
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it; we don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

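The point made above about encrypted (hashed) passwords, that a copy of the password data would not let anyone log in here or anywhere else, can be shown concretely. The following is an added example, not Mumsnet's own code: it uses salted PBKDF2-HMAC-SHA256 with a high iteration count, and the record format, iteration count and sample password are this example's own assumptions. It also shows the flip side that the post relies on: a password captured as plain text by a phishing form still works, because hashing only protects what is stored, not what the user types into the wrong page.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example (not Mumsnet's settings): a slow,
# salted key-derivation function with a high "strength" (iteration) setting.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing stored record: algo$iterations$salt$digest.

    The salt is random per record, so the same password hashed on two sites
    (or twice on one site) produces two different records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the submitted password and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def leak_scenarios(password: str = "correct horse battery") -> Dict[str, bool]:
    """Contrast a leaked database record with a phished plain-text password.

    The password value is constructed for this example.
    """
    site_a = hash_password(password)   # record stored by one site
    site_b = hash_password(password)   # same password reused on another site
    return {
        # A database dump from site A tells you nothing usable about site B.
        "records_differ_across_sites": site_a != site_b,
        # Submitting the stolen record itself as a password fails everywhere.
        "stored_record_not_usable_as_password": (
            not verify_password(site_a, site_a) and not verify_password(site_a, site_b)
        ),
        # A phishing page captures the typed password, which still verifies.
        "captured_plaintext_still_works": verify_password(password, site_a),
    }


if __name__ == "__main__":
    for scenario, outcome in leak_scenarios().items():
        print("%-40s %s" % (scenario, outcome))
```

The three scenario flags are what a defender wants to be true of a password store: records differ per site and per user (salting), the record cannot be replayed as a credential, and only the original plain text verifies. That last property is exactly why a phishing page, which sees the plain text, bypasses all of it.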
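The Denial of Service figures in the post (a baseline of roughly 50-100 requests per second against around 17,000 per second during the attack, each request larger than usual) suggest a simple per-second detector over access logs. This is an added example and not Mumsnet's code or logs: the log lines are constructed inline in a minimal "timestamp client path bytes" format, and the baseline, multiplier and byte sizes are this example's assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Start time for the constructed sample (arbitrary; not a real log timestamp).
BASE = datetime(2015, 8, 11, 10, 0, 0)


def build_sample(normal_seconds: int = 5, normal_rps: int = 80,
                 flood_seconds: int = 2, flood_rps: int = 17000,
                 normal_bytes: int = 512, flood_bytes: int = 4096) -> List[str]:
    """Construct synthetic access-log lines: a quiet baseline followed by a flood.

    Format per line: "<ISO timestamp> <client IP> <path> <request bytes>".
    All IPs are documentation ranges and all values are made up.
    """
    lines = []
    for s in range(normal_seconds + flood_seconds):
        ts = (BASE + timedelta(seconds=s)).isoformat()
        flooding = s >= normal_seconds
        rps = flood_rps if flooding else normal_rps
        size = flood_bytes if flooding else normal_bytes
        for i in range(rps):
            ip = ("203.0.113.%d" % (i % 200)) if flooding else ("198.51.100.%d" % (i % 50))
            lines.append("%s %s /Talk/thread/%d %d" % (ts, ip, i % 1000, size))
    return lines


def parse_line(line: str) -> Tuple[datetime, str, str, int]:
    """Split one constructed log line into its four fields."""
    ts, ip, path, size = line.split()
    return datetime.fromisoformat(ts), ip, path, int(size)


def per_second_stats(lines: List[str]) -> Dict[datetime, Tuple[int, float]]:
    """Return {second: (request count, mean request bytes)} for the given lines."""
    counts: Counter = Counter()
    total_bytes: Counter = Counter()
    for line in lines:
        ts, _ip, _path, size = parse_line(line)
        second = ts.replace(microsecond=0)
        counts[second] += 1
        total_bytes[second] += size
    return {sec: (counts[sec], total_bytes[sec] / counts[sec]) for sec in counts}


def flag_flood(lines: List[str], baseline_rps: int = 100, factor: int = 10) -> List[str]:
    """Return the seconds (ISO strings) whose request rate exceeds baseline * factor.

    The baseline and multiplier are assumed thresholds; a real deployment would
    derive the baseline from historical traffic rather than a constant.
    """
    stats = per_second_stats(lines)
    return [sec.isoformat() for sec, (count, _mean) in sorted(stats.items())
            if count > baseline_rps * factor]


if __name__ == "__main__":
    sample = build_sample()
    for sec, (count, mean_bytes) in sorted(per_second_stats(sample).items()):
        print("%s  %6d req/s  %7.1f bytes/req" % (sec.isoformat(), count, mean_bytes))
    print("flagged:", flag_flood(sample))
```

Counting per second is the coarsest useful view; the mean request size per second is kept alongside it because the post notes that attack requests were larger than normal, and a jump in bytes per request can distinguish a flood from a legitimate traffic spike.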
TheHoneyBadger · 19/08/2015 14:22

just seen a pop up for a thread saying mumsnet hacks or some such 'what happened and what to do next'

they don't KNOW what happened. how is this responsible?

PaulMoore · 19/08/2015 14:23

@CaptainKit

The site is still vulnerable. Changing passwords and internal processes is entirely pointless until the breach point has been identified and patched. To do so (safely), the site has to go offline.

@DavidTech or @Justine

I'm trying to reach you by email. Can you please send some contact info to [email protected] ?

TheHoneyBadger · 19/08/2015 14:23

the list can't be taken down instantly as it's all over the place potentially altinkum - mumsnet however could be taken down meaning the list didn't allow them to gain further info on people from their accounts here.

but ???

Altinkum · 19/08/2015 14:26

This reply has been deleted

Message withdrawn at poster's request.

PlayingSolitaire · 19/08/2015 14:30

Just to let you know, I was just logged out in the middle of reading this thread (got an error occurred so page needed reloading message). This and other things makes me believe that THE SITE IS NOT CURRENTLY SECURE.

Also, I will ask again Mumsnet: WHAT ABOUT THE CENSUS DATA?

howtorebuild · 19/08/2015 14:38

I was redirected earlier from here to another site, when logged out.

BinToHellAndBack · 19/08/2015 14:39

Yep, solitaire there is currently something funny going on with logging on and off.

MN need to shut down. It's all very well saying vulnerable people are using it to get support etc, but what about their data being compromised? That won't help them will it?! It's a silly reason.

TheHoneyBadger · 19/08/2015 14:41

i've had that as well playing. are you on the list?

if mumsnet would close the site down whilst they got on top of this i would feel much safer. currently personal data is still being accessed.

MadrigalElectromotive · 19/08/2015 14:42

I too am worried about the census data. I filled it in as a favour to mumsnet - I get a lot of enjoyment from these forums, but it did have a lot of personal info about me which is now potentially "out there."

BinToHellAndBack · 19/08/2015 14:44

HoneyBadger I'm not sure we can be too preoccupied with 'the list'. Not on it doesn't mean not hacked, just that dadsec haven't told the world about it.

TheHoneyBadger · 19/08/2015 14:47

that's easier to say if you're not on it i suspect. those who are are sitting here worrying that potentially this minute people are matching up their email address with username and being able to search the site for their whole posting history. for those whose accounts are still accessible (as we've discovered some are) by using the info on that list there may be people in their accounts reading their pms, trawling through their namechanges etc right now.

though of course NOT being on the list doesn't mean your data hasn't been compromised, it hasn't been shared with the www yet at least.

MadrigalElectromotive · 19/08/2015 14:50

So were MNHQ also victims of the phishing attack? If not, how come their login details are on the list?

MissDuke · 19/08/2015 14:50

Can I just check - some users have mentioned that passwords required a minimum of 8 digits for some time now - is this correct?

SacredHeart · 19/08/2015 14:51

Does MNHQ have comment on DadSec's statement that the information was required from a member of their group who works for mumsnet? Seems very plausible due to the MNHQ details and deceased users on the list.

What is being done at HQ to ensure that the staff are not involved?

akkakk · 19/08/2015 14:54

for ease of use the list is here all on its own :)
www.mumsnet.com/Talk/_chat/2452283--THE-LIST-please-dont-post

forago · 19/08/2015 14:54

I agree, I don't think I have been phished and my username (only) was on there. Please tell me you are looking at internal security too.

The MN staff passwords are worrying ...

SusanMichelson · 19/08/2015 14:55

@tech:

I notice the username Flaperon on the list - I would wager that this username isn't older than a month or so. No fecker knew what a flaperon was before that Smile

If that adds anything into the timescale equation.

Piratejones · 19/08/2015 14:56

So were MNHQ also victims of the phishing attack? If not, how come their login details are on the list?

Because it wasn't obtained through phishing, regardless of what the Techs say.

BinToHellAndBack · 19/08/2015 14:56

I didn't mean that to minimise the concern of those on the list, having your name on the list is definitely hugely concerning.

I just think ALL of MN users need to be hugely concerned, and not focus on a 'off the list = safe" mentality. Who knows if there's another list posted somewhere else where or if dadsec have more user details they are working through themselves or about to post.

SusanMichelson · 19/08/2015 14:57

Can I just check - some users have mentioned that passwords required a minimum of 8 digits for some time now - is this correct?

Yep, mine was 6 digits for years and then I dereged (again) a couple of years ago and found the requirements had changed so I needed an 8 digit one.

I wasn't pleased. But I can see why they did it now.

MissDuke · 19/08/2015 14:58

Thanks - the reason I ask is that my password published on 'the list' is 7 digits and I am 99% sure it is over a year since I changed it from that

RoosterCogburn · 19/08/2015 14:58

pirate I asked that question right at the start of the thread (post 5) and it hasn't been answered.

If many of MNHQ including tech's log ins are on the list were they phished or hacked?

forago · 19/08/2015 14:58

or leaked

Piratejones · 19/08/2015 15:00

Indeed the official reason is phishing, so about 500 Mumsnet users fell for a phishing scam, including the Techs and other staff?

MadrigalElectromotive · 19/08/2015 15:01

pirate

Thanks. MNHQ are saying it is because they were caught out too:

JustineMumsnet (MNHQ) · Wed 19-Aug-15 14:56:58

UnsolvedMystery

If this was purely a phishing attack, why were 22 mumsnet staff accounts also on the list?

Well, assuming it is, they also were phished when logging in. Admins have to login too.

Confused