The Chinese Posting Attack

My apologies to all OGR Forum members for the trouble that
was caused on May 18, 2017 with the Chinese poster attack.



On May 18, 2017, this site was subjected to a series of automated posts made by 6 Chinese "members." I also understand that many of you also got emails related to these posts.

We have taken steps to eliminate the potential for this to ever happen again.

  1. Two-Factor Authentication
    We have initiated the Two-Factor Authentication (2FA) process on this forum. 2FA provides an extra layer of security by allowing you to associate a mobile device with your account.

    If you choose to enable 2FA on your account, you will need to have your mobile device in your possession to sign in. Sign ins are verified through the Google Authenticator App, which presents time-based, verifiable security codes. The Google Authenticator App is available for iOS and Android.

  2. New Member Review
    From now on, someone on the OGR staff will review each new membership application to this forum. A new member will not be able to post anything until we look at the member's profile to make sure it is complete and legitimate. Spammers rarely put accurate name and address information in their applications. Such was the case on the 18th when all of the spammers involved had bogus information in their name and address fields. If we had been manually reviewing and approving new members, they would not have been approved in the first place.

Again, my apologies to those of you that were inconvenienced by this attack. We will do everything we can to make sure it never happens again.

Original Post

I did not see any of this or suffer any ill affects. It DOES make me thankful I am no longer a IT Senior System Analyst!!  Even though I today myself do not often deal with it....I see it everyday. My buddy in So Cal got a bug on his PC I have been trying to fix for a week, long distance.  And now my friends at OGR have to spend time and money fighting and fixing destructive behavior by faceless idiots.  This will only get worse as we depend more and more on  the web. My only wish is that someday I get to see these people get what they deserve. 

OGR staff....thanks for all you do. 

____________________________

Read about my Amtrak travel in words and pics www.currtail.com

20,000 miles by Rail!

Rich thanks for the quick action this morning. I discovered it at 600 am on my phone. I was smart enough not to open but posted warning on the face book .   Only damage done for me was the Yahoo app would not delete them from the Trash folder. and had to uninstall app. I had the same issue last weekend with that App but since I never look into my spam folder and just delete anything in it I will never know what was in my spam folder and my security system would not let me reload the app until Tuesday night. Lap top before I opened any of my emails I made sure all updates and patches were installed and insured I had the latest security updates from Norton before I went to Face book and then to yahoo where I deleted everything in my spam folder and then all that arrived after 100 am in my inbox. about 1500 emails in al,l over 1400 from those six or 7... So why am I posting this.  Rich and other companies are doing their best but it is a two way street. We have to do our part too.

Don't open anything in your spam folder. 

Don't open any attachment from unknown sources. 

If you don't recognize the sender delete and don't open.

Delete any emails that don't have a subject line.

If it dont have .com, .org, .gov stay away and do not open.

The bluf is use common sense.   That helps us and Rich keeping this forum safe.

US Army retired

HAZMAT SME(RID,DOD,IATA,ADR,CFR 49) 

 

StPaul posted:

so there is no place in our profile to enable a 2 step verification am I correct?

and that we download a google app to phone instead to accomplish this? or did I miss something in reading your post Rich?

thanks for clarity on this

StPaul, since we just implemented 2FA, I am climbing a learning curve here, just as you are. I am checking with Hoopla Tech Support for the answers to your questions.

Rich,

It is much appreciated how quickly and well you and the OGR team have responded.  The web is a constantly evolving landscape, barriers are put up, the illegitimate find new ways around them.  We all do what we can, it's the nature of the beast, take the good with the bad.   The internet is like the weather, never get comfortable with it, appreciate it for the good it brings, never fully trust it and never turn your back on it.

 

TexasSP posted:

Rich,

 The internet is like the weather, never get comfortable with it, appreciate it for the good it brings, never fully trust it and never turn your back on it.

 

That is truly sage advice. There is NOTHING that is 100% secure in the digital world. It is important that everyone who embarks on the digital journey into cyberspace understand and fully accept that.

Rich,

I'm very sorry you had to deal with this, but such is today's world, I guess. The OGR Forum is a tremendous resource and source of knowledge and entertainment for a large modeling community. You have my respect and are to be commended for what you do.

MELGAR

Thanks for dealing with this and for the ongoing vigilance. I know that new-member screening is a real pain. The effort is appreciated. 

I do have one question:

Does the new authentication scheme finally eliminate your previous policy of storing (and sometimes emailing) unencrypted user passwords? I know you got angry at me last time I brought this up (a number of years ago) and I do not desire to reopen old wounds, but I am only trying to be helpful and to assess whether I still have to treat the forum as a special case WRT password management. Please do not take offense at the question, but this is important information.

Thanks again.

--pete

 

 

My heart is warm with the friends I make, 

And better friends I'll not be knowing;

Yet there isn't a train I wouldn't take,

No matter where it's going.

                        Edna St. Vincent Millay

 

Rich: Thanks and a job Well Done. Any time I sign into my iCloud account or any of my Apple devices I also have the 2FA and folks it is a piece of cake. The trick is don't sign out and you won't have to deal with it. Making this Forum your Home Page also helps.

Rick

PRRT&HS

"Riding that carpet made of steel"

 "This trains got the disappearing railroad blues

 

 

 

I got several. Things like this do happen in both home and business environment. I immediately delete these emails and all members should never ...I stress never ....should open any emails that look suspicious...most came in to my inbox at around 5:00 AM EST...Looks like the problem has been  solved for now...but I have seen these things come back again in a day or two....TY Rich for addressing this with the changes that have been made...Unfortunately we can never know what might come next... 

Member of TCA

Railway and Locomotive Historical Society

Model RR Club Inc.

New York Central System Historical Society

Kind of puts OGR right in the trend of the news, doesn't it?! Maybe a CNN headline, "Rich Melvin beats back Chinese Hackers". Well, look on the bright side, at least the Russians are off the hook. I think they LIKE trains.

TCA - 10 - 64769

Active Ferroequinologist

Collector of 40' scale boxcars

Collector of NYC steam in all gauges

Yes, my I-Pad was showing Chinese/Korean writing in Listings and I thought it was do to my Computer set up to write either English or Korean, my wife being Korean. I tried to re-boot my system to no avail so this thread really surprised me. I am not good with this neat technology...Thank You Rich and the OGR STAFF for fixing this issue. You all are the Best...IMG_2221IMG_8262

Attachments

Photos (2)

Pete wrote:

Does the new authentication scheme finally eliminate your previous policy of storing (and sometimes emailing) unencrypted user passwords?

According to my profile page:

Your account information is always private. No one, not even site admins, can view your password. Admins can view your email address, however.

My question: Is using the Google two step authentication package going to be required or optional?

C.W. Burfle

I thought it was compliments from Chinese members, directed towards Barry on the occasion of his book release, and asking when the translation would be available.

"2FA provides an extra layer of security by allowing you to associate a mobile device with your account.  If you choose to enable 2FA on your account, you will need to have your mobile device in your possession to sign in."

If I understand the above, if I want to be able to access the Forum from a mobile device, then when trying to access it from my home computer I have to have the mobile device handy.  Is that correct?

RJR posted:

"2FA provides an extra layer of security by allowing you to associate a mobile device with your account.  If you choose to enable 2FA on your account, you will need to have your mobile device in your possession to sign in."

If I understand the above, if I want to be able to access the Forum from a mobile device, then when trying to access it from my home computer I have to have the mobile device handy.  Is that correct?

Yes...IF you choose to implement 2FA on your account. It is not required; it's optional and up to you.

The hidden message for me reading this thread is: Thank goodness that I'm not a morning person!  :-). Rich and the folks at OGR had it all under control by the time I logged in.  

But seriously, I'm sorry about the hassle for those who did have problems, and job well done OGR.  It's an important reminder to be vigilant as others have written.

TRRR



OGR Publishing, Inc.
33 Sheridan Road, Poland, OH 44514
330-757-3020

www.ogaugerr.com
×
×
×
×
×