The majority of cybersecurity breaches that affect the University of Cape Town (UCT) network originate from mobile devices being used on campus by staff and students, according to Roshan Harneker, senior manager of Information and Cybersecurity Services.
Speaking to mark Cybersecurity Month, a global initiative that takes place annually in October, Harneker said the UCT focus this year is on mobile security, in light of the thousands of devices connected to the university’s network at any given time.
“The majority of devices on campus are mobile, so they are either cellphones or tablets. The most used operating system is Android… On average, about 7 600 Android devices connect to the UCT network daily… Mobile device usage dwarfs desktops completely,” she explained adding that the network sees many botnet and malware infection arising from unprotected and infected mobile devices and laptops.
“These are insidious pieces of software that collect your personal information and data, and transfer it over the internet to a remote host. The individuals controlling the malware and botnets then harvest your information for the purpose of committing cybercrime, identity theft, fraud and more.
“What we've found is that most of the unprotected and infected mobile devices are running older versions of the Android operating system.”
“Most of the unprotected and infected mobile devices are running older versions of the Android operating system.”
The reason that Android devices are at risk, according to Harneker, is that “until recently, Android wasn’t very circumspect about the type of apps that it allowed on [Google Play Store]”.
In addition, many UCT students can’t necessarily afford the latest mobile devices which run more updated versions of the Android OS, that come preconfigured with Google Play Protect.
“What Google Play Protect does is provide malware protection to Android devices,” she explained.
Students and staff could in fact inadvertently expose themselves to malware simply by having Bluetooth switched on.
“A lot of people think: ‘I don’t need to worry about my device being stolen. My phone is in my pocket.’ Yes, but what about the data on your phone? Is Bluetooth on all the time? Do you have a password set for Bluetooth? Is it a strong password, or is it ‘0000’? Can anybody get on it?”
The implications of a data breach
On why it matters so much if someone accesses your information, Harneker said that “before you know it, somebody has committed identity theft, and they’ve created a new bank account in your name, or they’ve gone to a retailer and opened up a new line of credit in your name – and you are getting the bill for something you never signed up for”.
Worse still, you can’t easily prove it wasn’t you.
Besides the obvious financial risks, Harneker warned students their academic research could be stolen, their personal photographs could end up on the internet, or the university’s confidential information could be shared or ransomed.
“There is also a risk to your personal safety if, for example. you use location-tracking applications, which can be found in many fitness applications, because your whereabouts and daily routine are made public.
“In the end, you are actually the weakest link when it comes to exposing your own data,” she said.
How to stay cyber safe
The first rule – which many staff and students do not yet follow – is: do not share your login detals with anyone.
Other ways Harneker suggests using to beef up mobile security include behaviour change: “Don’t reply to mails and texts that request personal information, especially when it is asking you for your username and password. If a company calls you and they want you to verify personal information over the phone, don’t. Don’t open attachments if you can’t verify who the sender is. Don’t click on links in emails if you can’t recognise where the link will redirect you.”
“Don’t reply to mails and texts that request personal information … Don’t open attachments if you can’t verify who the sender is.”
The university environment is also ripe for malware exposure because of the common interests and behaviours of many students.
“A lot of the phishing campaigns that we see on campus are targeted at universities. For example, the subject line will read something like: ‘Please click here to submit your grant request.’ Some people are waiting for that. So they don’t even look at who the sender is,” she said.
During Cybersecurity Month, the CSIRT is running a weekly competition aimed at boosting awareness. Four prizes are up for grabs every week by staff and students who read their useful articles and answer the quiz questions correctly.
The winners will be selected by lucky draw and can win prizes including a Samsung Galaxy tablet, a 1TB USB hard drive, a R250 Canal Walk gift voucher, and a set of Logitech headphones.
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.
Please view the republishing articles page for more information.