STE WILLIAMS

Report fingers China for assault on Australian weather supercomputer

The Australian Broadcasting Corporation (ABC) reports that China has been fingered as the source for a very substantial attack on a supercomputer operated by Australia’s Bureau of Meteorology (BoM).

The BoM is an analog of the UK’s Met Office and the USA’s National Weather Service. Like those agencies, the BoM provides weather data to all sorts of customers, including defence operations.

The ABC’s suggesting that a breach of the BoM is therefore a threat to the nation’s security. The Register is properly paranoid, so believes this may be the case, but not because the supercomputer in question sometimes sends some weather feeds to defence agencies. That the super is used for modelling the nation’s climate suggests an economic motive: if an attacker knows what data sets the BoM is crunching, and why, it could prove useful in all sorts of ways.

Vulture South’s team have placed a few calls to folks we know who often know about this kind of thing. One well-placed source told us remote code execution took place at the BoM. Other sources who are often willing to offer background commentary on such matters have said they are unwilling to do so, off or on the record, regarding this incident. Which is interesting in and of itself.

If more substantial information, or commentary, comes to light we’ll be sure to bring it to you.

The allegations come after China and the USA promised not to hack each other. Australia, like the USA, is a member of the five eyes intelligence-sharing alliance. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/02/report_fingers_china_for_assault_on_australian_weather_supercomputer/

Cisco plugs WebEx for Android bug

If you work for the kind of company that imposes the WebEx experience even on mobile users, it’s update time.

A bug rated medium severity by Cisco has emerged, in which a malicious Android app could borrow the permissions held by WebEx Meetings for Android.

Unfortunately, those permissions are quite extensive (app developers just can’t resist the temptation to “ask for everything,” can they?).

WebEx Meetings for Android asks for access to:

Usually, to get that kind of access, a malware-writer would have to trick users into clicking “okay” on an excessive set of permissions (which all too many people would do anyhow). The WebEx slip, it seems to Vulture South, bypasses the “present a button for someone to click” stage.

Cisco claims more than five million installs for the app on its Google Play page.

The bug, according to the Cisco announcement, is “due to the way custom application permissions are assigned at initialisation.”

It applies to all versions of WebEx Meetings for Android prior to 8.5.1. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/02/cisco_plugs_webex_for_android_bug/

Entropy drought hits Raspberry Pi harvests, weakens SSH security

Raspberry Pis running Raspbian – a flavor of Debian GNU/Linux tuned for the credit-card-sized computers – apparently generate weak SSH host keys.

This gives man-in-the-middle attackers a sporting chance of decrypting people’s secure connections.

The November 2015 release of Raspbian does not use a hardware random number generator by default, according to a bug report posted to the Pi forums. Ideally, this generator should pour unpredictable numbers into a so-called entropy pool from which cryptographically secure numbers can be obtained – but this doesn’t happen, and so the operating system’s algorithms end up producing rather predictable “random” numbers.

Crypto keys crafted from this predictable sequence during the machine’s first boot-up can be recreated by eavesdroppers. An attacker holding a copy of the host’s private key can sit between client and server, impersonate the server during the SSH handshake, and read the session in the clear, capturing login passwords and watching terminals. (SSH’s Diffie-Hellman exchange means a merely recorded session cannot be decrypted after the fact; the attacker has to be in the path while the connection is made.)

If the hardware generator was seeding the pool in the first place, the generated keys would be vastly more secure. Here’s what the bug reporter had to say:

Raspbian (2015-11-21-raspbian-jessie.zip SHA1: ce1654f4b0492b3bcc93b233f431539b3df2f813) doesn’t enable the hardware random number generator by default. This causes generation of predictable SSH host keys on the first boot. As soon as the system starts up, systemd-random-seed tries to seed /dev/urandom, but /var/lib/systemd/random-seed is missing, because it hasn’t been created yet. /etc/rc2.d/S01regenerate_ssh_host_keys is executed, but the /dev/urandom pool doesn’t have that much entropy at this point and predictable SSH host keys will be created.

The issue is due to be fixed in the next Raspbian image release, we’re told, and users should ensure they upgrade when that’s available. In the meantime, people worried about the security of their SSH servers should regenerate their host keys after seeding /dev/urandom with the hardware random number generator in the Pi’s system-on-chip processor.
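To make the failure mode concrete, here is an added example in Python; it is not Raspbian’s, OpenSSH’s or the forum post’s code. Key generation is modelled as a hash of the pool state, a toy stand-in for ssh-keygen rather than a real key algorithm, and the label string, the 16 bits of “boot jitter” and the function names are assumptions. What it shows is the arithmetic of the attack: when the only unpredictable input to /dev/urandom at first boot is a handful of timing bits, anyone who sees the host key’s fingerprint can enumerate every possible pool state and recover the private half; once the pool is fed from a hardware RNG, the same search finds nothing.

```python
import hashlib
import os
from typing import Optional, Tuple

# Added example, not Raspbian's or OpenSSH's code: a toy model of why a host key
# generated from an unseeded pool can be recreated. "Key generation" here is a
# hash chain, not RSA/ECDSA; the attacker's search cost is set purely by how many
# bits of real entropy the pool held when the key was made.

KEYGEN_LABEL = b"toy-ssh-host-key"   # assumed domain-separation label


def generate_host_key(seed: bytes) -> Tuple[bytes, str]:
    """Deterministically derive a toy (private key, fingerprint) pair from the pool state.

    Real ssh-keygen reads /dev/urandom; if urandom's only input so far is a few
    bits of boot-time jitter, `seed` is all an attacker has to guess.
    """
    private = hashlib.sha256(KEYGEN_LABEL + seed).digest()
    # The public half (its fingerprint) is shown to every client in the handshake.
    fingerprint = hashlib.sha256(b"pub" + private).hexdigest()
    return private, fingerprint


def weak_first_boot_seed(jitter_bits: int, jitter_value: int) -> bytes:
    """Model an unseeded pool: the only unpredictable input is `jitter_bits` of timing.

    `jitter_value` stands in for whatever the kernel happened to mix in before
    regenerate_ssh_host_keys ran. The attacker does not know it, but knows its range.
    """
    if not 0 <= jitter_value < (1 << jitter_bits):
        raise ValueError("jitter_value outside the modelled entropy range")
    return jitter_value.to_bytes((jitter_bits + 7) // 8, "big")


def hwrng_seeded_pool(nbytes: int = 32) -> bytes:
    """Model a pool fed by the SoC hardware RNG: 256 bits from the OS CSPRNG."""
    return os.urandom(nbytes)


def recover_private_key(fingerprint: str, max_jitter_bits: int) -> Optional[bytes]:
    """Attacker's side: enumerate every pool state a weak first boot could have had.

    Returns the private key if the observed fingerprint came from a seed inside the
    modelled 2**max_jitter_bits space, otherwise None.
    """
    nbytes = (max_jitter_bits + 7) // 8
    for candidate in range(1 << max_jitter_bits):
        private, fp = generate_host_key(candidate.to_bytes(nbytes, "big"))
        if fp == fingerprint:
            return private
    return None


if __name__ == "__main__":
    # First boot with ~16 bits of jitter (0x1234 is a constructed sample value).
    weak_private, weak_fp = generate_host_key(weak_first_boot_seed(16, 0x1234))
    print("weak boot recovered:", recover_private_key(weak_fp, 16) == weak_private)

    # First boot with the hardware RNG feeding the pool: 2**16 guesses find nothing.
    _, strong_fp = generate_host_key(hwrng_seeded_pool())
    print("hwrng boot recovered:", recover_private_key(strong_fp, 16) is not None)
```

Real host keys are RSA or ECDSA rather than a hash, but the search space is governed by the same quantity: the entropy actually present when ssh-keygen read /dev/urandom, not the key length. A 2048-bit key made from 16 bits of pool state is a 16-bit secret.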

The commands to do that, and a hotfix patch to address the issue, are given in the aforementioned forum post.

“This is something that’s easily fixed but then relies on Raspberry Pi users to be aware and update their systems,” said Patrick Hilt, CTO of two-factor authentication biz MIRACL (previously known as CertiVox). “If they don’t, it creates a potential weak spot.”

As one person on the message board notes, this issue is not specific to the Raspberry Pi, nor Raspbian; it’s just that systems like the Pi are more susceptible. Many Linux distributions stockpile random seed data during installation, and then use that to prime the pool during first boot-up, but Raspbian doesn’t work that way – it starts up ready to go straight from the SD card, and thus suffers from low entropy.

As Hilt explained it to us, by the time most Linux systems have finished downloading packages and spinning disks during the install process, they’ve built up enough entropy – enough random numbers from all that noise – to generate secure keys.

“On a server or desktop computer, entropy isn’t needed until later during system startup and use,” he said.

“By then, based on network traffic and/or user input and other hardware events, there is usually plenty of entropy to go around. In embedded systems the situation can be different especially if random numbers are accessed early in the boot process, and that’s what we’re seeing here with Raspbian.

“It’s imperative, especially in the Internet-of-Things era, for embedded systems developers to be security conscious and design systems in such a way that random numbers are not needed until there is enough entropy and/or the Linux kernel entropy pool is seeded from a hardware random number generator if it is present in the system.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/02/raspberry_pi_weak_ssh_keys/

4 Conversation- Starters & Stoppers For US-China Cybersecurity Talks

As meetings begin in Washington, will ‘are you still hacking us’ be on the list of questions?

Today, China’s Public Security Minister Guo Shengkun, U.S. Secretary of Homeland Security Jeh Johnson, and other Chinese and American officials kicked off meetings to discuss the nations’ cybersecurity relations.

This is an opportunity to renew conversations broken off when China removed itself from a working group after the United States indicted five members of the Chinese People’s Liberation Army for hacking and economic espionage in May 2014.

President Obama and Chinese president Xi Jinping started mending fences Sep. 25 when they came to an agreement that neither nation would engage in cyber espionage for economic gain. (Chinese officials had brokered a similar “no-hack pact” with Russian officials four months earlier).

Yet, there is still a lot of cybercrime deriving from China — state-sponsored or not. Unnamed officials told The Washington Post — in a story published Monday — that the PLA “has not substantially reengaged in commercial cyberespionage” since the indictments in May 2014. Yet CrowdStrike reported seeing Chinese APT actors targeting American companies even after the pact was made in September. And the Chinese cybercrime underground, as detailed by Trend Micro’s Forward-Looking Threat Team, is exceptionally robust.

The conversations this week are therefore fraught with diplomatic peril. What questions are the ones to have the best or worst response this week?

  

What is ‘cybercrime’?

It sounds like a silly question, but according to Laura Galante, director of threat intelligence at FireEye, the U.S. and China have different ways of defining cybercrime. In a blog piece today, Galante wrote:

“The philosophical difference hinges on whether a country conceives of this issue as cybersecurity (securing networks and systems and associated infrastructure) or as information security (securing information, content, and ideas in addition to networks.)

China, along with Russia, more broadly defines cyber operations and tools in terms of ‘information and communications technology.’ With differences at this conceptual level … more granular terms like ‘cybercrime,’ ‘cyber-enabled data theft’ and ‘cyber espionage’ will also require significant discussion before either side will feel confident that there is a clear, joint understanding of the activity at issue.”

 

Are you holding up your end of the no-hack pact?

If, a mere 60 days after the agreement between President Obama and President Xi was made, the two nations begin discussing how well (or poorly) each side is holding up its side of the bargain, “I think it will be a conversation stopper,” says Galante.

In fact, Galante doubts cyberespionage will be discussed in great detail. She believes the goal will be to renew conversations that had been shut down by avoiding sticking points like IP theft and Internet governance and focusing on areas where there will be more opportunities for alignment and cooperation, like stopping cyberterrorism and apprehending cybercriminals.

 

How can our nations help each other?

The question of helping one another stop cybercrime might be a non-starter, too. Tom Kellerman, chief cybersecurity officer for Trend Micro, says that if he were attending the meetings, he would ask “Why has the regime not dismantled the robust Chinese underground which [Trend Micro] highlighted in our recent report?”

Kellerman also believes that the two nations could collaborate on financial cybercrime. 

“How might the Chinese assist the US with anti-money laundering via cyber like in the use of Alipay and BitCoin?” he says. “When might the Chinese recognize that the US banks that they are heavily invested in are being pilfered by their Russian allies?”

Those might be conversation stoppers, too.

 

What are the rules of engagement?

Among the most important tasks of these meetings is to establish norms, protocols, and procedures, like, as Kellerman says, “What will the redlines be that distinguish when cyberattacks escalate to national security events?”

“What marks escalation,” says Galante, “what triggers a response … and how do you de-escalate?”

Galante says that both parties may also determine what kinds of “confidence-building measures” (CBMs) they may each produce to enhance the relationship. CBMs might come in the form of something as simple as white papers articulating how each party defines terminology. 

She says that exchanging white papers might not sound like much, but there is precedent for it. She mentions that the Cold War was gradually brought to a close because cultures that didn’t understand each other got to know each other better by “engaging on so many fronts.”

“This is diplomacy, at the end of the day.” she says.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/vulnerabilities---threats/4-conversation--starters-and-stoppers-for-us-china-cybersecurity-talks/d/d-id/1323346?_mc=RSS_DR_EDT

Photos of kids and parents, chatlogs, audio files stolen in VTech breach

The intruder who says he broke into servers at toymaker VTech last month told Motherboard that the data he* could get at was so sensitive, it made him queasy.

Really? What was in there?

According to the company’s breach notification, the intruder got at general user profile information including names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories – personal data pertaining to both customers and their kids.

As Motherboard reported, the tally included names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 children.

But wait, it gets worse.

Motherboard on Monday revealed that the breach also included thousands of pictures of parents and kids, plus a year’s worth of chat logs stored online in a way that the publication reported was “easily accessible to hackers,” as well as audio recordings, some of which are of kids’ voices.

The intruder said that the data comes out of VTech’s Kid Connect, a service that allows parents and kids to chat via a mobile phone app and a VTech tablet.

You can use Kid Connect for more than just text chat: users can also snap headshots and record voice messages, as the company’s online tutorial describes.

So, it appears, images of kids have been accessible to anyone who knew how to get at them.

The same goes for parents’ images: their faces, potentially surrounded with cartoon renditions of, say, a princess, labelled “Mommy,” have been easily accessible to anyone who might have figured out how to get at the data, as the intruder in this case did.

Match that up with home addresses, children’s first names and their birth dates and, well, the intruder’s right: it’s stomach-churning.

In a breach notification updated on Monday, VTech said that customers in the affected database are from the US, Canada, the UK, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.

The company also said that, “as a precautionary measure,” it’s taken down some of its vulnerable portals, such as the Learning Lodge, as well as 13 other websites.

As of Tuesday morning, VTech hadn’t responded to Motherboard’s request for clarification as to why the company even stored this information on its servers in the first place.

As Naked Security proposed when we first wrote up the breach, VTech’s description made it sound as though the company stored your password in a way that it could recover it, rather than using industry-standard practice (known as salt-hash-stretch) that merely allows passwords to be verified.

The company’s wording made it sound like it could retrieve a password and send it to “you” – or whoever’s using your personal details to appear as if they are you – rather than the more secure method of making passwords so scrambled that the company couldn’t get at them and would instead just reset whatever passwords customers lost.

Unfortunately, compounding this hypothetical scenario (we don’t know enough yet to confirm the premise about password storage) is the fact that there is much more data at stake than seems strictly necessary for the toymaker to do what it needs to do.
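As an added illustration of the distinction drawn here (example code, not VTech’s own), the following Python contrasts the two storage models. The “recoverable” scheme is a toy stream cipher keyed with a server secret; the salt-hash-stretch scheme is PBKDF2-HMAC-SHA256 from the standard library. The iteration count, salt length, record format and function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not VTech's code: the two password-storage models the article
# contrasts. The "recoverable" model is a toy stream cipher under a server key;
# the salt-hash-stretch model is PBKDF2-HMAC-SHA256. Parameter values are assumed.

PBKDF2_ITERATIONS = 200_000   # assumed stretch factor; raise it as hardware gets faster
SALT_BYTES = 16               # assumed per-record salt length


def _keystream(server_key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 of key || counter); only here to make the point."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(server_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def store_recoverable(password: str, server_key: bytes) -> str:
    """Encrypt rather than hash: the site can later 'send you your password'."""
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(server_key, len(pw))))
    return base64.b64encode(ct).decode()


def recover_password(stored: str, server_key: bytes) -> str:
    """Whoever holds the database and the key, intruder included, gets plaintext."""
    ct = base64.b64decode(stored)
    return bytes(a ^ b for a, b in zip(ct, _keystream(server_key, len(ct)))).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt, hash, stretch: the record can verify a password but never reveal it.

    A fresh random salt per record means two users with the same password get
    different records, and a precomputed table is useless against the dump.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False          # malformed record: refuse rather than guess
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    key = b"server-secret-kept-next-to-the-database"   # constructed sample key
    blob = store_recoverable("hunter2", key)
    print("recoverable store gives the intruder:", recover_password(blob, key))

    record = hash_password("hunter2")
    print("hashed record:", record)
    print("right password verifies:", verify_password("hunter2", record))
    print("wrong password verifies:", verify_password("hunter3", record))
```

The difference an intruder sees: a dump of the first table plus the server key yields every plaintext password via recover_password; a dump of the second yields only records that can be checked one guess at a time, each guess costing PBKDF2_ITERATIONS hash operations. Nothing in the second scheme lets the site send a forgotten password back to a user, which is exactly the property you want.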

There are unintended consequences to storing data.

Why was VTech storing chat logs going back a year, with the oldest chat logs dating back to the end of 2014?

Was the idea to potentially sift through these logs in future for development of some type of feature? Or for marketing purposes?

Was any thought at all given to collecting it, or was it collected and kept simply because it could be collected and stored?

And why in the world would the company store audio files, some featuring kids’ voices?

Such a data point might seem innocuous, but as we’ve noted when analyzing just how anonymous so-called anonymous data really is, the more data points users give up – and which a company collects – the greater the risk if a data set gets breached.

The intruder told Motherboard that he was able to download more than 190GB worth of photos. He shared 3832 image files with Motherboard, which blacked out faces and published a subset.

Thankfully, he said that he doesn’t intend to sell or publish the data.

That makes this a close call, and hopefully an extremely loud wake-up call, for the toymaker.

*He/she asked for anonymity (he or she has, after all, committed a crime), so I followed Motherboard’s lead in using the male gender.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wvGZVKa9WDo/

GCHQ can hack your systems at will – thanks to ‘soft touch’ oversight

Documents released by GCHQ to the Investigatory Powers Tribunal suggest the agency may be allowed to hack multiple computers in the UK under single “thematic” or “class” warrants.

Responding to complaints brought by Privacy International and seven global internet and communication service providers, the British spy agency told the tribunal it was applying for bulk hacking warrants from secretaries of state and then deciding internally whether it was necessary and proportionate to hack the individuals targeted.

The “soft touch” oversight regime for GCHQ’s offensive hacking activities has been revealed during an IPT hearing, which has received two sets of complaints to hear over the course of this week – one from Privacy International, and one from an international coalition of internet and communications service providers which Privacy International assisted.

The complaints regard the offensive hacking, or computer network exploitation (CNE) activities, of GCHQ, which are alleged to have been unlawful under the Computer Misuse Act 1990, as well as in violation of Articles 8 and 10 of the European Convention on Human Rights. The agency denies the allegations.

In a 31-page Amended Statement of Grounds (PDF), the seven ISP and CSP claimants state their proceedings concern “GCHQ’s apparent targeting of internet and communications service providers in order to compromise and gain unauthorised access to their network infrastructures in pursuit of its mass surveillance activities.”

Privacy International’s 25-page Amended Statement of Grounds (PDF) specifically concerns the spooks’ CNE activities, including their development of malware (such as “Warrior Pride”) which may leave devices “more vulnerable to attack by third parties (such as credit card fraudsters), thereby risking the user’s personal data more broadly”, and alleges that GCHQ does so without a legal basis.

Privacy International claimed that previously secret documents, and witness statements produced by GCHQ, show that:

  • GCHQ confirmed that the Secretary of State does not individually sign off on most hacking operations abroad, but only when “additional sensitivity” or “political risk” are involved [Witness Statement of Ciaran Martin (PDF), paragraphs 65, 72C].
  • Overseas hacking does not require authorisations to name or describe a particular piece of equipment, or an individual user of the equipment [56].
  • The Commissioner only formally reviewed the individual targets of GCHQ hacks overseas in April 2015 [71I].
  • The Intelligence and Security Committee Report in March 2015 called MI5’s and SIS’s failure to keep accurate records of their overseas hacking activities “unacceptable”, [ISC report, p.66] as it makes effective oversight impossible [71L].

Responding to these allegations in his witness statement (PDF), GCHQ’s Director-General for Cybersecurity, Ciaran Martin, accepted that such interference can cause additional damage. GCHQ, he said, merely attempts to “minimise that risk”.

The complaints follow the outing of GCHQ’s “Operation Socialist”, in which the spooks attacked Belgacom, the largest telecommunications company in Belgium, to gain access to its core GRX routers – ultimately for the purpose of running man-in-the-middle attacks against targets roaming with smartphones.

The coalition complaint stated: “It is important to note that the employees of Belgacom were not targeted because they posed any legitimate national security concern. Instead, they were subject to intrusive surveillance because they held positions as administrators of Belgacom’s networks. By hacking the employees, GCHQ could secure access to the customers.”

All of the accusations regarding GCHQ’s conduct were reliant upon public disclosures made by former NSA contractor Edward Snowden, which have been published in various outlets by the journalists to whom he has entrusted the documents.

The IPT heard the claimants’ submissions this morning and will hear the responses tomorrow. The hearing is set to continue until Friday 4 December. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/gchq_v_privacy_international_bulk_hacking/

Pentagon gets green light for WAR … of web propaganda against IS

The Pentagon has been given formal approval to start an online propaganda campaign against the Islamic State following a recent push by the US Department of Defense (DoD).

Congress approved the National Defense Authorization Act for 2016 last week and included in it a whole section (1056) on “Information operations and engagement technology demonstrations.”

The section states that the Secretary of Defense “should develop creative and agile concepts, technologies, and strategies across all available media to most effectively reach target audiences, and to counter and degrade the ability of adversaries and potential adversaries to persuade, inspire, and recruit inside areas of hostilities or in other areas in direct support of the objectives of commanders.”

In other words: counter the unexpectedly sophisticated and effective propaganda machine that the Islamic State has put into place in Iraq and Syria.

The section authorizes the Pentagon to carry out these operations for seven years – until October 2022 – and notes that it expects funding requests in that time: “The Secretary of Defense should request additional funds in future budgets to carry out military information support operations to support the broader efforts of the Government to counter violent extremism.”

Concerted effort

The inclusion of an online propaganda program is not an accident: the DoD has carried out a carefully coordinated effort for just that in the build-up to the defense act.

At the end of October, senior officials testified to Congress about the need to counter propaganda, which garnered some press attention. Just to make sure, the DoD then put out a press release saying the same thing: that “the United States is facing an unprecedented challenge in countering the propaganda of adversaries who recruit and easily spread misinformation through the Internet.”

A month later and a week before the Act was signed off into law, the Washington Post ran a special report on the Islamic State’s propaganda program as well as a critical review of the (DoD rival) State Department’s efforts thus far at countering it.

The Post was connected to Islamic State defectors by “security officials and counterterrorism experts.” It based its report on the information those defectors and the security officials provided.

Not that the requests and concerns are not justified. Professionally produced and edited videos of the Islamic State’s actions have proved enormously successful, with some being viewed millions of times.

The Islamists have also been successful in using the open nature of social media, including Twitter and Facebook, to spread their message far and wide. Significant efforts to shut down user accounts that glorify violence or link to violent imagery have largely proved ineffective.

Counter efforts

In Iraq itself, the militias fighting the Islamic State on the ground have also started creating their own videos and propaganda, epitomized in the cult of celebrity being built around “Iraq’s Rambo” Abu Azrael, captured in a recent film by France24.

In response to the recent attacks in Paris, the call to counter what is a seductive message to some has become much louder.

Hacking collective Anonymous recently highlighted the risks of such an approach, however, when its efforts to list Twitter accounts used by the Islamic State proved to be more damaging than useful. It was forced to admit that many of the accounts it flagged up had simply mentioned ISIL/ISIS, or contained Arabic. Twitter itself called the list worthless and journalists noted that the list included such people as Barack Obama, Hillary Clinton, and the BBC.

The Pentagon has, of course, a long history of producing propaganda, although its effectiveness is debatable. Perhaps that’s why the act includes a line about requiring “a process for measuring the performance and effectiveness of the demonstrations.”

Hopefully the DoD has become a little more savvy about how things work in 2015. Its effort two years ago to explain why the NSA’s mass surveillance program was actually a good thing, and to “get the story straight about the National Security Agency’s most criticized foreign intelligence and cybersecurity programs”, has the rare distinction of being the most down-voted video ever on YouTube: over 20,000 down votes compared to just 450 or so up votes.

And as the kids will tell you, down votes are not going to make you a YouTube star. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/dod_propaganda_approval/

Cybersecurity Seen As Top Priority For Financial Risk Managers

Risk managers at financial firms rate cyber risk as the number one concern across all risk management activities, not just IT risks.

Risk managers in the financial services industry are skittish about what they perceive as a heightened chance of a high-impact event hitting the global financial system hard, and they name potential cyber attacks as one of the biggest drivers of that increased risk.

A new survey out today by the Depository Trust & Clearing Corporation (DTCC) shows that 61% of risk managers believe that, over the last six months, the probability of an event that upsets the entire global financial system’s applecart has gone up. Among them, 70% cited cyber risk as a top-five risk for triggering that kind of event. That puts cyberattacks at the top of their global concerns. Meanwhile, the Bank of England’s Financial Policy Committee (FPC) also released its Financial Stability Report today with thoughts along the same lines, warning that cyber risk is a strategic priority rather than a narrow technology issue.

With so much money at stake within financial systems, it’s little wonder that financial services firms of all types are a huge target for cyber criminals. According to the Websense Security Labs 2015 Industry Drill-Down Report for financial services, the sector encounters security incidents 300 percent more frequently than other industries. And while many financial services firms do spend much more than their brethren in other industries, gaps remain that threaten the stability of the financial ecosystem and the economic continuity it supports.

The massive attack against JP Morgan in 2014 is a testament to that. In that case, over 83 million customers saw their data stolen, and that incident was just a sliver of the activity perpetrated by the criminals who carried it out, according to indictments made public last month.

“It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate,” Manhattan U.S. Attorney Preet Bharara said in a statement about the JP Morgan attack activity. “This was hacking as a business model.”

Many of these concerns are driving not just more investment, but smarter investments from the financial industry, as many organizations are seeking better means of information-sharing to reduce risk at individual organizations by learning from the pain of others.

“When it comes to fighting cyber risk specifically, we’re seeing a lot of market participants collaborating to a greater degree than in the past,” says Mark Clancy, CEO of Soltra, a joint venture between DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC). “More and more firms are aware of how information sharing can help prevent and minimize incidents while making it more expensive for hackers to be successful. This is one area where resources are being allocated.”

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/vulnerabilities---threats/cybersecurity-seen-as-top-priority-for-financial-risk-managers/d/d-id/1323371?_mc=RSS_DR_EDT

Hotel worker fired for sending Facebook abuse to journalist

On Friday, Australian journalist Clementine Ford got one of the thousands of online insults she regularly receives when she pens pro-women thoughts: in this one, Sydney hotel supervisor Michael Nolan called her a sl*t.

Ford grabbed screenshots of his posts.

Then, she pondered – publicly – whether Nolan’s employer was aware of his online behavior, tagging the company to ensure that if it wasn’t already, it would be soon.

He was “removed” from the site of his employer – Meriton Group – on Saturday, the hotel informed Ford.

As of Monday, he was fired.

In short order, a certain online demographic started blaming Ford for ruining a man’s career.

Her response: oh, boo hoo.

From Ford’s Facebook post:

To anyone who suggests I have caused a man to lose his job, I’d like to say this: No. He is responsible for his actions. He is responsible for the things he writes and the attitudes he holds. It is not my responsibility to hold his hand and coddle him when he behaves in an abusive manner just because it might have consequences for him. Women are often told to stay silent about harassment because it’s not fair to ‘ruin a man’s career’. Why is their behaviour our responsibility? Enough. If you enjoy exercising misogyny online, you only have yourself to blame if the people with power over your life – your bosses, friends, family etc – decide that they don’t want to be associated with you anymore. The targets of your abuse are in no way, shape or form responsible for making sure your actions have no recriminations for you.

It’s not like Nolan didn’t know what he was getting into.

Ford is a vocal feminist who speaks out about “men’s violence against women; exclusion of marginalised groups including disabled people, trans and gender queer people, people of color and women; reproductive rights; sexism; movies I like,” as she says.

For his part, Nolan, 22, apparently doesn’t regret his posts, losing his job or being publicly humiliated.

According to the Daily Mail, this is what he posted on his Facebook page after he lost his job:

I don’t give a damn.

This isn’t the first online tormentor Ford’s named and shamed.

According to the Daily Mail, Ford got a message in June from a man who threatened to “rape and bash” her after she posted a topless photograph of herself to protest revenge porn.

Ford called out Ryan Hawkins, from Victor Harbour in South Australia, after he sent the threat via Facebook.

He’s since apologized.

As Ford told the Daily Mail in an interview, most of the harassment she gets comes from young boys, typically 14 or 15 years old.

She has no problem holding abusers responsible for their words, but she chooses not to name and shame children, Ford says.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9_Mbo-THbTw/

Advent tip #1: Clean up your passwords before Christmas

Passwords. Until there’s another widely-adopted way to verify that we’re who we say we are, we’re sort of stuck with them.

But some people’s approaches to securing their online accounts are leaving us feeling less Buddy the Elf and more Ebenezer Scrooge.

Too many people are still using passwords like ‘123456’, ‘password’ or the name of their pet.

Your login credentials are hot property and you need to make sure you treat them so.

We’ve said it before and we’ll say it again:

One site. One password.

Don’t recycle passwords across multiple sites, and make each password super strong and super long.

If you struggle to remember them all, you could think about using a password manager.

Just make sure you lock down the password manager with a really strong password, and use two-factor authentication for extra security if you can.

If you need help picking passwords, use our video below:



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/neT5Mg7Q7Gw/