More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began, proactively defending against them, minimising the impact of it and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyze, so it can be slow going at times. We are working with our technology partners who have a lot of experience of these kinds of attacks and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it, so we don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.
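The OP's points about password storage (a recommended algorithm with high "strength" settings, records that are useless to anyone who obtains them, and a database that can only ever hold the password the user actually registered, never a mistyped one) can be illustrated with an added example. This is not Mumsnet's code and nothing here describes their implementation: the choice of PBKDF2-HMAC-SHA256 via Python's standard library, the iteration count, the record format and the sample passwords are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: the "strength" setting. Higher means each guess costs more.
# (Assumed value for the example; real deployments tune this to their hardware.)
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record: 'iterations$salt$digest' (hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Constructed sample: one user, the password they chose, and a typo of it."""
    chosen = "Passw0rd!"    # what the user registered with; only this can verify
    mistyped = "Passw0rd1"  # what a form that records keystrokes would capture on a slip
    record = hash_password(chosen)

    # The same password stored by a second, unrelated site gets a different salt,
    # so the two records share nothing that could be cross-referenced.
    record_elsewhere = hash_password(chosen)

    return {
        "correct_verifies": verify_password(chosen, record),
        "mistyped_verifies": verify_password(mistyped, record),
        "records_differ_across_sites": record != record_elsewhere,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The database only ever holds the salted derivation of the password that was registered, so a mistyped password cannot be "in the database"; it can only appear in something that recorded what the user typed. A leaked record also cannot be replayed on another site, because that site's salt and derivation differ.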

Allisgood1 · 23/08/2015 21:09

I'm scared if I change my username I won't get selected for product tests anymore. Is this true?

QuintShhhhhh · 24/08/2015 12:02

Why did it take you so long to inform the users?

How can so many users have been phished to enter their usernames and passwords to mn? Standard scatter gun approach through email? Not highly likely, I would have known of such a wave of random emails asking people to log on to mn (I work in email security) - Scattergun approach from social media sites? Has anyone reported weird social media posts that require logging in to mn when clicking?

Or, did somebody manage to get into your list of user emails, and send phishing emails directly to users based on emails purporting to be from mnhq? Any fake mnhq emails in circulation?

Have you analyzed what the selected users have in common? Are they all on the panel? Have they been contacted in relation to Secret Santa?

Or, did one of the mnhq staff fall victim to a spear phishing attack?

Jasonandyawegunorts · 24/08/2015 12:09

How can so many users have been phished to enter their usernames and passwords to mn?

Hackers used a weakness with the userprofile pages to run their own script and steal the already logged in cookies from MNHQ members.
Then, as they were signed in as Tech or whatever, redirected the login page with one that took your login details.
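The OP's XSS paragraph (script injected into pages other users view, a login form changed to post to the attacker's page) and Jasonandyawegunorts' description of a profile-page weakness used to take logged-in cookies point at the same defences. The following is an added illustration, not Mumsnet's code and not a description of the actual weakness: a profile renderer in its defective and escaped forms, a monitoring check that every form on a rendered page still posts to the first-party host, and a session cookie flagged HttpOnly and Secure so page scripts cannot read it. The template, the hostnames and the sample bio are constructed for the example.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed template: {name} and {bio} come from the user's own profile form.
PROFILE_TEMPLATE = '<div class="profile"><h2>{name}</h2><p>{bio}</p></div>'

# Constructed sample: a bio that carries markup rather than plain text.
SAMPLE_BIO = "Hello! <script>alert('xss')</script>"

# Constructed first-party hostname for the form-action check.
SITE_HOST = "forum.example.com"


def render_profile_unsafe(name: str, bio: str) -> str:
    """The defect: user text interpolated straight into HTML, so tags are live."""
    return PROFILE_TEMPLATE.format(name=name, bio=bio)


def render_profile(name: str, bio: str) -> str:
    """The fix: escape every user-controlled value at output time."""
    return PROFILE_TEMPLATE.format(
        name=html.escape(name, quote=True), bio=html.escape(bio, quote=True)
    )


class _FormActionCollector(HTMLParser):
    """Collects the action attribute of every <form> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(document: str) -> list:
    parser = _FormActionCollector()
    parser.feed(document)
    parser.close()
    return parser.actions


def is_first_party(action: str, site_host: str = SITE_HOST) -> bool:
    """A login form should post to a relative path or to our own HTTPS host.
    An empty action posts to the current page, which is first-party."""
    parts = urlparse(action)
    if not parts.netloc:
        return parts.scheme == ""  # relative URL; rejects javascript: and data:
    return parts.scheme == "https" and parts.netloc.lower() == site_host.lower()


def login_forms_are_first_party(document: str, site_host: str = SITE_HOST) -> bool:
    """Monitoring check: every form on the fetched page still posts to us."""
    return all(is_first_party(a, site_host) for a in form_actions(document))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: HttpOnly keeps page scripts from reading it, Secure keeps
    it off plain HTTP, SameSite=Lax limits cross-site sending."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_profile_unsafe("Ann", SAMPLE_BIO))
    print(render_profile("Ann", SAMPLE_BIO))
    print(login_forms_are_first_party('<form action="/login" method="post"></form>'))
    print(session_cookie_header("constructed-session-id"))
```

Escaping at output time stops profile text from becoming markup at all; HttpOnly means that a script which does slip through cannot read the session cookie; and the form-action check is the kind of content-integrity test a monitoring job can run against the live login page to notice a form that has started posting somewhere else.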

Garrick · 24/08/2015 12:11

Quint, I thought it had been established that the hacker managed to redirect logins to a spoof page.

It would be interesting to know whether the published users had anything in common - I thought they had all physically typed in their passwords, but apparently some were auto-filled. Ultimately, though, the safest assumption is that ALL users had their passwords captured.

I can understand MNHQ not wanting to reveal exact details of how it was done.

Assuming Jeffrey would have published users' contact info if s/he had it, they don't seem to have extracted any sensitive information beyond a mailing list of ad agencies & so on.

Garrick · 24/08/2015 12:14

Ah, thanks Jason :)

BoreOfWhabylon · 24/08/2015 12:15

Quint. www.mumsnet.com/info/mumsnet-site-attacks-faqs-and-updates

magimedi · 24/08/2015 12:18

Bore - The last update was at 3pm on Friday - it would be good if MNHQ updated us with what is going on now & if all is now OK or not.

BoreOfWhabylon · 24/08/2015 12:22

Well yes, magi , but I thought it might help answer some of Quint's questions.

magimedi · 24/08/2015 12:27

Sorry, Bore - I was in no way getting at you!

Agree that it does indeed answer a lot of questions, but it would be nice to hear something from HQ.

BoreOfWhabylon · 24/08/2015 12:33

Flowers Magi

I might give them a prod.

JustineMumsnet · 24/08/2015 14:55

Hi everyone. I'm pleased to say that all was reasonably quiet at the weekend so happily very little has changed since the end of last week. We've no evidence of further attacks on Mumsnet, or indeed further swatting attacks.

As you know we patched the hole used to access user login details in the middle of last week and forced a password update. The site is currently undergoing stress testing via an external security firm which should be completed this week. Meanwhile, the tech team are reviewing every bit of code to make sure it's as robust as can be.

Obviously we can't be complacent though - please do report anything that looks at all dodgy, and we'll investigate straight away.

I know some users are still awaiting replies to mails you sent us last week. Thanks so much for your patience, if that applies to you - we're very much hoping to get through the backlog in the next couple of days. For those with new queries it's worth checking our FAQs page before mailing in case your question's answered there (we'll keep it updated).

The police are taking these attacks seriously and are conducting a full investigation. We will, of course, update you with any news on that front as soon as we have any.

Once again, many thanks for your support and virtual (and in one case, actual Grin) provision of gin and many apologies, again, for any undue stress/anxiety caused.

TheOldestCat · 24/08/2015 15:21

Hallo

As one of 'the 3,000' just to say thanks for dealing with my emails promptly (my bank account was defrauded on the same day - bank thinks it's a coincidence). This has been a wake-up call for me as I used the same password (or variation of it) across other sites. So I've changed everything everywhere...

I hope the gin - virtual and actual - was nice. Keep on keeping on!

birdling · 25/08/2015 12:04

You've all had a seriously rough few weeks, haven't you?! Cake Brew

What happened last night? Sad

ThomasRichard · 25/08/2015 12:13

Did Justine speak too soon or did the external stress testers do their job a bit too well?

WorktoLive · 25/08/2015 12:13

Yesterday's 'all is now well' update was a bit 'sods law' wasn't it?

Site got attacked again what, an hour or two later.

HexBramble · 25/08/2015 13:37

Bloody hell. Hackertwat has some serious issues against Mumsnet. I'm assuming it was a complete lockdown again? Or another breach?

bittapitta · 25/08/2015 13:43

You're back! Wasn't the website down for nearly 24 hours?
Sad

JeffsanArsehole · 25/08/2015 13:46

Can we please have an update since they managed to bring it down for a whole day ?

Simurgh · 25/08/2015 13:48

Can you confirm how safe things are now, HQ? (I'm wondering whether your security consultants have secured against the possibility of an infiltration under cover of the DOS attack.)

Are we going to have to re-password up etc?

Simurgh · 25/08/2015 13:51

PS - well done to all working away up there.

And now - the most important technical issue of them all.

When are we going to get that Gin emoticon? Grin

Bakeoffcake · 25/08/2015 13:58

It's a bit worrying that the site has been attacked again but we've had no word from MNHQ to say whether passwords etc are safe.

Could we please have an update? Thank you Flowers

JustineMumsnet · 25/08/2015 13:59

Hello again,
Here's the latest update on what's occurred.

Yesterday evening we were hit by another denial of service attack which meant we were offline until this morning; as soon as we got back up we were attacked again. This attack was double the size of the previous one and was distributed across many servers, but we have no reason to believe that any security breaches occurred; the intention was to take the site offline rather than to hack into it.

We are contracting external DDoS protection providers to help deal with future issues. Many thanks for your understanding - apologies again for the interruption to normal service.

The police are continuing their investigation.

[even more gin]

howtorebuild · 25/08/2015 14:02

Flowers To mnhq.

To Jeffrey.
[Chicken]

ItsAllGoingToBeFine · 25/08/2015 14:02

Thanks for the update Justine.

Pipbin · 25/08/2015 14:09

Thank you for the update.

We shall overcome.