
rmwebs

macrumors 68040
Original poster
Apr 6, 2007
3,140
0
I'm putting this into its own thread as the other security threads really aren't the place for this.

Given the recent issues both MacRumors and vBulletin forums in general have experienced, I think it's only fair that we're at least kept in the loop as to just what exactly MacRumors will be doing to ensure an issue like the recent one does not happen again.

Could you confirm if you are now actively looking into moving away from vBulletin, if so, what sort of timeframe you're expecting.

Failing that, I'd like to request, nay demand that the following basic security measures are put into place - these are not difficult to add (even if it means modifying vB3 manually) and are vital for the protection of member details:

- 2-phase authentication as an option on accounts (this is a must in this day and age)
- Complete elimination of MD5 password hashing in favour of bcrypt
- Enforced minimum length of 8 characters on all passwords
- No maximum length on passwords
- Enforced password resets at least once a year (at least 4 times a year for moderators and admins)
- A server, and software audit by a reputable 3rd party security auditor
- A dedicated security management service on your forum server(s).
- A written plan of action that should be followed in the event such an issue was to occur again.

The reason behind the last three, without meaning to sound like an ass, is that the MacRumors management came across as pretty much having very little in the way of knowledge as to what to actually do to investigate the issue, and instead focused on simply getting the system back up and running again.

This may all seem like overkill, and it would be if we were talking about a forum with a few thousand members, but the fact is that MacRumors is one of the biggest targets out there with 800k members, and ignoring this fact is gross negligence. At this point it shouldn't be a case of "oh it's all good...it was only caused by a bad password on a moderator account, we don't need to do anything".

Edit: Screw it, everyone completely missed the point and the lack of response from management makes it clear they don't give a damn.
 
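The MD5-to-slow-hash migration and the length policy from the list above, as an added example that is not the OP's or vBulletin's code. It assumes a legacy "md5$salt$hex" record layout, and uses PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt (which needs a third-party package); the upgrade-on-login pattern is the same either way.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed example: a password store that retires legacy salted-MD5
# records on the next successful login and enforces the thread's policy
# (minimum 8 characters, no maximum). The "md5$salt$hex" layout is an
# assumption, not vBulletin's real format; PBKDF2 stands in for bcrypt.

MIN_PASSWORD_LENGTH = 8
PBKDF2_ITERATIONS = 200_000


def legacy_md5_record(password: str, salt: str) -> str:
    """Write a record the way the assumed old store did. Cheap to crack."""
    digest = hashlib.md5((password + salt).encode()).hexdigest()
    return f"md5${salt}${digest}"


def kdf_record(password: str) -> str:
    """Write a record with a slow, per-user-salted KDF (bcrypt stand-in)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def set_password(password: str) -> str:
    """Policy gate for new passwords: a floor on length, deliberately no ceiling."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    return kdf_record(password)


def verify(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either record type.

    Returns (ok, upgraded_record). When a legacy MD5 record verifies, the
    plaintext is in hand, so a fresh KDF record is returned for the caller
    to overwrite the old one. Comparisons are constant-time.
    """
    scheme, *fields = record.split("$")
    if scheme == "md5":
        salt, digest = fields
        expected = hashlib.md5((password + salt).encode()).hexdigest()
        if not hmac.compare_digest(expected, digest):
            return False, None
        return True, kdf_record(password)  # upgrade on first successful login
    if scheme == "pbkdf2":
        iterations, salt_hex, dk_hex = fields
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), dk_hex), None
    raise ValueError(f"unknown scheme {scheme!r}")
```

After the upgrade step the MD5 record should be overwritten immediately, so a later database dump contains only slow hashes.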
The actual head vBulletin site was hacked and it so happened that the moderator used the same pass on vBulletin as MR. ;)

Xenforo FTW.
 
I don't think two step authentication is all that necessary for a site like Macrumors. If your user account is compromised, there's really nothing anyone can do with it other than post as you.
 
What are they gonna do with my MacRumors username and password? Troll people under my username? I do that already. And I've changed my password. So basically, until next time, there is nothing to worry about.

That is, unless, you're a muppet and you've used the same password that you use to access your online banking or Amazon account or Apple account. But that isn't a problem for MacRumors. That is a problem for you. And your stupidity.
 
What they'll do is use a bot to troll any other sites for your username. Once they find another site with the same username they will try your password, and if that doesn't work, then guess at it using info from the compromised forum info and/or brute force it. They will then use it to gain access and attempt to glean more and more info about you, until they can get into things that will hurt you.
That is why they do what they do, not to gain access to a forum so they can post as you.

Where I work, some guy was using our webmail admin tools to reset the passwords of women's Facebook/photobucket or whatever accounts so he could look at their private pictures and dirty secrets. All you need is one account to lead you to others.
 
That is, unless, you're a muppet and you've used the same password that you use to access your online banking or Amazon account or Apple account. But that isn't a problem for MacRumors. That is a problem for you. And your stupidity.

Hey now, don't be making fun of Muppets. We're a bright bunch of stuff.
 
- Enforced password resets at least once a year (at least 4 times a year for moderators and admins)

The simple fact that no forum I visit currently does this makes me a bit wary of it. Yeah, sure for banking or educational accounts, sure, force the password to be reset. But for a forum? Not so much. The worst someone could do with my MR username and password is troll so much they get me banned. It's not a high security thing, it's a forum... people talk. That's pretty much it.
 
This is nothing.. Be glad the info wasn't stored in plain text like Cupid Media did in January when 40 million were hacked. In plain text format.

"An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by KrebsOnSecurity."

http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/
 
Where I work, some guy was using our webmail admin tools to reset the passwords of women's Facebook/photobucket or whatever accounts so he could look at their private pictures and dirty secrets. All you need is one account to lead you to others.

So does he serve a "boyfriend" while completing a sentence for a couple of years now?
 
There's an important aspect that's missing from the OP in this thread: the part about the responsibility for each individual for his or her own password behavior.

  1. Use only strong passwords. There are free strong password generators on the web.
  2. Do not ever use the same password for more than one site.
  3. Consider using a password manager, such as LastPass or 1Password.

The first two points are absolutely necessary. The third is very wise.

If you aren't doing the first two things on the list, you need to look in the mirror before placing blame. It's a fact that any website can be hacked. That's not an excuse for any site to have shoddy security, but it's a fact.

Ultimately, security is a two-way street. It's up to you how much damage a hacked site means for you personally.
 
There's an important aspect that's missing from the OP in this thread: the part about the responsibility for each individual for his or her own password behavior.

  1. Use only strong passwords. There are free strong password generators on the web.
  2. Do not ever use the same password for more than one site.
  3. Consider using a password manager, such as LastPass or 1Password.

The first two points are absolutely necessary. The third is very wise.

If you aren't doing the first two things on the list, you need to look in the mirror before placing blame. It's a fact that any website can be hacked. That's not an excuse for any site to have shoddy security, but it's a fact.

Ultimately, security is a two-way street. It's up to you how much damage a hacked site means for you personally.

What!? Personal responsibility!? How can you ask such a thing of us!
 
I can kind of see optional 2nd authentication and better encryption of passwords but beyond that what does someone gain by getting into my account? Keep these sites simple and don't reuse passwords. My bank on the other hand should be doing all that if not more.
 
There's an important aspect that's missing from the OP in this thread: the part about the responsibility for each individual for his or her own password behavior.

  1. Use only strong passwords. There are free strong password generators on the web.
  2. Do not ever use the same password for more than one site.
  3. Consider using a password manager, such as LastPass or 1Password.

The first two points are absolutely necessary. The third is very wise.

If you aren't doing the first two things on the list, you need to look in the mirror before placing blame. It's a fact that any website can be hacked. That's not an excuse for any site to have shoddy security, but it's a fact.

Ultimately, security is a two-way street. It's up to you how much damage a hacked site means for you personally.

Easy now, common sense like this is not welcome here..... :D
 
Is it possible to add fingerprint verification?
I'd also like a voice verification, along with a text exchange on my phone in order to log in.

You could also avoid storing passwords and opening dedicated offices for users to log in. The process would require the user to provide personal documents to the "logger", and a fee that would be returned when logging out.
 