Tuesday, June 11, 2013

Security Savvy Kids

My generation came of age as the Internet sprung on the scene ... we did not have the benefits nor threats of social media when we were teenagers. Our children are now growing up in a world where connectedness is ubiquitous.  My 13-year-old son just got his first personal laptop this week (as opposed to using a shared family computer), so much of what I have written over the last few years suddenly has a newfound relevance.  How do I protect him from malicious actors and his own youthful naivety, while at the same time teaching him to become a tech-savvy young adult? I don’t have all the answers yet (truthfully, I’ll never have all the answers), but here’s a sort of "stream-of-consciousness" stab at a starting point.

Some of what I do involves the home network and not his personal computer specifically.
  • All Internet access is through a router with a built-in firewall. The primary purpose of a firewall is to keep someone on the outside from directly accessing my network. Most wireless routers, and some hard-wired routers, have a built-in firewall. More elaborate home installations might have a dedicated firewall, and if all else fails, Windows has a built-in firewall that can be enabled. My personal approach thus far has been to simply use the built-in firewall on my wireless router.
  • This router is set up securely. I changed the administrator password to something other than the default (default passwords shipped on commercial and consumer-grade devices are readily available on the Internet). The SSID is set up with WPA2 encryption (without encryption, anyone near enough to pick up a signal can hop on the network and listen to everything, and older WEP encryption can be cracked in under a minute by a knowledgeable person).  I regularly check for firmware updates (there have been a number of reports lately of bugs in routers themselves that would allow an attacker to compromise the router and get in). I go one step farther and enable MAC address filtering: only MAC addresses (the physical hardware address of a computer's network adapter) I specify are allowed to connect. Given enough time and ingenuity an attacker can mimic an allowed MAC, but they have to obtain that address first.
  • My WiFi router also serves as my DHCP server (providing an IP address to each device on my network), so I can specify several other network settings. Specifically, my DHCP server provides a DNS server from the OpenDNS "FamilyShield" project. DNS, or Domain Name Service, is how a computer translates "www.google.com" into a network address such as "" Most standard DNS servers will simply provide an address for any requested URL. FamilyShield behaves similarly - unless the requested URL is known to contain adult content. If the request is for an adult site, OpenDNS will instead provide the address of a page that kindly says "you can't go there."

Other actions pertain to his computer specifically.
  • Windows and Mac OS both have an auto-update feature that will automatically install any patches and software updates for the operating system (and in the case of Windows, for Microsoft products such as Internet Explorer and Office). Ditto for iPhone iOS and Android. Many software products (Firefox, Chrome, Adobe Reader, Flash, iTunes, Java, to name a few) have similar features.  Patches frequently fix bugs that attackers exploit to do things with a computer that you did not intend. Some of the more famous virus and worm events could have been prevented by simply installing patches already available from the vendors.
  • Some malicious software will inevitably get through these defenses, so I run an antivirus program.  Microsoft's free Security Essentials is pretty good, and you can't beat free.
  • Since this is a child's PC, I then install a parental monitoring program (I currently like Norton Family). The free version will block access to inappropriate content, and keeps a week-long record of everywhere he browses. I can also restrict browsing to certain hours, or to a cumulative time per day or week. The paid version keeps records for up to 90 days, adds monitoring of any video content he watches, and for tablets and smartphones would monitor app installs and SMS / text messaging.
  • His user account is a standard user, not administrator. Older versions of Windows were not really usable without admin privileges, but Windows 7 and newer have made some significant strides. He’ll still need the administrator (i.e. the parent) to log in if he wants to install new software.
  • In addition, I set his DNS resolver to be that of OpenDNS FamilyShield (and not obtained through DHCP). This way even when he is away from our home network, he still goes through the DNS server I prefer.

Since this is my child, I can exercise some additional non-technical controls :-) 
  • He must connect with his mother and I on any social network he chooses to use, and recognize that we will monitor his interaction with other friends.
  • He may not friend anyone online that he does not know offline.
  • The computer is to be used in public areas of the house – not behind a closed bedroom door.
  • For now (at some point this will change, but that’s a future discussion … at 13 I believe this is reasonable) his personal email is mirrored to his mother’s or my account, and he must be aware that we can see anything he sends or receives.
  • Teach him. Set privacy settings on social networks so only friends can see his activity. Personal information can be used in bullying, or identity theft. If an offer looks too good to be true (free iPad! Bill Gates is giving away $$$!), it probably is. If someone is begging him for quick help (Nana was mugged in London and needs money to get home) use some common sense. (When was the last time Nana traveled to London? Would she really contact you on Facebook? Would her 13 year old grandson really be the first one she asked for help?)
  • Teach him more. We avoid pornography because of our family values. It is not Biblical. It is not in line with God’s plan for sex and marriage. It is highly addictive, and damaging to his self-worth and to his future relationship with his future wife. Not to mention that many links claiming to be of “hot babes” are instead malware.
  • Teach him still more. What he does and says today online will be there when he is in high school, and college, and interviewing for a job, and dating his future spouse. What he says in person to a friend might be held in confidence … what he says online is there forever. Teach him not to say something online that he wouldn't say in person – just because you cannot see who you are speaking of, doesn't mean they are not human and cannot be hurt.
  • Teach him to use strong passwords, and not to share his passwords. Teach him to use passwords that cannot easily be guessed (the lead character of your favorite movie is NOT a strong password!)  On the topic of passwords, teach him not to log in to password protected sites from a computer he doesn’t own. If you don’t own it, you don’t know what is on it (which could include password-stealers).
  • Teach him to think before acting. Impulse actions (whether purchasing music or apps, or following risque links, or sharing pictures or information about himself) can get one into trouble. At age 13, these impulse actions tend to have much less significant consequences than they may have at age 18 ... a conversation we have frequently in the context of his all-too-near driving days. Personal responsibility means thinking about what you are about to do.

And a few tips that are more tablet/smartphone centric (not directly applicable to my son's laptop, but definitely relevant to the topic of child/teen security). Thanks to F-Secure's Sean Sullivan (@5ean5ullivan) for several of these ideas.
  • Most of my home network precautions protect WLAN mobile devices just as well as laptops and desktops. Keep in mind that 3G/4G-enabled devices have a separate Internet connection that does not go through the home network.
  • Younger kids might benefit from a "child-mode" app. These apps essentially create a sandbox on the device, preventing kids from accidental purchases, awkward advertisements, and inappropriate apps.  It can also prevent accidently installing a malicious app that mimics a popular app (such as the recent fake "Bad Pigs" app). One I am looking at is called "Kid Mode," while for the Kindle user there is the Amazon-specific "Kindle Free Time."
  • Teach him (and my other kids) to read the permissions requested by any new app or app update. Does "Bad Piggies" (or its malicious doppelganger above) really need access to my phone calls and web bookmarks?
  • Mobile devices need malware protection just like traditional PCs. Most of the names you know from PC security (F-Secure, McAfee, Norton, Kaspersky, etc) also have mobile security products.
I am sure I will add to this over time, as I learn and as he learns, and as we encounter new "teachable moments."  Please feel free to comment on your own suggestions as well!

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen