Thread: Wiki 2FA

Wiki 2FA

From: "Joshua D. Drake"
Hello,

Perhaps we should consider enforcing 2FA for the Wiki?

https://www.mediawiki.org/wiki/Extension:TwoFactorAuthentication

Sincerely,

JD
-- 
Command Prompt, Inc.                  http://the.postgres.company/                     +1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.



Re: Wiki 2FA

From: Magnus Hagander
On Sat, Jan 23, 2016 at 9:06 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
> Hello,
>
> Perhaps we should consider enforcing 2FA for the Wiki?
>
> https://www.mediawiki.org/wiki/Extension:TwoFactorAuthentication


Two factor auth protects you against someone using your account. Have we had any issues with that?

It does not protect against people signing up for multiple accounts. Unless you were actually planning to send out hardware 2FA tokens to each actual contributor, but I'm pretty sure you didn't mean that?

And as a sidenote, it also doesn't support our version of mediawiki -- but that's only a problem if we actually think it would bring any benefit.

--

Re: Wiki 2FA

From: Greg Stark
On Sat, Jan 23, 2016 at 8:41 PM, Magnus Hagander <magnus@hagander.net> wrote:
> It does not protect against people signing up for multiple accounts. Unless
> you were actually planning to send out hardware 2FA tokens to each actual
> contributor, but I'm pretty sure you didn't mean that?

We could put a captcha which would at least prevent spammers from
scripting attacks. I'm not sure what type of spamming we've had. I
expect we would still see one-off spam by humans though.

-- 
greg



Re: Wiki 2FA

From: Magnus Hagander
On Sat, Jan 23, 2016 at 10:43 PM, Greg Stark <stark@mit.edu> wrote:
> On Sat, Jan 23, 2016 at 8:41 PM, Magnus Hagander <magnus@hagander.net> wrote:
>> It does not protect against people signing up for multiple accounts. Unless
>> you were actually planning to send out hardware 2FA tokens to each actual
>> contributor, but I'm pretty sure you didn't mean that?
>
> We could put a captcha which would at least prevent spammers from
> scripting attacks. I'm not sure what type of spamming we've had. I
> expect we would still see one-off spam by humans though.

We have a captcha for account signups already. That increased the signup time by 30-45 seconds on average.

We also have a 7 day grace period, so new accounts could not use the wiki for 7 days. It took *exactly* 7 days before the spam started again.

To me it's pretty clear that it did not come from scripts. Another hint of that is that a couple of those "scripts" emailed us asking for us to let them bypass the 7 day grace period.


--

Re: Wiki 2FA

From: "Joshua D. Drake"
On 01/23/2016 12:41 PM, Magnus Hagander wrote:
> On Sat, Jan 23, 2016 at 9:06 PM, Joshua D. Drake <jd@commandprompt.com
> <mailto:jd@commandprompt.com>> wrote:
>
>     Hello,
>
>     Perhaps we should consider enforcing 2FA for the Wiki?
>
>     https://www.mediawiki.org/wiki/Extension:TwoFactorAuthentication
>
>
>
> Two factor auth protects you against someone using your account. Have we
> had any issues with that?
>
> It does not protect against people signing up for multiple accounts.
> Unless  you were actually planning to send out hardware 2FA tokens to
> each actual contributor, but I'm pretty sure you didn't mean that?

No. I meant the idea of having Google Authenticator required (which is 
open source). It works on any Android device as well as others 
(windows). I believe it would help with the autoscripting edits?

JD

-- 
Command Prompt, Inc.                  http://the.postgres.company/                     +1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.



Re: Wiki 2FA

From: Peter Geoghegan
On Sat, Jan 23, 2016 at 1:50 PM, Magnus Hagander <magnus@hagander.net> wrote:
> We have a captcha for account signups already. That increased the signup
> time by 30-45 seconds on average.

I think that it's now economical for spammers to farm out the
completion of captchas. Real people actually fill them out, with
everything else highly automated. I'm not sure how much of the work
performed by the Amazon Mechanical Turk service is actually filling
out captchas, but it's certainly some proportion. (The whole concept
of Mechanical Turk is downright creepy in my view).


-- 
Peter Geoghegan



Re: Wiki 2FA

From: Tom Lane
"Joshua D. Drake" <jd@commandprompt.com> writes:
> On 01/23/2016 12:41 PM, Magnus Hagander wrote:
>> It does not protect against people signing up for multiple accounts.
>> Unless  you were actually planning to send out hardware 2FA tokens to
>> each actual contributor, but I'm pretty sure you didn't mean that?

> No. I meant the idea of having Google Authenticator required (which is 
> open source). It works on any Android device as well as others 
> (windows). I believe it would help with the autoscripting edits?

I doubt it would help much unless we required a 2FA auth cycle for
every single edit, which I for one wouldn't stand for.  Reasonably
user-friendly policies like one auth a day would still be plenty
easy for spammers too.  (They've got phones too ya know.)  In fact,
considering it is trivial to have as many GA instances as you want
all sharing the same key, I'm pretty sure that even a 2FA-check-per-edit
policy could be scripted against.  The bots would just need to have
a local token generator running the same key that the mechanical
turks had signed up with.
        regards, tom lane



Re: Wiki 2FA

From: "Joshua D. Drake"
On 01/23/2016 03:35 PM, Tom Lane wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> On 01/23/2016 12:41 PM, Magnus Hagander wrote:
>>> It does not protect against people signing up for multiple accounts.
>>> Unless  you were actually planning to send out hardware 2FA tokens to
>>> each actual contributor, but I'm pretty sure you didn't mean that?
>
>> No. I meant the idea of having Google Authenticator required (which is
>> open source). It works on any Android device as well as others
>> (windows). I believe it would help with the autoscripting edits?
>
> I doubt it would help much unless we required a 2FA auth cycle for
> every single edit, which I for one wouldn't stand for.  Reasonably
> user-friendly policies like one auth a day would still be plenty
> easy for spammers too.  (They've got phones too ya know.)  In fact,
> considering it is trivial to have as many GA instances as you want
> all sharing the same key, I'm pretty sure that even a 2FA-check-per-edit
> policy could be scripted against.  The bots would just need to have
> a local token generator running the same key that the mechanical
> turks had signed up with.

Bummer, o.k. Although it seems that spammers only go after easy targets. 
It was an idea.

Thanks :)

Sincerely,

JD

>
>             regards, tom lane
>


-- 
Command Prompt, Inc.                  http://the.postgres.company/                     +1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.



Re: Wiki 2FA

From: Tom Lane
"Joshua D. Drake" <jd@commandprompt.com> writes:
> On 01/23/2016 03:35 PM, Tom Lane wrote:
>> I doubt it would help much unless we required a 2FA auth cycle for
>> every single edit, which I for one wouldn't stand for.  Reasonably
>> user-friendly policies like one auth a day would still be plenty
>> easy for spammers too.  (They've got phones too ya know.)

> Bummer, o.k. Although it seems that spammers only go after easy targets. 

I dunno.  I was astonished that they came back a second time after we'd
once thrown them off and cleaned up the mess; you'd think they'd realize
that that would just happen again.  I think it may have been an
intentional attack on the PG project as such, not just drive-by spamming.
(If so, and if the goal was to complicate our lives, they succeeded.)

Or maybe I'm just too paranoid.
        regards, tom lane



Re: Wiki 2FA

From: "Joshua D. Drake"
On 01/23/2016 03:49 PM, Tom Lane wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> On 01/23/2016 03:35 PM, Tom Lane wrote:
>>> I doubt it would help much unless we required a 2FA auth cycle for
>>> every single edit, which I for one wouldn't stand for.  Reasonably
>>> user-friendly policies like one auth a day would still be plenty
>>> easy for spammers too.  (They've got phones too ya know.)
>
>> Bummer, o.k. Although it seems that spammers only go after easy targets.
>
> I dunno.  I was astonished that they came back a second time after we'd
> once thrown them off and cleaned up the mess; you'd think they'd realize
> that that would just happen again.  I think it may have been an
> intentional attack on the PG project as such, not just drive-by spamming.
> (If so, and if the goal was to complicate our lives, they succeeded.)
>
> Or maybe I'm just too paranoid.

Hrm, do we have the IPs that they were coming from? Were they from a 
specific block? Or GEO region? I hate the idea of blocking login from a 
region but it may be an unfortunate reality.

Sincerely,

JD

>
>             regards, tom lane
>


-- 
Command Prompt, Inc.                  http://the.postgres.company/                     +1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.



Re: Wiki 2FA

From: Greg Stark
On Sat, Jan 23, 2016 at 11:25 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
> No. I meant the idea of having Google Authenticator required (which is open
> source). It works on any Android device as well as others (windows). I
> believe it would help with the autoscripting edits?

Why? It doesn't in any way prevent automated scripted spammers. They
can automatically generate TOTP codes from a script just as easily as
the app can. An SMS-based 2FA scheme might have an impact but even that
can be farmed out easily.

Actually requiring a Google account and OAUTH login would actually
have an impact because Google cares about spammers with Google
accounts and goes after them and shuts them down. On the one hand
Google is going to do a better job of anti-spam, opsec, and DoS
mitigation than we ever will. But on the other hand I suspect Google
is only concerned by numbers that are significantly larger than our
threshold of pain and it would mean giving away a lot of control over
the process.



-- 
greg
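Tom's point earlier in the thread (any number of Google Authenticator instances can share one key) and Greg's point in this message (codes can be generated from a script as easily as from the app) both rest on the same property: a TOTP code is a pure function of the enrolled secret and the clock. The following is an added example, not code from this thread or from the PostgreSQL project. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, shows that two independently enrolled instances of one secret always agree, and adds the server-side replay guard RFC 6238 recommends (each time step accepted at most once per user), which is the check a verifier can actually enforce. The base32 demo secret and the user name "alice" are constructed for illustration; the RFC reference secret is used only so the output can be checked against the published test vectors.

```python
"""TOTP (RFC 6238) worked example: determinism of the shared secret, plus
a verifier with the one-use-per-time-step rule from RFC 6238 section 5.2."""
import base64
import hashlib
import hmac
import struct

# ASCII "12345678901234567890": the RFC 4226 / RFC 6238 reference secret,
# used here only so results can be compared with the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def enroll(secret_b32: str):
    """Return a code generator bound to a base32 secret, i.e. what any
    authenticator instance holds after the enrolment QR code is scanned."""
    secret = base64.b32decode(secret_b32.upper())
    return lambda unix_time: totp(secret, unix_time)


def constructed_demo_secret() -> str:
    """Constructed base32 secret for the demonstration (not a real enrolment)."""
    return base64.b32encode(b"constructed-demo-secret!").decode()


def same_secret_same_code(secret_b32: str, unix_time: int) -> bool:
    """Two instances enrolled with the same secret agree on every code, which
    is why TOTP authenticates possession of the secret, not a particular
    device or a particular human."""
    first_instance = enroll(secret_b32)
    second_instance = enroll(secret_b32)
    return first_instance(unix_time) == second_instance(unix_time)


class TotpVerifier:
    """Server-side verifier: accepts codes within +/- `skew` time steps of
    the server clock and never accepts a time step that is not strictly
    newer than the last one accepted for that user (replay guard)."""

    def __init__(self, step: int = 30, skew: int = 1):
        self.step = step
        self.skew = skew
        self._last_step = {}  # user -> last accepted step counter

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for candidate in range(now_step - self.skew, now_step + self.skew + 1):
            if candidate <= self._last_step.get(user, -1):
                continue  # this step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(secret, candidate), code):
                self._last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    demo = constructed_demo_secret()
    print("two instances agree:", same_secret_same_code(demo, 1_700_000_000))
    verifier = TotpVerifier()
    code = totp(RFC_TEST_SECRET, 59)  # RFC 6238 vector: "287082" at T=59
    print("first use accepted:", verifier.verify("alice", RFC_TEST_SECRET, code, 59))
    print("replay accepted:", verifier.verify("alice", RFC_TEST_SECRET, code, 61))
```

The replay guard is the part a wiki could enforce on its own side: it stops one code being submitted twice, but, as the thread notes, it does nothing against a client that holds the secret and simply computes the next code.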



Re: Wiki 2FA

From: "Greg Sabino Mullane"

> I dunno.  I was astonished that they came back a second time after we'd
> once thrown them off and cleaned up the mess; you'd think they'd realize
> that that would just happen again.  I think it may have been an
> intentional attack on the PG project as such, not just drive-by spamming.
> (If so, and if the goal was to complicate our lives, they succeeded.)

I doubt PG was targeted: MediaWiki was. It's a popular and easy spam vector
these days, and reminds me of Windows in the old days: you can set up a
brand new wiki and be guaranteed a spammer before you even start advertising
your site. And once you are on a list, expect to never be able to fully open
your wiki again.

The captcha war is absolutely being won by the spammers at the moment, so
I think our current solution is probably the best tradeoff we can get.
Although it would be nice to be able to point people to the #postgresql
channel for editor rights too.

-- 
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 201601231931
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8





Re: Wiki 2FA

From: Stefan Kaltenbrunner
On 01/24/2016 01:32 AM, Greg Sabino Mullane wrote:
> 
> 
>> I dunno.  I was astonished that they came back a second time after we'd
>> once thrown them off and cleaned up the mess; you'd think they'd realize
>> that that would just happen again.  I think it may have been an
>> intentional attack on the PG project as such, not just drive-by spamming.
>> (If so, and if the goal was to complicate our lives, they succeeded.)
> 
> I doubt PG was targeted: MediaWiki was. It's a popular and easy spam vector
> these days, and reminds me of Windows in the old days: you can set up a
> brand new wiki and be guaranteed a spammer before you even start advertising
> your site. And once you are on a list, expect to never be able to fully open
> your wiki again.

yeah :(

> 
> The captcha war is absolutely being won by the spammers at the moment, so
> I think our current solution is probably the best tradeoff we can get.
> Although it would be nice to be able to point people to the #postgresql
> channel for editor rights too.

Well, the blurb on the wiki clearly states you can ask in the channel as
well, though it might actually take a bit longer for granting access
there because not all of us are monitoring the channel that closely.



Stefan



Re: Wiki 2FA

From: Magnus Hagander


On Sun, Jan 24, 2016 at 1:04 AM, Greg Stark <stark@mit.edu> wrote:
> On Sat, Jan 23, 2016 at 11:25 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
>> No. I meant the idea of having Google Authenticator required (which is open
>> source). It works on any Android device as well as others (windows). I
>> believe it would help with the autoscripting edits?
>
> Why? It doesn't in any way prevent automated scripted spammers. They
> can automatically generate TOTP codes from a script just as easily as
> the app can. An SMS-based 2FA scheme might have an impact but even that
> can be farmed out easily.
>
> Actually requiring a Google account and OAUTH login would actually
> have an impact because Google cares about spammers with Google
> accounts and goes after them and shuts them down. On the one hand
> Google is going to do a better job of anti-spam, opsec, and DoS
> mitigation than we ever will. But on the other hand I suspect Google
> is only concerned by numbers that are significantly larger than our
> threshold of pain and it would mean giving away a lot of control over
> the process.

The majority of the spam came from people with freshly signed up @gmail.com or yandex email addresses. So they clearly got through at least one layer of defense there.
 
--

Re: Wiki 2FA

From: Magnus Hagander


On Sun, Jan 24, 2016 at 12:51 AM, Joshua D. Drake <jd@commandprompt.com> wrote:
> On 01/23/2016 03:49 PM, Tom Lane wrote:
>> "Joshua D. Drake" <jd@commandprompt.com> writes:
>>> On 01/23/2016 03:35 PM, Tom Lane wrote:
>>>> I doubt it would help much unless we required a 2FA auth cycle for
>>>> every single edit, which I for one wouldn't stand for.  Reasonably
>>>> user-friendly policies like one auth a day would still be plenty
>>>> easy for spammers too.  (They've got phones too ya know.)
>>>
>>> Bummer, o.k. Although it seems that spammers only go after easy targets.
>>
>> I dunno.  I was astonished that they came back a second time after we'd
>> once thrown them off and cleaned up the mess; you'd think they'd realize
>> that that would just happen again.  I think it may have been an
>> intentional attack on the PG project as such, not just drive-by spamming.
>> (If so, and if the goal was to complicate our lives, they succeeded.)
>>
>> Or maybe I'm just too paranoid.
>
> Hrm, do we have the IPs that they were coming from? Were they from a specific block? Or GEO region? I hate the idea of blocking login from a region but it may be an unfortunate reality.



The majority was from India, but not all. Most of it was from what looked like typical residential or small business DSL connections. Some also originated from USA. Those were the only two sources I saw when I looked back then, but we had a limited number of attempts logged at that time.

--

Re: Wiki 2FA

From: Alvaro Herrera
Stefan Kaltenbrunner wrote:
> On 01/24/2016 01:32 AM, Greg Sabino Mullane wrote:
> > 
> > 
> >> I dunno.  I was astonished that they came back a second time after we'd
> >> once thrown them off and cleaned up the mess; you'd think they'd realize
> >> that that would just happen again.  I think it may have been an
> >> intentional attack on the PG project as such, not just drive-by spamming.
> >> (If so, and if the goal was to complicate our lives, they succeeded.)
> > 
> > I doubt PG was targeted: MediaWiki was. It's a popular and easy spam vector
> > these days, and reminds me of Windows in the old days: you can set up a
> > brand new wiki and be guaranteed a spammer before you even start advertising
> > your site. And once you are on a list, expect to never be able to fully open
> > your wiki again.
> 
> yeah :(

Keep in mind that our own MediaWiki installation has a custom auth
system, using our community auth system.  Which means that this wasn't a
simple attack script for generic Mediawiki installations; if it was a
script at all then it must have been tailored for our system somehow.
Maybe part of it is scripted and the auth part requires a human to
oversee.

Either way, I concur that it's pretty scary.

-- 
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: Wiki 2FA

From: Greg Stark
On Sun, Jan 24, 2016 at 3:23 PM, Alvaro Herrera
<alvherre@2ndquadrant.com> wrote:
> Keep in mind that our own MediaWiki installation has a custom auth
> system, using our community auth system.  Which means that this wasn't a
> simple attack script for generic Mediawiki installations; if it was a
> script at all then it must have been tailored for our system somehow.
> Maybe part of it is scripted and the auth part requires a human to
> oversee.
>
> Either way, I concur that it's pretty scary.

I would assume it's some kind of affiliate system like the old
clickfraud schemes. Ever wonder what those "make money from home"
scammy ads were about? In the past they used to be pay-to-click
schemes where you got paid to go around clicking on ads. I bet they've
expanded to schemes where random people are paid for each link they
manage to put up somewhere on the internet.

-- 
greg



Re: Wiki 2FA

From: Alvaro Herrera
Greg Stark wrote:

> I would assume it's some kind of affiliate system like the old
> clickfraud schemes. Ever wonder what those "make money from home"
> scammy ads were about? In the past they used to be pay-to-click
> schemes where you got paid to go around clicking on ads. I bet they've
> expanded to schemes where random people are paid for each link they
> manage to put up somewhere on the internet.

I guess it's possible.

We had a look at the kind of content that was being posted.  One pattern
was that they posted a phone number hundreds or thousands of times in
different pages, with surrounding text stating that the number was the
support line for some home product (a laser printer, scanner, etc).  No
URLs at all.  The phone number was the valid number for some poor sod
who had no relationship at all to the product in question.  (It wasn't a
single phone number, but it was a very limited amount of numbers.  Maybe
a dozen, posted in thousands of fake pages, vandalized valid pages,
posted on user pages, and even on the comments for the wiki changes.)

What could be the profit model for posting such content?  One theory was
that they were simply testing whether such a mass post could be done at
all, with an eye towards doing something more profitable in the future.

Another theory was that the number was for a person with whom someone
had some kind of grudge, so they paid the attack group to piss them off.

-- 
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: Wiki 2FA

From: "Joshua D. Drake"
On 01/24/2016 12:03 AM, Stefan Kaltenbrunner wrote:

> well the blurb on the wiki clearly states you can ask in the channel as
> well, though it might actually take a bit longer for granting access
> there because not all of us are monitoring the channel that closely.
>

Andrew Gierth (RhodiumToad) was actually complaining about that. He 
refuses to send an email because we said we would watch on channel.

JD


>
>
> Stefan
>
>


-- 
Command Prompt, Inc.                  http://the.postgres.company/                     +1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.



Re: Wiki 2FA

From: Vik Fearing
On 01/24/2016 06:22 PM, Joshua D. Drake wrote:
> On 01/24/2016 12:03 AM, Stefan Kaltenbrunner wrote:
> 
>> well the blurb on the wiki clearly states you can ask in the channel as
>> well, though it might actually take a bit longer for granting access
>> there because not all of us are monitoring the channel that closely.
>>
> 
> Andrew Gierth (RhodiumToad) was actually complaining about that. He
> refuses to send an email because we said we would watch on channel.

His request was granted rather quickly.
-- 
Vik Fearing                                          +33 6 46 75 15 36
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support



Re: Wiki 2FA

From: Alvaro Herrera
Alvaro Herrera wrote:

> We had a look at the kind of content that was being posted.  One pattern
> was that they posted a phone number hundreds or thousands of times in
> different pages, with surrounding text stating that the number was the
> support line for some home product (a laser printer, scanner, etc).  No
> URLs at all.  The phone number was the valid number for some poor sod
> who had no relationship at all to the product in question.  (It wasn't a
> single phone number, but it was a very limited amount of numbers.  Maybe
> a dozen, posted in thousands of fake pages, vandalized valid pages,
> posted on user pages, and even on the comments for the wiki changes.)

Eh.  Today I just saw that somebody posted the same kind of content (a
number for support service of a well known Windows antivirus software)
in the bug report form.

-- 
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: Wiki 2FA

From: Magnus Hagander
On Mon, Jan 25, 2016 at 4:55 PM, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
Alvaro Herrera wrote:

> We had a look at the kind of content that was being posted.  One pattern
> was that they posted a phone number hundreds or thousands of times in
> different pages, with surrounding text stating that the number was the
> support line for some home product (a laser printer, scanner, etc).  No
> URLs at all.  The phone number was the valid number for some poor sod
> who had no relationship at all to the product in question.  (It wasn't a
> single phone number, but it was a very limited amount of numbers.  Maybe
> a dozen, posted in thousands of fake pages, vandalized valid pages,
> posted on user pages, and even on the comments for the wiki changes.)

Eh.  Today I just saw that somebody posted the same kind of content (a
number for support service of a well known Windows antivirus software)
in the bug report form.



We've had them post organizations related to it as well, in the web system. Since the organizations are moderated, and they can't submit news or events until it's approved, they never got any further than creating those. They've also posted doc comments, which are also moderated.

The unique thing about the wiki is that we allowed them to post things without moderation. (even the lists have moderation, depending on subscriptions and spam scores)

--