
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyze, so it can be slow going at times. We are working with our technology partners who have a lot of experience of these kinds of attacks and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to either redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it, so we don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.
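To illustrate the password-storage point in the post above, here is an added example (not Mumsnet's code; the tech team has not published theirs): a salted, memory-hard hash using scrypt from Python's standard library. The work-factor values, field names and sample password are assumptions. It shows that a stored record can only be checked against a candidate password, never turned back into one; that a mistyped password fails the check; and that the same password hashed by two independent sites produces unrelated records, so a leak from one site does not hand over a usable value for another.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Mumsnet's code. Passwords are stored as a salted,
# memory-hard scrypt hash; the work factors below are assumed "strength"
# settings, chosen so that each hash computation is deliberately slow.
SCRYPT_N = 2 ** 14   # CPU/memory cost (about 16 MiB per hash at r=8)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a site would store: a fresh random salt plus the hash.

    Only this record is kept; the password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """The one operation possible on a stored record: re-hash a candidate with
    the stored salt and compare in constant time. Nobody, site staff included,
    can go the other way and recover the password from the record."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, record["hash"])


def records_are_linkable(password: str) -> bool:
    """Hash the same password as two independent sites would, each with its own
    random salt. Returns True only if the stored hashes match, i.e. only if a
    leaked record from one site could be matched against the other's."""
    site_a = hash_password(password)
    site_b = hash_password(password)
    return site_a["hash"] == site_b["hash"]


if __name__ == "__main__":
    record = hash_password("correct horse battery")   # constructed sample password
    print("correct password verifies:", verify_password("correct horse battery", record))
    print("mistyped password verifies:", verify_password("correct horse batery", record))
    print("same password, two sites, same record:", records_are_linkable("correct horse battery"))
```

The per-user random salt is what makes the last check fail: even two accounts on the same site with the same password get different records, so an attacker holding the table cannot spot shared passwords or precompute a single lookup table for all users.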
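The XSS paragraph above describes markup from one user being served unchanged to every other reader, which is what lets an injected fake login form appear on the real site. The following added example (not Mumsnet's code; the page template, tag names and sample post are all constructed) shows the standard defence of HTML-encoding user-supplied text before it is placed in a page, alongside a check, using the standard-library HTML parser, that confirms the rendered page contains no tags other than the template's own.

```python
import html
from html.parser import HTMLParser
from typing import List

# Added example, not Mumsnet's code. A minimal page template (constructed) into
# which a user's post is rendered. Only these tags should ever come from the
# template; any other tag in the output arrived via user-supplied text.
POST_TEMPLATE = "<div class='post'><span class='user'>{user}</span><p>{body}</p></div>"
TEMPLATE_TAGS = {"div", "span", "p"}

# Constructed sample post. The body carries a form tag that, if inserted raw,
# would add a login form pointing at a placeholder host to every reader's page.
SAMPLE_POST = {
    "user": "example_user",
    "body": 'Agree with the above. <form action="https://not-this-site.example/login">',
}


def render_unsafe(post: dict) -> str:
    """Inserts user text verbatim: the vulnerable pattern the post describes."""
    return POST_TEMPLATE.format(user=post["user"], body=post["body"])


def render_safe(post: dict) -> str:
    """HTML-encode every user-supplied value so the browser shows it as text."""
    return POST_TEMPLATE.format(
        user=html.escape(post["user"], quote=True),
        body=html.escape(post["body"], quote=True),
    )


class _TagCollector(HTMLParser):
    """Collects the start tags a browser would see in a rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def injected_tags(rendered: str) -> List[str]:
    """Return any tags in the output that the template did not put there."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return [t for t in collector.tags if t not in TEMPLATE_TAGS]


if __name__ == "__main__":
    print("unsafe render adds:", injected_tags(render_unsafe(SAMPLE_POST)))
    print("safe render adds:", injected_tags(render_safe(SAMPLE_POST)))
```

The check in `injected_tags` is the kind of assertion worth keeping in a template test suite: it fails the moment any rendering path stops encoding, which is how old code that predates a site's escaping conventions gets caught during the code review the post mentions.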

TheHoneyBadger · 19/08/2015 12:04

i'm another who never logs in through a log in page but a bookmark to a thread and only changed my password when logged out by mn and did a reset password (which i did without re-entering my old one). yet my name is on that list with my old password.

i do hope tech won't just come and give us the same 'theory' of phishing without addressing the fact that so much falls outside of that theory.

i also wish for clarification about the law re: leaving a site up and online when you know that people's data can still be accessed. people have used info on that list to test and have been able to still even today log into people's accounts with that data. it is clearly therefore not secure.

if mnhq won't answer are there any experts in law in this area on this thread? i feel shocked that the site is being left up knowing this security breach is still in full swing. it shows total disregard for users data and privacy surely?

DavidTech · 19/08/2015 12:05

@ItsAllGoingToBeFine

There have been some posts suggesting deceased users were on the list, or very old usernames no longer in use - how does this tally with a recent phishing attack?

It has been suggested by the hacker that this was an "inside job" - have you investigated this possibility?

If people have firm details of instances of this please send them to [email protected] for the attention of tech.

The "inside job" accusation is very recent. I'll leave Justine to comment on that, but we are certainly not aware of it being the case.

MeetMeInTheMorning · 19/08/2015 12:05

"the list was only published last night and the information from users about the contents of the list is still coming thick and fast."

but I thought by forcing a reset then NONE of the details would work? It doesn't make sense for MNHQ to say none of the passwords will work but others to say that some of them still do.

By forced re-set do you mean that the onus is still on people to re-set and so if people are away or unaware of the situation their accounts are still vulnerable?

MeetMeInTheMorning · 19/08/2015 12:05

"The "inside job" accusation is very recent. I'll leave Justine to comment on that, but we are certainly not aware of it being the case."

very recent as in last night.

PlentyOfPubeGardens · 19/08/2015 12:06


How does logging in via FB / Twitter work and is it really more secure? Does MN save people's twitter and FB account names? If someone logged in to MN via social media on a phishing page, would this wankstain then be able to link people's MN username with their Twitter or FB account?

TheHoneyBadger · 19/08/2015 12:06

so why is the site still up? have you read that people have been using details on that list to successfully access other people's accounts?

please explain the rationale of leaving the site up KNOWING THIS.

is it money?

TheHoneyBadger · 19/08/2015 12:08

this is not recent anyway - this is a week long i'm told attack. including an individual's home being targeted for her association with mn (regardless of whether the address was directly lifted from here or found elsewhere as a result of being targeted due to this situation on here).

SkullyCat · 19/08/2015 12:10

I strongly believe right now that the only safe course of action is to take the site offline with only an official information update page viewable, which you guys can update at regular intervals.

While people's old pw are still usable, for whatever reason, it's NOT SAFE to keep it online, it really isn't

MardyBra · 19/08/2015 12:10

Hope you and your family are ok Justine Flowers

BertieBotts · 19/08/2015 12:10

YY Bin plus there are other websites which track talk forums. Like that one where everyone was seeing who was the most active poster etc.

Laura they have advised this repeatedly, plus it's written on every sign up page for every bank, paypal, ebay, any website where money changes hands that passwords should not be shared. MN can't gain entry to your bank in order to force you to change your password there; that's your responsibility.

DavidTech · 19/08/2015 12:11

@UnbelievableBollocks

The published list has shown that you appear not to have password complexity rules for users with administrative rights within your systems.

What will you do to address this, and how was it allowed when IT security 101 is decent password complexity?

There has always been a requirement for at least 8 characters, which is actually OWASP's recommendation. We added complexity requirements for admin staff last week and that will be added for users very soon.

BertieBotts · 19/08/2015 12:11

Skully, what do you think hackers have access to that they don't with the site offline?

TheHoneyBadger · 19/08/2015 12:11

it really isn't i agree.

also can we have confirmation that it is just a 'coincidence' that maryz finds herself blocked from mn? i really hope it is that rather than some kind of punishment for speaking, quite rightly as it turns out, about the inadequacy of the response to this security breach.

akkakk · 19/08/2015 12:12

TheHoneyBadger

ref. the law - the only potential breaches of law will be around data protection and a) such laws are rarely enforced and b) if a company is seen to be doing what they can then it is unlikely that they would be prosecuted and c) if prosecuted it is usually only a small fine

more to the point is PR / reputation - I know that my instinctive reaction would have been to take MN offline / put it up on a test server and done all my testing there, I wouldn't have left the site live

note, this is nothing to do with whether or not it is more secure, but simply to reassure people - the customer's comfort in using a site is commercially very valuable and it seems silly to mess with that... so your points are valid...

however the balancing point is that leaving it up allows communication to take place within the MN family walls which is good - I am surprised that some can still log in using the released passwords - the random tests I have done have all failed to login...

there are undoubtedly further things that MN can do, and perhaps they will reassure users that those things will happen

PoppyBlossom · 19/08/2015 12:12

Why are you still online? Do you believe it to be in the best interest of your users? Or your revenues?

TheHoneyBadger · 19/08/2015 12:14

bertiebots - how about seeing the email address of an ex on that list and with it her username and being able to enter her account, search her namechanges and every old post and pms to try and piece together her whereabouts? a namechange where she talked about his dv for example and then on her usual name using chat local or talking about visiting her cousin or whatever.

all sorts of things.

DavidTech · 19/08/2015 12:14

@ifigoup

Someone on another thread said that they are on the list, but never log in through a login page: they are permanently logged on and access MN via an old tab they've had open for months and months. It therefore seems very unlikely that the hacker could have accessed their info via a recent phishing expedition, yet there it is on the list.

Please send any such information, with as much detail as possible, to [email protected] and they'll forward it on. To be honest this sounds very unlikely, given the number of people complaining about constantly being logged out.

Fiderer · 19/08/2015 12:15

Question for Tech please. Is it correct that if you have a dynamic IP address then the published one will be of no use to hackers?

TheHoneyBadger · 19/08/2015 12:18

or the lists of feminist mn'ers who were put on shitlists on the internet by mra groups - quite handy to have their email address and access their account no? trawl through all of their history under various namechanges.

or just vindictive people with grudges who'd like to find out stuff to use against people.

you post, including under with the assumption it is not linked to your email address and you post under namechanges with the assumption it can't be linked to your normal name etc. email addresses have been published by the way but removed in some places to protect those people - not on the kind of places this guy is likely to be posting them though.

DavidTech · 19/08/2015 12:18

@TheHoneyBadger

i'm another who never logs in through a log in page but a bookmark to a thread and only changed my password when logged out by mn and did a reset password (which i did without re-entering my old one). yet my name is on that list with my old password.

Have you never been logged out in recent weeks - lots of people have complained about being logged out?

akkakk · 19/08/2015 12:19

Fiderer

I have posted about this

  • basically IP is of no use to anyone anyway :) other than to work out roughly which country you are in and sell to you!
  • those for whom it is important will have a fixed IP / VPN / etc. with additional firewalls and security, so not really an issue
  • a dynamic IP is usually only changed when you reconnect to broadband - with the common use of ADSL this can be months at a time as it is always on - it is not dynamic day to day
  • simply turn off your router, wait 10-15 seconds and turn back on - you will probably get a different IP address

use this website: ip-lookup.net/ to check before and after

toofarfromcivilisation · 19/08/2015 12:19

This seems to have coincided with me being asked to change my password on a couple of other sites including Facebook. Anyone else?

SkullyCat · 19/08/2015 12:20

"To be honest this sounds very unlikely, given the number of people complaining about constantly being logged out."

But were they actually being logged out?

I can name at least one occasion in the last week or two where in the middle of a thread i refreshed and suddenly got 'logged out'. i clicked the log in page, and then changed my mind and just refreshed MN altogether, and lo and behold, was still logged in.

DavidTech · 19/08/2015 12:20

@MeetMeInTheMorning

"the list was only published last night and the information from users about the contents of the list is still coming thick and fast."

but I thought by forcing a reset then NONE of the details would work? It doesn't make sense for MNHQ to say none of the passwords will work but others to say that some of them still do.

By forced re-set do you mean that the onus is still on people to re-set and so if people are away or unaware of the situation their accounts are still vulnerable?

None of the details would work after yesterday's forced reset, unless the user then goes in and resets their password to be the same as it used to be.

The reset happened regardless of user action - i.e. it's NOT the case that we ask people to reset and then they have to go and do it. The reset happened anyway and people then can only access by requesting a link via email.
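As an added example (not Mumsnet's code; the store layout, token lifetime and sample user are assumptions), this models the forced reset DavidTech describes: every stored verifier is discarded at once on the server, so old passwords stop working without any action by the user, and access is regained only by redeeming a single-use, time-limited token of the kind an emailed reset link carries. Only a hash of each token is stored, so a copy of the table does not yield working links.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Added example, not Mumsnet's code. The lifetime of a reset link is assumed.
TOKEN_TTL_SECONDS = 60 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash for the stored verifier (work factors assumed)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def _hash_token(token: str) -> bytes:
    """Reset tokens are random and high-entropy, so a plain SHA-256 is enough
    to avoid keeping the usable token itself in the store."""
    return hashlib.sha256(token.encode("utf-8")).digest()


class AccountStore:
    def __init__(self) -> None:
        # user -> (salt, verifier), or None once a forced reset has dropped it
        self.verifiers: Dict[str, Optional[Tuple[bytes, bytes]]] = {}
        # user -> (sha256(token), expiry timestamp); one outstanding token per user
        self.reset_tokens: Dict[str, Tuple[bytes, float]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.verifiers[user] = (salt, _hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        record = self.verifiers.get(user)
        if record is None:            # unknown user, or verifier dropped by a reset
            return False
        salt, verifier = record
        return hmac.compare_digest(_hash_password(password, salt), verifier)

    def force_reset_all(self) -> None:
        """Server-side reset: every account's verifier is discarded immediately,
        so no previously valid password works until the user redeems a link."""
        for user in self.verifiers:
            self.verifiers[user] = None

    def issue_reset_token(self, user: str, now: float) -> str:
        """Create the token an emailed link would carry; store only its hash."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[user] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, user: str, token: str, new_password: str, now: float) -> bool:
        """Accept the token once, within its lifetime, then set the new password."""
        entry = self.reset_tokens.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry or not hmac.compare_digest(_hash_token(token), digest):
            return False
        del self.reset_tokens[user]   # single use: a replayed link is rejected
        self.set_password(user, new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("alice", "old password")   # constructed sample user
    store.force_reset_all()
    print("old password after forced reset:", store.login("alice", "old password"))
    link_token = store.issue_reset_token("alice", now=0)
    print("redeem once:", store.redeem_reset_token("alice", link_token, "new password", now=60))
    print("redeem again:", store.redeem_reset_token("alice", link_token, "another", now=61))
```

The `now` parameter is passed in rather than read from the clock so that expiry can be exercised in tests. Note that nothing here stops a user choosing their old password again when redeeming the link, which is the caveat DavidTech gives; preventing that would require keeping the old verifier for comparison rather than discarding it.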

SylvanianCaliphate · 19/08/2015 12:20

Fiderer the ip is pretty much useless to a hacker anyway unless they can get you to install something.