Re: [Wikitech-l] Security question re password resets and Spectre
[This is kind of getting far afield of mediawiki, but...]

Spectre can potentially be used to read your private (bitcoin) keys, so bitauth is just as vulnerable to it as anything else (assuming keys on your computer and not some hardware token setup). The only benefit I see is that bitauth would probably happen in a separate process and the cross process variants of spectre look more difficult to pull off.

As far as different/exotic authentication technologies go, I think U2F would be the way to go.

But it's all pretty irrelevant to this attack as if you had an unpatched browser and someone did this attack against you, they would probably target your session cookie. (Assuming it's available in the process. I don't know enough about different browser architectures to say if that's always true)

--
bawolff

On Friday, January 5, 2018, Dan Bolser wrote:

> My favorite solution to the password problem is BitAuth2017. I believe
> that Spectre / Meltdown can't beat PoW, but I'm not 100% sure of the
> details.
>
> On 4 January 2018 at 17:29, Denny Vrandečić wrote:
>
>> I often get emails that someone is trying to get into my accounts. I guess
>> there are just some trolls, trying to log into my Wikipedia account. So
>> far, these have been unsuccessful.
>>
>> Now I got an email that someone asked for a temporary password for my
>> account.
>>
>> So far so good. What I am wondering is whether that password reset trial is
>> actually even more dangerous now given Spectre / Meltdown?
>>
>> Thoughts?
>>
>> (I probably should set up 2FA right now. Have been too lazy so far)
>>
>> Happy new year,
>> Denny

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Security question re password resets and Spectre
My favorite solution to the password problem is BitAuth2017. I believe that Spectre / Meltdown can't beat PoW, but I'm not 100% sure of the details.

On 4 January 2018 at 17:29, Denny Vrandečić wrote:

> I often get emails that someone is trying to get into my accounts. I guess
> there are just some trolls, trying to log into my Wikipedia account. So
> far, these have been unsuccessful.
>
> Now I got an email that someone asked for a temporary password for my
> account.
>
> So far so good. What I am wondering is whether that password reset trial is
> actually even more dangerous now given Spectre / Meltdown?
>
> Thoughts?
>
> (I probably should set up 2FA right now. Have been too lazy so far)
>
> Happy new year,
> Denny
Re: [Wikitech-l] Security question re password resets and Spectre
On Thu, Jan 4, 2018 at 9:29 AM, Denny Vrandečić wrote:

> I often get emails that someone is trying to get into my accounts. I guess
> there are just some trolls, trying to log into my Wikipedia account. So
> far, these have been unsuccessful.
>
> Now I got an email that someone asked for a temporary password for my
> account.

User:Denny is generic enough that people might be using it on other sites and getting confused about their Wikimedia user name. I wouldn't be too worried.

(That, or they already hacked your email account and are now using that to take over your wiki account :)
Re: [Wikitech-l] Security question re password resets and Spectre
Labs and production machines are separate machines. An attack on labs in the worst case would only be able to attack other labs users.

As Cyken said, one of the very scary scenarios is js getting access to data it should not have access to (e.g. if you're inputting your password in one tab and a malicious site is in a different tab). The Spectre paper has a proof of concept they say worked to extract private memory against (a now outdated) version of Google Chrome.

All this is to say, you should update your browser ASAP or ensure that autoupdates are enabled. Similarly for your OS as updates become available.

--
bawolff

On Thursday, January 4, 2018, Denny Vrandečić wrote:

> Ah, that sounds good. I was thinking of a scenario where someone runs code
> in, say labs, and gains access to memory while that machine generates my
> temporary code to send it to me, and thus gains access to that code.
>
> Or, alternatively, just attack my browser through a compromised site
> running a JS exploit and gaining access to anything in my memory. But
> that's on my side to fix (or, rather, on the browser developers).
>
> One way or the other, I have set up 2FA for now.
>
> Use more lynx!
>
> On Thu, Jan 4, 2018 at 10:18 AM Cyken Zeraux wrote:
>
>> Spectre can be exploited using only JavaScript.
>>
>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>>
>> Browsers are making changes to mitigate this.
>>
>> http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html
>>
>> The actual extent of the attack that is realistically possible in this
>> scenario, I do not know. But as stated in the article, Google suggests:
>> "Where possible, prevent cookies from entering the renderer process' memory
>> by using the SameSite and HTTPOnly cookie attributes, and by avoiding
>> reading from document.cookie."
>>
>> I would take that to mean that cookies could be accessed, at the least.
>>
>> On Thu, Jan 4, 2018 at 12:16 PM, Stas Malyshev wrote:
>>
>> > Hi!
>> >
>> > > So far so good. What I am wondering is whether that password reset trial is
>> > > actually even more dangerous now given Spectre / Meltdown?
>> >
>> > I think for those you need local code execution access? In which case,
>> > if somebody gained one on MW servers, they could just change your
>> > password I think. Spectre/Meltdown from what I read are local privilege
>> > escalation attacks (local user -> root or local user -> another local
>> > user) but I haven't heard anything about crossing the server access
>> > barrier.
>> >
>> > > (I probably should set up 2FA right now. Have been too lazy so far)
>> >
>> > Might be a good idea anyway :)
>> >
>> > --
>> > Stas Malyshev
>> > smalys...@wikimedia.org
Re: [Wikitech-l] Security question re password resets and Spectre
Ah, that sounds good. I was thinking of a scenario where someone runs code in, say labs, and gains access to memory while that machine generates my temporary code to send it to me, and thus gains access to that code.

Or, alternatively, just attack my browser through a compromised site running a JS exploit and gaining access to anything in my memory. But that's on my side to fix (or, rather, on the browser developers).

One way or the other, I have set up 2FA for now.

Use more lynx!

On Thu, Jan 4, 2018 at 10:18 AM Cyken Zeraux wrote:

> Spectre can be exploited using only JavaScript.
>
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>
> Browsers are making changes to mitigate this.
>
> http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html
>
> The actual extent of the attack that is realistically possible in this
> scenario, I do not know. But as stated in the article, Google suggests:
> "Where possible, prevent cookies from entering the renderer process' memory
> by using the SameSite and HTTPOnly cookie attributes, and by avoiding
> reading from document.cookie."
>
> I would take that to mean that cookies could be accessed, at the least.
>
> On Thu, Jan 4, 2018 at 12:16 PM, Stas Malyshev wrote:
>
> > Hi!
> >
> > > So far so good. What I am wondering is whether that password reset trial is
> > > actually even more dangerous now given Spectre / Meltdown?
> >
> > I think for those you need local code execution access? In which case,
> > if somebody gained one on MW servers, they could just change your
> > password I think. Spectre/Meltdown from what I read are local privilege
> > escalation attacks (local user -> root or local user -> another local
> > user) but I haven't heard anything about crossing the server access
> > barrier.
> >
> > > (I probably should set up 2FA right now. Have been too lazy so far)
> >
> > Might be a good idea anyway :)
> >
> > --
> > Stas Malyshev
> > smalys...@wikimedia.org
Re: [Wikitech-l] Security question re password resets and Spectre
Spectre can be exploited using only JavaScript.

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Browsers are making changes to mitigate this.

http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html

The actual extent of the attack that is realistically possible in this scenario, I do not know. But as stated in the article, Google suggests: "Where possible, prevent cookies from entering the renderer process' memory by using the SameSite and HTTPOnly cookie attributes, and by avoiding reading from document.cookie."

I would take that to mean that cookies could be accessed, at the least.

On Thu, Jan 4, 2018 at 12:16 PM, Stas Malyshev wrote:

> Hi!
>
> > So far so good. What I am wondering is whether that password reset trial is
> > actually even more dangerous now given Spectre / Meltdown?
>
> I think for those you need local code execution access? In which case,
> if somebody gained one on MW servers, they could just change your
> password I think. Spectre/Meltdown from what I read are local privilege
> escalation attacks (local user -> root or local user -> another local
> user) but I haven't heard anything about crossing the server access
> barrier.
>
> > (I probably should set up 2FA right now. Have been too lazy so far)
>
> Might be a good idea anyway :)
>
> --
> Stas Malyshev
> smalys...@wikimedia.org
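
The cookie advice quoted in the message above (SameSite and HttpOnly) can be checked mechanically on a site's responses. The following is an added example, not part of the original thread: a small Node.js audit of Set-Cookie headers, where the function names are hypothetical and the sample headers are constructed.

```javascript
// Added example: audit Set-Cookie headers for the attributes named in the
// quoted advice (HttpOnly, SameSite). Function names are hypothetical and
// the sample headers are constructed, not captured from a real site.

// Split one Set-Cookie header into its cookie name and a map of attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Map();
  for (const attr of attrs) {
    if (!attr) continue; // tolerate a trailing ';'
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive, so normalise them.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes.set(key, i === -1 ? '' : attr.slice(i + 1).trim());
  }
  return { name, attributes };
}

// Report which of the recommended attributes a cookie is missing.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.has('httponly')) {
    findings.push('no HttpOnly: value is readable through document.cookie');
  }
  const sameSite = (attributes.get('samesite') || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('no SameSite=Lax/Strict: not explicitly limited to same-site requests');
  }
  return { name, findings };
}

// Constructed sample headers: hardened, bare, and SameSite=None.
const sampleHeaders = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'session=abc123; Path=/',
  'token=a=b; httponly; SameSite=None; Secure;',
];

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

for (const { name, findings } of auditAll(sampleHeaders)) {
  console.log(name, findings.length ? findings : 'ok');
}
```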
Re: [Wikitech-l] Security question re password resets and Spectre
Hi!

> So far so good. What I am wondering is whether that password reset trial is
> actually even more dangerous now given Spectre / Meltdown?

I think for those you need local code execution access? In which case, if somebody gained one on MW servers, they could just change your password I think. Spectre/Meltdown from what I read are local privilege escalation attacks (local user -> root or local user -> another local user) but I haven't heard anything about crossing the server access barrier.

> (I probably should set up 2FA right now. Have been too lazy so far)

Might be a good idea anyway :)

--
Stas Malyshev
smalys...@wikimedia.org
Re: [Wikitech-l] Security question re password resets and Spectre
No, spectre/meltdown wouldn't apply to that situation.

The meltdown/spectre vulnerabilities are all about computer programs having access to data they should not. In order to exploit, the attacker must be able to run computer programs on the victim's computer.

--
brian

On Thursday, January 4, 2018, Denny Vrandečić wrote:

> I often get emails that someone is trying to get into my accounts. I guess
> there are just some trolls, trying to log into my Wikipedia account. So
> far, these have been unsuccessful.
>
> Now I got an email that someone asked for a temporary password for my
> account.
>
> So far so good. What I am wondering is whether that password reset trial is
> actually even more dangerous now given Spectre / Meltdown?
>
> Thoughts?
>
> (I probably should set up 2FA right now. Have been too lazy so far)
>
> Happy new year,
> Denny
[Wikitech-l] Security question re password resets and Spectre
I often get emails that someone is trying to get into my accounts. I guess there are just some trolls, trying to log into my Wikipedia account. So far, these have been unsuccessful.

Now I got an email that someone asked for a temporary password for my account.

So far so good. What I am wondering is whether that password reset trial is actually even more dangerous now given Spectre / Meltdown?

Thoughts?

(I probably should set up 2FA right now. Have been too lazy so far)

Happy new year,
Denny