Splendour of cybersecurity

Generation TikTok needs cybersecurity more than ever but getting this message out there is hard.

Everyone’s pictures and thoughts are posted for the world to see. But our team of researchers and students are firmly shoving digital privacy and cyber security into a social-media friendly spotlight.

At this year’s Splendour in the Grass, our team brought cybersecurity education into the heartland of youth culture in Australia.

Each year, around 50,000 people (most under 26) come together from around Australia – and the world – at the Southern Hemisphere’s largest music festival. The festival is three days of music and entertainment, near the backpacker’s mecca of Byron Bay in New South Wales (NSW).

So, what better place to reach a generation that shares most of their lives online with lessons in cybersecurity and digital privacy?

TALKING TO THE CYBER-SAVVY

Young people are cyber-savvy. They know there is danger and risk – but they haven’t connected the simple steps they can take to tune themselves up.

This is where our crack team steps in. Sixteen university staff, graduate and undergraduate students in total from across three universities in three states – the University of Melbourne, University of Queensland and University of Technology Sydney – ran a cybersecurity ‘Tune-Up’ each day of the festival.

Our Cybersecurity ‘Tune-Ups’ were done with the support of the Australian Information Security Association (AISA), the professional association for information security professionals, and its partner, the NSW state government.

Hundreds of festival-goers visited the famous Science Tent with their devices – smart phones, tablets and even laptops – to get advice on how to up their cybersecurity ‘posture’.

They would drop in to have a relaxed chat with our Tuners and a walk-through of the Big Four of cybersecurity on their devices: patching, multi-factor authentication, password management and encryption.

TAKING SIMPLE STEPS

Tuning up your devices – like you regularly tune up your car – can reduce risk. And it’s not hard – just three or four simple steps will improve your cybersecurity to a good level of coverage.

We started with patching.

“First, we helped them check if their software was up-to-date,” said University of Melbourne PhD student Cath Thompson.

With a head of magnificently purple hair, freshly dyed in celebration of Splendour, Cath Thompson summed up the importance of patching to a cluster of drop-ins to the Tune-Up.

“If your phone is running an obsolete version of its operating system, exploitable holes will appear in your cyber defences, like a giant piece of Swiss cheese. And sometimes, unfortunately, all those holes line up,” she explained.

Cath showed Splendourites both how to update and to change settings to make sure their devices would auto-update when new patches came out in response to cybersecurity attacks observed ‘in the wild’.

“We also highlighted new and evolving features of these systems that help users better understand and manage their digital footprint exposure to third parties,” she added.

One of the more common problems was that visitors to the cyber tune-up clinic had little space left on their devices. Since most updates need additional space, patching in the clinic often led to an impromptu clean-up of unwanted photos and files.

Next on the tune-up was setting up multi-factor authentication, or MFA.

University of Melbourne student Marco, who prefers to just use his first name, walked another group through how to set up MFA on important online accounts like their Gmail or Instagram.

“Multifactor is usually based on ‘something you have’ and ‘something you know’ – think of your ATM card, you need both the card and a pin to make a withdrawal,” he said.

Marco noted that “while many people still choose to use SMS as the second method of identification, you can get better cyber protection with an authenticator app, like Google or Microsoft Authenticator, Duo or Authy.”

Marco explains: “Attackers can use ‘SIM Jacking’ to evade MFA when set up with SMS messages.”

In a SIM Jacking attack, a scammer uses social engineering to convince a mobile phone service provider (like Optus or Telstra) to transfer your phone number to a new SIM: a card under the scammer’s control.

The scammer will then receive all your SMSs, making it easier to get access to your online accounts even if you have MFA enabled because they control one of the avenues of verification.

Using an authenticator program – many of which are free – can limit the damage from SIM Jacking. By using an authenticator program, you are not dependent on your telco service.

However, Marco adds: “You then need to plan for back-up access if you lose your phone.”

University of Melbourne PhD student Emma Baillie showed festival goers how a password manager works, and some free, open-source software options, like Bitwarden and KeePass.

“People often reuse passwords, or add ‘1,2,3’ at the end of the same password. Well, attackers have that well and truly figured out,” she said.

“If you have to change your password when your dog dies, you need a better password.”

“Imagine your account is compromised in a large data breach – say a Yahoo or LinkedIn breach. Attackers who get your password then try it on all your other known accounts. If you’ve re-used it, then it’s game-over. They now have access to your other accounts too,” she said.

“No one can remember the hundreds of unique passwords we need for all our accounts these days.

“A password manager handles all that for you, giving each account a unique, hard to guess password, so you only have to remember one very good master password.”

An added bonus is that using a password manager can help to thwart phishing attacks.

Many people are often fooled into entering their password into a phishing site that looks just like the real site, allowing attackers to capture the password. But a password manager that’s configured to auto-fill won’t be fooled: the fake site won’t match the URL saved within the manager.
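To see why a lookalike site gets nothing from auto-fill, here is a simplified sketch of the decision, added as an illustration and not taken from Bitwarden, KeePass or any other product. It assumes a strict origin match (scheme, host and port); real password managers apply their own matching rules, and every site and username below is constructed.

```javascript
// Added example: simplified autofill decision. All sites and usernames are constructed.
const vault = [
  { savedUrl: "https://accounts.example.com/login", username: "festivalgoer" },
  { savedUrl: "https://social.example.net/", username: "festivalgoer" },
];

// Reduce a URL to its origin (scheme + host + port); null means "never fill here".
function originOf(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return null; // not a parseable URL
  }
  if (parsed.protocol !== "https:") return null; // no credentials over plain http
  // .origin lowercases the host, drops the default port and excludes any
  // "user@" part, so how the address bar text looks does not matter.
  return parsed.origin;
}

// Return the saved entries whose origin is exactly the origin of the open page.
function credentialsFor(pageUrl, entries = vault) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null) return [];
  return entries.filter((entry) => originOf(entry.savedUrl) === pageOrigin);
}

// Constructed page URLs: the real login page, then lookalikes.
const visits = [
  "https://accounts.example.com/login?next=/home", // genuine site
  "https://ACCOUNTS.EXAMPLE.COM:443/", // same origin, written differently
  "https://accounts.example.com.login-check.test/login", // real name used as a subdomain
  "https://accounts.examp1e.com/login", // digit 1 in place of the letter l
  "https://accounts.ex\u0430mple.com/login", // Cyrillic "а" in place of Latin "a"
  "https://accounts.example.com@phish.test/login", // real name in the user part
  "http://accounts.example.com/login", // right host, no TLS
];

function autofillReport(urls = visits) {
  return urls.map((url) => ({ url, filled: credentialsFor(url).length > 0 }));
}

for (const { url, filled } of autofillReport()) {
  console.log(`${filled ? "FILL" : "skip"}  ${url}`);
}
```

Only the first two URLs are filled. A manager that stays silent on a page where it normally offers a login is a cue to check the address before typing the password by hand.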

REACHING THE HARD-TO-REACH

Our team also took part in a public panel of cybersecurity experts hosted by comedian and former Triple J radio Breakfast presenter, Adam Spencer.

The topic – ‘ChatGPT meets Hackers from Hell’ – brought together Dr Suelette Dreyfus from the University of Melbourne, Troy Hunt, who runs the site haveibeenpwned.com (which checks if your email has appeared on lists of hacked accounts), Deloitte partner Chris Gatford, and the University of Queensland’s Shelly Mills.

Music and cultural festivals create a great opportunity to reach young people with a cybersecurity education message.

Susie Sheldrick, a University of Melbourne PhD student, said the clinic’s peer-to-peer helping style made it easy for young people to ask questions about cybersecurity without the fear of looking like they didn’t know how to use technology.

“There’s such a brilliant community vibe at Splendour – we’ve got this great team of staff and students across three universities working together with cybersecurity professionals who are AISA members volunteering over the event,” she said.

“The professionals are sharing real life stories with us, giving us a sense of what it’s like to work in the field as well as practical knowledge in applying cybersecurity improvements.”

Many who had their devices tuned up stayed for a while to ask deeper questions. The relaxed setting of the festival combined with the ‘no judgement’ chats with the volunteer team made people comfortable with the process, Susie says.

“There’s no blame, no shame, just friends helping them out to make their devices more secure.”
