
K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

Facebook and E-Mail Security for a New Teenager

Cross-posted from a Goal Keeping DBA blog:

Just recently, my oldest son entered the ranks of the teenagers. I shouldn’t actually say teenagers, because I have come to not like that word, mainly because of the influence of the book, Do Hard Things. But with 13 came access to email and to Facebook. Here’s how I tackled things, not only setup, but initial education.

E-Mail:

The first thing I did was set him up with an email account with one of the many providers that are out there. I could have set him up through one of my domains, but I decided this would be easiest for him, especially since I had already planned on getting him a decent cell phone. When I chose the name, I avoided obvious “tells” such as references to video games, to popular cartoons, or to anything else that might scream, “I’m not an adult.” Instead, I went with one variant of his full name, one that would be appropriate on a professional resume.

Now, most email accounts have the ability to contact another email in case you need to get into the account. I set up the emergency email to be one of my wife’s accounts, and I promptly gave her the email address and password to my son’s new email account. I have it, too. The email account password is a strong passphrase with some alterations. It’s not one you’d tie to him in any way but it is one he can easily remember.

Then I pre-loaded his contacts list with the folks he would most likely want to contact and sent an email from his account to all of those contacts sharing the email address and indicating that it was me setting up his email since he was a newly minted 13 year-old. This, of course, served three purposes:

  1. It gave him access to the email addresses of the people he’d most likely email.
  2. It gave those people his legitimate email so they wouldn’t be tricked by an account they thought might be his.
  3. It gave them an opportunity to wish him a happy birthday!

Facebook:

With his email account set up, it was time to set up my son’s Facebook account. I used the email address just created, but chose a completely different passphrase. This ensures that should one password be compromised, the other one isn’t. I went through his profile, configuring the basic information that was necessary, hiding the rest. While Facebook does offer some protection for those who are classified as minors, I’m not going to rely on that. So among some of the things I did:

  • I did not specify his current city. He has already been told not to set this.
  • I specified his hometown as an older one. Folks who legitimately know him will recognize the hometown and know they have the right person.
  • I did not publish his birthday to Facebook (yes, he’ll get posts on his birthday, but how old he is will remain hidden).
  • I locked things down to friends of friends for much of his information, because he is in a youth group and so there has to be some flexibility there.
  • I turned off the location features that Facebook now offers.
  • I configured initial interests that I knew were appropriate for him. For instance, Chris Tomlin as a musician he liked.
  • I picked up a reasonable profile pic that I had. He eventually changed it to another one that is acceptable, too, one of him with his grandfather.
  • And again, my wife and I have his password.

The Phone:

Truth be told, I was looking for a really basic phone that would allow him to call us and to text. For those teens thinking, “No fair! My parents won’t let me have a phone!” it is truly a mixed blessing. As the old AT&T commercial went, him having a phone means I can “reach out and touch someone,” namely him, whenever I want. We have a dispersed church campus and we spend a lot of time there, and tracking him down could sometimes be a chore. Not any more! Now I can get him any time. And believe me, my wife and I have (ab)used this greatly since he got his new phone.

He’s on our plan, which is pretty robust since my wife and I both carry smartphones due to my ministry and professional commitments. Looking at the phones, however, the only decent set of phones that I saw also had the built-in camera and ability to connect to Facebook and Email. As I thought about that, though, it occurred to me that this was just fine. So we got him a good phone, and I set up Facebook and his mail on it, because I knew this would be his primary interface to those two mediums. That restricts some of what he can do, but it also protects him a great deal because the phone doesn’t have a lot of functionality. It’s not a smart phone, so certain security threats are naturally eliminated.

The Education:

Next came educating him on everything. I started with the phone, which is his primary means of communications. First there was the explanation of the shared plan and that his phone use should be limited. He knows my wife and I will check the minutes religiously, so he’s been good about his usage of his phone. Then I showed him how to call out, how to text, and how to access Facebook and e-mail, to get him started quickly. The rest he picked up from reading the instructions that came with his phone. He knows his phone only has a 1 GB card in it, so he has to limit the photos and pictures he might take.

Then, when we got home, I went over email and Facebook. The first rule is, if it looks too good to be true, it probably is. Then we talked about the mentality of attackers on the Internet. They basically don’t care how they get you, as long as they get you. While this is slightly overstating things, and may seem a bit paranoid, having worked in IT security for a number of years, I know it’s not. My son knows I worked in IT security and so when I said “Pay attention,” he really did. Let’s talk about the basics:

Getting Something from Someone You Don’t Know: Unless you know something was coming in, like from a school or something and you just didn’t know the address, automatically be suspicious of this, whether it’s email or a Facebook message or a Facebook friend request. This is a play on your trust.

Getting Something from Someone You Do Know That Doesn’t Fit: This is the classic con game. I explained to him that it’s not too hard to make an email look like it came from someone you know, when it really didn’t. Technically, it may have, but their computer is infected. So if they send something that’s out of character for them, like sending an attachment, don’t open it. Instead, write them back and ask them if they really meant to send it. Even if they did, be suspicious.

If You Get an App Request for a Photo or Video, Close Out the Tab: Facebook photos and videos do not require an application request. If you get one, that means it’s not legitimate. Don’t play around with navigation. Simply close that tab, open a new one, and go back to Facebook. If it was posted to your wall, go into your profile and delete it so it doesn’t get someone else.

If You Get a Prompt Saying You Need to Update Software, Check with Me: We talked about how attackers have used false software updates to push malware onto a system. The unsuspecting user thinks they are getting a needed software update to say, Adobe Flash, and what they are really doing is infecting their system. His account doesn’t have rights to do a software update, so he has to check with me anyway, but should he see such a prompt, he needs to tell me right away.

If It Appeals to What You Know You Shouldn’t Be Messing with, Avoid It: Scantily clad girls, adult content, beer/alcohol ads, etc., it makes no difference. Not only should he not be going after such things because of his age, but it’s just dumb on the Internet. Attackers know what our vices are. And they know that when it comes to our vices, we’ll let down our guard, meaning it’s easier to push malware onto our systems. So knowing that attackers are using our weaknesses against us, it’s just smart to steer clear. It’s not just about purity, it’s also about IT security.

Limit the Facebook Games You Play: I used to play a handful of Facebook games. One was because my cousin was in QA for Zynga and he asked me to play one to give him honest feedback. But over time I started tracking the number of hours spent each week on those games. I wasn’t pleased with those numbers. They are incredible time sinks. They also collect personal information on you from Facebook. So I told him to limit it to a few sets of games I’d approve of. Bejeweled Blitz is one, though that can be addictive. But any of the -ville games are definitely out. This isn’t an IT security one, just a common sense one.

Understand What a Phishing Attack Is: We talked about how attackers will make a link look legitimate but it’s not. Therefore, if it’s something that asks him to disclose any personal information, even his email, he immediately should delete/ignore it. If he thinks it might be legitimate, then he needs to let me see it.

If You Have Any Doubts, See Me: I knew that with the brief education I gave him, he would occasionally come across things he wasn’t sure what to do with. In those cases, he needed to talk to me or my wife (who would likely just ask me). And then I reminded him of the next one.

On the Internet, Be Paranoid: As a security professional, I came to understand the following maxim very well: “Just because I’m paranoid doesn’t mean there isn’t someone out to get me.” There are plenty of attackers looking for anyone they can take advantage of. There are sexual predators out there who will pretend to be a teenage boy or girl and want to be his friend, all to arrange a meeting with him. If you don’t know the person, if you aren’t sure you can trust something, check in with me. It’s better to be safe than sorry.

Likely More to Come:

I’m sure there are some other things I’m leaving off, but this is what we started with, so far as I can remember. It was sort of like a brain dump on him, but he’s done well thus far. Now it’s about ensuring he stays diligent.

Comments

Posted by Steve Jones on 7 December 2010

Excellent advice. I need to do this with my 12 year old. I gave him email last year, mostly because of Scouts, but it's IMAP, on my personal domain so I can monitor it.

Posted by Rob Sullivan on 7 December 2010

Seems like a lot to dump on a kid all at once... Did you think about doing it in phases?

Like Steve, I would definitely use my own domain for the email and mirror the messages to a monitoring account especially for when settings change.

Lastly, (and not that this will necessarily be a problem) for those of us in security, everything you said is very easy to buy into. For someone that isn't, it can be a lot to try to understand because you don't see it first hand. Try to be patient and know that some lessons are learned the hard way.

Posted by Keith Mescha on 7 December 2010

Remember when you had to tell your kids about strangers and not to talk to them. Things were so much easier before the internet! Nice job filing this away for a few years when I'm in this situation.

Thanks,

Posted by K. Brian Kelley on 7 December 2010

DataChomp,

Yes and no. That's actually one of the things Do Hard Things is about. The whole concept of a teenager came about in the 20th century due to excesses in the factories. My son has read that book, and we're going through it in youth group and thus he understands that the expectations on him are high. So, too, though are the privileges as he meets those expectations. So he has shown in the last week or so that he has done a good job remembering the lesson.

Posted by DataChomp on 8 December 2010

That's awesome Brian!  Thanks for the extra back story, and of course, best of luck!

Posted by Chopstik on 10 December 2010

Good advice - and advice that I will certainly be taking to heart as I will need to be doing this with my own soon-to-be-teen.  I sometimes forget what I know and that he doesn't yet!

Posted by tymberwyld on 10 December 2010

You could also use "OpenDNS" which you simply use by changing your DNS Servers on your router.  If this is something you can do, it's worth it since you can manage which sites are blocked and OpenDNS does a good job blocking things that look "fishy" anyway.  There are times I've had legitimate sites blocked, but it's really easy to go into their control panel and unblock it.

Posted by lvokoun on 10 December 2010

I thought this was excellent advice, and I passed the link on to all of my family with teens and pre-teens.  I am also going to ask my 20 somethings to read it and make sure that they have taken their own precautions.

Posted by Mdapache6 on 10 December 2010

One thing I failed to mention to my teenager when I set him up with a phone, email and facebook account is that he should never log into any of those services from a phone that isn't his.  He made the mistake of checking his facebook from one of the display phones at Sprint one time when I was getting some maintenance done on his.  Of course his profile stayed logged in and people posted things from him that were not.  Kids don't think about these sorts of things...

Posted by LOOKUP_BI on 10 December 2010

This is a very good article, I will pass this information to other friends who have kids in the 'soon to be teenager's list'

Posted by toddq on 10 December 2010

Good article, something I need to go check on my 14-year-old daughters Facebook and email.
