Is your fish tank spying on you?


Recently, over 10 GB of data was stolen from a casino when a PC used to regulate the temperature, food and cleanliness of a fish tank was hacked by an unknown group. While this is objectively funny, it is also a great reminder about the “Internet of Things” and the security concerns that are introduced as our homes are populated with more and more computers disguised as everything from toasters to baby toys.

Most of us have become used to installing security patches and updates on our PCs, phones, and tablets. But that smart sous vide cooker is also a “computer”, as are your gaming system, smart outlets and smart lightbulbs. Anything connected to your home’s Wi-Fi network is a potential avenue for a hacker to compromise your home network. The consequences of this can range from having your personal data sold to identity theft or even a compromise of OMB data if you are accessing work resources from home.

There are a few simple steps you can take to help keep yourself and your home network safe.

  1. Be conscious of where you buy IoT products and who manufactured them. Off-brand products sold at discounted prices may include spyware or other security vulnerabilities. Do some research for known security issues when purchasing a product from a vendor you do not know.
  2. Keep a spreadsheet of IoT devices in your home. Whenever you connect something to your home network add a row to your spreadsheet with the manufacturer’s model number and a link to the manufacturer’s website or a site where you can download patches and security updates.
  3. Make sure your home Wi-Fi network is using strong WPA2 encryption and your Wi-Fi router(s) are updated with any patches or upgrades.
  4. Change the default password on devices if possible. Use unique random passwords and record the passwords in your spreadsheet (or better yet in a password manager) so you don’t lose them.
  5. If you are not using a device anymore, disconnect it from your network, especially things like baby monitors or security systems.
  6. For an extra level of security, use a separate Wi-Fi network for your IoT devices. Most Wi-Fi routers allow you to configure a “Guest Network” which can connect to the internet but cannot access other devices on your home network. While this may not work for all devices, adding devices to your Guest Network will help protect your PCs and other computing devices from compromise if the IoT device is hacked. In the Cybersecurity game, we call this “restricting lateral movement”.

As always, if you have any questions or concerns I’m here to help. Thanks for your time and stay safe out there.


Smartphones Are the New Security Blanket for Kids

This is a very interesting essay on how to view your kids’ relationship with their smartphones or other electronic devices.

Adolescence makes many kids feel adrift. Their phones can help them feel connected to their friends and more importantly, to their stable identity. Let’s not shame them for these transitional objects.

Link: Smartphones Are the New Security Blanket for Kids – LOVE/HATE – Medium



How (and why) to freeze your kid’s credit


Ummm… my kids don’t have any credit. What are you talking about?

Freezing your kid’s credit is much more important than most parents realize. Here in the U.S. a person’s credit score is the major factor in many financial dealings. Your credit score determines if you can buy a home, get a credit card or a car loan, and in some cases can even be a factor in getting a job. Normally, we develop a credit score by paying bills and taking on loans as we enter adulthood. There are lots of good arguments for and against the current credit system, but it is what we have and so it is important to understand how the system works and how to protect yourself.

OK, but what does that have to do with my kids?

Stolen identity information is used to apply for loans/credit cards. Stolen information may also be used to defraud an employer. Sometimes to avoid immigration and work permit regulations. Sometimes for other more nefarious reasons. In the past, no credit history was a liability when applying for new credit. More recently most creditors have few if any concerns if someone lacks a credit history. So an identity with no credit history, and one that is likely not going to be checked on for many years, is a perfect target for identity thieves. In fact, Social Security numbers from infants are some of the most valuable stolen identity information sold on the dark web.

Criminals combine stolen Social Security numbers with other stolen information. A stolen Social Security number is combined with a stolen name and address to create a realistic but fake identity. These identities are then used to apply for credit. The criminal may apply for credit cards, take out loans, and even apply for government benefits. A credit check run on the fake identity will show that the “person” has no bad credit history.

When the real owner of the Social Security number starts to apply for credit they discover a long history of bad debt. This can be difficult and costly to clean up. It can take years to recover your good credit and even then the bad records can come back to haunt you again and again.

Some victims of identity theft have petitioned for a new Social Security number. But even in the worst instances of identity fraud, the Social Security Administration is very resistant to issuing a new Social Security number.

That all sounds horrible. Will freezing my kid’s credit really protect them?

Mostly. Freezing your child’s credit will prevent anyone from opening new lines of credit. It will also make the frozen identity less attractive to criminals. For adults who may be actively using their credit to apply for loans, freezing credit can be an inconvenience. But for kids it should be a non-issue. So there is very little downside.

Alright. I’m convinced. But what about my credit?

Freezing your own credit is a good idea as well. Any minor inconvenience from freezing your credit pales in comparison to the effort required to recover from identity theft.

Freezing your credit will not affect your ability to use your current credit cards or access funds on existing lines of credit. If you have an existing mortgage or car loan, the existing loan will not be affected. If you want to take out a new loan, refinance an existing loan, get a new credit card, or request an increase in a current line of credit, you will have to unfreeze your credit first. Unfreezing your credit usually requires just a quick call to the credit bureau. In some cases you can freeze/unfreeze your credit online from your cell phone.

If you are house hunting or looking for a new car you can unfreeze your credit while you are shopping and then turn the freeze back on. Having your credit exposed for a short time will still make it much less likely you are victimized than if your credit is open for long periods of time when you are not necessarily paying close attention to it. Many cases of identity theft go undetected for months or years.

How to freeze your credit

The major credit reporting agencies have made it very easy to freeze your credit. It is best to freeze your credit at all three of the major credit bureaus. All three offer an online option, but generally it is easier to do this over the phone. So set aside an hour and have at it!

Protecting your home network

October, as I’m sure most of you know, is Cybersecurity Awareness Month. Unquestionably the most important month of the year…. Wait, you didn’t know it was Cybersecurity Awareness Month? You didn’t even know there was such a thing as Cybersecurity Awareness Month? You are wondering why we don’t have a clever acronym for Cybersecurity Awareness Month so I could stop typing Cybersecurity Awareness Month over and over again in order to make this joke work? I’m curious about that last one too.

Cybersecurity Awareness Month was launched by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) in October 2004 as a broad effort to help all Americans stay safer and more secure online. One of the themes this year is “Make Your Home a Haven for Online Safety” which I acknowledge is pretty cheesy. However, it is a very real and very important goal. Your home network not only protects your personal assets and information; it’s also a major avenue of attack against corporate or government systems. Many, if not most, people today work from home or access resources on their employers’ networks from their home computers. If an attacker can infect your home computer they can use that to capture your work credentials or even attack your employer’s systems. Compromised home computers can also be used to build “botnets”: collections of thousands of computers controlled by a single person or group that can be used to crash websites or harvest bitcoins without the computer owner’s knowledge. So protecting your home network is important not just to you but to all of us.

The single most important thing you can do is to make sure every device you own has the latest updates installed. Recent studies have found that more than 80% of the attacks used by bad actors are effectively defeated by running the latest version of the attacked software. This should include your computer(s) as well as cell phones, tablets, and smart watches. In most cases, these devices will prompt you to install updates as they become available. Make sure you know what the update notifications look like and install any updates as soon as possible. For many devices, you can turn on automatic updates and you should do this whenever possible. Even with automatic updates turned on, make a recurring reminder in your favorite calendar or reminder app to check at least once a month to make sure all updates are installed and that automatic updates are turned on.

Windows 10 automatically downloads and installs updates to make sure your device is secure and up to date and Apple computers will get critical security updates automatically. In both cases you should still be checking at least monthly for other updates by looking in the applicable App Store. Remember that in addition to updating your Operating System you also need to update any applications you have installed. Applications installed from one of the major app stores will handle this automatically so whenever possible, you should get your applications from the store rather than downloading them directly from a vendor site. This is also a good way to make sure you are getting the “real” program you wanted and not an infected version that can infect your computer.

The second most important thing for you to update (and it is a close second) is your modem or router. This is your first line of defense against an attacker and is also your most vulnerable point. If an attacker can compromise your router, they can see everything on your network making it easy to gather passwords and other sensitive information. The exact process for updating your router will vary depending on the make and model you have. This article on WikiHow has a good set of general instructions with pictures that can help you figure out the right process for your specific system.

You should also be updating any other “smart” devices in your home. This can include smart TVs, gaming consoles, lightbulbs, thermostats, baby monitors, security cameras, refrigerators, those cool video doorbells, etc.  Anything you can control with your cell phone or get online content from. Most modern devices provide an easy way to install updates when needed, but some can be annoyingly complex. I’m not going to sugar coat this one. Updating all of your “things” is going to be a pain, but think of it like changing the batteries in your smoke detectors or replacing the fire extinguisher in your kitchen.

Side Note: I know right now a bunch of you are thinking, “When did I last change the batteries in the smoke detector? Do I even have a smoke detector?” And even more of you are thinking, “Am I supposed to have a fire extinguisher in my kitchen?” If you can’t remember when you last changed the batteries in your smoke detector, go change them now. Better yet, go out and get some of the newer ones that have a built in battery good for 10 years. If you don’t have smoke detectors you should get at least one on each floor of your home. You should definitely have a fire extinguisher in your kitchen. You don’t necessarily need the big red ones. You can get small aerosol can sized ones like the First Alert AF400 Tundra Fire Extinguishing Aerosol Spray.

There are some things we can do to make this easier though. And add some extra security to our home setup along the way.

  • First, we want to make an inventory of every device in our home. You can do this in a spreadsheet or a Word document. Whatever you like. You can even do it on paper if you want.
  • Second, however you decide to keep your inventory, write down the name of the product, when it was purchased, and if available, write down the serial number or other identifying information.
  • Third, make a note about how to update the item’s software (Sometimes we call it firmware. Don’t worry about the difference). These instructions will usually be in the instructions that came with the product. If not, Google the product name and “install updates” and you should find instructions. Usually the instructions will give you a website to go to for updates. Make a note of the website and any other information you will need.
  • Fourth, test your instructions by checking for updates for your device and installing them if needed. Whether you update or not, make a note of the current version or at least the date you checked for updates.
  • Fifth, set that recurring alert or event to check your inventory every month. When you do a check, update the date or version number.
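The monthly check from the steps above, run as a short script against the inventory (it also covers the password and unused-device steps from the fish tank post's spreadsheet). This is an added example, not part of the original post; the column names, the 30-day threshold and the sample rows are assumptions made for the illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. The column names are assumptions for this
# example; export your own spreadsheet to CSV with matching headers.
# password_changed records only yes/no; the passwords themselves belong
# in a password manager.
SAMPLE_INVENTORY = """\
name,model,purchased,update_url,last_checked,version,password_changed,in_use
Living room TV,TV-55X,2021-11-26,https://tv-vendor.example/support,2024-05-28,4.2.1,yes,yes
Baby monitor,BM-200,2019-03-02,https://monitor-vendor.example/fw,2023-01-15,1.0.3,no,no
Smart plug,SP-1,2023-07-09,,,,yes,yes
Wi-Fi router,RT-AX1,2022-02-14,https://router-vendor.example/downloads,2024-06-01,3.0.0.4,yes,yes
"""


def _is_yes(value):
    """Treat common spreadsheet spellings of 'yes' as true."""
    return value.strip().lower() in {"yes", "y", "true", "1"}


def audit_device(row, today, max_age_days=30):
    """Return a list of problems for one inventory row (empty list = OK)."""
    findings = []

    # Update check: never done, unreadable date, or older than the threshold.
    last = (row.get("last_checked") or "").strip()
    if not last:
        findings.append("never checked for updates")
    else:
        try:
            age = (today - date.fromisoformat(last)).days
        except ValueError:
            findings.append(f"unreadable last_checked date: {last!r}")
        else:
            if age > max_age_days:
                findings.append(
                    f"update check overdue by {age - max_age_days} days")

    # Without a recorded update source the monthly check cannot be done.
    if not (row.get("update_url") or "").strip():
        findings.append("no update source recorded")

    if not _is_yes(row.get("password_changed") or ""):
        findings.append("default password not changed")

    if not _is_yes(row.get("in_use") or ""):
        findings.append("not in use: disconnect from the network")

    return findings


def audit_inventory(csv_text, today, max_age_days=30):
    """Map device name -> findings, listing only devices that need attention."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row, today, max_age_days)
        if findings:
            report[row["name"]] = findings
    return report


if __name__ == "__main__":
    # Fixed date so the sample output is reproducible; use date.today() for real.
    for name, findings in audit_inventory(SAMPLE_INVENTORY, date(2024, 6, 15)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```
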

If you want to go for extra credit, you can see if the product vendor offers a mailing list you can subscribe to that will notify you of updates. You might want to create a new email account or a special folder for these emails to go into so they don’t get lost in your email.

I know this sounds like a lot of work. But once you get into the habit and have things set up for automatic updates it will not be as bad as it seems. And the additional protection for you and your family is definitely worth it. Just like the smoke alarms and fire extinguisher.

There are a few things you can consider that will reduce the burden somewhat. The easiest and most effective is to really think about the kind of computer you need. The mobile operating systems like iOS and Android are much easier to update and keep current and are built with security in mind so tend to be less vulnerable. So if a tablet would meet your computing needs, consider not using a PC at all. If you do still need a laptop but use it mostly for internet and email, consider a Chromebook. ChromeOS, used in Chromebooks, is another very secure operating system which is automatically updated for you. If you are a heavy user of Gmail and Google Docs, this may be the right solution for you. Especially for kids or casual users of the internet, one of these devices may be a better choice than a traditional laptop or desktop computer.

There are many other ways to improve your home security. Using strong passwords, setting up Wi-Fi in a secure way, and having a reliable backup strategy for your information are all important parts of securing your personal information and protecting your home network. We’ll cover many of these topics in future posts, but making sure you are updating your devices in a timely manner will make a huge impact on your home network safety.

For more helpful tips from our good friends at US-CERT, check out the US-CERT Home Network Security Tips.

The Talk


Not THAT talk. That’s beyond my expertise and if anyone has good advice on THAT talk please let me know. This talk is the talk with your kids about online safety. As parents, we want to arm our kids with the knowledge and an appropriate caution to avoid the truly dangerous hazards of the internet, but we don’t want to scare them so much they have nightmares or never want to engage online at all. We all grew up with the basic rules for staying safe in the real world. Stranger danger, the buddy system, and never get in a car with someone, and we were pretty much all set. But these rules need a few tweaks and additions for online safety. Here are some tips for how and when to talk to your kids and some simple rules you can teach them.

When to talk with your kids

It’s never too early. The right time to talk to kids about online safety is before they have to deal with it. A good first step is to find some YouTube channels or Twitter feeds (Facebook would also work but I don’t recommend Facebook at all) that your kids will be interested in. Spend some time watching the videos or reading posts with your kids and talk about the comments or other interactive features of the site. If your kids like a video, help them post a comment. Take some time to review what kinds of things it is OK to post. Supportive comments are great, but no personal information.

This is also a good time to review the golden rule and talk about etiquette. We want our kids to understand that online content is someone’s creative effort (we’ll teach them about mega-corporate advertising later) and that it is OK if they don’t like it but if you can’t say something nice, don’t say anything at all. Cyberbullies learn early, just like other bullies.

How to talk to your kids

First of all, this isn’t going to be a one-time talk. You’re going to have a lot of small conversations rather than one long one. If your kids are anything like mine, then they are going to lose interest after about 5 minutes so we are going to have to prioritize what we want them to know and deliver it quickly. Remember, the most important part of talking to your kids about online safety is that they are willing to talk to you. You can’t prepare them for every situation so what you want is for them to feel comfortable coming to ask for your advice or help when a situation comes up.


When I was in high school, I had a “deal” with my parents that if I ever found myself in an unsafe situation, for example if I was out with friends and someone was too drunk to drive, I could call my parents and they would come pick me up no questions asked. I recommend something similar with your kids here. Make sure they understand that even if they are doing something online you have forbidden, they can still come to you and get a free pass. If this ever happens you should praise them for being honest and open,  help them address the issue, and then you can block the site or content if necessary. We are working on a post explaining how to block online content effectively so if you are interested, please subscribe to be notified of new posts.

So, keep it short but also make it clear that this is an important discussion. You may want to explicitly lay out what’s in it for your child. You might say something like, “I want you to be able to chat with your friends or play online games, so we are going to talk about some rules for online safety. Just like we have rules for going to the park or the store, there are some rules I need you to follow online.”

I recommend against trying to scare kids straight in these talks. There may be times when it is appropriate or even necessary to share some of the awful stories about kids going missing or people’s homes being robbed while they are on vacation. But generally I find it is sufficient to say “These rules help to keep you and your friends and family safe. There are some bad people on the internet and if they have too much information about you they could do bad things.” If your child is old enough and wants more details you can talk about things like identity theft or online fraud. These are less scary but still help kids understand some of the potential consequences.

What to say (Dan’s basic rules for online safety)

For my kids, I like to keep rules simple and absolute. Yes, there will be exceptions and as they get older I’ll expect them to use more of their own judgement to decide when it is OK not to follow these rules. In the beginning, I want these rules to be walls protecting my kids. As they get older, these should be guidelines that remind them to consider carefully before sharing information or trusting people and content online.

As I mentioned earlier, this isn’t going to be a one-time talk. So pick a few items from the list you want to cover each time you talk. The priority for some of these will depend on your child and the kind of activities they are engaged in online. I try to touch on the first three rules every time. A key fact to remember is that no online attacker can reach through the internet and grab your kid. So making sure that kids don’t give out any information that could help a bad actor is the most important part of online safety.

  • Rule 1: Friends you meet online don’t need to know anything about your real life. Don’t tell them your name, where you live, where you go to school, or how old you are. 
  • Rule 2: If someone online is asking you for any of this information, in addition to not answering, you should tell a parent right away. 
  • Rule 3: Never agree to meet someone IRL (in real life).
  • Rule 4: People online may not be who they say. If you get a message from someone who is claiming to be a friend or even a family member or teacher, you can respond, but all the rules about not giving out any information about your real life still apply. If the person really is who they claim, they will have other ways of getting your information.
  • Rule 5: There are other topics you should avoid with online acquaintances. These can give a bad guy information they can use to learn more about you. Don’t talk about the weather or big public events in your area like concerts or rallies. If talking about sports, try not to refer to a “home team”. For the most part, it is best to avoid small talk and focus on the game or the topic of the online discussion.
  • Rule 6: Never open files or download anything an online friend sends you without checking with a parent. Oftentimes gamers may send you a link to download a game plugin or even a free game. These links may contain viruses or other dangerous programs, or they may be illegal copies of a game (pirated software). Downloading pirated software, even if you did not know it was illegally obtained, is a serious crime. So always check with a grownup before trusting a link or file from someone you only know online. You can check the safety of links or files using some easy online tools like this Google service. Another good online tool for checking websites is VirusTotal. This site will also scan files for you to see if they contain known viruses.
  • Rule 7: Never tell someone online your password. Not even if they claim to be from the company that made a game or website you are trying to use. No legitimate technical support should be asking for your password. Never share your password with online friends either. They may ask for your password to give you some loot in a game or to help you level up. You should not trust these kinds of offers. Just not worth the risk. Plus it is kind of cheating.
  • Rule 8: Never threaten anyone else online. Cyberbullying is a serious issue and in some places can be a serious crime. We are not as anonymous as we think we are online. So don’t say or do anything you would not do in real life.
  • Rule 9: If someone online ever threatens you or makes you feel uncomfortable, tell a parent or another grownup as soon as you can. If you can save the messages or capture them with a screen shot, that will help your adults put a stop to this behavior.
  • Rule 10: Talk to your parents. Show them the games and sites you are interested in. They may have some interesting information to share with you (probably not, they are parents after all, but who knows?). But knowing the kinds of online communities you are a part of will let your parents help you stay safe online.

What if my kids won’t listen?

Yeah, my kids don’t listen either. Keep trying. Maybe ice cream will help? 

Screen time is also quality time


One of the most common questions I’m asked by parents is,

“My kids are always on their phones/tablets/xbox/playstation/ etc.”

To which I usually reply,

“Well that’s not really a question. It’s more of a statement, but I get what you mean.”

My kids each have an iPad and a Kindle Fire, we have 3 Apple TVs, a Chromecast, and an Xbox. When I want to tell my kids it’s time for dinner I usually FaceTime them and my youngest has been able to text since he was 2. So… I obviously have a different opinion than many about how much screen time is too much.

The general argument for screen time

There is a lot of good science out there about how screen time affects our little ones’ developing brains. There are also a lot of studies that highlight the positive effects screen time can bring. In my opinion, the benefits of our modern hyper-connected electronic epoch far outweigh any cultural side effects. But even if I didn’t believe that, it seems unlikely that we are going to be able to put the “always online genie” back in the bottle. Digital literacy is going to be a critical life skill for our children. Believe it or not, playing video games and watching YouTube is preparing your children for the jobs of the future. There are certain constants in the computer-human interface and the more time someone spends with a computer, the more intuitive these constants become. That’s why many IT professionals can sit down with an application they have never used and “figure it out” much faster than someone who has logged fewer hours in front of the keyboard (as we like to say in the industry). It’s not because of the IT professional’s knowledge of how to write programs or set up websites. It is because most programs share certain common design elements and as you get used to these, it becomes much faster and less frustrating to figure out new variations.

Whether you think an hour of screen time a day is too much or you’ve completely abandoned your children’s care and education to YouTube, what I’m going to talk about today is ways you can make sure screen time is also quality time.

Educational content

There are a lot of ways you can make screen time more productive. The most obvious ones involve educational apps and websites. There is a lot of great education content out there. And the creators generally do a good job of making content interesting to kids so they won’t even realize they are learning!

It’s best to review any website or app yourself before turning your kid loose on it. You want to watch out for apps that have lots of ads. Sometimes the ads are not appropriate and they can distract your kids from the educational goodness. Many of these apps or websites will cost money, often as a subscription. Of course everyone’s situation is different, but for the most part paid subscriptions are how these content developers are able to deliver such high quality services. So paying a couple of bucks can often get you more content and support than the free tier of service.

Some of my favorite apps and websites include:

For toddlers

ABCya is a great site with content for kids from pre-k through 6th grade. They also have good apps for iOS and Android. The site has educational games in different subjects. For the youngest ones they have games that teach shapes, colors, counting, etc. As the kids get older they can play more challenging games that help with math, reading, etc.

GoNoodle is a great resource for those rainy days when your kids have too much energy. The site has lots of fun interactive videos to get your little ones moving and active. There are a few calming videos, but generally this is not something you want to get into near bedtime.

The GoNoodle and ABCya websites both have very good apps. A few others that have been big hits with my kids are First Words Animals by Learning Touch LLC and Toddler Counting by iTot Apps, LLC. First Words is an iOS application that helps kids learn those first important sight words and also teaches letter shapes and sounds. Learning Touch has several other apps that teach other languages as well. Toddler Counting is an incredibly simple app that displays a random number of pictures. The kid has to touch each object once, at which point the app says the next number in sequence. This teaches kids one-to-one counting and also helps them learn numbers. The app demonstrates one of the advantages of electronic education. Skills like counting need repetition for young ones to develop proficiency. The iPad is endlessly patient with the kid, which is exactly what is needed to teach the foundational skills.

For older kids

Puzzle and strategy games can help kids build important problem solving skills. One of the best games of this genre is The Room Three. There is actually a The Room and The Room Two, but you’re not missing anything by jumping straight into the third edition. This puzzle game has a spooky feel but remains safely PG. In the game, you find yourself in a series of rooms each with some kind of machine you need to activate. You have to find objects in the room and figure out how they fit together to solve the puzzle. The game gives you hints over time so you likely won’t get stuck for days on a puzzle. This game is a great chance for kids and parents to play together. There is a great feeling when you finally solve one of the puzzles and sharing that with a parent will be a great bonding opportunity.

Trivia games are also a great choice. There are hundreds of these on different topics so look for something that matches your kids’ interests. Kids can challenge themselves and each other, but this can also be a fun twist on family game night. Let your kids be the trivia master and ask questions of the grown-ups.

Many popular board games are also available as apps. Monopoly, Life, Risk, etc. as well as things like chess and backgammon. Many of these can be played single player against the computer for practice but can also be multi-player. The nice thing about playing the electronic versions of these games is that there is no setup time and no mess to clean up.

Screen time is the new family drive

Screen time, even when it has no redeeming educational aspect, can still be a valuable parenting tool. Back in the long long ago, when there was no cable TV much less Netflix, families would pile into the steel and fiberglass tank that they lovingly referred to as “the family car” and go for a long drive. Without any specific destination in mind, this was simply a way to spend time together as a family. Families would talk and play games because, let’s face it, they were stuck in the car with nothing else to do. Screen time can be a way to recapture this family time but with more binge watching.

Sure, sometimes screen time is how we keep the kids occupied while we indulge ourselves as parents and do things like cook a meal or do laundry. But screen time can also be an important opportunity to spend time with your kids. Many of the family-friendly movies and TV shows today are entertaining for both children and adults and teach valuable moral lessons. Watching Frozen or Smallfoot with your kids can be a fun bonding experience. After, or even during the movie, take time to talk to your kids about what the characters did, how they might have felt and what lessons they can take away from the show. 

For older kids, movies like The Avengers series or Spider-Man are packed with teachable moments that can serve as an opportunity to discuss very serious issues in a lighter and relatable way. Also, revisiting some of those fun 80s movies can be a great way to bond with our kids and also teach them valuable lessons like what to do if you turn into a werewolf or how much electrical energy is in a bolt of lightning.  

And then there is YouTube

This post would not be complete without some discussion of YouTube. There are literally millions of hours of high quality educational content on YouTube. The trick is finding this content amongst the billions of hours of absolute crap. Here are a few tips to help you:

  • YouTube Red is a subscription service. It allows you to watch some of YouTube’s premium content and also allows you to download YouTube videos to watch offline. Most importantly though, it removes ads from YouTube videos. This is 100% worth the cost.
  • There are 2 official YouTube apps. YouTube Kids provides a simplified interface and a curated library of videos appropriate for kids.
  • Even the regular YouTube app provides some options to filter content.

Lastly, and this is going to be the hardest part, sharing screen time with your kids is going to require some amount of compromise. Yes, you can and should force your children to watch Star Wars with you when they are of the appropriate age. And yes, you should watch them in the original release order (4,5,6,1,2,3). And yes, you have to watch episode 1. We all had to suffer through it, so do our children. But you will always need to let your kids take the lead sometimes and pick the movie. You may even need to spend at least some time watching those Fortnite videos with your kids. Again, this is an opportunity to find teachable moments. Talk with your kids about how you feel about the language and actions of the YouTubers. Make sure they know what you consider OK and what is inappropriate.

In conclusion

The most important factor in making sure screen time is quality time is to be engaged with your kids. This is the chance to learn what they like and think about, and to share with them some of the things you love. Screen time should not be a substitute for family time, it should BE family time.

Back to School

The start of a new school year. A time of promise and excitement and shock at the cost of new shoes. Going back to school or going to school for the first time can be exciting and sometimes a little scary for kids and parents. In addition to the joys of peer pressure and unreasonable expectations from teachers that we all went through, our kids today also contend with a sudden avalanche of new online content, and the threats and challenges that come with it.

The start of a new school year will often find kids sharing the websites or online communities they have become used to over the summer, so kids are exposed to a lot of new online options in a short period of time. And for kids heading off to school for the first time, it’s never too early to talk about online safety. Even our youngest kids are surprisingly connected, and that can be a great thing. But it also means we need to be educating kids as early as possible about how to stay safe.

The best thing you can do is talk to your kids about what they are doing online. Encourage them to show you the funny (or usually not so funny) YouTube videos that are going around and ask them to introduce you to their online communities. You don’t need to join all their Facebook groups. They can and should have some sense of privacy, but you want to know as much about their online friends as you do about their real life friends. This goes beyond just having kids tell you when they think something is wrong. You want them to share with you the things they don’t see as a problem so you can help them develop the judgement needed online.

US-CERT put together a nice list of resources to help parents talk with kids, and I particularly like the Safe and Secure program.

You should also check out what computer classes are available at your school. Contact your local PTA or your school administrators and ask if/how computers are being integrated into classrooms, and if there is specific instruction about information technology and basic computer skills. Most middle and high schools offer classes in basic computer skills and many offer classes in things like coding or graphic design. These can be great opportunities for kids to develop some basic skills that will help them no matter what career they choose.

There is a great program called the Hour of Code. The program aims to provide every student from kindergarten through high school with a minimum of one hour of instruction in computer science. The program tries to show kids that anyone can learn to code (that’s what we geeks call making computer programs) and to spark an interest in computer science. I’ve volunteered at my kids’ elementary school the last few years and it’s amazing to watch what these little kids can learn to do in just an hour. And to see the joy on their little faces as they make a cat dance around the computer screen. You don’t need to know anything about computers yourself to help with the Hour of Code. It’s always helpful to have extra adults in the room for crowd control and you will probably learn a few things yourself. If your school doesn’t have an Hour of Code program, you can work with your PTA and your school administrators to create one.

Like everything, the key is to talk with your kids and engage with them about technology. Tech is one of the great topics where you can probably learn as much from your kids as they will learn from you. 


Quick note: This is a longer post and will help you understand some of the more technical aspects of cybersecurity. You may want to go grab a beverage before getting started… 

Passwords are the one security tool that almost everyone is familiar with. But surprisingly, I find passwords are also one of the most misunderstood tools for protecting yourself online. Today I’m going to talk about the real purposes of passwords and how you can improve their effectiveness with a few easy steps.

First, it’s important to understand what we call the CIA triad. Which, now that I write it down, is kind of a scary sounding name. CIA is an acronym (yes, I know it is also an acronym for that other thing), but in this case it stands for Confidentiality, Integrity, and Availability. These are the three goals we are trying to achieve whenever we talk about cybersecurity.

  • Confidentiality refers to protecting information from disclosure to unauthorized parties. So you and your bank should both know your account balance, but no one else.
  • Integrity is about making sure information is not changed improperly. So if you withdraw $200 from your bank to buy 18 boxes of delicious Tagalong cookies from the Girl Scouts, then it is important that your account be debited exactly $200, but you wouldn’t want anyone besides your bank to be able to make those kinds of changes.
  • Availability is probably the most often overlooked piece of the cybersecurity puzzle, but it is equally important. If your bank account balance is kept confidential and no unauthorized changes are made to it, it’s still not very helpful if you cannot check it to see if you can afford those little globs of peanut butter goodness.

The CIA triad is commonly represented as a triangle to show that the three goals require a balance. In every case we have to accept compromises in one or more of the three goals. If you turn your computer off and unplug it and lock it inside a safe guarded by poisonous cobras, I can pretty much guarantee that no one is going to be able to access your computer without permission, so we have very high confidentiality and integrity, but the availability of the computer will be severely reduced.

Now that we have that basic understanding, let’s talk about what the purpose of a password is. Passwords are obviously intended to preserve the confidentiality of your information. By protecting your bank account (or your email account or whatever) with a password, you are trying to ensure that no unauthorized people can access that information. Passwords also preserve integrity. When you log in to your bank account, you are providing proof to the bank that you are who you say you are. Like showing your driver’s license when you go to the bank in person. Your password is kind of like a digital fingerprint that should be able to uniquely identify you.

If your password is going to be the way your identity is verified online, obviously you should never share it with anyone. I make an exception here for your kids. It is OK for your kids to share their passwords with you, but you should not share the other way around. If you are sharing your password, you need to make sure that whomever you share it with is going to protect it as effectively as you are. Unless you are confident your kids can do that, you are better off setting up separate accounts for them with their own passwords. Keeping our password a secret is a good first step, but we are talking about computers here and computers are exceptionally good at guessing things. In this case, when I say “guessing” what I mean is trying every conceivable combination of letters and numbers until they find the right one and doing it very fast. So we want a password that is complex, meaning it would take a computer, or a person, a long time to guess the password. Let’s pause for a minute to talk about how that works…

Think of a number between 0 and 9. Got it? Good. Now, it doesn’t matter what the number was. I can definitely guess it in no more than 10 tries, right? Good. Next step, pick again, but this time you can pick a number 0-9 or a letter of the alphabet. So now it will take me a maximum of 36 guesses. I might still stumble onto the right answer on the first try, but the maximum is 36 guesses. If we treat capital and lowercase letters separately then we have 62 possible answers (26 lowercase letters + 26 uppercase letters + 10 numbers). If I had you pick 2 characters then the number of possible solutions is 3,844 (62*62). So that will already take a person a pretty long time to guess. But a computer can guess thousands or even millions of options per second, so this isn’t going to be a problem for me to crack using a computer. But if I have you pick 16 characters then that is 62^16 = 47,672,401,706,823,533,450,263,330,816. That’s gonna take me a bit even using a pretty powerful computer. If I add in a few common punctuation characters, I can make this number even higher. There are a lot of other things we can do to make it take even longer to guess a password, but the important point is that even with all this math, ALL passwords can be guessed or “cracked” as we call it.

Well that sucks! I can hear you saying it. I guess we may as well just give up and go back to bartering with chickens, right? Well, hold on all is not lost. There is one very easy thing you can do to almost eliminate this risk. Change your password.

Huh? Let’s say it is going to take someone with a really fast computer 100 days on average to guess your password. If you change your password on the 90th day then the bad guy has to start all over. There is still a chance that the bad guy could guess your password on the first try, but given the numbers involved it is staggeringly unlikely. In fact, this is how we in the cybersecurity world pick those annoying time limits for you to change your password.

Feeling pretty good now, right? Well hold on. We have been assuming a truly random set of characters here. If I only have to check for dictionary words, let’s say, and not all possible combinations, then I can drastically reduce the number of attempts I need. If I have some information about you like your kids’ names, or your birthdate that I think you may have used, I can bring that number down even further. For example, let’s say you have three kids. Alex, Scott, and Jane. If I think you have used some combination of these names as the password, then I only have to check the unique characters in each name. So that is just 10 letters (a,l,e,x,s,c,o,t,j,n) to try. Even in a 16 character password that is only 10,000,000,000,000,000 options which is a lot, but is only 0.00000000002% as many as when we used all the letters and numbers.
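The guessing arithmetic from the last few paragraphs, worked through in Python as an added example (it is not part of the original post). The guess rate of one billion per second and all function names are assumptions made for illustration.

```python
import string

# Assumption for illustration: the attacker tests one billion guesses per
# second. The post only says "thousands or even millions"; change as needed.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_days(space, rate=GUESSES_PER_SECOND):
    """Days needed to try every candidate; the average is half of this."""
    return space / rate / SECONDS_PER_DAY


def chance_within_window(space, window_days, rate=GUESSES_PER_SECOND):
    """Chance a uniformly random password is found before it is changed."""
    tried = rate * SECONDS_PER_DAY * window_days
    return min(1.0, tried / space)


def alphabet_from_names(names):
    """Unique letters an attacker must try if only these names were used."""
    return {ch for name in names for ch in name.lower() if ch.isalpha()}


def compare(length=16, window_days=90):
    """Rows of (label, alphabet size, keyspace, worst-case days, chance)."""
    full = len(string.ascii_letters + string.digits)  # 62 characters
    names = len(alphabet_from_names(["Alex", "Scott", "Jane"]))  # 10 letters
    rows = []
    for label, size in [
        ("lowercase + digits", 36),
        ("upper + lower + digits", full),
        ("letters from kids' names", names),
    ]:
        space = keyspace(size, length)
        rows.append((label, size, space,
                     worst_case_days(space),
                     chance_within_window(space, window_days)))
    return rows


if __name__ == "__main__":
    print("2 characters from 62:", keyspace(62, 2))
    for label, size, space, days, chance in compare():
        print(f"{label:26} alphabet={size:2}  keyspace={space:.3e}  "
              f"worst case={days:.3e} days  found within 90 days={chance:.2e}")
    share = keyspace(10, 16) / keyspace(62, 16) * 100
    print(f"names-only keyspace is {share:.1e}% of the full keyspace")
```

Under the assumed guess rate, the 16-character password built only from the kids' names is found inside a 90-day change window about 78% of the time, while the one drawn from all 62 characters is effectively never found.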

Sorry but your password must contain an uppercase letter, a number, a haiku, a gang sign, a hieroglyph, and the blood of a virgin.

One more factor to consider. Suppose you use the same password for two different websites. For example your bank and your Starbucks account. We can assume your bank is being pretty darn careful about protecting your password. Starbucks maybe not as much. And if someone gets your Starbucks password, they now also have your bank password. Same thing if you write your passwords down. If all my passwords are on a sticky note next to the computer or in a note on my phone, the bad guy just needs to get one quick look at that and I’ve lost everything.

We now understand we want random passwords with uppercase and lowercase letters as well as numbers and maybe some punctuation. We also want a unique password for every account and we don’t want to share our password with anyone ever or write them down. This is great and I now have very low risk in the confidentiality and integrity of my data. Except now I can’t remember any of my passwords and I can’t access any of my accounts so my risk for availability is very high. The answer to this is password managers.

A password manager is different than a document or note on your computer. It is usually a separate program or service that does just one thing: store your passwords for you. Most also will generate random passwords for you and many provide some extra features like alerting you to weak passwords or sites that have been hacked. Password managers can be integrated into your web browser so they will automatically fill in your password for you, so you really don’t need to remember it at all or even know what it is. Most modern web browsers have a built in password manager which is pretty good, but they do need to be set up correctly. Most importantly make sure your passwords are being securely backed up so if something happens to your computer they are not all lost. For a better solution, you may want to look at a dedicated password management service like LastPass, 1Password, or Dashlane. Most browsers and all password managers will generate secure random passwords for you and this is absolutely the best way to make your passwords more secure.

Dr. Malware, or how I learned to stop worrying and love the Internet

Viruses, Worms, Trojans, Ransomware… they go by many names but they all mean the same thing. For now we’ll just call them all malware, short for malicious software. Malware is any computer program that does something we don’t like. It is kind of like the definition of a weed. If you didn’t plant it and you don’t want it there, it’s a weed. Your weed may be someone else’s flower, although that isn’t often the case with malware.

Whatever it’s called, most people have the same reaction when they hear someone was “infected”. You did something you shouldn’t have and now your computer is broken. Except neither of those things is true. With very few exceptions, malware is going to affect how the software on your computer functions, not the computer itself. This is good news because software is much easier to fix than hardware. More importantly, getting infected with malware doesn’t mean you did anything wrong. One of the most common ways malware is spread is when a bad actor creates an ad with malware in it and then submits that ad to an advertising service. This very legitimate advertising service then shows the ad on Facebook and Google and a hundred other sites where it is viewed by well-behaved internet users who can now be infected. So getting infected doesn’t mean you did anything wrong, but this also means you can’t protect yourself by just staying on “safe” websites.

You can do a lot to protect yourself though. It’s pretty easy, and free, to do. Here is a list of helpful tools and practices that can protect you and your computer.

Antivirus Software

This is important if you are using a Windows PC. If you have a Mac you can skip this section. Antivirus software looks at the programs installed on your computer and compares them to the “signature” of known malware. It will usually scan files you download from the internet and can be set up to scan your computer on a regular schedule. “But wait!” I hear you saying. “If it scans the files when I download them, why would I need to scan them AGAIN every week?” Good question, the answer is that the antivirus software can only find malware it already knows about. So you might get infected with something which the antivirus vendors have not seen yet (this is what we call a Zero Day attack. Sounds cool right?) but once the malware is identified, the vendors will update their “Definitions” meaning the list of viruses they know to look for, and when they re-scan your computer they will find and, hopefully, eliminate the malware.

Malware is just like any other program. The Windows version won’t run on a Mac and vice-versa. Most malware today is written for Windows. The good news is that Microsoft provides a very good antivirus program for free. The program is called Windows Defender and it comes free with all modern versions of Windows. Microsoft has some very simple instructions on how to enable and use Windows Defender.

Don’t use an admin account

This one is also MOSTLY for Windows people, but Mac owners should read this one as well. Both Windows and Mac have two basic kinds of accounts. Administrator accounts are more powerful and allow you to do things like install new software and make changes to security settings on your computer. User accounts usually cannot do these things. Since most malware needs to be installed or change settings to have any effect, using a regular user account when doing things like browsing the web or playing games can drastically reduce your risk of being infected. The best idea is to have one or more user accounts on your computer and to use these all of the time. You should have one or two administrator accounts and only use these when you need to make changes or install new software.

Macs have the same two kinds of accounts, but in Mac OS X it is a bit safer to use an admin account all the time. This is because whenever you try to do something that actually requires your admin permissions, you will need to type in your password. This next sentence is important for both Mac and Windows users:

 When you get a pop-up message, you MUST actually read the words in the message!!!

The message should very clearly explain what is about to happen and what program initiated the request. If it doesn’t, or you don’t understand it, say No or click Cancel. Malicious programs can sometimes control the text in these pop-ups so sometimes you’ll see a pop-up like this:

Related image

In this case, the text may be misleading or just an outright lie. Notice the grammar in this example. If you get a pop-up like this and you have any doubt about the validity, click Cancel or No or Don’t allow.

Browser configuration

This issue is probably going to be covered in a future post, but for now, there is a very good summary over at US-CERT about why and how to configure the major browsers for online safety.

Adblock plugins

As we mentioned earlier, one of the most common ways bad actors attack our computers these days is through ads. Additionally, ads are one of the main ways our online activity is tracked, for good or evil. One of my favorite Adblocking plugins is AdBlock.

Securing Your Web Browser

Another great article from US-CERT, this time on how to configure your web browser to protect yourself online. The article is a little technical so feel free to contact us for help.

This article will help you configure your web browser for safer Internet surfing. It is written for home computer users, students, small business workers, and any other person who works with limited information technology (IT) support and broadband.

Link: Securing Your Web Browser

Categories: Links

Multiplayer online games

When I was growing up, kids would come together at parks and swimming pools to play under the usually not so watchful eye of a handful of parents. As we got a little older, these social centers were replaced by “the mall”. Once we could drive, kids in my home town spent most Friday and Saturday nights “cruising”. That is, we would drive up and down the same 5-mile stretch of road and do stupid things in cars and yell out the windows to our friends in other cars doing the same stupid things.

Frankly, it’s a miracle any of us survived.

Today kids have an opportunity to interact with their friends and peers, but also with other people from around the world. Learning to play as part of a team in an online FPS (First Person Shooter) or collaborating with a small society to build an online world in Minecraft provide wonderful opportunities for kids to make friends, build relationships, and learn valuable life lessons all from the relative safety of their home. Now, I know what you’re thinking. What about those evil cyber predators? I don’t want my kids getting kidnapped by some weirdo online. Well, let me put your mind at ease. Despite all of the recent advancements in the development of online interactive gaming, we still do not have the technology to transport children into the computer and eject them into a cage in some cybercriminal’s basement. In other words, your kids are not going to be kidnapped or victimized online. Interacting with strangers online is unquestionably the SAFEST way to interact with strangers. It is certainly much safer than those trips I made to the mall.

However, just like letting your kids go to the park or the mall on their own, we need to be sure we teach them the rules to stay safe and that we know at least as much about the environment they will be playing in as they do.

Basic rules for online safety

  1. Never EVER tell anyone online ANYTHING about yourself. And I mean nothing. Not your real name, not your address, or even the city or country you live in. Don’t tell them what school you go to, how old you are, what your favorite color is, if you have any siblings, nothing. None of that should matter and if someone asks you for this information, you should stop playing with them immediately.
  2. Make sure your gamer tag (the name that shows up online for you) doesn’t give away any of this information. JosephNY725 is a bad gamer tag, assuming your name is Joseph and you live in NY. If you’re Cindy from Oregon then it’s fine.
  3. Know what games your kids are going to play. Many games have options to restrict what kids can do online. Enable as many restrictions as you can. The point here is for your kids to play games online, so things like inviting people to become friends or posting comments are activities you can do together if at all.
  4. Kids should have their own separate accounts. Create an account for yourself and a separate account for each child. Make sure you know the password for your kids’ accounts. This isn’t spying, it’s parenting.
  5. Play with your kids, or at least watch them play.
  6. Teach your kids to be responsible for the people they are playing with. If someone is using bad language or being abusive, they should know to quit. If someone is asking for their real name or information, tell a grownup.
  7. Review these rules at least once a week for the first 10 years. Make your kid tell you the rules. If they can’t, then they can’t play till they can.

Playing online can be a great experience for kids. And the lessons we teach them about how to stay safe online will also help them stay safe in real life.

The Safe & Secure Online program by the Center for Cyber Safety And Education has good resources for both parents and kids. There is a short and helpful video on online gaming.

I’ve created a page that lists popular games and links to resources about how to help your children play them safely.

How Spammers Spoof Your Email Address (and How to Protect Yourself)

Most of us know spam when we see it, but seeing a strange email from a friend—or worse, from ourselves—in our inbox is pretty disconcerting. If you’ve seen an email that looks like it’s from a friend, it doesn’t mean they’ve been hacked. Spammers spoof those addresses all the time, and it’s not hard to do. Here’s how they do it, and how you can protect yourself.

Source: How Spammers Spoof Your Email Address (and How to Protect Yourself)

Categories: Links