Page MenuHomePhabricator
Create Task
Maniphest T150853

Create a burn-down list of administrator accounts without 2FA or password changes since 11 November 2016
Closed, DeclinedPublic
Actions

Description

Based on the WMF update of 16 November, https://lists.wikimedia.org/pipermail/wikitech-l/2016-November/087008.html, it makes sense for all administrator accounts to change their passwords and be strongly encouraged to adopt two-factor authentication (2FA).

This is a request to create a maintained list on Meta of all Wikimedia accounts with sysop rights, showing which have adopted 2FA and which accounts have not changed their passwords since 11th November, this being the date of the first identified OurMine related compromised account. The act of publishing this list will help the community contact administrator accounts that remain at risk of getting misused, and for the community to have a discussion of future options, such as forcing password changes on dormant administrator accounts.

Event Timeline

Fae created this task.Nov 16 2016, 1:50 PM
Thibaut120094 added a comment.EditedNov 16 2016, 1:52 PM

That would be a great gift for potential hackers.

BethNaught subscribed.Nov 16 2016, 1:56 PM
matmarex added a comment.EditedNov 16 2016, 2:00 PM

Indeed, I don't think it would be desirable to publish such a list. But it could still be generated and the users could be contacted privately. If deemed necessary, it's also possible to force privileged accounts to enable 2FA or to change their password on next login.

Reedy awarded a token.Nov 16 2016, 2:07 PM
In T150853#2799024, @matmarex wrote:

Indeed, I don't think it would be desirable to publish such a list. But it could still be generated and the users could be contacted privately. If deemed necessary, it's also possible to force privileged accounts to enable 2FA or to change their password on next login.

Yeah, posting it publicly is just saying "hey, these are the accounts that are worth trying"

Keeping it private, and having a way to send emails/echo notifications to tell these admins to enable it, seems more sensible

Aklapper removed a parent task: T150605: Publish an analysis of the OurMine hack.Nov 16 2016, 2:11 PM

[This task does not block publishing an analysis of the OurMine hack, hence I've removed that parent task.]

Fae added a comment.Nov 16 2016, 2:24 PM

It may be that publishing dates of password changes would be more than can be queried from the public database, however a table of admins showing which had adopted 2FA is the type of thing that I would struggle to imagine as any significant extra risk and has good value as part of the community agreeing new policies for trusted accounts. In terms of targeting, this is probably a lot less significant than sharing user_properties or analysing edit patterns, which are available to anyone.

I agree that sharing account password metadata may assist targeting vulnerable sysop accounts, however we already have lots of public reports on-wiki which list out recently inactive admin accounts. I suspect that even moderately smart hackers are targeting accounts using that type of information in addition to prioritizing staff accounts and 'high profile' users for the extra lolz. It's not giving too much away to speculate that if I were a hacker I'd quietly target some of these dormant accounts to keep a backlog of hacked accounts, perhaps registering for 2FA. It's an unfortunate truth that there are many dormant sysop accounts where the user may never return, and odd edits may not get noticed, especially on non-English Wikipedia projects.

If making public a list of sysop accounts with old passwords is not sensible, it still would be a useful list for WMF staff to examine and share with 'crats or stewards who could make good use of it, such as making contact with vulnerable accounts in confidence. I'd actually expect such a user list being used already within the WMF security team.

Srittau unsubscribed.Nov 16 2016, 2:24 PM
MarcoAurelio subscribed.Nov 16 2016, 4:00 PM
Schnark unsubscribed.Nov 17 2016, 9:20 AM
K6ka unsubscribed.Nov 17 2016, 10:05 PM
Platonides subscribed.Feb 6 2017, 10:48 PM
OldUser02 subscribed.Feb 19 2018, 1:14 PM
Aklapper renamed this task from Create a burn-down list of administrator accounts without 2FA or password changes since 11 November to Create a burn-down list of administrator accounts without 2FA or password changes since 11 November 2016.Jun 29 2018, 2:42 PM
Bawolff closed this task as Declined.Sep 4 2018, 4:05 PM

I'm going to decline this:

  • A public list of anything password related is a bad idea
  • If instead of a public list, we just privately contact people, I still think its a bad idea. Research on forcing password changes has shown it has bad outcomes. I'm not sure what the research says on nagging people but not forcing people. However, the date of the ourmine attack is very arbitrary. If we did something like this it might make sense on regular intervals, but there's nothing special in the OurMine attack that suggests it makes a good cut off date.
chasemp edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 4:10 PM
Bawolff added a comment.Sep 4 2018, 4:10 PM
In T150853#2799161, @Fae wrote:

It may be that publishing dates of password changes would be more than can be queried from the public database, however a table of admins showing which had adopted 2FA is the type of thing that I would struggle to imagine as any significant extra risk and has good value as part of the community agreeing new policies for trusted accounts. In terms of targeting, this is probably a lot less significant than sharing user_properties or analysing edit patterns, which are available to anyone.

The counterargument is, if the attacker knows who has 2FA enabled, then they will avoid those accounts, and thus their failures are less likely to show up in logs or otherwise be noticed. In certain (very unlikely scenario) where they have to crack hard hashes and are CPU limited, knowing who to target (e.g. who does not have 2FA) can be very valuable to the attacker.

I agree that sharing account password metadata may assist targeting vulnerable sysop accounts, however we already have lots of public reports on-wiki which list out recently inactive admin accounts. I suspect that even moderately smart hackers are targeting accounts using that type of information in addition to prioritizing staff accounts and 'high profile' users for the extra lolz. It's not giving too much away to speculate that if I were a hacker I'd quietly target some of these dormant accounts to keep a backlog of hacked accounts, perhaps registering for 2FA. It's an unfortunate truth that there are many dormant sysop accounts where the user may never return, and odd edits may not get noticed, especially on non-English Wikipedia projects.

Sure. Just because some info is (fairly unavoidably) public, doesn't mean we should expose all info.

If making public a list of sysop accounts with old passwords is not sensible, it still would be a useful list for WMF staff to examine and share with 'crats or stewards who could make good use of it, such as making contact with vulnerable accounts in confidence. I'd actually expect such a user list being used already within the WMF security team.

If we wanted to do some nag campaign, it would make more sense to do it in an automated fashion (e.g. When you log in, or a security email), then giving a list of people to stewards so they can shame them.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL