Safe Surfing

Your kids are being targeted by spyware and other Internet-based threats. What can you do to help them surf safely?

In the first installment of this series, we showed how various Web sites and software publishers target your children and teenagers with threats such as spyware and adware. Now let’s look at what you can teach your kids about how to surf more safely in spite of the dangers. We’ll highlight some of the danger signs that can provide a tip that something is amiss, and show how to respond in a way that can protect your kids and your computer.

Selecting Safe Sites

If your kids are young enough, one way you can help them stay safe on the Web is to strictly control the sites they can visit. If you set up desktop shortcuts that lead only to reputable, children-oriented sites like Nick.com or Disney.com, you can be confident that your children can enjoy hours of fun without going astray.

Once your kids are advanced enough to type in Web addresses on their own or to discover search engines, though, everything changes. At that point all the dark alleys of the Web are just a couple of clicks away. And since you can’t be watching over their shoulder every time they go online, you need to teach them habits that can help them make good decisions even when you’re not around.

Instead of stating a company name, this publisher urges you to “Click yes to continue”. Don’t fall for these kind of hard-sell tactics.

The good news is that a few simple techniques can help your kids surf safely. The most important thing to learn is never — and we really mean never — to download software of any kind from untrustworthy sites. Once your kids agree to download one piece of compromised software onto your system, it’s game over: that software has virtually unlimited access to your machine and can begin downloading all kinds of other undesirable programs.Of course, the devil is in the details. How can your kids determine which sites are trustworthy and which ones aren’t? Let’s look at a few factors that can provide hints.

All About ActiveX

There are generally two kinds of downloads that sites will try to entice your kids with. The first type are “ActiveX controls”. We won’t bore you with the technical details about what an ActiveX control is; the important thing to know is that it’s just a way for publishers to package up software components, often so that the software can run from directly within your Web browser.

Sometimes when you visit a Web page, you’ll get a message like the one above, saying that you need to download an ActiveX control in order to continue. Occasionally, these messages are for legitimate ActiveX controls that really provide a useful function. For example, if you visit McAfee.com, you can download an ActiveX control to scan your system for viruses. Unfortunately, though, most of the publishers of ActiveX controls you’ll encounter on the Web have ulterior motives.

Your kids should be suspicious the moment a Web site tells them that an ActiveX control is required. Since there’s no way of knowing what that ActiveX control might do if you give it permission to download, their first reaction should be to reject the download. Only if they’re absolutely confident that the site is trustworthy — and that the ActiveX performs some function that’s truly useful — should they give permission to proceed.

One clue that a site isn’t trustworthy is if it engages in hard-sell tactics. For example, some sites will give you warnings saying that you must do something in order to continue. Other sites put misleading information in the security warning dialog that Internet Explorer shows; as we show in Image 2, a publisher or site may urge you again to click yes instead of disclosing its name. Both of these practices should be warning signs — why would a legitimate site offering a legitimate control need to resort to such tactics?

Detecting Dubious Downloads Starting with Peer to Peer

It’s not just ActiveX controls that can be infested with adware and spyware, though. Any software you download is a potential carrier. As we mentioned previously, a few types of software are particularly notorious for including unwanted extras. Peer-to-peer file-sharing programs that your kids can use to trade music are a particular problem. But they’re not the only one: other software that’s often infested with adware include free games, screen savers, and packages of emoticons (“smileys”).

In fact, downloading any software from an unknown source is potentially unsafe. We’ve seen spyware bundled along with downloadable games, screen savers, emoticon packs, utilities, Flash animations — you name it. In fact, some companies even sell software that claims to help control spyware but in fact installs spyware.

As a rule of thumb, any time your kids see a product that claims to be free, they should take a moment to ask whether that makes sense. Is it possible that the software can be free to download because its publisher generates revenue from some other source, like popping up ads while you surf?

There’s no definitive way to tell in advance whether a program you want to download contains spyware or adware, so once again the fundamental issue is whether you trust the software publisher or not. If you’re downloading software from a well-known company with a reputation for playing fair, you can feel more comfortable that they won’t want to tarnish their image.

There are other clues you can look for before you download to help provide more information. If, for example, a program comes in both free and paid versions, look closely at the differences to see whether the free version includes adware. Don’t take blanket proclamations like “no spyware” at face value, though — software publishers may be using a narrower definition of the term “spyware” so that they can still get away with including adware. (They may argue that it doesn’t technically “spy” on you.)

You can also learn a lot from taking a quick look at the EULA, or end-user license agreement, that comes with a lot of software. During the installation process you’ll probably be asked to check a box to indicate that you’ve read and agree with the terms of the EULA. Although few people bother to read these tedious pieces of legal fine print, there’s a lot of information in there that can tip you off that extras like spyware might be bundled into the software.

Skim the EULA for suspicious terms like “ad-supported” or “third-party software”. (The phrase “third-party software” usually means that the software you’re downloading will also install software from other companies — and usually that software is adware of some sort.) Additionally, if during the installation process you’re asked to agree to multiple EULAs, you can be almost certain that you’re installing more than just the one product you really wanted to download. Your best bet: Cancel the installation process while you still have a chance.

One other thing your kids should absolutely never download is illegally “cracked” software — that is, software that hackers have modified to disable copy protection. That’s asking for trouble.

Misleading Dialog Boxes

This may look like a Windows dialog box, but it’s an advertisement. Even if you click “Cancel”, you’ll be taken to the company’s Web site. Click the Close (X) button at the upper right instead.

Another way your kids might be enticed by adware-infested software is through bogus pop-up ads and fake dialog boxes. Sometimes browser windows like the one shown in on the right will pop up, imitating a dialog box claiming that your computer is infected and needs to be scanned. Don’t believe them: This ad is just like a billboard from a company that wants to scare you into downloading something you don’t need. Don’t click any of the fake buttons in the ad, either, or you’ll be transported to the company’s site. When an ad like this appears, your best move is to simply click the X in the upper right corner of the window to close it.

Other sites pop up a barrage of browser windows and dialog boxes quickly in the hope that you’ll get confused and do something foolish. Is this the kind of site you want to trust? Of course not — but sometimes browser windows will pop up so quickly that you may not be able to close them in time. If this happens, one trick you can use is to press Ctrl+W, which closes the topmost browser window. (To help remember, just think of W as meaning “window”). If things get out of control, just start repeatedly hitting Ctrl+W until all the open browser windows are gone. And put the site on your mental list of sites you don’t trust — any site that needs to resort to tactics like this doesn’t deserve your business.

E-Mail Threats

E-mail that looks legitimate might take you to a criminal’s site.

Your kids face threats from places other than Web browsing, too. E-mail can be a particular problem. We all know how annoying spam, or unsolicited commercial e-mail, can be. But believe it or not, spam can actually be dangerous, too. More and more spam messages use a technique known as “phishing” (pronounced like “fishing”) to try to get you to part with sensitive information like credit card numbers, bank account information, or passwords. These scams are even worse than adware and spyware because they have the potential to ruin your finances and your life, not just to wreck your computer. (Fortunately, though, they tend to target adults more than children because adults are the ones with credit cards etc.)

The way a phishing scam works is that you receive an e-mail that looks like it comes from a reputable source such as your bank. The e-mail tells you that you need to log on to verify some account information. But if you follow the link in the e-mail, it doesn’t take you to your bank’s Web site — it takes you to a hacker-run site that looks like your bank but captures your account details.The moral of the story: Never click on a link in an e-mail. Don’t even trust the fact that the e-mail appeared to come from someone you know: e-mail addresses can easily be forged, and sometimes spam and phishing attacks can come from the account of a friend or family member whose computer has been infected with a virus or worm.

Earlier we mentioned how important it is not to download software from sources you don’t trust. The same goes for e-mail attachments. Never open an e-mail attachment that isn’t both from someone you trust and is something you expect. Don’t open games, screen savers, or cartoons that friends and family send because they, too, can be infected with adware. Kids who receive files from friends via instant messenger software should have the same concerns.

While we’re discussing instant messaging, let’s also take a moment to highlight personal safety. Remind your kids that, just as in real life, they should never give out personal information like their last name, phone numbers, addresses, or other private details to people online who they don’t know. Older kids who might flirt in online chat rooms need to be particularly cautious; while we don’t want to overplay the threat from online stalkers, the truth is that you never know who might be on the other end of an online conversation if it’s not someone you know and trust from the real world.

Surf Safely

Emphasize to your kids that safe surfing doesn’t have to mean depriving yourself of fun. If they encounter, say, a lyrics site that insists you download an ActiveX control to continue, they should just back out, go back to a search engine, and find another site that doesn’t try to fool them into downloading software they don’t want and don’t need. If they want peer-to-peer music-sharing software, which is often infested with truly staggering amounts of adware, your best bet is to pay for the adware-free versions. Much as we hate to suggest you give your money to a company that endorses adware, in practical terms it’s far better than the alternative of slowing your computer to a crawl. If it’s games they’re looking for, urge them look for trial downloads or reputable free games sites like pogo.com or games.yahoo.com rather than using suspicious ones.

Nobody’s perfect, so you should supplement these techniques with tools that can help keep your computer secure even when someone makes a foolish mistake. Run anti-virus and anti-spyware software (and make sure you download updates regularly). Use Microsoft’s windowsupdate.com site to make sure your system has the latest security patches. Turn on the Windows Firewall. If you’re really concerned, consider using a Web-filtering program that blocks URLs of sites known to include dangers.

Robert P. Lipschutz is president of Thing 7 and the father of three children. John Clyman is president of technology consulting firm Narrative Logic, LLC, and a leading expert on anti-spyware software.