[Wikitech-l] Update on WMF account compromises

Florence Devouard fdevouard at gmail.com
Mon Nov 21 12:24:19 UTC 2016


Ya, well
I was a good girl and I did as I was told to do.

Now... I changed my password to a VERY simple one so that it takes less 
time to relogin each time.

And most of my edits are anonymous... which creates a problem for me 
because I keep being asked to fill in the captcha thing and of course I 
miss all the nice user features... but it also creates a problem for my 
peers who have to keep a watch on my anonymous edits.

So, I do not know what the extent of the current security issue is, but 
I tell you that from a user perspective, the 2 factor authentication 
system is absolutely not ok :)

I do not know how many people switched and I dunno if all meet the same 
problem as I.

If others are facing the same consequences... I believe you should stop 
pushing people to implement the 2 steps.

If I am alone in this situation.... please someone remove the 2-factor 
identification system from my account. Please. Please.

Anthere





On 21/11/2016 at 11:15, John Mark Vandenberg wrote:
> Ya, this is why I haven't done it.
>
> Also, I should be able to set it up such that TFA is not necessary
> until my account attempts to do an admin action.
>
> On Mon, Nov 21, 2016 at 4:37 PM, Florence Devouard <fdevouard at gmail.com> wrote:
>> Hello
>>
>> I had the super bad idea of implementing the two-factor authentication and
>> now I need help :)
>>
>> The system is not "recording" me as registered. Which means that I am
>> disconnected every once in a while. Roughly every 15 minutes... and every
>> time I change project (from Wikipedia to Commons etc.)
>>
>> Which means that every 15 minutes, I need to relogin... retype login and
>> password... grab my phone... wake it up... launch the app... get the
>> number... enter it... validate... OK, good to go for 15 minutes...
>>
>> So... how do I fix that ?
>>
>> Thanks
>>
>> Florence
>>
>>
>> On 16/11/2016 at 10:57, Tim Starling wrote:
>>>
>>> Since Friday, we've had a slow but steady stream of admin account
>>> compromises on WMF projects. The hacker group OurMine has taken credit
>>> for these compromises.
>>>
>>> We're fairly sure now that their mode of operation involves searching
>>> for target admins in previous user/password dumps published by other
>>> hackers, such as the 2013 Adobe hack. They're not doing an online
>>> brute force attack against WMF. For each target, they try one or two
>>> passwords, and if those don't work, they go on to the next target.
>>> Their success rate is maybe 10%.
>>>
>>> When they compromise an account, they usually do a main page
>>> defacement or similar, get blocked, and then move on to the next target.
>>>
>>> Today, they compromised the account of a www.mediawiki.org admin, did
>>> a main page defacement there, and then (presumably) used the same
>>> password to log in to Gerrit. They took a screenshot, sent it to us,
>>> but took no other action.
>>>
>>> So, I don't think they are truly malicious -- I think they are doing
>>> it for fun, fame, perhaps also for their stated goal of bringing
>>> attention to poor password security.
>>>
>>> Indications are that they are familiarising themselves with MediaWiki
>>> and with our community. They probably plan on continuing to do this
>>> for some time.
>>>
>>> We're doing what we can to slow them down, but admins and other users
>>> with privileged access also need to take some responsibility for the
>>> security of their accounts. Specifically:
>>>
>>> * If you're an admin, please enable two-factor authentication.
>>> <https://meta.wikimedia.org/wiki/H:2FA>
>>> * Please change your password, if you haven't already changed it in
>>> the last week. Use a new password that is not used on any other site.
>>> * Please do not share passwords across different WMF services, for
>>> example, between the wikis and Gerrit.
>>>
>>> (Cross-posted to wikitech-l and wikimedia-l, please copy/link
>>> elsewhere as appropriate.)
>>>
>>> -- Tim Starling
>>>
>>>
>>> _______________________________________________
>>> Wikitech-l mailing list
>>> Wikitech-l at lists.wikimedia.org
>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>>
>>
>>
>
>
>
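Tim's description of the attackers' pattern (one or two password guesses per admin, then on to the next target, no online brute force) is also what distinguishes a credential-stuffing run from a brute-force run in authentication logs. The following is an added example, not code from the thread or from MediaWiki: it classifies each source by how its failed logins are spread across accounts, using constructed sample log lines in an assumed format, and reports the accounts where the source succeeded so they can be forced to reset.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not from the thread); assumed format:
# <timestamp> ip=<source> user=<account> result=<fail|success>
SAMPLE_LOG = """\
2016-11-14T09:01:02Z ip=203.0.113.7 user=AdminAlice result=fail
2016-11-14T09:01:40Z ip=203.0.113.7 user=AdminAlice result=fail
2016-11-14T09:03:11Z ip=203.0.113.7 user=AdminBob result=fail
2016-11-14T09:05:27Z ip=203.0.113.7 user=AdminCarol result=success
2016-11-14T09:07:55Z ip=203.0.113.7 user=AdminDave result=fail
2016-11-14T09:09:13Z ip=203.0.113.7 user=AdminEve result=fail
2016-11-14T09:10:01Z ip=198.51.100.9 user=AdminFrank result=fail
2016-11-14T09:10:02Z ip=198.51.100.9 user=AdminFrank result=fail
2016-11-14T09:10:03Z ip=198.51.100.9 user=AdminFrank result=fail
2016-11-14T09:10:04Z ip=198.51.100.9 user=AdminFrank result=fail
2016-11-14T09:10:05Z ip=198.51.100.9 user=AdminFrank result=fail
2016-11-14T09:10:06Z ip=198.51.100.9 user=AdminFrank result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")


def parse(log_text):
    """Yield (timestamp, ip, user, result) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def classify_sources(log_text, max_per_account=2, min_accounts=4):
    """Return {ip: (verdict, [accounts the ip logged into])}.

    credential-stuffing: few attempts per account, spread over many accounts
    (the "one or two passwords, then next target" pattern in the thread).
    brute-force: many attempts against the same account.
    Grouping by source IP is a simplification; real runs rotate sources.
    """
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    successes = defaultdict(set)                      # ip -> users
    for _ts, ip, user, result in parse(log_text):
        attempts[ip][user] += 1
        if result == "success":
            successes[ip].add(user)
    verdicts = {}
    for ip, per_user in attempts.items():
        peak = max(per_user.values())
        if peak > max_per_account:
            verdict = "brute-force"
        elif len(per_user) >= min_accounts:
            verdict = "credential-stuffing"
        else:
            verdict = "normal"
        verdicts[ip] = (verdict, sorted(successes[ip]))
    return verdicts
```

Accounts listed under a credential-stuffing source are the ones whose reused password was in a dump; those are the ones to lock and reset first, which is what Tim's advice about unique passwords and 2FA prevents in the first place.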



