
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and re-analyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial of Service (DoS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DoS, though we believe it was perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as, say, your online banking service might use, for example requiring multiple passwords or using two-factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of the information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would, and do, contain errors.

It's not obvious how it has been conducted, though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross-Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project (OWASP) Top Ten list of website security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it, so we don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

DavidTech · 22/08/2015 02:23

Hi wasonthelist.

I do realise that a lot of people think of phishing as (solely) "getting an email with a dodgy link which takes you to a fake login page" and indeed, that is one kind. But it's not the only kind, it wasn't the kind we suffered and as far as I know we didn't say that it was.

Keep in mind that at the point I was discussing it with you, or others like you if you're not the PMer I am guessing you are, we didn't necessarily want to give away too much information because there were aspects of it we still needed to pin down. We knew the data was captured by phishing (in the sense of a fake login page) but there was more work to be done to ascertain precisely how people were arriving at that page. So it was deliberately a touch vague. Sorry if that was frustrating, but I do believe it was necessary at the time.

I can see the confusion quite clearly now - if you were saying "I am 100% sure it's not phishing [I never click links in emails]" and we were saying "it absolutely was phishing [because someone used a webpage that was masquerading as an MN page when in fact it wasn't]" then clearly there was, as you say, a mismatch. It was phishing, but not the kind you thought we meant. I don't know if it really is a case of [only] being defined this way in rarefied techy circles, but this was a technical thread. I agree though, maybe the low-tech message to the wider audience should use different words, though I am not sure how else one should describe it. Perhaps "a fake login page that you wouldn't have known was fake and didn't require you to do anything unwise" would be better; it is accurate but a bit of a mouthful!

I hope that adds a bit more clarity, though from the sounds of your post you'd pretty much figured all this out yourself.

bittapitta · 22/08/2015 06:08

Thanks DaveTech I can see what you are saying. Can you also answer whether this was likely to have started in mid July? That's when I started noticing weird stuff (in hindsight!). PS your admin highlight wasn't on for that post.

catsrus · 22/08/2015 07:11

It was a pretty good fake login page. I was on the list and got phished (twice, it appears), probably because of using multiple devices, including mobiles, so am used to having to reset connections when trains go through tunnels etc.

I certainly don't think I did anything stupid; I have a PhD in computer science so am probably more aware than most in this regard. I had noticed MN being particularly flaky so should perhaps have been more alert Blush. Hacking didn't occur to me because IMO MN doesn't hold any secure data about me that a hacker would want: no address, no credit card details. It didn't occur to me that attacking MN itself would be the aim. That was naive of me.

tribpot · 22/08/2015 08:01

Given the overall flakiness of the site, catsrus, it was extremely easy to assume it was business as usual 'site on its arse' and not anything more sinister.

Simurgh · 22/08/2015 09:25

DavidTech

If you're speaking for MNHQ, go and do so when you can have a blue post? What you said seemed unexceptionable but I think that blue is more reassuring at the moment given the possibility of...... interlopers.

Thanks for the information anyway. Smile

WicksEnd · 22/08/2015 10:40

Is it more likely that when he accessed MN Rebecca's account, he forced all users to log out, which is why so many were then phished?

iamaboveandBeyond · 22/08/2015 10:52

Sim, HQ posts can be white depending on where they log in; it isn't massively unusual. IIRC, normal people can't use "tech" or "mnhq" in their names anyway?

Simurgh · 22/08/2015 12:36

It may not be massively unusual iamaboveandbeyond but in a situation such as this, I don't think it's advisable. I've been on other boards where Blues (or their equivalent) could log on remotely and it was understood that if they were talking for the organisation, they would do so from that position but with technology afforded to them to enable remote yet official access.

(I have no idea whether you can set up a name without certain elements in it - I've certainly never tried to.)

wasonthelist · 22/08/2015 12:43

DavidTech

Since we are trading what people did and didn't say :) I never said I think of phishing as (solely) "getting an email with a dodgy link which takes you to a fake login page". I offered that as an example.

What I never thought of as phishing was "logging into a site entirely normally using a stored userid and password with ZERO signs of anything odd resulting in my password being harvested and published" I think we've established that now, but that's why people thought it couldn't be a phishing attack as we understood it.

As a matter of interest - how could I have prevented being phished in this way?

ItsAllGoingToBeFine · 22/08/2015 12:56

As a matter of interest - how could I have prevented being phished in this way?

I'm not sure that you could... Am interested to see what others say

BoreOfWhabylon · 22/08/2015 13:31

Presumably looking for the https thingy in the url would help?

Must admit I never would have thought of doing so before all this - I try to now but is v difficult to get into the habit of doing so.

2boysnamedR · 22/08/2015 14:11

Normally you look at the first part of the URL to make sure you're still on the original site, then the https secure sign. But I don't know in this case if they created a new page on the site, so maybe the first part of the URL was correct?

It's amazing how many people use the same passwords across accounts. It's also surprising how easy some sites are to hack into. Not saying anything re mumsnet security as I'm not privy to that, but generally.

BlueWashiTape · 22/08/2015 14:18

This reply has been deleted

Message withdrawn at poster's request.

Piratejones · 22/08/2015 14:20

Probably. I imagine there are people out there who are trying every name and password they pulled on all the main sites until they get something.

CantSee4Looking · 22/08/2015 15:17

BlueWashiTape, check the activity as well as the location. A number of service providers will put an ISP locality somewhere other than where the user is. You might find that today you are living in France, tomorrow Scotland, Monday London etc. So check location and activity. If it is definitely not you, then make sure you change passwords and force every device to have to re-log in during that process.

DawnMumsnet · 22/08/2015 16:02

@Simurgh

DavidTech

If you're speaking for MNHQ, go and do so when you can have a blue post? What you said seemed unexceptionable but I think that blue is more reassuring at the moment given the possibility of...... interlopers.

Thanks for the information anyway. Smile

Hi all,

We've had a few queries about this. Don't worry, there's nothing sinister going on. We'll tweak things to make sure all of DavidTech's posts show up in (reassuring) blue.

Garrick · 22/08/2015 16:13

As a matter of interest - how could I have prevented being phished in this way?

It's true there is no 100% secure system. There are some things Mumsnet could have done but, along with millions of other sites that don't process payments, didn't. This site has always been really shabby on security certificates. That in itself is pretty commonplace but, now we know some people think facilitating women's conversation merits sustained attack, MN will have to beef it up.

Installing financial-grade security while 3rd parties probably still have access would be a waste of time, however. Let the security consultants finish their stuff first; I'm sure MNHQ will implement all their recommendations.

DuchessofMalfi · 22/08/2015 16:50

I've just had a message from Facebook saying that I have been having problems logging in. I haven't been trying to.

DuchessofMalfi · 22/08/2015 17:19

As a precaution, in case it's the hacker, I've deactivated my account. Don't really like Facebook much anyway, so is no loss :o

If it was the hacker then he wouldn't have found out anything much about me on there, and even less now.

BertieBotts · 22/08/2015 17:26

In fact that's leaving you open to exploitation, Duchess. I knew somebody who deactivated their FB and then their ex reactivated it and gained access to absolutely everything therein, including private messages.

You need to change your password and then deactivate. Or delete everything from your profile and remove all friends. Because facebook make it so bloody difficult to properly delete your account.

DuchessofMalfi · 22/08/2015 17:30

Tbh there was hardly anything on there, so am not concerned that they would be able to get any personal information about me. But thanks for the advice, Bertie :)

BertieBotts · 22/08/2015 17:45

OK fair enough :)

DoingTheGardening · 22/08/2015 18:38

Justine's info has been re-released, presumably as they got the Pastebin deleted?

Simurgh · 22/08/2015 19:05

I think the Ashley Madison hackers have released a third information dump today so Jeffrey's re-release may have been caused by that.

itsnotjustyou · 22/08/2015 19:10

Has anyone else got pages that are very slow to load? Also the text comes seconds after I've typed.
