
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyze, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.
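The post above says stored passwords are "encrypted" so that a leaked copy "wouldn't work on our site", and that a phished list contains mistypes a database never would. The following is an added illustration of that property using salted, iterated hashing (PBKDF2-HMAC-SHA256); it is not Mumsnet's code, and the algorithm and iteration count are assumptions for the example, not a statement of what the site uses.

```python
"""Illustration of salted, iterated password hashing and why a leaked hash
cannot be replayed as a password. Algorithm and parameters are assumed for
this example, not taken from the site discussed above."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed "strength" setting; higher costs attackers more per guess


def hash_password(password, salt=None):
    """Return a storable string: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    A fresh random salt per user means identical passwords hash differently,
    so a leaked table cannot be attacked with one precomputed list.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    stored = hash_password("correct horse")          # what the database would hold
    print(verify_password(stored, "correct horse"))  # the real password logs in
    print(verify_password(stored, "corect horse"))   # a mistype is only ever seen by a phisher
    print(verify_password(stored, stored))           # replaying the stolen hash itself fails
```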

Fiderer · 19/08/2015 13:23

I'm on the list also and didn't have to type in my password in the last 10 days. The page said Log In but the info was already there.

I just got Fiderer / password ........ and then clicked log in.

Is that also phishing?

DavidTech · 19/08/2015 13:23

@Skullyton

Can I bring this to people's attention again!

"To be honest this sounds very unlikely, given the number of people complaining about constantly being logged out."

But were they actually being logged out?

I can name at least one occasion in the last week or two where in the middle of a thread I refreshed and suddenly got 'logged out'. I clicked the log in page, and then changed my mind and just refreshed MN altogether, and lo and behold, was still logged in."

This has to have been a phishing redirect, right?

Clicking logout really did log you out, but some of the "Oh hold on, I've been logged out" were cases where you hadn't been. This was a bug which related to people appearing to be logged out when they were on a CONTENT page (i.e. the home page, or say, /babies) not a TALK page. So there were two things going on here - that bug, plus another whereby the "remember me" option wasn't working properly.

forago · 19/08/2015 13:25

Why are the passwords on his website clear text if they were encrypted in your database?

Why was my username and an IP address on the list only but no password or email address?

MardyBra · 19/08/2015 13:27

I don't know if this is relevant, but posting anyway.

I log out frequently and sometimes don't bother to log back in unless I want to post (don't want my teenagers using my ipad and finding out my MN name). I sometimes forget to log out though.

However, I've noticed recently that I've been able to bookmark a thread even when I've not been logged in.

ItsAllGoingToBeFine · 19/08/2015 13:27

Why are the passwords on his website clear text if they were encrypted in your database?

Because when you login you use plain text

Why was my username and an IP address on the list only but no password or email address?

No email addresses are on the list. You must have not entered your password and hit enter.

BertieBotts · 19/08/2015 13:27

Maud simple version: Don't worry. What you've said sounds fine and as it should be :)

Playing I'm getting the whole site intermittently loading a low-bandwidth version of pages so would put it down to excess load on the site due to many people refreshing and posting on these threads about this issue.

SusanMichelson · 19/08/2015 13:28

Hello David, Justine,

I would like to ask whether you are aware of the two (at least) 'dad sec' accounts on twitter, in terms of trying to track down the person who is using them (and in some instances has hacked them)?

Are the police aware of them?

Thank you.

MaudGonneMad · 19/08/2015 13:28

Thanks Bertie

Skullyton · 19/08/2015 13:28

"Clicking logout really did log you out, but some of the "Oh hold on, I've been logged out" were cases where you hadn't been. This was a bug which related to people appearing to be logged out when they were on a CONTENT page (i.e. the home page, or say, /babies) not a TALK page. So there were two things going on here - that bug, plus another whereby the "remember me" option wasn't working properly."

1) I did not click log out.

2) I was not on a content page, but a talk page.

I was reading a thread I had previously posted on, refreshed to see if anyone else had posted and went to add another reply, but it wouldn't let me.
It was telling me I was no longer logged in.
So I clicked 'log in' at the top of the page.
I then decided something didn't seem right, closed the page, reopened it and was still logged in.

MeetMeInTheMorning · 19/08/2015 13:29

DAVIDTECH....

I have searched my history as someone has posted in another thread about porn popping up. I remembered that I had something and checking my history I can see it was late on 12th August and the site was an escort site called 'Vivastreet' which popped up and then disappeared. However, I don't seem to have logged into Mumsnet that day.

I am on the list, under another user name, not sure if this is relevant.

BertieBotts · 19/08/2015 13:29

Mardy that might be stored using cookies rather than a user log in. Does the bookmark then work or not? If it's cookies you'd expect it to work on that device but if you accessed on a different device (or using private browsing) then it would no longer work.

BertieBotts · 19/08/2015 13:29

Whereas logged-in bookmarks work across devices.

PaulMoore · 19/08/2015 13:30

The tech team have made some curiously bizarre decisions/comments.

Passwords & encryption don't mix. They're either using the incorrect term or the incorrect method; neither reflects well on their ability to protect users. There is no single "recommended algorithm"; each case is different. It doesn't mean a great deal unless you know where these recommendations came from. A Google search, for example, is festooned with recommendations like "use SHA256", "MD5" and "Base64"; none of which are appropriate.

Likewise your use of HTTPS/SSL/TLS. Sadly, the current implementation is virtually useless. It is not sufficient to "secure" login/registration pages, as the cookies which maintain the session are subsequently sent over an insecure protocol.

Had the team implemented CSP, it's highly likely that any XSS/rogue dependencies would have been identified before any breach had taken effect. As it happens, there's no CSP whatsoever.

Can they clarify exactly how passwords are stored? Revealing the storage algorithm won't adversely affect security at all... but it will help put minds at rest.

Thanks.
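The two weaknesses raised in the post above (session cookies sent over plain HTTP because only the login page is HTTPS, and no Content-Security-Policy header) can be checked from a site's response headers. The audit below is an added example, not code from the poster or from Mumsnet; the header sets are constructed for illustration, and the check also looks for HttpOnly and Strict-Transport-Security, which go slightly beyond the post.

```python
"""Audit captured HTTP response headers for the session-cookie and CSP
weaknesses discussed above. Both header sets are constructed samples,
not responses captured from any real site."""


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers):
    """Return a list of findings for a list of (header-name, value) pairs."""
    findings = []
    present = {h.lower() for h, _ in headers}
    for h, v in headers:
        if h.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: it is sent over plain HTTP too")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    if "content-security-policy" not in present:
        findings.append("no Content-Security-Policy: injected scripts run unrestricted")
    if "strict-transport-security" not in present:
        findings.append("no Strict-Transport-Security: browsers will still use HTTP")
    return findings


# Constructed sample: HTTPS login page, but the session cookie has no flags and no CSP.
WEAK = [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")]

# Constructed sample of the hardened equivalent.
HARDENED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["no findings"])
```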

TheHoneyBadger · 19/08/2015 13:30

justine: And no site can guarantee complete security but ultimately if you feel compromised or worried then you can and should leave because we're here to make folks easier, not the reverse

that reads quite PA tbh (if you don't like it leave) and solves nothing - how will me leaving secure my data? are you now saying you will delete all data held on and all posting history of all the posters who de-reg?

i don't understand you telling me that if i feel compromised or worried by my data having been taken from here and posted on the web i should leave - is it not normal to be worried and feel compromised by that? Confused

btw i still wouldn't even know i'd been compromised if i hadn't happened to be told by another mn'er.

DavidTech · 19/08/2015 13:31

@Fiderer

I'm on the list also and didn't have to type in my password in the last 10 days. The page said Log In but the info was already there.

I just got Fiderer / password ........ and then clicked log in.

Is that also phishing?

Not typing the password doesn't mean it wasn't phished. Your browser still processes the password, even if it was remembered by it or by a password manager plug-in, and thus it could still have been captured.

forago · 19/08/2015 13:32

*Why are the passwords on his website clear text if they were encrypted in your database?

Because when you login you use plain text

Why was my username and an IP address on the list only but no password or email address?

No email addresses are on the list. You must have not entered your password and hit enter.*

There are email addresses on the list but only @mumsnet.com ones, i.e. staff (=insider, surely, like he says on his twitter account)

So this was just phishing pure and simple? No actual hack of the backend database? I definitely haven't done:

"You must have not entered your password and hit enter."

MeetMeInTheMorning · 19/08/2015 13:33

TECH

the following username is on the list but has never posted

TheGirlAtTheRockSow

Obviously they may be a lurker who logs in regularly but never posts but perhaps you could use this as one example to check. Maybe see if they have logged in at all during the time frame. If not then clearly they have not been Phished?

Fiderer · 19/08/2015 13:33

DavidTech OK, thanks. Think I've got a lot to learn Smile

TheHoneyBadger · 19/08/2015 13:34

yes i'd also like clear info on how my address (which has been given, and i'm told stored 'elsewhere') is stored and how i can legally request it be removed given the security breach.

MardyBra · 19/08/2015 13:34

thanks Bertie. I suspect I was still logged in even though it looked like I was logged out as per Skully's post above. Normally I can't bookmark MN when I'm not logged in.

MeetMeInTheMorning · 19/08/2015 13:35

RE my previous post - looks like this was a mis-spelling. The poster left an S out when trying to log in as there is an active member with that name + the missed out S. So this person was Phished but because they mis-spelled their username the hacker got duff info?

maybe contact that person and see if they still have their browser history?

MeetMeInTheMorning · 19/08/2015 13:36

Is anything I am posting in any way useful, or shall I just stop?

PlayingSolitaire · 19/08/2015 13:37

Can someone give me a rough idea of when I SHOULD have received the MN email by? I still haven't received one. I understand it takes a while for 1,000s emails to be sent out, but there must be a kind of timeframe of when emails should be received by: 24 hours, 48 hours, a week??

Maryz · 19/08/2015 13:37

This reply has been deleted

Message withdrawn at poster's request.

BertieBotts · 19/08/2015 13:37

Ah right, that is definitely possible. I was thinking perhaps they had added bookmarking for logged out users like they added OP highlighting.

Yes - some people mentioned browser history. I can't see anything dodgy in mine. Worth a try?