
More about the Technical side of the attacks on Mumsnet

77 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial of Service (DoS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DoS, though we believe it was perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as, say, your online banking service might use, for example requiring multiple passwords or using two-factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project (OWASP) top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.
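
The opening post contrasts a normal 50-100 requests per second with the roughly 17,000 per second seen during the DoS. As an added example (not Mumsnet's code, and not from the thread), the following script parses Common Log Format access-log lines, counts requests per whole second, and reports the seconds that exceed a threshold together with the busiest client addresses in them. The log lines, the addresses and the 500 req/s alert threshold are all constructed for the example.

```python
"""Per-second request-rate check over web server access logs (added example)."""
import re
from collections import Counter, defaultdict

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Alert threshold in requests per second. The post gives 50-100 as normal
# and ~17,000 during the attack; 500 is an assumed setting, not Mumsnet's.
ALERT_RPS = 500


def parse_line(line):
    """Return (client_ip, second) from a log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Timestamp looks like 19/Aug/2015:11:17:03 +0100; bucket on the part before the zone.
    second = m.group("ts").split(" ")[0]
    return m.group("ip"), second


def rate_report(lines, threshold=ALERT_RPS):
    """Count requests per second; return only the seconds above the threshold.

    Result shape: {second: {"requests": n, "top_clients": [(ip, count), ...]}}
    """
    per_second = Counter()
    clients = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparsable lines rather than abort the whole run
        ip, second = parsed
        per_second[second] += 1
        clients[second][ip] += 1
    return {
        second: {"requests": n, "top_clients": clients[second].most_common(3)}
        for second, n in sorted(per_second.items())
        if n > threshold
    }


def sample_log():
    """Constructed sample: one normal second (60 requests from 20 addresses)
    followed by one flooded second (800 requests from 4 addresses)."""
    lines = [
        f'203.0.113.{i % 20} - - [19/Aug/2015:11:17:03 +0100] "GET /Talk HTTP/1.1" 200 5120'
        for i in range(60)
    ]
    lines += [
        f'198.51.100.{i % 4} - - [19/Aug/2015:11:17:04 +0100] "POST /Talk HTTP/1.1" 503 -'
        for i in range(800)
    ]
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for second, info in rate_report(sample_log()).items():
        print(second, info["requests"], "req/s, busiest clients:", info["top_clients"])
```

A raw per-second count is only a first signal: in a real deployment the threshold comes from the site's own baseline, and the number of distinct clients and the size of each request (the post notes the attack requests were unusually large) are worth tracking alongside it.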
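
The post also explains the XSS route: if user-supplied text reaches other users' pages unescaped, the attacker can alter the login flow. As an added example (not Mumsnet's code), here is the defensive side of that: a deliberately unsafe renderer that interpolates user text verbatim, next to a hardened one that HTML-escapes text and attribute values and only accepts http/https link targets, plus a Content-Security-Policy for the login page whose `form-action 'self'` directive stops the form being made to post elsewhere. The sample post body, the link and the header values are constructed assumptions.

```python
"""Escaping user content before it reaches other users' pages (added example)."""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url):
    """Return the URL if it is an absolute http(s) link, else None."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return url
    return None


def render_post_unsafe(author, body, link=None):
    """The pattern that leads to stored XSS: user text interpolated verbatim."""
    anchor = f'<a href="{link}">link</a>' if link else ""
    return f'<div class="post"><b>{author}</b><p>{body}</p>{anchor}</div>'


def render_post(author, body, link=None):
    """Hardened form: escape text and attribute values, allowlist link schemes."""
    anchor = ""
    if link is not None:
        href = safe_href(link)
        if href is not None:
            anchor = f'<a href="{html.escape(href, quote=True)}" rel="noopener">link</a>'
    return (
        f'<div class="post"><b>{html.escape(author)}</b>'
        f'<p>{html.escape(body)}</p>{anchor}</div>'
    )


def login_page_headers():
    """Response headers for a login page (assumed policy, not Mumsnet's).

    form-action 'self' means the browser refuses to submit any form on the
    page to another origin, even if markup on the page has been tampered with.
    """
    return {
        "Content-Security-Policy": "default-src 'self'; form-action 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample: a post body carrying a script tag and a javascript: link.
SAMPLE_BODY = "Hello <script>/* attacker-controlled code */</script>"
SAMPLE_LINK = "javascript:void(0)"

if __name__ == "__main__":
    print(render_post_unsafe("poster", SAMPLE_BODY, SAMPLE_LINK))
    print(render_post("poster", SAMPLE_BODY, SAMPLE_LINK))
```

Escaping at output time is the part that matters for the scenario in the post; the CSP header is a second layer that limits the damage if an escaping bug slips through code review.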

JustineMumsnet · 19/08/2015 11:47

Ok so lots of further questions here - I'm going to defer to tech team rather than give you a layman's response so I've asked them to take a look.

DavidTech · 19/08/2015 12:01

@TheHoneyBadger

this is still not up to date. data has been accessed that hasn't been used as log in data for a long time so that didn't come from phishing.

also some accounts are still accessible using the log in details on that list that has been published as people have informed mnhq and the log in page is still not secure.

what would it take for you to shut the site down?

This is a pretty fast moving situation. The hacking has been going for a while of course, but the list was only published last night and the information from users about the contents of the list is still coming thick and fast. I apologise if it's not completely up to date. People are working around the clock on this.

There are a few possibilities. We need quite firm evidence of the data being old. If anybody has any information about that, e.g. it's a password that you've not used for more than several weeks, then please send that information to [email protected].

If people have reset their password to the same as it was, perhaps because they've not yet received the email about the hack, then they (or anyone) would be able to login using the details on that list. We are working on enhancing the password requirements and when that's ready there will likely be another password reset. We will also check against that list to make sure that people aren't reusing those passwords.

The login page is secure. There is a small problem whereby some of the things on the page are being served using HTTP, rather than HTTPS, which is why the padlock is yellow rather than green.
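
The yellow padlock described above is the browser's mixed-content warning: the page itself was served over HTTPS but some of its subresources were referenced over plain HTTP. As an added example (not Mumsnet's code), the script below walks a page's HTML with the standard-library parser, resolves relative and protocol-relative URLs against the page URL, and lists every script, stylesheet, image, iframe or form target that would load or submit over http://. The sample login page and its hostnames are constructed.

```python
"""Mixed-content check for an HTTPS page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute that carries the subresource URL
URL_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "link": "href",
    "form": "action",
}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # Only stylesheet <link>s are fetched as page resources; skip icons, canonical etc.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        raw = attrs.get(attr)
        if not raw:
            return
        # Resolve "/x", "x" and "//host/x" against the page URL before checking the scheme.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved))


def find_mixed_content(page_url, html_text):
    """Return [(tag, url)] for subresources that would load or post over plain HTTP."""
    finder = MixedContentFinder(page_url)
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed login page: the stylesheet and form are fine, but one script and
# one image are referenced over HTTP, which is enough to downgrade the padlock.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://static.example.invalid/site.css">
<script src="http://static.example.invalid/analytics.js"></script>
</head><body>
<form action="/Login" method="post">
  <input name="username"><input name="password" type="password">
</form>
<img src="//static.example.invalid/logo.png">
<img src="http://ads.example.invalid/banner.gif">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.invalid/Login", SAMPLE_PAGE):
        print(f"{tag}: {url}")
```

Resolving against the page URL matters: a protocol-relative `//host/path` reference inherits HTTPS and is harmless, while an absolute `http://` reference to the same host is what triggers the warning. Resources pulled in by scripts or CSS at runtime are not visible to a static parse like this, so a browser's developer console remains the final check.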

DavidTech · 19/08/2015 12:05

@ItsAllGoingToBeFine

There have been some posts suggesting deceased users were on the list, or very old usernames no longer in use - how does this tally with a recent phishing attack?

It has been suggested by the hacker that this was an "inside job" - have you investigated this possibility?

If people have firm details of instances of this please send them to [email protected] for the attention of tech.

The "inside job" accusation is very recent. I'll leave Justine to comment on that, but we are certainly not aware of it being the case.

DavidTech · 19/08/2015 12:11

@UnbelievableBollocks

The published list has shown that you appear not to have password complexity rules for users with administrative rights within your systems.

What will you do to address this, and how was it allowed when IT security 101 is decent password complexity.

There has always been a requirement for at least 8 characters, which is actually OWASP's recommendation. We added complexity requirements for admin staff last week and that will be added for users very soon.

DavidTech · 19/08/2015 12:14

@ifigoup

Someone on another thread said that they are on the list, but never log in through a login page: they are permanently logged on and access MN via an old tab they've had open for months and months. It therefore seems very unlikely that the hacker could have accessed their info via a recent phishing expedition, yet there it is on the list.

Please send any such information, with as much detail as possible, to [email protected] and they'll forward it on. To be honest this sounds very unlikely, given the number of people complaining about constantly being logged out.

DavidTech · 19/08/2015 12:18

@TheHoneyBadger

i'm another who never logs in through a log in page but a bookmark to a thread and only changed my password when logged out by mn and did a reset password (which i did without re-entering my old one). yet my name is on that list with my old password.

Have you never been logged out in recent weeks - lots of people have complained about being logged out?

DavidTech · 19/08/2015 12:20

@MeetMeInTheMorning

"the list was only published last night and the information from users about the contents of the list is still coming thick and fast."

but I thought by forcing a reset then NONE of the details would work? It doesn't make sense for MNHQ to say none of the passwords will work but others to say that some of them still do.

By forced re-set do you mean that the onus is still on people to re-set and so if people are away or unaware of the situation their accounts are still vulnerable?

None of the details would work after yesterday's forced reset, unless the user then goes in and resets their password to be the same as it used to be.

The reset happened regardless of user action - i.e. it's NOT the case that we ask people to reset and then they have to go and do it. The reset happened anyway and people then can only access by requesting a link via email.

JustineMumsnet · 19/08/2015 12:20

@DavidTech

[quote ItsAllGoingToBeFine] There have been some posts suggesting deceased users were on the list, or very old usernames no longer in use - how does this tally with a recent phishing attack?

It has been suggested by the hacker that this was an "inside job" - have you investigated this possibility?

If people have firm details of instances of this please send them to [email protected] for the attention of tech.

The "inside job" accusation is very recent. I'll leave Justine to comment on that, but we are certainly not aware of it being the case.[/quote]

We have no reason to believe it was an inside job - Mumsnet staff don't have access to passwords and haven't for some time. The list included passwords from some newer HQ members - so it's definitely not just an old list from pre-encryption times.

DavidTech · 19/08/2015 12:22

@TheHoneyBadger

this is not recent anyway - this is a week long i'm told attack. including an individual's home being targeted for her association with mn (regardless of whether the address was directly lifted from here or found elsewhere as a result of being targeted due to this situation on here).

We've been working around the clock since Tuesday evening last week. The recent part is the publishing of passwords, which happened late last night and has been worked on ever since.

JustineMumsnet · 19/08/2015 12:32

@TheHoneyBadger

it really isn't i agree.

also can we have confirmation that it is just a 'coincidence' that maryz finds herself blocked from mn? i really hope it is that rather than some kind of punishment for speaking, quite rightly as it turns out, about the inadequacy of the response to this security breach.

Definitely not been blocked.

JustineMumsnet · 19/08/2015 12:40

@TheHoneyBadger

so why is the site still up? have you read that people have been using details on that list to successfully access other people's accounts?

please explain the rationale of leaving the site up KNOWING THIS.

is it money?

No it's not money. The site is also still being used by people with genuine issues and problems - there was a thread going on last night at exactly the same time as the hacker was here, started by someone looking for support because her dh had committed suicide.

We believe we have taken reasonable steps to ensure data security given what we know and when we knew it. If we shut the site down then the hacker has succeeded in shutting down a very useful site that is predominantly a space for women. And no site can guarantee complete security but ultimately if you feel compromised or worried then you can and should leave because we're here to make folks easier, not the reverse.

JustineMumsnet · 19/08/2015 12:41

@MardyBra

Hope you and your family are ok Justine Flowers

Thanks Mardy - family all fine - if somewhat neglected.

JustineMumsnet · 19/08/2015 12:42

@Altinkum

*davidtech*

when posters are being forced to password change, can you put an alert message on stating it has to be a new password? not the old one!

many posters, as many have said, still do not know the site is under attack.

Yes we can and will add extra messaging in the next little while. Thanks.

DavidTech · 19/08/2015 12:44

@TheHoneyBadger

is it strange that all the onus to trawl lists, check whether data published is up to date or old, whether members are active (re: they can't have been phished if they haven't been on here for months etc) is on individuals not the org that has been hacked?

is there no way for mn to test their hypothesis that it's just info gotten by phishing by checking that all the users on that list are actually active?

i'm genuinely surprised how little responsibility seems to fall to the data holder. baffled that you're still online waiting for us to provide evidence to you that it's not secure rather than taking it offline until you can verify it.

not trying to be offensive just to understand and to register that i for one find this totally unacceptable.

The onus is not on you to do anything other than set a good strong password (which we will enforce, very soon). We have been analysing this situation for a week and continue to do so. There is a huge amount of data involved and it takes time. Some of the tech team are very experienced, and we're using external help, but we don't, of course, have infinite resources. If people can provide extra information that's really great and we're appreciative of it. That's why I've suggested that if you do have something that you think might be useful, like finding account details for an account that hasn't been used for a long time, it would be really kind of you to let us know. Thanks.

DavidTech · 19/08/2015 12:49

@LivinLaVidaLoki

This did not happen this time, I have been happily mooching about on MN using the login/password that has been shared using the app, none the wiser about anything that has gone on until I happened to check an old email address (purely by fluke) and noticed the reset password email (about 8.30 this morning), so that is when I changed my password.

Up until then I had just been continually logged in on my app, not shut out, no 'fail to login', just me, pissing about looking at the "Threads I'm on" on the app.

Existing login sessions were maintained. Passwords were definitely reset.

DavidTech · 19/08/2015 12:50

@Queenbean

None of the details would work after yesterday's forced reset, unless the user then goes in and resets their password to be the same as it used to be.

That's a pretty basic error on your part isn't it - passwords shouldn't be able to be changed to the previous one - everyone should have been forced to have a new password

It was an urgency thing. That is being implemented now.
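
Several replies in this thread describe the password handling: passwords are stored only as salted, slow hashes with "high strength" settings (the opening post), a reset should refuse the previous password (the exchange just above), the minimum length is 8 characters, and new passwords are to be checked against the published list. As an added example (not Mumsnet's code), the block below puts those checks together using PBKDF2-HMAC-SHA256 from the standard library, one of the recommended password hashing algorithms. The stored record layout, the iteration count, the usernames and the sample exposed list are all assumptions constructed for the example.

```python
"""Password storage and reset-policy checks (added example)."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # "high strength" setting; assumed value, tune to your hardware
MIN_LENGTH = 8


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash (hex fields).

    A fresh random salt per user means identical passwords get different records,
    and the slow KDF is what makes the stored data useless to whoever obtains it.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time.

    Nothing is ever decrypted; this is the only operation the stored record supports.
    """
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def check_new_password(username, new_password, current_record, exposed_credentials):
    """Return the reasons a reset must be rejected; an empty list means it is acceptable.

    exposed_credentials: set of (username, password) pairs from a published list.
    """
    reasons = []
    if len(new_password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if current_record is not None and verify_password(new_password, current_record):
        reasons.append("same as the previous password")
    if (username, new_password) in exposed_credentials:
        reasons.append("appears on the published list")
    return reasons


# Constructed sample: one user's current record and a two-entry exposed list.
EXPOSED = {("alice", "summer2015"), ("bob", "passw0rd1")}
ALICE_RECORD = hash_password("summer2015")

if __name__ == "__main__":
    for candidate in ("summer2015", "short", "correct horse battery"):
        print(candidate, "->", check_new_password("alice", candidate, ALICE_RECORD, EXPOSED) or "ok")
```

Checking against the previous password requires the old record to still be on hand at reset time, which is why a reset that simply clears the record cannot enforce it. If a published credential list is retained for this kind of check, it is itself sensitive and should be held as hashes rather than plaintext.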

DavidTech · 19/08/2015 12:51

@ItsAllGoingToBeFine

The reset happened regardless of user action - i.e. it's NOT the case that we ask people to reset and then they have to go and do it. The reset happened anyway and people then can only access by requesting a link via email.

You may have reset everyone's passwords, but you should have forced everyone to log out too.

For good reasons I'm not going to go into we elected not to do this. We may yet.

JustineMumsnet · 19/08/2015 13:01

@WorraLiberty

I don't know if it's of any help, but my password on the list was definitely the one I used before the forced change.

Also DavidTech I know you've got a million and one things to do, but is there any chance of giving us a 'delete all' button for PMs?

I've just had to delete PMs (both sent and received) individually and some of them dated back to 2011.

It took ages to check all the boxes.

Will look into this - i.e. how long it would take - and report back pronto

DavidTech · 19/08/2015 13:01

@MaudGonneMad

I've just logged in, and noticed the warning on the log-in page to make sure that the browser address has https:// in front of the www.mumsnet.com. So I pasted in the https bit, but it defaulted back straight away to www.mumsnet.com

Have I been phished?

No. If you manually type in HTTPS and visit a page other than the login ones you'll be redirected to HTTP.

DavidTech · 19/08/2015 13:03

@Altinkum

*davidtech*

when posters are being forced to password change, can you put an alert message on stating it has to be a new password? not the old one!

many posters, as many have said, still do not know the site is under attack.

Yes, we are doing that. It's not ready yet but it will be in our next update.

@UnbelievableBollocks

There has always been a requirement for at least 8 characters, which is actually the OWASP's recommendation.

They may have been recommendations, but it's established good practice that admin passwords should be more complex, regardless of whether you have enforced complexity rules. It's a bit like having the best safe money can buy, with a lock combo of 00000000 because the recommendation is a code of 8 numbers. It's valid, but bonkers.

Hey ho!

Absolutely. Some of those passwords were woefully inadequate. Again, without giving away too much, for what it's worth, MNHQ did recently do a whole-company session on data security.

JustineMumsnet · 19/08/2015 13:03

@Thisisbonkers

I only found out about this via a (completely unrelated!) Facebook group. I only use one or two of the talk sections and there are probably many more like me. I think you need to pin something everywhere that people can see.

I was forced logged out yesterday, was somewhat confused when my 'remembered' password wouldn't work. So hit the reset link and set it back to what i thought it was. I now need to change that again (!) but there was no mention of any hacking.

I'm on 'a' list. It's a bit unsettling to be honest.

It has been pinned on active conversations, top of chat and aibu threads (most trafficked parts of site) plus home page and site stuff. Plus we've emailed reg users. But will check all still in place as original thread maxed out.

JustineMumsnet · 19/08/2015 13:06

@LauraGrooves

There was no requirement for passwords to be 8 characters until recently.

I used to have a 6 character all letters for ages.

Does seem like a mixture of very outdated custom technology, and a real lack of any planning of what to do after a data leak and very bad communication. Failing on many sides but does sound at least like the passwords were decently encrypted so these probably haven't been stolen.

Pretty shocking failings considering the popularity.

With hindsight we do wish we'd enforced stronger password protocol for sure but then hindsight is a wonderful thing. Not sure we could have done more with communication given what we knew when.

DavidTech · 19/08/2015 13:07

@MaudGonneMad

Sorry DavidTech, I don't understand.

Have I logged in securely or not? Why the notice to log in via https if we are redirected to http?

You are redirected to HTTP after you've logged in, or if you put HTTPS in a URL which isn't a login one.

JustineMumsnet · 19/08/2015 13:18

@ItsAllGoingToBeFine

There should be a live blog style post. Would save having all these confusing threads and save email being clogged up with the same questions.

Agree. If you haven't been following this since the beginning, and aren't following the several threads, you miss information and people are asking stuff over and over again.

Can MNHQ sticky one thread to the top of all pages, lock the thread so it can't be posted in, and C&P all MNHQ posts on the issues into one post, and keep editing and updating the one post, newest information at the top.

Yes we'll get on this.

DavidTech · 19/08/2015 13:23

@Skullyton

Can i bring this to peoples attention again!

"To be honest this sounds very unlikely, given the number of people complaining about constantly being logged out."

But were they actually being logged out?

I can name at least one occasion in the last week or two where in the middle of a thread i refreshed and suddenly got 'logged out'. i clicked the log in page, and then changed my mind and just refreshed MN altogether, and lo and behold, was still logged in.

This has to have been a phishing redirect, right?

Clicking logout really did log you out, but some of the "Oh hold on, I've been logged out" were cases where you hadn't been. This was a bug which related to people appearing to be logged out when they were on a CONTENT page (i.e. the home page, or say, /babies) not a TALK page. So there were two things going on here - that bug, plus another whereby the "remember me" option wasn't working properly.
