A call for action with regards to security

Discussion in 'Site and Forum Feedback' started by rmwebs, Nov 19, 2013.

Thread Status:
Not open for further replies.
  1. rmwebs, Nov 19, 2013
    Last edited by a moderator: Nov 23, 2013

    rmwebs macrumors 68040

    Apr 6, 2007
    I'm putting this into it's own thread as the other security threads really aren't the place for this.

    Given the recent issues both MacRumors and vBulleting forums in general have experienced, I think it's only fair that we're at least kept in the loop as to just what exactly MacRumors will be doing to ensure an issue like the recent one does not happen again.

    Could you confirm if you are now actively looking into moving away from vBulletin, if so, what sort of timeframe you're expecting.

    Failing that, I'd like to request, nay demand that the following basic security measures are put into place - these are not difficult to add (even if it means modifying vB3 manually) and are vital for the protection of member details:

    - 2-phase authentication as an option on accounts (this is a must in this day and age)
    - Complete elimination of MD5 password hashing in favour of bcrypt
    - Enforced minimum length of 8 characters on all passwords
    - No maximum length on passwords
    - Enforced password resets at least once a year (at least 4 times a year for moderators and admins)
    - A server, and software audit by a reputable 3rd party security auditor
    - A dedicated security management service on your forum server(s).
    - A written plan of action that should be followed in the event such an issue was to occur again.

    The reason behind the last three, without meaning to sound like an ass, is that the MacRumors management came across as pretty much having very little in the way of knowledge as to what to actually do to investigate the issue, and instead focused on simply getting the system back up and running again.

    This may all seem like overkill, and it would be if we were talking about a forum with a few thousand members, but the fact is that MacRumors is one of the biggest targets out there with 800k members, and ignoring this fact is gross negligence. At this point it shouldn't be a case of "oh its all good...it was only caused by a bad password on a moderator account, we don't need to do anything".

    Edit: Screw it, everyone completely missed the point and the lack of response from management makes it clear they dont give a damn.
  2. Xerotech macrumors 6502

    Jul 22, 2011
    The actual head vBulletin site was hacked and it so happen that the moderator used the same pass on vBulletin as MR. ;)

    Xenforo FTW.
  3. iDuel macrumors 6502a


    Jul 20, 2011
    I don't think two step authentication is all that necessary for a site like Macrumors. If your user account is compromised, there's really nothing anyone can do with it other than post as you.
  4. roadbloc macrumors G3


    Aug 24, 2009
    What are they gonna do with my MacRumors username and password? Troll people under my username? I do that already. And I've changed my password. So basically, until next time, there is nothing to worry about.

    That is, unless, you're a muppet and you've used the same password that you use to access your online banking or amazon account or apple account. But that isn't a problem for MacRumors. That is a problem for you. And your stupidity.
  5. splatula macrumors newbie

    May 5, 2009
    What they'll do is use a bot to troll any other sites for your username. Once they find another site with the same username they will try your password, and if that doesn't work, then guess at it using info from the compromised forum info and/or brute force it. They will then use it to gain access and attempt to glean more and more info about you, until they can get into things that will hurt you.
    That is why they do what they do, not to gain access to a forum so they can post as you.

    Where I work, some guy was using our webmail admin tools to reset the passwords of women's Facebook/photobucket or whatever accounts so he could look at their private pictures and dirty secrets. All you need is one account to lead you to others.
  6. Intell macrumors P6


    Jan 24, 2010
    Hey now, don't be making fun of Muppets. We're a bright bunch of stuff.
  7. Astroboy907 macrumors 65816


    May 6, 2012
    Spaceball One
    The simple fact that no forum I visit currently does this makes me a bit wary of it. Yeah, sure for banking or educational accounts, sure, force the password to be reset. But for a forum? Not so much. The worst someone could do with my MR username and password is troll so much they get me banned. It's not a high security thing, its a forum... people talk. Thats pretty much it.
  8. Peace macrumors Core


    Apr 1, 2005
    Space--The ONLY Frontier
    This is nothing..Be glad the info wasn't stored in plain text like Cupid Media did in January when 40 million were hacked. IN plain text format.

    "An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by KrebsOnSecurity."

  9. alphaod macrumors Core


    Feb 9, 2008
    So is does he serve a "boyfriend" while completing a sentence for a couple years now?
  10. annk Administrator


    Staff Member

    Apr 18, 2004
    Somewhere over the rainbow
    There's an important aspect that's missing from the OP in this thread: the part about the responsibility for each individual for his or her own password behavior.

    1. Use only strong passwords. There are free strong password generators on the web.
    2. Do not ever use the same password for more than one site.
    3. Consider using a password manager, such as LastPass or 1Password.

    The first two points are absolutely necessary. The third is very wise.

    If you aren't doing the first two things on the list, you need to look in the mirror before placing blame. It's a fact that any website can be hacked. That's not an excuse for any site to have shoddy security, but it's a fact.

    Ultimately, security is a two-way street. It's up to you how much damage a hacked site means for you personally.
  11. Kissaragi macrumors 68020

    Nov 16, 2006
    What!? Personal responsibility!? How can you ask such a thing of us!
  12. Airforcekid macrumors 65816


    Sep 29, 2008
    United States of America
    I can kind of see optional 2nd authentication and better encryption of passwords but beyond that what does someone gain by getting into my account? Keep these sites simple and don't reuse passwords. My bank on the other hand should be doing all that if not more.
  13. rhett7660 macrumors G4


    Jan 9, 2008
    Sunny, Southern California
    Easy now, common sense like this is not welcome here..... :D
  14. LostSoul80 macrumors 68020


    Jan 25, 2009
    Is it possible to add fingerprint verification?
    I'd also like a voice verification, along with texts exchange on my phone in order to log in.

    You could also avoid storing passwords and opening dedicated offices for users to log in. The process would require the user to provide personal documents to the "logger", and a fee that would be returned when logging out.
  15. BigPrince macrumors 68020

    Dec 27, 2006
  16. SandboxGeneral Moderator emeritus


    Sep 8, 2010
Thread Status:
Not open for further replies.

Share This Page