More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial of Service (DoS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DoS, though we believe it was perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as, say, your online banking service might use, for example requiring multiple passwords or using two-factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project (OWASP) Top Ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

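The post's key forensic argument is that a list containing mistyped versions of a user's password cannot have come from a properly hashed password table, because the table stores one derived value per user and never the typo a user made on the way in. That check can be run mechanically over a leaked list. What follows is an added example, not Mumsnet's code or any analysis they published; the credential records are constructed for illustration and the function names and the two-edit threshold are my own choices.

```python
"""Spot typo variants in a leaked credential list.

Added example, not code from the original post. A capture made at
submission time (phishing page, keylogger, hijacked form) records
whatever the user typed, including mistakes and retries; a dump of a
hashed password table holds exactly one value per user and no
near-duplicates. The records below are constructed, not real data.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample of what a phishing page's capture log could look like.
CAPTURED = [
    ("alice", "Correct-Horse-9"),
    ("alice", "Corect-Horse-9"),   # one-character typo, then retried
    ("bob",   "hunter2"),
    ("carol", "Pa55word!"),
    ("carol", "Pa55word!!"),       # extra character on a retry
    ("dave",  "sunshine"),
    ("dave",  "mountain"),         # unrelated second password, not a typo
]


def edit_distance(a, b):
    """Levenshtein distance using the two-row dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typo_variants(records, max_distance=2):
    """Return (user, pw1, pw2, distance) for every pair of distinct
    passwords recorded for the same user that are within max_distance
    edits of each other. Such pairs are the 'mistyped' entries the post
    refers to."""
    by_user = defaultdict(list)
    for user, pw in records:
        if pw not in by_user[user]:
            by_user[user].append(pw)
    hits = []
    for user, pws in by_user.items():
        for p1, p2 in combinations(pws, 2):
            d = edit_distance(p1, p2)
            if 0 < d <= max_distance:
                hits.append((user, p1, p2, d))
    return hits


def looks_like_capture_log(records, max_distance=2):
    """True if the list contains at least one typo variant, which a
    hashed password table cannot produce."""
    return len(typo_variants(records, max_distance)) > 0


if __name__ == "__main__":
    for user, p1, p2, d in typo_variants(CAPTURED):
        print(f"{user}: {p1!r} vs {p2!r} (distance {d})")
    print("capture at entry time:", looks_like_capture_log(CAPTURED))
```

The threshold of two edits is deliberately tight: a user who entered two genuinely different passwords (dave above) is not a typo case and says nothing about where the list came from, whereas a single-character slip followed by a successful retry is exactly the signature a hashed store cannot contain. The heuristic is evidence, not proof: a phishing log with no typos in it would simply go undetected by this check.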
SkullyCat · 19/08/2015 11:22

some people have said that they have not been forcibly logged out and that their old password still works.

Why is that? If you created a forced reset, shouldn't it have logged everyone out of everything?

BishopBrennansArse · 19/08/2015 11:24

Hi Justine. I don't know if this is relevant, and I have mailed Becca, but someone has tried to access an email account today. It's not the one I use here now though, it's a very old one I used when I first joined MN back in the age where all this was just fields.

Might just be coincidence but thought I'd make you aware. I'm having an internet security day today (oh joy!)

TheHoneyBadger · 19/08/2015 11:24

this is still not up to date. data has been accessed that hasn't been used as log in data for a long time so that didn't come from phishing.

also some accounts are still accessible using the log in details on that list that has been published as people have informed mnhq and the log in page is still not secure.

what would it take for you to shut the site down?

Powaqa · 19/08/2015 11:25

I see that a couple of people have posted that a couple of those names on the list are sadly deceased - how does that tie in with phished log ins?

RoosterCogburn · 19/08/2015 11:25

As passwords of mumsnet admins were on the list does that mean they too fell foul of the phishing page?

ItsAllGoingToBeFine · 19/08/2015 11:25

There have been some posts suggesting deceased users were on the list, or very old usernames no longer in use - how does this tally with a recent phishing attack?

It has been suggested by the hacker that this was an "inside job" - have you investigated this possibility?

TheHoneyBadger · 19/08/2015 11:26

it doesn't powaqa - exactly. same as people who've had email addresses published they haven't used as log ins for a long time.

PeggyCarter · 19/08/2015 11:27

This reply has been deleted

Message withdrawn at poster's request.

Altinkum · 19/08/2015 11:27

This reply has been deleted

Message withdrawn at poster's request.

Powaqa · 19/08/2015 11:29

Rooster - including Tech !! Shock

Altinkum · 19/08/2015 11:30

This reply has been deleted

Message withdrawn at poster's request.

PoppyBlossom · 19/08/2015 11:30

Do you believe your site is absolutely safe and secure today? Because unless you can categorically state it is, what the hell are you doing online making users provide you with even more data?

wannaBe · 19/08/2015 11:31

Can you sticky this thread?

headlesslambrini · 19/08/2015 11:32

Can you centrally delete identifying information from user accounts or blank it out? Until you have all of your security in place, this would be a cautious move to protect all users who are not tech savvy, away on holiday and unaware this is going on, vulnerable in other ways etc. Post codes, email addresses etc.

I cannot delete or change my children's details in my account, can this be looked at as a matter of priority?

TheWildRumpyPumpus · 19/08/2015 11:34

I wondered about people who have given MNHQ their address as part of product tests or competition winners - is this information stored anywhere?

Hulababy · 19/08/2015 11:35

PoppyBlossom Wed 19-Aug-15 11:30:19
Do you believe your site is absolutely safe and secure today?

I am not sure ANY site can ever totally 100% declare that, do you?

howtorebuild · 19/08/2015 11:35

What was the gift he sent and why did you choose when you did to reset passwords?

I don't blame you mnhq.

tribpot · 19/08/2015 11:36

Thank you for the update. These are my questions, although you don't need to answer any here that you feel might give Jeffrey any more ideas.

Are the general login problems that have dogged the site for weeks completely separate from this attack? How could you be sure?

Jeffrey was able to modify posts, was this by phishing MNHQ account details?

Have you reported yourselves to the ICO?

Why not disable non-social account logins?

I find the fact that you can't put a stronger password solution in place quickly very concerning - I've been assuming the Tech team were as aware of how archaic most of the site is and it was 'the management' who failed to understand the need to invest in IT. Thus you would have proposed better pwd management in the past and be in a position to move.

Is the site shut to new registrations? If not, why not?

OhYouBadBadKitten · 19/08/2015 11:36

Please can you consider temporarily removing the pm database. that would go a long way to alleviate peoples concerns.

PencilShavings · 19/08/2015 11:36

This reply has been deleted

Message withdrawn at poster's request.

MeetMeInTheMorning · 19/08/2015 11:38

I have checked my history on all my phones, tablets, PC and can't see any evidence of being re-directed to a phishing site but perhaps I am not getting how it is done.

the following is a very good question

"As passwords of mumsnet admins were on the list does that mean they too fell foul of the phishing page?"

how come all the admin/mods and some Tech were taken in by the phishing page too?

Saymwa · 19/08/2015 11:38

Thanks for the update on the info. I feel confident that you take and have taken the quality of our code very seriously.

Also, whilst it's important that we take responsibility for our own information and don't keep the same id and passwords for all our internet connections, I am happy that you've reminded us that:

the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

Puts things in perspective a bit :)


ScrambledSmegs · 19/08/2015 11:39

I'm really annoyed about the whole phishing angle actually. I've supposedly got anti-phishing software on my laptop and fraudulent website warnings activated on my phone, so how on earth was it not flagged up as a problem?!

I'm on the list twice so something somewhere has failed quite badly.

ItsAllGoingToBeFine · 19/08/2015 11:39

I am not sure ANY site can ever totally 100% declare that, do you?

No, but the fact that they don't know how the passwords were harvested suggests that they can't even say that they think things are locked down now...

TheHoneyBadger · 19/08/2015 11:40

yes but the user doesn't put their password and IP address and email with that info they put on talk do they? they do it with confidence in fact that those things are not, and cannot be connected.
