Your Weakest Security Link? Your Children

What do you do when the biggest threat to your cybersecurity lives under your own roof?

It’s a fact of life online: a network is only as strong as its weakest link. For many people, that weakest link is their children. They inadvertently download viruses. They work around security to visit sites their parents don’t want them to. They run up huge bills using their parents’ one-click ordering.

And, most frustrating of all, many of them are far ahead of their parents’ ability to keep them from making mischief—in fact, many of them act as the family’s de facto tech support.

In a recent survey, half of Americans with children under 18 reported that their children had breached their online security in some way. And the cost of those breaches can add up, whether it’s damaged computers, lost productivity or money spent on unauthorized purchases.

ENLARGE

12 year old boy illuminated by the blue light of a computer monitor PHOTO: GETTY IMAGES

Keeping one step ahead of children is all the more complicated because it’s not enough for parents to prevent mischief. They also must be mindful that their children are looking to them for guidance. So any security strategies they use also need to be object lessons that help their children stay on the straight and narrow.

Happily, there are plenty of steps that not only will ensure your security but also make you a useful guide to your child. Here’s a look at the measures you should take.

Assess your tech—and your children.

Well-behaved 5-year-olds and rebellious 15-year-olds represent radically different security risks. Your toddler might accidentally bang on a bunch of keys and rename your hard drive; your fourth-grader might be tech-savvy enough to download a bunch of files—and viruses. Figuring out how to deal with those potential problems involves getting an accurate picture of the technology in your house and how your children use it.

First, make sure you know exactly which machines, devices and files your children use so that you know what you need to lock down. Not just their own computers or tablets; remember that many of us hand our own phones and tablets to our children at times. Also don’t forget any other Internet-connected devices, like your gaming console, e-book reader or cable box.

Then take a realistic look at your child’s temperament and behavior. Have you got a teen who’s constantly testing your limits? A natural hacker who is relentlessly curious about what she or he can get into, break or reprogram? That means taking a tougher stand on security.Next, identify which passwords your child knows and consider which should be adult-only. With preteens, a good practice is to have separate profiles on any device your children use, giving each child a profile that allows them to log in to educational apps or games, while reserving full administrative access for yourself. Teach your children that other people’s profiles are off-limits, and ensure they only have the password for their own profile. Older children will likely want to manage their own profiles and devices and keep their browser history private, but you should still keep track of their access to your own devices and accounts, or shared ones.

Next comes figuring out just how skilled your children are. You need to track your child’s ability to circumvent parental restrictions, and as they get older, their ability to alter your devices. One way to do this is to approach any surprising discoveries with curiosity and humor, rather than panic. Lightly asking, “How did you manage to rename my hard drive?” is more likely to yield insight than shouting, “What made you think it was OK to rename my hard drive?”

There are other tactics you can use to see what your children know. Check your own browser history regularly, as well as your children’s, to see what they are browsing (and look for gaps in browsing history that suggest they’ve figured out how to purge their history). Notice if you find an app running on your phone that wasn’t running when you left it on the coffee table. Periodically check your computers for child-initiated downloads by searching for files with recent modification dates.

Beef up your security.

Next comes securing your network as much as possible, and making sure your children are serious about security.

First, secure your passwords. The best practice is to use a password manager like LastPass or 1Password to generate and remember unique, complex passwords for each site you use. What matters is that you use different passwords in different places, and that you don’t use a password your children might guess.

Second, make sure that the files on your personal computer are shared only if someone accesses your computer with a password. That way, your children can’t access, delete or modify files on your computer by logging in remotely.

Third, set up a backup system for all the computers and devices in your home. The best approach is to rotate between two backup drives, so if your child downloads something that infects one drive with a virus, you’ve still got a previrus backup.

Fourth, prevent unauthorized purchases by turning off one-click ordering and ensure that each in-app purchase and media download is possible only by entering a password.

That covers the basics. Next comes the more complicated part: teaching your children to reduce the risks of their online activities. Show them how to recognize the difference between a trusted source and a potential source of malware. Show them how to choose a secure password or use a password-locker application. Educate them about when to use real names online, and when a pseudonym is safer.

And yes, awkward though it may be, talk to your teen (or even preteen) about pornography. Chances are they will stumble on it or go searching for it themselves. So teach them how to avoid stumbling onto disturbing imagery, browse anonymously, stream rather than download and avoid clicking on any link that could introduce malware into your system.

Clean up messes right

While good security practices can reduce your overall level of risk, you also need a plan for when that plan fails.

If your children are used to talking with you about what they do online, train them to report breaches. Let’s say your child shows you how she got around parental restrictions on her phone. You can ground her—and ensure that next time, she keeps her hack to herself. Or you can praise her ingenuity.

This teaches her to tell you about any activity that could weaken your security. It also subtly encourages her to keep curious, and keep developing problem-solving skills. Likewise, asking children to help you fix any problems they’ve caused not only teaches them to take responsibility, but also helps them keep their skills sharp.

Of course, it can be hard to take this kind of measured response when you’re looking at a virus-ridden computer or a $700 bill for in-app purchases. That’s why you want to plan both your parenting and tech-recovery strategy before disaster strikes.

Apple Explores Ways To Secure, Set Up And Sell iOS Devices While Still In The Box

Apple has a new patent application (via Patently Apple) that could make it even easier to get started with a new iOS device before you even take it out of the box – using settings from your existing device to configure the new one. If implemented, this could take the sting out of upgrades, or make it even easier to expand your iOS universe with newly acquired additions like iPads, or the Apple Watch.

The new patent application describes packaging that includes a “Tap here” sticker, indicating where a user should tap their existing device. The brand new packaged device would then be able to communicate via some kind of short-range wireless communication method, like Bluetooth or NFC, and transfer settings, lock screen art, user information and even a list of apps to download from the existing gadget to the one in the box.

Apple’s invention includes provisions for multiple power modes for the packaged device. This would allow it to offer both a completely non-powered state, likely used for transport from factory to retail stores or distribution enters, for instance; and a low-power state, whereby it would be able to receive inbound communication requests from a user’s existing device for setup, prompting it to shift into full-power mode.

The patent goes further, discussing situations in which the packaged device would occasionally transmit “discovery messages” in its low power state, perhaps based on a timer, or prompted by activity detected by its internal accelerometer. These could be used to ping owned devices about the setup process once the packaged device is taken home, but it’s also described as being able to facilitate in-store purchases: Meaning, when you pull a boxed iPad off a shelf, it could give you a message on your iPhone asking you to add it to your shopping cart.

It goes further still, suggesting that the communication between the two devices could first ascertain whether the packaged device was actually purchased first, locking it from setup in cases where it determines that it has been stolen instead. It could use transmissions from store staff to authorize it, for example, or pre-shipping authorization for a set email address, if mailed.

The patent is fairly amazing in terms of scope and potential impact on the retail and gadget setup experience, and was only filed in the third quarter of last year, meaning it could very easily still make its way to production devices.

When Cybersecurity Meets Geopolitics

FireEye Chief Executive David DeWalt says all major powers have “somewhat national-born security companies.”

 

Achille Bigliardi

Before American computer-security company FireEye FEYE -0.88% releases a report on new hacker activity, it sometimes gives the U.S. government an advance copy. Dutch competitor Fox-IT trains the Netherlands’ cyberwarriors. Moscow-based Kaspersky Lab helps Russian authorities investigate hacking cases.

The cybersecurity industry is growing more provincial as digital warfare has become a routine part of statecraft. To investigate and clean up after an attack, corporate hacking victims typically must choose among a handful of companies, each with ties to a national or super-national government, in the U.S., Europe or Russia.

Segmenting online security this way creates the potential for blind spots on the World Wide Web, security companies and experts say. It also opens the possibility that security firms might look the other way for certain types of hacking — though no clear example of this has been found.

Major powers “all have somewhat national-born security companies,” FireEye Chief Executive Dave DeWalt said in a recent interview. “You end up, I think, with sort of cyber-blocs of superpowers that are racing to gain an advantage.”

Added Peter Singer, a senior fellow at the New America Foundation and author of several books on computer war: “For all the talk that the Internet is a global commons, the security of it is a place where national borders still matter.”

The issue gained new attention last week after Kaspersky’s founder and chief executive, Eugene Kaspersky, wrote an 1,800-word blog post attacking a Bloomberg News story that accused his company of being too cozy with Russian spies. Kaspersky is a force in the antivirus market in Russia, Europe and South America, and has a growing presence in the U.S. consumer and small-business market.

“I must have said this a million times, but we do not care who’s behind the cyber-campaigns we expose,” Kaspersky wrote. “There is cyber-evil and we fight it.”

Bloomberg asserted Kaspersky attends sauna nights with Russian spies and is deeply intertwined with the Kremlin. Kaspersky didn’t deny the sauna gatherings, but argued they weren’t conspiratorial and the presence of spies was coincidental.

Some people close to Kaspersky said the report captured the spirit of the company — non-Russian employees are sometimes asked, half-jokingly, if they work for foreign intelligence services. The company’s chief legal officer, Igor Chekunov, has military kitsch in his office, one of these people said.

Kaspersky representatives didn’t respond to requests for comment.

The company made news this year when it released a detailed report on what former U.S. officials said was an American hacking campaign to spy on Russia, China and some countries in the Middle East. As a rule, Kaspersky doesn’t say where it thinks attacks originate, though it sometimes drops hints.

Silicon Valley-based FireEye does the opposite, in a sense. The company publicizes hacking campaigns it discovers and links to China, Russia or Iran. In the interview, CEO DeWalt said he would think twice before publicizing a similar hacking campaign by Americans.

To be sure, these firms do not march exclusively to a geopolitical drum. Kaspersky has reported on computer intrusions thought to originate from Russia, and sometimes works with Western law enforcement. Symantec SYMC +0.12%, based in Silicon Valley, in 2010 it played a leading role in outing Stuxnet, a computer worm the U.S. and Israel used to slow Iran’s nuclear program.

FireEye, founded in 2004, received early backing from In-Q-Tel, a nonprofit that acts as a venture capital firm for the Central Intelligence Agency. But as the company has started to expand internationally, it occasionally runs into trouble with potential customers in France and Germany, spokesman Vitor De Souza said.

The company has trained its sales employees not to play up the company’s government ties or In-Q-Tel backing, De Souza said. FireEye generates roughly three-fourths of its revenue in the U.S., according to securities filings.

Ronald Prins, co-founder and director of Fox-IT, the Dutch cybersecurity company, acknowledged that the Dutch military buys encryption tools and hacking lessons from the firm. But he notes the company has been aggressive investigating breach attempts linked to the U.S. and U.K. — both Dutch allies. He says fragmentation in the security market has more to do with where security companies are based and less to do with politics.

A recent effort at Kaspersky may show the limits of those efforts. In recent years, the company started a walled-off division to try to win U.S. government contracts. Kaspersky Government Security Solutions reports to its own board and only hires people eligible for American security clearances.

So far, the company is yet to win a prime contract with the U.S. government, though it has worked on a couple of sub-contracts with U.S. firms, a person familiar with the matter said.