
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.
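The two points made above about password storage (the site holds only a one-way hash, so even MNHQ cannot recover a password) and about the tell-tale mistyped entries in the published list (a database dump cannot contain typos, but a form or keystroke capture can) can be shown together with a small worked example. This is an added illustration, not Mumsnet's code: the user table, the "leaked" list, the field names and the PBKDF2 work factor are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor is an assumption for this example; the post says "high strength"
# but gives no number. Raise it in production according to your hardware budget.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) using PBKDF2-HMAC-SHA256.

    The derived key is one-way: the site can check a candidate password against
    it, but nobody holding the table (staff included) can turn it back into the
    password. A random per-user salt stops identical passwords sharing a hash.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, dk: bytes) -> bool:
    """Recompute the derived key and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, dk)


# Constructed sample: what the site's user table would hold (salt + derived key only).
_TRUE_PASSWORDS = {"alice": "correct horse", "bob": "Tr0ub4dor&3", "carol": "s3cret!"}
USER_TABLE = {u: hash_password(p) for u, p in _TRUE_PASSWORDS.items()}

# Constructed sample of a published credential list. The entries for bob and the
# second entry for carol contain typos: impossible in a dump of the hash table,
# expected if the text was captured as the user typed it into a form.
LEAKED = [
    ("alice", "correct horse"),
    ("bob", "Tr0ub4dor&33"),
    ("carol", "s3cret!"),
    ("carol", "s3cert!"),
]


def classify_leak(leaked, table):
    """Split (username, plaintext) pairs into those that verify against the
    stored hash, those for known users that do not, and unknown usernames.

    A noticeable share of non-verifying entries for known users is consistent
    with capture at entry (phishing) rather than with a hash-table breach, which
    is the reasoning the post applies. It also tells you which accounts to reset
    first: every entry that verifies is a working credential.
    """
    verified, mismatched, unknown = [], [], []
    for user, pw in leaked:
        if user not in table:
            unknown.append((user, pw))
            continue
        salt, dk = table[user]
        (verified if verify_password(pw, salt, dk) else mismatched).append((user, pw))
    return verified, mismatched, unknown


if __name__ == "__main__":
    ok, bad, unk = classify_leak(LEAKED, USER_TABLE)
    print("verify against stored hash:", ok)
    print("known user, does not verify (typo):", bad)
    print("unknown user:", unk)
```

Note that the site can run exactly this comparison itself without ever learning anything new about its users: it already holds the hashes, and the check only confirms whether a published string matches. Users whose entry verifies should be treated as compromised immediately; the non-verifying typos are the forensic signal rather than a reason for comfort, since the correct password was almost certainly captured on the next attempt.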
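The XSS scenario described above (injected content that changes where the login form posts, or that adds a second copy of the details going to the attacker) has two standard server-side mitigations: escape user-supplied text before it lands in HTML, and send a Content-Security-Policy whose form-action directive forbids the form from posting anywhere but the site's own origin. The following is an added example, not Mumsnet's code; the template, field names and the notice parameter are invented for illustration.

```python
import html

# Constructed minimal login page. Field names are illustrative only.
LOGIN_TEMPLATE = (
    '<form method="post" action="/login">\n'
    "<p>{notice}</p>\n"
    '<input name="username">\n'
    '<input type="password" name="password">\n'
    "</form>"
)

# CSP for the login page. form-action 'self' means a modified or injected form
# cannot submit credentials to another origin; script-src without 'unsafe-inline'
# blocks injected inline script; base-uri 'self' stops <base> tricks that would
# rewrite the relative action="/login".
LOGIN_CSP = "default-src 'self'; script-src 'self'; form-action 'self'; base-uri 'self'"


def render_login(notice_from_user: str):
    """Hardened rendering: user-controlled text is HTML-escaped (including quotes,
    so it cannot break out of an attribute) and the response carries a CSP."""
    body = LOGIN_TEMPLATE.format(notice=html.escape(notice_from_user, quote=True))
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": LOGIN_CSP,
    }
    return body, headers


def render_login_unsafe(notice_from_user: str):
    """The vulnerable counterpart for comparison: raw interpolation and no CSP.
    Whatever the caller passes becomes live markup in every viewer's browser."""
    body = LOGIN_TEMPLATE.format(notice=notice_from_user)
    return body, {"Content-Type": "text/html; charset=utf-8"}


def contains_live_markup(body: str) -> bool:
    """Cheap check used here to compare the two renderings: does a tag survive?"""
    return "<script" in body.lower() or "<form" in body.lower().split("</form>")[0][1:]


if __name__ == "__main__":
    sample = '<script>alert(1)</script>'  # classic harmless XSS probe, constructed
    safe_body, safe_headers = render_login(sample)
    unsafe_body, _ = render_login_unsafe(sample)
    print("hardened contains live script:", "<script" in safe_body)
    print("unsafe contains live script:", "<script" in unsafe_body)
    print("CSP:", safe_headers["Content-Security-Policy"])
```

Escaping handles the case where the attacker's text is placed into the page; the CSP is the defence in depth for the case the post worries about, where some other bug lets markup through, because a form whose action has been pointed at another host simply will not submit under form-action 'self'.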

JaneMumsnet · 27/08/2015 11:59

Hello,

Really pleased to confirm that next week, Graham Cluley will be joining us for a webchat on cybersecurity.

We'll post a link to the webchat thread once live, but for now, please put next Wednesday 2 September, 1pm-2pm in your diary.

Thanks

MNHQ

SarahMumsnet · 27/08/2015 12:06

@00100001

4) when MNHQ said We believe the hacker has used a password from the old hack to gain access to another system (external to Mumsnet) on which we store client information does that mean you didn't change the password on other systems?

Apologies for not updating you on this. We've since found out that the hacker did NOT gain access to another system. We realised that the list of client emails was in fact a very old one, from several years ago - i.e. the point when we moved all our client information on to an external system. After a dig around we found that the old list was in fact stored on our own system, and the hacker had picked it up from there. Obviously this is good news, in that the hacker didn't get access to anywhere else - but nevertheless, we changed all passwords across all systems to make sure that security wasn't compromised anywhere. HTH

Simurgh · 27/08/2015 12:16

'Conversations have been had'.....

I'll bet they have! Grin

Thanks for that, Sarah. I assume that you'll shortly be notifying everyone of the ground rules for the webchat?

SarahMumsnet · 27/08/2015 12:25

@Simurgh

'Conversations have been had'.....

I'll bet they have! Grin

Thanks for that, Sarah. I assume that you'll shortly be notifying everyone of the ground rules for the webchat?

Several conversations, Simurgh ...

I'll defer to JaneMumsnet on the webchat rules, as she's set it up; it was only finalised this morning, but we'll update you with more information asap.

SarahMumsnet · 27/08/2015 12:42

One more thing: people have been asking on Twitter and elsewhere about the security of the Mumsnet app, because it uses http, rather than https.

We're going to take the app offline, as we can't be sure it's secure. We'll be launching a new one using https in a few weeks, and in the meantime, we'd encourage everyone to use our mobile site instead. Sorry to all the app users for the inconvenience.

securitylecturer · 27/08/2015 12:54

Wouldn't it be worth getting a better certificate than a GoDaddy wildcard? If you had an EV certificate (which in the context of a site of MN's size is a trivial cost) it would provide much better verification and people would get used to the green toolbar.

tigerscameatnight · 27/08/2015 13:00

Did anyone ever answer my question as to how long Mumsnet stores our addresses for in regards to product tests and such?

twirlypoo · 27/08/2015 13:04

Can I make a polite suggestion that you advertise everywhere that the app is being taken down or people are going to panic and think you have been hacked again when they can't get online (well, it's what I would have assumed if I hadn't seen this anyway!)

SarahMumsnet · 27/08/2015 13:09

@twirlypoo

Can I make a polite suggestion that you advertise everywhere that the app is being taken down or people are going to panic and think you have been hacked again when they can't get online (well, it's what I would have assumed if I hadn't seen this anyway!)

absolutely twirlypoo - in fact I'm just in the middle of starting an OP in site stuff, which we'll sticky in active/chat/aibu etc. We'll also put up a message on the front page of the current app, explaining that it's been taken down.

SarahMumsnet · 27/08/2015 13:10

@tigerscameatnight

Did anyone ever answer my question as to how long Mumsnet stores our addresses for in regards to product tests and such?

I'll pass this on to the insight team, tigerscameatnight, and get an answer for you.

JaneMumsnet · 27/08/2015 13:54

@Simurgh

'Conversations have been had'.....

I'll bet they have! Grin

Thanks for that, Sarah. I assume that you'll shortly be notifying everyone of the ground rules for the webchat?

Hello Simurgh,

We're ironing out the details now. If there's anything that differs from our usual webchat guidelines, we'll make it clear on the thread.

Thanks
MNHQ

wigglesrock · 27/08/2015 14:04

Has the App already gone? I was reading this, switched out of the App to desktop, went to go back onto the App on my phone and can't - am locked out.

Simurgh · 27/08/2015 14:06

I think it may have, wigglesrock. I suddenly can't get in to it.

Simurgh · 27/08/2015 14:11

Thank you Jane. Given that the problems have potentially affected so much, I was wondering in particular whether you're considering helping posters with the topics they want to discuss - at this particular event. I'm sure you'll cover that though.

SarahMumsnet · 27/08/2015 14:27

Hey all, just to make sure everyone sees this: Justine has posted over here to say that we're taking down our app, effective immediately. I've pasted what she says below, but better to post app-y questions on the other thread, to keep all responses in one place.

Afternoon all,

In the wake of the recent hacking and DDoS attacks, we've been considering the security of the entry points to Mumsnet. Because the current Talk app uses http, rather than https, we can't guarantee that it is 100% secure, so we've taken it offline.

We've been developing a new iOS app using https for a while and we'll be launching it in a few weeks' time; obviously we'll let you know as soon as it's out. We hope to follow it up with an Android app in due course. In the meantime, though, we'd suggest app users move over to our mobile site. Sorry for the inconvenience; hope to see you on the new one very soon.

Thanks,
MNHQ Flowers

SarahMumsnet · 27/08/2015 14:33

@TheHoneyBadger

in light of this, and ongoing attacks and reassurances that prove false (re: they have no email addresses - well of course they do if they phished from the log in page and many people use their email address to log in) i am not happy about the lack of proper response to people asking about names and addresses stored by mn for prize winners, survey takers etc. saying 'they're stored separately and we change passwords frequently' is not enough. i for one would like any such data deleted and am shocked that it has ever been 'held on file' when there is clearly no need for it to be. can we have it deleted? a yes or no is a sufficient answer to that really - though if it is no i'd like to understand why we don't have the right to ask you to delete info on us that we didn't even knowingly agree to being stored.

Hi TheHoneyBadger

We routinely delete the data we collect for Insight, competitions and so on. None of that personal information (addresses etc) is ever stored on site.

We also keep address details in spreadsheets for up to three months after a product test ends. We keep hold of this info for this time period just in case there is a problem with the product, and we need to sort something out. The addresses are deleted after the three months are up.

If you’re part of the Insight Panel, we do store your details - but on a secure site, completely separate from Mumsnet. If you ask to be removed from the Insight Panel, we will delete your details from there.

Obviously, if at any time you want us to remove your information, just drop us a line and we’ll sort it out for you.

KateSMumsnet · 27/08/2015 14:54

@TheHoneyBadger

i DO feel sorry for mumsnet, i do attribute the blame on the perpetrator but i am not impressed that there were hacks made in july, moderator accounts accessed back in july and the attacks reported to mnhq back then by tumblr users without us being warned allowing this situation to go forward and for many of us to have our data stolen and published. when we found the pages on which the discussion from the july attacks had taken place and reported to mnhq they said they had become aware of those pages the same day we'd reported them - yet tumblr users (a group offended by the way the hackers had been representing a particular sub-culture on the boards here as part of their trolling whilst using accounts to report posts and use their profile ((once the mod went to it)) to phish the mods powers and access) reported it to mn with links to the site the hackers had been chatting on back in july.

Just to reiterate what SarahMumsnet said upthread - we were not aware of any breach on the site in July. We don’t think we’re aware of this tumblr activity, are you able to send us a link or point us towards the reports?

SugarPlumTree · 27/08/2015 15:09

My ipad was saying it couldn't verify server id. I'm not very technically minded so apologies in advance if this is all entirely normal but I've attached photos of what came up, is it OK?

Jasonandyawegunorts · 27/08/2015 15:13

Sugar
The app has security problems so they've stopped its use.

CrumbledFeta · 27/08/2015 15:24

This reply has been deleted

Message withdrawn at poster's request.

SugarPlumTree · 27/08/2015 15:27

Thank you Jason. I used the desktop site for ages on the ipad and forgot I'd switched to the app.

So is what came up in the pictures something to do with the mobile app then? I've cleared cookies and changed password just in case.

SugarPlumTree · 27/08/2015 15:36

Just having had a cuppa and had a look at my ipad, I was on the mobile site not the App when whatever that was popped up.

Jasonandyawegunorts · 27/08/2015 15:42

Ah, then it might be the address of an advert banner throwing up the error. I've seen that mentioned on another thread.

Jasonandyawegunorts · 27/08/2015 15:43

There we go, Bannerflow does the banner adverts: www.bannerflow.com/

SugarPlumTree · 27/08/2015 15:44

Thank you Jason, much appreciated.