We have arrived at a workable compromise:
Good Afternoon Mel & Tom,
Thank you for your email. See answers below.
· The hacker created an account and uploaded a file to the OJS server.
· Matt Rose, NY State Police Department, Intelligence Analyst, Cyber Analysis Unit reached out to us and told us that our site was compromised.
· We engaged our Cyber Security Group and also had a conference call with Matt Rose from NY State Police Department. They recommended that we immediately disable registrations to both sites. Their recommendations were as follows:
o Remove inactive and suspicious accounts that are registered on the website.
o Prevent the creation of accounts without approval by an administrator.
o Creation of a process by which requests to create an account are reviewed and approved by an administrator.
Changes made to the 2 sites
After researching, Googling, spending time on forums, we have made the following changes:
Re-enabled “Register” link on both OJS instances.
Users can only register as a “Reader”.
To change a registered user’s access to author, you can simply log in and change them from “Reader” to “Author”. This will allow the user to upload files.
Please only change a user to “Author” once you have verified their identity and are sure that the user is a legitimate user.
Doing the above will allow new users to register, at the same time keeping the sites secure (as Authors will only be granted permission by Mel and Tom). This should also satisfy the recommendation by the Cyber Security Team.