Child Safety on the Internet – Some Tips

Excellent article on Microsoft.com:

Age-based guidelines for kids’ Internet use

If your children use the Internet at home, you already know how important it is to help protect them from inappropriate content and contact.

Windows Live Family Safety and the parental controls included in Windows 7 and Windows Vista can help you create a safer online environment for your children.

The American Academy of Pediatricians (AAP) helped Microsoft develop age-based guidance for Internet use with the family safety settings in both of these products. It’s important to remember that these are guidelines only. You know your child best.

Up to age 10

Supervise your children until they are age 10. You can use Internet safety tools to limit access to content, Web sites, and activities, and be actively involved in your child’s Internet use, but Microsoft recommends that you sit with your child when they use the Internet, until the age of 10.

Here are some safety tips to consider when you go online with your 2-10 year old:

  1. It’s never too early to foster open and positive communication with children. It’s a good idea to talk with them about computers and to stay open to their questions and curiosity.
  2. Always sit with your kids at this age when they’re online.
  3. Set clear rules for Internet use.
  4. Insist that your children not share personal information such as their real name, address, phone number, or passwords with people they meet online.
  5. If a site encourages kids to submit their names to personalize the Web content, help your kids create online nicknames that don’t give away personal information.
  6. Use family safety tools to create appropriate profiles for each family member and to help filter the Internet.
    For more information, see Windows Live Family Safety, Windows 7 Parental Controls, or Windows Vista Parental Controls.
    Help protect your children from offensive pop-up windows by using the pop-up blocker that’s built in to Internet Explorer.
  7. All family members should act as role models for young children who are just starting to use the Internet.

Ages 11 to 14

Children this age are savvier about their Internet experience, but it’s still a good idea to supervise and monitor their Internet use to help ensure they are not exposed to inappropriate materials. You can use Internet safety tools to limit access to content and Web sites and provide a report of Internet activities. Make sure children this age understand what personal information they should not give over the Internet.

When your kids are this age it might not be practical to physically supervise their Internet use at all times. You can use tools such as Windows Live Family Safety, Windows 7 Parental Controls, or Windows Vista Parental Controls.

Here are some safety tips to consider when you go online with your 11-14 year old:

  1. It’s a good idea to foster open and positive communication with your children. Talk with them about computers and stay open to their questions and curiosity.
  2. Set clear rules for Internet use.
  3. Insist that your children not share personal information such as their real name, address, phone number, or passwords with people they meet online.
  4. If a site encourages kids to submit their names to personalize the Web content, help your kids create online nicknames that give away no personal information.
  5. Use family safety tools to create appropriate profiles for each family member and to help filter the Internet.
    For more information, see Windows Live Family Safety, Windows 7 Parental Controls, or Windows Vista Parental Controls.
  6. Set family safety tools on the medium security setting, which should have some limitations on content, Web sites, and activities.
  7. Keep Internet-connected computers in an open area where you can easily supervise your kids’ activities.
  8. Help protect your children from offensive pop-up windows by using the pop-up blocker that’s built in to Internet Explorer.
  9. Encourage your children to tell you if something or someone online makes them feel uncomfortable or threatened. Stay calm and remind your kids they are not in trouble for bringing something to your attention. Praise their behavior and encourage them to come to you again if the same thing happens.

Ages 15 to 18

Teens should have almost limitless access to content, Web sites, or activities. They are savvy about the Internet but they still need parents to remind them of appropriate safety guidelines. Parents should be available to help their teens understand inappropriate messages and avoid unsafe situations. It’s a good idea for parents to remind teens what personal information should not be given over the Internet.

Here are some safety tips to consider as you guide your teens online:

  1. Continue to keep family communication as open and positive about computers as you can. Keep talking about online lives, friends, and activities, just as you would about other friends and activities.
    Encourage your teens to tell you if something or someone online makes them feel uncomfortable or threatened. If you’re a teen and something or someone online doesn’t seem quite right, then speak up.
  2. Create a list of Internet house rules as a family. Include the kinds of sites that are off limits, Internet hours, what information should not be shared online, and guidelines for communicating with others online, including social networking.
  3. Keep Internet-connected computers in an open area and not in a teen’s bedroom.
  4. Investigate Internet-filtering tools (such as Windows Vista Parental Controls, Windows 7 Parental Controls, or Windows Live Family Safety ) as a complement to parental supervision.
  5. Help protect your children from offensive pop-up windows by using the pop-up blocker that’s built in to Internet Explorer.
  6. Know which Web sites your teens visit, and whom they talk to. Encourage them to use monitored chat rooms, and insist they stay in public chat room areas.
  7. Insist that they never agree to meet an online friend.
  8. Teach your kids not to download programs, music, or files without your permission. File-sharing and taking text, images, or artwork from the Web may infringe on copyright laws and can be illegal.
  9. Talk to your teenagers about online adult content and pornography, and direct them to positive sites about health and sexuality.
  10. Help protect them from spam. Tell your teens not to give out their e-mail address online, not to respond to junk mail, and to use e-mail filters.
  11. Be aware of the Web sites that your teens frequent. Make sure your kids are not visiting sites with offensive content, or posting personal information. Be aware of the photos that teens post of themselves and their friends.
  12. Teach your kids responsible, ethical, online behavior. They should not be using the Internet to spread gossip, bully, or threaten others.
  13. Make sure your teens check with you before making financial transactions online, including ordering, buying, or selling items.
  • Discuss online gambling and its potential risks with your teens. Remind them that it is illegal for them to gamble online.
  • I would like to add that the most safety is offered through you, the parents. Make sure you communicate with your children. Educate yourself about the Internet.

    Advertisements

    How to secure your Windows machine.

    A recent statistic I read stated that over 70% (SEVENTY PERCENT) of new infections come from surfing to legitimate sites that are infected. A recent case was the New York Times (full story here):

    Here’s a front-page story the New York Times (NYT) would rather not be running: The paper is warning readers to be aware of bogus ads running on its Web site. The paper says “some readers” have seen unauthorized pop-up ads promoting antivirus software on NYTimes.com, and warns visitors who see the ad not to click on it but to restart their browsers instead. While the Times doesn’t spell this out, the newspaper has likely had its site hijacked by a “malware” scammer who is trying to trick visitors into installing pernicious software onto their hard drives

    Thus, to get infected, it is perfectly enough to just hit your legitimate web sites. You do not have to browse to any questionable content anymore to get compromised.

    In light of this, lots of people have been asking me what in my opinion is to reliably secure a Windows machine and protect it from the threats that are out there – viruses, worms, trojans, etc.

    I recommend multiple layers of defense to be setup on a Windows machine. Below items are listed in order of importance, highest listed first.

    1. Keep your Windows machine current with the latest patches.
    Ensure that Windows Update is turned on and configured to automatically download and install patches. Make sure that when you put your machine into standby mode (instead of turning it off every day), that you pay attention to whether patches need to be installed and the machine need to be rebooted. I encounter a lot of installations that never get turned off, where the patches never get installed (although they are downloaded and ready to go).

    2. Install a Anti-virus scanner.
    This can be one of the big names out there: AVG (free), Norton, Trend Micro, McAfee. Get one of their package offerings that include phishing protection, link scanning, encrypted password storage. DO NOT BELIEVE that this is the only thing you need. Although they want to make you think that this is all you ever need, it is not true. Even the best AV scanners cannot keep up with the ever-changing strains of viruses that are out there (strains change hundreds or even thousands of times a day), therefore you need to have multiple layers of scanners to get a higher rate of protection.

    Make sure that the ‘auto-protect’ features are turned on, i.e. the AV scanner runs ‘resident’ in memory. That means that live protection is turned on and viruses do not make it through.

    IMPORTANT: YOU STILL NEED TO DO WEEKLY FULL SYSTEM SCANS.

    Some people believe that they can leave auto-protect on but never scan their systems. The caveat with this is that auto-protect may miss a new strain of a virus and let it through. While the signatures get updated, auto-protect never detects it.

    Therefore, a scan then may find it, but you need to make sure to run these scans.

    Product-wise, I have been using Norton Internet Security for a long time, but I will let the license expire and try out a different AV scanner next year. Norton has disappointed me recently with the failure rate it has, i.e. viruses that do not get caught by it. Ideally, you use at least 2 different virus scanners, but this may get costly if you are looking to purchase solutions.

    I am currently trying out the new Microsoft Essentials ‘AV and Malware’ scanner that was released on 9/30/09. I believe that AV and Malware protection should be free and included in a Operating System, but the MS AV scanner still may need some tuning to be comparable to any $$- solution.

    3. Install a separate Malware scanner. This is important.

    You NEED to have a backup scanner to whatever AV solution you are using. This increases the rate of detection and your total exposure significantly.

    I recommend Malwarebytes’ Anti-Malware for this. It has worked well for me. There is a freeware and a commercial version for it. The major difference between the freeware and the paid version is that in the free version you have to run manual scans and it does not run in the background protecting you from new threats. I recommend you spend the $25 and purchase it. It is worth it. The interface is simple and structured in a no-nonsense kind of way, focusing on scanning, updating its database and showing you results of the last scans.

    If you do not want to shell out the money to buy the full version, I recommend you use the Windows Task Scheduler to run this software daily to update the database and at least weekly to do a full scan of your system. It supports command-line arguments. Shoot me an email at info (AT) gansec.com if you want to have instructions on how to do that.

    4. Install Secunia Personal Inspector to keep your applications up to date

    Install Secunia PSI to keep your third party applications (Adobe PDF Reader, Flash Player, Shockwave, Real Audio Player, any other stuff you use besides Microsoft Software) current. It scans your system and matches it up with an always current database of new versions for the applications you use. It is an extremely handy tool that you will not want to miss once you get used to it. You would not believe how many third party applications can severely compromise your system security if exploits are used against vulnerabilities that they have (example). Secunia PSI is Freeware.

    5. Install a firewall on your Windows machine.

    This usually comes with Windows (Windows Firewall) or with one of the ‘Internet Suites’ of the commercial AV vendors. This is to block annoying connection attempts, Malware that tries to communicate outbound across other ports than your standard web port (80), potential inbound hacking attempts. Make sure it is enabled. When you first enable a firewall you may have to permit standard ports (e.g. outbound Web for iexplore.exe, firefox.exe, etc), but this will settle down after the initial turn-up. Yes, it is extra work, but you need to invest it.

    6. Keep backups.

    Keep backups of your Windows installation. You can burn the data on DVDs or external storage solutions. If you would like to look into external storage (especially important if you own a small business), I recommend Netgears’ ReadyNAS storage solution: About $1K for a fully redundant 1 TeraByte of storage. It is extremely trivial to setup (takes about 10 minutes to configure it to be ready for backups from the time you turn it on). Data will not be lost on this one.

    These are 6 simple steps to get going on Windows Security. It takes some work to get there, but believe me, it beats the ‘man, my system is lost because of infections, I lost my documents, my bank account information got stolen and people write checks in my name via my Online-Banking access‘ by far.

    – Sven Olensky.

    Social Security Numbers Deduced From Public Data (available on e.g. Facebook)

    Interesting article on Wired. Researchers are able to predict correct Social Security Numbers based on minimal information, like date of birth and birth town they mined from social network sites.

    Excerpt:

    After developing an algorithm […], the researchers tested their results using information on birthday and hometown taken from a social networking site […] . Again, they were able to predict Social Security numbers with a high degree of accuracy.

    Again, this confirms my recommendation to NEVER use personal information on public social network sites like Facebook etc. Don’t put your real birth date, birth town etc. on there, it is bound to be used for things much less harmless than birthday reminders.

    Full Wired article at:

    http://www.wired.com/wiredscience/2009/07/predictingssn/

    Facebook worm steals account passwords

    Apparently there is a new (old, but resurfaced) worm out there that spreads through Facebook.

    From Computerworld,

    […] the newest Koobface tries to dupe users into clicking on a link that’s included in a message from a friend. Clicking on the link displays a fake error message claiming that Adobe System Inc.’s Flash is out of date, and prompts the user to download an update.

    The update is nothing of the sort, but is instead an executable file that installs the Koobface worm.

    […] rifles through a compromised PC, sniffs out browser cookies associated with 10 different social networking sites, uses the usernames and passwords within those cookies to log on to each service, searches for the infected user’s friends and then sends those people messages that include a link to the worm.

    It looks for cookies connected to bebo.com, Facebook, Friendster, fubar.com, hi5.com, LiveJournal, MySpace, myYearbook, Netlog and Tagged.

    I fully agree with the last statement:

    Users need to be very, very careful about what they install when they’re on these [social networking] services,” […] “And they should be careful about how they use social networks and what information they put on them. The criminals are gleaning all the information they can and using it against you.”

    Over 330 institutions affected by Heartland Security Breach, number growing

    In reference to the breach of the payment processor Heartland Payment Systems, as I mentioned a couple of weeks ago, more and more institutions are admitting that they are affected by this issue, which means that their customers’ credit card transactions may have been compromised.

    The list of instititutions that are affected so far can be viewed here. It does include major banks, so you may want to skim over it, see if your bank in your state is listed and then contact them for more information.

    Payment Processor Breach May Be Largest Ever

    Check out this Washington Post article: “Payment Processer Breach May Be Largest Ever”. Anything emphasized was done by me.

    A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said today.

    If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported.

    Robert Baldwin, Heartland’s president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.”

    […] said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country.

    […] said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

    Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

    “The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”

    The company stressed that no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were jeopardized as a result of the breach.

    The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

    […]

    The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address,” Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants “is not impossible, but much less likely.”

    This shows that even the Big Guys (and I would characterize a company with over 100 million transactions a month a Big Guy), are not safe from basic attacks like viruses and worms. In fact, if you have a small or midsized business, securing your own infrastructure is much easier then you think. You don’t have to have a million dollar security budget to make that happen. I will talk in more detail about this in one of my upcoming posts.