More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

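The post's argument that mistyped passwords in the leaked list point to capture at input time rather than a database dump can be checked mechanically. This is an added example, not Mumsnet's code; it assumes PBKDF2-HMAC-SHA256 with a high iteration count as a stand-in for the unnamed "recommended algorithm", a constructed user store, and a constructed leaked list containing one typo:

```python
import hashlib
import hmac
import os

# Assumed parameter: the thread does not name the hash or its "strength" setting.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, hash); only these are stored, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored):
    """Recompute the hash for the candidate and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def classify_leak(leak, store):
    """Count leaked (username, password) pairs that do / do not verify.

    A dump of stored hashes can never yield a password that fails
    verification, so failing pairs for known users can only come from
    text captured as it was typed (e.g. a typo sent to a phishing form).
    """
    counts = {"verified": 0, "mistyped_or_unknown": 0, "unknown_user": 0}
    for user, password in leak:
        if user not in store:
            counts["unknown_user"] += 1
        elif verify_password(password, *store[user]):
            counts["verified"] += 1
        else:
            counts["mistyped_or_unknown"] += 1
    return counts


# Constructed sample data: two stored accounts and a three-entry "leak".
STORE = {u: hash_password(p) for u, p in
         [("alice", "correct horse"), ("bob", "battery staple")]}
LEAK = [("alice", "correct horse"),   # verifies: an accurate capture
        ("bob", "batery staple"),     # fails: a typo, impossible from a hash dump
        ("carol", "whatever")]        # no such account in the store

if __name__ == "__main__":
    print(classify_leak(LEAK, STORE))
```

The stored hash itself is useless as a login credential: feeding it back through `verify_password` fails, which is the point the post makes about staff being unable to "un-encrypt" passwords.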
Jasonandyawegunorts · 28/08/2015 07:46

It seems some members are making a right meal out of the hacking for no other reason than to let people see how tech savvy they think they are. Perhaps it's time to leave it to MNHQ and move on to other things.

No, people aren't showing off. They are interested and worried about how and WHEN this happened, when Mumsnet were informed and so on. People are asking very valid questions, which people ask when their personal data has been posted online.

HexBramble · 28/08/2015 08:33

Sans MN is a Community essentially.
Maybe you should check its definition?
I'm a techno-idiot but am regularly checking for news on how we can all improve security. There are many experts in our community and I for one, am interested in all input.
Don't stick the knife in to those trying to help.

HexBramble · 28/08/2015 08:36

Can I please ask:
I cannot access MN on my iPhone but all is well on my iPad.
No biggie but am interested in how to resolve this.

Pipbin · 28/08/2015 08:54

Hex - I'm on an iPhone and haven't got a problem.

Simurgh · 28/08/2015 08:55

Are you accessing them in the same way on each device, HexBramble? (eg Old App versus Safari/New App etc.)

tigerscameatnight · 28/08/2015 09:00

I think people are responding in different ways.
Some are meh about their details being obtained in password & username format but interested in the ins/out of how it happened.

Then there's the ones that their details being put there poses an actual risk to them as a result of dv or whatever.

There's also the fact they have potentially had access to admin accounts since July.

JustineMumsnet · 28/08/2015 11:44

@00100001

errr sans no, I think people are genuinely interested in how this happened, especially since it's happened before and on the surface, it didn't look like any lessons had been learned.

It will die down, but if people want reassurance and answers, why can't they have them?

Hiya, sorry not quite sure what you mean by happened before? Can you explain a bit further?

Simurgh · 28/08/2015 11:48

I suspect that Binary meant Heartbleed - they'll doubtless correct me if I'm wrong.

Sansoora · 28/08/2015 12:15

Don't stick the knife in to those trying to help.

And there I was thinking it was the MN equivalent of locker room 'my willy is bigger than your willy'.

JustineMumsnet · 28/08/2015 12:44

@Simurgh

I suspect that Binary meant Heartbleed - they'll doubtless correct me if I'm wrong.

Oh I see. Well, Heartbleed was an internet-wide vulnerability, so not sure what lessons we could have learned that might have helped us with this situation?

TheHoneyBadger · 28/08/2015 12:49

yes, there you were MISTAKEN in your thinking sansoora. when we are mistaken we like to know surely?

Jasonandyawegunorts · 28/08/2015 12:56

My willy is very small Sans so there has never been any boasting about it.

PlentyOfPubeGardens · 28/08/2015 12:58

We got hacked by furries??

Jasonandyawegunorts · 28/08/2015 13:00

Here it is.

More about the Technical side of the attacks on Mumsnet
Simurgh · 28/08/2015 13:05

If the reference was to Heartbleed, I'm sure Binary will respond to that, Justine. My own view, however, is that any impact - personal to your system or not - should act as a 'wake-up' moment for any organisation. That refers to anything and not just IT but given that IT is critical to your functioning, I think that that should take a very high priority on the organisation's list.

This is an opportunity for MN to really assess where it stands and become a leader in its field. (That may necessitate some changes to the financial plans but so be it; others will have to catch up at some point.)

You said 'so not sure what lessons we could have learned that might have helped us with this situation?' and I can't advise you on that. It's still fairly clear that there were some, though. Jeffrey's fanclub were making some pretty disparaging remarks about the robustness of MN systems; and whether that is or is not true, it still speaks to 'public' perceptions I think. You could do with altering those.

TheHoneyBadger · 28/08/2015 13:05

willy free zone here.

ItsAllGoingToBeFine · 28/08/2015 13:13

Oh I see. Well heartbleed was internet-wide vulnerability, so not sure what lessons we could have learned that might have helped us with this situation?

From here: www.mumsnet.com/features/mumsnet-and-heartbleed-as-it-happened

The Heartbleed bug was disclosed and a fix made available on 7th April. You patched the Heartbleed hole on 9th April. You assumed that this hole had not been exploited prior to this date and, as I recall, told users their data was safe. This was shown to be incorrect on the 11th April; users were informed and passwords reset on the 12th April. One might suggest that the fix could have been applied faster, and that passwords should have been reset immediately after the fix had been applied.

In the current hack some fairly unskilled hackers attacked using an XSS vulnerability - I think one of the Techs said in an earlier thread that this was listed as the third most common vulnerability. It has been known about for decades, yet it would appear MN did not proof the site in any way against this.

I think a big issue is that MNHQ is using custom software with a small tech team - this makes it very hard for them to keep abreast of and counter the latest threats in a timely fashion.

There are also issues, shown during Heartbleed and during the current attack, with communication with users, and there appears to be no system or procedure in place to deal with the prevention of attacks, during an attack, and after an attack.

ItsAllGoingToBeFine · 28/08/2015 13:17

We got hacked by furries??

No, one of the troll threads written by the hackers was disparaging to the furry community. A furry went on to the troll hackers' 8chan thread and said he was deeply offended and was going to tell Mumsnet, so there. He also made some extravagant threats against the troll hackers. He was called Simon and had a Facebook page.

They all seem to talk a lot of shit though, and it is very hard to identify which if any of the characters on the 8chan thread are genuine.

00100001 · 28/08/2015 13:26

"Hiya, sorry not quite sure what you mean by happened before? Can you explain a bit further?"

We believe the hacker has used a password from the old hack to gain access to another system (external to Mumsnet) on which we store client information

I'm talking about the time MN was affected by Heartbleed. So, whilst not the same as this phishing hack. Vulnerabilities were exposed. Data lost. Admin at the time had no idea about what was taken etc. All serious stuff.

So, my concern is/was that apparently nothing seems to have been learned. Admin passwords were still ridiculously weak... ridiculously (see this example: [email protected]:LisaMumsnet)

The MN website still had vulnerabilities in it, allowing the phishing to happen. Despite being victim to previous attacks. Why was the code not robust enough?

2boysnamedR · 28/08/2015 14:41

I feel bad for MN, I feel extremely bad for Justine and those attacked. MN isn't a big and obvious target for a hit. Not everyone needs to know the ins and outs of finite tech details, and even the biggest make mistakes. So personally I like to know my data is safe, but I'm not shocked it could happen. Vulnerabilities are discovered daily. Big companies can jump on them and patch ad hoc. I doubt MN can. That's the nature of IT.

I think if you work in tech it's very interesting, not at "look I know better". I had security training a while back. I was a bit surprised I learnt a lot of new things, I have then also learned a lot from this.

IT doesn't stand still. Hackers lead this field and security follows.

Pointless post but I value MN. So thanks Justine. Your site means a lot to me. Mistakes happen. Bad people do shit things. You didn't deserve such a crap thing.

ouryve · 28/08/2015 14:56

I don't work in tech, but DH does and it is very interesting. I don't consider someone talking from a position of knowledge about stuff to be showing off, and you certainly don't have to have a penis attached to your groin to know about these things.

Incidentally, DH has been working on plans for improving his own employer's website security, this week. He went onto a perfectly legitimate (ie not dark web) site, yesterday and managed to find the means to brute force passwords held for the site. It's not a big site like mumsnet, but he still unearthed dozens of them in his lunchbreak just by using a tool which guessed lots of combinations for each account.

2boysnamedR · 28/08/2015 15:09

No, you don't need to be a man to work in IT, despite comments like "you can't be a programmer - you're a woman!"

I don't know if it's the mindset of this field but most people love to learn more or find themselves unemployable.

I read about the AM hack and it really sparked interest in me. The comments from the hackers to AM coders to the playing AC/DC on logging on on the day of the hack.

Anyway without the SN boards here my family life and kids outlook would be a whole lot bleaker. So no lasting bad feeling from me. I know I'm a lot more relaxed with my data than I should be. I should know better

Jasonandyawegunorts · 28/08/2015 15:14

And yes, we are all here because we need / have needed the support of this website. I think it's brilliant, but that doesn't mean we shouldn't ask questions about our own and other users' safety.

Nobody is attacking the site or the people who work here, but they are raising valid questions regarding security; it's not a personal attack to question when accounts and info do not match up.

2boysnamedR · 28/08/2015 15:20

No Jason I'm not saying it's a personal attack, not at all.

I just don't think it was on purpose or blatant flippancy (unless, like in the AM case, where email history shows that they had the balls to show prolonged hack interest in a rival site but not check their own).

Anyhoo it does show up to me that I am rather feckless with my own security. I should know better. So from that standpoint I have to hold my hands up.

I really would want to be outed from what I post, but if I was, I would have been party to my data breach too.

2boysnamedR · 28/08/2015 15:31

Would? Wouldn't!! I mean. Dyslexia,