
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyze, so it can be slow going at times. We are working with our technology partners who have a lot of experience of these kinds of attacks and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to either redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it. We don't want to rush and end up creating bigger holes, but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.
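The two claims in the post above, that a stolen copy of the password table is of no use even to staff and that a list containing mistyped passwords must have been captured at the browser rather than taken from the database, can both be illustrated with a short script. This is an added example, not Mumsnet's code: the post does not name the algorithm or "strength" settings in use, so PBKDF2-HMAC-SHA256 with a 16-byte per-user salt and 200,000 iterations are assumptions standing in for "the recommended algorithms with high strength settings", and the passwords are constructed samples.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed parameters (the post does not state Mumsnet's real ones):
# PBKDF2-HMAC-SHA256, high iteration count, random 16-byte salt per user.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn if none is given.

    The digest is what a site stores; the password itself is never kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def successful_attempts(attempts: List[str], salt: bytes, stored_digest: bytes) -> List[str]:
    """Which of a series of login submissions the server accepts.

    Only strings matching the stored digest succeed, and the server has no
    reason to keep the failed (mistyped) ones. A phishing page or in-browser
    capture sees every submitted string, mistypes included, which is the
    reasoning the post uses to rule out a database leak."""
    return [a for a in attempts if verify_password(a, salt, stored_digest)]


def digest_reusable_elsewhere(password: str, salt_here: bytes, salt_elsewhere: bytes) -> bool:
    """Would this site's stored digest match another site's digest for the
    same password? With per-user salts it does not, so a leaked digest cannot
    be replayed as a credential anywhere, including here."""
    _, here = hash_password(password, salt_here)
    _, elsewhere = hash_password(password, salt_elsewhere)
    return hmac.compare_digest(here, elsewhere)


if __name__ == "__main__":
    # Constructed sample: one real password, two mistyped submissions.
    salt, stored = hash_password("correct horse battery")
    submissions = ["correct hosre battery", "correct horse battery", "Correct horse battery"]
    print("stored digest (hex):", stored.hex())
    print("attempts that logged in:", successful_attempts(submissions, salt, stored))
    print("digest usable on another site:",
          digest_reusable_elsewhere("correct horse battery", salt, os.urandom(SALT_BYTES)))
```

The point of the two salts in `digest_reusable_elsewhere` is the post's "wouldn't work on any other site": even a user who reuses a password gets a different stored value on each site, so the stored values themselves are not credentials. What does remain reusable is the plaintext a phishing page captures, which is why the forced reset and the advice not to reuse passwords elsewhere both matter.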

RepeatAdNauseum · 19/08/2015 14:00

I don't believe this was a phishing attempt.

I stay logged in on my desktop, and the tab is open, at all times. The tab shows as secure. There are no alternate MN tabs showing in my browser history.

I work on a highly locked down system. I'm an Admin (hence being able to get onto MN!) but have corporate level cyber security. I work for a company that would lose billions if the systems were hacked. It alerts me to any possible phishing attacks, insecure updates, dodgy connections. Nothing.

I don't click links in emails. In fact, I haven't logged into my MN email in months and months. I did check that I still have access to it this morning. It's fine.

The username that they have is very old, and I wouldn't have logged in with it at all recently.

DavidTech · 19/08/2015 14:05

@RepeatAdNauseum

I don't believe this was a phishing attempt.

I stay logged in on my desktop, and the tab is open, at all times. The tab shows as secure. There are no alternate MN tabs showing in my browser history.

I work on a highly locked down system. I'm an Admin (hence being able to get onto MN!) but have corporate level cyber security. I work for a company that would lose billions if the systems were hacked. It alerts me to any possible phishing attacks, insecure updates, dodgy connections. Nothing.

I don't click links in emails. In fact, I haven't logged into my MN email in months and months. I did check that I still have access to it this morning. It's fine.

The username that they have is very old, and I wouldn't have logged in with it at all recently.

There are other possibilities for phishing. We know it wasn't an email based attack. If you are willing, would you please email to [email protected] or PM with the username that is on the list which you've not logged in with recently, together with your best recollection as to when you would have used it. No problem if you're not willing to do so, but it might help add to the overall picture.

TheHoneyBadger · 19/08/2015 14:07

someone on another thread has just confirmed using the info on the list they've been able to just now get into someone's mn account and from there accessed their hotmail and facebook or twitter (forget which) account.

this is still possible NOW.

the site needs to come down - please don't say 'well if you don't like it leave'.

you are being told that right now people's information (via this site still being online) can be used in massively compromising ways.

what will it take for you to care about that and take the site offline until this is resolved?

TheHoneyBadger · 19/08/2015 14:08

oh and an mnhq person posted a link to the guys page with the still working data on it?!?!

farcical.

forago · 19/08/2015 14:08

I agree - have you had any pissed off interns recently?

Wouldn't employing a penetration tester be the way forward (if not already done so) rather than debating IT security techniques online with technically-literate MN users?

BTW I think this is the technical thread - others are more general. MN users who work in IT are going to ask these questions and be seeking reassurance about their details based on the level of their understanding - I think that's fair enough.

Also hugz, biscuits etc to the tech team - busy few days I imagine.

PolterGoose · 19/08/2015 14:08

This reply has been deleted

Message withdrawn at poster's request.

PaulMoore · 19/08/2015 14:09

@DavidTech

It's good to know you're moving towards HTTPS everywhere & CSP. Are there any plans to take the site offline until the source of the attack has been identified & resolved?

It's pretty vulnerable right now, which will only exacerbate the issues.
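The CSP mentioned in the reply above is relevant to the XSS scenario JustineMumsnet describes earlier in the thread, where injected markup points the login form at a page the attacker controls. A `form-action` directive tells the browser which origins a form may submit to, so an injected form pointing elsewhere is refused even if the injection itself succeeded. The checker below is an added example, not Mumsnet's code or configuration; the policy strings and the `forum.example`, `sso.example` and `capture.example` hostnames are constructed, and it implements only the `'self'`, `'none'` and explicit-origin parts of the CSP source grammar.

```python
from typing import Dict, List
from urllib.parse import urlsplit


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str) -> str:
    """scheme://host[:port] in lower case, the unit form-action compares."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def form_action_allowed(header: str, page_url: str, action_url: str) -> bool:
    """Decide whether a form on page_url may submit to action_url.

    Simplified model of the browser's form-action check: 'none' matches
    nothing, 'self' matches the page's own origin, and an explicit
    scheme://host source matches that origin. Host wildcards, path matching
    and scheme upgrades are out of scope here."""
    sources = parse_csp(header).get("form-action")
    if sources is None:
        # No form-action directive: CSP puts no limit on submission targets.
        return True
    page_origin, target_origin = _origin(page_url), _origin(action_url)
    for src in sources:
        if src == "'none'":
            continue
        if src == "'self'" and target_origin == page_origin:
            return True
        if src.startswith(("https://", "http://")) and _origin(src) == target_origin:
            return True
    return False


if __name__ == "__main__":
    # Constructed URLs: the site's login page, its own handler, and the
    # destination an injected form would carry.
    PAGE = "https://forum.example/login"
    LEGIT = "https://forum.example/session"
    ROGUE = "https://capture.example/login"
    for label, policy in (("with form-action 'self'", "default-src 'self'; form-action 'self'"),
                          ("without form-action", "default-src 'self'")):
        print(f"{label}: own handler allowed={form_action_allowed(policy, PAGE, LEGIT)}, "
              f"rogue target allowed={form_action_allowed(policy, PAGE, ROGUE)}")
```

`form-action` only covers form submissions; injected script can also send captured keystrokes with `fetch` or `XMLHttpRequest`, which is governed by `connect-src`, so both directives need restricting for the policy to help. Either way CSP is a second line of defence that limits damage after an injection has happened; removing the injection point remains the actual fix.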

ItsAllGoingToBeFine · 19/08/2015 14:10

the site needs to come down

That won't help. The horse has bolted. You don't need MN to access the username/password list, and by extension access accounts using the same usernames and passwords.

MaudGonneMad · 19/08/2015 14:10

someone on another thread has just confirmed using the info on the list they've been able to just now get into someone's mn account and from there accessed their hotmail and facebook or twitter (forget which) account.

Is this the Ashley Madison thread? If so, that's not quite what the poster said.

Jasonandyawegunorts · 19/08/2015 14:10

I've emailed, but just in case it gets lost in the flurry, the password for me on the published list is my pre-Heartbleed password.

I was wondering this. What if users who have apparently passed away are on the list? Some of it is old data, surely?

cozietoesie · 19/08/2015 14:11

Something I remembered last night and have just checked. Sometime in earlyish August, I acquired a huge number of cookies or low grade malware on the machines I use for internet use. Big enough to make me go 'Huh?' when I saw the scan results and over my standard and established acquisition rate by a factor of 8 or 9. I have no idea whether that has any bearing. (I'm not perusing the detailed logs - life is too short.)

TheHoneyBadger · 19/08/2015 14:11

heartbleed was AGES ago.

so either they've been losing data for a very long time and the guy randomly decided to publish it now or THIS IS NOT DATA ACQUIRED BY PHISHING.

BinToHellAndBack · 19/08/2015 14:12

I just logged out to check some other stuff for which I didn't want to be logged in MN at the same time.

When I came back to MN I assumed I was still logged out but all my posts were coming up green when I found this thread in trending conversations. I had definitely logged out. When I went to post (as I was showing as logged in), it forced me to log in again.

Something odd is going on for sure.

TheHoneyBadger · 19/08/2015 14:12

no maud the other official one in site stuff is where it was and that is what the poster just said.

MaudGonneMad · 19/08/2015 14:14

Cripes. Why would the poster do that?

LatinForTelly · 19/08/2015 14:14

Just to add (thought it better to post here than create another email for HQ to have to read), I'm on the list, but I'm not sure how I could link to a false 'phishing' page when I only ever go to Mumsnet by clicking a button on my bookmark bar. Sometimes I log in on the iPad, but again, click a button on the favourites page.

Very rarely, I click on a 'news round-up' email to read a thread. I'm almost certain I didn't in the last week.

How could it be phishing in my case? Can they divert a pre-existing bookmark button?

DadfromUncle · 19/08/2015 14:14

We are now pretty confident it was a phishing attack.

And I'm 100% confident it wasn't.

You need to find the source of this right now MNHQ. If you really think it's phishing then you're not listening - many of us (me included) appear in the list and are 100% sure we haven't been phished.

BinToHellAndBack · 19/08/2015 14:15

And MNHQ, perhaps this question keeps getting lost in the thread, but could you please answer whether you will delete the posting histories of those that would like it?

Jasonandyawegunorts · 19/08/2015 14:16

Unless they diverted mumsnet's login button on the homepage, there is no way this was phishing.

TheHoneyBadger · 19/08/2015 14:18

maud i guess so we have some actual facts about the state of security rather than koolaid + if you don't like it leave 'updates'

CousinChloe · 19/08/2015 14:19

I am no expert. But I don't think it's impossible that phishing would get a pre-Heartbleed password - say someone is always logged in, but over the last week's shenanigans has been auto logged out. Their browser auto remembers their old password (because the last time they typed their password was immediately post-Heartbleed on another computer rather than their iPhone, say) and so that is the one the phishers have.

Piratejones · 19/08/2015 14:20

I'm another one who only logs in after I have typed the address in the address bar. There is no way I would have logged in by any other means than the homepage.
If it was phishing, someone has hacked the homepage.

CaptainKit · 19/08/2015 14:20

someone on another thread has just confirmed using the info on the list they've been able to just now get into someone's mn account and from there accessed their hotmail and facebook or twitter (forget which) account.

this is still possible NOW.

the site needs to come down - please don't say 'well if you don't like it leave'.

Surely taking MN down now would be a case of shutting the door once the horse had bolted. The Dadsec page needs to come down - that's where the information about many users (myself included) is being leaked.

MNHQ appear to have done everything they can to shore up MN's defences - all passwords have been reset; it's up to us users to not put in whatever we had before. Unfortunately MNHQ jurisdiction does not cover Facebook or Hotmail, and many non-IT-savvy people weren't aware that it's bad practice to use the same password on all different online accounts. Something that will hopefully be learnt as a result of this breach.

I just don't see how shutting MN now would help anyone. There are still people depending on this community to help them in difficult times; shutting it down just damages the users, it doesn't stop the hacker from doing what he's already done.

TheHoneyBadger · 19/08/2015 14:21

many of us don't use mumsnet's login button ever but simply have a bookmark that brings us direct to a thread or to 'threads i'm on'

Altinkum · 19/08/2015 14:22

This reply has been deleted

Message withdrawn at poster's request.