I've written this article to help parents understand the dangers inherent in allowing children to use the Internet. Please feel free to contact me with any additional questions or comments. The ICP Webmaster

Quick summary

For those of you who just want a quick summary of what to do or not do, this section is for you. You really should read the rest of the article to understand why I make these recommendations.

• Never believe that email is coming from who it claims to be coming from. It's very easy to falsify that information.
• Never click on any hyperlinks (like www.anywhere.com) in any emails sent to you. Click on the link above and it'll take you back to our home page.
• Discuss obscenity, untruths and unkindness with your children. Talk about why you don't feel obscene content is appropriate for them. You must decide what obscenity means for your family.
• Discuss confidentiality and how not all information is meant to be told. Discuss how insecure communications is and how outsiders would love to listen in on conversations with their real friends.
• Understand that social engineering is essentially interrogation. Trained professionals will use these techniques on you and your children. And your helpful and trusting children are only too willing to help people. Teach your children not to give out "too much information."
• A discussion about trust and who is trustworthy is probably a good idea as well.
• Email addresses should be treated as confidential. Don't let your children enter their email addresses for contests or sweepstakes.

Phishing

I get phishing mail all the time. Phishing is a method to bait you into sending sensitive information to a con man. Your sensitive information includes your name, address, social security number, mother’s maiden name, any personal information, any usernames or passwords.

Current phishing scams are very sophisticated but start with a single email. They usually look exactly like a legitimate email from somebody you do business with. Ebay, PayPal, Citibank or even your current bank are very common phishing targets. The mail purports to be from the company and asks you to send them username and password for security purposes. Or it asks you to login to the company and go to the security section. But while the email says www.ebay.com, they are using a clever HTML trick to actually redirect you to the conman's website, which looks exactly like the logon page you expect to see. After you login to the conman’s server (giving them your username and password to ebay), it errors out or transfers you to the real ebay. But the damage is done: they have your username and password and now they can commit fraud with your name or steal your money. The scams get infinitely more complicated than this basic version. So beware out there.

One way to figure out if it is not a legitimate email is to put your cursor over one of the hyperlinks like if it says www.ebay.com/security. Look at the bottom of your email window and there is usually a status bar down there. When you move you mouse cursor over a hyperlink, the place it will link you to when you click the mouse shows up in the status bar. Simple phish mail will have some numbers down there like 61.32.183.3/security.htm. They are redirecting you to their server and try to fool you into typing in your username and password. A more complicated scam would use the Citibank / Ctbank switcheroo. By the way, this method of rooting out fraud is not foolproof. An more sophisticated email could easily work around this.

The best rule is to NEVER click on links in mail, even from people or businesses you trust. Type the link into the browser manually or go to the website and call their customer service number. And remember, even if the email were from your friend or colleague, it could be a email virus sending copies of itself to you.

The other rule is that very few companies send you Security Alert emails like this. Always be suspicious.

Obscenity in all its forms

The more I think about obscenity, the harder it gets to tell what is obscene. And clearly the younger your child, the more things are obscene. While many people call nudity obscene (great art is nude – remember that David by Michelangelo is nude), isn’t neo-Nazi hate a more obscene thing? It really depends on your family's values. Just remember that there’s a whole lot of information on the Internet that your child is probably not quite ready for. Things like Sex Videos, violence against other humans, pictures of murders, various atrocities, you name it, you can find it on the Internet.

The disinformation and outright lies that are on the Internet could cause your child a lot of problems. So think about all the things you’d like to talk to your child about instead of just reading lies on the Internet (did the Holocaust really occur? – some websites would say not).

In addition, many things that are meant to be funny are just plain mean or unkind. Do you want your children to think that being unkind is OK as long as it's supposed to be funny? Can your children judge for themselves?

Exercising judgment and assessing credibility are important skills for adults to have, and at some point your children will have to learn these skills. But is that time now? Only your family can decide.

Trusting other web users

How do you get information out of other people? You’ve seen interrogations on television shows. They use techniques like Good Cop – Bad Cop, threat of violence or retaliation and asking for confirmation for something they don’t know. Interrogation techniques like these are all used for social engineering (getting enough information to “hack” into an organization for nefarious purposes).

“Hackers” break into organizations by getting small bits of information through dumpster diving (looking through trash bins), asking people nicely, threatening people and tricking people who are naturally being helpful. Each bit of information gets them closer to whatever they want. Click here to read about a company which specializes in social engineering for corporate security.

Remember that social engineering works because people naturally want to be helpful. As we teach our kids in preschool, we ask them to be helpful. So your kids are very vulnerable to this.

Information is valuable. Don’t tell anybody anything which may be used against you. I want you to imagine how easy it would be for a stalker to convince your mother that they are your best friend. How many little trivial nuggets of fact would it take for your mother to believe they were trusted by you? “I heard about their trip to South America in 1999. Didn’t they visit Rio for Carnival? And of course I heard about the miscarriage last year. Rachel was such a good choice for a name.” Pretty soon, these funny little bits of trivia will convince your mother that you must have told these things to this stalker and your mother may start telling the stalker some really secret information (like where your family is going for vacation or which preschool your child attends). This is social engineering at its finest.

Look at some of these articles for more information on social engineering.

http://abcnews.go.com/Technology/ZDM/story?id=1754729

http://www.securityfocus.com/infocus/1527

http://www.securityfocus.com/infocus/1533

http://www.securityfocus.com/infocus/1860 

If you are wondering if it is OK for your kids to Instant Message or talk in a Chat room, you need to know that there are a lot of adults pretending to be children on the Internet. And if they know any social engineering or interrogation techniques, then they can get your child to tell them all kinds of facts that could cause harm to the whole family. Just remember that the smallest piece of information from somebody could be the straw that breaks the camel’s back on hacking.

An example that really occurred in 1997 is the corporate espionage regarding DiGiorno pizzas. DiGiorno was ahead of Freschetta in getting a high capacity factory up and running. And Freschetta hired a detective agency to find out how many pizzas the new factory could produce. They did social engineering on a lot of people in the factory, they learned the organization chart, and they learned who the vendors for this factory are. In the end, they learned the capacity of the plant by asking people how many of those round cardboard sheets that the pizza is packaged with would be supplied to the factory. Remember these guys are professional social engineers. Your kids are not. These social engineers prey on innocence and naivet.

It’s a scary Internet out there

Now that I’ve scared you into throwing away your computer and unplugging from the Internet, let’s talk about what are the obvious and prudent measures that you should do to make using a computer a relatively safe and enjoyable thing to do. If a professional absolutely needs to hack into your computer or network, it can be done. It’s actually the same as life: locks on your house doors only delay a thief five minutes or less, but it’s easier for them to find a house with unlocked doors than to break into yours. It keeps honest people honest.

What can I let my child do on the Internet?

As an example, I was asked whether it would be safe to let a 10 year old use a website which is essentially a child’s chat site, where users weren’t allowed to type anything in, just respond with pre-scripted sentences. Now without even visiting the site, I will guess that it is advertisement supported (how else are they making money?). I always wonder about the security of the servers as well as the ad servers (hackers loading malware onto your machines). Then I wonder about who checks the appropriateness of the ads. Then I wonder if any popup windows could somehow move children off this site (one ad moves you to the next, which moves you to the next, etc) into some website where children might be exposed to more obscenity than this site allows. And I wonder if kids would put in email addresses or even home addresses for a sweepstakes to win a coveted prize (Game Boy, Playstation, etc).

So the long answer is, I don't trust my children on any websites unless I trust them to talk to strangers, understand obscenity, and to understand confidentiality for information. Teaching them to resist social engineering would be a bonus.

I don’t like the idea of kids giving away their email address. That just subjects them to unwanted commercial email and we all know that that means pornography, drugs, phishing and all kinds of questionable emails. People in the business of collecting email addresses or mailing addresses for mailing lists will tell you that each address they get is worth anywhere from $10 to $20. Once they have these huge lists of addresses, they sell these lists to businesses so you can get junkmail and spam. And once your address is on these lists, it will never be erased. Teach your kids that email addresses shouldn't be given away to anyone they can't trust. And their friends should be told not to give away their email addresses to anyone.

So what can I do?

The last section of this article will start talking about what you can do to help protect your computer and your family.

Back to Part 1

Go to Part 3

Glossary

Spam

Spam is a common name for unwanted commercial email. Typical spam can be pornography, illegal prescription drugs, advertisements for questionable medical procedures and supplements to solve "sexual performance" problems.

Identity Theft

The process that allows criminals to pretend to be you so they can charge purchases on your credit cards.

Phishing

The process by which unwanted email is used to defraud people to send money or secret information which may lead to identity theft or actual theft, burglary or other crimes.

Viruses, worms, trojan horses, spyware, adware and malware

These are various names for rogue programs which try to take over your computer and do bad things unbeknownst to you. Viruses can trigger your computer to erase itself or even destroy itself. Worms send themselves around in emails sent from your machine. A Trojan horse allows somebody else to take control of your machine from anywhere on the Internet. Spyware will tell their creator what you do on your computer. Adware forces advertising to show up on your computer without your knowledge. Malware is the general term to describe any program that does anything described above.

Rootkit Virus

A Rootkit is a virus which hides itself from anti-virus programs as well as us humans. When you look for it where it is installed, it disappears like magic. It's very difficult to detect.

Keystroke loggers

These programs keep track of every key that you press as you type. The program records your keystrokes in special files that somebody will read at a later date. It's a very efficient way to read documents, email, instant messages and especially accounts, social security numbers and passwords. Formerly used by computer owners to eavesdrop on their spouses or children. Now used by cyber thieves.

Tracking Cookies

A file installed by a website, which identifies you as a specific shopper. Other websites check for this same file and suddenly they know that shopper XYZ238 shops at mybabytoys.com and banks at yourhomebank.com.

Tracking Pictures

Commercial email often sends pretty email with pictures. Except the pictures don't get sent in the email at all. The email includes the web address of where to find the picture. When you display the pictures, the person who sent the email finds out that you actually read the email.

Website hijacking

If you misspell a website address at all, you can get whisked off to some undesirable site (fraudulent, malware, pornographic or maybe worse).

Social Engineering

The art of convincing people to tell you their secrets. Interrogation can use social engineering techniques. "Con" men use these techniques as well.