OTAN. Outreach and Technical Assistance Network.

Hello, everyone. I'm Melinda Holt with the Outreach and Technical Assistance Network, OTAN. We'd like to welcome you all for joining us for this month's OTAN Tech Talk, Digital Safety for Students and Teachers. Our guest speaker today is Susan Gaer. She is Professor Emeritus at Santa Ana College, President for CATESOL, and an OTAN subject matter expert. Take it away, Susan.

Hi. My name is Susan Gaer, and today, I'm presenting an OTT on digital safety for teachers and students. Understanding digital safety is very important in the era of the internet. I hope that you will take the ideas presented here and use them to help your students as well as yourself to use the internet more safely.

So just a little bit about me. I have a lot of certifications. I write curriculum. I've written textbooks. And I'm currently, which I'm very proud of, President of CATESOL.

So today's objectives, I have six of them. Number one, understand the difference between malwares, such as fishing, pharming, and smishing. Number two, learn why it's important to have a web presence. Number three, learn how to craft a good web presence. Number four, discuss the vulnerabilities of Wi-Fi and how to avoid them. Number five, discuss password management systems. And number six, understand your security settings and how to stay safe.

All right. So here's an example of malware. I actually-- this is-- I received this email. It's from the Red Cross. And it has a nice URL, redcross.org, which I checked is-- it's a correct URL. And it said-- it asked me to click on a link to access my certificate. Now, at first, I said to my inner self, oh, I got a certificate certifying me for first aid and CPR. But wait, I never took that class. So I will not click on the link. This is me talking to my inner self.

This is an example of phishing. Just like phishing with an f, you put bait on a hook and hope the receiver bites. I didn't bite this time. But it's easy to think. I mean, like, wow, I got a certificate, but then I had to think, no, I didn't take the class. So no, I shouldn't have a certificate.

So in order for you to understand how to defend yourself, you need to understand what a URL is and how it's made up. So I have divided this URL into all kinds of things for you. So we have the red. The first part in red is called the protocol. This is very familiar to you. I think you've seen this a lot, but you want to make sure that you're always using the HTTPS. S stands for secure. HTTP without the S is OK as long as you're not giving any personal information, like if you're just browsing a web page or reading something, HTTP is fine. But if you're giving any information about yourself, you really want to make sure the S is there.

So that's the protocol. Now the next section in green is-- the whole green thing is called the resource name, and it includes different things. It has the domain name, which in this case is my name. It's my website, susangaer. And the top-level domain, here it is .com You might see .tv, .us, .org, those are all different top-level domain names.

And then we have the sub-domain. Now Melinda and I had a little discussion about this. www isn't actually a sub-domain, but you may have seen calendar.google.com, mail.google.com, blog.google.com. That's what a sub-domain means. It kind of tells you where you're going on that website. So the other common sub-domains are mail, calendar, blog, et cetera.

The last section in blue is the file path. And you need to think of this as your file or your folder on your computer. And that's what that last section is. So we have the protocol, the resource name, and the file path. And with this understanding, you can look at URLs that come to your email and decide whether it's valid or spam. And this is a really good graphic to work with your students because, definitely, they need to understand this, the way a URL is set up.

All right. So let's move on now. So this is another email that came to me, and it looks just like my PayPal account. And this is an example of pharming. I was asked to log into my PayPal to update my password. As a visual, it looks exactly like my real PayPal login page. However, had I done this, I would have given someone the ability to access my PayPal account. I had to look at the URL. The domain is alert.confirmation-manager instead of PayPal. And it's associated with the UK, because under there, it's underscore UK. It is not the PayPal URL. Knowing how a URL is set up saved me this time.

In this case, it's even more misleading because the visual is correct and it causes many people not to investigate the URL. Apple does this-- I mean, it comes-- people do it from Apple, they make a perfect Apple page, they make a perfect Google page, and you see the visual and you connect with it and you don't think to look at the URL. And since we are teaching our students with visuals and getting students to understand how to connect to visuals, it's really important to help your students understand the structure of the URL so they are not a victim of pharming.

All right. Next. So here is a-- you might also get something like this. Look at the email on the left-hand side. Maybe you've already seen this, where you get someone has used your password, you better change it. This is an example of phishing. It looks like it's from Google. But Google, Apple, nobody who's legit will ever ask you to change your password by clicking on a link. And I might do a memorization drill with my students on this. They will never ask you to change your password by clicking on a link. So if they ever see something that says click on this link to change your password, it's never going to be right.

On the right side is a similar email supposedly from Apple. But after a quick analysis of the URL, you can see that this is from ngrok.io and not Apple. Again, this will have given this user or users access to all my Apple information. Never click on a link supplied by email that requires your password login.

So browsers use different ways of showing you what's safe and not safe. And it's always using this red light format, and I like this because this is something students can identify with. So if it's red, of course, it's not good. Something's wrong. But as you can see, we have the Chrome browser here, they have a little lock and they have verified, right? And then the Firefox, going from the bottom up, the Firefox has a verified company as green. I think this is Edge verified company and a green lock. And then I think this is-- I don't know which one. These are different ones, different explorers, that have changed. And then the Safari, which has a little lock and no verified.

So you just need to know how the different browsers indicate that a website is trusted and verified. All of them use the lock icon, and some say verified, and some are verified and green.

OK. So now we're going to talk about smishing. This as an example of smishing. I know you, as a teacher, would never click on a link like this. But your students might. So it's really worth reminding your students that they have never won any money. Just use this graphic to explain it to them by asking your students if they have ever received anything like this before, because the students don't understand that this is not valid.

All right. So now I'm going to talk to you about Wi-Fi. Free Wi-Fi is free, but unfortunately, it isn't also a very open Wi-Fi. Never type in your passwords or fill out a form on a free Wi-Fi hotspot. This includes Starbucks, airports, hotels, et cetera. Anywhere there is this unsecure free Wi-Fi, anyone can hack into your system. It is very easy to do. You don't need to be a techie to know how to do this. I know that this has happened to me at Starbucks many times. So now I no longer log on in Starbucks. I log on in my personal Wi-Fi, and then I hook up to the free Starbucks Wi-Fi after logging in.

So besides that, I'm sure you've seen at the airport, if you take a look at the picture sort of like-- I don't know if you can see my mouse, but with the big red Xs, you've seen those hot spots with a USB charger that you can just plug into a USB port. I would suggest not using those. I actually have bought myself with a green check box a little USB charger port with a plug. Plugs are safe. USB ports are not safe.

So if your phone and computer are logged into a USB port and they're on, anybody in the airport can log into your computer. So it's best to use the one with the red X. It's best to use those with your phone and computer off. If you need to charge them, just keep your phone and computer off. If you want to keep your phone and computer on, please buy one of these charging stations that has an electrical plug. And it's like the picture with a green check mark.

So I've probably scared you a little bit. And so you're probably thinking, isn't it better just to have no web presence at all? The answer is no. If you have no web presence, you are still online. Even if you never go on Facebook, never go on the internet, your information is still online. Much of your information, such as your name, address, phone number, and income are all public information.

So think about this, think about it as a book. If you have nothing on the cover, all your personal information inside your book is available for people to see. The more cover you have, the less people will find out the stuff you don't want them to know. So if you have nothing on the web, these are the only things that people will see about you. They'll see your salary. They'll see your address. They'll see your phone number. When a hacker finds out that someone has no presence, they equate that with no digital literacy and they target you.

This is what happened during the elections for 2016. People on Facebook who had profiles that showed they were politically indifferent were targeted with ads to persuade them to vote in a certain way. So I just want to tell you, it's really dangerous not to have a web presence. So now I'm going to teach you how to make a web presence that will be positive for you.

So let me just take a look at this for your students. I hope that you can see this well. This is infographic I made about employers and social media. And remember, our students need jobs. And if you look at this infographic from 2017, you'll see that 50% of employers would be unlikely to interview someone that has no social media profile. So that means employers want you to have a social media profile. In addition, this survey was also done in 2006, and at that time, only 11% of employees screen candidates with social media. In 2017, it is up to 70%. I wonder what that is now three years later. It's probably close to 90%.

These are real-world statistics on what employers are using for hiring. In this day and age, a social media presence is necessary. So as much as you want people to stay away from Facebook and LinkedIn and Twitter, these are the things that employers are looking to screen students or screen employees.

So what I suggest in order to find out what your web presence is, you need to Google yourself. Before you do this, though-- don't do it now, you need to do it right-- you will need to make sure you are browsing yourself privately. When you just go onto your internet browser and you type in Google and you put your name, you're browsing yourself logged in to Chrome. You need to do it privately.

So every browser has a different way to do it. So if you're on Chrome, you go incognito. If you're on Firefox, you go private. If you're on Safari, you do a new private window. If you're on Edge, you do a new in private window. And I really think you need to do this and Google yourself. If your name is not unique, you will see people who are online more than you. You'll just see all kinds of other people, not yourself. The more you are online, the more you will show up. Google changes its results every three weeks. So if you start online today, you'll see yourself show up in three weeks. So you really need to Google yourself, see what you get. If you only see your salary or your address, that means you have no presence online and you need to start developing one.

So if you don't really enjoy social media and you just need to have a simple web presence, you can go to-- there's a place called about.me. Let me see if I can take us there so you can see this. Yes.

So this is a place called About Me, and you can get just a simple web page here. It's free. And you can have a contact page, an appointment page, or just like some students have a download my paper page. But this is a good place to start where you just start getting an About Me presence.

OK. So I suggest doing this, and this is one that I made just to show you. Here's my picture. Here's my name. Here's my-- where I am. If you click on the button Hire Me, you'll see my resume, and it just tells a little bit about me. That's a good place to start. If you have nothing else, have this with your real photo. And you need to use your real photo to professionalize it. So I suggest using a real photo with your name and information that you want people to know about you.

And by picking a picture that you kind of keep consistent, you're branding yourself by choosing a cover image that fit yourself. So here's a website I did on Wix. Let me take you there. This is also an About Me website, another type that you can do a little bit more complicated than the last one. So in this website, I have my home page. I have my About Me page. It tells you about me. Then I have my Skills page, shows my skills.

And why I'm doing it this way is because when you're on a telephone, you don't want to have different pages. You just want to have one page that has links. So here's my education. And it's just very simple, a little bit more complicated. Here's my project success. Here's my contact information, my email, my phone number, which I don't mind people having. You may not want to put your phone number up there, and then links to my Twitter, Facebook, Google Plus, which is no longer around, and LinkedIn.

So that's another type of simple page that you can use is a little bit more complicated with a little bit more information, also free using Wix. You can decide whether you want to put your email and phone number up there or not. And it really helps you. This kind of website will really help you carve a web presence, which then three weeks will show up with Google.

All right. So now I'm going to tell you to be aware. I don't want to scare you, but I need you to know things that have happened. And this is a story that happened to me and Branca Marceta. We call ourselves techies, and this happened to us. So this is why I'm sharing with you. You have to be very careful when using Google. This is a story that happened to Branca Marceta and myself.

I had logged on to Branca's computer at an OTAN event to do a presentation. I then logged off. But unbeknown to either Branca or myself, we had merged our passwords. We still to this day don't know how we did it, but it did happen. And you see that on the-- you can't see the passwords because we've hidden them all when we took the screenshot. But if you were to click on the eyes, you would actually be able to see all of the passwords. I could see all of Branca's passwords. She could see all of my passwords. So this was very scary.

So I'm going to show you how to make sure this doesn't happen, and in turn, I hope you will teach your students how not to make this happen. Remember, if it happened to Branca and myself, we call ourselves techies, it can easily happen to you and your students. So let's start looking at how to be safe from that.

OK. So the first thing you want to know about is to go to passwords.google.com. This will take you to this password manager, and you'll see there's a little gear icon right there where the arrow is. You'll want to click on that gear icon. And then you'll come to this page here. And you want to make sure that your offer-- it says offer to save passwords, turn it off. And turn off auto sign in because these are the things where they'll save your passwords and your user names, and that's possible to merge. So you just want to turn them all off.

OK. So these steps apply only to Firefox for Windows, Linux, which probably none of you are working-- using, and the Mac OS X. You want to make sure in Firefox that you go to the-- in Firefox, select the menu button located at the upper right corner of the window and then choose Options. Then you have to select Security on the left pane. Select the Save Logins, and select the website you wish to remove in the list. So anything that you have saved as a login, you need to remove it from Firefox. And you need to check it using these steps right here.

So step one in Firefox, select the menu button located at the upper right corner of the window. Then choose Options. Two, select Security on the left pane. Step three, select the Saved Logins. Step four, select the website you wish to remove in the list. And don't worry because the original link that I sent you has this PowerPoint presentation, so you can go through it to follow all the instructions.

Safari is a little bit different, so I have a special slide for it. In Safari, you can do this with your iPhone and your iPad as well. You want to select Settings and then go to Safari. And there, click on Passwords. Number two, make sure they're locked. And number three, on the iPhone and iPad, click on Settings, Passwords, and Accounts, and turn off Autofill Passwords. You have to physically do this on your phone.

So I know we're teachers and we get on a lot of computers during our day, and so this is just a little tip for you so that you can get-- in case you have signed on to your Google account more than one time and more than one computer during your teaching day, if you just go to the bottom of your email, you go into mail.google.com, sign into your email account, go down to the very bottom, you'll see the little word, Details. You click on Details on the bottom of your computer. Then you'll see this wacky screen.

And so, actually, number one here is just showing you all the places you are logged on and what time you are logged on and all the different places. Number two is where you click to sign out of all your other web sessions. This is going to sign you out of every computer you are on every day. I would suggest that you do this daily so that you make sure you log off of computers. And number three, you'll get this note saying that you successfully signed out of all other sessions, and then you're good to go. However, the computer you're on that you signed out on, you're still signed in there, so you do need to sign out of that computer. Hopefully, that makes sense.

You will also want to check your security checkup point. It's always good to check your security settings on myaccount.google.com, myaccount.google.com. On this slide, you can see that I have a security issue. It has an exclamation-- security issues found, and there's an exclamation point there. I can click on the link and see what the security issue is to fix it. In this case, I had just sold my old MacBook Air, and it asked me if I wanted to sign out of the device because I was still signed in. So I agreed immediately. So you want to make sure that you have this-- there is no security issues found.

OK. We're going to go a few minutes over. I hope that's OK because I really need to talk to you about this. This is really important. It's called 2-step authentication. And 2-step authentication, or 2FA as it's commonly abbreviated, adds an extra step to your basic login procedure. Without 2FA, you enter in your username and password, and you're done. This is called single factor of authentication.

So how old is 2-step authentication? Well, it's been around probably longer than we have. No, not really, just kidding. Some examples from the past. Using your credit card and then showing your ID. Your ID is your second step. Using your credit card and knowing the zip code assigned to it. When we used to go to Costco, I don't think it's true anymore, we had to put in our zip code before we got gas. And writing a check and showing IDs. These are all cases of 2-step authentication. So we need to do this for ourselves on the internet. And it's kind of not easy to do. It's a bit annoying.

So, usually, it will ask you-- there are three different ways. If you're on Microsoft, you click on that link. If you're on Apple, you click on that link. And here's the instructions for Yahoo. But, basically, it adds a second layer of validation, minimizing security breaches. Usually, it requires your user name, password, and then a text message to your phone with a code that you put in to prove that it is you. It is kind of annoying because if you don't have your phone, you won't be able to log in. But at least this way, you'll be safe and sure if somebody got your password, they won't be able to log into your account, unless they have your phone number-- they have your phone and they have your code for your phone, then you're in trouble. It's not perfect, but it will help you stay safer.

So you can go ahead and use-- if you have Apple products, you can click on this link here for Apple. If you're on a PC, you click on Microsoft Authenticator. And if you're on Yahoo, you follow the three steps that are there.

You want to change your passwords often. And you can look at this, at myaccount.google.com/security. You'll notice that I last changed it at 11:23 AM today. That's great. You should change your password at least monthly so that it's impossible for someone to track you down even with 2-step authentication. And you'll see that my 2-step verification, which is 2-step authentication, is on.

And we don't have a lot of time. So I'm going to just tell you, this is the-- Facebook is kind of hard. You have to go through a bunch of settings to get 2-step on-- for your Facebook account. But, really, I would go back to the slide and follow these instructions. I have two slides on the instructions because it's a little complicated. Facebook doesn't make it easy. But I hope that you'll follow these instructions to the key and get your 2-step on Facebook because Facebook is something that's easy to hack into.

So how to make a password safe. It has to be at least eight characters long. It must not contain easily guessed information, such as your birth date, phone number, spouse's name, pet's name, kid's name, log on name, et cetera, et cetera. It shouldn't contain words found in the dictionary. That's hard. And it should contain special characters, such as those that are up there and numbers, the @ sign, the # sign, the $ sign, the % sign. And it should also use a variation of upper and lower case letters. So this is something you can actually teach your students have to do. And it also-- even at the lowest levels of ESL, you can do it because uppercase and lowercase, these are things students really need to know in the world we live in right now.

So people have asked me about LastPass and other programs. So I just-- I put a link here for password managers for 2020, you can go through the link in this and read all the different managing programs there are and the prices. It's not flawless, though. I want you to understand that even LastPass can be broken into.

You can keep-- your brain is the best place for your password. So if you can figure out a system like tell a story unique to you-- Fido8mywolsox! Play around with vowels-- IL0v3sch00l. Reverse words. If you look backwards, this is my name, Susan Gaer. Add spaces or underscore, or you can use a password manager. But remember, they are not as flawless as your brain if your brain is good.

So I think that's all I have to share with you today. So thank you very much for being here.

Thanks, Susan. That was a lot of good information. OTAN would also like to thank the audience for joining this OTAN tech talk. Remember, if you would like to present a tool or have some tips to share with your colleagues in adult education, submit your idea at bit.ly/OTTsignup.

We'd also like to encourage everyone to subscribe to the OTAN YouTube channel where archived OTAN tech talks as well as other OTAN videos can be found. All of this information and more is available on the OTAN website at www.otan.us. We hope to see you all in future OTAN tech talks.