Home PageFacebookRSS News Feed
PocketGPS
Web
SatNav,GPS,Navigation
SurfShark Antivirus
Pocket GPS World - SatNavs | GPS | Speed Cameras: Forums

Pocket GPS World :: View topic - Important Customer Security Announcement
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in for private messagesLog in for private messages   Log inLog in 

Important Customer Security Announcement
Goto page Previous  1, 2, 3, 4  Next
 
Post new topic   Reply to topic    Pocket GPS World Forum Index -> News And Latest Information
View previous topic :: View next topic  
Author Message
pillboxman
Lifetime Member


Joined: Oct 15, 2005
Posts: 123
Location: Somerset, England

PostPosted: Fri Nov 15, 2013 1:32 pm    Post subject: Re: Badly handled ? Reply with quote

molerat wrote:
I am appalled with the lax way you have handled this serious breach of your security. Why have you not informed ALL of your subscribers with a personal e-mail. Many will not receive or read the news letter or go to the main page. Why do you not have a bold banner on all of the forums and the download pages so there is a chance that ALL of your subscribers stand a chance of receiving this information. 1/10 for your handling of this serious situation I am afraid.


Sorry molerat but in the real world that would be impossible. Email servers have severe limits to the numbers from one source (in case you are wondering how spam gets past these limits, spam is transmitted by hundreds and sometimes thousands of different email accounts)

PGPSW did their best under very hard circumstances.

Thanks guys. 10/10

John
PS, I've changed my password!
Back to top
View user's profile Send private message Send e-mail
Criosdean
Occasional Visitor


Joined: Aug 08, 2006
Posts: 1

PostPosted: Fri Nov 15, 2013 2:15 pm    Post subject: Reply with quote

Thanks for letting us know and I hope the matter is resolved quickly.

One area you can improve on is the use of HTTPS protocol(http://en.wikipedia.org/wiki/HTTP_Secure) for logging in! The link in your newsletter for changing your user password is not secure. I know the HTTPS protocol is not perfect but it's better than nothing.
Back to top
View user's profile Send private message
PaulMoore2013
Occasional Visitor


Joined: Nov 06, 2013
Posts: 12
Location: 1

PostPosted: Fri Nov 15, 2013 2:29 pm    Post subject: Reply with quote

Criosdean wrote:
One area you can improve on is the use of HTTPS protocol(http://en.wikipedia.org/wiki/HTTP_Secure) for logging in! The link in your newsletter for changing your user password is not secure. I know the HTTPS protocol is not perfect but it's better than nothing.


I believe that's on the cards...

In-transit encryption can only do so much however... it's as (if not more) important to ensure the at-rest security (currently MD5) is secure.

If you don't require insurance, you can obtain an entirely free SSL certificate from StartSSL.com.
_________________
1
Back to top
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger
oldfogy
Frequent Visitor


Joined: May 08, 2006
Posts: 252
Location: West Midlands. UK

PostPosted: Fri Nov 15, 2013 3:01 pm    Post subject: Reply with quote

Yes thanks for the notification, I did mean to reply last week but got distracted.

And yes I do believe these things happen quite often with various sites but they do not bother notifying their members as you have done.
_________________
(If it ain't broke, I can soon fix it)
Back to top
View user's profile Send private message
philipe
Occasional Visitor


Joined: Oct 17, 2006
Posts: 40
Location: Newtownards

PostPosted: Fri Nov 15, 2013 3:53 pm    Post subject: Thanks everyone. Reply with quote

Thanks for letting us know about this. Evil or Very Mad
Back to top
View user's profile Send private message
253
Lifetime Member


Joined: Mar 05, 2007
Posts: 1058
Location: The green bit between the M40, M4 and M25.

PostPosted: Fri Nov 15, 2013 5:05 pm    Post subject: Reply with quote

Thanks for letting us know and for doing a great job.

I've got no complaints.
_________________
Triumph Tbird 1700. And now a Bonnie T100.
Back to top
View user's profile Send private message
stuartb
Occasional Visitor


Joined: Oct 25, 2005
Posts: 43

PostPosted: Sun Nov 17, 2013 6:54 pm    Post subject: Reply with quote

As a suggestion - might be worth at least changing the newslettter subject line to make it obvious there is important information within if you have a similar situation again.

I read the newsletter but at busy times, it sits in my inbox for a while before I open it (I opened the newsletter with the information about the breach on Sunday evening).

Thanks
Stuart
Back to top
View user's profile Send private message
Darren
Frequent Visitor


Joined: 11/07/2002 14:36:40
Posts: 23848
Location: Hampshire, UK

PostPosted: Sun Nov 17, 2013 6:57 pm    Post subject: Reply with quote

stuartb wrote:
As a suggestion - might be worth at least changing the newslettter subject line to make it obvious there is important information within if you have a similar situation again.

I read the newsletter but at busy times, it sits in my inbox for a while before I open it (I opened the newsletter with the information about the breach on Sunday evening).

Thanks
Stuart

The issue that was sent out on the Friday following the breach was entitled as follows:

PocketGPSWorld Newsletter - Important Customer Security Announcement - November 8th 2013

In this weeks issue we chose to repeat the announcement but did not change the title.
_________________
Darren Griffin
Back to top
View user's profile Send private message Send e-mail Visit poster's website
MaFt
Pocket GPS Staff
Pocket GPS Staff


Joined: Aug 31, 2005
Posts: 15311
Location: Bradford, West Yorkshire

PostPosted: Sun Nov 17, 2013 7:14 pm    Post subject: Reply with quote

Can you repeat it in next week's newsletter in case people haven't read the last two newsletters or the website or the forum or the twitter feed or the facebook page?

MaFt
Back to top
View user's profile Send private message Visit poster's website
M8TJT
The Other Tired Old Man
The Other Tired Old Man


Joined: Apr 04, 2006
Posts: 10118
Location: Bexhill, South Sussex, UK

PostPosted: Sun Nov 17, 2013 7:46 pm    Post subject: Reply with quote

Shame you don't have phone numbers. You could phone us all individually. That would prevent the server being marked as a spammer Stupid

It should not have been necessary to change anything else if the same password/username was not used on other sites. Supreme Angel I had shedloads where I had used my 'utility' password, but not on any that really mattered though.
Back to top
View user's profile Send private message
pcaouolte
Frequent Visitor


Joined: Dec 27, 2006
Posts: 998
Location: South Lincs, UK.

PostPosted: Tue Nov 19, 2013 8:51 am    Post subject: Reply with quote

Even though I don't get the time to visit here as often as I would like, I don't do twitter and I don't do facebook, I still became aware of the problem without any significant delay.

Thank you for your honesty and for keeping us informed. Well done!
_________________
Paul
Back to top
View user's profile Send private message
SteveMPS
Occasional Visitor


Joined: Jan 30, 2010
Posts: 57

PostPosted: Thu Nov 21, 2013 4:39 pm    Post subject: Reply with quote

253 wrote:
Thanks for letting us know and for doing a great job.

I've got no complaints.

Says it for me too Thumbs Up

There is always a basic weakness in each and every security system. Only one person designs the key part to a finite timescale and you have millions of people with loads of time trying to defeat it. Ultimately it's an unequal battle as the designer will never have been able to think of every possible attack. All you can do is buy time and use the age old householders defence of making your site less tempting than the site next door.

Oh and interesting article and posts by Paul Moore Thumbs Up.
Back to top
View user's profile Send private message
PaulMoore2013
Occasional Visitor


Joined: Nov 06, 2013
Posts: 12
Location: 1

PostPosted: Thu Nov 21, 2013 4:45 pm    Post subject: Reply with quote

Cheers Steve Wink
_________________
1
Back to top
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger
DennisN
Tired Old Man
Tired Old Man


Joined: Feb 27, 2006
Posts: 14902
Location: Keynsham

PostPosted: Thu Nov 21, 2013 8:48 pm    Post subject: Reply with quote

At the risk of sounding exactly what I am (dumb, plonker, you name it), I saw the warning very promptly and have not done anything about it. By fortunate coincidence, I applied my new domain name and password to pgpsw at a time when I had the brilliant idea of using different email addresses for everybody so that I could tell when one (or one group) of my relatives or friends had been hacked and was trying to send me nasties. Trouble was, I never did remember who I had for which of the 17 addresses!! Plus which, one of my relatives decided to inform everybody on her address book of my new email address which was exclusively for her, and all her contacts were covered by 15 different ones! But at least I know I didn't use my pgpsw email address for many other places.

Reading this thread has persuaded me that perhaps I should. So.... it seems that 1password is worth using, so I looked at the link and all I got was that it costs $49 and is wonderful. The cost is nothing if it can save me the hassle of passwords, but how the hell do I use it?

Can somebody please give me a rundown on how to use it - I have iMac, two MacBook Pros, iPhone and iPad (and a crappy old Win laptop) and I'm damnned if I have the faintest idea how to sync them all - sometimes they seem to do it, sometimes they don't and I never know how or which (except of course the Win laptop which doesn't do anything except take hours to boot up and run, so I don't). How do I get 1password to work for everything please? If you tell me all I need do is buy the thing and it'll do the business for me, fine. But I have a sneaking feeling I have to buy it, install it on all my devices, then go to every site I belong to and so on and so forth for a long time? Which, given my inbuilt ability to cockup many things, makes me shudder. Incidentally, would this thing work for my online banking - that has my unique ID, a pin number and password - it asks for numbers from my pin for every login and letters from my password too (e.g. pin 3 4 2 1 and password 2 4 6 8).
_________________
Dennis

If it tastes good - it's fattening.

Two of them are obesiting!!
Back to top
View user's profile Send private message
PaulMoore2013
Occasional Visitor


Joined: Nov 06, 2013
Posts: 12
Location: 1

PostPosted: Thu Nov 21, 2013 11:23 pm    Post subject: Reply with quote

Hello Dennis

I'm presuming you mean this link?: http://ramblingrant.co.uk/2013/07/16/1password-forgot-your-password-youre-doing-it-wrong/

The setup process is daunting... and there's no viable way to simplify it. It is however, well worth the effort.

TL;DR - Think of a strong master password, buy and install 1Password and go round every site you use to change the password to something stronger. Job done.

Basic steps are...

1. Think of a long, strong master password. The longer and stronger, the better. Mine is over 50 chars, but that's extreme and probably not recommended (if you forget it, you're in serious trouble). Wait a few days... try to remember it. Now give it a week... if you can still remember it, you're probably safe. Sounds daft but trust me, picking a secure master password is crucial.
2. Buy 1Password for your devices (note iOS and Windows are purchased separately)
3. Decide on your method of storage. On the device only, a file on a USB stick, DropBox/cloud sync etc
4. Install 1Password and any appropriate additions (Dropbox for example)
5. Install free 1Password browser plugins.

#6 can be done in two ways...

Make a list of every site you use (favourites/bookmarks etc) and visit them all, changing the passwords as you go (recommended). You'll quickly learn which sites take security seriously during this step. If passwords are stored securely, there is never, ever a reason to restrict length or which characters you can use.

or...

As and when you next login to a site, click "Save" when prompted by 1Password. Then, regularly open the 1Password application and view the strength bar of your password. If it's low, go back and change it.

From this point on... the next time you need to login anywhere, just hit CTRL + \ (Windows) or Control/Cloverleaf Key + \ (Mac) and you're done.

Syncing...

With Dropbox, your data is seamlessly and almost instantly uploaded. Depending on the speed of your connection & app configuration, subsequent downloads of those updates to your other devices can take anywhere from 10 seconds to a minute. Desktop applications & associated plugins update automatically. On mobile devices (certainly where Android is concerned, not sure about iPhone) it's a manual process. Go into settings and hit "Sync". It will connect to Dropbox, download a copy of your keychain and update 1Password. If you're 3G, it will be slow to update... taking several minutes. HSDPA/7.2Mbps connections will be similar to that of a normal connection (30 seconds to a minute).

Banking...

I use Halifax. The first screen (username & password) are handled by 1Password. The next page requires random chars from a memorable word, as you described. 1Password doesn't handle these natively, as it can only determine field names... not their respective values. However, I use the secure notes feature to store this information for quick reference. It's subjected to the same encryption as normal usernames/passwords, so it's no more/less secure than the rest of the application.

Last quick point relates to memorable information. Many sites (even supposedly secure ones) ask for mothers maiden name, first pet's name, DOB or similar. Never enter real information here... they are inherently insecure. Instead, generate a random password as you would any other password field... and store it in 1Password.

Consider this...

Your bank asks you for your mothers maiden name and DOB in order to reset your password, should you ever forget your ultra secure password. You then register with a seemingly innocuous-looking forum to chat about the latest GPS update... which also asks for your mother's maiden name and DOB. Hackers look for common denominators in data... and email addresses and answers to personal questions are a goldmine. If you've used the same email address with your bank and the forum (which is likely), they now have anything necessary to gain access to your account. The Halifax refer to it as a "memorable word" rather than anything specific like "first pet's name", so it's marginally safer... but not much.

I'm yet to come across anything which 1Password can't accommodate in some form or another. I'm led to believe the Apple version v4 is a huge leap forward compared to v3 on Windows, so they may well have addressed a lot of what I've mentioned.
_________________
1
Back to top
View user's profile Send private message Send e-mail AIM Address Yahoo Messenger MSN Messenger







Posted: Today    Post subject: Pocket GPS Advertising

Back to top
Display posts from previous:   
Post new topic   Reply to topic    Pocket GPS World Forum Index -> News And Latest Information All times are GMT + 1 Hour
Goto page Previous  1, 2, 3, 4  Next
Page 3 of 4

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Make a Donation



CamerAlert Database

Click here for the PocketGPSWorld.com Speed Camera Database

Download Speed Camera Database
22.123 (18 Dec 24)



WORLDWIDE SPEED CAMERA SPOTTERS WANTED!

Click here to submit camera positions to the PocketGPSWorld.com Speed Camera Database


12mth Subscriber memberships awarded every week for verified new camera reports!

Submit Speed Camera Locations Now


CamerAlert Apps



iOS QR Code






Android QR Code







© Terms & Privacy


GPS Shopping