More about the Technical side of the attacks on Mumsnet

[JustineMumsnet]

Hi all,
There are have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began, proactively defending against them, minimising the impact of it and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyze, so it can be slow going at times. We are working with our technology partners who have a lot of experience of these kind of attacks and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on Open Web Application Security Project top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to either redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the later. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it so we don't want to rush and end up creating bigger holes but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.

And no site can guarantee complete security but ultimately if you feel compromised or worried then you can and should leave because we're here to make folks easier, not the reverse

I would imagine that some folks do want to leave, but would like to ensure their posting history leaves with them before they do so.

MNHQ, can you please say whether you will be deleting posting histories of those that want it?

I also have not had a generic email yet. I don't need one but is a bit suspect as I should have had one?

Oh okay scratch that. I received mine at 2.50am but it wasn't in my inbox - was in the folder where my normal MN emails go.

bintohellandback thank you! i found that a deeply unhelpful reply that was either willfully ignoring the basis of concerns or ???? i don't know what.

the people attempting to de-reg seem to be under the illusion doing so will protect them in some way - it won't.

shit Maryzz. any theories why this happened?

@PaulMoore

The tech team have made some curiously bizarre decisions/comments.

Passwords & encryption don't mix. They're either using the incorrect term or incorrect method, neither reflect well on their ability to protect users. There is no single "recommended algorithm"; each case is different. It doesn't mean a great deal unless you know where these recommendations came from. A Google search, for example, is festooned with recommendations like "use SHA256", "MD5" and "Base64"; none of which are appropriate.

Likewise your use of HTTPS/SSL/TLS. Sadly, the current implementation is virtually useless. It is not sufficient to "secure" login/registration pages, as the cookies which maintain the session are subsequently sent over an insecure protocol.

Had the team implemented CSP, it's highly likely that any XSS/rogue dependencies would have been identified before any breach had taken effect. As it happens, there's no CSP whatsoever.

Can they clarify exactly how passwords are stored? Revealing the storage algorithm won't adversely affect security at all... but it will help put minds at rest.

Thanks.

We use a bcrypt hash with a modular crypt, salt of course, and a high cost to minimize the likelihood of rainbow table attacks. If you're aware of a more suitable mechanism for doing this please let us know by emailing [email protected]

It's true that the session data is passed in HTTP, but nothing about this attack whatsoever suggests that it involved compromised session data. We are planning to move to all HTTPS, all the time, very soon.

We do not implement a CSP that's true, but we are expected to support a very wide range of browsers, including old ones, and they don't support CSP as far as I know.

Following

Maryz, I know you're ace and all but why would they single you out? I'm so confused by all this. Are you saying this dadsec person actively stopped you accessing MN by using your IP address or something? Or other info they found on MN.

PaulMoore

sorry that is not all accurate...
passwords are normally stored in a database encrypted, when someone logs in the clear text password is encrypted using the same method and then matched as 2 x encrypted versions - however it is one-way encryption, so you can't de-encrypt the original... I don't think that password encryption is an issue here...

you are correct that sending a cookie out of https is no longer as secure, however:

• you can choose whether your cookies are encrypted or not separately, so you can send non-encrypted ones over https, you can't send encrypted ones over http
• http / https is only of relevance to people sniffing over wifi etc. keyloggers / phishers / hackers will not care
• when a cookie is sent, even if unencrypted communication (i.e. http not https) the password itself will be encrypted and then matched
• yes, it would allow someone sniffing to pick up your cookie and use it to pretned to be you - however they still couldn't de-encrypt the password

it used to be thought that https slowed down use of a website, hence only using it on some pages... some would now argue for full https - google I think now use https everywhere - however it can have a slight overhead and is something websites need to move to...

there are many other issues which probably need to be tackled before teh question of http / https

bCrypt is more than adequate, assuming it's implemented properly.

CSP has pretty broad coverage now, but that doesn't preclude you from using it... as UAs which don't understand CSP headers will simply ignore them. Likewise HSTS.

I've just had a chance to check my emails and have received an email from MNHQ telling me that I'm on the list (I know, but thanks) and information on security etc.

The problem is that I changed my MN email address, admittedly late yesterday, and this email has been sent to the old one. Is this just a timing issue or is my old address somehow still visible on my account?

The VERY weird thing is a I got an email from MN about a post I'd reported precisely a minute earlier, and that went to my new email account .

right finally got my email informing me my details have been published - this is what you get:

Dear Mumsnetter,

As you may know by now, the person behind last week's attacks on Mumsnet - you can read about that here - has created a website on which he's posted the passwords of 3000 Mumsnet users and staff. We're very sorry to have to tell you that yours is one of them.

In order to keep you as secure as possible, there are a couple of practical things that we'd advise you to do as a matter of urgency.

Firstly, if you haven't done so yet, please change your Mumsnet password. You can do so here www.mumsnet.com/password-reset/reset Please be sure when you change it that you choose a BRAND NEW password rather than reusing an old one. The list of passwords the hacker posted is from at least a week ago as far as we can see, so we're hopeful that he won’t have access to any new password you create.

Secondly, if you use your Mumsnet password to log into any other website, please do change it there, too, as soon as possible.

We're very sorry to have to send an email like this, and for any alarm it may cause. We're working very hard to make the site as secure as it possibly can be. If you have any questions at all, please do get in touch on the [email protected], and we'll get back to you as quickly as possible.

Thanks very much

MNHQ

Concerned about the use of 'as far as we can see' and 'hopefully' in para 3 - if 'hopeful' and 'as far as you can see' is as confident as you can get you shouldn't in my opinion be online and encouraging people to change passwords and use log in pages and you shouldn't be taking new registrations.

Secondly the generic contact us email? for people being informed their data has been hacked and placed online? you could have at least set up a line of contact that was just for that to give the appearance of taking it seriously and being ready to help/advise people. not everyone on here is tech savvy, a generic swamped email address isn't an appropriate thing to give them imo.

Also how about a warning NOT to follow any links from emails claiming to be from MNHQ or provide any personal details in response to that or unexpected pages encountered when trying to log in?

"The problem is that I changed my MN email address, admittedly late yesterday, and this email has been sent to the old one. Is this just a timing issue or is my old address somehow still visible on my account?

The VERY weird thing is a I got an email from MN about a post I'd reported precisely a minute earlier, and that went to my new email account"

is it definitely from Mumsnet?

Another thought:

I got the Mumsnet Census email on 7th August. This was right in the middle of all This. I didn't actually have time to complete it (too busy in the summer hols), but for those who did there was MASSES of very sensitive information asked for on there. Where is this held and is it vunerable?

You need to check out the poster mnpostingbot on this thread - asap, please.

www.mumsnet.com/Talk/am_i_being_unreasonable/2452175-To-ask-if-anyone-has-checked-the-leaked-Ashley-Madison-info?msgid=56204231

He's threatening to hack stuff.

I have had the same email by the way.

we are expected to support a very wide range of browsers, including old ones

Are you? WHY?

I know of public sector systems which are required to support everything practically back to the browser Tim Berners-Lee invented to see his first web page, but why would MN not take a harder line on what they will and won't support?

Maryz Wed 19-Aug-15 13:43:44
I'm not particularly impressed by Justine's wording:

"no site can guarantee complete security but ultimately if you feel compromised or worried then you can and should leave because we're here to make folks easier, not the reverse."

What about "I'm really sorry that this has happened. We hope you won't leave but we will understand if you no longer trust us".

I am very cynical at this stage.

^^i'm not impressed either given that it was in response to me and my information has been accessed. no apology, no admission of any mistakes just if you don't like it go oh but we'll still have your data kept insecurely we just won't have to listen to you complain about it.

@akkakk

That's hashing, not encryption. Encryption implies decryption, which is 2-way. It also implies there's a key to decrypt, which isn't the case here.

Your session ID (which persists the session across each request) is sent over HTTP. Anyone in possession of the ID (by XSS, MiTM etc) can duplicate your session... hence why if you require a persistent session, every page beyond login should over TLS.

yes the census! on top of the secret santa, competition winters, survey entrants etc.

MeetMeInTheMorning yes I'm pretty sure it is. It's exactly the same as HoneyBadger's, I've not clicked on any links though just to be sure.

I think it's just a timing issue tbh. That email account is v old anyway, I've been meaning to dump it for ages as I'm sick of sifting through the crap in it.

PaulMoore

understand the technical details - but we are posting here for an audience which is primarily non-technical :)

hashing might be though to be something dodgy undertaken in a dive downtown

encryption is fully understood by that audience... it also in normal use would cover exactly this scenario - hashing being seen as a subset of encryption...

ultimately we don't want to overthink this - MN is not a bank / the government. - users should be cautious where personal information is shared, and the internet is not the ideal place...

also, we don't want people panicking about things they don't need to worry about :) because they have been confused... I accept that it is a discussion that MN tech might be interested in, though he seems to already understand what is needed... but it is possibly not one needed in the public discussion - as far as the user is concerned, passwords are encrypted and can't be reversed :)

@PaulMoore

bCrypt is more than adequate, assuming it's implemented properly.

CSP has pretty broad coverage now, but that doesn't preclude you from using it... as UAs which don't understand CSP headers will simply ignore them. Likewise HSTS.

We haven't implemented it ourselves, we've used one of the standard libraries.

IE9 doesn't support CSP as far as I know and we have a large number of users on that. However, it's something we'll be looking at implementing in the near future I am sure.