
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it, so we don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

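The XSS route described above works only if user-supplied text reaches other users' browsers as live markup. As an added illustration (not Mumsnet's code, and making no claim about how the Talk renderer actually works), the block below shows the unsafe pattern beside the standard hardening: HTML-encode everything a user submits before it is placed in the page, and send a Content-Security-Policy header so that injected inline script would not run even if encoding were missed somewhere. The post text is a constructed sample.

```python
import html
import re

# Constructed sample of a post body (not taken from the thread): ordinary text
# followed by an inline script element of the kind XSS relies on.
SAMPLE_POST = "Great tip! <script>alert('xss')</script>"


def render_unsafe(post_body: str) -> str:
    """The 'before' pattern: user text dropped straight into the page markup,
    so any <script> in it becomes a real script element for every reader."""
    return f"<div class='post'>{post_body}</div>"


def render_safe(post_body: str) -> str:
    """Hardened rendering: HTML-encode the text so '<', '>', '&' and quotes are
    shown as characters, never interpreted as tags or attributes."""
    return f"<div class='post'>{html.escape(post_body, quote=True)}</div>"


def security_headers() -> dict:
    """Defence in depth: a Content-Security-Policy that only permits scripts
    loaded from the site's own origin, so inline or third-party script that
    slipped past encoding would still be refused by the browser."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_live_script(markup: str) -> bool:
    """Demo check only: does the rendered markup still carry a real <script> tag?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_POST))
    print("safe   :", render_safe(SAMPLE_POST))
    print("live script in unsafe output:", contains_live_script(render_unsafe(SAMPLE_POST)))
    print("live script in safe output  :", contains_live_script(render_safe(SAMPLE_POST)))
```

Encoding at output time, in the template layer, is the fix that scales: it does not depend on spotting every dangerous pattern in input, which is why filtering on the way in is not a substitute for it.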
TooScaredToPostPostHack · 19/08/2015 15:01

I was on the list and have name changed today. If it helps, I regularly change usernames, think I've at least nearly 50. I've checked and the only name that appeared on the list was the name/password I was using up until yesterday, so no old data for me, and I have been made to re-log in recently. No idea when, thought it was strange at the time but just thought it was a hiccup.
I think you've dealt with it well, I was emailed promptly, and would rather time was taken to make things safe than change the website. I also think the website should stay running.

SusanMichelson · 19/08/2015 15:03

Some of the stuff cited on Twitter by this twat has turned out to be accurate. (not sure about the bit where he said he had my password in plain text - I'm not on the published list so far) but anyway, the fact he is alluding to a member of MNHQ being in on it is worth taking seriously IMO. Not sure what he would gain from posting that whether it is true or not, but even so.

MN has gotten so big over the last few years and required so many more staff to cope. Could it be someone who used to work there?

Sorry, Sofie Grabol hat on today - no offence Smile

forago · 19/08/2015 15:04

Doesn't explain why their emails (only) were collected too does it? Do admins have to supply email address?

JustineMumsnet · 19/08/2015 15:05

@RoosterCogburn

pirate I asked that question right at the start of the thread (post 5) and it hasn't been answered.

If many of MNHQ including tech's log ins are on the list were they phished or hacked?

MNHQ passwords aren't stored in plain text but encrypted - no one, not even admins can see them - so a hack wouldn't reveal passwords.

SusanMichelson · 19/08/2015 15:07

MNHQ passwords aren't stored in plain text but encrypted - no one, not even admins can see them - so a hack wouldn't reveal passwords.

Uh...unless said hacker had an encryption key with which to decode the code?

starsandmoonandback · 19/08/2015 15:08

I'm using the app to post. I can't check the https setting, so do I need to worry about security? I did have to reset password yday. Thanks for any info re this Smile

RoosterCogburn · 19/08/2015 15:08

Thanks Justine.
So in effect they also fell for the phishing page.
LisaMumsnet really needs a lesson in password setting

PaulMoore · 19/08/2015 15:08

@SusanMichelson

Hashes cannot be "decoded". Ignore the phrase "encryption", it's a misnomer. Passwords go through a 1-way algorithm which cannot be reversed.
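Justine's opening post and Paul's reply both turn on the same property: a properly stored password is a salted one-way hash, so a copy of the database yields nothing that logs in anywhere, and a hash verifies only the exact password, never a mistyped one. The block below is an added example of that scheme using PBKDF2-HMAC-SHA256 from the standard library; it is not Mumsnet's code, and the iteration count and passwords are constructed values, not the site's settings.

```python
import hashlib
import hmac
import os
from typing import Optional

# The "strength" setting: how many times the hash is iterated. 600_000 is a
# constructed example value (the current OWASP guidance for PBKDF2-SHA256),
# not Mumsnet's real configuration.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Produce the stored record: a random per-user salt plus the one-way hash.
    The password itself is never written anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate with the stored salt and compare in
    constant time. There is no 'decode' step: the only way to check a password
    is to hash it again."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> dict:
    """Constructed scenario: one user registers, a second user happens to pick the
    same password, and the first user then logs in once correctly and once with a
    typo. Returns the observations the thread's argument rests on."""
    user_a = hash_password("correct horse battery")
    user_b = hash_password("correct horse battery")
    return {
        # The stored record contains no plaintext.
        "plaintext_in_record": "correct horse battery" in user_a.values(),
        # Same password, different salt: the two records do not match each other.
        "same_password_same_hash": user_a["hash"] == user_b["hash"],
        # Only the exact password verifies.
        "correct_login": verify_password(user_a, "correct horse battery"),
        # A mistyped password fails: the database never 'knows' mistyped ones,
        # which is why typos in a leaked list point to capture at entry.
        "mistyped_login": verify_password(user_a, "correct horse batery"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-user salt is what makes the "wouldn't work on any other site" point hold even for reused passwords: two sites (or two users) hashing the same password produce unrelated records, so a stolen record from one is no shortcut elsewhere.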

SusanMichelson · 19/08/2015 15:09

Thanks Paul. Ok can forget about that then.

ItsAllGoingToBeFine · 19/08/2015 15:09

Generally speaking the list is entirely unsorted - except that all the Mumsnet addresses are at the top. If this is a direct dump of a file that has been created somehow, does the ordering give any insight? Also the MNHQ details don't have an IP address...?

JustineMumsnet · 19/08/2015 15:11

@RoosterCogburn

Thanks Justine. So in effect they also fell for the phishing page. LisaMumsnet really needs a lesson in password setting

Yes this is a good point - we do have regular security sessions but we will be enforcing stronger passwords both for users and mnhqers - that update coming soon.

MissDuke · 19/08/2015 15:13

rooster maybe Heather could give her a lesson, hers is awesome Grin

forago · 19/08/2015 15:13

Didn't they say the encrypted passwords are also stored as well as the hashes?

ifigoup · 19/08/2015 15:14

Everyone should be aware that, per this thread, although there was supposed to have been a site-wide password reset, some users are still able to log in with their old passwords, AND it's still possible to log in to the accounts of some of those whose username + pw combinations are on The List: www.mumsnet.com/Talk/site_stuff/2452268-CAN-YOU-CONFIRM-THERE-HAS-BEEN-A-FORCED-PASSWORD-CHANGE?pg=1&order=

ChristineDePisan · 19/08/2015 15:15

@Justine - is there anything really useful that MNers can do right now to help you and Tech?

Flipperons · 19/08/2015 15:18

I notice the username Flaperon on the list - I would wager that this username isn't older than a month or so. No fecker knew what a flaperon was before that.

You are correct. I changed to that just a couple of weeks ago. :) Shame, I rather liked the word.

I have never bookmarked MN, I go to it by typing in the url or clicking on the history dropdown in my browser bar.

The only link I would have clicked on would have been within MN itself in a thread.

MissDuke · 19/08/2015 15:21

About the password reset - I was being lazy and couldn't be bothered - without realising the problem - and so clicked on log in with FB Blush which worked. I only changed my password this morning when I realised what was going on.

JustineMumsnet · 19/08/2015 15:27

[quote ChristineDePisan]@Justine - is there anything really useful that MNers can do right now to help you and Tech?[/quote]

Thanks Christine for the question.
First, anyone who saw their password on the list and it was an old one that they hadn't used recently should get in touch with us via email please. The best email address for this is [email protected]

We're inundated with mails to [email protected] - please only send if you really need to and bear with us - we're not going to get back to you as quickly as usual but we will get to every query in time.

Don't panic! - we are doing a FAQs page now and will keep it updated and publicise it widely, so do check that for latest info.

howtorebuild · 19/08/2015 15:27

Either via here or the Twitter link, a phone has gone now. I know someone who has been locked out of mn, their email for a week and has now had their phone hacked. They were on the thread when the hacker first came on. They could view mn, just not login. They looked at the link to the list on Twitter.

SusanMichelson · 19/08/2015 15:39

Flip - and a great name it was too! Smile

Talking of which, this whole debacle has kept me off the PPRuNe today, I haven't been on it once.

Roussette · 19/08/2015 15:39

Somewhere someone posted about good Password Keepers - I thought it was a techy bod from MN and on this thread but I've searched this and every other hacker type thread and can't find it... can anyone remember?

CarriesBucketOfBlood · 19/08/2015 15:42

howtorebuild can you elaborate what you mean when you say 'a phone has gone'. What has actually happened? There are presumably lots of non mumsnetters who have looked at the list via Twitter. It has been referenced by many news outlets.

ItsAllGoingToBeFine · 19/08/2015 15:42

LastPass generally comes up top in reviews (but was hacked recently, probably still up there though)

howtorebuild · 19/08/2015 15:45

Suddenly a guy in a suit appeared, then loads of popups and links to remove a virus.

DadfromUncle · 19/08/2015 15:52

MNHQ passwords aren't stored in plain text but encrypted - no one, not even admins can see them - so a hack wouldn't reveal passwords.

Hang on - I thought the story was that NO-ONES password was stored in plain text?

You haven't answered the question about how the MNHQ passwords were obtained - presumably you think via Phishing, since this was how all of ours are supposed to have been obtained (which BTW many of us 100% doubt). Or if not by Phishing - how?

Are MNHQ passwords stored differently? Why?