Understanding the Heartbleed bug

The Heartbleed bug has been widely reported over the last month, but what is it and how does it affect e-safety?

Firstly, let us just clear up a common confusion between the terms 'bug' and 'virus'. A bug is a mistake or error in a computer system which can cause a system to malfunction or to behave unexpectedly.

The term bug is derived from the days when computers used valves as opposed to transistors or solid state electronics and actual insects getting into the workings of a system would cause errors.

A virus is a piece of often malicious software code which is designed to spread from computer to computer and usually has a mission to interfere with the running of that system or to access data that shouldn't be available.

A bug may lead to a computer system having a security hole. A virus may be written to take advantage of that bug and thus circumvent system security.

However, it is not just a virus which may 'exploit' a bug. A known error in a system could, for instance, be exploited by communicating with that system remotely using software, or by direct input from a computer terminal.

So what is the Heartbleed bug?

In order to secure a 'session' between a user and a computer system on the Web, a protocol called SSL (Secure Sockets Layer) is used. The aim is to encrypt data sent over the internet so that it can only be understood by the sender and the intended recipient.

A protocol is a defined standard which software systems implement in order to communicate with other systems with their own implementation of the protocol.

In a Web application there are many protocols and patterns which need to be implemented. Rather than building these from scratch for every single computer system, most software languages make use of tried and tested libraries of common requirements, such as the implementation of a protocol. This is good practice, as it ensures consistency and in general reduces the number of potential errors.

The SSL protocol is widely implemented in Web systems using the library OpenSSL, and it was this piece of software which contained the error. This essentially meant that, once discovered, the error could potentially be exploited to allow a third party to access a supposedly secure communication session and retrieve data it should not have access to.
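The error itself was a missing length check in OpenSSL's handling of the TLS 'heartbeat' extension: a heartbeat request carries a number saying how many payload bytes to echo back, and the vulnerable code trusted that number instead of comparing it with the bytes actually received, so a reply could include memory beyond the request. The C below is an added illustration, not OpenSSL's code or the original post's; the record layout, the function names (heartbeat_payload_len, heartbeat_reply, the check_* helpers) and the sample records are assumptions constructed for this example, and the check mirrors the one the fix added.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record (RFC 6520): one type byte,
 * a two-byte big-endian payload length, the payload, then at least 16
 * bytes of padding. Added illustration, not OpenSSL's code. */
#define HB_PADDING 16
#define HB_RESPONSE 2

/* Returns the number of payload bytes that may safely be echoed back, or
 * -1 if the claimed length does not fit inside the record received. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return -1;                 /* no room for type + length */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* This is the check that was missing: the request's own length field
     * was trusted, so a reply could copy bytes that were never sent. */
    if (1 + 2 + claimed + HB_PADDING > rec_len) return -1;
    return (int)claimed;
}

/* Builds the echo reply into out (capacity out_cap); returns bytes written
 * or -1 when the request is malformed or the output buffer is too small. */
int heartbeat_reply(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap) {
    int n = heartbeat_payload_len(rec, rec_len);
    if (n < 0 || (size_t)(3 + n + HB_PADDING) > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)n);    /* only bytes the peer really sent */
    memset(out + 3 + n, 0, HB_PADDING);     /* padding; real code uses random bytes */
    return 3 + n + HB_PADDING;
}

/* Constructed sample records: a well-formed 4-byte "ping" and one whose
 * length field claims 65535 bytes while only 4 were sent. */
static const uint8_t kGood[23]      = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t kOversized[23] = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};

int check_good(void)      { return heartbeat_payload_len(kGood, sizeof kGood); }
int check_oversized(void) { return heartbeat_payload_len(kOversized, sizeof kOversized); }
/* Returns the reply length (23) when the echo is correct, -1 otherwise. */
int check_reply(void) {
    uint8_t out[64];
    int n = heartbeat_reply(kGood, sizeof kGood, out, sizeof out);
    if (n != 23 || out[0] != HB_RESPONSE || memcmp(out + 3, "ping", 4) != 0) return -1;
    return n;
}
```

With the check in place the oversized request is rejected outright rather than answered with 65535 bytes; without it, the reply would be built from whatever happened to sit in memory after the 4 bytes that were sent.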

Fixing the bug

Once discovered, the bug was fixed or patched within OpenSSL relatively quickly. The next step was for computer systems to apply the new fix to their servers.

Our own servers, which run this very Web application were patched on 8th April and are now secure against any Heartbleed exploits.

What's all this about needing to change my passwords?

There have been some very confusing mixed messages about whether a user needs to reset their passwords.

Firstly, the Heartbleed bug only affects systems which have used OpenSSL; however, this is a huge number of systems. As a rule, though, most banks do not fall into this category.

There is a list here on Mashable.com of the most commonly used Web sites together with advice as to whether or not they were vulnerable to Heartbleed and whether a password reset is recommended.

The Heartbleed bug potentially allowed a third party to obtain user details, including email addresses and passwords, for a system. 'If' this has happened then that system is no longer secure and the password should be reset. However, it is not known how many systems, if any, were actually attacked, and thus there is no way of knowing for sure for any given system whether a reset is required.

The risk is low, but ...

Many people tend to use the same password for multiple systems, and so it is possible that an email address and password obtained from one single system might be usable to access any number of other systems. So, for instance, if the password you use for a compromised system is the same password you use to access your email account, your email is no longer secure.

It is for this reason that resetting your passwords is recommended.

As a rule it is good practice to ensure you have secure (mixed case, letters, numbers and symbols) passwords which are unique to each system you access. It's also a good idea to change these passwords periodically.

For the more tech savvy reader, the ever excellent XKCD had a great cartoon explaining the specifics of the bug.

Written by Safeguarding Essentials on April 24, 2014 13:36

Selfies... harmless fun or careless exposure?

Michael Gove has done it recently, as have David Cameron and Barack Obama (courting controversy in its wake too). We're talking 'Selfies', and a staggering 91% of teens are doing it.

Along with the growing trend, there are accompanying Apps which play up to our insecurities and perpetuate the concept that we need to project the perfect image to the world. The Apps that are most worrying are 'Skinnee pix' and Snapchat.

Skinnee pix is the most worrying app in terms of young people, as it's designed to shed up to 15 lbs off your image. Justifying the app, the makers claim that photos add an average of 15 lbs to the average person and they are simply taking away what photos add. However, it's still encouraging teens to see and be curious about what they would look like 'if only' they could lose a stone in weight. Moreover, is it encouraging users to sink deeper into narcissism? After all, it's been proven that women and young girls post more Selfies than males; does this prove that females base their self-worth on how attractive they are, as opposed to intelligence, personality and skills?

Snapchat is another growing app, being used by 24% of 8 year olds. This is a service where you send photos and a short message to a recipient, and they exist for only 10 seconds before disappearing into the cyber abyss. It could be argued that the very temporariness encourages users to be more risqué or to push boundaries further, as there won't be a permanent record of people's online behaviour. It also could make cyber bullying far more difficult to prove or track, appealing to young people who are tempted to send things for a 'joke' when it is anything but for the recipient.

Lastly, on the subject of Selfies: if heads of state are able to make errors of judgement about the appropriateness of taking and sharing their Selfies (Nelson Mandela's memorial), then expect our young people to sometimes get it wrong too.

Good advice to give to young people about selfies

- Employers can and will check online profiles, so always be mindful that photos are a true representation of you as a person. They should depict you in a positive light, incorporating interests and hobbies, loved ones and positive aspects of your life, rather than the stereotypical 'duck face' pouts and buffed-up shots. Think: how do I want a stranger to perceive me?

- Pictures can tell a thousand lies, as the saying goes. Online pics are not, and should not be, a substitute for real relationships. Don't hide behind your online profile. Meet people and communicate face to face to build confidence and network!

- Reflect on your need to post a lot of Selfies. Ask yourself: what is my aim? What do I want to get out of this? Maybe you need to fulfil yourself in other ways to gain confidence. Think about what may be lacking in your life.

- Don't base your self-worth and popularity on comments and likes; you have qualities other than your looks. It means so much more to get a pat on the back for something you have achieved than for what you were born with.

If you would like to add your thoughts on this topic, please use the comments section below. You may also be interested in the 'Selfies' lesson plan available to E-safety Support Premium and Premium Plus members.

Written by Vicki Dan on April 17, 2014 17:13

Ofsted Publish Update to Inspecting E-safety Briefing

As the Easter break began for many schools across the UK, Ofsted released their latest version of the 'Inspecting e-safety in schools' briefing document.

In the main, the inspection criteria remained unchanged - the only exception being an amendment to the key features of good and outstanding practice for management of personal data.

This section now reads:

  • The impact level of personal data is understood and data is managed securely and in accordance with the statutory requirements of the Data Protection Act 1998.
  • Any professional communications that utilise technology between the school and pupils/students, their families or external agencies should:
    - take place within clear and explicit professional boundaries
    - be transparent and open to scrutiny
    - not share any personal information with a child or young person.

There is, however, now more information about why e-safety is such an important issue for schools to face, notably the change in device ownership showing a decline in mobile phones amongst young people in favour of tablet devices. This could be indicative of how young people are using technology: while school work remains the top online activity for UK youth, they are also playing games, viewing TV shows and films, downloading music and, of course, interacting on social media sites.

Figures quoted in the report recognise the rise in usage of social media sites among young people, with the transition between primary and secondary education apparently being a trigger. 28% of young people have a Facebook account as they leave primary school, but this rises to 59% for 11-12 year olds.

Further data provides evidence that parents are now more likely to talk to their children about online activity. 83% of parents trust their children to use the internet safely.

The subject of online personalised advertising is raised for the first time in this edition, with 42% of 12-15 year olds stating that they were not aware that websites could use their information in that way. A definition of this will be added to the E-safety Support Knowledge Base.

As ever, at E-safety Support, we will review the resources available from our website against the latest Ofsted briefing and will update the material as necessary. Members will be advised about updated resources via the Members Dashboard.

Written by Safeguarding Essentials on April 10, 2014 08:12
