Teaching Cybersecurity to Our Kids Part 5 – Trust and Privacy

by Al Hartmann

November 5, 2018

The objective of this 5-part blog series is to help you to educate your children in safe cyber usage and prudent precautions, to keep them from becoming victims of cybercrime. Here are links to the previous 4 parts:

  • Part 1 – ways to help school-age children raise their cybersecurity IQ
  • Part 2 – the basics of how to scrutinize email and maintain good email security
  • Part 3 – how to implement good password practices
  • Part 4 – updating software and using two-factor authentication

YOLO Privacy

The next time your kid scoffs that you play it too safe and jibes 'YOLO, Mom!', you can think of your data privacy situation and say 'You have no idea how much YOLO I've got going on up in here'.

I Always Feel Like, Somebody's Watching Me ...

Some of us have a cover or tape over our laptop webcams, but not on our phone cameras. Security expert Joanna Rutkowska took it to the next level! The first thing she did when she got her new iPhone was to open it up and remove all of the cameras and microphones. Wait, how does she make a call? I guess you have to plug in the earbuds or use a Bluetooth headset. We don't need to go to such extremes, but be mindful of all of the devices in the house and car with microphones and cameras. And those devices like Alexa, Siri, and Google Home have to send your audio to a server to get translated to text and recognized. So if your device is configured to listen for 'hey Google', rather than waiting for you to press a 'listen to me now' button, pretty much everything you say in close proximity touches their servers. Here's a good Wired article on how Alexa and Google Home use your voice recordings.

For Windows 10, you can view your Cortana voice recordings in the cloud at https://account.microsoft.com/privacy.

Wear Sunscreen

All of this 'advice' for the young is nice, but it doesn't compare to the incredibly well done essay of life advice for the young written by Mary Schmich in 1997 that was later made into a song entitled "Everybody's Free (To Wear Sunscreen)". Even if you dipped yourself in SPF 50, and continue to do so, it doesn't hurt to visit a dermatologist to get a quick yearly skin check. [Full disclosure: My eldest son is a dermatologist and skin checks do save lives.] As all medical centers do, they ask for SSN, DOB, employer, and lots of personal details that could be used for identity theft. What are the chances that a small independent medical office can successfully protect your data from targeted attacks? Or for that matter, size is no protection, there are plenty of larger medical data record breaches.

Treasure Trove

If you have applied for a mortgage in the last 15 years, you were probably asked to send in tax records, details on all financial accounts, and pretty much every important document you have. Chances are high that you sent it to them via email. And that email is probably a free public email service like Yahoo, Gmail, or Hotmail/Outlook... which keeps copies of all your sent emails in your 'Sent' folder. All that data, just sitting there on a server, unencrypted. And if your email is hacked, that person could go through your message history. On the other end, the mortgage company probably isn't good about cleaning sensitive documents out of its email inboxes. YOLO Privacy, indeed. The good news is that mortgage companies have started to move to a better system, where you can securely upload sensitive documents. Consider going through and deleting old emails from your inbox and sent folders that contain sensitive information. And make sure to use strong multifactor authentication on all your email accounts, and don't leave email client sessions perpetually open on your devices if they are unlocked and accessible to others.

Microsoft Windows Defaults

When you created those new 'Standard' accounts in the first part of this series, you were probably guided to use a 'quick setup'. You probably want the exact opposite of all of these default settings that are part of a quick setup. The following lists a few of the settings. There are lots of good articles about the Windows 10 privacy settings, here's one: Protecting Privacy with Windows 10.

Some settings to avoid:

  • Send info about how I write to help us improve typing and writing in the future.
  • Cortana : send voice recordings to server for commands
  • Connect to open hotspots
  • Send location information

Search Engines

We know that search engines track our interests so they can know how best to sell to us. Is one search engine really so much better than the others? There is one search engine, called DuckDuckGo, which doesn't track you! Last I checked, it uses Yahoo search under the covers. Long-term users report using it for years as their main search engine on all their devices and computers and rarely needing to bail out to Google. Some suggested reading here is the Google Transparency Report.

Full disclosure: I confess to regularly using Google searches in my work and personal lives and to navigating my commute around Austin traffic congestion with Google Waze. I also use a cloud-based dashcam with full GPS that uploads time lapse videos of all my drives to the cloud, while carrying a cellphone that tracks my movements with both GPS and cell site proximity. They know and archive more details of my life than any surveillance state in history ever could. Sad.

Every Good Bar Needs a Bouncer

After asking nicely, and using every ounce of your civility, sometimes you have to start throwing fools out the door (or window). Even better, let only the nice peeps in, leaving the riff-raff at the door. Since the web operates on assigned 'domain' names (e.g. 'ziften.com', 'wikipedia.org'), it's possible to filter out web domains that you don't want. Since one web page may load data from about 100 different domains, it's not a list you typically create manually.

Cisco OpenDNS Umbrella is a service that manages this for you. There are a couple of free tiers, and a $19.95/yr 'Home VIP' service that comes with usage statistics and more configuration options. Want to block 'adult' websites and 'gambling' websites? Easy. If someone on your home network goes to a site on the block list, they get an OpenDNS page explaining that it's blocked and telling them to ask the Administrator (that would be you) for an exception. You have to know how to configure your home internet router to pass all Domain Name System (DNS) requests to OpenDNS servers. They provide documentation to do all of this. It's not perfect, but it's quite good. Here are a couple of things to be aware of:

  • Sometimes you have to log in to the OpenDNS dashboard and add exceptions manually.
  • If the Internet Address of your home router changes, you have to either log in to the dashboard and update it or run an app on one of your home computers to keep it in sync.
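To make the filtering decision concrete, here is an added example (not OpenDNS code, and not from the original post) of how a DNS filter can decide each lookup from category lists plus administrator exceptions. The domain names, category contents and function names are constructed for illustration.

```python
def normalize(name):
    """Lower-case and drop the trailing root dot, so 'Casino.Example.' == 'casino.example'."""
    return name.strip().lower().rstrip(".")

def covers(listed, name):
    """True if name is the listed domain or a subdomain of it, matching whole labels only."""
    return name == listed or name.endswith("." + listed)

def decide(query, categories, blocked, exceptions):
    """Return (verdict, reason) for one lookup; administrator exceptions win over blocks."""
    name = normalize(query)
    for ex in exceptions:
        if covers(normalize(ex), name):
            return ("allow", "exception: " + ex)
    for cat in blocked:
        for listed in categories.get(cat, ()):
            if covers(normalize(listed), name):
                return ("block", cat + ": " + listed)
    return ("allow", "unlisted")

def blocked_lookups(page_domains, categories, blocked, exceptions):
    """Of the domains one page load touches, return those the filter would refuse."""
    return [d for d in page_domains
            if decide(d, categories, blocked, exceptions)[0] == "block"]

# Constructed sample data; a filtering service maintains the category lists for you.
CATEGORIES = {
    "gambling": ["casino.example"],
    "adult": ["adult.example"],
    "social": ["chat.example"],
}
BLOCKED = ["adult", "gambling"]        # categories switched on in the dashboard
EXCEPTIONS = ["help.casino.example"]   # added manually by the administrator
PAGE_LOAD = ["news.example", "cdn.news.example", "ads.Casino.Example.",
             "notcasino.example", "help.casino.example", "chat.example"]
```

Matching on whole labels is what keeps 'notcasino.example' from being caught by a rule for 'casino.example', while any subdomain of a listed domain is still covered.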

HTTPS is Good

We are finally at the point where browsers are playing hardball with websites that aren't using HTTPS and showing them as 'insecure' to users. This is a good thing. Anytime we enter our credit card number online, we want to AT LEAST make sure the data is encrypted when passing through the internet.

Here's how the system of trust works... Imagine you and 3 friends (Bob, Lisa, Toto) started this certificate system, and decide that you each get 'root' certificates, and can issue certificates to others. When I visit Acme Widgets Inc, they proudly display a certificate to me. I don't know enough about Acme to trust them, but by looking at the hierarchy on the certificate, I see that it was issued by JoJo, who has their certificate issued by Lisa. I have no idea who JoJo is, but I trust Lisa, so I feel good about trusting Acme.

HTTPS May Not Be Private!!!

When you see that little padlock in your browser's URL bar, the connection is encrypted, but you may be unpleasantly surprised to hear that it may not be a private link between you and the website you are accessing.

In 2015, security researchers discovered that Lenovo PCs were shipping with a certificate issued to 'Superfish Inc', that allowed preinstalled adware to intercept all of your encrypted communications. Horrors! This ArsTechnica article on Superfish does a good job of explaining the details of this 'Man in the middle attack'. The bottom line is that you can be connected to a computer on your own network, when it looks like you have a secure connection directly with your favorite website.

Additionally, consider that you work at a mid to large size company. If they manage your device (PC or phone), they are probably intercepting your traffic, and storing it short-term unencrypted. Yes, typically the IT staff will install a company firewall certificate in your device's trusted list. All your communications that pass through their firewall will be able to get decrypted. All your private email, browsing, and communications... not so private. Part of this is for security, as the firewall is inspecting traffic (F5 for example) and looking for malware and attacks. It also may be for legal reasons, needing to have documentation when employees are under investigation. I don't think you need to be worried about an IT employee actively browsing all the data and looking for private details. Most IT staff have too much on their plates as it is and have no time or interest in my boring life.

Lastly, there are several governments that require their own root certificate preinstalled on phones and computers, so they can intercept traffic to monitor citizens.

Extra Credit: This is by Design, Unfortunately.

You may be thinking: How can this happen, and why aren't people rushing to fix it?! It is part of the design. You want to connect to www.starbucks.com, your computer does a DNS lookup on the name and gets an address like (which corresponds to a cloud server hosted by Akamai). Your browser asks the server who it claims to be, and the server responds with a certificate. Their certificate can say I am '*.starbucks.com', or possibly 'www.starbucks.com', 'app.starbucks.com', etc. As long as their certificate is issued by a company in your trusted list, it's good. The problem is when your trusted list contains root certificates that can claim they are any website. If I look on my MacBook's keychain application, I can see that I have 164 'System Roots' certificates configured, presumably a list managed by Apple as they update macOS.
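The chain of trust from the Bob, Lisa and Toto story and the extra-root problem described above can be shown in one small model. This is an added example, not code from the original post: it uses toy RSA keys that are far too small for real use, skips the expiry, name and revocation checks real browsers perform, and 'InterceptRoot' is a hypothetical stand-in for a root added by adware or a company firewall.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (far too small for real use)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def tbs_hash(cert, modulus):
    """Hash the signed fields: who the cert is for, who issued it, and its public key."""
    data = f"{cert['subject']}|{cert['issuer']}|{cert['n']}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue(subject, subject_key, issuer, issuer_key):
    """The issuer 'stamps' the subject's name and public key with its private key."""
    cert = {"subject": subject, "issuer": issuer, "n": subject_key["n"]}
    cert["sig"] = pow(tbs_hash(cert, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def signed_by(cert, issuer_n):
    return pow(cert["sig"], E, issuer_n) == tbs_hash(cert, issuer_n)

def anchoring_root(leaf, intermediates, trust_store):
    """Follow issuer links upward; return the trusted root's name, or None if untrusted."""
    cert = leaf
    for _ in range(len(intermediates) + 1):
        root_n = trust_store.get(cert["issuer"])
        if root_n is not None:
            return cert["issuer"] if signed_by(cert, root_n) else None
        parent = next((c for c in intermediates if c["subject"] == cert["issuer"]), None)
        if parent is None or not signed_by(cert, parent["n"]):
            return None
        cert = parent
    return None

def check(leaf, intermediates, trust_store, expected_root):
    """Defender's view: valid is not enough, the chain should end at the root you expect."""
    root = anchoring_root(leaf, intermediates, trust_store)
    if root is None:
        return "rejected"
    return "ok" if root == expected_root else f"unexpected root: {root}"

# Constructed scenario with the page's names; "InterceptRoot" is hypothetical.
bob, lisa, toto = keypair(61, 89), keypair(61, 107), keypair(61, 127)
jojo, acme, proxy = keypair(89, 107), keypair(89, 127), keypair(31, 127)
intercept = keypair(107, 127)
STORE = {"Bob": bob["n"], "Lisa": lisa["n"], "Toto": toto["n"]}
JOJO_CERT = issue("JoJo", jojo, "Lisa", lisa)
ACME_CERT = issue("Acme Widgets Inc", acme, "JoJo", jojo)
SWAPPED_CERT = issue("Acme Widgets Inc", proxy, "InterceptRoot", intercept)
STORE_PLUS_ROOT = dict(STORE, InterceptRoot=intercept["n"])
```

With the original three roots the substituted certificate is rejected; once the extra root is in the trusted list it validates just like the real one, and only comparing the anchoring root against the one you expect reveals the difference.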

Extra Credit : What If

Going back to our example of rewriting history by founding the certificate system with your three friends Bob, Lisa, and Toto. What if Bob was careless with his rubber stamp used to issue certificates to others, and a bad guy "borrowed" it to stamp their own certificate? It would look good to us, and we wouldn't know, until someone discovered what the bad guy was up to, and the news got to us. What if a legitimate company was hacked, and their certificate's private key was stolen? Bad guys could then place that certificate on their own malicious server, and we would still trust it. Again, it takes time for people to discover the bad actions, then time for the news to make its way to us. In both cases, it requires the owners of these trusted private keys to be extremely careful with them. Sadly, many are still unaware of these details. In 2017, for example, it was discovered that drone maker DJI left their private keys open to the public for years.

This is why there is a 'revocation' mechanism, a way for our computers and browsers to get updates on certificates we should no longer trust.

App, Identify Thyself

You already know that you must be careful when installing an application downloaded from the internet, especially from download.com, tucows.com, and other freeware sites. macOS has a component called Gatekeeper under Settings/Security and Privacy/General, and by default is configured to block installation of any application that is not from the App Store. By changing the setting to 'App Store and identified developers' you obtain more freedom. It should be quite rare to need to install an application that isn't from the App Store. Similarly, Microsoft released "Windows 10 S" in 2017, which is more rigid about apps, and thus more secure. You can only install applications from the Windows Store. As they put it, applications that are 'Microsoft-verified for security'. This is a great trend that likely stems from lessons learned from the Apple iOS ecosystem. While some may complain that they are 'locked in' to a vendor, without freedom to install whatever they want, it limits the risks.

For both Apple’s AppStore and Google’s PlayStore, they should be adequate for downloading any needed mobile device apps. Downloading from third party sites is especially risky and the primary vector for mobile device malware infections. But even the Apple and Google app stores can miss malware with highly obfuscated malicious content, which happens continually. You should ensure that both the download source and the app authors are highly trusted. Mobile OS’s provide another safeguard, in that they will prompt you to authorize the app permissions. Do not take this responsibility lightly and click through without thinking, you could be passing the point of no return on your spiral into total pwnage. If the permissions don’t make sense for the application functionality, then cancel out and don’t install that app.

The Canary and the Honeypot

That title would make for a pretty good Grimm's Fairy Tale, but these names have specific meaning in security. A 'canary' is a decoy file that you know never to open. You place it among your documents, and if it ever gets opened (by an intruder), it connects to a server to notify you. It's like a document tripwire. We talked earlier about your sent email history with sensitive data. How would you possibly know if someone (other than your email provider) was in there poking around? A canary document attachment on a sent email would be a way to be notified of such an event. That would be a rather advanced topic, as you would need an online server or service to receive a connection and turn it into a notification. Thinkst provides a way to generate free token files.

A 'honeypot' is a decoy computer or server placed on a business network. If it gets unexpected attention, then the business will get notified that they are under attack. Both canaries and honeypots are examples of deception technology designed to trick attackers into revealing their presence by taking the bait. So make your bait as enticing as possible, something an attacker would be seeking and expect to find on your system. Something like a file named ImportantAccountNumbers or PasswordsToRemember or AccountCredentials or perhaps a directory named AmazonOrders or BrokerageRecords.

Challenge : Back up Device

Wow, we reached the end of this series, and this is the first section on backing up your data. For the most part, kids have little important data to back up that probably isn't already backed by a cloud service. However, we are trying to raise awareness and good habits. Your challenge is to get your young ones to back up their phone or tablet. For Apple devices, this usually means installing iTunes on their computer and connecting the device using a USB cable. Ensure that the data is password protected. The password manager is a perfect place for keeping track of this new password. My kids would destroy their phones about every six months, so the backups are in their interests. Your phone, your most personally important digital device, is sadly also the most fragile.

But your tablets, laptops, and desktops also need backups. There are enough free cloud storage services with multi-gigabyte free storage limits that there is no excuse not to back up. In fact, keep your files in the cloud in the first place. Your device should just contain a local copy, not the primary copy. For example, Google Photos will back up all your personal photos for free for your lifetime, as long as you are comfortable with their default image compression, and you can configure your mobile device to do the uploads automatically.

When you go to save a document or create a file, do it to cloud storage, and configure the cloud storage account to sync across your devices. If the document is sensitive, then employ encryption and use your password manager to help with key management. Of course you are syncing your password manager database across your devices, so all is good. There are certainly legitimate concerns about cloud storage security and privacy, but replication and encryption can address most of these. You can pretty well assume that leading intelligence agencies have some level of access to the major cloud storage sites, as we learned from the Snowden revelations, for example, so be advised. But consumers will probably get all the data security (i.e. confidentiality – integrity – availability) they need from the major cloud storage providers, and certainly more than most can do for themselves at home.