Hong Kong University has changed its Internet policy a week after The Standard reported that improperly indexed material listed on its Web sites could be accessed by users of the Google Internet search engine.
In an e-mail to students, MC Pong, user-services manager of the school's Computer Center, announced that changes will be made to the way the Web servers handle material listed by students and staff.
"In light of the recent Independent Police Complaints Commission incident on exposure of personal data on the Internet, the Computer Center has reviewed the current practice in relation to security issues," reads the e-mail sent to students Friday.
In addition to reminding students that they should prevent others knowing their passwords, Pong warns them to be careful about how they index data on the Web.
Working with security technicians, The Standard found last week that directory files for the school's undergraduate admissions offices were viewable on a cached, or stored, Web page accessed via Google.
"You should also check the protection level [for example, read/write privileges] of your directories and files to ensure that they are set appropriately," the e-mail said.
"[The university] appears scared of students being able to accidentally publish something on the Web," said Maren Leizaola, who runs HK.Com, a Web applications company.
"They are still providing similar functionality but it is not as visible with a browser, [so] search engines will not find and cache the information [The Standard was able to find in its Google search]," Leizaola said.
The HKU e-mail tells students and staff members that if they want to let others download files under the ".dir" suffix, they need to create a Web page that lists those files for downloading. It also tells them that if they want to put up sensitive material for viewing, they should visit a university Web site that explains how to set passwords for more security.
It also urges them to remove Hong Kong identity card numbers from Web sites.
While one university is making improvements in Web security, The Standard found another security hole in another university's Web systems.
The Hong Kong University of Science and Technology lists a ".pdf" file online, searchable through Google, that lists a password and an administration Web site address for changing course offerings. Security consultants say such public information is unnecessary - and exposes the university to hacking.
"It is very serious because I could log on with the password in the manual, the password does not change at all," said Anthony Lai, a security consultant.
"The whole manual is published only with sensitive information. I could remove their courses, student list, or even manipulate those enrolled student information for spamming," Lai said.
Also, Chinese University of Hong Kong has put 150 student records online without any password protection.