More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it: we don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

UnbelievableBollocks · 19/08/2015 11:40

The published list has shown that you appear not to have password complexity rules for users with administrative rights within your systems.

What will you do to address this, and how was it allowed when IT security 101 is decent password complexity?

PoppyBlossom · 19/08/2015 11:41

No Hula, I understand that. But the update seems to be saying that hackers have gained access, and Mumsnet aren't really sure how they gained access, but they'd appreciate it if we all entered new data in the form of password/email changes when they can't categorically state they aren't continuing to be hacked. How do we know the new passwords that have been reset in the last 24 hours are any different to the data the hacker had before? Is Mumsnet being online and active to all users really the best for now?

GarminGirl · 19/08/2015 11:43

Disable advanced search?

No old threads can be accessed by anyone then, so no anon stuff gets revealed

GarminGirl · 19/08/2015 11:44

Or delete the entire mumsnet website and we can all start again!

UnbelievableBollocks · 19/08/2015 11:45

Disabling advanced search doesn't work as you can use google or another search engine to find posts.

JustineMumsnet · 19/08/2015 11:47

Ok so lots of further questions here - I'm going to defer to tech team rather than give you a layman's response so I've asked them to take a look.

starsandunicorns · 19/08/2015 11:48

As Poppy asks, are the passwords from the last 24 hours safe?

BinToHellAndBack · 19/08/2015 11:48

How can those who would like to go about getting their accounts deleted and all previous posts removed do so, given the breach of security?

Even those whose details haven't been posted can't be sure they weren't hacked as (even though it's likely they did) it would be foolish to assume that all passwords etc obtained have been published.

Even with password resets, I'm sure many will now feel uneasy about the information that they have previously posted publicly. When usernames have been posted with ISP addresses (even without passwords) it is no longer as anonymous as it once was...

howtorebuild · 19/08/2015 11:48

I phoned the ICO. They say it's a police matter.

Anticyclone · 19/08/2015 11:48

So if it was phishing through the website, I'm guessing those of us using the app would not be affected? I use the app exclusively and my name is not on the list.

howtorebuild · 19/08/2015 11:50

I clicked the internet switch on and off, apparently this gives you a new ip address.

Atomik · 19/08/2015 11:50

Does what you know so far imply this was a sophisticated attack, as in high levels of tech ability/gubbins, manpower and funding... or was it something that some "geek with the hump" could pull off by themselves ?

Given not so distant history on here I would feel a lot less twitchy if the latter could be confirmed as the more likely probability.

tribpot · 19/08/2015 11:50

howtorebuild, I assume the police are already involved this morning, given it's an ongoing attack following last week's events.

LauraGrooves · 19/08/2015 11:51

"Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere."

But sadly people do use the same password elsewhere.

People don't care about an MN account being compromised, but they do for their email or any online bank or retail site with address and payment info.

I think MN are being very LF about it. People compromised need to change every password on every site where they share the email password.

BinToHellAndBack · 19/08/2015 11:52

Ah, I realise I've slightly cross-posted. Deleting all old threads would work, or removing any usernames linked to them. A fresh new Mumsnet!

Can't see how disabling advanced search would help as the usernames etc can still be googled.

ifigoup · 19/08/2015 11:53

Someone on another thread said that they are on the list, but never log in through a login page: they are permanently logged on and access MN via an old tab they've had open for months and months. It therefore seems very unlikely that the hacker could have accessed their info via a recent phishing expedition, yet there it is on the list.

Beeswax2017 · 19/08/2015 11:54

Message withdrawn at poster's request.

CaveMum · 19/08/2015 11:54

What's the best email address to contact tech about concerns on? I've sent messages via the report facility but understandably they may be wading through hundreds of messages!

Atomik · 19/08/2015 11:56

yet there it is on the list.

Where would one find this list ?

GarminGirl · 19/08/2015 11:57

Ahh I think it's fathers4justice doing this

Interesting dadsec is only following them on Twitter

OhYouBadBadKitten · 19/08/2015 11:58

The list is here without confidential info on it. Scroll up/down or, if you are on pages, it's about page 11.

SnakeyMcBadass · 19/08/2015 11:59

Justine, I hope you're ok after your frightening experience.

Tech, any chance of tracing this boring bastard? No doubt he's snigger snorting in his mum's house somewhere.

ifigoup · 19/08/2015 12:00

It's at www.mumsnet.com/Talk/_chat/2451977-Am-I-on-the-list?pg=11

DavidTech · 19/08/2015 12:01

@TheHoneyBadger

this is still not up to date. data has been accessed that hasn't been used as log in data for a long time so that didn't come from phishing.

also some accounts are still accessible using the login details on that list that has been published, as people have informed MNHQ, and the login page is still not secure.

what would it take for you to shut the site down?

This is a pretty fast moving situation. The hacking has been going for a while of course, but the list was only published last night and the information from users about the contents of the list is still coming thick and fast. I apologise if it's not completely up to date. People are working around the clock on this.

There are a few possibilities. We need quite firm evidence of the data being old. If anybody has any information about that, e.g. it's a password that you've not used for more than several weeks, then please send that information to [email protected].

If people have reset their password to the same as it was, perhaps because they've not yet received the email about the hack, then they (or anyone) would be able to log in using the details on that list. We are working on enhancing the password requirements, and when that's ready there will likely be another password reset. We will also check against that list to make sure that people aren't reusing those passwords.

The login page is secure. There is a small problem whereby some of the things on the page are being served using HTTP, rather than HTTPS, which is why the padlock is yellow rather than green.
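As an added illustration (not Mumsnet's code) of two points raised in the thread, the OP's description of password storage with a strong hashing algorithm and DavidTech's reply about refusing resets that reuse a password from the published list: salted scrypt hashing with constant-time verification, plus a reset policy that rejects the old password and anything on the list. The scrypt parameters, function names and the sample list are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed "high strength" scrypt settings for illustration (16 MiB of memory per hash).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16

# Constructed stand-in for the published list of captured credentials (not real data).
# It includes a mistyped entry, as users in the thread reported seeing.
PUBLISHED_LIST = {
    ("alice", "Password1"),
    ("bob", "sunshine"),
    ("alice", "Pasword1"),
}
# Passwords on the list regardless of username, for the reuse check at reset time.
PUBLISHED_PASSWORDS = {pw for _, pw in PUBLISHED_LIST}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$hash_hex'; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def accept_new_password(old_stored: str, new_password: str) -> tuple:
    """Reset policy: refuse the old password and any password on the published list.

    Returns (True, new_stored_hash) on success, else (False, reason).
    The plaintext is only available at reset time, which is why the list
    check happens here rather than against the stored hashes.
    """
    if verify_password(new_password, old_stored):
        return False, "new password is the same as the old one"
    if new_password in PUBLISHED_PASSWORDS:
        return False, "password appears on the published list"
    return True, hash_password(new_password)
```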
