Cyber Threats Targeting Our Children This Holiday Season

Morey Haber, Chief Technology Officer
December 18th, 2017

This holiday will fill our stockings with electronics, toys, and mobile devices that are the envy of children around the world. Many of the devices have been around for a few years, seen major revisions, and some brand new and inherently have risks based on their design, usage, or just carelessness by their manufacturer. Unfortunately, there are a wide variety of cybersecurity threats that can harm children. These are above and beyond traditional cybersecurity vulnerabilities, exploits, and configuration problems, and can include:

  • Insecure toys that require internet access to operate for voice recognition, data modeling, or even just basic warranty registration. Last year, v-tech was breached and parent and child information stolen for toys they leveraged the cloud in order to operate.
  • Insecure online games. Hacking gaming platforms is not reserved for teenagers and adults to gain privileges, install mods, or gain an advantage during play. When targeting a child’s gaming platform like Minecraft or RoadBlox, prized collections, features, and avatars can be compromised impacting play and moral. Many times, these attributes are not earned during play and have a monetary value attached (paid for with gift cards or in app purchases) in addition to the Personally Identifiable Information (PII) stolen at the same time.

Children are gullible. They are more likely to click on a shiny icon or link they see online or in a game. They will likely fall victim to simple URL scams and even phishing via email or SMS text. The IT Security threats we try and teach adults to avoid at home and work are prime targets for children. And, are easy prey too.

The Risks of Children Playing Online

Basically, the cybersecurity threats adults experience everyday are amplified by the naivety of children. The techniques used are the same (vulnerabilities, privileges, exploits, etc.) but the results can place the child in a life altering position.

If parents allow their children online, they could face a variety of threats well below the line based on content, exposure, and the lack of safe basic computing knowledge:

  • Exposure to inappropriate content such as violence of pornography.
  • Identity threat and account hacking based on stolen credentials impacting games, school accounts, and social media. Children tend to re-use passwords more frequently than adults simply based on the ability to remember a password.
  • Vulnerabilities and exploits infecting a device with malware. Children surf the web with naïve passion. Any compromised or rogue site represents a risk from a watering hole to steal credentials all the way through sites containing drive by malware.
  • Devices children use on the Internet are not up to security standards. Most technology does not get security patches after release and children do not click “apply update” as regularly as parents or security professionals. That little update icon tends to last a lot longer before someone actually invokes the update.
  • Cyber bullying. With the advent of social media, chat features in games, and other mass communication technology, cyber bullying is a problem worldwide and has resulted in serious crimes and unfortunately depression, suicide, and exposure of private information.
  • Misinformation and “fake news”. Children believe almost anything they read, and the rampant proliferation of fake photos, news and bad advice is everywhere on the Internet. If you ever need proof, research “Tree Octopus” or even my name, “Morey Haber”. You will be surprised what you find and even my name reveals an online identity crisis I can never resolve.

Tips for Keeping Kids Safe Online

Now that children have become accustomed to using mobile devices on their own, parents need a way to keep them safe. Parents increasingly have a hard time supervising children on the Internet, so to assist with their responsibilities, there are a few recommendations parents should follow:

  • Enable parental controls in iOS or Android to supervise in application purchases, new application installation, and inappropriate device modifications without permission.
  • On Windows or MacOS, create another account for children using Standard User privileges. This will limit malware and the ability for them to modify the system in an adverse way; intentionally or not.
  • For social media, change the content and permission settings. For example, on Twitter you can limit the ability to view “sensitive content”. This has recently come into light with President Trump’s retweet of anti-Muslim content. If the feature is enabled (and it is by default), the content is suppressed.
  • Some platforms have Parental Monitoring add-ons and applications that limit content from known “bad” sites and provide reports on activity. While this may seem extreme, it may be necessary for children that are experiencing any of the problems above or as a pure preventative measure.

As a parent, we expose our children to the latest technology we use. Whether we have the latest phone, smart watch, or online game, children naturally mimic their parents. If we choose “WhatsApp” to communicate over iMessage or SMS, we most likely will install it for our children too so they can communicate seamlessly. The same is true for Facebook, Twitter, and even Snap Chat. If we use it as adults and parents, children will most likely follow suit. Arguably, the same is not true in reverse. We have seen this with Tinder, Instagram, and a variety of technologies targeting a specific audience.

All of these revelations, should have us wondering if we should monitor the online activity of our children. Deploying all of the latest security safeguards to protect children is only as good as the latest vulnerability, exploit, and last time you typed your password on an open Wifi network. While I am not an advocate of spying on anyone (even children), periodic review of activity and applying security updates is a prudent safeguard as a parent to ensure they are experiencing safe computing.

It Starts With Education

So, how do we keep our children safe online and with the latest technology? It is all about education. You can teach a child not to talk to strangers, but online, it has a whole new meaning when using technology and playing a game. Online games are designed in the first place to play with strangers. Therefore, we need to teach children safe cybersecurity above what we learn as adults. These basics include:

  • Never share your real name, phone number, age, etc to anyone online that asks.
  • Never arrange to meet anyone online that you have met without consulting with your parents
  • If you see a bad web page or images, close your browser and tell a parent. We can always review the content (if needed) via browser history
  • Never share your password with friends
  • Do not install new games or applications without asking your parent’s permission

These are above looking at .ru in a URL link or a malformed email from a Nigerian Bank. If we can teach children cybersecurity safety basics, and learn to trust parents when they need help, we can minimize the risks.

As a parting thought, I would recommend one final task every parent and child should heed for safe computing online. Never reuse the same password for multiple online services. Make sure every password is unique. At some point in time, one of them will be compromised and your password will be stolen. If you reuse the password, every other site is at risk too. If you can remember them, keep them all unique. If you cannot remember them, use a password manager like iCloud Keychain to keep them all distinct.

Morey Haber, Chief Technology Officer

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelors of Science in Electrical Engineering from the State University of New York at Stony Brook.