Hacking Threat


sheeny
01-06-2021, 04:36 PM
Just a heads up guys.


We recently had a member's account hacked, and the hackers then began spamming from that account. The member hasn't been active for a while, and we weren't able to contact him to change his password before we had to delete the account to stop the hackers from spamming.


I, myself, have just received notification from google security that I had a password breach. On investigation, I found it was my IIS password, so I've now changed my IIS password.


Please be aware that it appears hackers are attacking the site trying to find a way in. It's not an issue if you have a secure password, but if you have a simple password it might be worth changing it to something harder to crack.


Please keep an eye out for any unusual activity, and spam posts, and report them ASAP.


Al.

PeterM
01-06-2021, 05:14 PM
Thanks for this Al,

The site is Not Secure, so I am left wondering does this make it more attractive to hackers? I don't know so maybe someone in the know can explain to members just exactly what the potential issues might be?
If IceMan has no intention of making it secure then what does that mean for IIS long term? Well someone had to ask the question.....

Actually, Website feedback has a very good discussion on this.... my simple take from that is... It's 2021, not 2005 and to make the site secure is fairly straightforward, if the owner wants to.

Hey Mike hows about a comment?

RB
01-06-2021, 06:24 PM
I’ve just changed mine to Al’s old one.
Can never be too careful.

:lol:

lazjen
01-06-2021, 06:29 PM
It is quite poor that this site hasn't been updated to be secure. It's been asked for before and will probably be asked for again. Unfortunately it probably will eventually be hacked and ruined. :(

I would recommend for your own safety that you use a password manager and get it to generate a decent password for this site completely different to everything else.

Merlin66
01-06-2021, 06:58 PM
Help me...
How does making the forum “secure” prevent password theft and disruption???

multiweb
01-06-2021, 07:09 PM
:lol::lol::lol: Taking one for the team.

sheeny
01-06-2021, 07:27 PM
It's got to be a good move, RB. The hackers know it's no longer valid, so no one else would use it, would they?


:P


Al.

RB
01-06-2021, 07:32 PM
Yep!
You can do your bit too Marc, swap with Lewis.
:lol:


:thumbsup:
Did you get that from the Snowden documentary I sent you Al?
It was very informative, wasn't it.

:lol:

TrevorW
01-06-2021, 08:38 PM
the URL for this site is - https://www.iceinspace.com.au/



Hypertext Transfer Protocol Secure (HTTPS), or "HTTP Secure," is an application-specific implementation that combines the Hypertext Transfer Protocol (HTTP) with SSL/TLS. HTTPS is used to provide encrypted communication and secure identification of a server, so that no middle man can intercept the data easily.


This still does not stop a determined hacker.


A password containing upper and lower case letters, numbers and a special character, being 10 characters or more in length, has around 3,051,925,477,389,360 combinations, whereas a simple 5-character alphanumeric password may only have around 1 million combinations, so the more complex the password, the harder it is to hack.

gary
01-06-2021, 09:36 PM
Hi Peter,

When you see the "Not Secure" message and an open padlock icon
next to the URL field on your browser, it means you accessed it
via a URL of the form http://www.iceinspace.com.au

If you have an existing bookmark, you might want to edit it to
be of the form https://www.iceinspace.com.au

As TrevorW pointed out, HTTPS stands for HTTP Secure.

So, what, you may ask, does accessing the site using https do?

Unfortunately, not all the magic you may have been hoping.
The browser's use of the term "Not Secure" and its implied opposite,
"Secure", are somewhat of a misnomer.

And this applies to all web sites, not just IceInSpace.

Back at the server there is a digital certificate that has been signed by a
"trusted" certification authority (CA).

In a nutshell, when you enter https://www.iceinspace.com, your browser
requests the certificate and it checks that, indeed, the certificate
corresponds to https://www.iceinspace.com and not some other web site.

In a similar vein, if you intentionally go to a hypothetical web site called
https://nastywebsite.com that exploits a security flaw in the browser,
if that web site also has a valid certificate for https://nastywebsite.com
that is signed by a "trusted" CA, then your browser will show it too
is "Secure".

So beware.

When running the https protocol, the communications between you
and the web site are encrypted to try and prevent a "man-in-the-middle"
attack.

However, if, for example, someone has installed a key logger on your
computer through some other piece of malware, encryption isn't
going to do you much good, because they are logging the key presses
before they are encrypted.

Additionally, if a web site itself has a security flaw, for example some
way to access the member database and edit the passwords, then
whether you run http or https matters not.

I like to think of those browser padlock icons like the "Sanitised For
Your Protection" paper bands they leave on hotel toilet seats.
From a professional computer science perspective, they don't mean s**t. :lol:
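Gary's point that the padlock only proves "a trusted CA signed a certificate for this exact name" can be seen in the name check itself. The following is an added example, not code from the thread or from any browser: a simplified version of the Subject Alternative Name matching a browser performs (real browsers delegate this to their TLS library), run against two constructed certificates. The wildcard rule used here, that `*` covers exactly one left-most label, is the usual convention and is an assumption of the example.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Certificate:
    """Constructed stand-in for a CA-signed certificate: just the DNS names it
    covers and whether a trusted CA signed it (not a real X.509 parser)."""
    dns_names: List[str]
    issuer_trusted: bool

def name_matches(pattern: str, host: str) -> bool:
    """Match one SAN entry against a host name.

    A wildcard is honoured only as the entire left-most label, so
    '*.example.com' covers 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com', and '*.com' is never accepted.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def browser_would_show_padlock(cert: Certificate, host: str) -> bool:
    """The padlock means only: a trusted CA vouched that this cert is for *this* name."""
    return cert.issuer_trusted and any(name_matches(n, host) for n in cert.dns_names)

# Constructed sample certificates for the two hosts Gary describes.
SITE_CERT = Certificate(["iceinspace.com.au", "*.iceinspace.com.au"], issuer_trusted=True)
NASTY_CERT = Certificate(["nastywebsite.com"], issuer_trusted=True)
UNTRUSTED_CERT = Certificate(["nastywebsite.com"], issuer_trusted=False)

if __name__ == "__main__":
    print(browser_would_show_padlock(SITE_CERT, "www.iceinspace.com.au"))   # padlock
    print(browser_would_show_padlock(NASTY_CERT, "nastywebsite.com"))       # padlock too: identity, not safety
    print(browser_would_show_padlock(NASTY_CERT, "www.iceinspace.com.au"))  # no padlock: wrong name
    print(browser_would_show_padlock(UNTRUSTED_CERT, "nastywebsite.com"))   # no padlock: untrusted signer
```

The second line of output is the whole point: a malicious site with a perfectly valid certificate for its own name gets the same padlock as anyone else. The check answers "is this really nastywebsite.com?", never "is nastywebsite.com safe?".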

blindman
01-06-2021, 10:09 PM
I, for one, have a strong password which cannot be forgotten.
It is: Wrong password, please try again. ;):lol:

Rerouter
01-06-2021, 11:15 PM
Most account hacking issues stem from already-released datasets: the attackers have a big list of all the existing leaks, poke around for wherever on the internet the same usernames/emails/phone numbers are shared, and then try all the known passwords against those accounts, plus or minus some common variations if a site is too relaxed about its number of attempts.
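The pattern Rerouter describes, one leaked password tried against each of many accounts from the same source, looks very different in a login log from a single member mistyping their own password, and that difference is what a site operator can detect. The following is an added example, not code from the thread or the IceInSpace forum software: a small credential-stuffing detector run over constructed login-audit lines. The log format (`timestamp ip=... user=... result=OK|FAIL`), the addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-line format; adjust the regex for a real forum's login log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample data (documentation-range addresses, made-up users).
# 203.0.113.7 tries one password per account across many accounts and
# eventually gets into 'frank'; 198.51.100.20 is a genuine member who
# mistypes her own password twice and then succeeds.
SAMPLE_LOG = """\
2021-06-01T16:02:11 ip=203.0.113.7 user=alice result=FAIL
2021-06-01T16:02:12 ip=203.0.113.7 user=bob result=FAIL
2021-06-01T16:02:14 ip=203.0.113.7 user=carol result=FAIL
2021-06-01T16:02:15 ip=203.0.113.7 user=dave result=FAIL
2021-06-01T16:02:17 ip=203.0.113.7 user=erin result=FAIL
2021-06-01T16:02:19 ip=203.0.113.7 user=frank result=OK
2021-06-01T16:05:40 ip=198.51.100.20 user=alice result=FAIL
2021-06-01T16:05:52 ip=198.51.100.20 user=alice result=FAIL
2021-06-01T16:06:03 ip=198.51.100.20 user=alice result=OK
2021-06-01T16:07:01 ip=203.0.113.7 user=grace result=FAIL
"""

def parse_events(log: str):
    """Yield (timestamp, ip, user, result) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]

def stuffing_sources(log: str, window: timedelta = timedelta(minutes=10),
                     min_fails: int = 5, min_users: int = 4) -> dict:
    """Return {ip: sorted usernames tried} for addresses whose failed logins
    inside any `window` span at least `min_users` distinct accounts.

    A member retrying their own password never trips this: stuffing is
    recognised by attempts spread thinly across many accounts, which is
    exactly how it evades per-account lockout."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse_events(log)):
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):            # sliding window over this IP's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            if len(in_window) >= min_fails and len({u for _, u in in_window}) >= min_users:
                flagged[ip] = sorted({u for _, u in fails})
                break
    return flagged

def accounts_to_reset(log: str, flagged: dict) -> list:
    """Accounts a flagged address logged into successfully: treat them as
    compromised and force a password reset (what Al had to do by hand)."""
    return sorted({user for _, ip, user, result in parse_events(log)
                   if result == "OK" and ip in flagged})

if __name__ == "__main__":
    sources = stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", sources)
    print("accounts to reset:", accounts_to_reset(SAMPLE_LOG, sources))
```

On the sample, the detector flags 203.0.113.7 and reports `frank` as the account to reset, while the member fumbling her own login from 198.51.100.20 is left alone. The thresholds are deliberately per-source rather than per-account, because per-account lockout alone is what a "too relaxed about its number of attempts" site gets wrong: one try per account never locks anything.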

leon
02-06-2021, 06:28 AM
Well you have lost me with all that, but it doesn't take much when it comes to this sort of stuff. :help:
And my password is that short and easy the hackers would just say, "That can't be right, who would have such an easy password? This must be a trick." :P

Leon :thumbsup:

PeterM
02-06-2021, 07:47 AM
Well thank you indeed Gary this gives me way better understanding than I had before. Sincerely appreciated. So new password it is. I guess changing passwords and making them more complex is more 2021 than 2005.

multiweb
02-06-2021, 08:37 AM
What Gary said. :thumbsup:

LewisM
02-06-2021, 07:26 PM
Why the hell do I want the password "VertVertVertVertVertVertFroggy"?

RB
02-06-2021, 07:31 PM
Isn’t it obvious???
He can then lower the price on any of your icetrade ads.

:lol:

LewisM
02-06-2021, 07:35 PM
Nefarious.


Typical Frenchman

RB
02-06-2021, 07:45 PM
You’re lucky he’s French and not Greek...
You’d never see your money,

:lol:

LewisM
02-06-2021, 07:46 PM
You have a point.


Or pointy ears.


Either eether

RB
02-06-2021, 08:06 PM
Now you're Putin me on....

:P

irwjager
02-06-2021, 08:15 PM
It's possible the unwelcome guest simply got a username/email + password combo from the many data breaches out there.


You can check whether you were victim of such a (known) breach and what was leaked here;
https://haveibeenpwned.com/
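Besides the breach search by email address that irwjager links, haveibeenpwned.com exposes a Pwned Passwords "range" API that lets you check whether a password appears in known leaks without ever sending the password, or even its full hash, to the server: only the first five hex characters of its SHA-1 hash are sent, and the server returns every hash suffix it knows under that prefix with a breach count. The following is an added example, not code from the thread or from Have I Been Pwned; the endpoint URL and the `SUFFIX:COUNT` reply format are as documented by that service, while the reply body used for the offline run is constructed and its counts are made up.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_parts(password: str):
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix: str) -> str:
    """Live fetch of one hash range. Only the prefix leaves the machine."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def count_in_range(suffix: str, body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix, 0 if absent."""
    for line in body.splitlines():
        line_suffix, sep, count = line.strip().partition(":")
        if sep and line_suffix.upper() == suffix:
            return int(count)
    return 0

def times_pwned(password: str, fetch=fetch_range) -> int:
    """How many times the password has been seen in breaches (0 = not found)."""
    prefix, suffix = sha1_parts(password)
    return count_in_range(suffix, fetch(prefix))

# Constructed stand-in for the server's reply to prefix 5BAA6, which is the
# prefix of SHA-1("password"). Two of the suffixes and all counts are made up;
# the real reply for this prefix runs to hundreds of lines.
CONSTRUCTED_REPLY = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

def offline_fetch(prefix: str) -> str:
    """Fake fetch for running the example without network access."""
    return CONSTRUCTED_REPLY if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", times_pwned(candidate, fetch=offline_fetch))
```

Pass `fetch=fetch_range` (the default) to query the real service. A count of zero does not make a password good, only not-yet-leaked; a non-zero count means it is on the lists Rerouter describes and should be retired wherever it is used.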

DarkArts
02-06-2021, 08:36 PM
Well, shucks! I just updated a couple of hundred old bookmarks from HTTP to HTTPS and 95% of the sites accept a secure connection now. It just goes to show, you can't be complacent online - it's always changing.

So, tip of the week: check your old bookmarks. :thumbsup:

As others have said, encrypting a web connection is not a guarantee of safety, but locking the door is at least an improvement over leaving it open (with all the qualifying statements that would go with that analogy ...).

As for stronger passwords: entropy is what you want. The more entropy in your password, the stronger it is. Here's an explanation or two:

https://explainxkcd.com/wiki/index.php/936:_Password_Strength

https://www.itdojo.com/a-somewhat-brief-explanation-of-password-entropy/
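The "combinations" figure in TrevorW's post and the entropy DarkArts points to are the same quantity expressed two ways: a password drawn uniformly from an alphabet of N symbols at length L has N^L possibilities, which is L·log2(N) bits of entropy, and the xkcd 936 passphrase of four random words from a 2048-word list has 2048^4 possibilities, which is 44 bits. The following is an added example, not from the thread or either linked page, that does that arithmetic and converts it into worst-case brute-force time; the alphabet sizes (33 printable symbols) and the guess rate are assumptions.

```python
import math

LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 33  # printable ASCII punctuation; a site's policy may allow fewer

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Diceware / xkcd-936 style: each random word from an N-word list adds log2(N) bits."""
    return words * math.log2(wordlist_size)

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)

def compare(guesses_per_second: float = 1000.0) -> dict:
    """Entropy and exhaustive-search time for a few password shapes.

    The rate defaults to the comic's 1000 guesses/second (a throttled online
    attack); an offline attack on a leaked hash database runs many orders of
    magnitude faster, which is why leaked hashes still matter."""
    shapes = {
        "5 lower-case alphanumeric chars": (LOWER + DIGITS, 5),
        "8 mixed-case alphanumeric chars": (LOWER + UPPER + DIGITS, 8),
        "10 mixed-case + digits + symbols": (LOWER + UPPER + DIGITS + SYMBOLS, 10),
    }
    out = {}
    for name, (n, length) in shapes.items():
        out[name] = (entropy_bits(n, length), years_to_exhaust(keyspace(n, length), guesses_per_second))
    for name, (n, words) in {"4 random words (2048-word list)": (2048, 4),
                             "6 random words (7776-word list)": (7776, 6)}.items():
        out[name] = (passphrase_entropy_bits(n, words), years_to_exhaust(n ** words, guesses_per_second))
    return out

if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:36s} {bits:6.1f} bits  {years:14.1f} years at 1000 guesses/s")
```

The caveat that both linked pages make is baked into the function names: these numbers hold only for passwords chosen at random (by dice, or by a password manager as lazjen suggests). A human-chosen "Tr0ub4dor&3" shape is a dictionary word with predictable substitutions, so a cracker searches a far smaller space than its character classes imply, and the entropy formula above overstates it.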

DarkArts
02-06-2021, 09:30 PM
Except for all the sites that don't, such as ~90% of the ones I tested today. So thanks for that, but the advice was, in fact, pretty useless. Just sayin'.

More useful advice would be to install a browser extension called HTTPS Everywhere (available for most popular browsers), which forces use of HTTPS if available, regardless of whether you used HTTP or HTTPS in your address bar/bookmark:



But if you like your browser with minimal extensions - like me - you can edit your bookmarks.

PCH
02-06-2021, 10:28 PM
Ok, point taken. I've deleted my post since you found it so useless.
Not sure why you felt the need to be rude about it - I guess you
felt you had a point to make.

redbeard
02-06-2021, 10:31 PM
That was an awesome link with the comic. Never would have thought that as we've always been told by the network security people to do the hard to remember stuff.

Thanks for posting.

Only issue now is they won't let me use a really good, easy-to-remember password and I have to have letters, numbers, characters and have to press the keys whilst standing on my head. Lol.😏

Cheers,
Damien

lazjen
03-06-2021, 08:16 AM
Use a password manager. Let it generate and remember the passwords for you. As an added bonus you can have stupendously large passwords (40, 50, 60+ characters, etc) with symbols, letters, different case, numbers, etc. Then, all you need to remember is one password to access the password manager - make this decent, but memorable and you're in a much better position overall.

multiweb
03-06-2021, 08:31 AM
You're missing one "vert". It's a recursive pwd based on the Russian dolls design. Uncrackable. :bashcomp:

Outcast
03-06-2021, 09:54 AM
Any advice on the 'free' password manager such as say Nordpass free? I use their paid VPN service.. so, any catches with a free password manager that you know of?

lazjen
03-06-2021, 06:07 PM
If you're already using Nord for VPN, then that's probably a good enough option. The hassle will be if you leave Nord and need to transfer your passwords to a new manager.

I am using Lastpass right now, but recently they changed things to make it less useful. I'm probably going to change to Keepass for my requirements, but it's a bit more stuffing around to manage it properly and I haven't summoned the will to get it done yet. :)

Outcast
03-06-2021, 06:29 PM
Thank you... I'm actually looking at the Nord Family Premium now with its extra functionality of password sharing, which would be useful between the wife and I for shared accounts (Amazon, bank, credit cards, etc)...

Cost seems reasonable... I am struggling to convince my wife of the need though which is a little frustrating...

DarkArts
03-06-2021, 08:02 PM
Yeah, I guess that was overly blunt - believe it or not, offense not intended. But there is an awful lot of 'lukewarm' advice out there that doesn't actually help people and that really ought to be set straight.

Kal
04-06-2021, 12:30 PM
Thanks for the tip, I had a http bookmark not a https one so I updated it :thumbsup:

multiweb
04-06-2021, 12:38 PM
Adding those lines to the .htaccess file would redirect everything to https automatically and address the current indexing in Google as well.



Having said that there is nothing of value on IIS. It is public domain. Storm in a teacup. :)
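The lines multiweb refers to did not survive on this page. As an added example, not the lines from that post, this is the usual Apache `.htaccess` fragment that does what the post describes: send every plain-HTTP request to the same path over HTTPS with a permanent redirect (so search engines re-index the `https://` URLs), and once that works, tell browsers to stop trying plain HTTP. It assumes Apache with `mod_rewrite` and `mod_headers` enabled and a valid certificate already served on port 443.

```apache
# Added example; assumes mod_rewrite is enabled and the site already
# answers correctly on https:// (the thread confirms it does).
RewriteEngine On

# Any request that did not arrive over TLS is redirected to the same host
# and path over https. R=301 is a permanent redirect, which is what makes
# Google replace the http:// entries in its index with https:// ones.
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# HSTS: once every page is reachable over https, browsers that have seen
# this header rewrite http:// bookmarks and links to https:// themselves
# for the next year, so the redirect above is no longer even attempted.
# Browsers ignore this header when it arrives over plain http, so it is
# safe to emit unconditionally here. Start with a short max-age while
# testing, and only add includeSubDomains once every subdomain serves https.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
```

For a forum this closes the gap DarkArts and Kal hit with stale `http://` bookmarks: the server, not the member, does the upgrade, and the login form is never submitted in the clear.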