The Truth about WordPress Security


One of the services I provide is managed WordPress websites, and a common negative comment I hear is that “WordPress is not secure”. More often than not this misplaced warning comes from other web designers or IT people who have not done their research and really should know better. The damage it does is that clients become fearful of falling victim to malicious behaviour. But the truth is that WordPress core is one of the most secure publishing and web development platforms you can choose to build a site on.

What most people don’t realize is that WordPress is not a set-and-forget system

WordPress security isn’t about setting and forgetting. It’s about taking every measure you can to harden your website so that it is not hacked, and it isn’t solely up to WordPress to implement that security for you. Using WordPress, as with any off-the-shelf CMS, means YOU are responsible for your website’s maintenance, including security. This is actually true of ANY website, and especially of bespoke-built websites, which are the most likely to have gaping security holes because they are so often never maintained or updated after delivery.

While WordPress already does a lot to harden its core, there’s a shared responsibility between you, your hosting infrastructure and WordPress to be vigilant about enforcing security best practices, or you can hire someone like me to do it for you.
So, if you are rejecting WordPress due to security concerns, here are a few reasons to convince you that WordPress is more robust than you might realize.

The No.1 cause of a hacked WordPress website is an outdated plugin, theme or core resulting from poor or non-existent maintenance.

Hacking is newsworthy

WordPress wasn’t always as secure as it is now. Back in 2009, when WordPress was on the brink of massive popularity, the CMS contained a number of vulnerabilities that were exploited and picked up by the news. The platform received heavy criticism, which was really the community’s way of saying that WordPress needed to up its game and become more robust.

These concerns were addressed in version 2.8, following a string of security patches that strengthened the WordPress codebase. While security was shaky then, today WordPress is quite secure. Yet, because WordPress makes up such a huge chunk of the internet (28 percent of websites and rising at the time of writing, with over 1.2 billion downloads), if an attacker scans the web at random for something to break into, more than a quarter of the sites they land on will be running WordPress.

As a result, any high-profile attack on a WordPress site is widely publicized. This gives WordPress a reputation for being less secure than comparable CMSs like Drupal and Joomla, which is inaccurate.

The reality is, WordPress is secure enough for millions of end users and a number of Fortune 500 companies to trust their online business with.

Other popular CMSs like Drupal and Joomla aren’t targeted as much simply because they aren’t as widely used as WordPress. While WordPress powers over half (52 percent) of all CMS-driven sites on the web, Drupal powers a mere two percent and Joomla six percent of the CMS market. So when WordPress does get hacked, it is commonly covered by media outlets and the news. But what many people don’t realize brings us to the next point.

Most security exploits are a result of an outdated component.

Most security attacks on WordPress come in through an outdated theme, an outdated plugin or an outdated WordPress core. The high-profile compromises of recent years each targeted vulnerabilities for which a fix was already available, and which a simple update would have closed. So when these breaches occur it is not the fault of WordPress; it is the fault of the website owner not properly maintaining their website.

It’s your duty to update plugins, themes, and WordPress core accordingly.

While so-called managed WordPress hosting providers like WP Engine or GoDaddy may run automatic updates of WordPress core for you, they do not update all of your plugins and themes to ensure they contain the latest security patches. That is still down to you, so the term “Managed WordPress” is rather misleading to many website owners, who are unwittingly under the impression that EVERYTHING is being managed, which is not the case. Just to be clear, the managed WordPress solution I provide does include everything.

If you are managing your own website rather than having someone like me manage it for you, then it is also up to you to familiarize yourself with plugin and theme best practices. Free plugins and themes are great, but when browsing the plugin repository, make sure the plugin or theme has been updated recently and is marked as compatible with the latest version of WordPress. If you activate a plugin or theme that hasn’t been updated in over a year, you could be opening a door for attackers, because the extension will most likely not have received the latest security fixes.

Premium plugins and themes are less likely to contain security vulnerabilities because they are generally monitored and updated more regularly. That’s one benefit of paying for a premium component: you are far less likely to find that the author has gone astray and neglected to keep the theme or plugin up to date with the latest security standards. However, do not try to pirate premium themes and plugins. These “nulled” copies are a bad idea because they will never receive the author’s security fixes, and copies redistributed through pirate sites frequently have malicious code added to them.

There are many security vendors working quickly to detect and patch vulnerabilities.

In terms of security, no system is perfect. According to WordPress.org, “Security is about risk reduction, not risk elimination, and risk will never be zero.” This is true not just for WordPress but for any system. That’s why, in addition to the WordPress core team, many third-party security providers work continuously to detect and fix vulnerabilities.

Even against the most secure systems, attackers can still find a way in if you don’t take the right precautions.

The open source nature of WordPress means anyone can contribute to finding security vulnerabilities, which means faster fixes. For instance, you might have heard about the recent WordPress security incident involving the REST API (introduced in version 4.7.0): a content injection vulnerability, fixed in 4.7.2, that was used to deface more than 1.5 million pages on sites still running the vulnerable 4.7.0 and 4.7.1 releases. Security vendors detected the vulnerability and immediately reported it to WordPress so that an update could be built, and the fix was released before the details were made public.

If your enterprise site contains highly sensitive information, or you are simply worried about this happening to you, note that sites with automatic updates in place had already received the fix by the time the defacements started: investing in managed services that run WordPress updates for you is what protects you. I was notified of this breach as soon as it was made public and immediately started issuing patches across all my client sites so that nobody was affected.

So just remember…

WordPress is as secure as you want it to be.

If you want your site to be protected by layer upon layer of defences, you can have that. But laxity in security will only result in exposure to vulnerabilities.

It’s your duty to take additional measures to harden the WordPress site you’ve built. With the help of managed hosting and service providers like me, security is taken to the next level. To avoid a compromise, there are additional security measures you can (and should) take to harden your WordPress site. The hosting I use for WordPress includes web application firewalls, intrusion detection, brute-force protection, malware scanning and more.

Enforce Strong Passwords

This is the most basic security measure you should be taking. If an attacker runs an automated brute-force or dictionary attack against your login page, an easy-to-guess password will be cracked quickly. Instead, use a strong password generator to make sure your password is long and random. You can also use a plugin like Force Strong Passwords to enforce strong passwords for the other users on your site or across a WordPress Multisite network. By default, I always use strong, randomly generated passwords on all client sites.

Use 2FA (Two-Factor Authentication)

Enabling 2FA adds an extra layer of security to your login. 2FA works by requiring a second factor that only you can provide, such as a one-time code from an authenticator app on your phone, to verify a login from a specific computer. A code generated by an authenticator app is preferable to one sent by SMS, which can be intercepted or redirected; either is far better than a password alone.

Use SSL For Data Security

SSL (secure sockets layer, now superseded by TLS, though the old name has stuck) encrypts information in transit between a visitor’s browser and your site. This means an attacker sitting on the network between the two can’t read or tamper with the data your users submit (such as credit card details). Note that it protects data only while it is travelling to and from your server; it does nothing for data stored on a compromised site. While WordPress doesn’t come with SSL built in, most hosting providers offer it, and many now offer free certificates via Let’s Encrypt.

Since Google started issuing “Not Secure” warnings in Chrome for pages not served over HTTPS, it has become important to make the transition to HTTPS if you haven’t already, so that your visitors don’t see this warning. I therefore now enable SSL on all client sites by default.

Security patches not being rolled out to Windows 7 & 8

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.

Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up in the big Windows 10 releases, such as the Anniversary Update and the Creators Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.

This is all according to researchers on Google’s crack Project Zero team. The fear is that miscreants comparing the various public builds of Windows will notice these vulnerabilities are being silently fixed in Windows 10, realize the same holes are present in earlier versions of Windows – which are still used in homes and businesses worldwide – and thus exploit the bugs to infect systems and spy on people. And if hackers haven’t realized this, they will now: Google staffers have publicly blogged about it.

Redmond engineers are quietly addressing these Windows security flaws as part of their efforts to improve components within the Windows 10 operating system. For instance, a team may be tasked with improving memory management in the kernel, and as a result, will rewrite chunks of the source code, boosting the software’s performance while squashing any pesky exploitable bugs along the way. For the marketing department, this is great news: now they can boast about faster loading times. Malware developers, meanwhile, can celebrate when they discover the programming blunders are still present in Windows 8 and 7.

“Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform,” Google Project Zero researcher Mateusz Jurczyk said on Thursday.

“This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows.”

As an example of the problem, Jurczyk highlighted the wobbly use of memset() within the kernel. This is a function that is supposed to overwrite bytes in a specific area of memory to a specific value, such as zero, thus scrubbing away whatever was previously stored in that portion of memory.

When an application asks the kernel, via the NtGdiGetGlyphOutline system call, to fill a structure with glyph information and copy it back into the app’s memory, the OS doesn’t fully overwrite that structure with memset() before the copy. The kernel therefore copies into the application’s memory whatever private kernel data was left over in the buffer, leaking information it really shouldn’t. This can be used to snoop on the OS and other programs, or to learn enough about the system’s internal layout (kernel addresses, for instance) to pull off more damaging exploits.
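To make the bug class concrete, here is an added illustration that is not Microsoft’s code, not Project Zero’s, and not the real NtGdiGetGlyphOutline handler: a toy syscall handler that fills only the header of a fixed-size reply buffer and then copies the entire buffer back to the caller, next to the same handler with the memset() fix the article describes. The buffer layout, field names and sizes, the stand-in for copy_to_user and the 0xAA marker that plays the part of stale kernel data are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_SIZE  64    /* size of the fixed reply copied back to the caller (assumed) */
#define HEADER_SIZE 16    /* bytes the handler actually populates (assumed) */
#define STALE_BYTE  0xAA  /* constructed marker for private data left in kernel memory */

/* Stand-in for the kernel-side buffer a real handler would use. The harness
 * pre-fills it with STALE_BYTE to play the role of leftover data from an
 * earlier kernel operation (pointers, previous callers' data, and so on). */
static uint8_t kernel_scratch[REPLY_SIZE];

/* Write four native-endian uint32 header fields: width, height, payload
 * length and a flags word. Nothing beyond HEADER_SIZE is touched. */
static void write_header(uint8_t *reply, uint32_t width, uint32_t height,
                         uint32_t payload_len)
{
    uint32_t flags = 0;
    memcpy(reply + 0,  &width,       sizeof width);
    memcpy(reply + 4,  &height,      sizeof height);
    memcpy(reply + 8,  &payload_len, sizeof payload_len);
    memcpy(reply + 12, &flags,       sizeof flags);
}

/* Vulnerable pattern: only header + payload are written, but the whole
 * REPLY_SIZE buffer is copied out, so every untouched byte leaks. */
void get_outline_vulnerable(uint8_t *user_buf, const uint8_t *payload,
                            uint32_t payload_len)
{
    if (payload_len > REPLY_SIZE - HEADER_SIZE)
        payload_len = REPLY_SIZE - HEADER_SIZE;
    write_header(kernel_scratch, 12, 20, payload_len);
    memcpy(kernel_scratch + HEADER_SIZE, payload, payload_len);
    memcpy(user_buf, kernel_scratch, REPLY_SIZE);   /* copy_to_user stand-in */
}

/* Fixed pattern: the added memset() scrubs the whole buffer first, so the
 * bytes the handler does not populate are zero rather than stale. */
void get_outline_fixed(uint8_t *user_buf, const uint8_t *payload,
                       uint32_t payload_len)
{
    memset(kernel_scratch, 0, REPLY_SIZE);          /* the missing call */
    if (payload_len > REPLY_SIZE - HEADER_SIZE)
        payload_len = REPLY_SIZE - HEADER_SIZE;
    write_header(kernel_scratch, 12, 20, payload_len);
    memcpy(kernel_scratch + HEADER_SIZE, payload, payload_len);
    memcpy(user_buf, kernel_scratch, REPLY_SIZE);
}

/* Harness: seed the kernel buffer with stale data, run a handler with an
 * 8-byte constructed payload, and count how many stale bytes reached the
 * caller. The difference between the two handlers is the information leak. */
size_t leaked_bytes(void (*handler)(uint8_t *, const uint8_t *, uint32_t))
{
    const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed */
    uint8_t user_buf[REPLY_SIZE];
    size_t leaked = 0;

    memset(kernel_scratch, STALE_BYTE, REPLY_SIZE);
    handler(user_buf, payload, (uint32_t)sizeof payload);
    for (size_t i = 0; i < REPLY_SIZE; i++)
        if (user_buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable handler leaks %zu of %d bytes\n",
           leaked_bytes(get_outline_vulnerable), REPLY_SIZE);   /* 40 */
    printf("fixed handler leaks      %zu of %d bytes\n",
           leaked_bytes(get_outline_fixed), REPLY_SIZE);        /* 0 */
    return 0;
}
```

With a 16-byte header and an 8-byte payload, 40 of the 64 bytes handed back by the vulnerable handler are whatever the kernel left behind, while the fixed handler returns zeros there. The general lesson is the one Jurczyk draws: any time a kernel copies a fixed-size structure to user space, every byte of it, padding included, must have been deliberately initialized first.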

This information-disclosure bug was fixed in Windows 10, but remained present in Windows 7 and Windows 8.1 – until it was reported by Project Zero to Microsoft at the end of May this year and fixed in patches for Windows 7 and 8.1 systems in September. Google typically gives vendors, including Microsoft, 90 days to address any reported security shortcomings before going public, forcing developers and manufacturers to play their hand.

This months-long lag in deploying patches to previous flavours of Windows is leaving systems vulnerable to attack. By broadly upgrading the security defences in Windows 10, Microsoft is making it easier for hackers to see where they could exploit weak spots in older versions.

“Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security,” Jurczyk explained.

“This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls.”

While it’s not realistic to expect a vendor to maintain major updates and produce patches indefinitely for older software versions, as many as half of all Windows users are still running Windows 7 and 8 – meaning millions of people are being put at risk by Windows 10’s security improvements, ironically.

Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and for Windows 7, January 14, 2020.

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told The Register.

“Additionally, we continually invest in defence-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Translation: please, please stop using Windows 7 and 8.

Why You Should Be Using a Password Manager

Every few weeks we hear that another major corporation has been hacked; just last week it was Equifax, with data on millions of people compromised. We only hear about the major, newsworthy hacks that have been discovered or disclosed, but the scary truth is that, by some estimates, around 30,000 websites are hacked every single day.

Often these hacks mean your personal information has also been compromised, most likely without your knowledge, since website owners often either do not know they have been hacked or choose to keep it quiet. In this post I cover the important reasons why you should use a password manager to protect your online identity, and how to get started with LastPass, a free password manager.

Passwords & Online Security Best Practices

Most websites rely on a simple login process for a user to gain access to their account: a username and password.

As an online security best practice, you need a long, complex and unique password for every web account you use.

Strong passwords need to be:

  • Long – The more characters in a password, the longer it takes an attacker to guess it.
  • Complex – By drawing on a larger set of characters you add complexity, or password entropy. Password entropy is a measure of how unpredictable a password is, based on the character set used (a mix of lowercase, uppercase, numbers and symbols) as well as its length. Basically, your password needs to be something you could never pronounce.
  • Unique – You need a different password for every web account you use. Yep, that’s right. Every login on every website needs to be unique and never reused.

Unfortunately, in the real world, meeting all three criteria for strong passwords is basically impossible without the use of a password manager.

Why Use a Password Manager? The Nightmare Scenario

So why is having a long, complex, unique password important?

If you use the same email address and passwords for multiple websites that you log into (as a lot of people do), what happens when one of those websites gets hacked?

The attackers now have your username and password on a list that will be used to try to log into thousands of other websites around the internet (this is known as credential stuffing). If you use the same email address and password everywhere, the attacker can now log into all your accounts at once and get access to all your personal data and details.

If those same login details are used for your email account as well, they can now access pretty much anything. Any site they cannot get into, they can simply issue a password reset for, which will arrive at your email, which they now control. Identity theft at this point is a high possibility.

Once your password has been compromised, you now have the challenge of updating your information individually on every single website that has the same login information. Do you even remember them all? If you use the same email and password again on each one, you’re probably going to have to repeat this process again in the future.

Don’t Use Common Passwords

Here’s Keeper Security’s list of the most common passwords of 2016. Do you recognize any of them? Most are lazy passwords, produced by pressing keys that sit next to each other on the keyboard or by counting along the number row, and all of them are cracked in seconds by automated tools.

1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. 1234567
8. password
9. 123123
10. 987654321
11. qwertyuiop
12. mynoob
13. 123321
14. 666666
15. 18atcskd2w
16. 7777777
17. 1q2w3e4r
18. 654321
19. 555555
20. 3rjs1la7qe
21. google
22. 1q2w3e4r5t
23. 123qwe
24. zxcvbnm
25. 1q2w3e
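As an added example, not part of the original post and not code from Keeper Security or LastPass, the following C program turns the three criteria above (long, complex, unique) and the common-password list into a simple checker. It estimates entropy from the character classes present and the length, exactly as the “Complex” bullet describes, refuses anything on the list regardless of that estimate, and applies a minimum of 60 bits. The list is the one reproduced above; the 60-bit threshold and the sample passwords are assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Keeper Security's 2016 list, as reproduced in the post above. */
static const char *const COMMON_PASSWORDS[] = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
    "555555", "3rjs1la7qe", "google", "1q2w3e4r5t", "123qwe", "zxcvbnm",
    "1q2w3e",
};

/* Exact match against the list. A real checker would use a far larger
 * breach-derived list; the principle is the same. */
bool is_common_password(const char *pw)
{
    size_t n = sizeof COMMON_PASSWORDS / sizeof COMMON_PASSWORDS[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(pw, COMMON_PASSWORDS[i]) == 0)
            return true;
    return false;
}

/* Entropy estimate in bits: floor(log2(pool^length)), where pool is the
 * size of the character classes actually used (26 lower, 26 upper,
 * 10 digits, 33 other printable ASCII including space). Computed without
 * libm by multiplying in double and counting halvings. It is an upper
 * bound: it assumes every character was chosen uniformly at random. */
int password_entropy_bits(const char *pw)
{
    bool lower = false, upper = false, digit = false, symbol = false;
    size_t len = 0;
    for (const char *p = pw; *p; p++, len++) {
        unsigned char c = (unsigned char)*p;
        if (islower(c))      lower  = true;
        else if (isupper(c)) upper  = true;
        else if (isdigit(c)) digit  = true;
        else if (isprint(c)) symbol = true;
    }
    int pool = 26 * lower + 26 * upper + 10 * digit + 33 * symbol;
    if (len == 0 || pool == 0)
        return 0;

    double space = 1.0;
    for (size_t i = 0; i < len; i++)
        space *= pool;                 /* pool^len; exact enough for len < ~150 */
    int bits = 0;
    while (space >= 2.0) {
        space /= 2.0;
        bits++;
    }
    return bits;
}

/* Verdict combining both checks. A listed password is weak no matter what
 * the entropy estimate says; the 60-bit minimum is an assumed policy. */
const char *password_verdict(const char *pw)
{
    if (is_common_password(pw))
        return "weak: on the common-password list";
    if (password_entropy_bits(pw) < 60)
        return "weak: too short or too predictable";
    return "ok";
}

int main(void)
{
    /* constructed samples; the last one is what a generator would produce */
    const char *samples[] = { "123456", "password", "1q2w3e4r", "Summer2017",
                              "kQ7#vL2!mZ9$pW4&" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %3d bits  %s\n", samples[i],
               password_entropy_bits(samples[i]), password_verdict(samples[i]));
    return 0;
}
```

Two things worth noticing in the output. “Summer2017” mixes upper case, lower case and digits and still lands just under 60 bits, so length matters more than sprinkling in a capital letter; the 16-character generated password clears 100 bits. And “password” scores 37 bits by the entropy formula even though it is one of the first guesses any cracking tool makes, which is why the list check runs before the entropy check: entropy estimates assume randomness, and human-chosen passwords are not random.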

Password Managers vs. Browser Password Storage

Note: While most major web browsers today will offer to remember your passwords and fill them in automatically for you, this is a convenience feature and not a security one.

A password manager such as LastPass not only remembers your login information but also helps you generate long, complex passwords and stores them, along with other useful information, securely.

You may have noticed that your browser prompts you to save login details, but be warned that the password storage built into your browser is a solution of convenience, not security. Anyone using your computer while you are logged in can use those saved details to log into websites, and unless you have set up the browser’s own sync you will not have access to them from other devices. Also bear in mind that if your device is lost or stolen, your hard drive dies, or any other disaster strikes, you have lost all those details with it.

LastPass vs. Other Password Managers

There are numerous excellent options for password managers available.

It is also worth mentioning that if you use BitDefender Anti-Virus then this includes a simple password manager called BitDefender Wallet.

Ultimately, using any one of these password managers is a good choice, but I personally recommend LastPass, especially for business users, because it offers the most value in free vs. paid features and is the most configurable, with additional security options.

As well as passwords, it is great for storing bank details, licences, card details and so on, and it is very easy to share passwords with other people. It is also very secure: you can set LastPass to auto-lock after a chosen number of minutes so that anyone else using your computer cannot access your passwords without your master password. You also have the option of two-factor authentication.

However, it can be over complicated for the same reason if you are not very competent with computers, in which case one of the simpler solutions might be better for you for personal use.

Here is a review of the top password managers for 2017

Watch LastPass Tutorial for Beginners

LastPass Free vs. Premium

LastPass Free has everything you need to securely store and fill passwords on a single kind of device (for example a Mac, a PC, an iPhone or an Android phone).

But if you want to access LastPass on different kinds of devices, you will need to upgrade to LastPass Premium for $24/yr. LastPass also offers Business and Enterprise versions that focus on sharing data among multiple users and creating rules and policies for your staff/users.

If you need help to get LastPass configured or require some training, then please contact me.

Cyber Security: How to protect your kids online

Cyber Security: How to protect your kids online

To be blunt (no insult intended), most parents are not very computer literate and as a result are also oblivious to the dangers of letting their kids loose on the internet. This is not because you are parents; it is simply a statistic based on research showing that 69% of the population are not very computer literate and 26% cannot use a computer at all. In most cases, your kids are probably more computer literate than you are.

But while your kids might be better with technology, they have ZERO knowledge or experience of staying safe online, and will happily look at much of the inappropriate stuff you would rather they didn’t and of course the more you tell them not to, the more they want to.

Are you aware of the most common dangers that the internet and social media (Facebook, Twitter etc.) present? Children are regularly bullied online, your little darling could even be the one doing the bullying, and this cyber-bullying has led to many children committing suicide. They can be easily manipulated into performing any number of dangerous or perverted acts, or groomed into meeting a sexual predator.

Using the internet without protection can also cause you a lot of damage, and if you are allowing your child to use your computer or tablet, you could end up being the target of cyber-crime: everything from malware and ransomware attacks, trojans and bots using your computer to attack other people, through to identity theft and an emptied bank account.

Just as you do in the real world, you need to offer guidance, set boundaries, and, depending on your child’s age and maturity level, carry out some safeguards.

You also need to be aware of where the threats are coming from, so it is your responsibility as a parent to educate yourself about online security and take action not just for your kids, but for yourself and other people’s children too, who can be indirectly affected by your lack of knowledge or action.

I do of course lock down my home internet connection and my kids’ phones, tablets and PCs, but the problem is that the majority of their friends’ parents have not done this. This means that all the content I have blocked can easily be viewed on their friends’ phones, computers and consoles, including porn and whatever else, unencumbered, thus bypassing my efforts. So these are practices you not only need to put into place yourself, but ideally your friends should as well; encourage your school to promote them and post them on social media for other parents to see.

If you need help in getting your home network and devices secure, then I can provide this as a service, which in most cases I can do remotely, but can also offer on site support if you are based in Thanet.


Things you can do right now to protect your kids


1.  Install anti-virus and parental controls on all your computers and mobile devices

Children are just as vulnerable as the rest of us, if not more so, to clicking on bad links and downloading malicious software. Every device that is connected to the internet needs to be protected from malware. You also need the ability to block them from viewing inappropriate websites.

Some anti-virus software has parental controls built in, but generally, it is not very good and you are better off using separate products.

Anti-Virus

Windows computers do have Windows Defender built in, which is better than nothing, and may well be sufficient for the savvy or safe user who never clicks on dodgy links, never visits porn sites or downloads pirate software etc. But for anyone else, you need something better.

Some of the most popular free products come from trustworthy brands. Bear in mind that the FREE versions are limited and may not be much better than Windows Defender, so for the best protection you do need a premium product.

For your mobile devices, just search for the names in the Apple or Android store.

If you are happy to pay for your protection and security product, then there are so many choices out there, from excellent to terrible. I personally recommend the premium edition of BitDefender, which is a full cyber-security suite, has consistently been the #1 in the industry and is what I use on all my devices; before that I used Kaspersky, which is also a good product. If you have multiple devices in your household, then the BitDefender family pack is a great deal to protect them all, and there is also a mobile version. The other very handy thing with BitDefender is that you can monitor and manage all your devices from the website, and apply new rules and filters etc.

I suggest avoiding random brands you have never heard of or which you get spam emails about, as these are quite likely malware themselves or next to useless products.

Parental Controls

According to the Pew Research Center, 50 percent of parents have used parental control tools to block, monitor, or filter their child’s online activities.

Here is a review of some of the top FREE parental control software of 2017
http://www.techradar.com/news/the-best-free-parental-control-software

The ScreenTime app is available for Apple, Android and Amazon devices. The app is free for one child and includes the ability to monitor the device remotely and to see your child’s web and search history. A $4-per-month premium version adds daily time limits, the ability to block apps, and block the use of the device during school hours or after bedtime.

Other apps:

Some of these apps (such as mmguardian) will let you track your child’s location, monitor their text messages, and generally spy on their activities. Which one you use depends on your requirements.

When dealing with older children, explain why you are using these parental control apps: that you are only protecting them, and tracking them so that you can find them if something happens. Remember that you would not be happy with this level of control, especially if it was forced on you with no explanation.
The last thing you want is to lose your child’s trust and have them go out of their way to bypass your parental controls, which they will no doubt figure out how to do given enough time, or get themselves a burner phone which you cannot track.

I use MMGuardian and also kid-control on my boys’ phones, and they fully understand why and do not mind. The only time they moan is when I lock their phones at bedtime or when they have been naughty. Kid-control also allows them to see where everyone else is too, so they can find each other or me if required.

2.  YouTube

YouTube is the new children’s TV. It is one of the most popular sites out there, but a massive number of videos are not suitable for young children. One minute they will be watching someone playing Minecraft, the next they will be bombarded with swearing and making sexual references, even from children’s characters like Elmo.

My best advice is “Do not give your kids unrestricted access to YouTube”. Ideally, you want to limit youtube to use on a TV or PC where you can monitor what they are watching, if this is not possible then I suggest you block YouTube altogether. This can be done in your parental control software.

The YouTube site does have a “Restricted Mode” safety feature, and if you are going to let your kids loose on YouTube you should use it. Be warned, though, that Restricted Mode only hides videos that have been flagged as inappropriate; the majority of explicit content has never been flagged by its maker or by viewers, so YouTube treats it as safe and it gets through. There is also nothing to stop a savvy child from turning the setting off again.

On the desktop site, if you scroll down to the bottom of the screen, there’s a “Restricted Mode” setting that hides videos that have been flagged as containing inappropriate content.

In the mobile apps, click on the three dots at the top right and click on Settings > General and scroll down until you see the “Restricted Mode” option.

If your children have phones or tablets, then you can remove the YouTube app and install YouTube Kids instead, which is a kid-friendly version with filtered content. Don’t forget that you will also need to install some parental controls to stop them undoing your changes.
If you are thinking of buying a tablet, then I recommend the Amazon Fire tablet for kids, which is completely locked down by default and only allows child-friendly apps and content, has child-friendly videos, and also has a 2 year guarantee, during which time they will replace the tablet for FREE if your kids break it for any reason.

3.  Help your kids set the privacy controls on their social media accounts

Most social media sites have an age limit of 13, but kids sign up regardless and lie about their age, and frankly, if they have the ability to do this behind your back anyway, then you are better off at least letting them do it so you can monitor their activity.

If your children share messages, pictures or videos on Facebook, Instagram and other social media platforms, they might not be aware of who can see their posts, in fact, many adults do not realise that everything they post/share is public by default.

Most apps do have privacy settings, however, letting your children control who they let into their lives is not really the responsible or safe thing to do, so you should take a hands on approach to this too.

Here are the links to information about the privacy settings on the most popular apps:


4.  Set up separate accounts for your kids on your computers

If you share a device with your children, then you need to set up a separate account/user for them. Each account would have its own home screen and, depending on the device and platform, a different choice of features, apps, and permissions.

Not only does this help you protect your own data — or video recommendations — but you can also set up customized security and privacy settings for each child.

On Windows computers, you can set up a new user account for your children. Go to Settings > Accounts > Add a family member > Add a child.

You can block specific apps, games or websites, or set screen time limits. Visit https://account.microsoft.com/family for more information. I would not rely on this alone, though, as Microsoft Family Safety is notoriously unreliable and randomly breaks.

On Apple computers, you can set up Parental Controls for some user accounts, where you can, for example, restrict access to adult websites. Learn more here: https://support.apple.com/en-us/HT201813

5.  Set up separate accounts for your kids on your mobile devices

Tablets and smartphones also allow multiple user accounts on the same device.

On Android tablets, you can create a restricted account for your child, with limits on which apps they can use.

On Android phones, you can create a new user account for your child, but the only account restriction currently available is to turn off the ability to make phone calls and send text messages. However, you can restrict their Google Play account. Go to Settings > Parental controls and turn them on. You will be able to set specific content restrictions on apps and games, movies, TV, books, and music.

On the Apple side, iPhones and iPads have controls for apps and features, content, and privacy settings. Launch the Settings app, go to General > Restrictions and tap “Enable Restrictions.” (On iOS 12 and later the same controls live under Settings > Screen Time > Content & Privacy Restrictions.)

6.  Secure your gaming systems

Don’t forget that your gaming console is also an Internet device these days. Children can download games and make in-game purchases, and even surf the Web.

Most consoles have parental control features that allow you to restrict the kind of content your children can get, limit their purchases, and restrict or turn off their Web browsing. Take some time to use your kids’ games consoles yourself, find out what they can do, and set up the parental controls accordingly.

The best console for parental control is the Xbox, which, because it runs on Windows 10, has quite granular controls allowing you to set age limits and the actions that can be performed, right down to allowing and blocking individual games.

More info here on Xbox parental controls

The PlayStation is not so good: you must set up a parent account and then create sub-accounts for your kids, which is an all-or-nothing solution with no granular control. This is fine for the little ones, but for older kids who want to play online with their friends and use game sharing, I find it far too restrictive, and the only workaround is for them to set up a full adult PlayStation account.

More info here on Playstation parental controls

7.  Consider using kid-safe browsers and search engines

For added control, you can install a kid-safe web browser for your children to use.

Zoodles, for example, offers a child-safe environment, and there’s a free version for Windows PCs and Macs, and for Android and iOS tablets and smartphones. The premium version, which costs $8 a month, includes ad blocking, time limits, and other features.

Another alternative kid-safe browser is Maxthon.

There are also some built-in tools in the browsers you’re already using.

If you use the Chrome browser, you can set up a “supervised profile” that will block explicit search results, show you what websites your children visited, and even restrict what websites they can go to. The restrictions work in one of two ways: either a list of approved websites, where your children can only visit the sites on this list, or a list of blocked websites, where they can visit any website except the ones you’ve banned. (Google retired supervised profiles in 2018; the replacement is Family Link, which manages a child’s Google account rather than a browser profile.)

More information here: https://support.google.com/chrome/answer/3463947/?hl=en

Also check out these kid-safe search engines:

 

8.  Lock in apps for youngest children

If you want to be able to hand your phone to your child to play with in the back seat of the car without worrying about them messing up your phone or surfing the web for creepy content, what you can do is open up an app for the child and then set it up so that they can’t exit the app.

On phones running Android 5 and higher, it’s called “screen pinning.” First, go to Settings > Security > Screen pinning and turn it on and also enable “Ask for PIN before unpinning.” Then load your app, hit the overview button — the little square on the bottom right — and swipe up until you see a pin icon come up in the lower right corner. Now your child will need your PIN in order to switch apps.

Screen Pinning on Android

On iPhones and iPads, this is called “Guided Access.” First, go to Settings > General > Accessibility > Guided Access to set up Guided Access. Then when you’re in the app you want to lock in, triple-click the home button to bring up the Guided Access settings. You can turn off Guided Access either with a PIN or by setting it up to work with your Touch ID through Settings > General > Accessibility > Guided Access > Passcode Settings.

10.  Make sure your kids are only using safe chat rooms

Some kid-friendly platforms offer chat rooms where kids can talk to other kids. Vet the sites first, to make sure that the chat rooms are monitored.

In addition, teach your kids not to share their real identities on such platforms, and use anonymous screen names, instead.

Teach, Educate and Talk with Your Children


11.  Teach your children not to respond to messages from strangers

If they get a text message, instant message, email or social media message from someone they don’t know — they should just delete it.

Make sure they know not to open it, not to respond to it, and, of course, not to click on any links or attachments.

If those girls from Pretty Little Liars followed that advice, the show would have been over after one episode.

12.  Educate your children about the risks of “sexting”

Last year, in a report to the U.S. Congress, the Justice Department revealed that the most significantly growing threat to children was something called “sextortion.”

It’s bad enough when minors send nude images of themselves to boyfriends or girlfriends, and those images then get distributed to others.

In addition to the psychological damage, both the children who send and those who receive “sexts” may be breaking the law, which could result in prosecution and even registration as a sex offender.

And it gets worse.

According to the FBI, the “sextortionists” have gone pro, with individual criminals targeting hundreds of children each. They pretend to be the same age as their victims, trick or coerce them into producing child pornography for them — and even get them to recruit friends and siblings.

In a review of 43 such cases, the FBI found that two victims committed suicide, and ten others attempted to kill themselves. Victims also have their grades decline, drop out of school, get depressed, and engage in cutting or other types of self harm.

According to the National Center for Missing and Exploited Children, reports of sextortion were up 150 percent during the first several months of 2016 compared to the same time period in 2014. 

In 4 percent of the sextortion reports, the children engaged in self-harm, threatened suicide or attempted suicide as a result of the victimization, the Center said.

13.  Warn your kids about file sharing

Uploading pirated files is, of course, illegal.

And so is downloading them, though fewer media companies seem to be prosecuting kids these days.

But downloading pirated files also carries other risks: cracked games and “free” movie downloads are a common carrier for malware.

Fortunately, there are now many free and low-cost services out there where kids and teens can get videos and music.

14.  Warn your kids about online polls and surveys

There are lot of fun, harmless polls out there, like the one that tells you what kind of poodle you are.

Others ask for too much personal information, and could land your kids on spammers’ email lists, or open them up to identity theft.

Many adults have a separate, throw-away email account for when they need to provide an email address in order to register for something. If your child has a legitimate reason to fill in questionnaires that require an email address, consider helping them set up a throw-away email account of their own.

15.  Warn your kids about getting too close to strangers

When you’re meeting someone for the first time after, say, communicating with them via an online dating app, you know to set the meeting in a public location, such as a coffee house, and to let friends know where you are.

This is common sense.

But children and teenagers often lack that basic common sense — or might be tricked into keeping their online relationships secret.

Of course, predators can also communicate with potential targets via traditional mail, or meet them at bus stops. But the Internet allows them to scale up their activities dramatically.

Attackers can use online relationships to lure children to meet them in person. Or, more frequently, they will try to trick children into making unnecessary purchases, or sharing information, photos, or videos.

Know your children’s online friends. And, just as with regular friends, confirm their identities, and talk to those kids’ parents. If those “kids” are, in fact, kids.

16.  Help your children deal with cyberbullying

Cyberbullying affects up to 15 percent of children, according to a report released last year by the National Academies of Sciences, Engineering, and Medicine.

And the rates are even higher for children who are overweight, disabled, or LGBT, or members of a minority group.

Victims have physical problems such as trouble sleeping, upset stomachs and headaches, and also suffer psychological effects such as depression, anxiety, and alcohol and drug use.

Let your kids know that they can turn to you for help, and find out what resources are available from your local schools.

You should save messages and other evidence of the cyberbullying and report the bully to the social media platform, telephone or Internet service provider, school, or local law enforcement authorities. In addition, you should block the bully from your child’s social media, telephone, or email accounts.

More information here:

17.  Set a good example

How many baby pictures and vacation photos have you posted online? Before lecturing your kids about staying safe, make sure that you yourself are a good model. Learn about the privacy settings in the social media apps you use most, then check that you aren’t sharing private, personal moments with the whole Internet.

Also, don’t drive while texting or talking on the phone.

Wait until we all have those self-driving cars, and do your texting then.

18.  Set rules about what your kids can share online

As an adult, you know to be careful about what information you post online. You know not to share your financial information or social security numbers with strangers.

Make sure your kids know the rules and understand the reasons behind them. Even seemingly innocuous information, like vacation pictures, can let criminals know when your house is empty.

Some information, like a funny picture of your cat in the snow, can be shared with everyone. Some information, like vacation plans, can be shared with family and close friends. And some things should never be shared online at all.

In addition, most social media platforms set 13 as the minimum age for an account in their terms of service (in the US the cut-off comes from the COPPA children’s privacy law), so children younger than that should not have accounts of their own.

The Family Online Safety Institute has a sample family online safety contract here: https://www.fosi.org/good-digital-parenting/family-online-safety-contract/

19.  Add your kids as “Friend”

If your children have their own accounts on Twitter, Facebook, Google Plus, Instagram, Snapchat or other social media sites, follow or friend them.

Don’t let your kids tell you that other parents don’t do this. According to the Pew Research Center, 83 percent of parents are friends with their teenage child on Facebook.

You’ll be able to see if they are posting inappropriate things online and can step in before problems escalate.

It’s not foolproof — there are ways that children can keep their communications hidden from you. And if you are too heavy-handed in your monitoring, it may cause your children to be more secretive.

20.  Set limits on how much time your children can spend online

According to a recent national survey, tweens spend an average of six hours a day with their devices, and that’s not including the time spent on school or homework. Teens spend an amazing nine hours a day staring at their screens.

Sure, some of that is listening to Spotify while exercising. But the bulk of the time is spent watching videos, playing games, and using social media.

The American Academy of Pediatrics used to recommend that children under two should not have any screen time at all, and had very conservative limits for screen time for older children. In late 2016, the organization re-evaluated current research and loosened its recommendations.

Some screen time, such as video chats with relatives, or educational applications, can be very valuable, even for the youngest children.

Now, the organization suggests that families create a Family Media Plan.

However, the organization recommends that parents limit the use of screens during meals, and for an hour before bedtime. Also, phones and tablets shouldn’t be charged overnight in the child’s bedroom, to limit the temptation to check the devices at all hours of the night.

21.  Additional resources

Internet Matters: Resources for parents looking to keep children safe online, with age-specific how-to guides, free apps, and device safety checklists. https://www.internetmatters.org/

Family Online Safety Institute: Parenting guides and news and reports about online safety issues. https://www.fosi.org/

Safe, Smart & Social: Social media training guides and safety tips for parents and educators. https://safesmartsocial.com/

Thanks go to John Mason for most of this content, who conveniently emailed me which reminded me I had this article in draft, so saved me a lot of typing.

Linux can be hacked using only the backspace key

As any I.T. person will know, Linux geeks consider Linux to be the most secure OS on the planet, and many will even claim it is so secure and un-hackable that they do not need any malware protection. So it is ironic that a Linux hack has now been discovered which is probably the worst and simplest hack ever discovered, far worse than any hack or vulnerability ever discovered for Windows. If you press the backspace key 28 times on a locked-down Linux machine you want to access, a GRUB2 bootloader flaw will let you break through the password protection and wreak havoc in the system.

Researchers Hector Marco and Ismael Ripoll from the Cybersecurity Group at Universitat Politècnica de València recently discovered the vulnerability within GRUB, the bootloader used by most Linux distros.

As reported by PC World, the bootloader is the first thing that runs when a Linux system starts, and it has a password system to protect boot entries: without the password you cannot edit an entry or drop to the GRUB command line. (Stopping the machine from booting off CD-ROM or USB is the job of the BIOS/UEFI firmware password, which should be set alongside the GRUB one.)

Without GRUB password protection, anyone at the console can edit a boot entry (for example adding init=/bin/bash to the kernel line) and boot straight into a root shell, or boot the machine from a live USB key into another operating system, and then read or modify anything on the machine’s hard drives that is not encrypted.

The researchers discovered the flaw within GRUB2, of which versions 1.98 to 2.02 are affected. These versions were released between 2009 and today, which makes the vulnerability a long-standing and serious problem.

In a security advisory, Marco and Ripoll said the bootloader is used by most Linux distributions, resulting in an “incalculable number of affected devices.”

Exploiting the flaw — and checking if you are vulnerable — is simple. When the bootloader asks for a username, simply press the backspace button 28 times. If vulnerable, the machine will reboot or you will encounter a Grub rescue shell.

The rescue shell gives the attacker the full set of bootloader privileges, within the rescue function only, to load customised kernels and operating systems, install rootkits, copy the entire disk, or destroy all data on the machine.

The researchers traced the fault to two functions, grub_username_get() and grub_password_get(), which both suffer from an integer underflow. When the user presses backspace, the code decrements the unsigned length counter of the input buffer without first checking that there is a character to erase. Erasing characters that do not exist drives the counter below zero, so it wraps to a huge value, and the later writes through that counter (the terminating zero byte and the clearing of the rest of the buffer) land outside the buffer. That out-of-bounds write corrupts memory enough to crash the bootloader or drop it into the rescue shell with authentication bypassed.
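To make the underflow concrete, here is an added example in C that is not GRUB’s source and not the researchers’ code: a simplified line reader modelled on the backspace-handling pattern described above, in its vulnerable form beside a hardened one, with keypresses fed from a constructed byte string instead of the keyboard. The type and function names (keysrc, read_line_vulnerable, read_line_fixed and the helpers) are ours. Because the real bug ends in a write through the wrapped index, the vulnerable version here stops short of that write and reports the index it would have used, so the demo runs without corrupting its own memory.

```c
/* Added example, not GRUB's own code: simplified line reader showing the
 * unsigned-counter underflow on backspace, vulnerable and fixed variants.
 * All names here are our own. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32u

/* Constructed key source: each byte of the string is one keypress. */
struct keysrc { const char *p; };

static int next_key(struct keysrc *ks)
{
    if (*ks->p == '\0')
        return -1;                     /* no more input */
    return (unsigned char)*ks->p++;
}

/* Vulnerable pattern: cur_len is unsigned and is decremented on backspace
 * without checking that there is anything to erase. The real code then
 * writes buf[cur_len] = 0 unconditionally; here we skip that write when
 * the index has wrapped, and report via *oob that it would have gone
 * outside the buffer. Returns the index the write would use. */
static unsigned read_line_vulnerable(struct keysrc *ks, char buf[],
                                     unsigned buf_size, int *oob)
{
    unsigned cur_len = 0;
    int key;

    while ((key = next_key(ks)) != -1) {
        if (key == '\n' || key == '\r')
            break;
        if (key == '\b') {
            cur_len--;                 /* integer underflow when cur_len == 0 */
            continue;
        }
        if (cur_len + 2 < buf_size)    /* false once cur_len has wrapped */
            buf[cur_len++] = (char)key;
    }
    *oob = (cur_len >= buf_size);
    if (!*oob)
        buf[cur_len] = '\0';
    return cur_len;
}

/* Hardened pattern: only erase when a character exists to erase. */
static unsigned read_line_fixed(struct keysrc *ks, char buf[], unsigned buf_size)
{
    unsigned cur_len = 0;
    int key;

    while ((key = next_key(ks)) != -1) {
        if (key == '\n' || key == '\r')
            break;
        if (key == '\b') {
            if (cur_len > 0)           /* the missing check */
                cur_len--;
            continue;
        }
        if (cur_len + 2 < buf_size)
            buf[cur_len++] = (char)key;
    }
    buf[cur_len] = '\0';
    return cur_len;
}

/* Drive the vulnerable reader with n backspaces (n < 60) on an empty
 * prompt followed by Enter; returns the index and sets *oob. */
static unsigned run_vulnerable(int n_backspaces, int *oob)
{
    char keys[64], buf[BUF_SIZE];
    struct keysrc ks = { keys };

    memset(keys, '\b', (size_t)n_backspaces);
    keys[n_backspaces] = '\n';
    keys[n_backspaces + 1] = '\0';
    return read_line_vulnerable(&ks, buf, BUF_SIZE, oob);
}

static unsigned vulnerable_index_after(int n_backspaces)
{
    int oob;
    return run_vulnerable(n_backspaces, &oob);
}

static int vulnerable_oob_after(int n_backspaces)
{
    int oob;
    run_vulnerable(n_backspaces, &oob);
    return oob;
}

/* Run the hardened reader over a key string; returns 1 if the resulting
 * line equals expected. */
static int fixed_reads_as(const char *keys, const char *expected)
{
    char buf[BUF_SIZE];
    struct keysrc ks = { keys };

    read_line_fixed(&ks, buf, BUF_SIZE);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("vulnerable: index after 28 backspaces = 0x%08x (out of bounds: %s)\n",
           vulnerable_index_after(28), vulnerable_oob_after(28) ? "yes" : "no");
    printf("fixed: \"\\b\\b\\bab\\bc\" reads back as \"ac\": %s\n",
           fixed_reads_as("\b\b\bab\bc\n", "ac") ? "yes" : "no");
    return 0;
}
```

Compile with `cc -Wall demo.c`. The printed index 0xFFFFFFE4 is simply 0 minus 28 in 32-bit unsigned arithmetic, which is why the exact number of backspaces matters: a different count moves the out-of-bounds write to a different address, and 28 is the count the researchers found lands somewhere useful. Note that unsigned wraparound is defined behaviour in C, so the compiler and the default UBSan checks will not flag the `cur_len--`; the bug only shows up at the later write (which ASan can catch) or under code review, and the fix is the one-line `if (cur_len > 0)` guard in the hardened reader.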

Not only does the vulnerability give attackers the chance to steal data and tamper with peripherals and passwords, but Linux entries can be modified to deploy malware.

An emergency patch is available on GitHub, and the main vendors have been made aware of the flaw; users should update their machines as soon as their distribution ships the fix. It is worth noting that an attacker needs physical access to the machine (or its console) to exploit it, and that a bootloader password only raises the bar for such an attacker: without full-disk encryption, anyone who can boot the machine from their own media can still read the drives.