Account login Security change - Page 2 - Escape Trailer Owners Community

Old 01-04-2017, 10:54 AM   #11
Senior Member
 
rbryan4's Avatar
 
Join Date: Jun 2014
Location: San Antonio, Texas
Trailer: 2015 19 "Past Tents", 2015 F150 Ecoboost
Posts: 7,060
Quote:
Originally Posted by Donna D. View Post
Yes, someone did hack in and the FBI were involved. They found out a general area (a university!), but no one was ever prosecuted, nor were we able to get back the data or pictures.
The fact that a university may have been involved doesn't surprise me. Many IT students attack websites to see if they can be breached. It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.
__________________
"You can't buy happiness, but you can buy an RV. And that is pretty close."
rbryan4 is offline   Reply With Quote
Old 01-04-2017, 10:59 AM   #12
Site Team
 
Donna D.'s Avatar
 
Join Date: Nov 2008
Location: Portland, Oregon
Trailer: 2014 Escape 5.0 TA
Posts: 6,505
Quote:
Originally Posted by rbryan4 View Post
The fact that a university may have been involved doesn't surprise me. Many IT students attack websites to see if they can be breached. It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.
Too, the hack happened more than 11 years ago. 11/11/2005. Site security wasn't nearly the concern as it is now. In fact, there wasn't a whole lot of info on the web like now. But the loss of the data and pictures was heartbreaking. So much good stuff, just gone.
__________________
Donna D.
Ten Forward
2014 Escape 5.0TA
Donna D. is offline   Reply With Quote
Old 01-04-2017, 11:11 AM   #13
Senior Member
 
thoer's Avatar
 
Join Date: Oct 2009
Location: Galesville, Wisconsin
Trailer: 2017 21 "Blue II" (previously 17B "Blue") 2016 Highlander XLE (previously 2008 Tacoma)
Posts: 3,635
Unfortunately there are hackers who do damage just for the fun of it and/or just to test their abilities. To me, it's just another form of senseless vandalism - something I could never understand.
__________________
Eric (and Mary who is in no way responsible for anything stupid I post)
thoer is offline   Reply With Quote
Old 01-04-2017, 11:44 AM   #14
Site Team
 
Janet H's Avatar
 
Join Date: Sep 2012
Location: Pacific NW, Washington
Trailer: 1964 Globetrotter
Posts: 425
Quote:
Originally Posted by rbryan4 View Post
.... It's even encouraged by some unscrupulous teachers as a learning experience. I deal with this frequently. Using HTTPS to encrypt and secure login sessions offers at least a basic step in securing site logins.
This is the same reason that sessions are disconnected now after a period of inactivity. While it is occasionally an inconvenience for posters who may step away mid-post, it's an important security step.

Quote:
Originally Posted by Donna D. View Post
Too, the hack happened more than 11 years ago. 11/11/2005. Site security wasn't nearly the concern as it is now. In fact, there wasn't a whole lot of info on the web like now. But the loss of the data and pictures was heartbreaking. So much good stuff, just gone.
The site is now fully backed up every 24 hours so that it could be restored if needed.
__________________
.
You have brains in your head. You have feet in your shoes.
You can steer yourself any direction you choose | Dr. Seuss


Janet H is offline   Reply With Quote
Old 01-04-2017, 11:51 AM   #15
Senior Member
 
Join Date: Jan 2014
Location: North Van., British Columbia
Trailer: 2014 Escape 19
Posts: 2,974
Quote:
Originally Posted by Janet H View Post
This is the same reason that sessions are disconnected now after a period of inactivity. While it is occasionally an inconvenience for posters who may step away mid-post, it's an important security step.

.
Is there a ballpark number involved? I frequently post photos with my posts and sometimes go through my photos mid-post looking for suitable photos. Are we talking something like 10 minutes or an hour or more?

Ron
Ron in BC is online now   Reply With Quote
Old 01-04-2017, 11:54 AM   #16
Site Team
 
Janet H's Avatar
 
Join Date: Sep 2012
Location: Pacific NW, Washington
Trailer: 1964 Globetrotter
Posts: 425
I would have to double check but believe it's about 25 minutes... this has been in place for several years so if you have not experienced a problem I would not be concerned.

It's also worth noting that many browsers will save your content via caching. You can sometimes recover unposted content in a reply editor by using the back arrow on your browser judiciously. How well this works for you depends entirely on your own system's settings and is not related to site function.
__________________
.
You have brains in your head. You have feet in your shoes.
You can steer yourself any direction you choose | Dr. Seuss


Janet H is offline   Reply With Quote
Old 01-04-2017, 03:44 PM   #17
Senior Member
 
Join Date: Dec 2012
Location: Edmonton, Alberta
Trailer: 1979 Boler B1700
Posts: 8,579
Quote:
Originally Posted by J Mac View Post
Someone or something hacked into FiberglassRV and stole photos? It wasn't just a glitch in the system? What did the authorities (Police) say? This is very interesting!
Of course you can't "steal" a virtual object and take it away from the owner, and there would have been no theft report. What happened in FiberglassRV was that someone hacked into the forum and deleted content. This was before the forum was sold to Social Knowledge, and the forum administrators of the time didn't have effective backups; they were only able to restore some older posts (without photos or account information) from an old backup, and were not able to recover anything at all from a substantial period of activity.

That hacker then posted some random offensive material for a while.

Securing website traffic which contains account credentials is pretty fundamental to reducing this sort of problem. As it was (until today), anyone monitoring an administrator's session could intercept their username and password and use those to delete forum content (posts, images, documents, account profiles...).
Brian B-P is online now   Reply With Quote
Old 01-04-2017, 04:03 PM   #18
Senior Member
 
Join Date: Dec 2012
Location: Edmonton, Alberta
Trailer: 1979 Boler B1700
Posts: 8,579
The new secure login page is back, or perhaps is just now active on the server that I'm currently hitting and was only on some servers yesterday. However, the login challenge page (presented to a user who tries to post after being timed out, or to a user who simply has not logged in and tries something requiring a logged-in session) is still not secure; I doubt this is what the forum's administrators would intend.

The "i" in a circle beside the URL is Chrome's indication that there is information about the page security, and that info shows that the page is still presented via HTTP (not HTTPS)... and that the many other bits of content on the page are from a mix of secure and insecure sources.
Attached Images
File Type: jpg ReLogin-insecure.JPG (85.6 KB, 16 views)
Brian B-P is online now   Reply With Quote
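
The condition described in post #18 (a re-login page served over HTTP that also pulls content from a mix of secure and insecure sources) can be checked mechanically from the page source. The Python below is an added example, not part of the original thread or the forum's software; the host names, file names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute pulls a subresource into the page.
SUBRESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class _Audit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None             # resolved action of the open <form>
        self.insecure_resources = []        # subresources fetched over http://
        self.insecure_password_forms = []   # password forms that submit over http://

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            target = self.form_action or self.page_url
            if urlparse(target).scheme != "https" and target not in self.insecure_password_forms:
                self.insecure_password_forms.append(target)
        elif tag in SUBRESOURCE_ATTR and a.get(SUBRESOURCE_ATTR[tag]):
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                return  # only stylesheet links are loaded as page content
            url = urljoin(self.page_url, a[SUBRESOURCE_ATTR[tag]])
            if urlparse(url).scheme == "http":
                self.insecure_resources.append(url)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    """Return the transport-security findings for one page."""
    parser = _Audit(page_url)
    parser.feed(html)
    return {"page_over_https": urlparse(page_url).scheme == "https",
            "insecure_password_forms": parser.insecure_password_forms,
            "insecure_resources": parser.insecure_resources}

# Constructed sample: a re-login page on a made-up host (not the forum's real markup).
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://static.forum.example/style.css">
<script src="http://ads.example.net/banner.js"></script></head><body>
<form action="login.php" method="post">
<input type="text" name="username"><input type="password" name="password">
</form><img src="/images/logo.gif"></body></html>"""

if __name__ == "__main__":
    print(audit("http://forum.example/newreply.php", SAMPLE))
```

Served from an `http://` URL the sample reports an insecure password form and two insecure subresources; served from `https://` only the hard-coded `http://` script remains, which is the mixed-content case.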
Old 01-04-2017, 08:18 PM   #19
Member
 
Join Date: Apr 2016
Location: Austin, Texas
Trailer: 2017 5.0 TA (April '17)
Posts: 47
Another reason to use HTTPS is to protect the users of the website. A hacked website could attempt to hack the user's device (computer, phone, tablet, etc.) and inject malicious code onto their device. This code could be used to gather information from the user (logins, bank accounts, etc.) or use the device to attack other systems on the internet (along with thousands of other similarly hacked devices). There may not be any outward signs the website or the user's device was hacked in this situation. The website has to use HTTPS everywhere to provide this type of protection (not just at login). Fortunately, setting up HTTPS is now free thanks to the Let's Encrypt project (https://letsencrypt.org/) and other similar services. HTTPS should not inconvenience the user unless they are using a very old web browser or operating system. Current accepted good security practice dictates that all websites, regardless of the content, should use HTTPS all the time.
__________________
Thomas G.
2017 5.0 TA
2017 F-150 5.0L SuperCrew 6.5' bed 4x2, B&W Turnover Ball, Andersen Ultimate Aluminum Gooseneck, Fold-a-cover w/caddy
ThomasG is online now   Reply With Quote
Old 01-05-2017, 01:21 AM   #20
Member
 
Join Date: Sep 2016
Location: Redwood City, California
Trailer: 2017 Escape 19 (future)
Posts: 31
Good to see it's going to https for the login page. Is there any reason not to just go to HTTPS for all pages? That seems like it would be both easier and more secure.
Defenestrator is offline   Reply With Quote
All times are GMT -5.