
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here, courtesy of the tech team, is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of the resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions, do post here - we'll answer as transparently as we can, bearing in mind the caveat about helping future hackers mentioned earlier.
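The post above describes stored XSS as the likely route: user-supplied content that the site echoes to other readers can carry script that changes where the login form submits. The following is an added example written for this thread, not Mumsnet's code, showing a vulnerable render next to a hardened one (HTML-encoding of user text), a simple check over the rendered output, and a Content-Security-Policy whose `form-action` directive stops a form being pointed at another origin. The post text, the login form markup and the function names are all constructed for illustration.

```python
import html
import re

# Constructed sample of user-submitted post text containing an injected script
# (placeholder content; not taken from the incident described in the thread).
USER_POST = 'Lovely thread <script>/* attacker-controlled code would go here */</script> :)'

# The page's own trusted login form (hypothetical markup, not the site's).
LOGIN_FORM = ('<form id="login" action="https://www.mumsnet.com/login" method="post">'
              '<input name="username"><input name="password" type="password"></form>')


def render_unsafe(post_body):
    """Vulnerable rendering: user text goes into the page as raw HTML, so any
    <script> it contains runs in every other reader's browser (stored XSS)."""
    return f'<div class="post">{post_body}</div>\n{LOGIN_FORM}'


def render_safe(post_body):
    """Hardened rendering: HTML-encode the user text so the browser displays
    the angle brackets as characters instead of parsing them as tags."""
    return f'<div class="post">{html.escape(post_body, quote=True)}</div>\n{LOGIN_FORM}'


SCRIPT_TAG = re.compile(r'<script\b', re.IGNORECASE)


def foreign_script_count(rendered):
    """Detection check over rendered output: count live <script> tags.
    The trusted template above contains none, so any hit came from user content."""
    return len(SCRIPT_TAG.findall(rendered))


def csp_header():
    """Defence in depth: a Content-Security-Policy value that forbids inline
    scripts and, via form-action, stops a login form from being submitted to
    another origin even if some markup does slip through the encoding."""
    return "default-src 'self'; script-src 'self'; form-action 'self'"


if __name__ == "__main__":
    print("unsafe render, script tags:", foreign_script_count(render_unsafe(USER_POST)))
    print("safe render,   script tags:", foreign_script_count(render_safe(USER_POST)))
    print("Content-Security-Policy:", csp_header())
```

The encoding step is the primary fix; the CSP is a second layer that limits what injected markup can do if encoding is missed somewhere, which is exactly the "redirect the login process to their own site" case the post describes.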
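The post also gives the numbers behind the denial of service: a typical 50-100 requests per second against around 17,000 during the attack, with larger requests than normal. As an added example (not the site's tooling; the log format, the threshold and the sample lines are assumptions), here is the kind of per-second rate check a defender runs over access logs to spot such a flood, with a constructed log of one quiet second followed by one flooded second.

```python
import re
from collections import defaultdict

# Combined-log-style line format (assumption: the site's real log format is not on the page).
# The trailing size field is treated as the request size (e.g. Apache mod_logio's %I);
# in a default combined log it would be the response size instead.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)

BASELINE_RPS = 100   # the "50-100 requests per second" typical load quoted in the post
FLOOD_FACTOR = 10    # flag any second at or above 10x the baseline


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def per_second_stats(lines):
    """Aggregate request count and total size per timestamp (one-second resolution)."""
    counts = defaultdict(int)
    total_bytes = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["ts"]] += 1
        total_bytes[rec["ts"]] += int(rec["bytes"])
    return dict(counts), dict(total_bytes)


def flood_seconds(counts, baseline_rps=BASELINE_RPS, factor=FLOOD_FACTOR):
    """Timestamps whose request rate is at least factor x the baseline."""
    return sorted(ts for ts, n in counts.items() if n >= baseline_rps * factor)


def mean_request_bytes(counts, total_bytes, ts):
    """Average size per request in the given second."""
    return total_bytes[ts] / counts[ts]


def make_sample_log():
    """Constructed sample, not real traffic: one normal second (80 requests of
    512 bytes) followed by one flood second (2000 requests of 4096 bytes)."""
    lines = []
    for i in range(80):
        lines.append(f'203.0.113.{i % 200} - - [01/Jan/2015:11:00:00 +0000] '
                     f'"GET /Talk HTTP/1.1" 200 512')
    for i in range(2000):
        lines.append(f'198.51.100.{i % 250} - - [01/Jan/2015:11:00:01 +0000] '
                     f'"POST /Talk/search HTTP/1.1" 200 4096')
    return lines


if __name__ == "__main__":
    counts, total_bytes = per_second_stats(make_sample_log())
    for ts in flood_seconds(counts):
        print(f"{ts}: {counts[ts]} req/s, "
              f"mean {mean_request_bytes(counts, total_bytes, ts):.0f} bytes per request")
```

A fixed multiple of the quiet-time baseline is deliberately simple; in practice the threshold would come from the site's own traffic history, but the two signals here (requests per second and bytes per request) are the ones the post itself uses to characterise the attack.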

JustineMumsnet · 19/08/2015 12:41

@MardyBra

Hope you and your family are ok Justine Flowers

Thanks Mardy - family all fine - if somewhat neglected.

JustineMumsnet · 19/08/2015 12:42

@Altinkum

*davidtech*

When posters are being forced to change their password, can you put an alert message on stating it has to be a new password, not the old one?

Many posters, as many have said, still do not know the site is under attack.

Yes we can and will add extra messaging in the next little while. Thanks.

DavidTech · 19/08/2015 12:44

@TheHoneyBadger

Is it strange that all the onus to trawl lists, check whether data published is up to date or old, whether members are active (re: they can't have been phished if they haven't been on here for months etc) is on individuals, not the org that has been hacked?

Is there no way for MN to test their hypothesis that it's just info gotten by phishing by checking that all the users on that list are actually active?

I'm genuinely surprised how little responsibility seems to fall to the data holder. Baffled that you're still online waiting for us to provide evidence to you that it's not secure rather than taking it offline until you can verify it.

Not trying to be offensive, just to understand and to register that I for one find this totally unacceptable.

The onus is not on you to do anything other than set a good strong password (which we will enforce, very soon). We have been analysing this situation for a week and continue to do so. There is a huge amount of data involved and it takes time. Some of the tech team are very experienced, and we're using external help, but we don't, of course, have infinite resources. If people can provide extra information that's really great and we're appreciative of it. That's why I've suggested that if you do have something that you think might be useful, like finding account details for an account that hasn't been used for a long time, it would be really kind of you to let us know. Thanks.

MeetMeInTheMorning · 19/08/2015 12:44

I had no idea what was going on until I logged in by coincidence late last night at almost exactly the same time that the list was tweeted. I was away in a place with no signal all weekend.

I am sure I am not alone in this. I also didn't log in to mumsnet between 6th and 11th as far as I can see so any phishing during that time wouldn't have got me. I am on the list though.

BinToHellAndBack · 19/08/2015 12:45

People with those sorts of sensitive threads could re-start them if you wiped all old threads. Those already reading their threads would look for them again...

People in the throes of something awful will not be thinking about a data breach and may be the most likely not to deal with passwords etc properly. All the more reason to wipe old threads surely!

UnbelievableBollocks · 19/08/2015 12:45

There has always been a requirement for at least 8 characters, which is actually the OWASP's recommendation.

They may have been recommendations, but it's established good practice that admin passwords should be more complex, regardless of whether you have enforced complexity rules. It's a bit like having the best safe money can buy, with a lock combo of 00000000 because the recommendation is a code of 8 numbers. It's valid, but bonkers.

Hey ho!

twirlypoo · 19/08/2015 12:48

I originally thought that the site should be shut too while they figured out what is going on - but you know what? Fuck him! He has all my info already, if he shuts the site too (because of the resulting panic) then he has succeeded. I was nervous this morning, but now I am just pissed off that this bully has targeted women with a voice. The taunting / swatting / gradual release of info is just plain old bullying by someone hiding behind his keyboard, and I'll be fucked if he will win. So there. Right, I'm off my soap box now!

DavidTech · 19/08/2015 12:49

@LivinLaVidaLoki

This did not happen this time. I have been happily mooching about on MN using the login/password that has been shared, using the app, none the wiser about anything that has gone on until I happened to check an old email address (purely by fluke) and noticed the reset password email (about 8.30 this morning), so that is when I changed my password.

Up until then I had just been continually logged in on my app, not shut out, no 'fail to login', just me, pissing about looking at the "Threads I'm on" on the app.

Existing login sessions were maintained. Passwords were definitely reset.

DavidTech · 19/08/2015 12:50

@Queenbean

None of the details would work after yesterday's forced reset, unless the user then goes in and resets their password to be the same as it used to be.

That's a pretty basic error on your part, isn't it - passwords shouldn't be able to be changed to the previous one - everyone should have been forced to have a new password.

It was an urgency thing. That is being implemented now.
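The exchange above, together with the OP's points that passwords are stored with a recommended algorithm at a high work factor, that a forced reset renders the published list useless only if users do not pick the same password again, and that a minimum of 8 characters is now enforced, is illustrated by the following added example. It is not Mumsnet's code: the storage format, the PBKDF2 choice, the iteration count and the account structure are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000      # high work factor; tuned to what the server can afford per login
MIN_LENGTH = 8            # the minimum length the thread says is enforced
HISTORY_DEPTH = 5         # how many previous hashes are kept for the reuse check


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored string carries everything
    needed to verify a guess and nothing that gives the password back, so a
    copy of it is useless as a credential here or on another site."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def new_account(password):
    """Hypothetical account record: current hash plus a list of retired hashes."""
    return {"hash": hash_password(password), "history": []}


def force_reset(account):
    """Invalidate the current credential (as in the site-wide reset) but keep its
    hash in history so the same password cannot simply be chosen again."""
    if account["hash"] is not None:
        account["history"] = [account["hash"]] + account["history"][: HISTORY_DEPTH - 1]
        account["hash"] = None


def set_new_password(account, new_password):
    """Apply the length rule and the reuse rule; returns 'ok', 'too_short' or 'reused'."""
    if len(new_password) < MIN_LENGTH:
        return "too_short"
    candidates = ([account["hash"]] if account["hash"] else []) + account["history"]
    if any(verify_password(new_password, old) for old in candidates):
        return "reused"
    if account["hash"] is not None:
        account["history"] = [account["hash"]] + account["history"][: HISTORY_DEPTH - 1]
    account["hash"] = hash_password(new_password)
    return "ok"


if __name__ == "__main__":
    acct = new_account("hunter2hunter")          # constructed sample credential
    force_reset(acct)
    print(set_new_password(acct, "hunter2hunter"))          # reused
    print(set_new_password(acct, "short"))                  # too_short
    print(set_new_password(acct, "correct horse battery"))  # ok
```

Keeping the retired hash rather than the password is what makes the reuse check possible without weakening storage: the check is just one more verification against history, and the old hash is no more useful to an attacker than the current one.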

DavidTech · 19/08/2015 12:51

@ItsAllGoingToBeFine

The reset happened regardless of user action - i.e. it's NOT the case that we ask people to reset and then they have to go and do it. The reset happened anyway and people then can only access by requesting a link via email.

You may have reset everyone's passwords, but you should have forced everyone to log out too.

For good reasons I'm not going to go into we elected not to do this. We may yet.

MaudGonneMad · 19/08/2015 12:52

I've just logged in, and noticed the warning on the log-in page to make sure that the browser address has https in front of the www.mumsnet.com. So I pasted in the https bit, but it defaulted back straight away to www.mumsnet.com

Have I been phished?

Beeswax2017 · 19/08/2015 12:52

This reply has been deleted

Message withdrawn at poster's request.

LauraGrooves · 19/08/2015 12:53

There was no requirement for passwords to be 8 characters until recently.

I used to have a 6 character all letters for ages.

Does seem like a mixture of very outdated custom technology, a real lack of any planning of what to do after a data leak, and very bad communication. Failing on many sides, but it does sound at least like the passwords were decently encrypted so these probably haven't been stolen.

Pretty shocking failings considering the popularity.

wannaBe · 19/08/2015 12:54

tbh this should be more of a wakeup call to individuals to A, not have the same passwords for things such as email/social media/your bank account, and B, never to share more of yourself anywhere online that you wouldn't want to be discovered. For me the issue is more that mn hq haven't stayed in communication with users rather than the fact that this happened in the first place.

I realise that people are concerned re e.g. people with a history of dv giving their address out in a PM, but in truth if someone is vulnerable giving their pm to an unknown stranger on the internet was never a good idea anyway, and mn hq have always been clear that users are responsible for what information they give to people online and how close they allow themselves to get to people. After all, for all we know Jeffrey could be a well known mn'er masquerading as a supportive woman helping people out on e.g. relationships or legal, so when people give their address to someone be that via pm or otherwise they are already compromising their safety on the basis you never know who someone is online.

MN HQ do need to be communicating more over what they're doing, and I am still of the view that the site should be taken down in the meantime, but ultimately we are all responsible for how much identifiable information we put out there about ourselves.

Thisisbonkers · 19/08/2015 12:55

I only found out about this via a (completely unrelated!) Facebook group. I only use one or two of the talk sections and there are probably many more like me. I think you need to pin something everywhere that people can see.

I was forcibly logged out yesterday, and was somewhat confused when my 'remembered' password wouldn't work. So I hit the reset link and set it back to what I thought it was. I now need to change that again (!) but there was no mention of any hacking.

I'm on 'a' list. It's a bit unsettling to be honest.

Altinkum · 19/08/2015 12:57

This reply has been deleted

Message withdrawn at poster's request.

howtorebuild · 19/08/2015 12:57

Why is he still posting on the site outage thread?

MeetMeInTheMorning · 19/08/2015 12:58

"That's why I've suggested that if you do have something that you think might be useful, like finding account details for an account that hasn't been used for a long time, it would be really kind of you to let us know. Thanks."

I am checking some, and the furthest back one I have found so far (for posting) is Potatoqueen, who posted in June but not in August. Of course she may have logged in after that but not posted.

WorraLiberty · 19/08/2015 12:58

I don't know if it's of any help, but my password on the list was definitely the one I used before the forced change.

Also DavidTech I know you've got a million and one things to do, but is there any chance of giving us a 'delete all' button for PMs?

I've just had to delete PMs (both sent and received) individually and some of them dated back to 2011.

It took ages to check all the boxes.

Altinkum · 19/08/2015 12:59

This reply has been deleted

Message withdrawn at poster's request.

JustineMumsnet · 19/08/2015 13:01

@WorraLiberty

I don't know if it's of any help, but my password on the list was definitely the one I used before the forced change.

Also DavidTech I know you've got a million and one things to do, but is there any chance of giving us a 'delete all' button for PMs?

I've just had to delete PMs (both sent and received) individually and some of them dated back to 2011.

It took ages to check all the boxes.

Will look into this - ie how long would take - and report back pronto

BertieBotts · 19/08/2015 13:01

Honey sorry, threads are moving too fast and DC demanding lunch (so needy!) - yes those things are concerning however they are available whether the site is up or not. Google and various board reader apps/sites have caches of various pages. Conversely threads in chat, 30 days and the other place are not google indexed.

Most people's abusive exes already know their real names which is all you need for a 192 search.

I think it's more valuable for the site to be up so that HQ can reassure people live and folk can ask questions and have a place to flail, plus other ongoing support threads which are unrelated can continue.

MeetMeInTheMorning · 19/08/2015 13:01

nadine1980x - not posted all year.

DavidTech · 19/08/2015 13:01

@MaudGonneMad

I've just logged in, and noticed the warning on the log-in page to make sure that the browser address has https in front of the www.mumsnet.com. So I pasted in the https bit, but it defaulted back straight away to www.mumsnet.com

Have I been phished?

No. If you manually type in HTTPS and visit a page other than the login ones you'll be redirected to HTTP.

BertieBotts · 19/08/2015 13:02

I had a 7 character password until heartbleed.