Attention - Password and Security Update - Page 2 - ehMac.ca
Old Jun 15th, 2016, 06:41 PM   #11
Honourable Citizen
 
heavyall's Avatar
 
Join Date: Nov 2012
Location: Winterpeg
Posts: 1,524
Quote:
Originally Posted by VSAdmin View Post
Right now, I am going to ask you guys to try and be open to this sudden change.
.
Nope. Extra security is LESS secure. If people don't just KNOW their passwords, and have to keep changing them, they then have to start writing them down and storing them in places that are more likely to be compromised.

Again, I use the passwords that I use for a reason. I'm not interested in changing them to some other convoluted scheme. When forced to change my passwords, what I usually end up doing is just not going to that site anymore, and going over to one that respects that I can be responsible for my own account.
heavyall is offline   Reply With Quote
Old Jun 17th, 2016, 10:03 AM   #12
Honourable Citizen
 
Join Date: Nov 2006
Posts: 17,037
The rest of the story here, thanks to that competitor whose URL cannot be posted.

Toronto-based VerticalScope gets 45 million records stolen by hackers | MobileSyrup.com

Quote:
According to reports, a hacker has stolen 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company that owns properties like HTCFlyerforums, TopHosts, Galaxy S2Forums, and DigitalHome. On its website, the company boasts 84 million unique visitors monthly and 540 million page views monthly.
Quote:
Breach notification site LeakedSource.com said that the scale of data taken is greater than suggested. It's likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale, the group said.
__________________
Ad links appearing in my posts were not placed there by me. I do not endorse any products which may be linked to my posts. Do not click on those links.

I retain all rights to photo-images I have posted on ehMac. They were posted that other members of the community could enjoy them. They may not be used or sold in any other way without my written consent.

Bill C-51 is an act of Terrorism! It cannot be fixed and should be immediately repealed!
eMacMan is offline   Reply With Quote
Old Jun 17th, 2016, 11:13 AM   #13
Honourable Citizen
 
Join Date: Nov 2006
Posts: 17,037
So if I do the logical thing and change my password now, I will be forced to do it again in a day or three?
eMacMan is offline   Reply With Quote
 
Old Jun 18th, 2016, 10:39 AM   #14
New Neighbour
 
Join Date: Mar 2016
Posts: 17
The bigger question here is this, are there any plans to update the forum software? The biggest security issue here is not weak user passwords, it's forum software that's years old and is swiss cheese in terms of known exploits.

The second question is what kind of transparency with all of these security issues can we expect to see from Vertical Scope? ALL of our info was apparently lost to hackers and is out there for sale right now. Are there any assurances that any further information we post is being safeguarded? Or are we just relying on having stronger passwords (which honestly means NOTHING in terms of the security of this database unless you're talking about an admin password). Right now from the information on the VS website the only action that seems to be happening here is enforcing stronger passwords for the users of the approximately 1100 sites and there's no mention of further investigation as to the cause of the breach or how THAT will be resolved. Having some experience in this area I can pretty much guarantee you that it wasn't due to a weak user password ...
mguertin is offline   Reply With Quote
Old Jun 18th, 2016, 11:21 AM   #15
Rob
Honourable Citizen
 
Rob's Avatar
 
Join Date: Sep 2002
Location: Close to Windsor, Ont.
Posts: 1,757
When this thread was started by the admins a few days ago, it seemed a little disingenuous, and a complete overreaction.

It's totally clear now, however, that this site is run by a bunch of incompetent lying assholes. That's all anyone really needs to know.
__________________
Real Macsters don't repair permissions.

Opinions are like toothbrushes. Everybody has one, so there's no need to share. - Red Green
Rob is offline   Reply With Quote
Old Jun 20th, 2016, 12:00 PM   #16
Administrator
 
VSAdmin's Avatar
 
Join Date: Nov 2012
Posts: 374
Quote:
Originally Posted by John Clay View Post
Given the sudden interest in security, why not add SSL/HTTPS to the entire site? It's simple to do, and very affordable.

You could even do 2-factor authentication with support for Google Authenticator!
vBulletin does not support this on the login step, out of the box, but we are looking into adding it. SSL would not have prevented this type of breach though, as it was not a browser-side attack, but is good practice anyway.

Quote:
Originally Posted by pm-r View Post
Oh goody, another site wanting more password and new security protection to protect me and my Mac which contains nothing personal other than my name, address and phone number that is readily available in various phone directories anyway. Oh yes, and some photos.

What am I being protected from in this case being an ehmac.ca member???
Many people use the same password and email across multiple sites. The forced password change is to make sure that nothing done on this forum can ripple out to impact you elsewhere. The one that should happen a year from now can be revisited when it comes, and we will re-evaluate if it is still needed on the site.

Quote:
Originally Posted by eMacMan View Post
The rest of the story here, thanks to that competitor whose URL cannot be posted.

Toronto-based VerticalScope gets 45 million records stolen by hackers | MobileSyrup.com
The article fails to mention that the breach was for a third party plugin. This breach is on countless sites across the internet and not just limited to ours.

Their system was compromised and they grabbed user data for us and thousands of others. We cleared our part of the breach and went this route to further security. This is also in place as many members on the internet use the same or similar passwords across all things they use.

These tech blogs don't ever get the full story, they just have hearsay and run with and embellish it.

We cannot go into detail at the moment as it is being dealt with on a legal level.

Quote:
Originally Posted by eMacMan View Post
So if I do the logical thing and change my password now, I will be forced to do it again in a day or three?
An enforced password change is coming. I'd advise against changing your password now, as the site will require you to do it again later.

Quote:
Originally Posted by mguertin View Post
The bigger question here is this, are there any plans to update the forum software? The biggest security issue here is not weak user passwords, it's forum software that's years old and is swiss cheese in terms of known exploits.

The second question is what kind of transparency with all of these security issues can we expect to see from Vertical Scope? ALL of our info was apparently lost to hackers and is out there for sale right now. Are there any assurances that any further information we post is being safeguarded? Or are we just relying on having stronger passwords (which honestly means NOTHING in terms of the security of this database unless you're talking about an admin password). Right now from the information on the VS website the only action that seems to be happening here is enforcing stronger passwords for the users of the approximately 1100 sites and there's no mention of further investigation as to the cause of the breach or how THAT will be resolved. Having some experience in this area I can pretty much guarantee you that it wasn't due to a weak user password ...
The issue was not with vBulletin or its features itself. As explained above and omitted in the article, the issue was with a breach from a third-party plug-in.

However, we are continuing to move forward and update the security features and systems in place.

Again, as noted, information on the investigation cannot be published as we are dealing with it in a legal and law enforcement manner.

Thanks,
- JB
VSAdmin is offline   Reply With Quote
Old Jun 20th, 2016, 12:27 PM   #17
Honourable Citizen
 
pm-r's Avatar
 
Join Date: May 2009
Location: Brentwood Bay BC
Posts: 14,164
Quote:
Many people use the same password and email across multiple sites. The forced password change is to make sure that nothing done on this forum can ripple out to impact you elsewhere. The one that should happen a year from now can be revisited when it comes, and we will re-evaluate if it is still needed on the site.



That's their problem or concern, the passwords I use are site specific and unique for every site.
pm-r is offline   Reply With Quote
Old Jun 21st, 2016, 01:29 PM   #18
Honourable Citizen
 
Join Date: Nov 2006
Posts: 17,037
I am sure a lot of members signed up using an eAddress that has been abandoned. Might be a good idea to check that address and change it to something current, if you don't want to lose the account entirely.
eMacMan is offline   Reply With Quote
Old Jun 21st, 2016, 01:46 PM   #19
New Neighbour
 
Join Date: Mar 2016
Posts: 17
So I guess it's "plug the hole that they used" and to hell with the rest of the security on the sites ... I mean this one is still running pre-release RC version of some SEO software that no longer even exists and likely hasn't been updated for at least 4 years on the vBulletin side of things. What could possibly go wrong ... maybe it wasn't the issue this time but maybe next time it will be.

I'm pretty sure I know exactly which 3rd party add-on you're talking about, and if I'm right then the only reason it was still a problem was for not closing that hole way back in Dec 2014 when that one was announced ...

Forum ownership and management requires a good bit of staying on top of those sorts of things and actually following through on doing the cleanup after a mess like this one (or being proactive and fixing things up before it becomes an issue affecting all of your end users).
mguertin is offline   Reply With Quote
Old Jun 22nd, 2016, 11:16 AM   #20
Honourable Citizen
 
Macfury's Avatar
 
Join Date: Feb 2006
Location: Toronto Proper
Posts: 41,140
Each hack counts as a page hit, so they don't want to lose those views.

Quote:
Originally Posted by mguertin View Post
So I guess it's "plug the hole that they used" and to hell with the rest of the security on the sites ... I mean this one is still running pre-release RC version of some SEO software that no longer even exists and likely hasn't been updated for at least 4 years on the vBulletin side of things. What could possibly go wrong ... maybe it wasn't the issue this time but maybe next time it will be.

I'm pretty sure I know exactly which 3rd party add-on you're talking about, and if I'm right then the only reason it was still a problem was for not closing that hole way back in Dec 2014 when that one was announced ...

Forum ownership and management requires a good bit of staying on top of those sorts of things and actually following through on doing the cleanup after a mess like this one (or being proactive and fixing things up before it becomes an issue affecting all of your end users).
__________________
"My life is my own."

Mac Pro 5,1 3.2 GHZ Quad Core; MacBook Pro 1,1; iPhone 4
Macfury is offline   Reply With Quote
All times are GMT -4. The time now is 03:06 PM.



Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2019, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2019 DragonByte Technologies Ltd.
Copyright 1999 - 2012, ehMac.ca All rights reserved. ehMac is not affiliated with Apple Inc. Mac, iPod, iTunes, iPhone, Apple TV are trademarks of Apple Inc. Content Relevant URLs by vBSEO 3.6.0 RC 2
