Discussion:
[Wikimedia-l] Information on "Multiple failed attempts to log in" emails
John Bennett
2018-05-04 00:27:16 UTC
Hello,

Many of you may have been receiving emails in the last 24 hours warning you
of "Multiple failed attempts to log in" with your account. I wanted to let
you know that the Wikimedia Foundation's Security team is aware of the
situation, and working with others in the organization on steps to decrease
the success of attacks like these.

The exact source is not yet known, but it is not originating from our
systems. That means it is an external effort to gain unauthorized access to
random accounts. These types of efforts are increasingly common for
websites of our reach. A vast majority of these attempts have been
unsuccessful, and we are reaching out personally to the small number of
accounts which we believe have been compromised.

While we are constantly looking at improvements to our security systems and
processes to offset the impact of malicious efforts such as these, the best
method of prevention continues to be the steps each of you take to
safeguard your accounts. Because of this, we have taken steps in the past
to support things like stronger password requirements,[1] and we continue
to encourage everyone to take some routine steps to maintain a secure
computer and account. That includes regularly changing your passwords,[2]
actively running antivirus software on your systems, and keeping your
system software up to date.

My team will continue to investigate this incident, and report back if we
notice any concerning changes. If you have any questions, please contact
the Support and Safety team (susa@wikimedia.org).

John Bennett
Director of Security, Wikimedia Foundation

[1] https://meta.wikimedia.org/wiki/Password_strength_requirements
[2] https://meta.wikimedia.org/wiki/Special:ChangePassword
Pine W
2018-05-06 05:23:52 UTC
Thanks, John. 
Fae, I suggest that we let the WMF folks who are working on this issue extinguish the current fire before asking them to write a report about a previous one. 
I agree that the report about the previous incident is overdue. Perhaps as the current situation becomes calmer (updated metrics and news would be nice to have on the public Phab tickets) some staff can be moved off of the front line and back to the archives.
Pine
( https://meta.wikimedia.org/wiki/User:Pine )
Nathan
2018-05-06 21:24:06 UTC
I get hundreds of these a year (my user name, Nathan, seems to be a popular
target). It would be nice to be able to use some sort of multi-factor
authentication, which is actually supported by OAUTH. However, it seems
most projects (including en.wp) restrict use to accounts with elevated
rights. Can anyone explain why these tools can't be made more widely
accessible?
Shlomi Fish
2018-05-07 11:56:09 UTC
On Thu, 3 May 2018 19:27:16 -0500
Post by John Bennett
Hello,
Many of you may have been receiving emails in the last 24 hours warning you
of "Multiple failed attempts to log in" with your account. I wanted to let
you know that the Wikimedia Foundation's Security team is aware of the
situation, and working with others in the organization on steps to decrease
the success of attacks like these.
The exact source is not yet known, but it is not originating from our
systems. That means it is an external effort to gain unauthorized access to
random accounts. These types of efforts are increasingly common for
websites of our reach. A vast majority of these attempts have been
unsuccessful, and we are reaching out personally to the small number of
accounts which we believe have been compromised.
While we are constantly looking at improvements to our security systems and
processes to offset the impact of malicious efforts such as these, the best
method of prevention continues to be the steps each of you take to
safeguard your accounts. Because of this, we have taken steps in the past
to support things like stronger password requirements,[1] and we continue
to encourage everyone to take some routine steps to maintain a secure
computer and account. That includes regularly changing your passwords,[2]
actively running antivirus software on your systems, and keeping your
system software up to date.

From my experience, anti-virus programs usually do more harm than good. For
example, https://en.wikipedia.org/wiki/Norton_AntiVirus recently blocked my
entire shlomifish.org domain because it apparently misclassified an executable
download as problematic (and it was built from source using
https://en.wikipedia.org/wiki/CMake and https://en.wikipedia.org/wiki/AppVeyor
so it is unlikely that that is the case.). MS Windows' poor resistance to
malware and the fact that Windows Update is so dysfunctional (see
http://www.shlomifish.org/humour/bits/facts/Windows-Update/ ) are the reasons
why I cannot recommend running it as a desktop, and instead one should use
https://en.wikipedia.org/wiki/Linux#Desktop - desktop linux or similar.

A little off topic perhaps, but needs to be said.
--
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
http://www.shlomifish.org/open-source/projects/fortune-mod/

If a tree falls down in the middle of the forest, and there’s no one there to
hear it… what colour is the tree?
— Monkey Island 2: LeChuck’s Revenge

Please reply to list if it's a mailing list post - http://shlom.in/reply .
Eduardo Testart
2018-05-07 13:20:22 UTC
Shlomi,

I believe that the problem is with your particular brand of antivirus,
even though they all block a bit more or less to prevent certain risks.

Nevertheless, making an extrapolation to every antivirus from the
experience with only one brand, and concluding "they do more harm than
good" based on that, seems a bit off.


Cheers!
I am also a Linux advocate, and have been so for years (decades?). That
being said, I imagine that there are still more people using Windows XP than
there are people using Linux. Last time I checked (October 2017) it was
something like 5% using XP and less than 1% using linux, all distros
included. We can safely predict that virus outbreaks will be a problem for
linux once it reaches 5% or 10% market share...
Gabe

I have been a Linux advocate for almost a decade now and from 'my past
experience', I can tell you have opened a topic of a huge discussion about
people should switch to Linux Desktops (which is off-topic here). But I
respectfully disagree with your statement, "anti-virus programs usually do
more harm than good".
From a conservative viewpoint, some protection is still better to have than
no protection at all. And the example you gave here, an anti-virus
mistakenly classified your domain as a potential threat, makes a weaker
point. By a few mistakes, we cannot cancel out a million of other
successes. A false alarm is yet favourable than no alarm at all.
---
Shabab Mustafa
President
Wikimedia Bangladesh

Shlomi Fish
2018-05-07 14:56:54 UTC
Hi,

On Mon, 07 May 2018 13:20:22 +0000
Post by Eduardo Testart
Shlomi,
I believe that the problem is with your particular brand of antivirus,
eventhough they all block a bit more or less to prevent certain risks.
Nevertheless, making an extrapolation to every antivirus from the
experience with only one brand, and concluding "they do more harm than
good" based on that, seems a bit off.

This was just one example. I have heard of many similar problems with others.
Just try subscribing to gimp-user ( https://www.gimp.org/mail_lists.html ) or
chatting on freenode for a while and you will see.
--
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
https://github.com/shlomif/what-you-should-know-about-automated-testing

One of my most productive days was throwing away 1,000 lines of code.
— Ken Thompson (Attributed)

Please reply to list if it's a mailing list post - http://shlom.in/reply .
Shlomi Fish
2018-05-07 15:09:27 UTC
Hi Gabriel,

On Mon, 7 May 2018 14:02:44 +0100
I am also a Linux advocate, and have been so for years (decades?). That
being said, I imagine that there are still more people using Windows XP than
there are people using Linux. Last time I checked (October 2017) it was
something like 5% using XP and less than 1% using linux, all distros
included. We can safely predict that virus outbreaks will be a problem for
linux once it reaches 5% or 10% market share...

Most linux viruses have never broken out and never caused much harm. Linux can be
susceptible to other forms of malware such as worms or rootkits, but it has yet
to exhibit a large scale virus epidemic and it isn't because it wasn't tried.
Linux is an attractive target because many servers run on it. See also
https://duckduckgo.com/?q=linux+viruses&ia=web

Regards,

Shlomi
--
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
http://youtu.be/xZLwtc9x4yA - Anime in Real Life!! (Parody)

E‐mail, web feeds, and doing something productive — choose two.

Please reply to list if it's a mailing list post - http://shlom.in/reply .
Gabriel Thullen
2018-05-07 16:03:48 UTC
The main reason we have virus outbreaks is the way a lot of users click on
email attachments and on programs they have just downloaded from the net.
Users are warned time and time again, but they do it anyway. Once we get a
large enough base of desktop linux users, we will have the same problems.

We are safe for now...
"Imagine a world, where all windows installations have turned off their
antivirus protection"!
Regards,
Thyge