VADM Kor
Science - Vice Admiral

Joined: 18 Aug 2008
Posts: 615

re: Check out this article from Massively

The author's Fleet was literally destroyed because of a security breach. Food for thought.

http://massively.joystiq.com/2013/04/08/captains-log-the-day-my-star-trek-online-fleet-died/
Morgan Shackelford
sparrow794
Tactical - Vice Admiral

Joined: 17 Jan 2010
Posts: 3119

This should be required reading for command staff. I might also suggest the 7th reach out to Caspian Rising and see if they could use any further assistance.

I think for the most part we safeguard our assets well; permissions are fairly limited and we do a good job of keeping the roster clean.


_________________
CAPT Huckabee
Tactical - Captain

Joined: 28 Jun 2011
Posts: 2179

Ouch. I'm thankful that we have the measures we do in place.


_________________
Ryo Himura

Joined: 26 Jul 2010
Posts:

sparrow794 wrote:
This should be required reading for command staff. I might also suggest the 7th reach out to Caspian Rising and see if they could use any further assistance.

I think for the most part we safeguard our assets well; permissions are fairly limited and we do a good job of keeping the roster clean.


I agree that the 7th should send relief supplies to CR. Of course, I'll help out as well whenever time permits, no matter how scarce it seems to be lately.
Edward Hau

Joined: 10 Dec 2009
Posts:

Indeed, send the ambassador out and see what we can do to help... envy


_________________
VADM JT Kerry
VADM JT Kerry
Engineering - Vice Admiral

Joined: 18 Jan 2010
Posts: 1250

Commodore, thanks for the link, and as Shack said, it should be required reading.

I appreciate my rank, and see it as more or less going with the position, but, if Command said I'm a Captain tomorrow, I wouldn't stop doing the job of trying to keep us all in game and playing. Rank and position weren't the reason for doing what I was and am doing.

I offered my services and years of tech experience as a way of giving something to the group. I can't imagine playing with any other fleet or group - I see all of you as friends; friends that I would miss if you all were to suddenly disappear.

I agree with Shack, we probably are fairly well safeguarded under the present system and by the structure of our fleet, but Cryptic could generally improve the fleet module of the game by maybe introducing a Self-Destruct Sequence that could only be initiated through a number of Verified members for a fleet. What happened here shouldn't be possible. One individual shut them down.

I think Shack's idea of reaching out to Caspian Rising to see if they still need assistance is a good one. We should try to do this sooner rather than later.


_________________
 


VADM JT Kerry, USS Astoria, "Lucky" 7th Fleet, Starfleet Command, UFP

Jason32
Science - Vice Admiral

Joined: 16 Apr 2011
Posts: 1136

I am highly tempted to write a detailed post because I want our fleet members to know we have restrictions in place to protect the time, effort and money you all have invested in the 7th Fleet. Also, to provide you with some transparency and security that we have taken steps to protect the assets of the Fleet. However, I do not want to post, in this publicly accessible forum, what our actual security measures are. Feel free to ask in vent at any time. I would be glad to give you a rundown.

Suffice to say, there are only 3 people within the fleet that are fleet leaders in-game, and I am fairly certain you know who those people are (if not, ask me sometime).

I routinely change my passwords (and I work for the government, so my basis for passwords is 16 characters, 2 upper, 2 lower, 2 special, 2 numbers with no common names in them). I highly suggest you all do the same and not only on your STO accounts, but your email, banking and other, more important, accounts.

I protect networks and do other IT stuff for a living...take it from a guy on the cyber front lines, there are thousands of lazy bastards out there that would love to steal your entire life, not just a video game. Take steps to protect yourselves and your family.


_________________
Elthiar
Engineering - Captain

Joined: 03 Feb 2013
Posts: 80

I only started playing STO last November and am still incredibly new to the 7th, but I believe I would be physically ill if something like that happened to us.
VADM JT Kerry
VADM JT Kerry
Engineering - Vice Admiral

Joined: 18 Jan 2010
Posts: 1250

Jason is right in what he is saying. Although a 16 character password is cumbersome, with all the variation in it, it is the safest. You should also have more than one between accounts. I rotate a number of them and do my best to keep track of which I use where. Another thing that should be changed at least quarterly are those 4 digit PINs especially for your bank accounts/debit cards.


_________________
 


VADM JT Kerry, USS Astoria, "Lucky" 7th Fleet, Starfleet Command, UFP

T-Jericho

Joined: 12 Mar 2013
Posts:

While I certainly respect the rules of 7th Fleet and will comply with them, "strong passwords" are not the answer nor were they the downfall of Caspian Rising. When accounts are truly hacked, it is often the result of key logging malware, not cumbersome brute force hacking. Here's a section of an article on computer security which relates to this:

Myth #1: Complex passwords provide the best security

Many organizations have long lists of rules governing the content of passwords: they must be a certain minimum length, must not contain words found in various dictionaries, must contain non-alphanumeric characters, etc. The myth of the complex password stems from the need to thwart "exhaustive search" password cracking, in which every possible password is attempted until the correct one is found (also known as the "brute force" approach). By making the password as long and complex as possible, the time necessary to execute an exhaustive search is made prohibitive.

Yet exhaustive search attacks continue to succeed regularly. Rapid advancement in computing power and failure of many organizations to adequately monitor for failed login attempts erodes the value of the password as a single line of defense.

Complex passwords have an additional weakness: because they are difficult to remember, their owners are more likely to write them down. This substantially increases the risk of unauthorized password use. Another price to be paid is the expense of generating suitable passwords, enforcing the password rules, and supporting users who have forgotten their password. Furthermore, users develop a disdain toward a system that imposes so many rules and regulations, and that they perceive as a burden and difficult to use.

Designers of access control systems should take a lesson from the banking industry. Automated Teller Machine (ATM) cards are able to use simple 4-digit numeric passwords (known as PINs) because ATMs will disable a particular card if an incorrect PIN is given three times in succession. A computer access control system could perform a similar function. If an account registers three successive failed login attempts, the system should automatically lock out that account. To prevent denial-of-service attacks that would lock out legitimate users, the system should automatically remove the lock-out after some period of time, such as 15 minutes. Thus the temporary lock-out would be of only a minor inconvenience to a forgetful or sloppy-typing user, but enough to make exhaustive search attacks impractical. Thus a system of simple, easy-to-remember passwords combined with temporary lockouts would be able to defend against exhaustive search attacks, while at the same time eliminating the cost and usability problems of complex passwords.

Myth #2: Mandatory password changes improve security

A frequent companion to the rules governing password content is a rule requiring mandatory password changes. Some organizations even specify minimum password ages (to prevent users from immediately switching back to the previous password), password histories to prevent re-use of passwords, and minimum number of characters to change to assure that a new password is "different enough" from a previous one. All of these elaborate rules conspire to prevent mere mortal humans from accessing the systems they need, while driving up administrative and support costs for implementing and enforcing the rules.

The desire for mandatory password changes stems from the belief that passwords "leak out" over time. But mandatory password changes address only a symptom, not the underlying cause of these leaks. Eliminating account sharing, prompt account closing when users depart, regular auditing of all accounts, and educating users not to divulge passwords under any circumstances would be far more effective for addressing the source of the leaks.


_________________
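
The temporary lock-out policy from the article quoted in the post above (three successive failed logins, lock removed after 15 minutes), as an added Python example that is not part of the thread or of the quoted article. `LockoutGuard`, `days_to_exhaust`, the account name and the PIN are constructed for illustration.

```python
import hmac
import math
import time

MAX_FAILURES = 3            # quoted article: three successive failed attempts
LOCKOUT_SECONDS = 15 * 60   # quoted article: lock removed after about 15 minutes


class LockoutGuard:
    """Per-account counter of successive failures with a temporary lock."""

    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify        # callable(account, secret) -> bool
        self._clock = clock          # injectable so the demo needs no sleeping
        self._failures = {}          # account -> successive failed attempts
        self._locked_until = {}      # account -> time the lock expires

    def login(self, account, secret):
        now = self._clock()
        if account in self._locked_until:
            if now < self._locked_until[account]:
                return "locked"      # rejected before the secret is even checked
            del self._locked_until[account]   # lock expired: start a fresh count
            self._failures[account] = 0
        if self._verify(account, secret):
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
        return "denied"


def days_to_exhaust(keyspace):
    """Worst-case days to try every secret at MAX_FAILURES guesses per lock."""
    waits = math.ceil(keyspace / MAX_FAILURES) - 1
    return waits * LOCKOUT_SECONDS / 86400


def demo():
    """Constructed scenario: account 'alice' with PIN 4821 and a fake clock."""
    pins = {"alice": "4821"}         # constructed sample data, not real credentials
    now = [0.0]
    guard = LockoutGuard(
        lambda a, s: hmac.compare_digest(pins.get(a, ""), s), clock=lambda: now[0])
    out = [guard.login("alice", g) for g in ("0000", "0001", "0002", "4821")]
    now[0] += LOCKOUT_SECONDS        # advance the fake clock past the lock window
    out.append(guard.login("alice", "4821"))
    return out
```

`demo()` shows the correct PIN being refused while the lock is active and accepted once it expires, and `days_to_exhaust(10_000)` gives roughly 34.7 days to enumerate a 4-digit PIN space against one account under this policy. The lock only limits online guessing; it does nothing against a key logger or a shared password.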
Jason32
Science - Vice Admiral

Joined: 16 Apr 2011
Posts: 1136

Sir,

You are correct, passwords were not the issue this fleet had. It was sharing those passwords that caused the issue. However, the event did bring up the need to remind everyone of good cyber security steps each of us should take to protect ourselves and our families.

While I do agree with some of your arguments, I wholeheartedly disagree with your premise that complex passwords do not work. It has been proven time and time again that complex passwords are far superior to simple passwords. I can crack a user's password called "password1" in about 35 seconds with John the Ripper. However, a user with a password of "64f8e%q7tP5wbmq" is impossible to crack with today's technologies. I am sure there will be a point in the future when there will be freeware tools that can crack sophisticated passwords, but not today. All of the major security organizations, ISC(2), EC-Council, DHS, DoD, and many others, all recommend using strong passwords if 2 or 3 factor authentication is not possible. DoD moved away from passwords because people were having a hard time remembering them, so we use tokens, called Common Access Cards, for logging into unclassified machines. However, most of us do not possess that ability at home today, so complex passwords are the best security most of us can achieve at home. Bottom line = if your password for your accounts is "password1", do yourself a favor and change it to something more complex.

If you are having trouble remembering all your complex passwords, I suggest a tool like LastPass. It allows you to store all your passwords and access them with a complex master password. It uses AES encryption for all your password traffic and I have found it to be invaluable. It is free and easy to use.

https://lastpass.com/


_________________