Security question re password resets and Spectre

Security question re password resets and Spectre

Denny Vrandečić-2
I often get emails that someone is trying to get into my accounts. I guess
there are just some trolls, trying to login into my Wikipedia account. So
far, these have been unsuccessful.

Now I got an email that someone asked for a temporary password for my
account.

So far so good. What I am wondering is whether that password reset trial is
actually even more dangerous now given Spectre / Meltdown?

Thoughts?

(I probably should set up 2FA right now. Have been too lazy so far)

Happy new year,
Denny
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: Security question re password resets and Spectre

Brian Wolff
No, Spectre/Meltdown wouldn't apply to that situation.

The Meltdown/Spectre vulnerabilities are all about computer programs having
access to data they should not. In order to exploit them, the attacker must be
able to run computer programs on the victim's computer.

--
brian

On Thursday, January 4, 2018, Denny Vrandečić <[hidden email]> wrote:
> I often get emails that someone is trying to get into my accounts. I guess
> there are just some trolls, trying to login into my Wikipedia account. So
> far, these have been unsuccessful.
>
> Now I got an email that someone asked for a temporary password for my
> account.
>
> So far so good. What I am wondering is whether that password reset trial is
> actually even more dangerous now given Spectre / Meltdown?
>
> Thoughts?
>
> (I probably should set up 2FA right now. Have been too lazy so far)
>
> Happy new year,
> Denny

Re: Security question re password resets and Spectre

Stas Malyshev
In reply to this post by Denny Vrandečić-2
Hi!

> So far so good. What I am wondering is whether that password reset trial is
> actually even more dangerous now given Spectre / Meltdown?

I think for those you need local code execution access? In which case,
if somebody gained one on MW servers, they could just change your
password I think. Spectre/Meltdown from what I read are local privilege
escalation attacks (local user -> root or local user -> another local
user) but I haven't heard anything about crossing the server access barrier.

> (I probably should set up 2FA right now. Have been too lazy so far)

Might be a good idea anyway :)

--
Stas Malyshev
[hidden email]


Re: Security question re password resets and Spectre

Cyken Zeraux
Spectre can be exploited in just JavaScript.

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Browsers are making changes to mitigate this.

http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html

The actual extents of the attack that are realistically possible in this
scenario, I do not know. But as stated in the article, Google suggests:
"Where possible, prevent cookies from entering the renderer process' memory
by using the SameSite and HTTPOnly cookie attributes, and by avoiding
reading from document.cookie."

I would take that to mean that cookies could be accessed, at the least.

On Thu, Jan 4, 2018 at 12:16 PM, Stas Malyshev <[hidden email]> wrote:

> Hi!
>
> > So far so good. What I am wondering is whether that password reset trial is
> > actually even more dangerous now given Spectre / Meltdown?
>
> I think for those you need local code execution access? In which case,
> if somebody gained one on MW servers, they could just change your
> password I think. Spectre/Meltdown from what I read are local privilege
> escalation attacks (local user -> root or local user -> another local
> user) but I haven't heard anything about crossing the server access
> barrier.
>
> > (I probably should set up 2FA right now. Have been too lazy so far)
>
> Might be a good idea anyway :)
>
> --
> Stas Malyshev
> [hidden email]
>
>
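
Added example (not part of the original thread): a small audit of `Set-Cookie` response headers for the two attributes named in the advice quoted in the message above, `HttpOnly` and `SameSite`. The cookie names, values and function names are constructed for illustration and are not taken from any real site.

```javascript
// Added example; every cookie name and value here is constructed.

// Parse one Set-Cookie header value into { name, attrs }.
function parseSetCookie(header) {
  const [first, ...rest] = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = first ? first.indexOf('=') : -1;
  if (eq < 1) return null; // no "name=value" pair
  const attrs = Object.create(null);
  for (const part of rest) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flag attributes carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: first.slice(0, eq), attrs };
}

// Findings for one header; an empty array means both attributes are set.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  if (!cookie) return ['unparseable'];
  const findings = [];
  if (!('httponly' in cookie.attrs)) findings.push('missing HttpOnly');
  const sameSite = cookie.attrs.samesite;
  if (typeof sameSite !== 'string') {
    findings.push('missing SameSite');
  } else if (!['strict', 'lax'].includes(sameSite.toLowerCase())) {
    findings.push(`SameSite=${sameSite} does not restrict cross-site sends`);
  }
  return findings;
}

// Audit a list of headers and keep only the cookies with findings.
function auditAll(headers) {
  return headers
    .map((h) => ({ name: (parseSetCookie(h) || {}).name, findings: auditSetCookie(h) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample response headers (hypothetical cookie names).
const sampleHeaders = [
  'examplewikiSession=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'examplewikiToken=def456; Path=/; Secure',
  'examplewikiUserID=42; Path=/; httponly; SameSite=None; Secure',
];

console.log(auditAll(sampleHeaders));
```

The third part of the quoted advice, avoiding reads of `document.cookie`, is a property of page scripts and is not visible in response headers, so this check does not cover it.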

Re: Security question re password resets and Spectre

Denny Vrandečić-2
Ah, that sounds good. I was thinking of a scenario where someone runs code
in, say, labs, and gains access to memory while that machine generates my
temporary code to send it to me, and thus gains access to that code.

Or, alternatively, just attack my browser through a compromised site
running a JS exploit and gaining access to anything in my memory. But
that's on my side to fix (or, rather, on the browser developers).

One way or the other, I have set up 2FA for now.

Use more lynx!



On Thu, Jan 4, 2018 at 10:18 AM Cyken Zeraux <[hidden email]> wrote:

> Spectre can be exploited in just only javascript.
>
>
>
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>
> Browsers are making changes to mitigate this.
>
>
> http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html
>
> The actual extents of the attack that are realistically possible in this
> scenario, I do not know. But as stated in the article google suggests:
> "Where possible, prevent cookies from entering the renderer process' memory
> by using the SameSite and HTTPOnly cookie attributes, and by avoiding
> reading from document.cookie."
>
> I would take that to mean that cookies could be accessed, at the least.
>
> On Thu, Jan 4, 2018 at 12:16 PM, Stas Malyshev <[hidden email]>
> wrote:
>
> > Hi!
> >
> > > So far so good. What I am wondering is whether that password reset trial is
> > > actually even more dangerous now given Spectre / Meltdown?
> >
> > I think for those you need local code execution access? In which case,
> > if somebody gained one on MW servers, they could just change your
> > password I think. Spectre/Meltdown from what I read are local privilege
> > escalation attacks (local user -> root or local user -> another local
> > user) but I haven't heard anything about crossing the server access
> > barrier.
> >
> > > (I probably should set up 2FA right now. Have been too lazy so far)
> >
> > Might be a good idea anyway :)
> >
> > --
> > Stas Malyshev
> > [hidden email]
> >

Re: Security question re password resets and Spectre

Brian Wolff
Labs and production machines are separate machines. An attack on labs in
the worst case would only be able to attack other labs users.

As Cyken said, one of the very scary scenarios is JS getting access to data
it should not have access to (e.g. if you're inputting your password in one
tab and a malicious site is in a different tab). The Spectre paper has a
proof of concept they say worked to extract private memory against (a now
outdated) version of Google Chrome.

All this is to say, you should update your browser ASAP or ensure that
autoupdates are enabled. Similarly for your OS as updates become
available.

--
bawolff


On Thursday, January 4, 2018, Denny Vrandečić <[hidden email]> wrote:

> Ah, that sounds good. I was thinking of a scenario where someone runs code
> in, say labs, and gains access to memory while that machine generates my
> temporary code to send it to me, and thus gains access to that code.
>
> Or, alternatively, just attack my browser through a compromised site
> running a JS exploit and gaining access to anything in my memory. But
> that's on my side to fix (or, rather, on the browser developers).
>
> One way or the other, I have set up 2FA for now.
>
> Use more lynx!
>
>
>
> On Thu, Jan 4, 2018 at 10:18 AM Cyken Zeraux <[hidden email]> wrote:
>
>> Spectre can be exploited in just only javascript.
>>
>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>>
>> Browsers are making changes to mitigate this.
>>
>> http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html
>>
>> The actual extents of the attack that are realistically possible in this
>> scenario, I do not know. But as stated in the article google suggests:
>> "Where possible, prevent cookies from entering the renderer process' memory
>> by using the SameSite and HTTPOnly cookie attributes, and by avoiding
>> reading from document.cookie."
>>
>> I would take that to mean that cookies could be accessed, at the least.
>>
>> On Thu, Jan 4, 2018 at 12:16 PM, Stas Malyshev <[hidden email]>
>> wrote:
>>
>> > Hi!
>> >
>> > > So far so good. What I am wondering is whether that password reset trial is
>> > > actually even more dangerous now given Spectre / Meltdown?
>> >
>> > I think for those you need local code execution access? In which case,
>> > if somebody gained one on MW servers, they could just change your
>> > password I think. Spectre/Meltdown from what I read are local privilege
>> > escalation attacks (local user -> root or local user -> another local
>> > user) but I haven't heard anything about crossing the server access
>> > barrier.
>> >
>> > > (I probably should set up 2FA right now. Have been too lazy so far)
>> >
>> > Might be a good idea anyway :)
>> >
>> > --
>> > Stas Malyshev
>> > [hidden email]
>> >

Re: Security question re password resets and Spectre

Gergo Tisza
In reply to this post by Denny Vrandečić-2
On Thu, Jan 4, 2018 at 9:29 AM, Denny Vrandečić <[hidden email]> wrote:

> I often get emails that someone is trying to get into my accounts. I guess
> there are just some trolls, trying to login into my Wikipedia account. So
> far, these have been unsuccessful.
>
> Now I got an email that someone asked for a temporary password for my
> account.
>

User:Denny is generic enough that people might be using it on other sites
and getting confused about their Wikimedia user name. I wouldn't be too
worried.
(That, or they already hacked your email account and are now using that to
take over your wiki account :)

Re: Security question re password resets and Spectre

Dan Bolser-3
In reply to this post by Denny Vrandečić-2
My favorite solution to the password problem is BitAuth2017. I believe
that Spectre / Meltdown can't beat PoW, but I'm not 100% sure of the
details.

On 4 January 2018 at 17:29, Denny Vrandečić <[hidden email]> wrote:

> I often get emails that someone is trying to get into my accounts. I guess
> there are just some trolls, trying to login into my Wikipedia account. So
> far, these have been unsuccessful.
>
> Now I got an email that someone asked for a temporary password for my
> account.
>
> So far so good. What I am wondering is whether that password reset trial is
> actually even more dangerous now given Spectre / Meltdown?
>
> Thoughts?
>
> (I probably should set up 2FA right now. Have been too lazy so far)
>
> Happy new year,
> Denny

Re: Security question re password resets and Spectre

Brian Wolff
[This is kind of getting far afield of MediaWiki, but...] Spectre can
potentially be used to read your private (bitcoin) keys, so BitAuth is just
as vulnerable to it as anything else (assuming keys on your computer and
not some hardware token setup). The only benefit I see is that BitAuth
would probably happen in a separate process and the cross-process variants
of Spectre look more difficult to pull off.

As far as different/exotic authentication technologies go, I think U2F
would be the way to go. But it's all pretty irrelevant to this attack as if
you had an unpatched browser and someone did this attack against you, they
would probably target your session cookie. (Assuming it's available in the
process. I don't know enough about different browser architectures to say if
that's always true)

--
bawolff

On Friday, January 5, 2018, Dan Bolser <[hidden email]> wrote:
> My favorite solution to the password problem is BitAuth2017. I believe
> that Spectre / Meltdown can't beat PoW, but I'm not 100% sure of the
> details.
>
> On 4 January 2018 at 17:29, Denny Vrandečić <[hidden email]> wrote:
>
>> I often get emails that someone is trying to get into my accounts. I guess
>> there are just some trolls, trying to login into my Wikipedia account. So
>> far, these have been unsuccessful.
>>
>> Now I got an email that someone asked for a temporary password for my
>> account.
>>
>> So far so good. What I am wondering is whether that password reset trial is
>> actually even more dangerous now given Spectre / Meltdown?
>>
>> Thoughts?
>>
>> (I probably should set up 2FA right now. Have been too lazy so far)
>>
>> Happy new year,
>> Denny