Even if you don’t have school-age children, or aren’t living in a region where schools are currently closed, the video contains a wide range of advice that will help you stay secure at home anyway.
Learn more:
[embedded content]
Watch directly on YouTube if the video won’t play here. Click the Settings cog to speed up playback or show subtitles.
Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.
We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).
Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.
You probably don’t need to be told what sort of products were on offer at an online retail site called DarkMarket.
As you can imagine, it operated on the so-called dark web, and you’d have needed the Tor browser to access it, using a special web address ending in .onion.
Onion addresses can only be reached via Tor – you don’t, and indeed can’t, look up the IP number where they can be reached on the internet, as you can with regular sites like nakedsecurity.sophos.com (192.0.66.200 at the time of writing, if you were wondering).
Instead, you need to connect to the Tor network and ask it to locate and connect to onion sites for you, assuming you know what onion address to use in the first place.
Using a special anonymising protocol, Tor arranges for the “other end” of your anonymised connection into Tor to be paired up with the “other end” of the relevant onion site’s connection into Tor, after which you can talk to each other.
Your traffic gets all the way to the onion site, but you have no idea where that site is because you can only trace your packets until they first enter the Tor network.
Similarly, the server’s replies get back to you, but the server has no idea where you are, for the same reason in reverse.
Dark in the literal sense
As it happens, the epithet dark in the word dark web isn’t a metaphorical reference implying that everything on the dark web is evil and dystopian.
Instead, it refers to the fact that the back-and-forth network traffic of dark web users is dark in the more literal sense of being unilluminated.
Your traffic is shielded by multiple layers of enrcyption and randomised redirection, which not only prevents it being snooped on but also stops it being tracked and traced.
That makes it surprisingly difficult for anyone, notably including governments and law enforcement, to tell what dark web users are up to online.
It also means it’s hard to locate and shut down servers that fall foul of the law.
Dark in both senses
As a result, some dark web sites are pretty much operated in plain sight – their onion addresses are widely known and publicised on the regular web, along with descriptions of what the site is for and what you can buy if you visit.
So it’s no surprise that some dark web sites are dark in both the literal and metaphorical sense.
They’re deliberately set up to be unilluminated so they are hard to keep under surveillance and shut down, giving them a chance to peddle, often rather openly, illegal (sometimes seriously illegal) products and services.
Prohibited recreational drugs, perhaps unsurprisingly, are the products for which the dark web is best known.
Not perfectly private
Despite all the encryption and redirection, Tor’s anonymity and unilluminated invisibility only go so far, meaning that dark web operators sometimes do get caught and servers do get shut down.
The best-known example is probably Silk Road, best known for drug sales, which was run by a man called Ross Ulbricht, whom law enforcement took nearly three years to track down.
It didn’t end well for Ulbricht, who is currently serving a life sentence in prison with no possibility of parole. (Technically, he’s serving two life sentences plus additional sentences of 5, 10, 15 and 20 years.)
Yesterday, Europol announced another dark web takedown, shuttering the abovementioned DarkMarket site and replacing its online content with a warning page:
Multinational co-operation
As you can see from the logos in the takedown page above, the operation required multinational co-operation from law enforcement teams in Germany, Australia, Denmark, Moldova, Ukraine, the UK and the USA.
According to Europol, the servers that were taken down were located in Moldova and Ukraine; additionally, the man alleged to have operated the service was an Australian citizen who was arrested in Germany, close to the Danish border.
Now that the servers behind the operation have been seized (more than 20 altogether, apparently), Europol says it’s confident that data pulled from those servers will “give investigators new leads to further investigate moderators, sellers, and buyers.”
Of course, those servers won’t have the real IP numbers and network locations of DarkMarket visitors recorded in its logs.
Thanks to the Tor network, visits made via Tor will show up as coming from one of Tor’s several thousand active nodes, rather than from the IP numbers of the visitors themselves.
Tor always sends traffic through at least three randomly chosen nodes in its system. There are just over 6000 nodes altogether at the time of writing, run by volunteers. The first node knows your IP number, beacause you connect directly to it, but has no way of telling what you are browsing for or where you want to end up. The last node knows where your traffic ended up, but has no direct way of telling who you are (and no way, if the destination server is itself part of the Tor network, of knowing where you were going or what you were looking for). The middle node effectively serves to keep the “entry” and “exit” nodes apart, which greatly reduces the chance for entry and exit nodes to collude and try to match up exits with entries in order to figure out who went where.
Despite Tor’s help in keeping users anonymous, however, we suspect that anyone with more than just a passing association with DarkMarket is probably pretty worried right now that their identity or location might somehow be revealed by the seized server data.
There is almost certainly a huge amount of data for authorities to analyse.
According to Europol: “At the current [exchange rates, purchasing on the site] corresponds to a sum of more than €140 million [$170M/£125M]. The vendors on the marketplace mainly traded all kinds of drugs and sold counterfeit money, stolen or counterfeit credit card details, anonymous SIM cards and malware.”
Logged cookies and browser metadata (including data leaked due to browser bugs); “private” messages shared with operators or administrators on the site with personal giveways in them; metadata left behind in uploaded files; or information derived from products traded on the site…
…any or all of those might be clues that could help law enforcement follow a few more links in the chain.
We explain how two French researchers hacked the Google Titan security key product (but why you don’t need to panic), and dig into the Mimecast certificate compromise story to see what we can all learn from it.
With Kimberly Truong, Doug Aamoth and Paul Ducklin.
Many pupils are starting their new school term from home rather than the classroom.
For families with younger kids, home schooling is often the first time that their children have needed to use computers (rather than gaming consoles) in earnest.
Whether you’re new to home schooling, going back to it after a break, or an old hand, it’s worth taking a moment to ensure you’re doing it securely.
Taking the time to establish good security practices now will lay the foundations for safe IT use in the years to come.
Shared devices
Many pupils will need to use a shared device to access their schoolwork, perhaps the family laptop or a tablet that their siblings use as well.
Give each child a user account of their own on the shared device.
This enables you to set up parental controls without affecting your own access. It also helps you children get into good security habits, such as having their own password (although depending on their age they may need to share it with you).
To support home schooling, many teachers provide links to online learning resources.
These may be videos hosted on third-party sites like YouTube and Vimeo, materials hosted by the school, or resources on external sites, either free or purchased by the school.
Teachers may also set tasks that require students to do their own web-based research.
All of these activities require children to have access to the internet. The challenge is to enable learning while also protecting your kids from inappropriate websites and keeping adult content out of their search results.
We recommend that you set up an account for your child and then enable the parental controls in your operating system to limit which sites your child can access.
If you’re a Windows 10 user, you can type family options in the search bar and enable parental controls from there. Strict web browsing on Microsoft Edge is then turned on automatically, and InPrivate (incognito) browsing is turned off. For more details, check out the Microsoft guide.
If you’re on a Mac, you do this in several ways depending on which version you’re running. Either search for instructions for your chosen version or follow the steps in our Setting up a Mac for young children article.
We also suggest that you:
Use a home antivirus product that includes parental web filtering. This gives you control over the web content your children can access on the computer.
Take advantage of search engine features to restrict access to adult websites. While these filters are not 100% effective, they do reduce the likelihood of inappropriate results appearing on screen.
Home schooling often requires you to download new apps. These could be dedicated educational resource apps or apps that enable you to work online, such as to annotate digital documents or to attend online classes.
Whichever apps you use, stick to the official app stores. (On an iPhone, you have no choice but to use the Apple App Store; on Android you have the freedom to go “off market”, but we recommend that you stick with Google Play.)
It’s worth also reading other people’s opinions and experiences of new apps before downloading them to make sure that the apps do not include traps such as fleeceware, treacherous programming that sneakily fleeces you for money after a “free” trial period.
By the way, we suggest that you ignore the reviews and star ratings on the app stores themselves. You have no idea who gave those ratings or left the reviews, or even if they ever used the app at all.
Fake ratings and official-looking app store reviews can be bought online at a price that’s almost literally ten-a-penny. Look for reviews in independent user forums or for discussions in online cybersecurity groups.
Should you wish to enforce tight app controls, some parental control features allow you to limit your children to specific apps.
Passwords
Home schooling is often the first-time children need to manage passwords. They likely have a password for their school email and online learning resources, and if they have a separate account on a shared device, they will have a password for that too.
Some passwords, such as those for online resources that the school has allocated, will have been set by the school and you may be unable to change them. However, for all passwords that you’re able to update, it’s good practice to change the default to something that only you know.
Creating hard-to-crack passwords is something children can do for themselves, which gives them a sense of ownership.
This is a great opportunity to introduce them to passphrases: start with words that reflect their interests to make the phrases easier to remember, and then work together to make them more complex.
Depending on the age and ability of your child, you may want to start with simple pass phrases before moving to more complex, mutated ones when they’re ready. For example:
Child’s phrase Simple passphrase Complex/mutated passphrase
------------------ ----------------- --------------------------
Ice cream is yummy Icecreamisyummy IceC^eam?YuMMy!
My teddy Eddy Myteddyeddy MyTeddy//E4d3d2y1
Even a simple passphrase is likely to be significantly more secure than the default password provided.
With default passwords set up by someone else, you can never be sure how many other accounts were set up with the same password, or how many other people have access to the list of defaults that were chosen.
No one wants to start their week with the hassle of re-setting forgotten passwords, and it’s worth acknowledging that children often forget their passwords or phrases.
You could introduce a password manager, but the low-tech approach of writing down the password or phrase and keeping it a safe place that’s separate from the device is often a more practical solution for families.
Historically, password advice has often included rules such as “never write down your passwords”, but if you write them down and lock them away (rather than putting them on a PostIt stuck on your monitor!), the risk of an intruder breaking into your house and stealing them is very slim.
A prerequisite for secure home studying is a secure device. Make sure your devices are fully patched and up-to-date and have good quality security software installed.
Sophos Home (free and paid versions are available) and Sophos Intercept X for Mobile (free) provide business-level cybersecurity for your personal Windows computers, Macs and Android phones, including web filtering.
You can manage the protection for multiple devices from a single Sophos Home account, making it easy to keep all your family’s computers and phones secure.
Privacy
Home schooling is a good reason to talk about digital privacy with your children. There are many steps you can take to maintain your online privacy, including:
Checking the permission settings in your browser. Ensure that location, camera, microphone, and notifications are set to “Ask before access” (or similar wording).
Taking care when the camera is on. Be mindful of what’s in the background when your camera is active. Don’t give apps or websites access to your camera unless you know you need to, and don’t reveal anything you shouldn’t.
The most important tip when it comes to privacy is education.
Talk with your children about the importance of privacy when sharing personal content – what they share, how they share it, and with whom. There’s a huge difference between providing your teacher with a link to a video on a personal drive and uploading it to YouTube for public viewing.
Home Wi-Fi
It’s worth taking a few minutes to check that your home Wi-Fi network is secure, both to protect your personal information and, if a family member is working from home, your company network.
Once an attacker has a foothold on one device inside your network, it’s much easier for them to snoop on what’s going on in your family’s digital life, as well as to break into other devices, including your personal or work laptop, and from there perhaps even to get access to your work network.
Managing home schooling alongside everything else is a major effort for most families, and it can be difficult to find the time and energy to focus on good security as well.
If that sounds familiar (and we write from experience), set aside some time on the weekend when there is less pressure to hand in schoolwork. Many of the items we’ve covered only need to be set up once.
Education is, as always, the key to good security.
One unexpected advantage we’ve found of home schooling is that the increased number of shared mealtimes has provided the perfect opportunity to talk about security and privacy as a family.
Here’s our latest Naked Security Live talk, explaining why HTTPS is vital, even if you’re publishing public data that isn’t confidential.
Thats because HTTPS isn’t just about the confidentiality of the data you browse to – it’s also about improving your privacy in respect of what you chose to look at, when you looked at it, what you browsed to next, and so on.
HTTPS not only stops just about anyone out there scooping up an awful lot of data about your online lifestyle, friendships, hobbies, interests and more, but also prevents those very same people making unauthorised (and undetectable) modifications to the content you view or download in order to mislead you, cheat you or infect you unsuspectingly with malware.
Learn more:
[embedded content]
Watch directly on YouTube if the video won’t play here. Click the Settings cog to speed up playback or show subtitles.
Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.
We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).
Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.