Wednesday, August 15, 2012

Do your parents know what they are surfing

It's 10 o'clock at night, do you know what your parents are doing on-line?  Do they?

Let's not kid ourselves, security on the Internet is absolutely crazy complicated.  Security experts are not immune to being targeted and hacked, and so it goes without saying that everyone else on-line is probably being put at risk daily.  If you are like me, you have become the de facto tech support for your family.  Perhaps you set them up with a nominally secure home router, some A/V software, some favored (more secure) software, and a stern yet vague warning about being careful on-line.  So what happens when you are not there?  Do they know what to watch for, and how to react to it?  Have you prepped them?

If you are like me you always get called at the 11th hour, or perhaps the 33rd hour, long after you yourself could have plugged the hole in the dike.  Perhaps it is a live virus they acquired, or maybe they just got hit with a drive-by and unceremoniously shut down their system when they noticed it "acting odd".  Or maybe it is waking one morning to find that their live-in son left thirty-dozen porn site pop-ups on their login account before he passed out the night before, clear proof that their account password is no secret.

In these scenarios you have to treat your parents like adults, and bite back any criticism.  They are completely new to this Internet thing, they do not have the depth of knowledge you do, but you cannot treat them like children.  That being said we can do some things normally reserved for children.

Prep Work:

First off, have an open discussion about using the Internet and what "screen time" should constitute.  Besides all the cool new sites their friends tell them about, identify openly what do they most need to do on-line. These may be things such as banking and brokerage monitoring, backing up the family tree and photos, digitizing their album collection, and watching movies.  This discussion should include clear examples of dangerous behaviors or locations/scenarios to be expected on-line.  Free porn, ripped media, and similar edgy materials may be part of their adult interests, but perhaps you can locate other resources for them.  Maybe not completely legitimate resources, but "better".  A good suggestion may be that they should look into various media subscriptions, since paid material is generally "cleaner".  You are laughing, but you know what I mean.

Next, make it clear that you are in no position to enforce any restrictions on them (they are your parents after all), but that your advice is important and you may not be immediately available in all future instances.  Especially if brownies are not involved.    ;-)    Then suggest they limit themselves voluntarily, such as using various Parental Controls software.  Even if they have the bypass password for these controls, it is an added layer to help limit their exposure and slow down those malicious browser scripts.

Teach them some of the tricks of your trade that they can do themselves.  When setting up their back-ups, walk them through the set-up rather than doing it yourself.  Show them an example of their A/V software or parental control browser add-on blocking something, e.g. an EICAR file or an adult material site.  Provide them with their own copies of your favorite A/V boot disk, and show them how to use it.  At the least you will be able to walk them through using it on the phone.  Provide them with links (bookmarked!) to a tailored list of sensible security sites where they can double-check what you are telling them.  Have them bookmark also!

If your parents are substantially older, or suffering from dementia, you may need to be more authoritarian with some of these suggestions.  You may also need to expand your access to other areas like remote control software and their cell phone plan (TXT monitoring) as well as personal safety and health monitoring.  Facebook activity and shared Netflix accounts have even been used as additional ways to keep tabs on one's parents and their daily activity or inactivity.

Real Suggestions:

Big talk, but what do I do?  I tend to "do things the hard way" personally, so it has been a struggle to provide the family with simple suggestions and frameworks that may not be up to my own preference.  As we know so well, if security is too complex, the users will bypass the controls.  But at the same time, if Internet access is super simple, so are scripted malware drive-bys.

* browser - I standardized my family on Firefox with the HTTP Everywhere add-on to lock them to SSL sites whenever possible.  I included the IE View add-on and helped them configure it for their favorite sites that really do require IE.  I also showed them MozBackup and send them a periodic e-mail reminding them it's time to back up their profile.  While I love the NoScript add-on, it does complicate browsing and can be a bit too chatty when the user does not want to answer and tailor the various prompts just to load a web site.  I hold it in reserve for the next big incident.

* file management - Be sure they know the basics of Copy/Paste, mapping drives, adding/disconnecting devices, and getting around in Windows Explorer and similar file systems.  You would be surprised how often this skill is overlooked or assumed.  There are many free on-line training videos for this sort of elementary material.  Even better, they will learn it from someone who is not you, but who says the same things you have been trying to teach them.

* back-ups - Help them install and configure a regular back-up process.  Get them a large capacity USB drive as a gift, and string it to the back-ups.  If the data is really important, swap the drive out during your periodic visits so on copy is off-site back at your house.  Don't neglect a back-up process for their home router's configuration, their browser profile, and their on-line web mail and Contacts.

* anti-virus - Regardless of which you choose, set it to auto-update and auto-install.  Maybe use it yourself or join the vendor's mailing list so you know when there might be a large update that has to be managed manually.  You will be surprised when that freeware A/V provides no automated path to their next big version, and your parents simply uninstall or disable the prompts.

* firewall - Besides their home router's basic firewall capabilities, help them use a host-based firewall or IPS.  Teach them how to turn it On/Off, especially when they take their laptop on the road.

* wifi - Set up their wifi, and then document its connection details onto a hard copy they can keep at home.  This material should be something they can share with friends who visit, and it should be dirt simple guidelines like you may find at a moderately secure Internet cafe.
  Next, force them to visit your wifi network as well as at least one Internet cafe or other free wifi source.  This will teach them how to configure their own connection, tell the difference between a infrastructure and a peer-to-peer wifi, and to check their on-line status besides depending on only the browser.

* password safe - Acknowledge how many passwords and accounts you yourself manage and then share KeePass or another favorite password safe.  See if they will share the locking password with you, just in case.  And assist them in putting this on each of their favored devices (USB stick, smart phone) where they may want or need it.  Include the data file in the back-ups process.

* drive encryption - Maybe your family is ready for this technology.  Be sure you are fluent in whatever tool they do use, since you will probably have to help fix it in the future.  The same is true for any find-me software like Prey.
  If it is not too uncomfortable, see if you can teach them the basics of encrypting select files with things like PGP/GnuPG or TrueCrypt.  Note that the Polaroids of today are digital, and encryption is the only way to keep them out of young hands.

* power management - Best feature may be to schedule an automated shutdown process each evening and automated start-up each morning.  This will ensure they reboot their Windows system frequently enough, plus it takes their system off-line when many trouble-makers are on-line.

* Parental Controls - These do not need to be draconian measures, but they can serve as a heads-up when they begin surfing outside of the safety ropes.  They can still  put in the bypass password and surf on, but it serves as good notice.  K9 is a simple and free one with a humorous barking warning, and it applies equally for all user accounts on the (Windows) machine.  Once notified of the risk, just put in the password to open up the dangerous category of content for a certain amount of time.  Much better then typical  "Yes, Allow, and don't ask me ever, ever again" security filters.  Windows itself include Parental Filters (although a bit byzantine) and there are various other free and commercial ones available.

Real (Bad) Tales:

* Dozens of browser windows open on-screen.  Closing one spawns two more, each with graphic nudity and advertising.

* Slow Internet connection.  Turns out they got confused and connected to the neighbor's wifi instead of their own, and had that set as their default for weeks.

* Many instances of e-mails asking if something is legitimate or spreading the latest chain letter.

* The classic, "I clicked on it and nothing happened, but the hard drive light stayed on for quite a while".

* Plugging the laptop into the router and refusing to move it around the home for fear of using the wifi.

* Passwords on sticky notes.  Coupled with traveling on vacation and not knowing how to log into any systems they need (e-mail, airline sites, Netflix, et al).

* An e-mail broadcast to the entire address book with a link in it.

You may note that most of the suggestions here are mainly user training and not security training.  They need to be familiar with the virtual environment and the basics of managing their security.  Remember, they are your parents and you owe them a lot.  And they need you a lot regarding computer security, but are not sure how to ask for it.

~~~~ Habeas Data

No comments:

Post a Comment