BreachExchange mailing list archives

New Hacker Threat -- Targeting You Through Your Kids


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 17 Oct 2013 00:18:32 -0600

http://www.huffingtonpost.com/david-kennedy/new-hacker-threat_b_4101584.html

As adults get better at avoiding suspicious websites and fake email
attachments, some hackers are shifting their strategy to go after a
family's weakest link -- kids.

With a growing number of kid-friendly websites, online games and mobile
apps now on the market, children are becoming important consumers of online
content -- and a perfect target for hackers.

Why would a hacker want to target your child? Aside from sexual predation,
hackers can use your child as a gateway into the home PC. With children,
hackers have an easier way to install malware (e.g., viruses, computer
worms, remote backdoors) on a family computer that is likely to also
contain financial information and be used for online banking. Once a hacker
is on the home PC, they can do any number of things -- record credit card
data and bank logins (which they will later use to make transactions or
sell on the black market), steal your identity, spy on you through the
webcam (a practice known as "ratting"), extort you, lock you out of your
computer (known as "ransomware") and more. They're also able to steal
children's identities and sell these on the black market.

It's important for parents to realize that just because you have parental
controls on your computer, that doesn't mean your child is safe from online
criminals. You don't have to go to an adult-oriented website to get
infected. Even children's websites, education sites and well-known brands
are vulnerable to hackers. In fact, web security hasn't progressed that
much in the past few years -- many of the same threats that plagued
websites years ago remain persistent problems today. According to a recent
study by Veracode, 70 percent of web applications fail basic security
standards.

There are dozens of ways your kids could be targeted online, but here are
the ones most likely to happen in your home:

- Infected Websites - If the New York Times, NPR, Washington Post, Twitter
and Facebook can get hacked, do you really think a kid's website is
bulletproof? There's no such thing as a 100 percent safe website, as every
site has a lot of different parts and pieces, and a good hacker can find a
way in. If your kid visits an infected website, they could infect the
computer with spyware, viruses or other types of malware. Recently, hackers
have also used online ads to put malicious code on big websites.
- Spoofed Sites and Poisoned Searches - Kids learn how to Google their
questions at a young age. If you don't have parental controls set, even
innocent searches like "kissing" or "Halloween costumes" could lead to
questionable sites, particularly if they search under "Images." But even
with parental controls set, high-trending search terms (perhaps for a new
movie or toy) could pop up results for fake websites that are deliberately
placed there by hackers to lure victims.
- Malicious Apps - Fake apps that look like games but actually hide viruses
are another growing risk, especially for kids. Malicious apps can spy on
your kids, steal data or try to ring up bogus charges through in-app
purchases. This risk is highest with apps that are downloaded from
third-party app stores, but a number of fake apps have also been discovered
in Android Market/Google Play and, in a few cases, in Apple's App Store.
- Data Breach - Sometimes, security is out of your hands. If your kid
registers on a website, and that website's server is hacked, criminals
could have access to whatever information was included in the registration --
name, age, billing address, credit card, etc.

This doesn't mean parents should keep their kids offline. However, parents
should take a few important steps to protect their children and their home
computers and network:

- Use a Dedicated Device - If this fits within your family budget, consider
getting your child their own computing device -- whether it's an iPad or
Android tablet, iPod Touch or inexpensive laptop (Toshiba, Acer, Asus,
Samsung, HP all have models under $300). This is the best option because if
your child's device gets infected, it won't put your family's online
banking info, credit card data or other online accounts at risk. Stick with
WiFi-only versions, so these aren't registered for a data plan.
- Share More Safely - If you have to share the home PC with your kids, take
a few precautionary measures to lower your risk. First, have your kid use a
different web browser than the one you use for online banking -- Chrome,
Firefox and Internet Explorer 10 all have good security. Disable Java in
your web browser by going into the 'settings' option -- this will protect
you against many common attacks. Make sure you have a good anti-virus
program installed and keep both it and your operating system regularly
updated.
- Lock Down Your Kid's Device - Set up parental controls on your kid's
device -- this won't stop every attack, but it will help. Consider
downloading a "white-listing" tool that prevents your kid from being able
to visit websites that have been reported unsafe -- this will help catch
even legitimate websites that might be temporarily infected. Go into the
"settings" tab of your device and make sure it's prohibited from
downloading apps, making in-app purchases or adding friends to online
games. You should also consider disabling the camera, video and "location
services" which track your child's physical location. Also, on traditional
PCs, make sure your kid isn't logged in as a "local administrator."
- Track Your Kids - A lot of parents have mixed feelings when it comes to
spying on their kids' online activities. Given the growing digital threats
-- hacking, cyber-bullying, cyber-stalking, sextortion, etc. -- parents
should push these concerns aside, particularly for younger kids. There are
a wide range of software tools that can help you keep an eye on what your
kids are doing online, what websites they're visiting and who they're
communicating with -- these include tools from companies like Symantec, Trend Micro,
MinorMonitor, UKnowKids, etc.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/