Recent Account hijacking activities


Recent Account hijacking activities

John Bennett
On 8 May 2018, account hijacking activities were discovered on Wikiviajes
- Spanish Wikivoyage (es.wikivoyage.org). It was identified by community
stewards and communicated to the Trust and Safety, Legal, and Security teams
who responded to the event. At this time the event is still under
investigation and we are unable to share more about what is being done
without risking additional hijacking of accounts. However, we feel it is
important to share what details we can and inform the community of what
happened. Similar to past security incidents, we continue to encourage
everyone to take some routine steps to maintain a secure computer and
account - including regularly changing your passwords, actively running
antivirus software on your systems, and keeping your system software up to
date. The Wikimedia Foundation's Security team and others are investigating
this incident as well as potential improvements to prevent future incidents.
We are also working with our colleagues in other departments to develop
plans for how to best share future status updates on each of these
incidents. However, we are currently focused on resolving the issues
identified. If you have any questions, please contact the Trust and Safety
team (ca{{@}}wikimedia.org).

John Bennett
Director of Security, Wikimedia Foundation
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: Recent Account hijacking activities

Leon Ziemba
I'm no security expert, so bear with me! Just looking for some
clarification.

> regularly changing your passwords

It was my understanding studies have shown regularly changing passwords can
be adverse, no? [1][2] Not sure if we have a stance on that, because this
is the first time I've heard it come up.

I don't know if this is relevant to this particular incident of account
hijacking, but I've also been told it's important to ensure your password
is unique to Wikimedia, and to turn on two-factor authentication, if
possible and you are willing to do so. [3][4]

[1] https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
[2] https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
[3] https://meta.wikimedia.org/wiki/Password_strength_requirements/en#So_that's_it,_my_account_is_secure?
[4] https://office.wikimedia.org/wiki/Security_Basics#Passwords (staff only)

~Leon

On Wed, May 16, 2018 at 8:10 AM John Bennett <[hidden email]> wrote:

Re: Recent Account hijacking activities

Brian Wolff
Forcing people to change passwords regularly does tend to reduce overall
password security because people tend to get very tired of the process and
will start to pick really poor passwords. That doesn't mean you should
never change your password - changing your password from time to time, as
long as it's a strong password that you do not use anywhere else - does
improve your security. That said, in terms of user security, the most
important factor is not using the same password on multiple websites. After
that comes using a strong password (for example using a password manager
so your password is randomly generated). Then comes 2FA if available for
your account. I would rank changing your password from time to time a
distant fourth - still a good idea - but the first two things are much more
important in my mind.

(I can't comment on ongoing investigations so this should only be taken as
a comment about general password security and not about this particular
incident)
--
Brian
Wikimedia Security Team

On Wednesday, May 16, 2018, Leon Ziemba <[hidden email]> wrote: