WAKE UP PARENTS!! Your children (mostly girls) are doing STUPID things online

I’m not a psychologist or therapist, so I’m not going to get into those aspects of the disturbing trend I saw on the TODAY show this morning, but I will speak to the Information Security/Keeping Kids Safe aspect of it.  Turns out that (click on the link below) tween and young teen girls have taken to the Internet (mostly YouTube) to ask complete strangers on the Internet if they’re pretty or attractive. 

Now to YouTube’s credit, they’re starting to scrub these videos.  And, as I wrote above, I’m not going to get into the psychoanalysis of whether it’s a good idea for these girls to do this, other than to state that as a parent (although, admittedly, I have two grown sons), I think that this trend is disturbing and girls should not be doing this.  But from a security viewpoint, this is extremely dangerous.  Young girls asking complete strangers to view their videos and post comments on their attractiveness can lead to pedophiles and other criminals viewing these videos, and luring the girls into meeting them.  Not only that, even if these sick people never meet the girls, the girls have willingly given up images/videos of themselves that can be readily passed to other such sickos, or, even in another sense, could be used for blackmail or extortion purposes.

What can parents do?  As I’ve said over and over again, even if the child purchased the computer with birthday money, earned money, bar/bat mitzvah money, etc., in almost 100% of families the parent pays for the Internet broadband connection.  While it’s possibly extreme to state that because of this, such tween/teen girls (and boys) have no inherent right to privacy, it’s close.  The #1 thing parents can do to prevent this, besides having the requisite talks with their children regarding self-esteem (etc. in that realm), is to have an honest discussion of what is proper and improper on the Internet, monitor what the child posts, and if possible, place the computer in a “public” area of the household.  Yes, I know that we’ve moved a long way from around 2000 – 2002 (light years in terms of computing) when we only had one-computer households.  But most tweens/teens have laptops, connected wirelessly (wireless security is a discussion for another day), and while we don’t want our children to feel as if Big Brother is watching them, a wirelessly connected laptop with a webcam in a child’s room is looking for trouble.  Forcing the child to use their laptop in a “public” room might be too much of a restriction, but an honest discussion of what’s proper and improper on the Internet must be held.  And no, shooting the computer is waaaay over the top and won’t solve anything.

Asking the world “am I pretty” is a pretty bad idea

Kevin Mitnick 101?

The longer I teach and work in the IT field, the more I realize that people are as gullible as I suspect they are.  I’d like to think that all of those who send out mass e-mailings describing dire consequences if you don’t do this, or you do do that, would have checked Snopes or Breakthechain.org or About.com’s Urban Legends pages, or some reputable fact-checker before they burden us with their warnings, or ersatz knowledge, or whatever it is they’re trying to convince us of.  But they don’t.

Look, today I even received another e-mail for the gullible in my inbox, this one from a phisher purporting to be Citi, telling me that my debit card has run afoul of their validation services, and that someone may be using it.  The e-mail even provided a link for me to click on to go to Citi’s “site.”  The only problem is, my debit card not only is not from Citi, but I don’t have, and have never had, a Citibank account.  Not for a credit card, not for a mortgage, not for an auto loan, not for anything.

So it comes as no surprise when I read the blog post below in Computerworld today:

A social engineering story

Regardless of whether you think global warming (let’s get real here, and call it what it really is, climate change) is a hoax, or whether the scientists who are investigating it are part of some mass conspiracy (no, Rick Santorum and the Koch brothers, they’re not), you have to wonder how anyone at the Heartland Institute would believe that someone purporting to be a member of the Institute’s board really was a member of the board and really had changed his or her e-mail address.  Since the employee of the Institute gave out what can only be presumed to be confidential data (donators and the amounts they donated), you have to wonder how that person just presumed that the request for the information, and the “new” e-mail, was legit.  In the end, it appears that the bogus requestor was an environmental scientist.

Organizations have to do more in (a) providing secure methods for divulging information to legitimate requestors, (b) confirming that those who call in as employees/board members are legit, and (c) confirming that e-mail changes are legit.

You’d think that years after Mitnick pulled off all of the capers he detailed in Ghost in the Wires, employees would be wise to these kinds of social engineering attacks, but I guess we still have a long ways to go.

More on passwords (pw problems seem to NEVER go away)

So you’ve got a password that you use at home, and you still use that same password on every site you go to, even though you know that you shouldn’t.  So how much harm could there be if you decided to use that same universal password at work?  None of the “bad guys” are ever going to make that connection, are they?  Well, maybe they will.  More and more companies are becoming victims of just this kind of behavior.  There has to be a way to get around it, and darkreading.com has some possible policies that every organization ought to consider implementing.  Here they are:

Have your users passwords already been hacked?