
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and do contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site: a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

OP posts:
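The post above makes three points that are easier to see in working code: stored passwords are salted hashes that are useless on their own, a leaked list containing mistyped passwords points to capture at submission time rather than a database dump, and a forced reset only helps if the old password cannot be chosen again and live sessions are dropped too. The following is an added example written for this thread, not Mumsnet's own code; the algorithm (PBKDF2-HMAC-SHA256), the work factor, the `UserStore` class and all sample accounts and the "leaked" list are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Work-factor settings are illustrative assumptions, not the site's real configuration.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the returned string is what a database would hold."""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: Optional[str]) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    if stored is None:
        return False
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


class UserStore:
    """Minimal account table: current hash, retired hashes, and a session epoch."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = {"hash": hash_password(password), "retired": [], "epoch": 0}

    def login(self, username: str, password: str) -> Optional[int]:
        """Return the account's session epoch on success (stands in for a token), else None."""
        rec = self.users.get(username)
        if rec and verify_password(password, rec["hash"]):
            return rec["epoch"]
        return None

    def session_valid(self, username: str, token_epoch: int) -> bool:
        rec = self.users.get(username)
        return rec is not None and token_epoch == rec["epoch"]

    def force_reset_all(self) -> None:
        """Retire every credential and bump the epoch so existing sessions die as well."""
        for rec in self.users.values():
            if rec["hash"] is not None:
                rec["retired"].append(rec["hash"])
            rec["hash"] = None
            rec["epoch"] += 1

    def set_new_password(self, username: str, new_password: str) -> bool:
        """Refuse a new password that verifies against any retired hash for this account."""
        rec = self.users[username]
        if any(verify_password(new_password, old) for old in rec["retired"]):
            return False
        rec["hash"] = hash_password(new_password)
        return True


def triage_leaked_list(store: UserStore, leaked: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Check leaked username/password pairs against the hashes actually held.

    A database dump yields hashes, never plaintext. Pairs that fail verification
    (mistypes, stale passwords) are consistent with capture as the user submitted
    the form, which is the reasoning the post gives for phishing."""
    result: Dict[str, List[str]] = {"verifies": [], "does_not_verify": [], "unknown_user": []}
    for user, pw in leaked:
        rec = store.users.get(user)
        if rec is None:
            result["unknown_user"].append(user)
        elif verify_password(pw, rec["hash"]):
            result["verifies"].append(user)
        else:
            result["does_not_verify"].append(user)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed sample data: three accounts and a 'leaked' list containing a typo."""
    store = UserStore()
    store.register("alice", "correct horse")
    store.register("bob", "battery staple")
    store.register("carol", "tr0ub4dor")
    leaked = [("alice", "correct horse"), ("bob", "batery staple"), ("dave", "x")]
    return triage_leaked_list(store, leaked)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` classifies alice as verifying, bob as not verifying (the typo) and dave as an unknown user. A real triage would also record when each account last logged in, since an account idle since before the capture window cannot have been phished during it.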
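The XSS scenario the post describes, injected markup that retargets the login form at another site, has two standard defences on the server side: escape user-supplied post text before it is placed in a page, and send a Content-Security-Policy whose `form-action` directive tells the browser to refuse submitting any form to a foreign origin. This is an added illustration for the thread, not Mumsnet's own code; the policy string, the origins and the post body are constructed, and `form_action_allowed` is a simplified model of the browser's check (only `'self'`, `'none'` and explicit origins are handled).

```python
import html
from typing import Dict, List
from urllib.parse import urlsplit


def render_post(body: str) -> str:
    """Escape user text so markup in a post is shown as text, never executed."""
    return '<p class="post">' + html.escape(body, quote=True) + "</p>"


def login_page_headers() -> Dict[str, str]:
    """Headers for a login page (constructed example policy).

    form-action 'self' makes the browser refuse to submit the form anywhere but
    our own origin, even if injected markup changes the form's action attribute;
    default-src 'self' blocks inline and third-party script."""
    return {
        "Content-Security-Policy": "default-src 'self'; form-action 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def _parse_csp(csp: str) -> Dict[str, List[str]]:
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def form_action_allowed(csp: str, page_origin: str, target_url: str) -> bool:
    """Simplified model of the browser's form-action check: may a form on
    page_origin submit to target_url under this policy?"""
    sources = _parse_csp(csp).get("form-action")
    if sources is None:
        return True  # no form-action directive means no restriction
    parts = urlsplit(target_url)
    target_origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and target_origin == page_origin:
            return True
        if src == target_origin:
            return True
    return False


if __name__ == "__main__":
    csp = login_page_headers()["Content-Security-Policy"]
    print(render_post("hello <b>world</b>"))
    print(form_action_allowed(csp, "https://forum.example", "https://forum.example/login"))
    print(form_action_allowed(csp, "https://forum.example", "https://collector.example/post"))
```

Escaping covers content the site renders itself; the policy covers the case where escaping was missed somewhere, since the browser enforces it regardless of how the markup got onto the page. Note that `form-action` does not stop a script that reads the fields and sends them elsewhere, which is why `default-src 'self'` (no inline script) is part of the same policy.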
JustineMumsnet · 19/08/2015 12:20

@DavidTech

[quote ItsAllGoingToBeFine] There have been some posts suggesting deceased users were on the list, or very old usernames no longer in use - how does this tally with a recent phishing attack?

It has been suggested by the hacker that this was an "inside job" - have you investigated this possibility?

If people have firm details of instances of this please send them to [email protected] for the attention of tech.

The "inside job" accusation is very recent. I'll leave Justine to comment on that, but we are certainly not aware of it being the case.[/quote]

We have no reason to believe it was an inside job - Mumsnet staff don't have access to passwords and haven't for some time. The list included passwords from some newer HQ members - so it's definitely not just an old list from pre-encryption times.

OP posts:
twirlypoo · 19/08/2015 12:21

davidTech I use the app over the mumsnet site and I can't be 100% certain but I am at least 95% ish that I haven't logged in for months until yesterday when I couldn't get access to the site as you had reset the passwords.

Could this be connected to the app rather than online?

Queenbean · 19/08/2015 12:21

None of the details would work after yesterday's forced reset, unless the user then goes in and resets their password to be the same as it used to be.

That's a pretty basic error on your part, isn't it? Passwords shouldn't be able to be changed to the previous one - everyone should have been forced to have a new password.

DavidTech · 19/08/2015 12:22

@TheHoneyBadger

this is not recent anyway - this is a week long i'm told attack. including an individual's home being targeted for her association with mn (regardless of whether the address was directly lifted from here or found elsewhere as a result of being targeted due to this situation on here).

We've been working around the clock since Tuesday evening last week. The recent part is the publishing of passwords, which happened late last night and has been worked on ever since.

Fiderer · 19/08/2015 12:23

akkakk Thanks. I thought it changed when you re-connected to the internet. I checked mine earlier and it is different today than the published one.

But good to know about the router.

Might be a good thing for Tech to sticky as it's another worry for posters.

SylvanianCaliphate · 19/08/2015 12:23

Twirly is your password on the list the new one or one pre yesterday?

TheHoneyBadger · 19/08/2015 12:23

is it strange that all the onus to trawl lists, check whether data published is up to date or old, whether members are active (re: they can't have been phished if they haven't been on here for months etc.) is on individuals, not the org that has been hacked?

is there no way for mn to test their hypothesis that it's just info gotten by phishing by checking that all the users on that list are actually active?

i'm genuinely surprised how little responsibility seems to fall to the data holder. baffled that you're still online waiting for us to provide evidence to you that it's not secure rather than taking it offline until you can verify it.

not trying to be offensive just to understand and to register that i for one find this totally unacceptable.

CaveMum · 19/08/2015 12:24

I flagged up on the original thread about this that my email account was compromised last week - everyone in my address book received a spam link. RebeccaMumsnet said they'd look into this in case it was connected and another user said the same had happened to her.

I know it's possibly a coincidence but it's worth mentioning as it might be connected. It's certainly never happened to me before now.

DavidTech I've sent you a PM on something related that might be of interest, it's too personal to post publicly but let me know if it helps.

neepsandtatties · 19/08/2015 12:25

None of the details would work after yesterday's forced reset, unless the user then goes in and resets their password to be the same as it used to be.

That's a pretty basic error on your part, isn't it? Passwords shouldn't be able to be changed to the previous one - everyone should have been forced to have a new password.

Especially as people weren't aware that this reset was for security reasons (the emails hadn't gone out/arrived yet) so would just assume that reusing their existing one would be okay

TheHoneyBadger · 19/08/2015 12:26

no because the password reset page didn't even tell them there'd been a breach of security.

akkakk · 19/08/2015 12:26

Right - I have to go and do some work :)
if you are concerned about what is listed - do PM me and I will try and reply

list of all names & lots of comments advising on what you need to do / worry about is on this thread: www.mumsnet.com/Talk/_chat/2451977-Am-I-on-the-list

TheHoneyBadger · 19/08/2015 12:27

i'd still love to hear what rationale you are using to decide to keep the site up and what it would take for you to take it offline.

twirlypoo · 19/08/2015 12:28

sylvanian the password listed is my post heartbleed whotsit one, but I changed it at the forced reset yesterday so not new in the last 24 hours!

BinToHellAndBack · 19/08/2015 12:30

Whilst there is any confusion left regarding the nature of the attack and who has had their security breached (and to what extent), can we please have access to old threads removed?

People have written all sorts of stuff about themselves on here on the understanding that it was anonymous. No-one can be absolutely certain about how anonymous it is now because the details of the attack aren't clear yet.

Can't you just turn off all old threads and allow new ones and ones about the attack only?

Beeswax2017 · 19/08/2015 12:30

This reply has been deleted

Message withdrawn at poster's request.

ItsAllGoingToBeFine · 19/08/2015 12:31

The reset happened regardless of user action - i.e. it's NOT the case that we ask people to reset and then they have to go and do it. The reset happened anyway and people then can only access by requesting a link via email.

You may have reset everyone's passwords, but you should have forced everyone to log out too.

JustineMumsnet · 19/08/2015 12:32

@TheHoneyBadger

it really isn't i agree.

also can we have confirmation that it is just a 'coincidence' that maryz finds herself blocked from mn? i really hope it is that rather than some kind of punishment for speaking, quite rightly as it turns out, about the inadequacy of the response to this security breach.

Definitely not been blocked.

OP posts:
wannaBe · 19/08/2015 12:33

Tbh if you're forced to change a password it's common sense not to use the same one again,

Wiifitmama · 19/08/2015 12:36

Just to add my two cents: I am quite cross about this. I am on that list. I have spent all morning signing up to a password app and changing my passwords on my whole life. Hours and hours wasted.

tokyobananas · 19/08/2015 12:37

honeybadger I hear what you're saying - I was on the list (de-regged, re-regged) and I am thinking through possible repercussions for having the info on that list available along with my posting history, should anyone have a particular interest in cross-referencing. And for that reason yes I'm a bit nervy about the existence of the mumsnet archive, at the mo.

However, with the number of people this affects I would imagine that taking MN offline right now would leave an awful lot of people very much in the dark about what's going on and with no way other than emailing mumsnet to find out. And with the best will in the world, even if only 1/3 of that list wanted more info, that's 1000 email correspondences for MN towers to enter into with possibly very frightened posters wanting detailed information, at the same time as dealing with everything else.

With the 'asking us to prove' thing - I don't think MN are doing nothing. I think they are saying that info from users could be helpful - and they're right to do so. We're all best placed to say what's happening to us as individuals, and the scale of research - looking into every poster's activity and password history, I think that would have to be manually done? It's doable, and they may be doing it - but I don't think it'd be doable within 24 hours, and in this case reports may be helpful to indicate places for tech to start looking.

Agree that this is unfortunate as it's been going on too long. But also - I'm not an internet dummy. I saw the initial hack, I saw the homepage be changed and consider it partly on me that I didn't consider that if the homepage can change to dadsec, it could also change to a false login, or any other number of things could happen. I wasn't vigilant enough. I also wasn't vigilant enough to have my MN password be unique to the site. That is also my fault, as it contravenes all advice about best online practices.

WitchofScots · 19/08/2015 12:38

One of the things that I do to try and make things a little more secure is to have an email address that I only use for Mumsnet and nowhere else, that way if a phishing attempt works they only get my email address and password for this site and no other. Email addresses like hotmail, yahoo and gmail are easily obtained - and changed - at will.

ItsAllGoingToBeFine · 19/08/2015 12:39

To be honest, as there was nothing posted on reset password or login pages a lot of people probably didn't realise what was going on and just kept using the same password somewhere until it worked again.

Altinkum · 19/08/2015 12:39

This reply has been deleted

Message withdrawn at poster's request.

Skullyton · 19/08/2015 12:40

yes, but common sense seems to be lacking in a lot of people wannabe!

You'd THINK it was common sense not to use the same pw, but apparently not!

JustineMumsnet · 19/08/2015 12:40

@TheHoneyBadger

so why is the site still up? have you read that people have been using details on that list to successfully access other people's accounts?

please explain the rationale of leaving the site up KNOWING THIS.

is it money?

No it's not money. The site is also still being used by people with genuine issues and problems - there was a thread going on last night at exactly the same time as the hacker was here, started by someone looking for support because her dh had committed suicide.

We believe we have taken reasonable steps to ensure data security given what we know and when we knew it. If we shut the site down then the hacker has succeeded in shutting down a very useful site that is predominantly a space for women. And no site can guarantee complete security but ultimately if you feel compromised or worried then you can and should leave because we're here to make folks easier, not the reverse.

OP posts: