
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial of Service (DoS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DoS, though we believe it was perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as, say, your online banking service might use, for example requiring multiple passwords or using two-factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of it: the hashes wouldn't work on our site or on any other site, even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas a list collected by recording what a user submits would, and does, contain errors.

It's not obvious how it has been conducted, though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross-Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project (OWASP) top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless, provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it, so we don't want to rush and end up creating bigger holes. But we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions, do post here. We'll answer as transparently as we can, bearing in mind the caveat about helping future hackers mentioned earlier.

BeccaMumsnet · 21/08/2015 13:21

@SouthAmericanCuisine

Akkakk. My concern isn't the hacker, I couldn't give a toss what s/he reads.

My worry is the anonymity of the posts I made under the username that has been publicly linked to my IP address. Can someone who knows my IP address (my boss, my DC, my spouse) work out which is my username by linking it to an IP address they already know from the list?

It seems that the answer is possibly. That doesn't sit well with me.

Are MNHQ going to make provision for the complete posting histories of those usernames to be deleted if they wish?

Hi SouthAmericanCuisine - please do email [email protected] and explain your situation and what you'd like done.

BeccaMumsnet · 21/08/2015 13:35

@LaurieJuspeczyk

I really don't think anyone should be worried about IP addresses - as previous posters have said, the chances that most people will be identified from that alone are virtually zero. My only worry would be that if they have people's email addresses, it's not impossible that those might be published alongside usernames at a later date. Again, though, as BertieBotts says, someone would have to know about the hack, find the list, search for your email specifically, trawl through all your posts looking for anything interesting... It's way too much effort for the average nosy person. I'd only be worried if you already have a stalker/vindictive ex etc, or if you've posted anything that might completely ruin your life if it came to light.

Question for MNHQ/tech - as you (presumably!) don't own the phishing site the answer is probably no, but having found the problem, do you have any idea how many users are likely to have been affected?

Hi LaurieJuspeczyk - no, sorry, there isn't. We know it was likely to be running for a while, hence we have to assume it's everyone who logged in. Therefore everyone should change passwords anywhere they used them.

LurkingHusband · 21/08/2015 13:43

Have all other possibilities apart from phishing definitely been excluded ?

headlesslambrini · 21/08/2015 13:47

There's an extra 'sticky' on active convo's page. Are we back to normal as I thought MNHQ had removed them all to highlight the hacker ones?

iamaboveandBeyond · 21/08/2015 13:49

I asked elsewhere, but it got missed. If we were definitely logged out, went to the log in page, filled in details and it did log us in, could that info have been phished? Or would it have to not work? Basically, could a phishing page actually log you in?

BeccaMumsnet · 21/08/2015 13:58

@boatsgoby

Please could MNHQ ask all users to delete PMs from their inbox? Many of us use the PM function to exchange addresses, tel. nos, more personal details, etc. We can delete our own PMs but the recipients need to delete theirs too.

Hi boatsgoby - there will be a response on your Site Stuff thread shortly.

BeccaMumsnet · 21/08/2015 14:00

@SmallLegsOrSmallEggs

Is there any sign of the delete all for PMs?

I need to delete not only all my received, but sent also.

Hi SmallLegsOrSmallEggs - yes this function is now available.

akkakk · 21/08/2015 14:01

LurkingHusband, all we know is that there was probably a combination of things:

  • getting a member of MNHQ staff to click on a link to load software onto her machine
  • attacking a script weakness
  • setting up a phishing page / outside or within MN
  • possible info from a previous hack
  • ????

it is possibly one of those situations where not everything can be known...

ChristineDePisan · 21/08/2015 14:16

His twitter feed today is talking about washing hardware (and that some more documents are going to be released shortly). Usual pinch of salt rule applies...

BeccaMumsnet · 21/08/2015 14:19

@iamaboveandBeyond

I asked elsewhere, but it got missed. If we were definitely logged out, went to the log in page, filled in details and it did log us in, could that info have been phished? Or would it have to not work? Basically, could a phishing page actually log you in?

Hi iamaboveandBeyond - once 'log in' is clicked on the phishing page, you would've been sent back to the original page you were on, which will have seemed like you got logged in.

Emmalbae · 21/08/2015 14:22

How do I see if I'm on the list? Thanks.

Simurgh · 21/08/2015 14:33

There's a thread containing it just beneath on this very board Emmalbae. The passwords etc have been removed.

As far as I can see you're not there, but react as if you were, because no-one knows at the moment what other information they may have.

Beeswax2017 · 21/08/2015 16:25

This reply has been deleted

Message withdrawn at poster's request.

howtorebuild · 21/08/2015 16:30

He has carried out his threats, see the sticky thread.

hereforNewKeks · 21/08/2015 18:10

Apologies if this has been discussed elsewhere but I can't see it.
Screenshot comparison attached.

The sealed envelope icon which denotes your messages, the one that gets a red dot for an unread message - has anyone noticed a change in theirs at all?
Earlier this afternoon mine looked like a ripped piece of paper. The top image shows what I mean and the bottom one is the usual image for comparison. It was only like the ripped paper for a brief moment and then changed back.

tinypic.com/r/2r2lwmt/8

Beeswax2017 · 21/08/2015 18:12

This reply has been deleted

Message withdrawn at poster's request.

EasyFromNowOn · 21/08/2015 19:31

NewKeks, that's usually what you get when the graphic has failed to load - I think it is most often the stylesheet for the page just not loading fast enough. Sometimes it happens if the page/site is very busy, or if your connection is slow for some reason; sometimes it just happens for other reasons.

hereforNewKeks · 21/08/2015 19:37

Thanks Easy, I've never come across it before, so it made me wonder.
Appreciate the info. Flowers

YesIleftthebastard · 21/08/2015 19:50

Just looked at Jeffery's twitter and I'm red flagging. PLEASE READ IT MNHQ

Mrsmorton · 21/08/2015 20:13

yesileft, which Twitter are you talking about?

Simurgh · 21/08/2015 20:29

Just tell me if I need to put ice cubes in the freezer for the booze, YesI. (I can't get into the twitter feed on this machine.)

Devilishpyjamas · 21/08/2015 20:32

Bastard - do you mean the "teach the media" swat threat? Everyone assumes he is going to swat Deborah Orr or the Guardian, as she wrote a piece in the Guardian today which suggested he was somewhat inadequate.

I presume the police know.

bittapitta · 21/08/2015 22:59

Since this is the tech thread - can tech answer why there are so many doubts about the 3000+ users' data being obtained via phishing? Disproportionate numbers of replies seem certain they can't have been phished.

wasonthelist · 22/08/2015 01:08

bitta,
I have had dealings with tech and did some of my own research - I have now created a fresh identity as I'm unconvinced about MN's response to all this.

However, it seems the mismatch between people like me who were 100% sure we hadn't been phished and MN's and others' responses is because someone technical with a very poor grasp of language (IMHO) has redefined phishing from being something you did inadvisedly - like click on a link in an email - to being something that happened entirely without your knowledge or intervention due to hacks/phishing at the destination site, that resulted in your password being discovered.

That (something that happened at MN towers that I couldn't possibly have known about) wasn't defined as phishing in my lexicon - but it apparently (and in my view entirely misleadingly) is understood that way in rarefied IT techy circles.

I think that many of us thought we couldn't be phished because we'd taken appropriate precautions, but that was because we thought phishing relied on us doing something unwise - it seems it doesn't.

OberonTheHopeful · 22/08/2015 01:58

I've been following this discussion for a couple of days. I don't believe the data loss has been the result of a phishing attempt (which would be targeted directly at an end user), but the result of multiple unpatched XSS vulnerabilities in the MN site, some of which have been present for some time and may still be so.
