
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.
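As an added example (not Mumsnet's code), here is a defender-side check for the XSS phishing pattern the post describes, where injected script repoints the login form so credentials are submitted to the attacker's site as well as, or instead of, the real one. The page URL, hostnames and allowed origin are assumptions; the browser-enforced mitigation is a Content-Security-Policy `form-action` directive, and this audit only complements it as a monitoring check.

```javascript
// Added example, not Mumsnet's code: audit where each login form will submit.
// The thread describes XSS that repoints the login form (or adds a copy of it)
// so credentials go to the attacker's site. This flags any password form whose
// resolved action leaves the expected origin or drops from https to http.

// Resolve one form's action against the page URL and report problems.
// pageUrl and allowedOrigin are assumptions supplied by the caller.
function auditFormAction(pageUrl, formAction, allowedOrigin) {
  const page = new URL(pageUrl);
  // An empty or missing action posts back to the current page.
  const target = new URL(formAction || "", page);
  const problems = [];
  if (target.origin !== allowedOrigin) {
    problems.push(`action origin ${target.origin} is not ${allowedOrigin}`);
  }
  if (page.protocol === "https:" && target.protocol !== "https:") {
    problems.push(`action downgrades from https to ${target.protocol}`);
  }
  return { target: target.href, ok: problems.length === 0, problems };
}

// Audit every form that carries a password field. `forms` is a list of
// { action, hasPasswordField } records, built in a browser by
// collectFormsFromDocument(document).
function auditLoginForms(pageUrl, forms, allowedOrigin) {
  return forms
    .filter((f) => f.hasPasswordField)
    .map((f) => auditFormAction(pageUrl, f.action, allowedOrigin));
}

// Browser glue (not exercised offline): gather forms from the live DOM.
function collectFormsFromDocument(doc) {
  return Array.from(doc.forms).map((form) => ({
    action: form.getAttribute("action") || "",
    hasPasswordField: form.querySelector('input[type="password"]') !== null,
  }));
}

// Constructed sample: the genuine login form, two forms of the kind injected
// script could produce, and a search form that is not a login form at all.
// Hostnames are made up for the example.
const SAMPLE_PAGE = "https://forum.example/login";
const SAMPLE_ORIGIN = "https://forum.example";
const SAMPLE_FORMS = [
  { action: "/login", hasPasswordField: true },
  { action: "https://forum-example.net/login", hasPasswordField: true },
  { action: "http://forum.example/login", hasPasswordField: true },
  { action: "/search", hasPasswordField: false },
];
```

Over the sample, `auditLoginForms(SAMPLE_PAGE, SAMPLE_FORMS, SAMPLE_ORIGIN)` passes the genuine form and flags the other two password forms.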

Garrick · 29/08/2015 01:16

I agree, MN are handling this beautifully.

For those who say the XSS vulnerability shouldn't have been there - on today's interweb, they are almost inevitable. The problem is that dynamic web pages - those that contain lots of different responsive stuff, rather than just a page of writing - load content in from masses of different places, by no means all of them under the owner's control. All this content can & should be double-checked before loading, however there's always a balance to be struck between time to serve and security. Explanation here.

Luckily, most malicious content will do no worse than install some annoying ad toolbar on your browser but that is not guaranteed. It can't be.

What sites can do correctly is implement rock-solid security at their end. This must include everything from changing staff passwords frequently, to updating the back-end code each and every time anything at all changes. The latter is a massive job, seriously. You pretty much have to rely on security bulletins about new vulnerabilities - by and large, those bulletins come after hackers have discovered them, so somebody suffered.

As an internet user - Get a password manager (Google now does a free one, if you don't mind using Chrome all the time) and change your passwords frequently. If you can remember your password, someone can guess it.

And finally - look away now if you're paranoid about privacy! - GCHQ intercepts every single thing you send over the internet or by phone. There's some device recording you more than 80% of the time. The only way to have a truly private conversation would be to meet down an undiscovered pothole! MN just wouldn't be the same that way Wink Though I guess it might be fun.

ChristineDePisan · 29/08/2015 01:23

I'd modify your statement, Garrick, to say that GCHQ have the capability to intercept all your internet activity, but they aren't capturing 80% of everything we do on MN.

I think MN have stepped up their game significantly since the initial hacking - well done and thank you Flowers

Garrick · 29/08/2015 01:30

Sorry, by 80% I meant including all the CCTV, other people's phones, hacked wifi points and so on. All our comms are intercepted, but nothing's done with them unless we've been supposedly identified as a security threat. Mine were for a couple of weeks 4 or 5 years ago, probably because I was engaged in some heated arguments about Palestine (not on MN.) All my emails were coming in late and I found out why. I'm sure the heuristics are a lot more sophisticated now.

FuckitAndStartAgain · 29/08/2015 07:56

Fed up of the point scoring here, which is a shame because I find the whole Web stuff fascinating and have learnt a lot over the last few days.

MNet is a huge community, a business hence Justine as a CEO, but foremost a community, hence the updating which is superb in comparison to other websites that have been compromised.

  1. I don't think explaining all the ins and outs of security as pertaining to MNet here is appropriate; the hackers read this, others learn, etc etc.
  2. If you don't like it, leave it. It is not Law that you have to give information to MNet, binary! If you are not sure about it right now, leave and consider returning at some point in the future.
  3. I reckon there are some tired and stressed people; if posts are not totally clear or information changes, can't we just accept that's what happens? It is fast moving and exhausting fielding security issues. Few companies would add to their lists of tasks to communicate with clients and try and maintain services as MNet do.

Right, now that is off my chest I am going to check out what is making my LastPass account unreliable. I have a suspicion that has been a user error somewhere along the way.

Sansoora · 29/08/2015 08:01

Garrick you and Sadwidow write about the most exciting of adventures.

How did you find out GCHQ had intercepted your emails?

TheHoneyBadger · 29/08/2015 08:01

most of this is way over my head.

do remember though that it is not just usernames and passwords that have been taken as many people sign in with their email address - i'm not trying to be pedantic but to ensure people don't forget that just because their email wasn't published doesn't mean it isn't out there with people trying to hack it and you should consider what you use that particular email account for and probably change and strengthen your password even if it isn't the same password as you used here.

the other thing that was interesting was to read about what happened in april - i was traveling and doubt i was on much or at all during heartbleed but i certainly never had to change my password then or since until these recent events so possibly the 'force log out/password change' (whatever that entails tech wise) has never been 100% effective. i know this time there were still people saying they hadn't been logged out or forced to change password and had to do it voluntarily instead.

thanks justine for more answers. very much hope it's over with now.

Simurgh · 29/08/2015 08:37

'twas ever thus, Garrick.

Let's not forget that in 2014, the NSA recycled - actually dealt with (in recorded fashion) in one year alone - 108,000 pounds of ceiling tiles. I respectfully submit that that doesn't sound like a One Man and His Dog outfit living in the shed at the bottom of the garden.

Mistakes happen but if Mumsnet and its users learn from this one, I'll be a little happier.

Simurgh · 29/08/2015 08:38

'I have a suspicion that has been a user error somewhere along the way'

Grin Good luck.

DontHaveAUsername · 29/08/2015 14:54

I have to agree with Garrick, I use a password manager to store all my passwords, so every time I register on a new site I can generate a very long complex password that no one would guess, and I never even need to remember it. And if that password ever is compromised, I only need to change that one password, as I'm not using it for everything. You only need to remember one password, the one that unlocks your database and everyone can do that.

Garrick · 29/08/2015 15:16

How did you find out GCHQ had intercepted your emails?

Some quite tedious checking, pinging and googling. I got an expert pal to check my work before politely contacting someone to ask them to desist. My request probably made no difference, tbh, but it did stop a few days later. I was quite proud of having tracked it, but found it hard work. I learned my character isn't suited to doing network stuff for a living!

I respectfully submit that [the NSA] doesn't sound like a One Man and His Dog outfit - I don't understand where this came from?

Simurgh · 29/08/2015 16:09

Goodness Garrick. Just a dropping in of an idle piece of information. No more than that. Smile

Garrick · 29/08/2015 16:54

Oh, OK. I thought you'd misinterpreted something :)

HexBramble · 29/08/2015 20:19

Thanks Simurgh.
Will delete App and be patient.
Thanks to all, especially MNHQ.

SomethingOfTheNight · 31/08/2015 00:23

In light of hackergate, would those of you in the know please advise whether, when logging in to the mobile site, it's safe or not to tick the 'keep me logged in' option?

Thank you

Garrick · 31/08/2015 02:19

Strict answer - it is never safe and you should trash all your cookies after any logged-in session anywhere.

Normal answer - yes, it makes hardly any difference. Always be more paranoid if connected to a public network, like an airport or coffee shop. Your mobile network ought to be about as safe as using your home wifi.

SomethingOfTheNight · 31/08/2015 08:17

Thank you Garrick.

Garrick · 31/08/2015 14:13

:)

absolutelyloveit · 31/08/2015 15:20

MNHQ is there any way to be alerted if MNHQ post? I'd like to know if there is a new post about the hacker/site security etc, but don't really need to be alerted to other posters' musings/technical speculation etc!

SandyMumsnet · 02/09/2015 09:57

Morning everyone,
We wanted to let you know that we have a webchat with Graham Cluley, an award-winning computer security blogger, at 1pm today.

You may want to hop onto this thread and ask him a question.

BertieBotts · 02/09/2015 20:04

Absolutely, you can look on the FAQ thread, which is updated with anything major.
