Back to School Security

Back-to-school time can mean a lot of things — a new backpack, a teary sendoff at the bus stop, or spending way too much on textbooks. But here at Social-Engineer.org, back-to-school means refreshing security awareness for students.

There are plenty of reasons students could be targeted for social engineering attacks. Attackers might try to get information about the child of an executive or public figure. Or maybe an attacker wants to compromise the academic institution students attend, and compromising their assigned email account is one way to get into the system. Some students might even hold leadership positions on or off campus that could make them a target in their own right. Plus, stories about students’ identities being stolen for financial gain have been making headlines for years.

That might sound scary, but hey — students don’t need to unplug totally in order to stay safe. Luckily, there are plenty of ways to keep on top of online security that students already know, whether they know it or not.

So parents: Read on for four steps you can teach your children to keep themselves safe online
(using what they already have in their toolkit).

1. Stalk Yourself

Most students already know how to stalk someone’s online presence, even if it’s just the cute kid in calculus class. They’ve probably scrolled through mentions on Twitter or tagged photos on Facebook to see what someone is up to.

How about encouraging them to turning that trick around on themselves? The less information that’s out there about someone, the harder it is for a malicious attacker to craft an attack designed just for that person.

Parents might not have as much experience with online information gathering, so here are some tricks to teach your child if you’re not sure where to start:

Try a simple Google search first. With your child, type in your their name, then their name with the name of their school or university, then their name with your hometown or the city they live in now. Keep adding bits of information to each search to ferret out the most information you can.

Social media accounts are another good place to check. Remind your child that when stalking their own social media accounts, it’s important to log themselves out first. A few sites, notably Facebook, let users personalize their privacy settings, allowing some users to see posts while others can’t. To see what a stranger can, they need to make sure they’re not using a browser they you or a friend are logged in on.

You can also search for information on data aggregation sites like Spokeo, which can provide a wealth of information for malicious attackers.

2. Organize

Once you find those old home videos and photos from college move-in day, what should you do about it?

Good news: You don’t need to delete everything. Some information about students on the internet is a good thing — some students, especially older ones, need employers and colleges to see that they have a professional online presence. Articles they’ve written, research they’ve published, awards they’ve won, and other professional or academic accomplishments help add to their professional identity.

So how do you decide what needs to be there and what doesn’t? Use your collective imagination!

Tell your child to imagine they’re turning in an application for a job, a college, or an honors society, something everyone has done or is about to do. Now imagine that instead of the normal forms, essays, and recommendations, all the interviewer sees is the pile of information you just found. If your child would be embarrassed or possibly rejected from the position, then get rid of it. You could also use the Golden Standard of social media post litmus tests: If they wouldn’t want their grandmother to see it, they should delete it.

But it’s not just embarrassing content that your child should be wary of. Most of us know you don’t want your bank account password out there, but other personal information may be harder to think through. For instance, our good friend Chris told CNBC why you shouldn’t geotag the photos you upload to social media. Your child might not think including a location in their Instagram post or leaving location services turned on in their phone settings would be that harmful, but there are sad stories everywhere that prove otherwise.

It’s easy to imagine what information would be harmful. Just think of what would be creepy for a blind date to know about your child before meeting them. If you would want your child to call their roommate to pick them up from that particular date, then the information shouldn’t be online.

3. Lock it Down

So now that you’ve decided what stays and what goes, it’s time to lock it down. Students everywhere have done this before – they’ve ferreted out every photo, mention, and tag of them and their ex and taken it all down. Students know how to go to great lengths to scrub information from the internet. They can easily apply that same strategic plan to potentially harmful information they found about themselves, with a few extra tricks below to help them out.

Encourage your child to delete, inactivate, or hide old accounts (looking at you, MySpace) that they don’t use anymore. It’s harder to stay on top of the information that’s attached to those old accounts because it’s easy for privacy settings to change and suddenly make information public. Your child can take down potentially harmful information from websites they control, like social media accounts, and contact the administrative team of websites they don’t (like a high school’s website) if they find potentially harmful information there.

Luckily, because privacy on Facebook is an ongoing conversation in popular culture, great articles like this one have been written to walk users through all the intricacies. Twitter even has its own user-friendly guide that can help users stay safe on Twitter and on other platforms, too. And if you found some information on Spokeo, you can visit this page to have it removed.

Students can also up their Twitter, Instagram, Snapchat, etc. privacy by making their accounts private and only accepting follow requests from people they know in real life. If they have a public presence that relies on sharing content on social media, which some students do, they can consider using two accounts – a public one that they limit to strictly professional content, and a private one that they only use with their friends.

An important note about deleting information: It’s impossible to ensure that everything gets permanently deleted from the internet. Tools and techniques like Google caching or the Internet Archive: Wayback Machine can be used to find information that was once online even after it has been taken down by the user. For really sensitive information, you could talk to your child about strategic ways to distribute incorrect information that makes it more difficult for attackers to identify what’s real and what’s not.

4. Follow up

After your initial searches and scrubs, be sure to rinse and repeat. There’s no way to ensure that information won’t pop back up, and there’s usually going to be a way for a motivated attacker to find information that was deleted. Your child should set a calendar reminder on their phone for every two months or so, to start. Keeping a regular schedule, just like they do with their 8 a.m. classes or after-school volleyball practices, will keep them in the habit of being secure as new information is posted about them.

You and your child can even tell Google to keep you both updated as new information about them pops up online. This article explains how to set up Google Alerts, which will send you emails whenever you want to report new instances of whatever keywords you tell it to.

Facebook privacy settings change often, so your child should be sure to check back at their Facebook and other social media accounts to see what’s new. Following informational accounts like @SocEngineerInc or @SecurityIsSexy can also help keep you both up to date with the newest social engineering and other attacks.

At the end of the day, you shouldn’t let statistics and reports about social engineering attacks scare your child into unplugging forever. Your child’s years in school should be fun, educational, and – most importantly – safe. Students already have all the tools they need, so it’s up to you to encourage them to think regularly about their online safety.

Not every attack mitigation technique can be included in a four-step list. What’s more important than any newsletter about safety is the importance of fostering critical thinking in your child. If they can learn, through your guidance and example, how to judge what type of information they should stay vigilant about, then they’re already more than halfway there.

Written By: Hannah Silvers

Sources:
https://www.nytimes.com/2015/04/18/your-money/a-childs-vulnerability-to-identity-theft.html?_r=1
https://www.spokeo.com/
https://www.cnbc.com/2016/08/15/why-you-should-think-twice-before-posting-that-picture-on-social-media.html
https://www.techlicious.com/tip/complete-guide-to-facebook-privacy-settings/
https://help.twitter.com/en/safety-and-security/account-security-tips
https://www.spokeo.com/optout
https://archive.org/web/
https://www.lifewire.com/google-alerts-3481816
https://twitter.com/SocEngineerInc
https://twitter.com/SecurityIsSexy