Things You Should Know About Your Kid’s IT Habits

Teens and iphone

No less than once every day, my kids will ask me to have [fill in the blank of the latest social media app.]  Yesterday it was Snapchat, today it’s live.ly, and who knows what they will be asking for tomorrow.  It’s exhausting.  I’ve found some effective ways to encourage the conversation and in some cases, shut down the conversation (at least temporarily.)

  • “What is the App Rated”

For iOS devices, the apps have an age rating found within the iTunes store and it looks like this:

 There are several categories of ratings, from all ages to adult.  I found this nice chart on Wikipedia showing, by store, the age group recommendations.

If all of their friends have an app that is rated for older age groups than the age of your child and you’re considering giving them access, there are websites dedicated to giving parents a detailed description of why these apps were rated the way they were .  Here is an example of one of these websites.

If you want to take a hard-lined approach, you can restrict downloads not in their age group completely.  Instructions for iOS devices can be found by following this link.

  • “How Do You Know That You Are Safe Within the App”

Once you approve downloading the app, now you have to worry about your child’s security and privacy WITHIN the app.  How does the the app use your child’s data?  Google the words “privacy of [name of app] to get background on this.  I did a search for “privacy of musical.ly” and got the following link.  To keep their personal information private, my kids will create accounts with dummy emails, such as dumdum@dumdum.com.  When an app requires a valid email address, I have created a separate Gmail account from their personal email account, to ensure that their current email account stays clean and can be used to prioritize the important emails.  Plus, then I can monitor how this information is being used (or sold.)  This is a great teachable moment for them when you discuss security.  Free is NOT free when it comes to apps and how they use personal data to make money with marketers.

Each app handles personal data differently.  When your child registers with Pokemon Go, it accesses their entire Google account.  This means that the company that develops the app, and the one who is selling your data, has access to all of your kids’ friends’ contact information, current location information, and pictures.  And when you remove full Google access from your Pokemon Go account, you might as well be playing with a brick.  They have since called this issue a “security flaw.”  Whatever the reason, companies want their personal information and as parents, we need to understand what personal data the apps are using.  The most important message to your kids is that you trust them, but you don’t trust any company to protect your privacy better than you can.  No one will care more about your child’s security than you – remember that.

  • “Is Your Social Profile Public or Private”

As a parent trying to keep my kids secure and safe, my responsibility has gotten A LOT more complicated when you include social media.  I took for granted that my kids understood the difference between a public and private profile in social media apps, but was told the other day that one of them didn’t understand the difference until they discussed it in the classroom.  In some cases, these apps encourage kids to keep their profiles public.  For instance, in musical.ly you can’t do duets with the musical.ly stars unless your profile is public.  By having your child go public, you encourage strangers to know information about your family and what your children do on a daily basis.

To see how your kid has set up his profile, play stupid.  Ask them to show you on their apps how they have make their profile private and see if they know what that means.  If they are public, ask them why.  If they think they’re going to be the next big vlogger or Muical.ly star, probably not a good enough reason to risk their personal security and your family’s privacy.

  • “How Are You Downloading Your Apps”

You need to make sure your kids download legit versions of the app.  Hackers are opportunistic and once Pokemon Go became hot, several fake apps popped up.  172 fake Pokemon Go apps have been discovered across a mixture of the AppStore, GooglePlay, and AppBrain.  You are responsible for identifying what’s fake versus what’s a real app before they install the app.  Look at the reviews, the number of downloads, rating, etc, before allowing your child to do the download.  Or ask a parent of one of their friends to send you information on the app they want.

Additionally, a lot of apps these days ask for access to your address book.  When this happens, the app developer now has all of the information for all of their friends and relatives in their address book without their approval, obviously a violation of everyone’s privacy.  Again, a simple Google search on “why does the [name of app] need access to my address book?” will give you enough information to understand how the app works, and if you’re lucky, will identify a fake app before your child signs up for the service and inadvertently exposes everything on his/her phone, including the address book, photos, and even credentials to all of their social media apps.

All of this oversight into their day-to-day lives may seem overwhelming, but you should look at it as an opportunity to build trust between you and your kids.  If they know that you are in their corner when it comes to technology, you might just open the doors to communication on a lot of other things, too!

Things You Should Know About Your Kid’s IT Habits

What Your Employer Knows About Your IT Habits

I recently overheard someone telling another person to clear her browser history to prevent her company from seeing the websites she visited on her work computer. (Spoiler Alert: It Doesn’t Work)  This made me realize that you may not be aware what your company knows about your work habits:

  1. Your company tracks what websites you visit.
    This technology not only tracks the websites you visit, but categorizes them for easy reporting.  Someone I knew told me that an employee denied doing online shopping during work hours, until he told her the stores she buys shoes from, her shoe size, and the colors of shoes she bought.  Needless to say, this data tells companies a lot about what you do at work.
  2. Your company has copies of all your emails.
    It doesn’t matter if you delete the email from your inbox; There are copies of all your emails (even your deleted ones) on back-office systems.  The amount of time they are kept depends on each company, but could go back years and years.  So I recommend that you do not use company email for personal use; you risk embarrassing yourself with your family’s latest drama or worse.
  3. Your company knows what phone calls you make and receive.
    There are systems that log every call you make, every call you receive, and has a copy of every voicemail message.  Deleting the voicemail message does not guarantee that there’s not a copy on some back-office server somewhere.  Your company knows who you called, who called you, how long you talked, and the cost of each call.  Ditto for your corporate cell phone.
  4. Your company knows your corporate cell phone habits.
    If you think you can avoid being tracked by browsing on your corporate phone, WRONG.  The same systems that track your computer browsing history also tracks your wireless phone browsing history.
  5. Your company knows what apps you use on your corporate cell phone.
    Your company can track what apps you have installed, what you are actively using, and how much you’re using them.  If your management is curious how many people are playing Pokemon GO at work, the information is available.
  6. Your company knows where you are at all times.
    Through the same technology that tracks app usage, it can track where you are at any given time.  IT can set this up on a corporate phone so that you have no option to block this.
  7. Your company can track your behavior even when you’re not in the office.
    Through technology that manages your corporate hardware and software, it will track your IT behavior, irregardless of where you work, whether it be in an office, at home, or at a customer location.  The systems track all corporate devices no matter what.  So don’t use your corporate computer at home to do personal business; IT is tracking this behavior, too.

Companies will comply with all domestic and international privacy laws, but most companies have IT Policy documents that all employees sign, which will acknowledge your IT behavior at work is not private.  Companies have a legal right to most of the information I noted above.  My advice is, limit your personal activity on ANY corporate device and while using ANY corporate or company’s guest network.  Or in the spirit of Despicable Me, follow Gru’s Third Rule “You will not cry, or whine, or laugh, or giggle, or sneeze, or burp, or fart. So, no, no annoying sounds…” at work!

What Your Employer Knows About Your IT Habits

AT&T to Customer: Ignore the (Bad) Man Behind the Curtain

Uverse image

I have AT&T Uverse for Internet access and officially challenge them to show me how they are committed to their customers’ security.  If you’re an AT&T customer and think your family’s Internet security is not your responsibility, then you can assume that none of your devices on your home network are protected.

I had experienced some slowness issues and decided to to log into my AT&T router to check the event logs.  The router is the equipment your Internet provider installs to connect you to the World Wide Web and every person with Internet access has the capability to do this.

I went to the event log and saw some unusual activity that a simple Google search couldn’t identify.  As I had read about hackers using routers to launch DDOS (distributed denial of service) attacks, I grew concerned and called AT&T customer support.  I had an interesting dialogue with the representative.  Here is a summary of our conversation:

  • Me: I’m having network slowness issues.
    Rep: Reboot your computer.
  • Me: I did that.
    Rep: Check your speed.
  • Me: I did that.  The issue is that I saw strange activity in the router event logs.
    Rep: You need to run a virus scan.
  • Me: That’s not where I have an issue. It’s with the router; my computer will not show the issue.
    Rep: Don’t worry about the event logs.  You can clear the logs and you won’t see the problem anymore.
  • Me: But if I see strange activity, clearing the logs won’t solve the potential malicious activity that might be going on.  Can you walk me through updating the firmware?
    Rep: You need to reset the router back to factory defaults.  That should fix the issue.
  • Me: But that won’t install any security patches that I am needing.  Plus, then it changes my password pass to the default, which is the same for every customer.  I don’t want to do that.
    Rep: You don’t have to do anything once we install the router.
  • Me: So this device AT&T gave me will never have any new vulnerabilities.  That sounds a bit naive.
    Rep: You’re probably right.  Why don’t you go to the manufacturer’s site to figure out how to do this.
  • Me: Are you sure that AT&T will give me permissions to do that?
    Rep: If you can’t install it yourself, then you’ll have to pay for our Advanced Configuration service to do it.
  • Me: So if AT&T restricts my ability to have a secure router, then I have to pay AT&T to do this?
    Rep: As an alternative, we can just send you a new router. It only costs you $4/month more for leasing it.
  • Me: But I don’t pay for a router today.
    Rep: That was part of a promotion that we don’t allow anymore.

At this point, I decided to pursue other ways to protect my home network.  OpenDNS has a free service for home users that basically ‘filters’ the Internet traffic and delivers only ‘safe’ traffic.  To enable the service, I had to make a change on the AT&T router and couldn’t find the settings for this.  I found this on an OpenDNS help page:

“Unfortunately, due to the firmware restrictions that AT&T has placed upon UVERSE-enabled devices, it is not possible to change the DNS settings on these devices. This is a limitation due to AT&T and unfortunately cannot be changed.”

I could put in another router behind the insecure AT&T router, but I find it unbelievable that not only does AT&T deny the customer basic security services but also won’t allow a customer to protect themselves.  Remind me what I’m paying $175/month for?  It’s definitely not security.

AT&T to Customer: Ignore the (Bad) Man Behind the Curtain

To Be (Updated) or Not to Be (Updated) That is the Question

I LOVE TESLAS.  The day my youngest child walks through graduation, I will be getting myself a graduation present.  The ‘cool’ factor of these cars is not just the incredible design, but it’s the fact that they are one of the only car companies right now that have SAFELY jumped onto the Internet of Everything bandwagon.

Just like how your computer periodically updates itself, the Teslas do the same.  It’s just like updating an app, and they even publish release notes – so cool!  (With the latest updates, the car basically drives itself.)

So for the rest of us peasants, we have to deal with the risk of having our car compromised.  There were a couple of guys who proved that you can hack a car and basically take over all of its functions – climate control, radio, and even scarier, the steering, brakes, and transmission.  All over the air, using the same wifi networks you use every day.  You can read about it here.

Here’s the problem: While hackers can compromise your car over wifi, the car companies can’t fix your vulnerabilities over the air.  You actually need a USB stick to do it and if you’re not technical, you’ll have to bring it into the dealership for the update.

So the most hackable cars today are the 2014 Jeep Cherokee, the 2015 Cadillac Escalade, the 2014 Infiniti Q50, the 2010 & 2014 Toyota Prius, and  the 2014 Ford Fusion.  If you have this car, please do your family a favor and make it a priority to get the update.

The OnStar app is also vulnerable to hacks.  See here for a recent article on how people with the OnStar app can be compromised.  Pay attention to these things and update, update, update!!

The government is now getting involved and trying to pass legislation to establish an auto security rating system.  It’s a good idea, but for the 471,000 of us with vulnerable cars, it’s a little too late…

To Be (Updated) or Not to Be (Updated) That is the Question

The Internet of Things and the Terrible, Horrible, No Good, Very Bad Days Ahead

iot-cloud-of-things-platform

If you haven’t heard of the Internet of Things, think Smart Cars, think drones, think of your electrical company’s Smart meter, think of that dog collar that allows you to find your lost dog.  The Internet of Things (also known as the Internet of Everything) is basically any device that uses the wifi signal to transmit information.

The problem is that in an effort to get these kinds of solutions out to the consumer, companies are not considering the security implications like they should.  The most basic form of protection on your computer is your anti-virus.  However, manufacturers connecting everything from insulin pumps to baby monitors have not enabled these devices to use this most basic form of protection. Even worse, they have not built in ways for devices to even receive patches if a hacker compromises your system.  Your only recourse in many cases is to turn the device off or replace it.  Think of the cost to replace your Smart TV or automobile – yikes.

The Economist recently published a short article on this very issue.  Please take five minutes to read it and you’ll understand why we’re going to be talking about this again, but hopefully without a consumer’s loss, including loss of life.

In my next post, I’ll be discussing this new threat as it relates to automobiles.  (Yes, someone has figured out how to run your car remotely, with you still in it!!)

The Internet of Things and the Terrible, Horrible, No Good, Very Bad Days Ahead

Why do cyber criminals do it?

Securitydemystified ransomware pic

People ask me all the time why criminals work so hard at stealing our data.  No longer is it just about some nerd in his dorm room trying to see how far he can breach a company.  Now, it is a way to make easy money.  As the article states, a $5900 investment in crypto-ransom kit generates a one month return of $90,000.  And that’s just an average!!

Here are only THREE easy things you can do to protect yourself:

  • Invest in an external hard drive.  Save all of your files to it and then DISCONNECT it.  Periodically reconnect it to backup new files, but by keeping it disconnected from the computer you connect to the Internet, you are keeping your files away from the bad guys and if you happen to fall victim to a ransomware extortion attempt, you’ll have your files protected and you won’t have to pay the money.
  • Pay attention to the reminders to install your software security patches/updates.  I know it’s annoying but it’s for your own good, so do it!!
  • Have anti-virus software on your  machine.  Not having it is like keeping the door open to your house.  You might as well have a ‘Welcome’ banner on your computer if you don’t have anti-virus software.

You can read the full article here: Why criminals do it

Why do cyber criminals do it?

Two-factor Authentication Explained

Two-factor picture

There is a lot of discussion around the use of two-factor authentication to better secure the websites you use.  But what is two-factor authentication?  Basically it is having to prove who you are using two different methods.  I just discovered a website where you can find out what sites have the capability to enable two-factor authentication.

I suggest that you pick your most popular site and enable this enhanced security.  See how it feels to go one extra step to better protect you from hackers.  I would guess that you will not see much of a time drain by adding the additional step.  Plus, you exponentially remove the possibility of becoming a target.  Hackers are looking for easy targets and by enabling this simple step, you are protecting yourself better than many others out there who think that it is more important to have easy access than to not get compromised.

The website can be found at https://www.turnon2fa.com.  If you try it out, I would welcome any feedback!

Two-factor Authentication Explained