Fwd: [Wikitech-l] Update on WMF account compromises

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Fwd: [Wikitech-l] Update on WMF account compromises

David Gerard-2
For those of you with admin powers who don't read wikimedia-l or wikitech-l
- please switch on two-factor authentication, it's important.

I also wrote a blog post:
http://davidgerard.co.uk/notes/2016/11/12/two-factor-authentication-on-wikipedia-for-admins-and-up/

Remember when we got Tubgirl in the site notice in 2007? This is like that
except more so.


- d.




---------- Forwarded message ----------
From: Tim Starling <[hidden email]>
Date: 16 November 2016 at 09:57
Subject: [Wikitech-l] Update on WMF account compromises
To: [hidden email]
Cc: [hidden email]


Since Friday, we've had a slow but steady stream of admin account
compromises on WMF projects. The hacker group OurMine has taken credit
for these compromises.

We're fairly sure now that their mode of operation involves searching
for target admins in previous user/password dumps published by other
hackers, such as the 2013 Adobe hack. They're not doing an online
brute force attack against WMF. For each target, they try one or two
passwords, and if those don't work, they go on to the next target.
Their success rate is maybe 10%.

When they compromise an account, they usually do a main page
defacement or similar, get blocked, and then move on to the next target.

Today, they compromised the account of a www.mediawiki.org admin, did
a main page defacement there, and then (presumably) used the same
password to log in to Gerrit. They took a screenshot, sent it to us,
but took no other action.

So, I don't think they are truly malicious -- I think they are doing
it for fun, fame, perhaps also for their stated goal of bringing
attention to poor password security.

Indications are that they are familiarising themselves with MediaWiki
and with our community. They probably plan on continuing to do this
for some time.

We're doing what we can to slow them down, but admins and other users
with privileged access also need to take some responsibility for the
security of their accounts. Specifically:

* If you're an admin, please enable two-factor authentication.
<https://meta.wikimedia.org/wiki/H:2FA>
* Please change your password, if you haven't already changed it in
the last week. Use a new password that is not used on any other site.
* Please do not share passwords across different WMF services, for
example, between the wikis and Gerrit.

(Cross-posted to wikitech-l and wikimedia-l, please copy/link
elsewhere as appropriate.)

-- Tim Starling


_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
WikiEN-l mailing list
[hidden email]
To unsubscribe from this mailing list, visit:
https://lists.wikimedia.org/mailman/listinfo/wikien-l
Loading...