More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and re-analyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial of Service (DoS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DoS, though we believe it was perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as, say, your online banking service might use, for example requiring multiple passwords or using two-factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas a list collected by recording what a user submits would, and does, contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of website security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

iamaboveandBeyond · 19/08/2015 19:37

I've had similar, annoyed, except mine is just Beyond. I've never been just Beyond...!

AnnoyedParent22 · 19/08/2015 19:43

That's so weird iamabove.

I have just reported my post to MNHQ. I know they are mega busy at present and may take a while to look into it but I was concerned that my account had been hacked in some way...

Or maybe I am just being paranoid... but it is strange and has never happened before to my knowledge.

TendonQueen · 19/08/2015 19:49

"those who are sitting here worrying that potentially this minute people are matching up their email address with username and being able to search the site for their whole posting history"

Since the email addresses weren't on the LIST, how could the above be done without someone going into account details one by one and looking up email addresses? Surely it would take a lot of work, and luck, as an interested party (eg a vengeful ex, but who wasn't part of the Jeffrey Saddos Club) to find the details of the person you were after?

Mrsmorton · 19/08/2015 20:02

Tis true tendon but there are a lot of people on t'interweb with an awful lot of time on their hands.

PaulMoore · 19/08/2015 20:11

@ColdSancerre

It's a bit too complex to post here. Here's an article I published a month ago regarding Vivian Gabb, a lady who lost £50,000 life savings during a sophisticated phishing scam.

paul.reviews/phishing-attacks-are-evolving-the-vivian-gabb-story

In short, frequent & forced password changes promote bad practice (re-use, adding a "1" to the end etc) and only decrease security by leaking metadata about how you choose passwords.

It sounds counterintuitive, I know... but I assure you, it's sound advice.

DadfromUncle · 19/08/2015 20:25

OK, based on this thread, on the lack of meaningful answers and couple of other things, I am taking what for me is the unusual step of deregistering altogether.

Whilst I accept that MN isn't to blame (apart possibly from lax security - and that's sort of victim blaming), based on what I've been reading here and elsewhere I personally have ZERO faith that anyone running MN has the slightest clue what's happened or what to do about it.

My password categorically was not harvested in a phishing attack in the way 99% of people (and sources like Wikipedia) would define it (in other words, clicking on a dodgy link due to my lack of attention to detail about where I was).

PaulMoore · 19/08/2015 20:35

@DadfromUncle

There's a lot of misinformation and misunderstanding throughout this thread, not to mention the unduly harsh criticism of management.

Let's not forget, the owners have gone through an extremely difficult & stressful time. Wikipedia is great for some things... but security advice is not one of them. Phishing attacks come in many shapes & sizes; even security professionals fall for them occasionally.

I wouldn't be so quick to write Mumsnet off... a show of support might help while they work to resolve everything.

Altinkum · 19/08/2015 20:38

This reply has been deleted

Message withdrawn at poster's request.

StephanieBeacham · 19/08/2015 20:39

A poster has been reading a thread on 8chan or whatever it's called - she has C&P'd various parts of it that seem relevant.

Can anyone assist as she doesn't know how to screenshot and we're worried (or I am anyway) that it might be deleted before anyone else sees it.

Hackergate third thread

Thanks

EcclefechanTart · 19/08/2015 20:43

I thought the phishing attack wasn't from a dodgy link. I thought the idea was that hackers had redirected the mumsnet login page to one which sent your NN and PW to Jeffrey. So I don't know why everyone keeps insisting that they never clicked any links?

FlatcapnWhippet · 19/08/2015 20:49

Tendon, we know that the email wasn't published, but if the data was taken it could be being used by anyone anywhere; it could just be that no MNetter has found the email dump, so we don't know about it.

SacredHeart · 19/08/2015 20:49

4chan have been laughing about it all day. The sheer level of panic will have attracted them.

But I've not seen any Anon claiming it (which they are usually proud to do).

howtorebuild · 19/08/2015 20:49

Some mnetters found the hackers, on the third hacking thread.

Garlick · 19/08/2015 20:55

"Cross Site Scripting (XSS). If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page"

You have sporadically run advertisements containing malicious code. I hope you're looking into this as a possible source.

Since Mumsnet's security's generally quite good, wouldn't the hack likely be either an inside job or some easy means of adding code externally? Advertisements provide the latter.

As to DOS attacks: any fule can mount one, and all the target can do is block it as quickly as possible.

Altinkum · 19/08/2015 20:58

This reply has been deleted

Message withdrawn at poster's request.

SacredHeart · 19/08/2015 21:04

Plus if it is on 4chan you won't really get too far - it's called anonymous for a reason.

PaulMoore · 19/08/2015 21:15

@SacredHeart

Truly anonymous browsing is a myth.

SacredHeart · 19/08/2015 21:18

Agreed but bearing in mind the difficulty and hard work involved to find collective members involved in the Lufthansa DDOS attacks and the Egyptian revolution support I think the mumsnet DDOS attack would not warrant the resource.

Allisgood1 · 19/08/2015 21:24

Where is the list? How do I know if I'm on it or not?

YellowTulips · 19/08/2015 21:26

you can find it on chat Allisgood1

GallivantingCat · 19/08/2015 21:26

Well said PaulMoore @ 20:35.

Paddypaws3 · 19/08/2015 21:28

Wtf is going on now. This is on his website now...

This is all the companies Mumsnet shares your private data with -DadSec

With a list of names and email addresses of 'mumsnet partners' Confused.

Allisgood1 · 19/08/2015 21:39

Perhaps someone can explain.

If this person has admitted to the attack and swatting, and is on Twitter, WHY can't the police track him down? Or MI5? Or is he so clever that he's covered all his tracks? And what is his website?

MotherOfFlagons · 19/08/2015 21:44

MI5? Really?

I very much doubt the police will do anything apart from mount a cursory investigation followed by a statement that they have no further evidence.

Allisgood1 · 19/08/2015 22:01

Yes MI5. This person sent swat teams to 2 people's homes, wasting serious police time and resources. He could potentially have personal information, including home addresses of everyone registered with MN. How do we know the swat attacks were the end of it?
