Attention - Password and Security Update - Page 3 - ehMac.ca
Old Jun 23rd, 2016, 03:33 PM   #21
Administrator
 
VSAdmin's Avatar
 
Join Date: Nov 2012
Posts: 374
Quote:
Originally Posted by mguertin View Post
So I guess it's "plug the hole that they used" and to hell with the rest of the security on the sites ... I mean this one is still running pre-release RC version of some SEO software that no longer even exists and likely hasn't been updated for at least 4 years on the vBulletin side of things. What could possibly go wrong ... maybe it wasn't the issue this time but maybe next time it will be.

I'm pretty sure I know exactly which 3rd party add-on you're talking about, and if I'm right then the only reason it was still a problem was for not closing that hole way back in Dec 2014 when that one was announced ...

Forum ownership and management requires a good bit of staying on top of those sorts of things and actually following through on doing the cleanup after a mess like this one (or being proactive and fixing things up before it becomes an issue affecting all of your end users).
We are running a customized VBSEO (not the "pre-release" you're referring to). VBSeo was discontinued a while ago and we maintain it now with internal staff, with all those vulnerabilities patched. The holes we suspect were potentially used were not public/in the wild. Since our announcement to sites, VBulletin, for example, released an SQL injection patch for VB4 that wasn't previously announced until this past weekend. At this stage, because we are looped in with legal and law enforcement, we cannot share much more info.

Helena
VSAdmin is offline   Reply With Quote
Old Jun 25th, 2016, 10:50 AM   #22
New Neighbour
 
Join Date: Mar 2016
Posts: 17
Ok so wow ... my password was forcibly reset and emailed to me in clear text, I suspect every single user's password here was forcibly reset the same way. Security at its finest. Wonder how that's going to work out for the 43,400 members that don't come here anymore and the squatters that bought up all the old domain names they don't use anymore. You just emailed free usernames and passwords to all of them. You don't even need to validate via an email to change it.

It's just so wrong on so many counts, but I guess that's what happens when you are running self-updated antiquated forum software that's not capable of anything else. (Real forum software would simply allow you to enforce a password change requiring email confirmation on the next login).

Awesome job.
mguertin is offline   Reply With Quote
Old Jun 25th, 2016, 09:10 PM   #23
Honourable Citizen
 
hexdiy's Avatar
 
Join Date: Dec 2011
Posts: 1,397
Yeah, plain text eh? I had already rotated my password immediately after the security breach, tonight I had to do it again.
But where is the security if even that gets sent in plain text?

And what's more: something destroyed the auto-save function. Lost me a very long post tonight because this INsecurity chopped off my connection!

Thanks but no thanks. Should I come to Ehmac via a TOR connection in the future?
__________________
Recycle the planet!
hexdiy is offline   Reply With Quote
 
Old Jun 26th, 2016, 03:22 PM   #24
Honourable Citizen
 
Join Date: Nov 2006
Posts: 17,037
Quote:
Originally Posted by hexdiy View Post
And what's more: something destroyed the auto-save function. Lost me a very long post tonight because this INsecurity chopped off my connection!

Thanks but no thanks. Should I come to Ehmac via a TOR connection in the future?
Since I only log in if I have something to say, and toss cookies upon exit, I do not use the auto-save function at all. That said I have been timed out so often that I am now in the habit of copying posts to TextEdit, before clicking on the submit button.
__________________
Ad links appearing in my posts were not placed there by me. I do not endorse any products which may be linked to my posts. Do not click on those links.

I retain all rights to photo-images I have posted on ehMac. They were posted that other members of the community could enjoy them. They may not be used or sold in any other way without my written consent.

Bill C-51 is an act of Terrorism! It cannot be fixed and should be immediately repealed!
eMacMan is offline   Reply With Quote
Old Jun 26th, 2016, 04:14 PM   #25
Honourable Citizen
 
pm-r's Avatar
 
Join Date: May 2009
Location: Brentwood Bay BC
Posts: 14,164
Quote:
That said I have been timed out so often that I am now in the habit of copying posts to TextEdit, before clicking on the submit button.


OT, but have a look at and try using ClipMenu, a Clipboard Manager for Mac OS X. Saves pasting stuff to TextEdit for saving… I couldn't work without using it… and it's Free and even still works with El Cap'n OS X 10.11.x!!!

ClipMenu.com: A clipboard manager for Mac OS X - ClipMenu.com
pm-r is offline   Reply With Quote
Old Jul 2nd, 2016, 01:50 PM   #26
Honourable Citizen
 
Join Date: Nov 2006
Posts: 17,037
While there is a fair bit of speculation that Tapatalk was used to cause the breach, I am wondering about Flash Player.

Even if it was not the culprit, this load of crap is pretty much a sieve when it comes to security, yet this site still embeds videos using Flash Player. Since there is absolutely no reason to continue using FP, I have to wonder why it has not been given the heave ho!
eMacMan is offline   Reply With Quote
Old Jul 12th, 2016, 04:59 PM   #27
Administrator
 
VSAdmin's Avatar
 
Join Date: Nov 2012
Posts: 374
We're not too certain what was the direct cause of the breach, and again, we are working with investigators and our legal team; therefore nothing can be announced until after.

Lee
VSAdmin is offline   Reply With Quote
Old Aug 16th, 2016, 12:28 PM   #28
Full Citizen
 
Join Date: Feb 2007
Posts: 420
How can I get my previous account working again?

I had to create this new account to ask the question. It was my fault that I forgot to change my contact email with my previous account when I switched ISP. I don't log in when I check ehMac daily. I only log in when I want to ask a question or provide input to a discussion.

Since my previous account had a defunct email address, I had no way of knowing that there was a mandatory password reset for every ehMac member. I used the "Contact Us" link at the bottom of the site three times to try to reach an admin but all attempts went unanswered.

So admin, is it possible for me to reset the password for my previous account so I can continue to use it?
yeeeha is offline   Reply With Quote
Old Aug 17th, 2016, 11:54 AM   #29
Administrator
 
VSAdmin's Avatar
 
Join Date: Nov 2012
Posts: 374
Quote:
Originally Posted by SS433 View Post
How can I get my previous account working again?

I had to create this new account to ask the question. It was my fault that I forgot to change my contact email with my previous account when I switched ISP. I don't log in when I check ehMac daily. I only log in when I want to ask a question or provide input to a discussion.

Since my previous account had a defunct email address, I had no way of knowing that there was a mandatory password reset for every ehMac member. I used the "Contact Us" link at the bottom of the site three times to try to reach an admin but all attempts went unanswered.

So admin, is it possible for me to reset the password for my previous account so I can continue to use it?
Can you send me a PM with your previous username and the email address that you used? I need to verify the account.

Lee
VSAdmin is offline   Reply With Quote
Old Sep 21st, 2016, 02:12 PM   #30
Honourable Citizen
 
Macfury's Avatar
 
Join Date: Feb 2006
Location: Toronto Proper
Posts: 41,140
Please dispose of all spam posts, threads and accounts held by this user:

Viagra - ehMac.ca
__________________
"My life is my own."

Mac Pro 5,1 3.2 GHZ Quad Core; MacBook Pro 1,1; iPhone 4
Macfury is offline   Reply With Quote
All times are GMT -4.



Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2019, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2019 DragonByte Technologies Ltd.
Copyright © 1999 - 2012, ehMac.ca All rights reserved. ehMac is not affiliated with Apple Inc. Mac, iPod, iTunes, iPhone, Apple TV are trademarks of Apple Inc. Content Relevant URLs by vBSEO 3.6.0 RC 2
