Update on WMF account compromises


Re: Update on WMF account compromises

Stas Malyshev
Hi!

> By using an online testing tool, you are effectively breaking the very
> first rule:
>
>  DO NOT GIVE OUT YOUR PASSWORD.  EVER.

That's why I suggested having an internal bot that would use the same
techniques intruders use to test passwords (without knowing them),
instead of having people send their passwords to an unknown site and trust
them not to do anything wrong with it :)

--
Stas Malyshev
[hidden email]

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: Update on WMF account compromises

Vi to
In reply to this post by Chad
So are you telling me that the "test if your credit card was cloned" tool is a
fraud? But its test included my CVV2 too! :p

Vito

2016-11-17 9:33 GMT+01:00 Chad <[hidden email]>:

> On Thu, Nov 17, 2016 at 12:18 AM Antoine Musso <[hidden email]> wrote:
>
> > On 16/11/2016 at 19:19, Pine W wrote:
> > >
> > > (0) Consider testing your password strength with a tool like
> > > http://www.testyourpassword.com/; be sure that the tool you use does not
> > > send your chosen password over the Internet and instead tests it locally.
> >
> > By using an online testing tool, you are effectively breaking the very
> > first rule:
> >
> >  DO NOT GIVE OUT YOUR PASSWORD.  EVER.
> >
> > Using that site is exactly like sharing your password with a random
> > stranger in the world.  Even if you trusted that website, and audited
> > the code at a given point in time, you have no guarantee the site hasn't
> > changed or that it is not collecting passwords.
> >
> >
> Not to mention, it's plain-old-insecure HTTP, so of course anyone and
> their mother's uncle could be sniffing the traffic ;-)
>
> Same rule goes for a "generate a random password" site. Don't use
> them.
>
> -Chad

Re: Update on WMF account compromises

Dmitry Brant
Don't give your wallet to anyone claiming to be a Wallet Inspector.


Re: Update on WMF account compromises

Vi to
That's obvious, everybody knows only bag inspectors are allowed to inspect
wallets.

Coming back to being serious, IMHO Wikimedia should apply the "Phabricator
model" to an open-source 2FA app: collaborating on its development and making it
fit our needs perfectly.

Vito


Re: Update on WMF account compromises

Alex Monk-3
The 'phabricator model' is far from perfectly fitting our needs though:
https://secure.phabricator.com/maniphest/query/qWbzSK1NVwb0/


Re: Update on WMF account compromises

Pine W
In reply to this post by Antoine Musso-3
I'm not sure that I agree with that assessment *of password strength
testing tools* (not humans), for a couple of reasons.

0. Weak passwords are a huge problem, and may be closely related to the
weakness that the attackers are currently using to compromise Wikimedia
accounts. As far as I know, Wikimedia currently has no internal way to deal
with that problem. We *should* have a way to deal with that problem, but it
seems to me that using a tool that I recommended is the lesser of two evils
at the moment. In the long run, it would be much better if Wikimedia had an
internal tool to validate the strength of users' passwords and block
passwords that fall below a certain strength level.

1. If you don't trust that strength testing site (which is fine), choose
another. I did a couple of quick checks on that site; while it's entirely
possible that I missed something, it appeared to me that the site was not
sending passwords over the Internet, whether in the clear or encrypted. The
use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
the first place.

Do you have a better solution in mind to deal with the immediate problem of
weak passwords, besides 2FA which is not available to everyone?



Pine



Re: Update on WMF account compromises

Daniel Friesen-2
On 2016-11-17 9:28 AM, Pine W wrote:
> 1. If you don't trust that strength testing site (which is fine), choose
> another. I did a couple of quick checks on that site; while it's entirely
> possible that I missed something, it appeared to me that the site was not
> sending passwords over the Internet, whether in the clear or encrypted. The
> use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
> the first place.
Using HTTP means that a man in the middle could inject a script into
these sites that would extract any password entered into them.

~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]



Re: Update on WMF account compromises

Tyler Romeo
In reply to this post by Pine W
On Thu, Nov 17, 2016 at 12:28 PM, Pine W <[hidden email]> wrote:

> 1. If you don't trust that strength testing site (which is fine), choose
> another. I did a couple of quick checks on that site; while it's entirely
> possible that I missed something, it appeared to me that the site was not
> sending passwords over the Internet, whether in the clear or encrypted. The
> use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
> the first place.
>

Or use a password manager that has a local built-in password strength tool,
that way you don't risk being MiTMed by an HTTP site.

In general, as mentioned, you should simply not enter your password on any
website that is not the site the password belongs to. For my full-time job,
employees have a Chrome extension where, if you accidentally type your password
on any website (even if it's not in a text box), you're required to reset it.

--
Regards,

*Tyler Romeo*
0x405d34a7c86b42df
https://parent5446.nyc

Re: Update on WMF account compromises

Pine W
Good point about MITM doing script injection, which I hadn't fully
considered. I'm not sure that going to HTTPS would solve everything (e.g.
that alone wouldn't prevent the origin site from reading passwords that
someone enters into the tool, and HTTPS is not foolproof) but it would
indeed be a big step in the right direction to avoid MITM.

I wonder (looking at the WMF people in the room) how quickly could WMF
deploy a password strength checking tool to the Wikimedia sites? That won't
solve all of the problems but it would be a step in the right direction.



Pine
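Stas's "internal bot" and Pine's question about a server-side strength check both come down to testing passwords against the material the attackers already use (Tim Starling's note, quoted later in this thread, says they work from published dumps such as the 2013 Adobe one). The following is an added example, not MediaWiki or Wikimedia code, showing both halves in Python. Part 1 is a registration-time check that consults a breach corpus through a k-anonymity range query: only the first five hex characters of the password's SHA-1 leave the client, which is the scheme Have I Been Pwned's range API uses, so nobody is asked to hand a plaintext password to a third party. Part 2 is the offline audit: replay a dump against the site's own stored PBKDF2 hashes, exactly what a credential-stuffing attacker does online, but with nothing sent anywhere. The dump, the accounts and the PBKDF2 parameters are constructed for the example; MediaWiki's default password hashing is also PBKDF2 (see $wgPasswordConfig), with its own parameters.

```python
"""Password checks against breach material. Added example, not MediaWiki code.
Part 1: registration-time check via a k-anonymity range query.
Part 2: offline audit of stored hashes against a dump (the "internal bot")."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for "passwords seen in public dumps" (real dumps run to
# hundreds of millions of entries).
DUMP_PASSWORDS = ["password", "123456", "qwerty", "letmein", "adobe123",
                  "wikipedia1", "Summer2016!"]

# --- Part 1: check a candidate password without revealing it -----------------
# The corpus is kept as SHA-1 hex digests; the plaintexts above are not needed
# once this set has been built.
BREACH_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in DUMP_PASSWORDS}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix5: str) -> List[str]:
    """Server side of a k-anonymity query: given the first 5 hex characters of
    a SHA-1, return the 35-character suffixes of every breached hash under that
    prefix. The server never learns which suffix the caller cares about."""
    prefix5 = prefix5.upper()
    return sorted(h[5:] for h in BREACH_SHA1 if h.startswith(prefix5))


def is_breached(password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def check_new_password(password: str, username: str, min_length: int = 10) -> List[str]:
    """Policy a wiki could enforce when a password is set. Returns the reasons
    for rejection; an empty list means the password passes these rules."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in a published password dump")
    return problems


# --- Part 2: the "internal bot": replay a dump against stored hashes ---------
ITERATIONS = 30_000  # PBKDF2 cost chosen for the example


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the site keeps per user: a random salt and a PBKDF2-HMAC-SHA256 digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def audit_accounts(accounts: Dict[str, Tuple[bytes, bytes]],
                   candidates: List[str]) -> List[str]:
    """Try each dump password against each account, as a credential-stuffing
    attacker would online, but offline on the site's own hashes. Returns the
    usernames that matched (the ones to force a reset on)."""
    hits = []
    for user, (salt, stored) in accounts.items():
        for cand in candidates:
            guess = hashlib.pbkdf2_hmac("sha256", cand.encode("utf-8"), salt, ITERATIONS)
            if hmac.compare_digest(guess, stored):
                hits.append(user)
                break  # one hit is enough to flag the account
    return hits


def demo_accounts() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed accounts: one reuses a dumped password, one uses a passphrase,
    one uses a dumped password that would satisfy naive complexity rules."""
    return {
        "AdminA": store_password("adobe123"),
        "AdminB": store_password("correct horse battery staple"),
        "AdminC": store_password("Summer2016!"),
    }


if __name__ == "__main__":
    print(check_new_password("qwerty", "AdminA"))
    print(check_new_password("correct horse battery staple", "AdminB"))
    print("accounts to force-reset:", audit_accounts(demo_accounts(), DUMP_PASSWORDS))
```

The audit costs one PBKDF2 computation per account per candidate, which is the point of a slow hash: against a real dump you would not replay the whole list, but the candidates tied to each admin's own e-mail address or username, since that is what the attackers described by Tim are doing. Note that AdminC is caught even though "Summer2016!" has upper case, digits and punctuation; strength rules based on character classes would have accepted it.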



Re: Update on WMF account compromises

Brian Wolff
In reply to this post by Tyler Romeo
Tyler wrote:
> In general, as mentioned, you should simply not enter your password on any
> website that is not the site the password belongs to. For my full-time job,
> employees have a Chrome extension where accidentally type your password on
> any website (even if it's not in a text box) you're required to reset it.
>

[Slightly off topic]
That is an interesting approach. Obviously not applicable to us, but in a
corporate setting I imagine it could be quite effective.

One thing I would worry about is the potential for timing attacks, as you
are now doing password comparisons against untrusted input from all over
the internet with no rate limiting. I suppose that is taken into account
when writing the extension though, and precautions are taken.

--
bawolff

Re: Update on WMF account compromises

Sylvain Boissel
In reply to this post by Brad Jorsch (Anomie)
>
> If you want to increase the entropy, use a larger word list rather than a
> "harder" one. The XKCD comic seems to have used a 2048-word list for its
> 44-bit estimate. Using a list with 8836 words gets the same entropy (about
> 52.44 bits) as a completely-random 8-character password using any of the 94
> characters I can easily type on my keyboard (e.g. "'>hZ|=S\*").
>
>
If we want to go this way, we have the largest conceivable word list at
hand in Wiktionary.

A tool inspired by https://tools.wmflabs.org/anagrimes/hasard.php?langue=en
could give 4 words from all those we have in English, and we can even get
words in the same language as the registration form (so it would suggest
French words when registering on the French Wikipedia, Swedish words on the
Swedish Wikisource, etc.)


Sylvain


--
*Sylvain Boissel*
SYSTEMS AND NETWORK ADMINISTRATOR
*WIKIMÉDIA FRANCE*


*Tel +33 1 42 36 97 72*

*Mobile: +33 7 84 37 91 03*
*www.wikimedia.fr <http://www.wikimedia.fr/>*
*40 rue de Cléry, **75002 Paris*
<http://www.openstreetmap.org/node/691082430#map=19/48.86814/2.34683>

*Imagine a world in which every person on the planet has free access to the
sum of all human knowledge. That is our commitment. Help Wikimedia France
make it a reality <https://dons.wikimedia.fr>.*

Re: Update on WMF account compromises

Trey Jones
On Thu, Nov 17, 2016 at 1:19 PM, Sylvain Boissel <
[hidden email]> wrote:

> >
> > If you want to increase the entropy, use a larger word list rather than a
> > "harder" one. The XKCD comic seems to have used a 2048-word list for its
> > 44-bit estimate. Using a list with 8836 words gets the same entropy
> (about
> > 52.44 bits) as a completely-random 8-character password using any of the
> 94
> > characters I can easily type on my keyboard (e.g. "'>hZ|=S\*").
> >
> >
> If we want to go this way, we have the largest conceivable word list at
> hand with the Wiktionary.
>
> A tool inspired by https://tools.wmflabs.org/
> anagrimes/hasard.php?langue=en
> could give 4 words from all those we have in English, and we can even get
> words in the same language as the registration form (So it would suggest
> French words when registering on the French Wikipedia, Swedish words on the
> Swedish Wikisource, etc.
>

You want to go with relatively frequent words of reasonable length so the
combination is reasonably memorable and easy enough to type, or you are
back to random gibberish strings.

While not likely, choosing four random English words from Wiktionary *could*
give you this combo

aavakaayaabaciscusesæolotropicpneumonoultramicroscopicsilicovolcanoconiosis




Trey Jones
Software Engineer, Discovery
Wikimedia Foundation

Re: Update on WMF account compromises

Sylvain Boissel
A button to suggest another combo would help in this case (and anyway, we
should not force the user to use the suggested password.)

I tried a couple of times, I got this:
YMCKO-jackpotting-mental disorder-hulk
BCMS-Myspace angle-colloquium-charley horse
extendible-milkiness-contemplate-marron

While I don't know all of these words (English is not my first language),
it does look usable.

Sylvain

--
*Sylvain Boissel*
SYSTEMS AND NETWORK ADMINISTRATOR
*WIKIMÉDIA FRANCE*


*Tel +33 1 42 36 97 72*

*Mobile: +33 7 84 37 91 03*
*www.wikimedia.fr <http://www.wikimedia.fr/>*
*40 rue de Cléry, **75002 Paris*
<http://www.openstreetmap.org/node/691082430#map=19/48.86814/2.34683>

*Imagine a world in which every person on the planet has free access to the
sum of all human knowledge. That is our commitment. Help Wikimedia France
make it a reality <https://dons.wikimedia.fr>.*
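Brad's arithmetic (quoted above), Sylvain's Wiktionary-derived generator and Trey's length caveat fit in one small routine. This is an added example, not the anagrimes tool or any Wikimedia code: the word list is a constructed stand-in for a Wiktionary export (it deliberately contains the words from the replies above so the filter's effect is visible), the length bounds are an assumption, and words are drawn with the OS CSPRNG via `secrets` rather than `random`, which matters because the list is public and the draw is the only secret. It also generalises the entropy figures in the thread into functions, so you can ask how large a list is needed for a given number of words.

```python
"""Passphrase generation from a word list, with the entropy arithmetic used
in this thread. Added example; the word list is constructed."""
import math
import secrets
from typing import Iterable, List

# Constructed stand-in for a Wiktionary export. It includes the headwords
# quoted in the replies above: very long ones, multi-word entries, acronyms and
# a non-ASCII spelling, so the filter below has something to reject.
RAW_WORDS = [
    "aavakaaya", "abaciscuses", "æolotropic",
    "pneumonoultramicroscopicsilicovolcanoconiosis",
    "YMCKO", "jackpotting", "mental disorder", "hulk",
    "BCMS", "Myspace angle", "colloquium", "charley horse",
    "extendible", "milkiness", "contemplate", "marron",
    "correct", "horse", "battery", "staple", "river", "window", "paper",
    "garden", "hulk",  # duplicate on purpose
]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `pool_size` items.
    XKCD's 4 words from 2048 give 44 bits; 4 words from 8836 (= 94**2) give the
    same 52.44 bits as 8 random characters from a 94-symbol keyboard set."""
    return picks * math.log2(pool_size)


def equivalent_random_length(bits: float, alphabet_size: int = 94) -> float:
    """Length of a uniformly random string over `alphabet_size` symbols that
    carries `bits` of entropy."""
    return bits / math.log2(alphabet_size)


def list_size_for(bits: float, picks: int) -> int:
    """Smallest word list from which `picks` words reach `bits` of entropy."""
    # the epsilon absorbs float error at exact powers of two (e.g. 44/4 -> 2048)
    return math.ceil(2 ** (bits / picks) - 1e-9)


def usable_words(words: Iterable[str], min_len: int = 3, max_len: int = 10) -> List[str]:
    """Trey's constraint: keep single, ASCII-alphabetic words of typeable
    length (bounds are an assumption). Deduplicate, because the entropy
    estimate assumes every list entry is distinct and equally likely."""
    seen, out = set(), []
    for w in words:
        w = w.strip().lower()
        if min_len <= len(w) <= max_len and w.isascii() and w.isalpha() and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def passphrase(words: List[str], picks: int = 4, sep: str = "-") -> str:
    """Draw `picks` words with replacement using the OS CSPRNG. Each call is an
    independent suggestion, which is what a "suggest another" button needs."""
    if not words:
        raise ValueError("empty word list")
    return sep.join(secrets.choice(words) for _ in range(picks))


if __name__ == "__main__":
    words = usable_words(RAW_WORDS)
    print(f"{len(words)} usable words -> {entropy_bits(len(words), 4):.1f} bits for 4 words")
    print("suggested:", passphrase(words))
    print("list size needed for 44 bits with 4 words:", list_size_for(44, 4))
```

The entropy figures only hold if the suggestion is used as generated; a user who swaps a word for a favourite one, or who keeps regenerating until a combination "looks right", reduces the effective space in ways the formula cannot see. Drawing with replacement keeps the arithmetic exact; drawing without replacement is marginally weaker and only matters for tiny lists.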

Re: Update on WMF account compromises

Florence Devouard-6
In reply to this post by Tim Starling-2
Hello

I had the super bad idea of implementing two-factor authentication
and now I need help :)

The system is not "recording" me as registered. Which means that I am
disconnected every once in a while. Roughly every 15 minutes... and
every time I change project (from Wikipedia to Commons etc.)

Which means that every 15 minutes, I need to relogin... retype login and
password... grab my phone... wake it up... launch the app... get the
number... enter it... validate... OK, good to go for 15 minutes...

So... how do I fix that?

Thanks

Florence


On 16/11/2016 at 10:57, Tim Starling wrote:

> Since Friday, we've had a slow but steady stream of admin account
> compromises on WMF projects. The hacker group OurMine has taken credit
> for these compromises.
>
> We're fairly sure now that their mode of operation involves searching
> for target admins in previous user/password dumps published by other
> hackers, such as the 2013 Adobe hack. They're not doing an online
> brute force attack against WMF. For each target, they try one or two
> passwords, and if those don't work, they go on to the next target.
> Their success rate is maybe 10%.
>
> When they compromise an account, they usually do a main page
> defacement or similar, get blocked, and then move on to the next target.
>
> Today, they compromised the account of a www.mediawiki.org admin, did
> a main page defacement there, and then (presumably) used the same
> password to log in to Gerrit. They took a screenshot, sent it to us,
> but took no other action.
>
> So, I don't think they are truly malicious -- I think they are doing
> it for fun, fame, perhaps also for their stated goal of bringing
> attention to poor password security.
>
> Indications are that they are familiarising themselves with MediaWiki
> and with our community. They probably plan on continuing to do this
> for some time.
>
> We're doing what we can to slow them down, but admins and other users
> with privileged access also need to take some responsibility for the
> security of their accounts. Specifically:
>
> * If you're an admin, please enable two-factor authentication.
> <https://meta.wikimedia.org/wiki/H:2FA>
> * Please change your password, if you haven't already changed it in
> the last week. Use a new password that is not used on any other site.
> * Please do not share passwords across different WMF services, for
> example, between the wikis and Gerrit.
>
> (Cross-posted to wikitech-l and wikimedia-l, please copy/link
> elsewhere as appropriate.)
>
> -- Tim Starling
>
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>



Re: Update on WMF account compromises

John Mark Vandenberg
Ya, this is why I haven't done it.

Also, I should be able to set it up such that TFA is not necessary
until my account attempts to do an admin action.

--
John Vandenberg


Re: Update on WMF account compromises

Florence Devouard-6
Ya, well
I was a good girl and I did as I was told to do.

Now... I changed my password to a VERY simple one so that it takes less
time to relogin each time.

And most of my edits are anonymous... which creates a problem for me
because I keep being asked to fill in the captcha thing and of course I
miss all the nice user features... but it also creates a problem for my
peers who have to keep a watch on my anonymous edits.

So, I do not know what the extent of the current security issue is, but
I tell you that from a user perspective, the two-factor authentication
system is absolutely not ok :)

I do not know how many people switched and I dunno if all meet the same
problem as I do.

If others are facing the same consequences... I believe you should stop
pushing people to implement the two steps.

If I am alone in this situation.... please someone remove the two-factor
authentication system from my account. Please. Please.

Anthere





Le 21/11/2016 à 11:15, John Mark Vandenberg a écrit :

> Ya, this is why I haven't done it.
>
> Also, I should be able to set it up such that TFA is not necessary
> until my account attempts to do an admin action.
>
> On Mon, Nov 21, 2016 at 4:37 PM, Florence Devouard <[hidden email]> wrote:
>> Hello
>>
>> I had the super bad idea of implementing the two-factor authentication and
>> now I need help :)
>>
>> The system is not "recording" me as registered. Which means that I am
>> disconnected every once in a while. Roughly every 15 minutes... and every
>> time I change project (from Wikipedia to Commons etc.)
>>
>> Which means that every 15 minutes, I need to relogin... retype login and
>> password... grab my phone... wake it up... launch the app... get the
>> number... enter it... validate... OK, good to go for 15 minutes...
>>
>> So... how do I fix that ?
>>
>> Thanks
>>
>> Florence
>>
>>
>> On 16/11/2016 at 10:57, Tim Starling wrote:
>>>
>>> Since Friday, we've had a slow but steady stream of admin account
>>> compromises on WMF projects. The hacker group OurMine has taken credit
>>> for these compromises.
>>>
>>> We're fairly sure now that their mode of operation involves searching
>>> for target admins in previous user/password dumps published by other
>>> hackers, such as the 2013 Adobe hack. They're not doing an online
>>> brute force attack against WMF. For each target, they try one or two
>>> passwords, and if those don't work, they go on to the next target.
>>> Their success rate is maybe 10%.
>>>
>>> When they compromise an account, they usually do a main page
>>> defacement or similar, get blocked, and then move on to the next target.
>>>
>>> Today, they compromised the account of a www.mediawiki.org admin, did
>>> a main page defacement there, and then (presumably) used the same
>>> password to log in to Gerrit. They took a screenshot, sent it to us,
>>> but took no other action.
>>>
>>> So, I don't think they are truly malicious -- I think they are doing
>>> it for fun, fame, perhaps also for their stated goal of bringing
>>> attention to poor password security.
>>>
>>> Indications are that they are familiarising themselves with MediaWiki
>>> and with our community. They probably plan on continuing to do this
>>> for some time.
>>>
>>> We're doing what we can to slow them down, but admins and other users
>>> with privileged access also need to take some responsibility for the
>>> security of their accounts. Specifically:
>>>
>>> * If you're an admin, please enable two-factor authentication.
>>> <https://meta.wikimedia.org/wiki/H:2FA>
>>> * Please change your password, if you haven't already changed it in
>>> the last week. Use a new password that is not used on any other site.
>>> * Please do not share passwords across different WMF services, for
>>> example, between the wikis and Gerrit.
>>>
>>> (Cross-posted to wikitech-l and wikimedia-l, please copy/link
>>> elsewhere as appropriate.)
>>>
>>> -- Tim Starling
>>>
>>>
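
The attack Tim Starling describes in the quoted message above (one or two tries per target, taken from a published dump, then move on to the next admin, with roughly a 10% hit rate) leaves a very different footprint in authentication logs from an online brute-force attack, and that footprint is what an operator would alert on. The script below is an added example written for this thread, not code from the original posts or from MediaWiki/WMF; the log line format, the source addresses, the account names and the thresholds are all constructed for illustration and would have to be adapted to real logs.

```python
import re
from collections import Counter, defaultdict

# Hypothetical log format, one authentication attempt per line (an assumption
# for this example, not MediaWiki's real log format):
#   <timestamp> src=<ip> user=<name> result=success|fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per source address: attempts per target account and which targets succeeded."""
    per_src = defaultdict(lambda: {"attempts": Counter(), "successes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        entry = per_src[rec["src"]]
        entry["attempts"][rec["user"]] += 1
        if rec["result"] == "success":
            entry["successes"].add(rec["user"])
    return per_src


def classify_source(stats, min_targets=5, max_tries_per_target=2, brute_force_tries=10):
    """Label one source. Thresholds are assumptions to be tuned on real traffic.

    credential-stuffing: many distinct targets, at most a couple of tries each
    brute-force:         many tries against a single target
    normal:              anything else (e.g. a user mistyping once)
    """
    attempts = stats["attempts"]
    if not attempts:
        return "normal"
    most_tries = max(attempts.values())
    if most_tries >= brute_force_tries:
        return "brute-force"
    if len(attempts) >= min_targets and most_tries <= max_tries_per_target:
        return "credential-stuffing"
    return "normal"


def detect(lines, **thresholds):
    """Map each source address to its label."""
    return {src: classify_source(st, **thresholds) for src, st in summarize(lines).items()}


def accounts_hit_by_stuffing(lines, **thresholds):
    """Accounts a credential-stuffing source actually logged into: candidates for a
    forced password reset, since their password is presumably in a public dump."""
    hit = set()
    for st in summarize(lines).values():
        if classify_source(st, **thresholds) == "credential-stuffing":
            hit |= st["successes"]
    return sorted(hit)


def build_sample_log():
    """Constructed sample log (not real data): one stuffing source working through
    20 admin accounts with one or two tries each and getting into two of them,
    one brute-force source hammering a single account, and one ordinary user."""
    lines = []
    t = 0

    def add(src, user, result):
        nonlocal t
        t += 1
        lines.append(f"2016-11-14T10:{t // 60:02d}:{t % 60:02d}Z src={src} user={user} result={result}")

    for i in range(20):
        user = f"Admin{i}"
        add("198.51.100.7", user, "fail")
        if i % 10 == 3:
            add("198.51.100.7", user, "success")  # password reused from a dump
        elif i % 2 == 0:
            add("198.51.100.7", user, "fail")     # second guess, then move on
    for _ in range(40):
        add("203.0.113.9", "Admin0", "fail")      # classic online brute force
    add("192.0.2.5", "Frank", "fail")             # a typo, then a correct login
    add("192.0.2.5", "Frank", "success")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for src, label in detect(log).items():
        print(f"{src:15} {label}")
    print("reset these accounts:", accounts_hit_by_stuffing(log))
```

The point of keying on "many targets, few tries each" rather than on total failures is that a per-account lockout or a failure-rate limit never fires for this pattern: every admin sees at most two failed logins, which is indistinguishable from a typo. Grouping by source and counting distinct targets catches it, and the successes from a source so labelled are exactly the accounts whose passwords need resetting, independent of whether their owners notice a defacement.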

Re: Update on WMF account compromises

Bartosz Dziewoński
Just for the record, I'm not having such problems, so it might be in
some way specific to you. I've heard someone else recently complaining
about getting logged in often, I don't think this is related to 2FA.

If you need to disable it, you can do it yourself (visit Preferences,
click "Disable two-factor authentication" and follow the steps).

--
Bartosz Dziewoński


Re: Update on WMF account compromises

Magnus Manske-2
Using 2FA, no issues. Sounds more like a problem with cookies?


Re: Update on WMF account compromises

Florence Devouard-6
I know not. But it may be it, because the system did not seem to
"remember" my password anymore either.

Anyway... BIG THANKS to Dereckson, who gave me the trick to remove the 2FA.

I am back on regular system and I set up a strong and unique password.

Anthere


