Estimated Reading Time: 14 min

Newsletter – Feb 2023

Welcome Grasshopper! Your Training Continues...

Welcome to the first monthly Ninja Training. This month we opted for an information-packed newsletter with something for everyone.

Google Dorks & Tips of the Month

1. Google queries are not case sensitive.

2. Using an * will represent a singleword, and is pointless at the beginning or end of a search string.

3. Using a period, will represent a singlecharacter in a search string.

4. Google’s spell checker automatically uses the most common spelling of a given word, whether or not you spell it correctly. If the word you want to search for is deliberately spelled wrong, put it in quotes “burthday boyz”. This is handy if you notice someone has their own nuances and phrasing, and you are trying to see if they may have posts on a different site but you don’t know the site.

5. Want to see if you can find a username on different sites? Try this: username*com

6. If you suspect someone is on a site, but you don’t know their username, rather you know phrasing or language they use, you can always try site:site.com “burthday boyz”.

Tiny Ninjas: Roblox & Scary Things

Divine Intel sponsors a 4th grade classroom. One of the goals is to create a safe space for children to express their feelings and share their experiences regarding technology, while at the same time developing reading, writing, spelling, and speaking skills. Our Tiny Ninjas are valuable sources of intelligence. If we make the time to talk with them and create a safe space for them to share ‘the scary’ things they experience, we can glean valuable information.

This month we asked the children: “Describe something that really scared you when you were doing something online. Maybe there was a person who contacted you? A video you saw? Something you read? A meme?

Not only did we get some very disturbing stories, the exercise also revealed things we as adults take for granted such as knowing how to block a number, assuming a kid-focused platform actually applies parental settings. We forget (or don’t know) to tell a service provider to lock down a child’s phone line or sit with the child when configuring it the first time. We give children devices, but we don’t teach them how to stay safe when using them.

Another revealing data point from this exercise is the “new” favorite platform Roblox. After reviewing their platform’s documentation we find a disturbing paradigm. The platform is designed for and targeted at children, yet the security, privacy, and content management practices are designed for adults (open-fist approach) despite what the documentation says. What we discovered was everything is open and must then be locked down, rather than being locked down first and then requiring proof of age to unlock settings (closed-fist approach.) So we performed an experiment…

Roblox: Not so Locked

Child: My account was hacked!
Parent: Pfft! Nobody wants to hack your account!

We created an account, for Matthew who is 10 years, 1 month and 7 days old.

During the account creation, which had a “real name” along with the birth date as part of the user name we found that if you put any consecutive 7-digit number either before or after the name, it would flag as ‘possible’ real information.

Although Matthew at age 10 has the option of turning on multi-factor authentication later, he is allowed to make an extremely weak password, that is easily crack-able. While Matthew was not allowed to use “password”when he added the 0 to the end, it passed validation.

So it stands to reason a child claiming his or her account was hacked is a reasonable claim if the site, such as Roblox, does not enforce strong password policies or multi-factor authentication (which almost forces parental participation).

HINT: Parent’s teach kids to use a passphrase instead of a password.

Here we see the Roblox platform does allow for a passphrase instead of a password to be set.

Despite the Roblox Privacy and Cookie Policy documentation being clear in paragraph 4 (which I’m sure every 10-year old read) “You must not create a username that includes your real name or other Personal Information. It is also important to create a password that is not easy to guess. You may share your password with your parent(s) or legal guardian, but never share it with anyone else, not even your friends“, it does little to prevent the use of a weak password, enforce a hard-to-guess password, suggest the use of passphrases, or detect weak passwords, which from a programming perspective is simple to do.

When is the last time you read the Privacy and Cookie Policy of a site your child frequents?

But the Policy Says...

In their Privacy and Cookies Policy, paragraph 10 Children’s and Parental Controls it states “When you register an account with Roblox, we make sure your account is set to a restrictive mode, which means that you won’t have access to certain features, such as social media links, if you are not 13 or over and your text filtering will be restricted.

This made us ask - how restrictive are the other settings?

Well, not very restrictive at all by default as we discovered.

Certain account restrictions were not turned on for Matthew, which again is a male child 10 years, 1 month, and 7 days old.

Communication was set to Default which allowed chatting with Friends. This seemed logical, however I was able to change that setting without needing parental approval. Granted the chat filtering was set to Maximum according to the policy and I was not able to change it, but hold on, this gets better…

While only Friends can message and chat with my account in the app, EVERYONE can chat with me in an “experience.” Despite searching the Definitions (section 2 of the policy), a definition for an “experience” could not be found.

Whatever it is, all a predator has to do is reach the child through an “experience” and be added as a friend. Another alarming setting was that this new friend has the ability to make my account a member of their private server. Aside of the everyday genius under 13-year old, I don’t know many children in my 10-year-old age group that would begin to know how to even stand up and run a private (gaming) server, so I’m still a little baffled as to why this is enabled by default.

As a 10-year-old, I’m also allowed to follow people without making them my friend, and if I do that, then they can join me in an “experience.” Are you beginning to see the problem? Last but not least, the one setting that creates a socially-acceptable vector for a anyone to reach a child in Roblox, and is reason to have a discussion on the platform with a complete stranger is “Who can see my Inventory.” As this platform promotes sharing and community, this is the perfect way for a stranger to create rapport with a child. Although the default setting is Friends, as a 10-year-old, I’m allowed to change this setting, without parental approval, to Everyone; Friends, users I follow, and my followers; Friends and users I follow; Friends; and No One.

And just as we were wrapping up our quick scan, we noticed a setting that creates a socially-acceptable vector for a anyone to reach out to a child in Roblox, and is a “logical reason” for a child to have a discussion on the platform with a complete stranger. That setting is “Who can see my Inventory.” As this platform promotes sharing and community, this is the perfect way for a stranger to create rapport with a child, and be added as a friend. Although the default setting is Friends, as a 10-year-old, I’m allowed to change this setting, without parental approval, to Everyone.

Before we closed out, we decided to take a look at one final setting, and noticed something disturbing. The platform clearly determined (top right corner) that I was under 13, but the “Allowed Experiences” default setting was set to the highest age group, and could be changed without parental approval, and the platform allows a 10-year-old to decide if the parental PIN must be turned on.

Tiny Ninjas Share Scary Things

Here we share a random selection from the kids to help our readers find ways to relate to kids, and have a better idea of things they are facing. Surprisingly, many of the children admitted to not telling their parents or being too afraid to say something.

Jordan Age 10

While playing a private game reports someone accessing his account, taking his information, and then cursing at him.

Abe Age 10

Says random people sent him “a bunch of girls in one room”, but they weren’t wearing any clothes. He received these as text messages. His mom was taking a nap so he told his brother who shared that he had received the same texts. He also reports that he keeps getting the picture repeatedly despite ‘deleting’ the number.

Madison Age 9

Was playing a game when someone started putting other people’s addresses in the game chat, and when she tried to leave she was bullied.

Case Law Trivia

True or False

Accessing an online forum on which criminal conduct related to computer crime is conducted (e.g. a “Dark Web” site selling zero-day exploits) is likely to constitute a federal crime under the Computer Fraud and Abuse Act (18 U.S.C. §1030) (CFAA), even if the forum is accessed using legitimate credentials provided by the operator of forum.

False. According to the Cybersecurity Unit of the U.S. Department of Justice, Computer Crime & Intellectual Property Section Criminal Division, merely accessing and passively gathering information from an online forum, even one on which criminal conduct related to computer crime is conducted, is unlikely to constitute a federal crime, particularly when done for the purposes of collecting cyber threat intelligence to prepare for or respond to cyber incidents. Additionally,posing as a fictitious person or using a pseudonym to gain entry to and communicate on the forums, by itself, does not violate federal criminal law, so long as that conduct is not a means of committing fraud or other crimes and access is gained in an authorized manner.

Source: Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources – Version 1.0 (February 2020) https://www.justice.gov/criminal-ccips/page/file/1252341/download (accessed 20 January 2023)

Health and Wellness

Sleep, that elusive commodity!

Part 1 of 2

We’ve all heard we need good healthy sleep.

And yet, most of us struggle to get enough or experience quality sleep. We are too busy and stressed trying to get all things done. So, we push through, telling ourselves “I’ll get more sleep tomorrow or when the kids are older or just one more thing/show/post before I go to bed”. Is it just one more thing?

And at what price are we paying for cheating sleep?

This is a 2-part series where we will explore what is “healthy” sleep, what are the factors preventing quality sleep and most importantly, tools and tips to help you sleep like a baby.

Our bodies operate on many interconnected rhythms. The circadian rhythm is a series of 4-5 phases within 90-minute cycles. Ideally 7-9 hours duration. Various hormones and chemicals influence these phases.

Sleep is the time when your body can process and detoxify toxins; rebuild and repair the damage of the day and essentially create a clean slate for your next day. The liver degrades toxins and releases unwanted compounds through the kidney at 3-4 am. The brain has its own cleanup process through its lymphatic system called the glymphatic. When there is less sleep or interrupted sleep, the brain cannot remove the trash. The next day you may experience brain fog or decreased memory/cognition. Your emotional center (Amygdala) is set on fight or flight. This triggers a cascade of other body immune-inflammatory responses.

Research has proven a link or association between decreased healthy sleep and cardiovascular disorders, metabolic resistance (weight gain, diabetes) and cognitive decline (Dementia and Alzheimer’s). Brain cells begin to die and their connection to other cells decrease 20 years before symptoms. Meanwhile, our bodies become more inflamed and diseased as all other hormones and systems breakdown. This sets the body on a fight or flight pattern, releasing more cortisol and preventing Melatonin release. Ultimately this either makes it harder to fall asleep or stay asleep.

What prevents you from experiencing that refreshing sleep?

There are 9 major contributing factors:

In this first part of the series, we will focus on tools and tips for the first 3 factors. Most people have heard the phrase you are what you eat. “Ultra-Processed foods” have chemical preservatives, coloring, and toxic flavorings. Remember MSG? it is now “natural flavoring”. These UPF foods have been shown to Inflame the gut, the body, and the brain. A brain on fire cannot relax and release the proper neurotransmitters to allow deep sleep. Ultra-processed foods are what Americans commonly eat: sugars, trans fats or heated oils in processing, French fries, fried foods, soft drinks, chips, cereal, chicken nuggets and any fast food, hot dogs etc…..

What you drink and when can also influence your sleep cycle.

Caffeine in any form is typically processed and denatured 8-10 hours after ingestion. Then there is Alcohol in any form. The sugars and fats anesthetize the brain and trigger a dopamine response helping us to feel better. When alcohol breaks down it triggers the brain to wake up, usually in the middle of the night. If You happen to be a “slow liver detoxifier” than it can take longer for caffeine and shorter for alcohol to denature and shifts stimulation/ somnolence on the brain. Coffee in the morning and limited alcohol in the evening.

Whole unprocessed foods easily break down into essential vitamins and minerals, which the body needs to remove toxins, repair damaged tissues, and create hormones and neurotransmitters thereby improving your sleep.

For better sleep, try modifying your eating habits to consume proteins and vegetables for your meals and snacking on fruits and vegetables. And 10-12 glasses of water.

Melatonin is our natural sleep inducer. Our entire body makes this neurotransmitter, with the gut creating the majority of it. When there is darkness (sundown), Melatonin is released. Our internal wake up alarm clock is cortisol (sunrise). To maintain our body’s sleep rhythm, we need high melatonin levels to fall sleep and high cortisol levels to wake up. When our eyes receive electronic light, it inhibits the release of melatonin. If whatever we are watching or electronically reading stimulates the brain, the cortisol level (fight- flight) elevates and inhibits falling or staying asleep. Blue- green eyeglasses do decrease light stimulation, but not completely. If you sleep with a nightlight or any electronic power light, this also may influence your ability to obtain sound sleep. And then there is EMF waves. Wi-Fi signals pass through the house and your neighbor’s house. None of us can eliminate all these influences, however, you can make some changes. Try to sit in a darkened room if you are watching tv or switch reading with a light on a paperback book or even listening to relaxing / meditative music.

Body aches and pains can cause restless sleep trying to get comfortable. Pain also triggers a fight-flight response increasing the cortisol level. Thus, placing you in a light sleep or wake up and not fall back asleep. Calming the muscles in a 10-minute bath of Epson salt and then doing some stretches will allow you to wake up with less stiffness after having a sound sleep.

Try this nighttime routine for sound sleep:

  • Have your last meal 2-3 hours before bedtime
  • Be in a darkened room 1 hour before sleep
Before continuing with the following, please first consult your doctor if you have any physical or low blood pressure issues.

  • Try an Epson salt bath for 10 minutes followed by floor/ bed stretches
  • Bedtime stretch routine:
    • Lay on your back with knees gently pulled toward your chest, slowly rock side to side x3 each side
    • Roll onto 1 side- fetal position and hold for about 1 minute
    • Roll onto all 4 limbs, slowly arch your back & then release (cat-cow) x 3
    • Lower yourself down over your thighs. Stretch out your arms onto the floor over your head (child pose)
    • Hold child pose for 1-2 minutes. Relaxing your body with your chest outstretched forward of your thighs
    • Roll onto your back, knees to chest for count of 20 then release 1 leg down straight at a time
    • Raise both legs up on a wall or headboard. Let the wall support your legs
    • Outstretch your arms with palms upward while your legs are on the wall for 1 minute
    • Bring the legs down together and bend toward your chest, rock side to side x 3
    • Roll onto your side and use your arms to push up to sitting
    • Get up go to bed and sleep like a baby

Sleep the elusive Commodity: Part 2 continues next newsletter