Internet safety awareness presentation for teenagers. Includes embedded videos, speaker notes, and examples. Based largely on research out of the Crimes Against Children Research Center.
4. SEXUAL PREDATORS – FACT OR FICTION?
• Are they usually people you know?
• Yes. “Regular” Internet predators are rare.
• Is it easy to talk to adults about this?
• No, but it’s very important.
• Are people who make unwanted sexual requests predators?
• Not necessarily.
5. SEXUAL PREDATORS – FACT OR FICTION?
• Do online predators target males or females?
• Males and females are both targeted.
• What are some ways we can respond to unwanted sexual requests?
6. THE ENEMY TOOLKIT
• Warning signs:
• “Lets go private”
• “Where’s your computer in the house?”
• “Are your parents home?”
• “You seem sad, tell me what’s wrong”
• “What’s your phone number?”
• “LMIRL”
• “If you don’t do what I ask, I’m gonna tell your parents…”
7. THE ENEMY TOOLKIT
• Trolling for:
• Low-hanging fruit
• The lonely
• The vulnerable
• Publicly-available info
9. THE ENEMY TOOLKIT
• Phishing emails
From: FedEx International <fedexint@int4151.co.>
Tue, March 14th, 2017 1:59pm
To: Archimedes <asyracuse@circularlogic.gr>
CC:
Subject: Failed Delivery #265358979323846
Dear Client,
This is final notice for failed delivery of order #265358979323846. If you do nothing, the
package will returned to the shipper. Your quick action in this matter is necessary. For
more information, please check our wesite:
https://www.fedex.com/remediation/case/index.php?id=265358979323846
http://pi.noszorun22a.co.ru/7a36fdb91342/
11. THE ENEMY TOOLKIT
• Out-of-date hardware and software
• Rooted/Jailbroken devices
12. DEEPER LOOK
• Q: What are the safest computers and mobile devices?
• A: Those with frequent, automatic updates:
• Mac OSX
• Windows 10
• Nexus phones
• iPhones
14. DEEPER LOOK
• Q: What does a good password look like?
• A: Longer than eight characters, complex, hard to guess, and
easy to remember
• turQuoisetw0p@nda
• splas#4panCake$
• dexteryakpurpleberry
20. BIG DATA – FACT OR FICTION?
• Do websites have to be breached to expose information about
ourselves?
• No! We often give away more than enough info to harm ourselves.
22. MY OWN ACTIONS
Who are you on the Internet? Consider checking:
• Google web search
• Google image search
• pipl.com
• familytreenow.com
• LinkedIn
• Your employer’s/school’s website
• Town and county online records
• Facebook, viewing your profile as “Public”
24. DEEPER LOOK
• Q: What type of information should we protect?
• A: Anything we don’t want to tell predators:
• Full Name
• Age / Birthday
• Physical Address
• Email Address
• Phone Numbers
• School Name
• Parents’ Names
• Social security number
29. DEEPER LOOK
• Q: What temporary service can I use to ensure my sext goes
away after a few seconds?
• A: Trick question! “…you grant Snap Inc. and our affiliates a worldwide, royalty-free, sublicensable, and transferable license to host, store, use, display, reproduce, modify, adapt, edit, publish, and distribute that content.”
33. DEEPER LOOK
• Q: What percentage of young people have experienced
cyberbullying?
• A: According to a survey:
• 95% who’ve seen bullying online report ignoring it
• 52% report having been cyberbullied
• 20% of those bullied have suicidal thoughts
• 10% attempt suicide
34. MY OWN ACTIONS
• Online Disinhibition Effect
[Diagram: Regular Person − Perception of Consequences + Audience = Total Jerk]
35. CLOSING TIPS
• Don’t be the easy target
• Be aware that nothing on the Internet is truly private
• Keep your equipment up to date
• Be suspicious
Please fill out our quick survey so we can improve our presentation!
Editor's notes
DO NOT BRIEF: If you don’t know, say so. If you have personal stories about when YOU have made mistakes online, they can help you get through to your audience.
Adam Jones
CISSP, Security +
I live in the next town over
[I’m passionate about this cool part of infosec.] And THAT is why I’m here to talk to you today about Digital Citizenship.
(Video plays)
OK, so we’re starting here with the creepy end of the Internet.
Q: What’s the message of this video?
A: There are predators on the Internet, and they get to choose what they look like online. BE SUSPICIOUS.
For the most part, when we’re talking about sexual predators, we mean adults seeking sexual relationships with adolescents – “statutory rape.” This is, most often, consensual sexual contact. What do we know about these offenders?
(Discussion seeds for answers to questions posed)
The stereotypical Internet sexual predator is rare, but he is out there. Maybe 7% of statutory rape cases are “Internet-initiated.” (http://www.apa.org/pubs/journals/releases/amp-632111.pdf)
What are some reasons that it might be difficult to talk to adults about sexual predators?
Most of the time, these requests come from peers. They may be overly interested in sex, trying to shock the person they’re talking with, or goofing around. THIS DOES NOT MAKE IT OK, but it’s a separate issue from predators.
Just by virtue of being young, YOU are a target. Regardless of gender, race, wealth – there are predators who will take advantage of you if you give them the opportunity. (That said, statistically-speaking, females and gay/questioning males tend to be targeted most frequently.)
Responding to requests: Saying “no” clearly and definitively, telling friends, parents, or other trusted adults, or contacting law enforcement.
DO NOT BRIEF: Use a local example of online predatory activity, if appropriate. NOTE: jumping straight to “you might die if you use the Internet” can be off-putting. Know your audience.
[Describe the case in question]
Let’s talk about some of the tools predators may use to target you online.
If you’re communicating with an online predator, what kinds of messages might you see? <CLICK>
How do online predators find YOU? They’re looking on Facebook, Twitter, Instagram, etc for signs of weakness. They’re looking for lonely people. They’re looking for people who are home alone. They’re looking for specific locations and times they can find you. They want to “groom” you with flattery and vulnerability to make you feel closer to them.
Q: How might you already be giving this information away to the enemy?
A:
Posting “Nobody likes me” on Facebook
Posting revealing pictures on Instagram
Geo-tagged images on Flickr
Tweeting your 17th birthday
Losing that piece of paper with your passwords on it
Clicking that link in the phishing email, etc.
OK [guys/y’all], here’s a friend request that hits your inbox. She wants to be your friend! Awesome!
Q: Did she (point to image) create this account? Is this real?
A: Almost certainly not. Predators create accounts like this because people will respond.
The game is all about getting you to let your guard down. Would you accept this kind of friend request? Do you already have someone in your friend list who you don’t know in real life? Who are they, and why do they want to be your friend?
An easy way for the bad guys to get into your computer, your accounts, and your networks is by getting you to believe a phishing email.
<CLICK> There are some tell-tale signs of phishing. Q: Starting from the top, what is the first clue that something’s off?
<CLICK> A: The email is not really from fedex.com. What next?
<CLICK> A: Notice this email is to “Client.” If this were from someone who knew you, wouldn’t they use your name? What else?
<CLICK> A: While the bad guys are getting better at this, bad grammar and spelling are still good indications of a phishing email. OK, how about that web link. That goes straight to fedex.com, right? How do we know?
<CLICK> A: By hovering our mouse over the link, <CLICK> we’ll get a little tool-tip popup showing where the link really goes.
Picking up on nefarious activity online is often about noticing small changes. If something looks odd, be suspicious!
When in doubt about any links, open your browser and type in the site you want to visit (e.g. www.fedex.com).
Sometimes bad links come not in emails, but in fake ads. Remember: the enemy’s plan is to make something that you’ll click on. BE SUSPICIOUS.
Some of the easiest ways to infect your computer involve out-of-date software and hardware. There are free software packages available that make taking over your devices easy if you aren’t updated. And remember: it isn’t just your iPhone’s iOS and your Flash Player that need updating – it’s “firmware” too. Wireless routers, fitness trackers, and even smart TVs run on firmware that can be updated.
Who here has a rooted or jailbroken device? On phones and tablets, the vast majority of exploits don’t work on stock, updated devices. The protections Google, Apple and Microsoft build into their devices don’t work when you root your iPhone so you can install that Nintendo emulator or play ripped movies.
I know those “update now!” messages can be annoying; no one wants to reboot in the middle of an epic Snapchat session. But those security updates they’re pushing are often for vulnerabilities that bad hackers are already actively exploiting. Note that phones like a Samsung Galaxy can be behind on updates. When a vulnerability comes out, it has to be corrected by Google for Android, then Samsung for a device-specific fix, and then pushed by your carrier to your device. For that reason, security updates on these other phones can come months later – or often not at all for devices older than a year.
The first two columns of awful passwords were in the top 25 most frequently found in breaches last year. The third column represents common mistakes people make with passwords: names, nouns, sports references, same as the username, slang, etc.
Q: What’s password reuse?
A: When a person uses the same password across multiple accounts. This is bad because when websites get hacked, the first thing the attackers do is try those usernames and passwords on bankofamerica.com, facebook.com, mail.google.com, etc. If your Neopets account gets hacked and you used the same login credentials with your PayPal account, your money is GONE.
Q: What the heck is single-factor authentication?
A: That’s when you log into an account with only things you know: username, password, mother’s maiden name, street you grew up on, etc. Those can all be stolen easily. For any account you care about, you need to use another factor – maybe something you have, like your phone. Most major websites now offer verification codes sent to your smartphone. If you have that required for your tdbank.com account, an attacker steals your credentials, and the attacker DOESN’T have access to your text messages, they aren’t getting your account. Authenticator apps are even better than SMS.
Q: What’s wrong with the last password? Isn’t that secure?
A: It is secure, but it’s very difficult to remember. <NEXT SLIDE>
<Ask question>
These are passphrases. These are generally easier to remember than traditional passwords but harder to crack – as long as you haven’t picked anything easily guessable. These phrases make no sense – and that’s why they’d work well!
Q: Is it OK to write down passwords?
A: Yes, IF you have a safe place to keep them – a locked drawer, not on a scrap of paper in the same bag as your laptop.
Q: Is it OK to store passwords online?
A: Yes, IF you have a safe place to keep them – a well-known password manager (LastPass, KeyPass, Dashlane), not an unsecure memo or that free app in the app store with 500 downloads.
Be aware that there are easy ways to snoop on wifi – especially on networks with no password. There are tools like the Wifi Pineapple (on left) that make it easy even to pose as other wifi hotspots.
It’s even possible for attackers to spoof cell towers (femtocell device on right), and that’s why secure connections matter. Whenever you’re connecting to something you care about or entering passwords, you need to be sure you’re on the site you think you’re on, and you’re on https with no errors.
Let’s see what that looks like.
What you see are two network data captures. When you’re on the Starbucks wifi, anybody nearby can see your communications with the Internet. On the right is what https traffic looks like. For the most part, it’s unreadable and useless to attackers. It’s even harder for them if you’re on a VPN. On the left is what http traffic looks like. You may not know what every line means, but you can see that this is someone logging onto a website <CLICK> with commando as a username and s3critPassw0rd as their password.
The point of this presentation is NOT to make you unhackable. No one is. The director of the CIA got his email hacked a couple years ago. But whatever you can do to make yourself a harder target helps keep the attackers off of you.
Shifting gears a little, let’s consider how much data we give to big businesses. Facebook, for example, knows what you look like, how old you are, who you’re related to, what types of ads you click on, how long you look at ads you DON’T click on, and even what kind of posts you DON’T finish. That’s right – if you start to type out a status update but then delete it before sending, Facebook has already captured it for its own databases.
Q: Why do Google, Facebook, and many others collect so much information?
A: To sell better ads.
Remember: you are not “customers” of these companies – their advertisers are. YOU are the product. This doesn’t make the companies necessarily bad in any way, but you do need to be conscious of what data you’re giving away and what it could be used for.
Realize too that it’s not just about what those companies intend to use the data for. Every company on this slide has had a major data breach. People’s names, social security numbers, banking details, and even fingerprints have been stolen by malicious hackers over the past few years.
Ashley Madison is something of a special case. Does anyone know that story? Long and short: it’s a website for people who want to have extramarital affairs. So millions of users signed up for this service having been promised complete anonymity – which all went away once their site was hacked and their user database was published on the Internet. The point here is that nothing on the Internet is truly private.
Q: By the way, how can victims of any of these breaches have their leaked information removed from the Internet?
A: They can’t. The Internet is forever, and it doesn’t forget.
From here forward, we’re going to look less at what the bad guys are doing and more about what we do to make ourselves easy targets.
Do employers really do this? Do colleges do this? Do military recruiters do this? YES! Nowadays, your reputation is based, in large part, on how you are represented online.
When I was young, reputations were built on how we interacted with those around us. Today, your reputation is largely built on how you appear online.
DO NOT BRIEF: This video: https://www.youtube.com/watch?v=_CIX_PRcQOg
Alternate video (British): https://www.youtube.com/watch?v=JJfw3xt4emY
Each of these sources (and countless others!) can contain bits of information about you. Put all together, what kind of picture can someone construct?
On that last one, <CLICK>
… if you go to your profile and click on the three little dots <CLICK> and click View As. This will show you what people who aren’t your friend see when they look at you on Facebook. Things to remember: your profile picture and splash photo are ALWAYS public. Even past profile and splash pictures are publicly-viewable unless you’ve gone back in and made them private. Also public are groups you’re in, public posts you’ve commented on, and public pictures you’ve liked.
DO NOT BRIEF: Feel free to swap this out with your own profile page.
Each of these, on its own, may not give other people the keys to your fortunes, but the more that’s available about you, the easier you’re making it for the bad guys.
DO NOT BRIEF: Optional slide. Use this slide to do an open-source search on a volunteer staff member. Use tools like pipl.com and inteltechniques.com. Ensure nothing is embarrassing or inappropriate, but do try to find bits of info that the individual might not realize are easily available.
DO NOT BRIEF: Optional slide. Use this slide to do an open-source search on yourself. Ask the students what you could do to shore up your digital defenses. This can help change the tone from, “Here’s what you’re doing wrong,” to, “We’re all on the path to becoming safer online.”
(This slide and the next can be replaced by either/both of the preceding)
Here’s a fictional social media profile. What kind of mistakes do people often make when it comes to oversharing online? You can see her full name at the top. <CLICK> Let’s blow up these two sections.
See where Charlese signaled that no one will be at her home? See her real email address? Can anyone here guess her full birthdate? (March 5th 2004). How about her photo albums? Do publicly-viewable bikini pictures attract the wrong kind of attention?
What happens when people go beyond PG-rated pics?
Once you send a message or image, you have given up control. You no longer have a say in what happens. Consider this: only 12% or so of high school students have sent a sext. It’s OK to not do it!
How do you think the sender and receiver feel during and after the experience? There might be some excitement during the experience, but most sexts come out of goofiness. Afterwards, many people involved feel “very or extremely upset, embarrassed or afraid as a result.”
Q: Is it illegal to sext?
A: Sexually-explicit images of anyone under the age of 18 are child pornography. If it’s on your phone, you are in possession of kiddie porn. If you send it to anyone – even if it’s of you – you are guilty of transmitting kiddie porn. If you ask for it you are guilty of enticing child pornography. Any of these can make you a registered sex offender. [Add state minimum sentences for child pornography offenses.]
But is it ever prosecuted? <Next slide>
DO NOT BRIEF:
This video is from: https://www.youtube.com/watch?v=pGkaw44-Ql4
Alternate video (Australian): https://www.youtube.com/watch?v=DwKgg35YbC4
Yes it is! Though most cases that get prosecuted involve blackmail, bullying, or forwarding without permission. The biggest thing to remember if you get a sext is to NOT forward one. If you do, you’re probably guilty of transmission of child pornography.
Oh, and guys, “enticement of child pornography” is also a crime. What does that mean? Asking for sexual images! And ladies, if he asks you for “something hot,” what do you tell him? [Pause] No! And then find a new boyfriend!
[Include local news cases, if appropriate]
<Someone answers “Snapchat”>
<Click>
And has anyone ever read the terms of service? Q: What does this line mean?
<Click> A: it means Snapchat (and anyone they pass your data to) can do WHATEVER they want with your snaps!
<Click>And if you read the description on the app download screen, they’ll remind you (at bottom) that other people can use your images however THEY want.
Not to creep you out completely, but in some cases, attackers can take sexually-explicit images of you without your even knowing. A few years ago, Miss Teen USA had her laptop open in her room. Through whatever means (phishing, out-of-date software, clicking a bad link, etc), attackers got into her computer, waited for the right moment, and took pictures of her while she was changing. From there, they tried to extort her for more explicit images. This is why some people put sticky notes over their webcams.
Here’s another one: in 2014, hundreds of nude celebrity photos were leaked. (Jennifer Lawrence, Scarlett Johansson, Kate Upton, Rihanna…) These weren’t images that the women necessarily sent to anyone, but they were automatically backed up to the iCloud. Then, because of weak passwords or phishing, the photos were stolen from the cloud and put on the Internet. The lesson here is that as dangerous as sending explicit images can be, simply taking them can be just as hazardous.
DO NOT BRIEF: To start cyberbullying section, consider showing a video, depending upon audience:
4 min, focus on bystanders: https://www.youtube.com/watch?v=nWqDtz1LlR0
6:30, focus on victim: http://www.digizen.org/resources/cyberbullying/films/uk/lfit-film.aspx/
What does cyberbullying look like? Maybe like these? <CLICK, talk as pictures appear>
(If youth laugh at the images, jump right on it. Perhaps: “Exactly! It’s easy to feel like part of the cool crowd and not sympathize with the target, right?”)
Why do people do this? Do cyberbullies think of what they’re doing as bullying? Maybe they just think it’s funny? What they think of as harmless may actually be harassment. Could you be part of the minority that bullies? What else can you do if you’re feeling disrespected or angry?
What can you do if you’re the target? What if you see it?
Save the evidence (screenshots, chat logs, emails, etc)
Tell parents, teachers, friends, and even the police if it’s serious.
Call the bully out.
Bystanders need courage. In high school and middle school, your social standing can seem like your entire world. Because of that, standing up to a bully – especially standing up for someone “uncool” – can be just as courageous as a Soldier with the bayonet, charging up a hill. Do you have that kind of courage?
What kinds of things can adults do that might be helpful? Is cyberbullying illegal?
Yes!
[Substitute local cyberbullying news if appropriate]
DO NOT BRIEF: Ending with suicide can be off-putting. Know your audience.
There’s been a lot of research about cyberbullying and suicide statistics. How pervasive do you think it is? <CLICK> <CLICK>
Almost everyone’s seen it – and ignored it. <CLICK>
Statistically-speaking, half of you have been cyberbullied to some extent. HALF of you. OK, now I need [10% of the room] to stand up. <CLICK>
Of those bullied, 20% think about suicide. In this room, the people standing roughly represent that percentage. OK, this half of you sit down. <CLICK>
This many people will attempt suicide – helping suicide remain the #3 killer of people your age (4500 American kids every year). Thanks, you can sit down. I want you to think about that number. I want you to think about what it would be like if one of those were your classmate. Your BAE! Your sibling.
Now, the next time you see bullying, I want you to think about what you can do. Think about what you can do to discourage the bully. Think about what you can do to show the victim that you CARE.
DO NOT BRIEF: Sources: https://nobullying.com/cyber-bullying-statistics-2014/
http://www.cyberbullyhotline.com/07-10-12-scourge.html
This is a named psychological effect. It starts with <CLICK> a normal person. We take away <CLICK> the perception of consequences, add <CLICK> an audience, and create <CLICK> a TOTAL JERK.
Why does this happen? Have you ever felt this effect yourself? What can you do next time you feel like being a bully/troll?
Something to ponder: Does online anonymity reveal our meaner selves – or our true selves?
Kindness, folks. Practice it every day – get great at it.
In conclusion, here are some things to remember
And please fill out our survey to let us know how we did!
DO NOT BRIEF: Depending upon the school’s political environment, you might be OK putting an apropos quote like this on this last slide: “I am sending you out like sheep among wolves. Therefore be as shrewd as snakes and as innocent as doves.”