Canreef Aquatics Bulletin Board  

Go Back   Canreef Aquatics Bulletin Board > Other > Q&A

Reply
 
Thread Tools Display Modes
  #11  
Old 01-03-2017, 01:16 AM
Coasting's Avatar
Coasting Coasting is offline
Follows the rules!
 
Join Date: Feb 2012
Location: BC - PoCo
Posts: 677
Coasting is on a distinguished road
Default

I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in february I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts were stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop they somehow got my login and password for stuff I dont have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is apart of or whatever.

Quote:
Notice of Data Breach

You may have heard reports recently about a security issue involving VerticalScope. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you. VerticalScope owns and operates a number of community websites. You are receiving this email because you are a registered user of the following community website(s) involved in the data breach:
www.bcaquaria.com

What Happened?

On June 13, 2016, we became aware that February 2016 data stolen from VerticalScope was being made available online.

What Information Was Involved?

Community member usernames, email addresses, hashed passwords, community userIDS, community website, and the IP address the username originally registered with.
Reply With Quote
  #12  
Old 01-03-2017, 01:20 AM
Myka's Avatar
Myka Myka is offline
Moderator
 
Join Date: Mar 2004
Location: Saskatoon, SK.
Posts: 11,268
Myka will become famous soon enough
Default

Quote:
Originally Posted by Coasting View Post
I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in february I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts were stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop they somehow got my login and password for stuff I dont have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is apart of or whatever.
Wow! I've never heard of anything like this! If using https is "a thing", then why are none of the biggest forums using it?
__________________
~ Mindy

SPS fanatic.

Reply With Quote
  #13  
Old 01-03-2017, 02:36 AM
SoloSK71 SoloSK71 is offline
Member
 
Join Date: Oct 2012
Location: Calgary, AB, Canada
Posts: 374
SoloSK71 is on a distinguished road
Default

They have not had an incident yet?

Google, Firefox and Microsoft have not put enough emphasis on it?

It requires a bit more effort (getting an SSL certificate) that a regular implementation.

Charles
__________________
Where did my rum go?!

Success in this hobby does not count how you spend your money, it counts how you spend your time.
Reply With Quote
  #14  
Old 01-03-2017, 03:07 AM
Myka's Avatar
Myka Myka is offline
Moderator
 
Join Date: Mar 2004
Location: Saskatoon, SK.
Posts: 11,268
Myka will become famous soon enough
Default

Quote:
Originally Posted by SoloSK71 View Post
They have not had an incident yet?
No idea. I checked a bunch of forums, and didn't find even one of them using https. I haven't heard of anything like this until this thread.
__________________
~ Mindy

SPS fanatic.

Reply With Quote
  #15  
Old 01-03-2017, 04:17 PM
SoloSK71 SoloSK71 is offline
Member
 
Join Date: Oct 2012
Location: Calgary, AB, Canada
Posts: 374
SoloSK71 is on a distinguished road
Default

Another post - https://www.google.ca/amp/s/www.troy...tin-forum/amp/

The vBulletin forums run on HTTPS as well.

Charles
__________________
Where did my rum go?!

Success in this hobby does not count how you spend your money, it counts how you spend your time.
Reply With Quote
  #16  
Old 01-03-2017, 04:30 PM
Reef Pilot's Avatar
Reef Pilot Reef Pilot is offline
Member
 
Join Date: Nov 2010
Location: Langley BC
Posts: 1,883
Reef Pilot is on a distinguished road
Default

More and more are using https, and for very good reason. I just checked some other forums that I sometimes frequent. Some use it, and some don't.

Can never totally prevent hacking, but in this day and age, with all the bots running, should at least keep the front doors closed.
__________________
Reef Pilot's Undersea Oasis: http://www.canreef.com/vbulletin/sho...d.php?t=102101
Frags FS: http://www.canreef.com/vbulletin/sho...d.php?t=115022
Solutions are easy. The real difficulty lies in discovering the problem.
Reply With Quote
  #17  
Old 01-04-2017, 11:37 PM
warriorcookie's Avatar
warriorcookie warriorcookie is offline
Member
 
Join Date: Jan 2012
Location: Saskatchewan
Posts: 171
warriorcookie is on a distinguished road
Default

The only real benefit https would add is making it more difficult for intruders to intercept username and passwords at the time of login. This adds extra costs for the host because you need to pay to have your ssl certificate signed every year. The effectivness of https is extremly debatable too. Even with https in place, the user database is subject to its own vulnerabilities.

You cannot rely on forums to keep your information secure. They are being run on a shoestring budget which means most of the staff is volunteer, hosting is provided by an economy hosting service on an entry level plan with basic firewall and database offered.

To make things worse, most people use the same username and password for every forum they are a member of. All it takes is for one forum to get their database dumped, and they have access to thousands of usernames and passwords with email addresses that they could use to login to paypall, banks, other forums, etc. all because of the same password being used over and over.

Instead, use a password service like LastPass. You pick one good password for the main app, then it auto generates random 20+ character passwords for all the websites you use. It can do an audit on all the accounts saved in your computer and automatically change alot of them for you. Apps for Android and apple will automatically fill in username and password for all the sites and apps you use. This way if one site is hacked, you only have to change the password for the one site, not all of them. How many times does a forum database get dumped and the admins don't even realize?

If you use a word or any part of a word for a password it can be cracked very quickly. To a dictionary brute force script, the difference between the password "isolated" and "1s0LaTed" is minimal. All my passwords are the maximum characters allowed by the site and look alot like: "gdIj65vj#5)9hKhy6" and i dont have to remember any because my password manager enters it for me.
__________________
Reply With Quote
  #18  
Old 01-04-2017, 11:41 PM
warriorcookie's Avatar
warriorcookie warriorcookie is offline
Member
 
Join Date: Jan 2012
Location: Saskatchewan
Posts: 171
warriorcookie is on a distinguished road
Default

Quote:
Originally Posted by Coasting View Post
I could see this being useful. Especially on a site where we constantly exchange addresses and phone numbers and potentially other info in PM

Back in february I got a wicked virus and other issues when I accessed the BCAquaria forum.
I ended up with a crypto virus on my computer. All my login info for various emails and my bank accounts were stolen. I had $1990 removed from my bank through an EMT because of the shit put on my laptop they somehow got my login and password for stuff I dont have my computer remember. My email accounts somehow got hacked and were being caught sending out spam. I actually had gotten a virus or something else from visiting that forum a few years back as well. I will NEVER go back on that site.

Then in the summer I got this email from the company the forum is apart of or whatever.
While this sucks big time, to be clear, https would NOT have prevented this. This was a database dump.
__________________
Reply With Quote
  #19  
Old 01-05-2017, 01:06 AM
warriorcookie's Avatar
warriorcookie warriorcookie is offline
Member
 
Join Date: Jan 2012
Location: Saskatchewan
Posts: 171
warriorcookie is on a distinguished road
Default

Just wanted to clarify, as my previous responses where typed on a touch screen from an airplane...

Do I think https should be employed: whenever possible, yes! But does this mean you can rest easy that your user names, passwords, birthdates, email address and everything else is safe on this forum and any other: absolutely not!

The reality is that maybe a few of the forums will spend the money and upgrade to https, but the vast majority simply cannot or will not, and it only marginally improves one aspect of the many security vulnerabilities that these forums face. The only thing you can rely on is yourself to follow the latest good security practices when it comes to what info you keep online and how you choose usernames and passwords and how often you change them. My information has been stolen once before, but they only got access to a limited amount of information and there was zero overlap with any other website be it banking info or other.
__________________

Last edited by warriorcookie; 01-05-2017 at 01:15 AM.
Reply With Quote
  #20  
Old 01-05-2017, 02:28 AM
Myka's Avatar
Myka Myka is offline
Moderator
 
Join Date: Mar 2004
Location: Saskatoon, SK.
Posts: 11,268
Myka will become famous soon enough
Default

Very interesting warriorcookie! I use the same username and email address on each forum I use, though I have a different password on each forum, and the email I use is not my main email, and doesn't share a password with anything else. Am I doing it "right"? I like this idea of a password manager, I'll have to look into it.
__________________
~ Mindy

SPS fanatic.

Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 10:41 AM.


Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.