Singing the Virtues of Cyber Security

By Dr Suelette Dreyfus and Dr Shaanan Cohney

AISA volunteers ran cyber security drop-in clinics and a panel at a national music festival. The estimated 500 festival goers who participated in these events embraced improving the security of their phones and online accounts. Although young Australians may be savvy online, there is still a long way to go to improve uptake of the most important end-user security tools. 

Generation TikTok needs cyber security more than ever, but getting this message out there is hard. Everyone’s pictures and thoughts are posted for the world to see, but our team of Australian Information Security Association (AISA) members and students are firmly pushing digital privacy and cyber security into a social media–friendly spotlight.

Making a splash at Splendour in the Grass, our team brought cyber security education into the heartland of youth culture in Australia. Each year, nearly 50,000 people (most under the age of 26) from around Australia and the world attend the Southern Hemisphere’s largest music festival. The festival provides three days of music and entertainment near the backpackers’ mecca of Byron Bay in New South Wales. What better place to reach a generation that shares most of their lives online, and teach them about cyber security and digital privacy?

TALKING TO THE CYBER SAVVY
Young people are cyber savvy. They know there is danger and risk – but often they haven’t realised the simple steps that they can take to tune themselves up. This is where AISA’s crack volunteer team stepped in. The team comprised AISA members, many of whom were also part of the 16 university staff, and graduate and undergraduate students from across three universities in three states: The University of Melbourne, The University of Queensland and University of Technology Sydney, as well as other volunteers. The team ran a cyber security ‘Tune-Up’ each day of the festival, and organised a public panel. AISA gave mentoring and training to the team members before and during the drop-in help clinics.

Dr Suelette Dreyfus, AISA National Board Member

Dr Shaanan Cohney, CIS Lecturer, The University of Melbourne

The whole outreach initiative was part of the joint AISA–NSW Government Cyber.Check.Me pilot program to improve cyber security across the state, including supporting smaller businesses and regional entities. As festival goers dropped into the festival’s famous Science Tent, UTS cyber security student interns Marcus Karozis, Ben Christian, Jemma Swaak, Declan Seeto and Ben Carroll took turns inviting people to recharge their phones and enjoy a free donut while showing them practical ways to ramp up their cyber security ‘posture’.

Some of our volunteers dressed up in shark costumes, dancing outside the tent and delivering the message, ‘There are sharks out there – so cyber secure yourself!’ Others wore inflatable duck costumes, talking about rubber ducky attacks and how important it is to be careful about what you plug into your devices. We chose the theme of ‘Cyber secure yourself!’ because while we wanted to help young people, we also wanted to convey the message that everyone needs to take some personal responsibility for upping their own digital security.

Having a bit of a break from the hectic music festival line-up, visitors enjoyed a relaxed chat with our Tuners and a walk-through of the Big Four of cyber security for end users on their devices: patching, multi-factor authentication (MFA), password management, and encryption. The team gave out privacy camera slide covers and USB data blockers to those who tried out a Tune-Up.

For Australia to successfully ramp up its digital security, we need to secure the whole ecosystem, not just select silos. Young workers bring their devices into work all the time, potentially exposing their organisations – especially smaller companies that may not have their own IT security teams or training – to cyber threats. Getting the message to this demographic is difficult; to be effective, we need to step into their worlds with positive messaging about digital privacy and security.

TAKING SIMPLE STEPS
We kept things easy and low-key, showing how tuning up devices – like you regularly tune up your car – can reduce risk. A large barrier to reaching young people that are tech savvy but time poor is a perception that it is all too hard – from the climate emergency to digital privacy. If the problem looks insurmountable, people simply give up and walk away. So, the public outreach message we crafted was that just three or four simple steps will improve your cyber security to a good level of coverage.

We started with patching. ‘First, we helped them check if their software was up to date,’ says The University of Melbourne PhD student Cath Thompson. With a head of magnificently purple hair, freshly dyed in celebration of Splendour, Thompson summed up the importance of patching to a cluster of drop-ins. ‘If your phone is running an obsolete version of its operating system, exploitable holes will appear in your cyber defences – like a giant piece of Swiss cheese. And sometimes, unfortunately, all those holes line up,’ Thompson says.

‘We also highlighted new and evolving features of these systems that help users better understand and manage their digital footprint exposure to third parties.’ Thompson showed Splendourites both how to update and change their device settings to make sure that their devices would auto-update when new patches came out in response to cyber security attacks observed ‘in the wild’.

One of the more common problems was that visitors to the Cyber Tune-Up clinic had little space left on their devices. Since most updates need additional space, patching in the clinic often led to an impromptu clean-up of unwanted photos and files.

Next on the Tune-Up was setting up MFA. Undergraduate student Marco, who prefers to just use his first name, walked another group through how to set up MFA on important online accounts, like their Gmail or Instagram.

‘MFA is usually based on “something you have” and “something you know”. Think of your ATM card – you need both the card and a PIN to make a withdrawal,’ he told them. Marco noted that, ‘While many people still choose to use SMS as the second method of identification, you can get better cyber protection with an authenticator app, like Google, Microsoft Authenticator, Duo or Authy.’

Marco explained: ‘Attackers can use “SIM jacking” to evade MFA when set up with SMS messages.’ He told a small group of curious young people who had gathered around him that in a SIM jacking attack, a scammer uses social engineering to convince a mobile phone service provider (like Optus or Telstra) to transfer your phone number to a new SIM – which is under the scammer’s control. The scammer will then receive all your SMSs, making it easier to get access to your online accounts even if you have MFA enabled, because they control one of the avenues of verification.

Festival goers were keen to learn more. Using an authenticator program – many of which are free – you can limit the damage from SIM jacking, Marco told them. By using an authenticator program, you are not dependent on your telco service; however, Marco added, ‘You then need to plan for backup access if you lose your phone.’

Student volunteer Emma Baillie showed festival goers how a password manager works, as well as some free, open‑source software options, like Bitwarden and KeePass. ‘People often re-use passwords, or add “1, 2, 3” at the end of the same password. Well, attackers have that well and truly figured out,’ she said. ‘If you have to change your password when your dog dies, you need a better password.

‘Imagine that your account is compromised in a large data breach – say a Yahoo or LinkedIn breach. Attackers who get your password then try it on all your other known accounts. If you’ve re-used it, then it’s game over. They now have access to your other accounts, too,’ she said. ‘No-one can remember the hundreds of unique passwords we need for all our accounts these days. A password manager handles all that for you, giving each account a unique, hard-to-guess password, so you only have to remember one very good master password.’

An added bonus is that using a password manager can help to thwart phishing attacks. Many people are often fooled into entering their password into a phishing site that looks just like the real site, allowing attackers to capture the password, she said. But a password manager that’s configured to autofill won’t be fooled: the fake site won’t match the URL saved within the manager.

REACHING THE HARD TO REACH
One surprising outcome of the AISA–NSW event was the appetite the public had for learning more about cyber security. Our team took part in a public panel of cyber security experts hosted by comedian and former Triple J radio presenter Adam Spencer. The topic – ‘ChatGPT meets Hackers from Hell’ – brought together Troy Hunt, who runs the site ‘haveibeenpwned.com’ (which checks if your email has appeared on lists of hacked accounts), Deloitte partner Chris Gatford, The University of Queensland’s Shelly Mills, and Dr Suelette Dreyfus from The University of Melbourne. Much-loved science commentator Dr Karl dropped in to the panel, impressing the audience with a little dance on stage while also discussing digital security.

Music and cultural festivals create a great opportunity to reach young people with a cyber security education message. Susie Sheldrick, a research student from The University of Melbourne, said the clinic’s peer-to-peer help style made it easy for young people to ask questions about cyber security without the fear of looking like they didn’t know how to use technology. ‘There’s such a brilliant community vibe at Splendour – we’ve got this great team of staff and students across three universities, working together with cyber security professionals who are AISA members volunteering all over the event,’ she said. ‘The professionals are sharing real-life stories with us, giving us a sense of what it’s like to work in the field, as well as practical knowledge in applying cyber security improvements.’

Many who had their devices tuned up stayed for a while to ask deeper questions. The relaxed setting of the festival combined with the ‘no judgement’ chats with the volunteer team made people comfortable with the process, Sheldrick says.
‘There’s no blame, no shame – just friends helping them out to make their devices more secure.’

Dr Suelette Dreyfus and Dr Shaanan Cohney are both academics in the School of Computing and Information Systems at The University of Melbourne. Dr Suelette Dreyfus is also a national board member of AISA.

Photos by Dr Shaanan Cohney. An earlier version of this article first appeared in The University of Melbourne’s publication Pursuit.