having the support of a team is always better than working alone. Cousin, a graduate student working alongside Professor Chau, is delighted to provide different perspectives and contribute to the professor’s research projects.
With relentless pursuit, they are driven by a conscience and a sense of social responsibility, aiming to stay one step ahead of lurking hacker attacks and eliminate the threat of vulnerabilities. Professor Chau also hopes that this sense of responsibility can be passed down through generations, so that regardless of the paths chosen by team members in the future, they can continue to contribute to the construction of cybersecurity.
EQ and IQ
Engaging in cybersecurity research requires logical thinking, cryptography knowledge, and a strong IQ foundation, but EQ is also extremely important. In terms of EQ, Professor Chau believes that patience and communication skills are essential.
“The code online is not something you write, which means you have to spend a lot of time guessing and trying. This process takes a lot of time and tests your patience,” says Professor Chau. If you don’t have enough patience, hackers may have more patience than you do. As a result, the team often immerses themselves in experiments, sacrificing sleep and meals. Team member Doria often searches for vulnerabilities and tests until three or four in the morning, and even if she has a stroke of inspiration, she will continue working at the office on weekends.
Once vulnerabilities are discovered, Professor Chau and his team make every effort to contact the organizations affected by the vulnerabilities. However, this is not always smooth sailing. Large corporations may handle it transparently, make timely corrections, and even give rewards as thanks. “Android and Chrome accepted our suggestions and released software patches, and Google rewarded us with more than HKD 150,000.”
But the response from small and medium-sized enterprises varies greatly. The team has experienced making long-distance phone calls, only to be questioned about their intentions. They have also tried traditional communication methods like sending faxes and registered mail, but often receive no response. Communicating with those companies truly tests their EQ: “They have a feeling of not wanting to air their dirty laundry. We have to convince them that we are helping them enhance their brand credibility, not harming them. This process has taken a lot of time, effort, and sweat from the team members.”
The Crisis and Opportunities of Cybersecurity
Earlier, there was an interesting story behind the VPN update by the Information Technology Services Centre at CUHK. Professor Chau’s team analysed more than 7,000 Wi-Fi setup guides from more than 2,000 higher education institutions worldwide and found that approximately 86% of these institutions had at least one system instruction that led users to adopt insecure Wi-Fi settings. The research team tested 132 VPNs commonly used globally and discovered that nearly half of them had serious vulnerabilities. They also found configuration issues in more than 300 of the 2,000 VPN user manuals from higher education institutions worldwide, potentially exposing users to easy password theft by hackers. Professor Chau’s team took the chance to investigate the VPN software used by CUHK, as a result, CUHK updated its VPN software to establish a stronger digital fortress for the university.
In the market, companies, organizations, hospitals, and schools all rely on cybersecurity products to maintain their daily operations. Businesses also need to prioritize cybersecurity to counter the rapidly changing business environment. This undoubtedly presents a promising business opportunity. At CUHK, with its talented researchers and technical expertise in cybersecurity, there is an opportunity for knowledge transfer and using research to benefit the society.
During our conversation, we discussed the significant risk of non-governmental organizations handling large amounts of donors’ private information. We suggested that Professor Chau could seize the opportunity and establish a social enterprise related to cybersecurity. Professor Chau believes it is worth doing, providing consultancy to businesses at affordable prices. At the same time, it would give students the chance to apply theory to practice, interact with clients, and apply their knowledge to solve real-world problems.
As software programs evolve and hacker intrusion methods become more diverse, cybersecurity researchers must keep pace and maintain an indomitable spirit. “We always say attacks only get better. With new challenges and new traps, there are always new opportunities.”
Hope Everyone Qualifies and Strives for High Scores
Returning to the essence of the problem, the best way is still to improve the overall information security level of society. Professor Chau believes that individuals and organizations need to strive to do their best.
“At the end of the day, cybersecurity is a human problem, whether it’s people making mistakes when developing software or people making mistakes when using it. People often have an optimism bias that they are not going to get hacked.” While it is difficult for the general public to completely prevent all attacks, they can pay more attention to current affairs and gradually raise awareness of cybersecurity problems and best practices. When websites or apps ask for personal information, it is worth considering how to provide as little as possible to protect personal privacy. “Don’t always select ‘allow’ for everything.” Also, when encountering suspicious pop-ups, it is important to think twice before clicking “confirm”: Do you really need to proceed? It’s not about everyone achieving a perfect score of 100, but “when you usually score 40, if you can now score 60, that is still a good progress.”
At a higher level, whether it is companies, enterprises, or government departments, they should abandon traditional thinking and carefully examine whether the current cybersecurity measures are sufficient to deal with increasingly serious cyber attacks. They should be cautious against unforeseen losses caused by cybersecurity vulnerabilities. Organizations should also establish better communication channels, formulate contingency measures, and adopt an open attitude to accept well-intentioned reminders from “white hats.”
With the increasing number of cyber attacks, trust among people is being undermined. Professor Chau believes that everyone should proactively build trust by enhancing the awareness of cybersecurity: “If people’s security level is not too low, attackers will not find it easy to exploit vulnerabilities, which I believe will help establish trust in the entire society.”
Wearing the “white hat” and patching cybersecurity vulnerabilities, Professor Chau and his team’s expertise has reached the “black belt” level. Sitting for long hours patching vulnerabilities in the virtual world can sometimes cause back pain. Professor Chau and team members once again set the old goal: in the new year, they will exercise more together. But we know that only when everyone’s cybersecurity awareness improves, Professor Chau will move closer to his goal. Of course, this is definitely not the only goal he wants to achieve in the new year.
Since its establishment in 1989 by Professor Sir Charles Kao, the “father of fiber optics,” the Department of Information Engineering of CUHK has been promoting the advancement of cybersecurity in Hong Kong and even the global Internet and information technology development. In the new era of information, we believe that Professor Chau and the faculty and students of the department will continue to collaborate in research, actively contribute to society, and build a secure and intelligent interconnected world.
Text: HUANG Xiangkun Calvin, Alice Fong
Please feel free to email us at innoport@cuhk.edu.hk to share your thoughts!