Protecting your child online

This is the second post I have done on this topic and the reason for this is the increasing amount of questioning that I have been getting from parents around this area. I think in the past year the message is starting to sink in that real threats do occur online and you need to be aware of how to mitigate against them. First of all can I say that educating your child on how to use a computer can be very beneficial but use this time wisely educate your child how to master IT skills through the likes of your local coder dojo or local computer classes for children, I would not however suggest letting your child have unlimited access to your ipad or family computer. In many cases, kids are more technologically advanced than adults, so some parents may feel intimidated and refrain from enforcing rules that are imperative to protect their children as they surf and socialize online. This is a very real fact there are however ways for parents to educate themselves so they can take a more interactive role in how they deal with there children's use of online forums. Security software is one way to restrict what kids see and do on the web, taking a lot of pressure off parents to stay current with every new risk. But it’s still important that parents get involved with their kids’ online lives, and make sure that their children know how to act and how to react to what they see on the web. Communicating the dangers of the web to your child and staying involved in what they can and cannot do online helps build up an understanding of what is safe and acceptable.

In order to communicate these dangers parents firstly need to understand what the potential threats may be. The number one threat to children today be meeting a predator online, but there are many other online experiences that can result in inappropriate or illegal activity. Kids need to be told that not everything they read online is true, and that there is a lot of material on the web that is not meant for them. This material can include fascist sites, pornography sites, drug sites, and other explicit content that an unprotected child can easily view. To help mitigate these risks there are many new software options available such as filtering technologies, child-safe browsers and search engines that restrict where your child can surf.

Loss of privacy is a another big risk. Kids must be shown how important it is to protect their personal information and the information of their family and friends. Many child-oriented web sites solicit information from kids in surveys and forms in exchange for prizes, and get them to register online for fan clubs. In chat rooms, sharing their gender, age, and favorite hangout could seem harmless, but predators can easily use this information to track down the child. Parents need to be aware that digital predators often pose as children in order to gather information and ultimately meet their unsuspecting victims. But kids also flirt and pretend to be older than they actually are, not thinking about the potential results of such actions. It is also common for kids to get into online fights or become the target of bullying via email, chat, and instant messaging, this type of behavior can sometime consume the victim so much that they become withdrawn and with no physical marks to show from such behavior it can become hard for parents to figure out whats going on. With the introduction of such apps like snapchat where the messages disappear from the victims phone within seconds it can be very hard for a child to prove that the bullying exists. I would strongly recommend that parents are very aware of what messaging apps your child is using and carefully monitor there activity especially if the child's behavior starts to change.

Blogs such as this one and Social networking sites such as Facebook are places where kids can share too much information—not only names and addresses but also personal photos that sometimes show illegal acts, such as underage drinking or drug use. Ask your kids to share their blogs or online profiles with you so you can check the content. If you are spicious that your kids are hiding content from you then use Google, along with the search tools on social networking sites, to search for profiles your child may have posted. Use your child’s full name, phone number, and other identifying information. You can also use Google images to upload a picture they may use on social media sites and this will trawl the web for that pictures or ones that may be similar.

The next threat vector parents need to be aware of is Peer-to-peer (P2P) file sharing this alone creates new issues and privacy problems. These programs allow people to browse and download files from Internet-connected personal computers of anyone else who uses the same program. This makes it easy for cyber criminals to spread viruses, Trojan horses, and spyware. Kids can also accidentally download pornography that is labeled misleadingly. I would strongly suggest that you don't allow your children to use such services unless you are able to closely monitor the content. Setting up a virtual machine will help mitigate the threat of malware and virus's to your main machine if you run your p2p service off the virtual machine but it will not prevent your child accidentally downloading porn.

So how do parents go about becoming proactive about the above? I have complied a list of ten things that you should sit down with your children and go through. The below list will set out clear boundaries for your child and let them know that you care and are taking a proactive role about there online security. 

1) Monitor your child's online activity this is by far the most important step to take. Limit the chance that they are looking up inappropriate material by putting the computer in a high-traffic family area and limit there usage. There are loads of child monitoring software packages out there so do your own research to find a software that meets your needs and budget.

2) Fortify your computer with strong security software and make sure to keep it up to date I have wrote about the importance of this in past blogs so take a look through my posts if you need help with this. Using software such as The McAfee® Internet Security Suite guarantees protection from viruses, hackers, and spyware. It filters offensive content, pictures, and web sites. The anti-virus software will also protect your computer from viruses and spyware by automatically scanning email attachments and files downloaded from P2P file-sharing sites. For the most complete way to keep your children safe online, use McAfee Family Protection. It keeps children of all ages safe from exposure to inappropriate content, social networking risks, strangers, and other online threats. With McAfee, kids are free to safely explore, learn, and enjoy their online interests.

3) Make sure kids understand basic rules for using social networking sites such as Facebook and blogs. They should guard their passwords, and never post personally identifying information or inappropriate photos. Blogs and social networking sites offer privacy tools that can be turned on to restrict potentially dangerous users. The sites automatically provide these protective tools to kids under 15. Kids should share information only with people they know from the real world. Make sure that your kids understand that there are bad people online to and they may not be who they claims its very easy make up a fake social media account.

4) Never ever let your child arrange in-person meetings with people they meet online. If however for some reason you think that this is acceptable you should confirm the person’s identity, and you should accompany your child to the meeting in a public place.

5) When using P2P file-sharing programs, kids should not download files from users whom they don’t know. They could be downloading infected files, pictures, games, and music that are inappropriate, or media files protected by copyright law. As I said above using a virtual machine for this activity will save your computer if they do download a virus. Also its important to note that kids should not allow users to upload their music files unless they’re certain that they have permission to share them. You can disable the upload feature so that your kids don't inadvertently share files without permission.

6) Don’t allow kids to fill out online forms or surveys. If there is a legitimate site where they want to register, such as Nickelodeon or Disney, have them come to you first so you can check the site’s privacy policy and rules of conduct. You should take the time to read there privacy statement but I suggest use a throw away email address for such sign ups and limit the amount of factual information you need to share.

7) Only allow your children to use monitored chat rooms, and have them use a screen name that doesn’t hint at their true identity. As with blogs and MySpace, kids should never reveal personal information or share photos. Make sure they understand that people can lie about who they are and that online friends are still strangers.

8) Teach your kids to ignore emails and instant messages from people they don’t know. They should never open attachments they are not expecting nor click on links in messages. As with blogs and Facebook, they should not send out personal information.

9) Use browsers for kids and kid-oriented search engines. Children’s browsers such as Google safe search for kids do not display inappropriate words or images. It comes pre-loaded with kid-safe web sites and pre-set word filters.

10) Set you kids goals to research online safety be themselves as them to write you a little report on what they think the dangers online might be. Fact Monster is an excellent reference site, packed with information and homework help. For Ireland you should check out the office for internet safety.

How safe are messaging apps

With the massive rise in popularity of messaging apps in the past few years with Snapchat said to have at least 30 million active monthly users while WhatsApp and LINE sport 400 million and 300 million registered users, respectively. The ever increasing risk of cyber attacks against such accounts and there retrospective servers is a given. The issue with a lot of these apps is they request a mountain of personal information in order for you to be able to use the service. Giving this information requires a lot of trusting of the application developer and from past exploits its hard to say a lot of these developers deserve your trust. The question now is "how do you protect yourself whilst using such application?"

Well in order to help you with this I have compiled a number of steps that if followed should help minimize your risk of exposure if your account becomes victim to a cyber attack.

1) Be discreet. If you want to use messaging apps as a way to contact certain people, avoid using real-life identification details that can be traced back to you. If that can’t be avoided, use as little real information as possible, depending on the app you’re using. Avoid linking your social networking profiles to your messaging app accounts.

2) Secure your messaging app accounts. Use a unique email account for your messaging app. Don’t reuse passwords.

3) Don’t share anything you wouldn’t want the public to get wind of. Oversharing is one of the biggest mistakes you can ever make online; using messaging apps is no exception. Be aware of what you share. And when in doubt, keep sensitive information to yourself.

4) Limit what access you give your messaging application eg don't give access to your location or photos unless you need to.

Recovering "Deleted" snapchat messages

You have just arrived at this post and read the heading "recovering deleted snapchat messages" and now your thinking snapchat deletes my messages after 10 seconds doesn't it? Well the simple answer to that question is no. This isn't any kind of a new revelation the research has been around since 2013 it just doesn't seem to be well known so I have decided to do my part to try and highlight it. The main reason for writing this post is to try and get the message through to teenagers and young adults that the content you are sending may not be secure and could come back to bite you. There is also a massive legal issue with the sending of explicit images if both parties are seen as minors and you could land yourself in a whole lot of trouble with the law. It is important to presume that anything you send or do online can be traced and made public so the safest approach to take is think twice before sending anything out there that may prove harmful to yourself or others.

If you would like to read through the report on how to recover snapchat messages and I suggest that you do the link can be accessed here. After reading this report maybe you might consider sending a snap to your friends just to let them know you have a code red situation and you need to meet up. For anyone who is to lazy to click on the link I have copied in the body of the report below.
-------------------------------------------------------------------------------------------------------------------------

Methodology

We used two android devices to examine artifacts left behind by Snapchat. An account (rhickman1989) was created on a Samsung Galaxy Note 2, and pictures and videos were sent to another account (DeciphForensics). The receiving account was logged into on a Samsung Galaxy S3, when some of the images and videos were viewed, while others were not. We then acquired the phone using AccessData’s Mobile Phone Examiner+ version 5.2.1.499. After the acquisition was complete, the image was exported as an .AD1 image file, and then imported to AccessData’s Forensic Toolkit version 4.0.2.33.

After a brief examination of the contents, a different account (decipforensics2) was created on the Samsung Galaxy Note 2, and more pictures and videos were sent to the account on the Samsung Galaxy S3 (rhickman1989). This was to determine if there are identifiers for the sender account of a “snap.” The same acquisition process was followed again after the second batch of “snaps” were sent.

After another brief examination of the contents, pictures and videos were sent from the Samsung Galaxy S3 with the rhickman1989 account to both the DeciphForensics and DecipForensics2 accounts. The same acquisition process was followed again after sending these “snaps.”

All examination took place using AccessData’s Forensic Toolkit version 4.0.2.33.

Snapchat Structure

The majority of Snapchat data is stored within the data/data/com.snapchat.android folder. There are four folders within this directory, with two folders within the cache folder.

Examination of the Samsung Galaxy S3 revealed that within the shared_prefs folder are several XML files: CameraPreviewActivity.xml, com.google.android.gcm.xml, com.snapchat.android_preferences.xml, and SnapPreviewActivity.xml.

The com.snapchat.android_preferences.xml File

This file is where the majority of information stored by Snapchat is located. Within this file is a listing of all the contacts stored on the device. This is done with the permission allowed by the user for the application to read the contacts on the device.

Below the list of contacts is a listing of Snapchat messages. It appears that there is a set of fields stored for each message in Snapchat. The following are the fields stored in this section of the XML file: type, mSender, mWasViewed, mCaptionPosition, mCaptionOrientation, mIsLoading, mIsTimerRunning, mIsBeingViewed, MWasOpened, mWasScreenshotted, mDisplayTime, mId, mTimestamp, mStatus, mIcon, and mMediaType.

We sent only two pictures from the DecipForensics2 account, and one was viewed and expired. Within this XML file are two records that show the mSender field set to “decipforensics2.” Of those two records, one has the mWasOpened set to “true.” The author kept documentation as to which images were opened and allowed to expire and which are not, so it is known which image is tied to this record.

The mTimestamp field is stored in Epoch format. Upon conversion of this value, it showed the time that the image was either taken or viewed. Further research will need to be done to determine which it is, however, the time is within the timeframe of both being sent and viewed. Unfortunately, the author did this within a few minutes of each other and did not record the exact time sent.

The mId field for the picture shown to the left is “270518365528484358r.” The mTimestamp field in the same record is “1365528484358.” After converting the Epoch time format to readable format, the time stamp is for April 9, 2013 11:28:04 MDT. The similarities here will be address further in a later section of this paper

The received_image_snaps Folder

Within this folder were located every image sent to the DeciphForensics account on the Samsung Galaxy S3, including the images that had been viewed and were expired. There were some duplicate images with different names as well, the reason for this is unknown.

Android developers created a way for media files such as graphics to be stored on the phone for application use and function without being put into the Gallery application as an image to be viewed. The way that they did this was with .nomedia files. “If a directory has a file named .nomedia, then the media store will not scan and record the metadata of files in that directory” (Hoog, 2011).

Each of the images within the received_image_snaps folder had a .nomedia extension appended to the end of the file name. For example, the name of the file figure 3 is “h1a81hurcs00h1365528700423.jpg.nomedia”. This was likely done to prevent the images stored within this directory from being placed in the gallery or from being scanned by the media store. AccessData’s Forensic Toolkit recognized the .nomedia extension that was appended to the end of the file name and ignored it, displaying the images.

Correlations between the XML Records and the Image Names

There is a small correlation between records within the com.snapchat.android_preferences.xml file and the name of the image file stored in the received_image_snaps folder.

As shown above, there are three correlations between the name of the image, the mTimestamp value, and the mId value. While this is consistent with this image, it is not always consistent with all images. The section in blue is present in several of the other images, only with different numbers following to separate the image.

Conclusion

The author began this research in an attempt to answer several vital questions about the Snapchat application as it is stored and used on Android devices. The author has concluded that metadata is stored for Snapchat images, as shown by the com.snapchat.android_preferences.xml file, and that it contains metadata about expired “snaps” as well as unexpired “snaps,” and that images that are sent via Snapchat are indeed recoverable, and do not “disappear forever.”

Securing your iot devices

2016 has been named the year that the internet of things (iot) takes hold, with a reported 50 million plus devices sold worldwide to date with everything from smart fridges to smart plugs iot is here to stay. It must be noted however with all of this extra connectivity comes a juicy threat surface for cyber criminals to prey on. The main thing consumers need to remember that if you bough a devices that connects to the internet then you can be guaranteed that it needs to be secured. In this post I am going to outline a number of steps you can take to help protect yourself and your family from becoming victims of a cyber attack.

1) Keep your devices up to date

This goes for all devices that connect to the internet but I would especially recommend it for iot devices as new exploits are exposed manufactures may push down patches to solve the vulnerability and therefor you should regularly check to make sure your device is running the latest software.

2) Change the default password on your device

This is a very important step to take as the majority of iot devices are mass produced with a default login and not changing this on day one will leave yourself vulnerable to attack. May I suggest using a password that is at least 10 character long with special characters and capitals and numbers i.e don't use your last name and type 123 after it.

3) Be familiar with your devices privacy section

What kind of information are you saving or sharing through this device and what guarantees are put in place that this information is been protected. Don't assume just because the manufacturer says its a secure device to use that it is and make sure your information isn't been shared with third parties.

4) Be carefully buying a second hand device or selling your own device

Buying a second hand device on line may come pre-installed with malware or a backdoor only buy second hand devices from a reputable dealer. On the flip side think long and hard about selling your device, resetting a device may look like all your data has been cleared but with a little know how a lot of this information may be retrieved. There are a number of programs out there that ensure proper data erasure and this may be something you should look into first.

Securing your android (the basics)

I have been asked a bit lately about securing android devices as I tend to focus on the apple side of things as I myself use the iPhone. There is a myth out there that android is inherently insecure and this really isn't true, android out of the box is pretty good its the user that make the device insecure. The real issue with android is anyone can make an app and upload it to their store they don't check first to see if you are a potential cyber criminal. I think from memory that at one stage in the past few years the top 5 apps in the android store were in fact trojan horses this might be wrong but I am pretty sure their is some truth their I need to go back and double check this. So to minimize the waffle you ask "what do I need to do to secure my android?" Well I have put together a number of steps that if followed will definitely help you get to a place where you can feel "secure".

1) Do not save all of your passwords in your device! I don't know why I need to say this but people naturally tend to save their passwords for easy access of whatever the reason on their devices. This is a very bad practice and you should avoid this, think of memorizing your passwords of a way to delaying Alzheimer's and not getting ripped off by cyber criminals.

2) Use your devices inbuilt security features, If you are running on Jelly Bean, you can have a screen lock and encryption enabled to further enhance your security. Use these features they will help you keep your device safe.

3) Androids allow you to lock your apps you should use this feature especially for apps that hold sensitive information. Their is a free app that you can download to enable this feature called App Lock.

4) If you are installing an app read what permissions the app want's!!! If you are downloading some recipe app it doesn't need access to your camera, microphone and contacts. This should be common sense but for some reason people download apps and click ok to everything.

5)  Download a mobile security app, androids are very much open to virus's and malware in comparison to their i0S counterparts. An app I think is pretty good is avast!mobile security.

6) One of the most important things you can do to secure your android is secure your network. I know you wont listen but try to avoid using public networks. You can protect your information by using apps like Hideninja VPN so that your outgoing connection is always encrypted, making it harder for anyone to sabotage your data. If you suspect that your device is being attacked, WiFi Protector can help fend off these attackers. To further enhance your network security you can apply settings from SecDroid but note that this app is only for rooted phones.

Protecting Windows 10 (The Basics)

Over the past few months Microsoft have been firing out their new operating system Windows 10 to the world for free. This blog is more aimed at anyone who is just after installing the operating system as chances are if you are a windows user you may have already upgraded or will be doing so in the near future. Like most things that come fresh out of the box to make them work to a level you might expect takes some tweaking. I am going to focus on a few basic steps you should take right away to make your new operating system secure.

1) Run the windows update straight away, I know you may have spend an hour or two installing the dam thing but running windows update will make sure your operating system has the latest patches. To find windows update just click the little search bar at the bottom of your screen and type "windows update" once opened just hit "check for updates" and your done.

2) System restore is turned off by default in Windows 10 so you might want to turn this on. Microsoft have renamed this function as "system protection" so to turn this on head back down to the little search bar and type "This PC" when the logo appears right click on it and select "Properties" click on "system protection" then click "Configure" and turn system protection on.

3) Check your Windows 10 privacy setting by default everything and I mean everything in here is turned on. To get here you go to START > Settings> Privacy spend a bit of time looking over this and make sure you are happy with it.

4) Make sure that all of your applications are updated in an earlier post I mentioned that Secunia PSI was a good application to check this.

5) Make sure you have your anti-virus turned on if you don't have an anti-virus Windows has a build in AV called Windows Defender. You can find Defender by going to the search bar and typing "Windows Defender".

Staying anonymous online (The Basics)

This is a topic that seems to keep popping up over and over again for many different reasons some good and some bad. In my opinion everyone should have the right to remain anonymous online if they choose to do so. I know in the extreme cases Governments are claiming that terrorists and criminals are using encryption of a means to carry out organised crime and nation attacks, however does this mean the rest of free society should give up the right to remain anonymous online? If you believe that the answer to this question is no then you can take a number of steps to help keep your     online identity non-existent. The steps below in no way mean that the FBI won't know who you are if you start doing some illegal shit like hiring an assassin on the dark-net so I strongly advise against doing so.

1)  If you are the type of person who wants no digital footprint then you might not want to join social media sites. The amount of personal data that social networking sites like Facebook, Google Plus and Twitter have harvested from their billions of users is shocking. Head to facebook.com/settings and click ‘Download a copy of your Facebook data’ and you might be surprised to see just how much information is on file. More or less everything you have ever done on Facebook is saved in this file so you can kind of get a feel for just how much information these sites hold on you.

2)  My second tip is another rather simple approach, go incognito The top four most popular browsers - Google Chrome, Mozilla Firefox, Internet Explorer and Safari - have a private browsing mod. With private browsing activated, your browser will not store cookies or internet history on your computer. This is quiet a limited function and is really only of use to hide information from others such as a significant other. I say this because Private browsing does not securely hide your identity or browsing activities beyond your local machine as your IP address can still be tracked.

3)  It is a known fact that many websites track and monitor their users activity, this can actually cost you money. An example of this is that plane ticket that you want to buy so you regularly check to see if its sold out, then when you have the cash the bloody ticket has gone up in price, the reasons for this could very well be website tracking. The issue with website tracking is you can't see if the websites you are visiting are actually tracking you. Ghostery is a free browser extension - available on all major web browsers - that will reveal these trackers, also known as web bugs. You can then decide which web bugs you’re comfortable with tracking you and which ones you’d like to block.

4)  Stop using Dropbox, I know that its a handy tool but as Edward Snowden once stated about Dropbox "they are a cloud service hostile to privacy". Lucky enough if you still want a way to share your files Snowden himself recommends that you use Spideroak to do so. The reason for this being that Spideroak is a zero-knowledge encrypted data backup, share, sync, access and storage service.

5) Use an alternative search engine to the mainstream, I suggested in a previous post that the best search engine for this is DuckDuckGo, which promises never to track your searches and “emphasizes protecting searchers’ privacy and avoiding filter bubble of personalized search results.

6) Reconsider your phone options, if you have a smartphone then staying anonymous just became a whole lot harder. The reason for this is for some reason every app you download these days wants access to your location,contacts,camera,microphone etc which makes staying off the grid impossible really. If you are super parnoid may I suggest investing in the super cool name "Blackphone" This is an ‘NSA-proof’ smartphone that claims to provide privacy features for texts, emails, web browsing and phone calls.

7) Use a Virtual Private Network (VPN)!!! I am sick of repeating this and if you really are serious about staying anonymous online this is simply a must have. You ask what is a VPN? Well essentially it hides your IP address and runs all your online data via a secure and encrypted virtual tunnel, which can keep websites from tracking your online activity or even knowing which country you’re browsing from (which is great for American Netflix). The catch with a using a VPN is don't ever trust a free one so you will need to shell out a few quid every month for the privilege of the service. Their has been a lot of talk recently about how secure certain VPN's are so do some of your own research and find the best one for you.

8) If you are using a popular webmail service such as Gmail then you might want to either change to a more secure provider or else add some security to your current provider. To do this I would suggest installing Mailvelope. Mailvelope is a browser extension for Google Chrome or Mozilla Firefox that brings OpenPGP encryption to your webmail service. Similar extensions exist, such as SecureGmail, which encrypts and decrypts emails you send through Gmail. Alternatively you could start using a webmail service such as Hushmail. Hushmail is currently very popular, it provides a private email account with no ads, built-in encryption and unlimited email aliases. Their is a limited free version of Hushmail however like everything you need to pay to get all the bells and whistles. For the more paranoid their is always the option of Disposable Email Addresses (DEAs). These are anonymous and temporary. They allow users to quickly create new email addresses as-and-when they’re needed, which can then be disposed of after use. There are many companies that provide this type of service however the more reliable one may come in the form of Guerrilla Mail and Mailinator.