Students will learn about malicious online users who might attempt to use security weaknesses to gather information about them. Students will be able to describe the risks of being online, develop strategies to engage in safer behaviors, identify spam messages, and explain who should ask for their password.
Ready?
Begin Lesson
When you are using the internet, you may expose yourself to risks through the mere act of accessing a web page, communicating online, or downloading data. It is sometimes possible for websites you access, people on the same network, or even third parties to figure out your location or other information about you when you browse.
When you browse the web, it is possible for malicious hackers to collect data on you the same way internet providers do. In order to reduce this risk, you must use a secure connection between you and the website(s) you are trying to access. Regardless of your connection, many websites try to track your usage patterns across multiple platforms. They can watch your browser, location, and other usage patterns to try to figure out who you are.
Malware is harmful code that surreptitiously runs on your computer. Some malware can collect data from any part of your local computer, from your hard drive to your browser data. It can also allow hackers to take control of your computer and use it anyway they’d like. Most malware is simpler, though, such as websites that imitate secure portals like a bank or extensions that put advertisements in your browser to make money.
Be careful when clicking links, ads, or social media posts.
A good rule is that SSL/TLS should protect any login page for an important account (like Google, Facebook, Twitter, or bank accounts). SSL/TLS makes it very hard for a hacker on the same network to send you a fake website if you type in the correct URL, which could otherwise be very simple.
Some websites will be able to run code to access your personal information or online accounts if those platforms make a coding mistake. They can then use your accounts to spam others.
Only download or install software from trusted sources and be thoughtful about when you download executables (.exe, .pkg, .sh, .dll or .dmg extensions). Executables are anything that will execute an action. Sometimes, these can be bad actions. For example, someone can write an executable text to erase someone’s hard drive or install a fake browser. This is why you should only install content from trust sources.
You can use anti-virus software to prevent you from running malware. Some anti-virus software comes with your computer (e.g., Microsoft Security Essentials for Windows); some operating systems, like those on Apple computers, have security settings that block software from untrusted sources from being installed. Think carefully before overriding these settings.
You may also consider browser extensions that can, for instance, block plug-ins that make it harder for websites to figure out who you are or track you. The same plug-in, however, can block functionality of websites, such as the ability to watch videos. Whether or not you decide to install browser extensions comes down to your preferences and the trade-offs you are willing to make in terms of online security. You might consider questions such as: How inconvenient is it for me to be tracked? How much is my privacy worth? How much do I want to watch this piece of content (if, for instance, the browser extension blocks a plug-in that renders video)?
Part of the content of this activity has been covered in Lesson 4: Connectivity. We defer to your judgment in terms of whether or not you would like to go over this material again or skip it.
Without taking the proper precautions, it is difficult, if not impossible, to successfully protect yourself against these online risks (the ones described in the previous section).
New online risks also pop up all the time, so it’s important to stay vigilant.
HTTPS is a standard used by websites to encrypt data passed over the internet. Encryption can prevent a third party from easily viewing data from your connection. It provides an extra layer of security and can be used in any browser by adding “https://” in front of the URL you use (e.g., https://www.mysite.com). However, not all websites support HTTPS.
You should only enter sensitive information (e.g., passwords, ATM card information, mobile banking password) on web pages with the HTTPS:// prefix. You can use software tools to ensure you always use HTTPS whenever possible. Most major browsers have security indicators that look like locks near the address bar to indicate HTTPS connections. Unfortunately, HTTPS does not guarantee that you are safe as some malicious websites can also support HTTPS. HTTPS secures the connection but does not ensure the website is a good actor.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) are names for the technology that keeps HTTPS secure. SSL/TLS uses digital encryption keys, which work a lot like real keys. If you wrote a secret on a piece of paper for your friend, whoever found the paper could see your secret. Instead, imagine you gave them a copy of a key in person and then sent your secrets in matching locked boxes. If someone intercepted the box, they would have a hard time seeing your secret without the key. If someone tried to replace the box with a similar-looking one, you would notice that your key would not work. SSL/TLS works the same way, but with a website.
Browser security indicators will also communicate Extended Validation (EV) certificate information. EV certificates are given to websites that verify their identity to a certificate authority. In browsers, sometimes the EV indicator takes the form of the site’s name or the registering entity next to the address bar. If you’re suspicious of the content on a particular website, you can check to see if the URL in the certificate matches the URL in the browser by clicking on “View Certificate.”
(It may be helpful, on the projection screen, to demonstrate how to find “View Certificate.” How you navigate to this varies by browser. For example, on Chrome, under “View,” click “Developer” and then “Developer Tools.” From “Developer Tools,” click the “Security” tab, then “View Certificate.”)
Aside from not running software from untrusted sources, anti-virus software can prevent you from visiting untrusted pages and downloading malware. The act of “phishing” primarily occurs over email from a scammer pretending to be a legitimate party. They then ask for your password, which they hope you will send over email or enter into a fake website. Spam filters can prevent some of these emails from showing up in your inbox. To make spam filters better, be sure to mark any suspicious emails that end up in your inbox as spam.
Always double-check that you are accessing downloads from trustworthy websites. Be extremely careful about opening email attachments that you don’t recognize and clicking on pop-up windows and error messages. You might also consider installing reputable anti-malware programs on your computer.
This example is intended to show students common websites where people might think it is okay to share their passwords. The password examples can be further localized to reflect common passwords in the area you are teaching. For example:
It is standard practice that you shouldn’t share passwords with anyone besides the application that requires it for login. As described earlier, phishing is the act of tricking someone into sharing their password.
However, some people may explicitly ask for your password in order to access your accounts, claiming that your account may be in danger. While some of these people may have good intentions, like a friend who wants to help you look at something in your account that is puzzling you, it is unwise to share your password, especially if you use that password for multiple accounts. If you do plan to share a password, make sure it is not used anywhere else and use a password manager to share access.
Sometimes, the people asking you for your passwords may be adults whom you know and trust, like your parents, teachers, or employer. Even though you know and trust these adults, typically, it’s a positive experience for everyone (both you and them) to have a conversation about why they are making this request and how they will handle your passwords. Especially with adults outside of your family, it’s a good idea to ask them directly why they need you to give them your passwords.
Asking polite and clear questions is particularly important when a password request comes from an adult outside your family whom you don’t already know personally. If you are asked by a police officer or other government official for your social media passwords, stay calm and be respectful. Ask if anything is wrong and why they are making this request.
Depending on the circumstances of a request by a parent/guardian, teacher, employer, law enforcement officer, government official, or another adult, you may need to give them your passwords.
The circumstances that would make you need to give your passwords include that there is a law or rule in place that requires you to do so or your judgment that the benefit you would get from their help outweighs the risks of password sharing.
If you get a request from an adult for your passwords and that request makes you uncomfortable in any way, seek out a parent/guardian or other trusted adult immediately, ideally before you need to respond to the request.
Based on the rules and laws in your area, consider adapting the example above to fit your local context.
Divide students into groups of two or three. Distribute the “Spam” handout. Afterward, have students develop a flowchart to show others how they might identify spam and whether they should share specific information with certain individuals/groups of people.
Read each of the scenarios and discuss whether each message is spam and whether you should share information with the person or group of people in the scenario.
Give students 10 minutes to do this.
Afterward, ask groups to share their responses.
It is standard practice for websites and companies to never ask for your password over email. You should never transmit your password to anyone this way, even if it seems like the source is legitimate. Email is almost never secure.
Have students return from their groups because the following exercise is for individual students. Give students 15 minutes to create their flowcharts.
Now, on a sheet of paper, develop a flowchart to show individuals how they might identify spam and whether they should share certain information online with others. It may be helpful to use a specific scenario to base your flowchart on either one of the scenarios presented on the handout (if you choose to do so, please write the number of the scenario above your flowchart) or an entirely new one! If you choose to design your own scenario, please describe it in a brief paragraph above your flowchart.
Give students 15 minutes to create their flowcharts.
Congrats!
You've finished the lesson
Students will learn how to keep their online information more secure by using and maintaining strong passwords. Students will learn about the principles of strong password design and the potential problems of password sharing.
View Page
Students will learn about malicious online users who might attempt to use security weaknesses to gather information about them.
View Page
Students will learn what information verification is and why it is important for news consumers to verify the stories they read or view.
View Page
Students will learn about a five-step checklist they can use to verify the origin, source, date, location, and motivation of a news image or video.
View Page
Students will define what a scrape (a copy from an original) is and explain why this can make the verification process more difficult.
View Page
Students will learn how to keep their online information more secure by using and maintaining strong passwords. Students will learn about the principles of strong password design and the potential problems of password sharing.
View Page
Students will learn about malicious online users who might attempt to use security weaknesses to gather information about them.
View Page
Students will learn what information verification is and why it is important for news consumers to verify the stories they read or view.
View Page
Students will learn about a five-step checklist they can use to verify the origin, source, date, location, and motivation of a news image or video.
View Page
Students will define what a scrape (a copy from an original) is and explain why this can make the verification process more difficult.
View Page
Download Selected
Print All
Previous Lesson 