Teaching Cybersecurity to the Next Generation, Our Kids – Part 1
It's back to school time and we are going to take a little break from product talk to discuss the most important "Next-Gen" ... kids, bambinos, tweens, teenagers, or what Joe Pesci's character in "My Cousin Vinny" referred to as 'youts'. Call them what you will, our future leaders need to be ready to defend against the next generation of malicious actors. Starting young is important, as most security breaches could have been caught sooner or even prevented if people had better habits, or simply more awareness. In this five-part series, we will discuss some easy ways you can help school-age children raise their cybersecurity IQ. You don't even need to be a DerbyCon badge toting expert, and can learn along the way as you pass on the knowledge. These steps are aimed at kids using a Mac or Windows PC.
Preparation: Buy a New USB Drive
I recommend buying a new USB 3.0 flash drive for this lesson. As of this writing, a local Best Buy has a 16GB USB 3.0 flash drive on sale for $6. You could use one that you already have, as long as: 1. You can delete all of the files to start with an empty drive. 2. It's known to be "clean". e.g. You have only plugged it into devices that you own and have done a full AV scan on it. Note there is still a risk of latent firmware compromise with used USB devices, so procuring a pristine new device from a reputable supplier is preferred.
Why Do USB Ports Strike Fear into IT Staff?
We all use USB flash drives. They are small and convenient and can hold a ton of data. Exfiltration of sensitive data using USB drives may be a concern for government and large corporations, but not so much a security concern for us at home. We are more concerned with just where has that USB drive been? Some malware has been known to spread via USB drives, after it has made a home on a computer. Additionally, the Universal Serial Bus can support just about any type of peripheral (keyboard, network adapter). So, what may look like a USB drive can be something totally different. If you came home and found someone furiously typing at your keyboard attempting to login and guess your password, you would be understandably upset. That is what some USB hacker tools are... mini computers coded to run brute-force attacks by masquerading as a keyboard device or sending packets by masquerading as a network device. Which is why the security community was giddy and incredulous when members of the press covering a North Korea / United States Summit in July 2018 were given fans that you plug into USB port for power. Now these types of attacks are not something most of us need to be concerned about, because we are not the targets of such sophisticated attacks. However, we do want to make sure that the next generation always thinks about the trust-worthiness of anything they plug into their computer or network.
Speaking of USB, hotels and airports are conveniently adding USB ports so you can charge your devices. How hard would it be for someone to tamper with the port to hack devices? Consider USB hygiene when traveling. Perhaps bring your own power brick. Or, you can use something like a PortaPow device that makes it impossible for those free public ports to provide anything but power.
Challenge: Test Their Curiosity with a USB Drive
Take that USB drive and clear all of the contents. The easiest way is to do a quick format. What you are going to do is place the USB drive somewhere where your target mark (kid, spouse, etc) would chance upon it. We want them to be so curious about it, that they want to take it with them and plug it into their machine. Perhaps you put a sticker on it, or some tape with writing on it that will pique their interest. You can leave it completely empty if you wish, or you can place a text file named 'YouHaveBeenHacked.txt', or a file named confidential.mp3 containing Rick Astley's "Never Gonna Give You Up" song. The actual contents are not as important as the lesson: Never plug an untrusted device into your computer.
This is a basic technique of penetration testers who are hired to infiltrate and test the defenses of a company. Drop the USB in a parking lot and see if it gets plugged in—Black Hat talks report astounding success rates for this old trick, it never goes out of style. While our test won't have a way to connect to a server and let us know if someone acted upon their curiosity, you will have to have to use your eyes and ears to see if it's been done, or even ask. Either way, follow-up with a recap on why we only want to connect trusted devices.
Forget the Movies
The common scene in movies is a hoody-clad geek breaking through a company's firewall. "I'm in," they say after less than a minute of work. Yeah, that is not quite the reality. The most likely entry point for an attack is via an email (containing a link or attachment), or when you are browsing the web. For the most part, we can take steps to lower our risk of being affected by taking steps mentioned in this blog series.
Principle of Least Privilege
The "separation of privilege" is not about punishing kids when they deliberately fail to perform their chores. Think of it as keeping things on a need to know basis. When you are playing Fortnite on your family PC, do you really need to be logged in as an Administrator? Should you really be using the same user account that you use when you are managing the family finances? The answer to both of these is "no". Yet, the first account you create when you get a computer has Administrator privileges, and most of us end up using that same account for everything ... forever. The main reason for this, is that installing programs typically require Administrator rights. This convenience of having admin rights by default is the exact opposite of the 'secure by default' premise that the security community wishes for. So, what happens when you are logged in as a standard user and try to install a program? You will be prompted to authorize it, only you have to enter the credentials (username and password) for an Administrator account. As you have probably guessed, this approach creates a new layer of protection that makes life more difficult for attackers. If for any reason, malware is able to gain access to your account, the damage will be less than if they had Administrator privileges, where they could create users, mess with system files, and install software. It's not a complete solution, but it's a great start.
What About Windows User Account Control?
Microsoft addressed this very issue with their Windows User Account Control feature, or UAC for short. This security feature prompts the user before allowing important changes to Windows. If the user has Administrator account privilege, they may simply click to allow the changes, but if not, then the user must enter Administrator account credentials. Human nature is the problem, and if only a simple click is required, then an inattentive user is likely to just click through the warning and potentially allow mayhem to ensue. But a user forced to recall or look up new account credentials is more likely to pause and think through the matter, asking themselves, “Do I really want to do this?” Setting up two separate accounts for User versus Administrator privilege forces this re-examination. That way the inherent laziness in human nature works to enhance security rather than weaken it (as is more often the case).
Challenge: Create two new user accounts per person.
Before you close that browser tab, at least hear me out! It's easy to setup and is absolutely the best way I've found to get their young minds thinking about how they use a computer. The first account is a 'Standard' user account, and the second account is an 'Administrator', each with separate passwords. Write the usernames and passwords for both accounts on paper, give to your child, and keep another copy for yourself. We will talk about password management in a later post; don't fret over the details now. Each person will ALWAYS login with their Standard account and use that exclusively. The associated Administrator account will ONLY be used to authorize actions, such as installing a program or changing a setting. If the person's actual name is 'Julie Wilson', perhaps the Standard username is 'jules', and the Administrator username is 'A-jules-A'. Again, the passwords for each account should be different. Let them get used to using this Standard account for a week or two before bothering them with another security lesson.
As a side benefit, you will be forced to copy the files you care about. It's always better to do this before an emergency.
This new account is empty, without any of the data files in your original account. Minecraft game files? Not there. Try to browse to your favorite website and login, and Chrome doesn't have your remembered password. Some programs like Microsoft Word or Steam might not even show up for this new user. Treat this migration as if you got a new computer. Install the programs you need. You will find yourself hopping between the older user login and the new one as you realize what data and files you need. Surprisingly, our test kids had very little to migrate. Most of their school work was on Google Drive. Logging into Steam gave them access to their games. Mainly, there were some settings files they needed. You may choose to use this opportunity to whittle down the set of files and data that you migrate to the new account—the digital equivalent of your kids cleaning their room.
While logged into this new Standard account, have your child install a new program or game. Help them authorize the action with the Administrator account when prompted.
How To Create Users on MacOS
1. Open System Preferences
Click the gear icon to open the System Preferences utility. Find and click the icon for 'Users and Groups', which is likely in the bottom left.
2. Unlock and Add
You need to click on the lock icon to allows changes. You will be prompted for Administrator-level credentials. The left side lists the users, while the main pane shows the user details. At the bottom left, near the lock icon are '+' and '-' icons. Click the plus icon to add a new user.
For a Standard user, the top dropdown should be 'Standard'.
How to Create User Accounts on Windows 10
If you are using an earlier version of Windows, you lack many of the security enhancements Microsoft incorporated into Windows 10, leaving your system more vulnerable to attack. If for some reason you wish to continue running an antiquated system that cannot support Windows 10, or you prefer not to pay to acquire a Windows 10 license, then consider migrating to desktop Linux. Whenever I have to recycle a dusty PC the kids complain is too old and slow, that is my preference, but that is a topic for another blog—the following directions are for Windows 10.
1. Create New User
Open the 'Control Panel'. Select 'User Accounts' option and it will show a dialog like the following. You will want to click on the 'Manage another account' option.
2. Add New User link
You will be presented with a list of accounts. Select the 'Add a new user in PC Settings' link on the bottom.
3. PC Settings - Manage Accounts
The Manage Accounts screen is entitled 'Family & other people'. If you have more than one account, they will be listed under the 'Other people' section. Click the 'Add someone else to this PC' option.
In Windows 10, you have the option of signing in with a Microsoft Account. If you have already used this option for the existing Administrator level account, you will have to choose the other option.
4. Fill in Form
You will be prompted a username, password, and hint. First, we create the standard user account.
5. Adding the Administrator account
That was easy, now let's create another user using the 'A-username-A' convention. Use a different password and write it down. Control Panel Accounts.
6. Accounts added, but we're not done
Now you should see something like the following, listing the newly created accounts. We are not done yet, because they are both Standard accounts. Select the account that should be an Administrator and click on the 'Change account type'.
7. Changing Type
Select 'Administrator' from the dropdown and click 'OK'.
You should now see something like the following, indicating the difference in account types.
9. Logging in as New User
You are now ready to logout and login as a new standard user. Logout by clicking the start button, clicking the user icon will give options to logout or login as another user. The login screen normally shows the last user logged in, and only prompts for a password. However, if you look at the bottom left of the screen, you will see the list of users available. Select the one you want and login.
Using Administrator to Grant Approval on MacOS
As a Standard user, we don't have permissions to install applications or change system settings. When you attempt to install a program, you will be prompted to enter credentials for a user that does have permissions. You will need to enter the username and password for your admin user. Remember that in our example, we used 'jules' for the standard account and 'A-jules-A' as the Administrator user account.
Using Administrator to Grant Approval on Windows
1. Prompted for Authorization
As a Standard user, we don't have permissions to install applications or change system settings. When you attempt to install a program, you will be prompted to enter credentials for a user that does have permissions. You will need to enter the username and password for your admin user. In the screenshot below, it has the original account selected, not the one we want. Click on the 'More choices' blue link on the bottom to reveal the list of users.
2.Select the Right Account
Scroll through the users and select the right one. Remember that in our example, we used 'jules' for the standard account and 'A-jules-A' as the Administrator user account.