Author Archives: nathan_sweaney

Protecting your Kids from Online Threats

“The greatest gifts you can give your children are the roots of responsibility and the wings of independence.” — Denis Waitley

As information security professionals, we’re often asked about how to best protect children online. I’ve got four of my own, and discussions about what is or isn’t appropriate, are nearly endless. Because let’s be honest, the Internet can be a scary place with a lot of scary people. But it’s also a wondrous, nearly magical place with a lot of awesome people. Walking that tightrope between valuable experience and neglectful exposure is not for the weak of heart, but it is our jobs as parents.

My goal isn’t to protect my kids forever, but to teach them how to protect themselves; to learn how to survive independently. That, however, is a gradual process. In the beginning they need stricter controls and more guidance. As they grow we can allow them more freedom and responsibility to make wise choices.

In the real world we’re instinctively more cautious with our kids. For example when they’re using a power tool for the first time, or driving, or visiting a theme park, we recognize danger and exercise caution. We teach them about dangerous signs and potential mistakes. We have slogans like “Stranger Danger” and “Just Say No” to help guide them. But online the signs are less clear and mistakes are sometimes harder to avoid. On top of that, technology is complex and always changing. It’s hard to keep up.

Categorizing Threats

To better understand how to protect kids, it’s helpful to separate potential threats into two separate categories. The first type of danger is from targeted attackers like stalkers, pedophiles, traffickers, bullies, etc. These are intentional “bad people” that seek out our kids to do harm. As parents, part of our job is to protect our kids from these scoundrels when they’re too young to do it themselves. But the second half of our job is to begin preparing them for the day that they will need to defend themselves.

The second category of threats is from unintended exposure to materials that the kids aren’t ready to experience. This includes things like pornography, profanity, violence, and other forms of vulgarity. It’s important to note with this latter category that oftentimes our children themselves may actually be seeking it out, whether through curiosity or malicious intent. Nothing gets a kid more interested in something than a boundary that he’s not supposed to cross. But we have to be intentional and careful to draw age appropriate lines for what is acceptable and what’s not.

Behavioral vs Technical Controls

Ultimately, protecting kids from any kind of threat is a balance between behavioral and technical security controls. As infants, a completely technical solution is simple. But as they get older and begin to use our phones and tablets, we have to introduce more behavioral controls. This includes things like time limits and clear family rules with well-communicated consequences. Of course technical controls are still very useful. Things like content filtering, app age restrictions, and monitoring tools help enforce the rules.

Over time, this balance begins to shift from mostly technical to mostly behavioral. If we’re successful, by the time our kids are teenagers, we should be able to lean on their responsibility and experience more than on the technical controls. But the technical controls never completely go away. There’s value, even for adults, in being protected from some of the filth in the Internet sewer lines.

Communication is the Key

To make this shift successful, we parents have to engage our kids. Regular communication is the only way to know what issues they are experiencing and how we can help them handle it. It’s the only way to know whether they are making wise, responsible decisions, or flirting foolishly with danger. Because if we’re honest, our kids are smarter than us, maybe not individually, but definitely collectively. With enough time they’re going to find ways to bypass any technical roadblock we put up. Our job is to be interacting with them regularly enough to recognize what’s happening before it becomes a problem.

Here are a few suggestions for Mom & Dad.

  • Set clear expectations with clear consequences (and enforce them!).
  • Set reasonable restrictions on usage. This includes how much time per day and where devices can be used. For example: No devices at the dinner table or after lights-out.
  • Talk regularly about what apps they use and how they use them.
  • Ask who their “friends” are on various social networks.
  • Discuss what kinds of information is appropriate to share with different types of people.
  • Don’t shy away from hard topics (bullies, sexting, porn, etc).
  • Remember that they will likely have friends with no rules or restrictions, so explain why you have rules.
  • Be approachable.
  • Trust, but verify. Set a rule that parents get to audit all connected devices at will.

And here are a few things to talk about with your kids. These will vary based on the age and maturity of the child, but the goal is to develop critical thinking skills.

  • Never give out your location online.
  • Don’t assume people are who they say they are.
  • Understand how much information you’re sharing.
  • Don’t take pictures you don’t want everyone to see.
  • Anything that’s posted on the Internet will stay on the Internet.
  • Nothing online is truly anonymous. You can be tracked.
  • Don’t assume apps will do what they say.
  • Be respectful of everyone. (The Golden Rule doesn’t end at your keyboard)
  • Be VERY skeptical of anyone wanting to meet in person, and never go alone.


Technical Controls

There are also a number of good technical controls to consider. Both Android and iOS have built-in child restrictions, but they must be enabled. For younger children, it’s a good idea to configure the devices to require passcodes to install applications. This gives the parents a chance to review all apps first. Content filtering is also a great tool for all ages. Popular commercial tools like K9 Web Protection, CovenantEyes, and OpenDNS FamilyShield help prevent accidental access to objectionable material.

Additional Resources

Nathan Sweaney is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at, on Twitter @eternalsecurity, or visit the Secure Ideas – ProfessionallyEvil site for services provided.

Whose Code Are You Running?

One of my favorite ways to eat Oreo cookies is to twist the two halves apart, carefully set the filling aside, eat both chocolate halves, and then slowly enjoy the indulgent filling. Without milk, this is by far the best way to fully indulge in both parts of the cookie. But with a glass of… Continue Reading

We’re Just Like the NSA, and Nothing Like Them

During penetration tests, and especially scoping calls, we often get quizzed about what secret, proprietary techniques we’ll use to gain access to privileged resources. Most folks assume they’re doing “good enough” or at least meeting “industry best practices” so only the latest, unknown attacks will be successful. The notorious ZeroDay always seems to take the… Continue Reading

Introduction to Metasploit Video

The Metasploit Framework is a key resource for security assessors. Whether you’re goal is to become a commercial penetration tester, to demonstrate the risk of a vulnerability, or just need to identify certain weaknesses in your environment, Metasploit is your tool. Understanding how it works, and how to get started is the first step. The Metasploit project… Continue Reading

Granular Privacy Controls

Have you seen It’s a location-sharing site designed to let users share their GPS data with others for a set period of time. The idea is that I can enable the service on my phone for 30 minutes and then send you a link to view my exact location. That way if you’re waiting… Continue Reading

What Do YOU Think About Privacy?

“What do you think about privacy?” That’s the question I asked my wife last week. We had just received an email from Target explaining that our personal data was stolen along with 70 million other customers in their latest breach.  The week before we had received notification from our bank that both of our cards… Continue Reading

Intercepting DNS

Intercepting DNS

Recently during a penetration test, I discovered a Linksys WRT54G wireless router that had been installed on a customer’s network. Surprisingly, this device was accessible from the Internet with default credentials. Watching the client list, I noticed several clients connecting on & off throughout the day. We all know that this is bad, but how… Continue Reading

Why Target’s Breach Included PIN Data

Last Friday Target issued an update acknowledging that encrypted PIN data were included in the data stolen in their recent breach. This quickly became a hot news segment and the social media was abuzz with renewed criticism of the retailer. Though the data technically was stolen, and I applaud Target for publicly announcing it, this… Continue Reading