
Saturday, March 24, 2007

Online Predators – A Security Risk to Our Homes and Families

I am going to take a break from enterprise information security and talk about computer security on the home front for a bit. The security aspects of online predators, children, and the Internet are yet again getting a huge amount of publicity, and are worth discussing. In a recent news article in Denver, “Police crack down on Internet predators,” police are using online chat rooms to lure predators into a situation where they think they are going to meet a child for sex, and they then actually get arrested. The article goes on to list the names and personal information about these worthless scum for all to see.

First of all – Good on the cops and law enforcement agencies nationwide who are cracking down on these worthless animals that prey on our kids. Bad on the liberal morons who are criticizing this effort and saying that these people getting caught are victims of entrapment. The predators are making the conscious decision to pursue their uncontrolled urges online. The cops are just acting as the decoys for the predators to go after instead of the predators going after our kids. One predator going after a decoy means that one less kid is becoming the next victim. Kind of like why we use “honey pots” on our corporate networks – to give the bad guys something to attack so as to keep them distracted, and so that they won’t attack our real servers, right?

Now – in my opinion, there are two parts to the solution for deterring would-be predators. One strategy being that which is already being done by our law enforcement agencies, as cited in the article. Shows like Chris Hansen and Dateline’s “To Catch a Predator” are giving high visibility to these pathetic people, and showing these perverts getting busted publicly, exposing them for who they really are. Chris Hansen and John Walsh (“America’s Most Wanted”) are two of my biggest heroes. They are making a difference, and are truly positive forces in our society today. Good job guys – you are two of the true heroes of our time.

The other part of this solution is that parents need to be more proactive in protecting children from these online perverts, and in fact protecting children from their own inability to protect themselves. Children are immature, lack experience, and just don’t have the knowledge and logical thinking tools developed yet to allow them to rationally deal with these types of situations. This is through no fault of children themselves – that’s part of being a child, right? Many will argue that parents should not censor their children’s activities. There is a fine line between censorship and protecting them. True, children can indeed think for themselves on many issues. But their thoughts are often not logically constructed, and tend to be rather impulsive at times. Of course, I could say the same for many adults! Children often do not know any better, believe what they are told, and these animals have become so good at disguising themselves that it is easy for a child to be deceived. Children think that they are hiding behind the anonymity of the Internet, and often feel very uninhibited when chatting online. They then get pulled into the webs spun by these scum bags.

Parents don’t need to hover over their children’s shoulders every minute that they are on the computer to be good parents. Rather, they can take some very easy technical and low-tech steps to protect their children’s Internet usage. All they have to do is be a little pro-active and put a few safeguards in place to show their children that they care about them.


Enforce Internet Hours:

Much of what the experts will tell you about how to prevent your children from venturing into dangerous waters on the Internet has to do with not allowing them to be up all hours of the night chatting. Even if you have the family computer in a common area as suggested, how do you monitor usage if it is late and you are already in bed? If you have broadband service, you can use your router to specify hours of operation. Even if you have only one computer (and think you don’t need a router), people have heard me say over and over that you need to have one of these routers anyway - for the other security measures that they offer, such as firewall protection. I am harping on people yet AGAIN to get one because the broadband router can also help you protect the people that use the computer, not just the data on the computer. Most broadband routers allow you to set hours of operation for all or certain specified computers. The computer will still work as it normally would - allowing your children to print, access files on another computer, and do their homework. Should they be up all hours of the night doing it is your concern, but at least the Internet access will be turned off. If you have multiple computers, you can limit Internet hours to some, but not necessarily all. Many times I am in my office late at night researching something (during a bout of insomnia) and need the Internet to be accessible. But the kids can't use my computer from fear of death, or at least my strong password gets in the way :)


Use Parental Controls:

Just like the V-Chip on your television, your broadband router has the ability to help you sign up for and put parental controls in place. You can specify and allow only content that is appropriate for your family, protecting them from questionable material and web sites that cater to a variety of offensive content from pornography to web sites that contain hidden malicious code. These sites are also often used for phishing and other identity theft scams. Much of what is being discussed as far as the dangers of online predators is the idea that children are often lured to seemingly innocent web sites or chat rooms, but are then exposed to all kinds of things that can lead to, among other things, identity theft - theirs and yours. By signing up for the parental controls services, you can leverage the ability of the service by knowing that they are keeping their definitions up to date and monitoring for the many new dangerous sites that pop up so that you don't have to worry about constant upkeep. You can also specify your own list of prohibited web sites using your router's built-in functions as well.


Use Protection Software:

There are also a wide variety of software packages out there that will allow you to permit and restrict web sites that your children can visit. NetNanny is one such product. There are many others - the Internet Filter Review web site provides a wealth of info, as well as software comparisons. Many of these types of software allow you to prevent access to suspicious web sites, monitor chat room and email activities, and even send you alerts of suspicious activities that are taking place.

Even the more sophisticated personal firewall software has the ability to restrict application access to the Internet. ZoneAlarm, for example, has the ability to allow or disallow any application of your choosing access to the Internet. If you feel your children's usage of their favorite chat program has gotten out of hand or is suspicious, simply turn off access, talk to them about it, and then come up with a strategy for safer usage.

For those of you who use Comcast broadband Internet service, McAfee Personal Firewall comes to you free of charge. I use McAfee, although I have been a ZoneAlarm fan for many years - because it is free with my current service. The McAfee product provides a very robust set of features to protect you and your system from harmful activities.


Upgrade to Windows Vista:

The parental controls features of Windows Vista allow parents to more tightly control what and when their children use the Internet. Parents can set hours for computer use, set sites as off-limits or even limit browsing to only a few sites, and even monitor what sites their children are viewing. Easy to confuse this with censorship, but we are talking about children, after all. It is (in my humble opinion) the parent's job to keep children from things that will hurt them or bring liability for illegal activities onto the parents. This allows for a more granular setting of computer restrictions. The other thing I personally like about it is that the parental controls block what you specify, but give a reason why - letting the kids know that you are taking an active interest in their computer activities.


A Low Tech Approach to Web Site Access Prevention:

Within your computer is a low-tech way to keep it from accessing questionable web sites and sites that host chat rooms: the HOSTS file. When you type in a web site address or click on a link in your web browser, you have just told your computer you want to visit an address somewhere on the web. We as humans can only think in terms of plain English names, like www.wflinn.com or www.google.com. Our computers, however, only think of this in terms of addresses known as Internet Protocol (IP) addresses. An IP address looks like 192.168.1.1. For instance, what you know as www.wflinn.com is actually located at address 66.226.64.9. When you type in the plain English name, your computer has to do what is known as "name resolution" to find out what IP address you need to go to. The HOSTS file is a file that your computer looks to first to find out the IP address of a web site's location. If it doesn't find a suitable address in the HOSTS file, it goes out to what is known as a Domain Name System (DNS) server to get the address. Therefore, if you put an entry into your HOSTS file to tell your computer the address of a specific site, it will look no further for the address.

So - you fake your computer out by telling it that the address of a questionable web site is 127.0.0.1. The address 127.0.0.1 is a special address - it is the loop-back address of your own computer. Regardless of what address your Internet Service Provider assigns you, your computer's internal address is always 127.0.0.1. When you tell the HOSTS file that the address of a questionable web site, such as www.myspace.com is actually 127.0.0.1, your web browser will try to go to that address, find out it is not a web server, and simply display the plain white "Page not found" error that you get when you try to go to a web site that doesn't exist. I'm not necessarily trying to pick on MySpace, by the way - but they have been singled out lately as one of the most popular sources that many online predators look to for victims, so I have chosen to outright block all access to that site from all of my computers.

This method, by the way, is an easy method for preventing all those annoying advertising pop-ups in your web browser. There are many web sites where you can obtain entries to copy and paste into your HOSTS file - so you don't have to do the research to figure it out and type them all yourself. The good news is that this method is easy, no cost, and works very well. The bad news is that it must be updated, and if your kids are computer savvy, they can find this file and erase the entries to give them back access to web sites that you have blocked.
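
The weakness noted above (entries can be erased, and the list must be kept current) can be checked for. The following Python sketch is an added example, not part of the original post: it compares a HOSTS file against the names you intend to block and reports any that are missing, commented out, or pointed somewhere other than the loopback address. Apart from www.myspace.com, the host names and the sample file are constructed for illustration, and using the first entry found for a name is an assumption about how the resolver reads the file.

```python
"""Audit a HOSTS file against a list of host names that should be blocked."""
import ipaddress

# Constructed sample HOSTS file (not taken from a real machine).
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1   localhost
127.0.0.1   www.myspace.com   # blocked
#127.0.0.1  chat.example.com
203.0.113.7 ads.example.net
127.0.0.1   WWW.Example.ORG tracker.example.org
not-an-ip   junk.example.com
"""

# Names the parent intends to block (constructed, except www.myspace.com).
REQUIRED = ["www.myspace.com", "chat.example.com", "ads.example.net",
            "www.example.org", "myspace.com"]


def _entry(line):
    """Return (address, [names]) for a HOSTS line, or None if it is not one."""
    fields = line.split()
    if len(fields) < 2:
        return None
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:
        return None  # first field is not an IP address: malformed line
    # Host names are case-insensitive; a trailing dot is ignored.
    return addr, [name.lower().rstrip(".") for name in fields[1:]]


def parse_hosts(text):
    """Return (active, disabled): name -> address, and names in commented-out entries."""
    active, disabled = {}, set()
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        entry = _entry(body)
        if entry:
            addr, names = entry
            for name in names:
                # Assumption: the first entry for a name is the one used.
                active.setdefault(name, addr)
        elif not body.strip():
            # Whole line is a comment: it may be an entry someone disabled.
            entry = _entry(comment)
            if entry:
                disabled.update(entry[1])
    return active, disabled


def audit(text, required):
    """Return {name: status} for every host name that should be blocked."""
    active, disabled = parse_hosts(text)
    report = {}
    for name in required:
        key = name.lower().rstrip(".")
        addr = active.get(key)
        if addr is None:
            report[name] = "commented-out" if key in disabled else "missing"
        elif addr.is_loopback:          # 127.0.0.1 or ::1
            report[name] = "blocked"
        else:
            report[name] = "redirected to %s" % addr
    return report


if __name__ == "__main__":
    for host, status in audit(SAMPLE_HOSTS, REQUIRED).items():
        print("%-20s %s" % (host, status))
```

To audit a real machine, pass the contents of the HOSTS file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Unix-like systems) to `audit()`. The `myspace.com` result shows that HOSTS entries match exact names only, so each variant of a site name needs its own line.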


Summing it all up:

The Internet has exploded into a virtually unlimited resource for finding things and getting information. Unfortunately, it has also brought out the worst in some people. A recent news article made mention of the fact that most of these online predators wouldn't be able to carry out their abhorrent behaviors if not for having a computer and access to the Internet. It was interesting when one young girl on the news article said that parents tell them not to talk to strangers and such - all things related to being safe outside the home. But now, the Internet has brought certain dangers inside the home and can affect your whole family.

There are many ways to protect your kids, from outright prohibition of certain things, to allowing access to everything, but helping them make wise choices. As I said, I am not going to get into this whole debate about what is and isn't censorship and invasion of privacy - that's up to you as parents to decide for yourselves. I will, however, tell you that you can use technology to help enforce your choices, and I encourage you to explore and use the various technologies at your disposal to do so. Not only will you be ensuring more safety for your family, but you will be adding to your overall computer security posture as well.

See my article on my web site from last year for a repeat of this information with images to help you configure the items mentioned in this article:

http://www.gonzosgarage.net/computers/archive0506.html


Thought for the day: Stupid people suck, but worthless predator scum suck even more!



Thursday, March 22, 2007

When “Smart” People Make Stupid Security Decisions

Warning: Here’s the deal – I have had a week consisting of four “Mondays” in a row. Bad drivers and stupid people have been working my last nerve, so I gotta vent! This is an angry rant about stupid people. If you are a stupid person and you are easily offended, then you should turn away now. Maybe go play on a porn site for awhile. Either that or get some brains and rational thought, and you can join us for some intelligent conversation.

Here’s why I’m angry - I read an interesting article recently that highlights the folly of allegedly “smart” people who show their information security ignorance and make stupid decisions when they don’t even understand the most fundamental of technologies and reasoning behind information security requirements. Then, when someone with intimate technical knowledge of what the issues are and how to solve them steps in, they are instantly rebuffed when even daring to mention the problems. I have experienced this type of thing my whole working life: I see people go through college, get a degree in underwater basket weaving, then somehow get into the pipeline to become managers. Either that or they drink their way through college, become lawyers or doctors, buy beemers, and act like spoiled children the rest of their lives. I had to laugh when I read the following line in this article:


“The attitude among the legal staff was, ‘This is my computer and my network; you’re just a computer janitor.’”


To give a quick synopsis of the article – there are a bunch of attorneys in a District Attorney’s office (city unknown). These lawyers are the very buffoons behind creating an environment which operates with a wide open network, wide open access to data, and confidential data exposed to anyone on the network (and possibly outside the network) who wanted it. Additionally, there were malware and peer-to-peer applications installed on numerous (most) computers throughout the office. When a network support person in the IT department mentioned the dangers of this existing environment, he/she was presented with numerous roadblocks – arguments from lawyers rationalizing how their activities (mostly music file sharing via Napster) were acceptable. Lawyers, after all, are great at making an argument to support ANY position, no matter how lame or morally wrong it may be. It appears from this article that they expended great energy to make their attitude toward information security seem justifiable instead of facing the fact that they were putting their network and data at grave risk. Essentially, non-technical people were allowed to dictate the standards for technical systems, and all because they didn’t want to be inconvenienced and have their toys taken away. The network support person was later fired for being insubordinate to his/her “betters.” In other words – he/she told these cry babies how it is, what it would take to fix it, and they didn’t like it. Need I remind you – this was allegedly a District Attorney’s Office. I sure wouldn’t want to be that District Attorney when the network gets breached, the data gets stolen, and even ends up getting distributed through the peer to peer sharing network. Notice that I didn’t say “if,” I said “when” because it is going to happen unless they fix it and fix it quick, fast, and in a hurry. What a story that would be in the national news!
Of course it wouldn’t be the first time a top lawyer was found to be criminally negligent of something, now would it?

That is why this article seemed to call out to me because I hear of and even see the same thing everyday. The attitude that:


“Your computer security mumbo-jumbo is fine for everyone else, but don’t you dare inconvenience ME!”


It’s all about “ME” and it’s all about the fact that these people are so very important that inconveniencing them would be the most heinous crime committed against humanity.

And this “ME” attitude is coming from people with master’s degrees, doctorates, professional status, and high power positions. Seems the richer they are, the more spoiled and whiny they are. The lawyers in this article are perfect examples. But not only are these types of people complaining about security that keeps them from playing with their toys on the corporate network, some managers these days are complaining about security measures that are revealing large numbers of vulnerabilities and security problems. It’s not even that there are problems that need to be fixed – it is that the numbers are making them look bad. It’s all about the numbers, and it’s all about looking bad. No thought is given to the fact that they look bad because they ARE bad. If they want to look good, then why not just fix the underlying problems? Is that so hard?

(This is the part where I rant about the bad drivers) This is the same population of people, no doubt, who are claiming the roadways as their own as they carelessly drive their beemers with no regard for others. While keeping a cell phone glued to their heads, they are then complaining that the speed limits and laws of common sense are keeping them from totally owning the road for themselves. In fact just today, one of these morons couldn’t find a parking spot at our building, so they parked their car in the motorcycle parking – how stupid is that? Justice was served – the campus police slapped a parking ticket right on that Mitsubishi. Hope the laziness was worth it. (Bad driver rant completed).

In many cases, it all comes down to this:


“Your security reports are making me look bad, so my management is giving me heat and withholding my budget until I fix the problems. So why don’t you come up with a way to make me not look so bad?”


They will try to rationalize how the data needs to be collected a different way so that the numbers (of problems) look better. My answer to that: Rather than waste so much time and energy trying to manipulate numbers to make you look good, why not just fix the problems and it will make you be good – for real! Manipulating numbers and hiding vulnerability problems is one way to make it look fixed, but taking real action will actually fix it. But, as one of my graduate professors often said: “Figures don’t lie, but a liar sure figures.”

Another clever issue evasion strategy: the smoke screen. When faced with data that clearly shows that their area has problems, the management will ask irrelevant questions and demand explanations in order to throw off or divert effort. They have no idea what they are asking in many cases, and often look like jack asses because their questions show their glaring ignorance of information security concepts. These activities will often tie up security professionals for days while they make every effort to ensure that they are explaining the justification for valid and relevant security measures. Security people shouldn’t have to do this – it is a waste of time and keeps them from the business of keeping networks secure. Security professionals shouldn’t have to agonize how to explain something so simple to allegedly intelligent people. This is more like explaining to your small kids why they can’t run down the hall with scissors.

But time after time, these people want to send us off to find an answer that will appeal to their twisted sense of logic. It may not be the right answer, and it may not be the one that is actually going to solve the problems. This is what an acquaintance of mine refers to as a “find me a rock” exercise. Someone will tell you to go find a rock, and when you bring one back, they say: “No! That isn’t the kind of rock I wanted! Go find me another one.” These types of senseless tactics are meant to waste other people’s time and buy the stupid people some time to think up another excuse. And these people are making decisions! Wow – no wonder so many companies are in trouble.

OK – so let’s bite the bullet and see what it will take to do something about this. In the case of the lawyers in the story above, or even the situations I have described here, it is going to take some work - a lot of work - up front. It is going to take a huge amount of effort and many staff hours in the beginning. But the interesting thing I have found is that if a methodical plan is put into place, and some reasonable time given to remediate the problems, they will eventually get fixed or at least minimized to a tolerable level. If some well-spent time is dedicated up front toward attacking the problems, then the rest of the effort simply becomes a continual maintenance routine. If there are a lot of security problems, it is a matter of prioritizing them in order of severity, tackling the most serious first, cleaning up the rest, then putting a plan in place to keep them under control.

New security issues will always come up as new attacks are discovered, and patches from vendors are released. But if the bulk of the serious issues are already taken care of, then tackling these new issues will be a fairly simple exercise.

But in order for any of this to work, people’s attitudes toward information security have got to change. IT people are not janitors, the computers and network that people in the work place are using do NOT belong to the workers, and these are not toys simply put in place for their enjoyment. Being negligent about information security can get people in trouble – big trouble. So before a plan is put in place to tackle the technical issues, perhaps a plan should be put in place to teach security awareness. Teach people why security is so important, how to be secure, and how they will be held accountable for non-compliance. The touchy feely attitudes have got to give way to terminating buffoons who refuse to comply. If you were a CEO, and your employees continually put your company’s finances, data and reputation at risk, just how long would you put up with it?


My closing Thoughts:

Computer Janitor – indeed! My last tax return I reported income from salaries and earned military pensions in the $$$,$$$ range (six figures for you folks who didn’t get it). Many of my colleagues are pulling down similar salaries, and they are so far from being janitors – to make a statement such as that, or even think such a thing is just so wrong. I don’t know too many janitors who make that much money and have post-graduate educations. But I see all too many instances where otherwise smart, educated people feel and behave just that way – they feel that the equipment and resources that they use on the job don’t belong to anyone but them, and that the IT people are just there to help them when they can’t figure out how to copy a document from one folder to another, or their mouse isn’t doing the little “clicky” thing like it should. Heaven help anyone who should inconvenience these poor babies by telling them that they can’t run Napster un-abated on the corporate wire. Give me a break! Maybe there is a lot of validity to Nick Burns’ (Saturday Night Live) attitude toward users. Automatic drink holder giving you problems today?

Ooops – gotta run. Time to get out the Swiffer and get after those viruses. And by the way… You’re Welcome!!!

Reference: “When Lawyers Use Napster At Work” (Anonymous, InfoWorld, 2/27/07)


  • What do you call 350 lawyers resting at the bottom of the sea? A good start!

  • Stupid people – you can’t live with them, and there are only so many of them that you can cut up and stick in an ice chest.

  • Hey – my rat terrier is smarter than your CEO.

  • Hey you in the beemer – hang up and drive!
  • There is an epidemic in America - Fools! (Mr. T)