Security and Children's Web Sites

Two NY teens were arraigned last Wednesday for trying to extort $150,000 from Myspace.com.  They threatened to release exploit code that would allow for the pilfering of identity information of Myspace.com users.  (See story.)

Late last year, I was asked in an interview where I thought the arena of online attacks would go.  My response was to look at children-friendly sites and games like Neopets, MapleStory, and Runescape.  Well, my prediction was not exactly correct.  None of these sites have been hit by any automated or programmatic attacks, though each suffers from its own versions of social engineering attacks (more commonly referred to by kids as "scams").  However, shortly thereafter, worms were released on both Myspace and Xanga.

It's always a good time to discuss computer security issues with your children.  Here's some thoughts to start:

1)     Generally, don't talk to strangers.  Unfortunately, children are not going to abide by this, as part of the fun of online games is to meet and play with other people.

2)     Don't tell anyone your real full name.  A first name should be good enough.

3)     Don't tell anyone your age.

4)     Don't tell anyone where you live.  For purposes of playing with new-found friends on-line, just tell them the state, or the time zone and when it would be possible to play together again.

5)     To register online for games, don't give out your birthday!  As a general rule, always use January 1^st.  If the site has a requirement to verify the user's age, then the year of birth could be used.  But all online birthdays should be January 1^st.  (All horses have a birthday of January 1.)

6)     Many sites now ask only for your zip code.  But even there, if you've ever lived at a different address than you do now, use that old zip code.  In fact, if the site is not going to be actually sending you anything via US Mail, use that old address for all registrations.

7)     Establish an online email account for the purpose of using it as the registration email address for any online registration.

8)     Establish an answer to the online "security" questions, like "Name of favorite pet" or "Mother's maiden name".  Especially for something like "Mother's maiden name" which is actually used for identity purposes later in life, make up an answer.  If your children have a school mascot, what's its name?  And just use that same answer for all the *online game* registrations.

9)     And if there's going to be money involved, always require that a parent be involved.

Computer security starts with being aware.  And children need to be made aware.  Or tell them it's just another form of "hide and seek."