Free content filtering for your kids and family


I have been on a mission for quite a long time now to find a reliable parental control solution and content filtering solution and created a detailed post on the subject a few years ago.

I have tried all kinds of software, most of which has been lacklustre or simply unreliable as it will randomly stop working (Microsoft Family Safety, Bitdefender Parental Controls) or simply doesn’t do what it claims and gives you a false sense of security (Qustodio).

Avoid iPhones

Many parents cannot afford to pay for software for all their devices as it is, and Apple has now made this an even more difficult solution for parents by blocking all 3rd party software vendors from using parental controls on iPhones and iPads or by crippling their software and making it useless.

So if you are thinking of buying your child an iPhone or iPad, I would suggest you consider an Android device instead if you want any kind of parental control.

DNS Filtering

Lately, I have been trying out a number of DNS filtering services and I believe I have finally found one that not only works, but is also FREE, at least for the basic service. It is called CleanBrowsing DNS.

How DNS works

What this basically does is take your DNS requests and, instead of just returning the IP address to your device as normal DNS would, it processes the request itself and returns the website content with any filtering applied.

So it will either completely block any website on the not-allowed list, or enforce SAFE SEARCH mode on sites like YouTube and Google, thus overriding local settings on your devices.

Using DNS filtering is a simple case of changing the DNS servers on your broadband router admin, which will affect every device in your house that is using WIFI or connected to the router via cable.

If you have older kids with mobile phones, then you would also need to apply the cleanbrowsing DNS settings to their phones directly, otherwise, it would have no effect when they are connected to the mobile network.

You can find various setup guides over on the CleanBrowsing website for most devices.

Other Considerations

Please bear in mind that DNS filtering is very easy to bypass for any kids that are quite computer literate or even just know how to use google to search for a workaround.

So for older kids, you will need to have some parental control software on their devices in order to stop them changing the DNS settings, and be sure to check for yourself that it cannot be changed. I recommend MMGuardian.

On Windows computers/laptops, you simply need to make sure that your kids are not administrators, and only standard users, then they will not be able to change network or DNS settings. You should make yourself the only administrator.

The free version of CleanBrowsing will not block social media sites. If you want to do this, then you will need to purchase the paid plan so that you can add your own filters to block those sites or others which are not blocked by default. You can also create separate profiles for each child if required.

If you have set the DNS filtering at router level and want to bypass the DNS filtering on your own devices, then simply set different DNS servers on those devices. I recommend using CloudFlare DNS rather than your ISP.

Are you sharing sensitive data & passwords on freelancer websites?

As a freelancer/consultant I use freelancer sites like PeoplePerHour or Upwork to get gigs. One of the issues evident in every job I have done is the disregard for security.

Most IT or web related jobs done on PPH are going to involve the exchange of sensitive data, which is required in order to do the job. Clients will gladly share everything with multiple freelancers without a second thought, including their logins for control panels, hosting accounts, domain registrars, website and everything else.

This unconscious sharing of such details has massive security implications which I will address below and offer better and more secure alternatives.

Security Bad Practices

Your login details are for your own use, and everything that is done with your login credentials links back to you. If you share these credentials with multiple people and there is a security breach, you will have no idea who is responsible. If you are an employee and have a boss, then you will most certainly be blamed for the security breach, which could cost your company dearly.

You should not post any sensitive information in the job chat/discussion on the freelancer site (unless they are temporary logins which will be revoked). These conversations will most likely be stored in plain text and not encrypted in any way. Certainly, in the case of PeoplePerHour, I have asked them directly and they have confirmed this is the case.

Hackers are everywhere

Thousands of sites get hacked and data is stolen every single day. Most of them are unaware they have even been hacked and the breach can go unnoticed for months or even years in some cases.

If any of the freelancer sites suffer a security breach, the hackers will have access to any data which is not encrypted, which includes all those login details that clients have entered in the chat with their freelancers. Not forgetting that the support staff can also read all your discussions as well, so any dishonest support agent could simply lift your login details and use them for illicit purposes.

Sadly there are also a lot of unscrupulous freelancers out there too, who will intentionally do damage to your systems in order to generate more work for themselves, or may seek revenge in the event of a dispute or disagreement.

I have had several jobs cleaning up after such situations and have found all kinds of back doors, insecure plugins, malware and extraneous logins which presumably had been created by other freelancers.

SECURITY GOOD PRACTICES

Ideally, you should find a single reliable freelancer/company who you are happy with and stick with them, rather than using a different freelancer each time. Not only is this better for security, but using multiple freelancers can also cause other problems as they are oblivious to what work their predecessor has done, and so will often break or undo each other’s work.

Sticking with the same person/company creates a relationship as well as a recurring income, which will, in turn, result in better quality of work, fewer issues and less expense as they will know your systems and the work they have done before and be more inclined to keep you happy.

Plus any decent freelancer/contractor will use a task/project manager and will keep notes on the work he does for ongoing clients which also improves communication and project management.

Do not post sensitive information in the workstream/chat. An exception would be if you are providing a temp login which will be revoked once the job is done.

If you do need to give a freelancer (or anyone) temporary access to your accounts or website, then ideally you should provide them with their own login, not give them yours, which you should revoke (delete) once the job is done.

If it is not possible to create a separate login for your freelancer, then you should always change your passwords after the job has been completed.

HOW TO SECURELY SHARE YOUR DATA

everyone should use a password manager

Cloud document sharing

Everyone has access to cloud storage and the ability to share files and documents FOR FREE.

I come across a surprising number of people who are unaware of this, but every single Windows user has access to OneDrive by default. It is part of the Windows operating system and allows you to sync up to 5GB of files to the cloud for free. You can then share these files with anyone simply by sending them a link.

Even if you do not use Windows, you can still get a free Microsoft / OneDrive account.

So you could temporarily put all the info you need to share into a text file or word doc, and share that link with your freelancer. Once the job is done, unshare that file and delete it.

NOTE: This is also not an ideal method, and it is still not very secure to have your login stored in plain text, but it is certainly better than putting them into your workstream, where they will be on display forever, or sending them via email.

If you do not know how to share files with OneDrive, then please read this article “how to share files with others using OneDrive“.

You can also do the same with Google Drive, which you also already have access to if you have a free Gmail account.

Use a password manager


Using a password manager is something I recommend to everyone. It will remember all your passwords and other personal info for you, software licenses, bank details etc. It will automatically log you into websites, fill in forms, generate strong passwords for you and more.

The two solutions I generally recommend are LastPass and Dashlane, both of which offer a free edition, although there are many other apps available which vary in features and simplicity.

Password managers are also the most secure way to share logins and other sensitive information with your freelancer and then revoke the share once the job is done. You simply choose to share a login, enter the freelancer’s email address, and it will send them a share request. If they already use the same password manager, then job done; otherwise, they simply need to register for the free version in order to accept your share request.

As a result the login details are never shared in plain text, as the freelancer will only use the password manager.

WORDPRESS ACCESS

I am going to mention WordPress specifically because this is something I deal with a lot, since I build, support and manage WordPress websites.

In almost every WordPress job I do, clients will send me their own admin login, which they have sent to every freelancer before me, who still have access as the password has never been changed.

If you need to give someone permanent access, then create a new admin user just for them. If you just need to provide temp access, then I suggest using the “temporary login without password” plugin, which will allow you to provide a temporary login which will automatically expire after x number of days.
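To find leftover freelancer logins like the ones described above, you can compare the site's administrator accounts against a list you keep yourself. The script below is an added example, not part of the original post: it reads the JSON printed by WP-CLI's `wp user list --role=administrator --format=json`, and the account names, dates and the `EXPECTED_ADMINS` list are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample of what `wp user list --role=administrator --format=json`
# prints. All logins, emails and dates here are made up for the example.
SAMPLE_WP_OUTPUT = """[
  {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
   "user_registered": "2015-02-01 09:00:00", "roles": "administrator"},
  {"ID": 7, "user_login": "agency_dev", "user_email": "dev@example.net",
   "user_registered": "2023-05-10 14:12:03", "roles": "administrator"},
  {"ID": 9, "user_login": "wp_support1", "user_email": "x@example.org",
   "user_registered": "2023-11-02 03:41:55", "roles": "administrator"}
]"""

# Your own record of who should have admin access (hypothetical structure).
# None means permanent; a date is when the job, and the access, should end.
EXPECTED_ADMINS = {
    "siteowner": None,
    "agency_dev": "2023-06-30",
    "old_contractor": "2022-01-01",  # already deleted from the site: no finding
}


def audit_admins(wp_user_json, expected, today):
    """Return (login, status, detail) for every admin that needs attention.

    status is "unknown" for an admin you never recorded creating, and
    "expired" for a temporary admin whose agreed end date has passed.
    """
    findings = []
    for user in json.loads(wp_user_json):
        login = user["user_login"]
        if login not in expected:
            detail = "not on your list, registered " + user["user_registered"]
            findings.append((login, "unknown", detail))
            continue
        end = expected[login]
        if end is not None and date.fromisoformat(end) < today:
            findings.append((login, "expired", "access was due to end " + end))
    return findings


if __name__ == "__main__":
    for login, status, detail in audit_admins(
        SAMPLE_WP_OUTPUT, EXPECTED_ADMINS, date.today()
    ):
        print(f"{status.upper():8} {login}: {detail}")
```

Any "unknown" account should be investigated before it is deleted, since it may be one of the back-door logins mentioned earlier.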

Adult Website Blackmail Scam


This week I have started receiving a new blackmail/scam email which seems to be doing the rounds.

This scam works on the premise that the recipient of the email has been visiting porn websites such as xvideos or pornhub, which of course is most of the male population, and the blackmailer then tells you that he installed malware on your computer via the website and has recorded a video of you spanking your monkey, which he will share with all your contacts if you do not pay the ransom.

Firstly, stay calm and don’t worry, none of this is true, it is a scam.

While this type of scam is nothing new in itself, the convincer is the fact that the scammer has one of your passwords which is linked to your email address, which makes the threat more believable.

I have received several of these emails so far, all almost identical, demanding various different amounts of money via bitcoin. In all cases the email did indeed quote a real password I have used in the past, which has obviously been obtained from hacked websites, but they were old passwords that I have not used for at least 10 years, and the same is true for other reports I have read, so these scammers are obviously using some very old data.

As I’m sure everyone knows by now, websites get hacked on a regular basis, in fact roughly 37,000 websites per day get hacked, but only the big well-known sites/companies make it into the news.

The cybercriminals steal all the personal details of all the users/members from the hacked website’s database and then use them for fraudulent purposes, such as phishing, identity theft, blackmail etc. They also use the gleaned details to try to access other sites where you may have used the same login details. The cybercriminals also often put all the obtained details online for other criminals to use.

How do you know if your data has been stolen?

There is a handy website called haveibeenpwned.com which keeps track of hacked websites and stolen data, and will tell you if your email address appears in any of those known data thefts. I checked my own email and found that at least 15 websites I have used in the past have been hacked and my details stolen. So I would strongly suggest you check haveibeenpwned.com for your own email address and see if any of your passwords have been hacked, and if so, reset them ASAP.

This is why it is really important NOT to use the same password on multiple websites, and to use a password manager such as Dashlane or LastPass to generate and store random passwords and to use a good cyber security product to protect you online, such as BitDefender.
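As an added example (not part of the original post), the script below checks a list of logins for breached and reused passwords using the Pwned Passwords range lookup offered by haveibeenpwned.com, which only ever receives the first 5 characters of each password's SHA-1 hash. The function names, the sample logins and the breach count of 1000 are constructed for illustration, and `make_offline_fetch` stands in for the live service so the example runs without a network connection.

```python
import hashlib
from collections import defaultdict
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Ask the live service for every hash suffix that shares this prefix."""
    request = Request(RANGE_URL + prefix,
                      headers={"User-Agent": "password-audit-example"})
    with urlopen(request, timeout=10) as response:
        return response.read().decode("ascii")


def breach_count(password, fetch=fetch_range):
    """How many times the password appears in known breaches (0 if never)."""
    prefix, suffix = split_hash(password)
    # Only the prefix leaves this machine; the match is done locally.
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def audit(logins, fetch=fetch_range):
    """logins maps site -> password. Report breached and reused passwords."""
    sites_by_password = defaultdict(list)
    for site, password in logins.items():
        sites_by_password[password].append(site)
    report = {"breached": {}, "reused": []}
    for password, sites in sites_by_password.items():
        count = breach_count(password, fetch)
        if count:
            for site in sites:
                report["breached"][site] = count
        if len(sites) > 1:
            report["reused"].append(sorted(sites))
    report["reused"].sort()
    return report


def make_offline_fetch(breached_counts, seen_prefixes):
    """Constructed stand-in for the service; records what it was asked for."""
    def fetch(prefix):
        seen_prefixes.append(prefix)
        lines = []
        for password, count in breached_counts.items():
            known_prefix, known_suffix = split_hash(password)
            if known_prefix == prefix:
                lines.append(f"{known_suffix}:{count}")
        # An unrelated suffix; a real response lists hundreds of these.
        lines.append("0" * 35 + ":3")
        return "\r\n".join(lines)
    return fetch


if __name__ == "__main__":
    asked = []
    offline = make_offline_fetch({"password": 1000}, asked)  # constructed count
    sample_logins = {"forum": "password", "shop": "password",
                     "bank": "kX9#vT2!pQ7m"}  # constructed sample data
    print(audit(sample_logins, offline))
    print("sent to service:", asked)
```

To run it against the real service, call `audit(your_logins)` without the second argument.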



Here is the email I received. I can imagine this might scare the crap out of anyone who was actually visiting xvideos.com recently, is not very security savvy and uses the same password on multiple websites.


FROM: Juliet Blount <[email protected]>

I do know (REDACTED) is one of your pass word. Lets get directly to the purpose. None has compensated me to investigate about you. You may not know me and you’re probably thinking why you’re getting this email?

actually, I placed a malware on the X vids (pornography) web-site and do you know what, you visited this site to have fun (you know what I mean). While you were watching videos, your internet browser began operating as a RDP having a keylogger which gave me access to your display screen and web camera. Immediately after that, my software program collected all of your contacts from your Messenger, Facebook, as well as email . After that I made a double-screen video. First part shows the video you were watching (you have a fine taste ; )), and next part shows the recording of your cam, & its you.

You actually have two different choices. Lets check out these types of choices in particulars:

First solution is to neglect this e mail. In that case, I will send your recorded material to just about all of your personal contacts and also imagine about the shame you feel. Moreover if you happen to be in a loving relationship, precisely how it is going to affect?

Next choice will be to pay me $7000. I will call it a donation. As a result, I will promptly delete your video recording. You could carry on with your way of life like this never took place and you surely will never hear back again from me.

You will make the payment via Bitcoin (if you do not know this, search for “how to buy bitcoin” in Google search engine).

BTC Address: 1FCxzQitbQb9VVz6y7cqkdPdZbeJcfYrYM
[CASE-SENSITIVE copy and paste it]

In case you are thinking of going to the cops, look, this mail cannot be traced back to me. I have dealt with my steps. I am also not attempting to charge you so much, I simply want to be paid. You now have one day to make the payment. I have a specific pixel in this e-mail, and right now I know that you have read through this e mail. If I don’t receive the BitCoins, I will definitely send out your video recording to all of your contacts including family members, colleagues, etc. Nevertheless, if I do get paid, I will destroy the recording immediately. This is the non-negotiable offer, thus please don’t waste my personal time and yours by responding to this email message. If you need proof, reply with Yea! and I will certainly send your video to your 6 contacts.

Tech support scams on the rise


A typical technical support scam works like this:

1. A user receives a phone call, claiming to come from Microsoft or their ISP, claiming that a security problem has been found on their network or computer.

One trick fraudsters may use to gain a less technically savvy user’s confidence is to trick them into looking for error messages in Windows Event Viewer’s logs.


In fact, such entries are completely harmless and should not be considered evidence of a malware infection.

2. The scammer tricks their intended victim into giving them remote access to the user’s computer in order to “fix” the issue. In truth, they install a remote access trojan (RAT).

3. The scammer claims to have identified fake “threats” on the victim’s computer and scares the user into handing over their payment details or making an online purchase to “fix” the computer.

Usually, the scammer will present the situation as urgent and requiring immediate action in order to prevent their intended victim from checking with a tech-savvy friend or relative.

In some cases, the scam will begin with the user seeing bogus security alerts on their computer, which urge them to “call support” for advice.


New statistics published by Microsoft reveal that the number of complaints its own customer services team have received about tech support scams has risen 24% since 2016, with some 153,000 reports from 183 different countries around the world.

15% of the complainants admitted that they have lost cash to the scammers, losing between $200 and $400 on average. The financial losses can be much higher, however. One report received by Microsoft in December 2017 detailed a scammer who had drained a bank account belonging to a victim in the Netherlands to the tune of 89,000 Euros (US $108,000).

The problem isn’t limited to Windows desktop PCs – all manner of devices and operating systems have been targeted, including mobile platforms and Apple Macs – but I think it is fair to say that most commonly the callers do claim to be calling from Microsoft, or on behalf of a company working with Microsoft.

Microsoft is itself at pains to point out that it does not send unsolicited email messages or make unsolicited phone calls offering to fix computers, or requesting personal or financial information.

It simply isn’t in the business of proactively reaching out to people to offer them technical support.

In a similar vein, a genuine Microsoft error message or security warning will never include a phone number. So don’t ring it!

This is all fairly simple advice for you and me to follow, and I’d like to think that if you’re reading my blog, you’re already more security-savvy than the typical computer user.

But don’t forget that even though you may not be duped by technical support calls like those described in this article, it’s perfectly possible that you know somebody elderly or vulnerable who could be fooled. Always be on the lookout on their behalf, be sure to warn them about “friendly” unsolicited technical support calls as they could be the next to fall victim.

If you believe you have been on the receiving end of a technical support scam you can report it to Microsoft via an online form at www.microsoft.com/reportascam

If you do not currently have a cybersecurity solution in place, then I recommend BitDefender. This is the product that I use myself, and I also offer managed BitDefender GravityZone solutions to clients.

Hacked Websites Report 2017


The Hacked Website Trend report is a report produced by Sucuri. It summarizes the latest trends by bad actors, identifying the latest tactics, techniques, and procedures (TTPs) seen by the Remediation Group (RG). This report will build on the data from the previous quarters, including updated data for 2017.

The one constant you’ll find in this report is the issues pertaining to poorly managed or unmanaged websites.

This report will give trends based on the CMS applications most affected by website compromises, the type of malware families being employed, and updates on the state of website blacklisting. It does not consider data related to WordPress plugin configurations.

This report is based on a representative sample of the total number of websites the Sucuri RG performed incident response services for in Calendar Year (CY) 2017. A total of 34,371 infected websites were analyzed in this report. This sample provided an accurate representation of the infected websites worked on by the remediation group in 2017.

If you would like your website managed, feel free to contact me about my website management services.

Qustodio Review


If your kids have multiple devices on different OS’s (Apple, Android, Amazon, Windows, Mac, Linux), then parental control can be a real nightmare, as most apps are not available on all platforms.

For desktop security, I was using Microsoft Family Safety for time limits and activity reporting plus BitDefender for cybersecurity + openDNS for an additional level of content filtering at the router level.

For my kids’ mobile devices, I was using MMGuardian + Kid-Control. If your devices support these 2 apps, then I would recommend using these over Qustodio.

Last year I bought Amazon Fire tablets for my eldest boys, and due to their age I could not use the built-in “fire for kids” mode as it was too childish and restrictive, and they just refused to use the tablets.
Sadly MMGuardian is not available on Amazon marketplace, so I had to look for something else, as it quickly becomes very confusing and a lot of hassle if you are using different products on different devices, so I started looking at the limited options available on the Amazon store.

Due to the ongoing issues with Microsoft Family Safety, I was also looking for an alternative solution for my kids’ desktop PCs as well.

Qustodio

There was little choice on Amazon marketplace, so I decided to give Qustodio another try.

TL;DR summary: Qustodio has very poor security and is easy for kids to bypass or simply uninstall the app. You definitely cannot rely on Qustodio and will need to be diligent and technically aware enough to also manually check and monitor your kids’ devices every single day to make sure they have not tampered with Qustodio.

I tried out the trial version of Qustodio a few years back when I wrote my article Cyber Security: How to protect your kids online, but it was lacking in several areas so I didn’t bother installing it on my kids’ devices and opted to go for MMGuardian + Kid Control at the time, as MMGuardian had better monitoring, better activity tracking, better security and more control but lousy GPS tracking, which is why I used Kid-Control as well.

Overall, the first impression of Qustodio is that it seems to do a fairly decent job at blocking content and controlling screen time. It blocks dangerous sites, it enforces safe search in all browsers and on youtube, it allows you to block or allow specific apps and websites either globally or per device, and it also allows you to set time limits.

The interface is not especially intuitive, and until you get used to the app, it is quite an effort to figure out how some features work and where to find the settings as some options are rather disjointed and the web interface does not match the Android app. My wife still struggles to find where or why something is blocked or disabled.

With the screen time, you can enable/disable time controls by setting which hours of the day the device can be used, and you can also set the allowed number of hours each day. So you could, for example, say that they can use their tablet for 4 hours per day between 9am – 7pm.

Since I have started using Qustodio, they do seem to have implemented one of my suggestions, and you can now set time limits on specific apps as well, which means you can limit time on games or social media only for example.

All access levels are very much an all-or-nothing solution though, so you cannot make a change that applies today only, for example. If you block access on Tuesday, it will be blocked every Tuesday until you undo it.

What I really wanted is a time quota solution like Microsoft Family Safety, allowing time to be added ad-hoc on a daily basis, so kids have no time by default, they have to come home from school, do their chores etc, and then they could request time, at which point I would grant the request and give them x number of hours screen time. This was very flexible and very easy to manage and meant that if they were banned for being naughty, I just did not give them any time that day.

Lack of Monitoring

One huge issue is the complete lack of any social media or chat app monitoring. Qustodio claims on their website to have social media monitoring, but this is not true. The only option they have is for Facebook on desktop PC, which requires the child to install the Qustodio Facebook app, which can just as easily be removed by your child, so is essentially useless. There doesn’t seem to be any support for the Facebook mobile app or monitoring for the many other social media websites or apps on mobile devices such as Twitter, Instagram, Google+ or any of the myriad of chat apps such as WhatsApp, Skype, Sarahah and all the others.

The whole reason for monitoring your kid’s online activities is to make sure they are not being harassed, threatened, bullied or getting involved with bad people. In this respect, Qustodio completely fails and is essentially useless. They could be chatting to paedophiles or being groomed by drug dealers, and you will never know.

Location Tracking is Unreliable

Most times I tried to use the location tracking to find out where my kids were, it gave a completely wrong location or was still reporting an old location from hours or even days ago.

For this reason, I do not rely on a single product, as none of them has been perfect. I primarily used Kid-Control for the location tracking, but this has also become unreliable, so I am again looking for alternatives.

Changes require a reboot

This one really does defy logic for me. If you make any changes to your child’s settings, such as block/allowing an app, adding/removing time etc, this will often not take effect until the next day unless you reboot the device.

So let’s say your child is being naughty or has not done their chores, and you lock their phone as punishment, you think they now have no access. In fact they are sitting up in their room using their phone as normal.

Tomorrow comes, the block has now kicked in, but your child has now gone out with their friends. You remove the lock, but of course, it has no effect. So unless your child thinks to reboot their phone, they are now stuck, unable to use their phone or make calls, and think you have done it on purpose.

Poor Security, Easy for kids to bypass

Sadly, any good features about Qustodio are rendered completely moot by the fact that the security is terrible and it is very easy for kids to bypass.

The first thing I noticed, is that when the screen time runs out, Qustodio locks the screen whenever you try to do anything, but it takes a few seconds for it to kick in. This means that the kids can still use the device in those few seconds, as they just continually keep opening the apps for a few seconds to read messages etc. It is also possible for them to perform blocked actions if they are quick enough, as they can perform the action before Qustodio blocks it.

For example, even if you have blocked access to the play store, so they cannot arbitrarily install apps, this can be bypassed. Granted it is repetitive and arduous, but kids will go to any lengths to get around restrictions.

All my kids are quite IT literate, and since I wrote this review originally, one of my boys figured out how to completely uninstall Qustodio and told his brother how to do it. Frankly, it wasn’t hard, a quick Google search brings up a youtube video showing you how to do it. It took me a couple of weeks to notice since Qustodio does not alert you that the app has been removed and is no longer being monitored, so that was 2 weeks of unrestricted access for both my boys.

Since then I have discovered an even easier method. You simply uninstall Qustodio in the usual way (hold icon, drag to uninstall link), but if you do it quick enough then you will bypass the anti-tampering, as it takes a couple of seconds to kick in.

There is no easy way to stop your kids from doing this either, so my only option was to tell them I was now monitoring for the app being removed and to regularly check their phones. I did contact Qustodio a few months back to report this issue, but they don’t really seem to care.

A few weeks later my kids had then figured out how to bypass Qustodio instead by using the android Guest account, meaning that when I checked their phones, everything seemed fine to me. I only found out about this due to them slipping up and using their phones right in front of me after bedtime when they were supposed to be locked and forced them to show me what they had done. If not for this slip-up, then I would have been oblivious for who knows how long.

I advised Qustodio support about this issue too, and again there was no real feeling that they care, and clearly nothing has been done to address this as it is not exactly a new hack. The best they do is offer a workaround, which is to make yourself the primary user on your kids’ phones, and then add them as guest accounts. Not ideal.

So if your kids are good with IT and computers, or are even just savvy enough to use Google to search for “how to hack Qustodio”, then they are going to get around Qustodio easily, and it might potentially take you months until you twig.

Since I did not have these issues with MMGuardian, which seems to be more secure overall, I would have to recommend MMGuardian over Qustodio, which while not perfect, is more secure and does have better monitoring. I will be switching back to MMGuardian myself and finding something else for the Amazon tablets.