PROTECT YOUR FAMILY
"Information is Power"
TARGET: CHILD / TEEN
Any parent will agree that a child changes dramatically with every year (intellect, personality, etc). Regardless of the child's age, however, we can probably all agree on the following points:
1. Children receive access to the Internet at a young age.
2. Children have access to more than one device (school, friends, public library, internet café, etc).
3. Expectations that “parental controls” will work are wishful thinking (this is particularly true for teens, who are usually more tech-savvy).
4. Children and teens often have a lot of freedom.
5. Children and teens are naturally more naïve than adults.
Usually, the last point is a major building block of an Internet attack. According to Wikipedia, “Social engineering… refers to psychological manipulation of people into performing actions or divulging confidential information.”
There are many types of attackers when it comes to children specifically(!), but it’s hard to think of a case where psychological manipulation was not a major ingredient of their attack. Naturally, children are far more vulnerable than adults when it comes to the attack the aftermath is also usually more devastating.
Let us examine some attacks…
Cyber-bullying:
A bully at school posts embarrassing material (text, photos, videos) about the victim on Facebook. Kids can be cruel, and this type of online attack is popular. Schools and authorities are often either in the dark or unable/unwilling to intervene. Maybe the bully also sends text messages, emails, other types of PM (personal messages). Victim impact can be severe, and there are documented cases of suicide.
Public sexual harassment:
Anyone on the Internet may be the attacker. This attack may come as a component of a cyber-bullying attack, or on its own. This can be done via social media (Facebook, Twitter, etc) or on a personal site (such as a blog). Any kids or teens can be targets, regardless of age, gender, physical appeal, etc. The target doesn’t have to be the usual sexual harassment stereotype: an attractive girl. It can be any child. For example, an overweight Asian boy can be made fun of with comments on his Asian ethnicity in light of related stereotypes; and his obesity. It’s one thing to receive such comments in a gym changing room or playground, and it’s a whole other thing to receive them on Facebook, in front of a large and unknown number of friends, family, and strangers.
Private (covert) sexual harassment:
This is similar to the public version, above, but it’s direct. Again, the attack may be supplemented by cyber-bullying. The idea is that a child receives communication that is sexual in nature by private communication (text, email, pm (private message)). This may appear to be a weaker attack than the public version, but there’s no reason to make such an assumption. For instance, a text message exchange may get out of control, and the victim may fear that the attacker will post screenshots of the conversation on social media, escalating the attack. The attacker may even be planning this from the beginning.
Scam:
Kids can be easily manipulated by experienced, cunning predators. An average parent teaches a child not to talk to strangers, not to accept car rides from them, etc. There are many Internet versions of that. While reading the following scenarios, please imagine a grown man/woman in another country sitting at a computer and talking to the target child.
* “Hi Sara, my names Sara 2!!! and I’m also 12. U r a total cutie, u wanna be friends? Add me on FB!! :P “ [FB = Facebook]
* “check out this game, its really cool! U can… [do cool stuff]. And we can play 2gether! Ima send u the file… here.” [attachment sent / file transferred]
The above attack is primitive and typical. A more advanced version can include the following step:
* “u cant install it? Oh, I think I know what the problem is… here, let me go on ur comp and I can do it…”
This attack involves use of easily accessible software such as TeamViewer, LogMeIn, VNC, etc. This type of software is used for Remote Desktop Management, and basically allows one computer to virtually control another computer through the Internet. In this scenario, Sara would have to give “Sara” access to her computer. Needless to say, this is jackpot for “Sara”. Without getting too technical, here is a summary of the attacker’s gains from that exchange:
1) Visual identification - picture of Sara is available on social media.
2) Facebook friend status – escalated privileges for the attacker. This is a security compromise by itself. He/she can now view Sara’s entire friend-level permission information.
3) There was a file transfer. The file could be anything. It could be a dud (for the purposes of executing the last step, involving TeamViewer, and access to Sara’s computer), or it could be a simple Trojan horse virus. The file pretends to be something innocent (a small computer game, in the scenario), but contains a malicious payload. Assuming it successfully bypassed the antivirus, Sara’s computer is now infected and she’s vulnerable.
4) Relationship established. Sara is now under the impression(!) that she has a new friend. This means that there has been a successful social contact on “Sara’s” part, a sort of foot-in-the-door. Sara is now more likely to be successfully led by “Sara” in future communication. Experienced predators have had plenty of experience with failure, and know how to take baby steps towards their goal. Stalking or grooming a victim may take days, weeks, or even months. The important part is the element of (misplaced) trust.
5) Attacker performs intrusion. He/she has access to the child’s personal computer (or phone, tablet, etc). This is mostly self-explanatory. Again, please refer to the “All” target category for technical info on common attacks.
Coercion:
The principle is quite straightforward, but the attacks can vary dramatically. If an attacker has compromising material on the target, the attacker might be able to create leverage. This can lead to an increase in the amount of compromising material in the hands of the attacker. For example, a threat of negative PR…
* “We’ll tell everyone you’re gay. Here’s a screenshot of your conversation where you admit it. Yeah, it’s photo-shopped, but who’s going to believe you? Now give us your email password.”
Yes, this is an illegal act. The attacker(s) may not know and/or may not care. The important part is the existence of the attack, and the pressure on the target. A child can easily submit to such an attack. This is very common in the next type of online attack…
Sexual assault:
In 2017, the first criminal case of intercontinental (online) rape was born. A man in Europe used coercion to force underage girls on other continents to perform sexual acts during audio-video communication with him. He threatened to harm their families if they failed to obey. This is a very good illustration of the magnitude of the problem at hand. The methods used in such attacks may be limited to just social engineering (no technical skills needed above those of a regular end-user). The family is unlikely to become aware. The child is typically secretive (for obvious reasons), and sometimes the family only becomes aware by accident if at all. Of course, if the attacker is not on another continent but is actually a local, the danger is much greater.
Parents may console themselves by thinking “my child would never do that, my child is very smart, I taught my child well.” It is logical to believe this, however there are case studies that disprove such logic. Specific individual girls and boys (ages approximately 10-17) were targeted by study groups with parent permission and supervision. Statistics vary, but almost every parent was convinced the child would not be fooled. As a result of a variety of social engineering techniques, the children would successfully go to the nearby park to meet their new “friend”, get into their vehicle, or allow them into their home.
This was only an introduction to the dangers of Internet use with respect to children and teens. Again, it is important to understand there are many types of online attack, and infinite variations of each. The goal was not to terrify the reader, but if the material scared you then you are on the right path. Fear is not a bad thing in good measure - it is a crucial tool for survival, after all.