Feeds

Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker

Natter-board tells middle-class Britain to purée its passwords

Boost IT visibility and business value

Twee UK parenting website Mumsnet is the second high-profile organisation to claim it has fallen victim to the infamous Heartbleed OpenSSL vulnerability.

Hackers boasted they accessed Mumsnet users’ data via the password-leaking bug – which is present in HTTPS servers and other services and software running a OpenSSL 1.0.1 to 1.0.1f. We only have really have the word of what looks like mischief-making attackers for this.

The website's founder Justine Roberts told the BBC that she only realised a breach had taken place on Friday after her own username and password were used to post an online message.

Mumsnet has admitted it suffered a breach but said it had no way of knowing if it was down to Heartbleed or some other unrelated vulnerability.

The outcome is, in any case the same: 1.5 million Mumsnet user passwords are being reset. "Following the recent security breach related to Heartbleed we are reseting the passwords of all users," site administrators said in an official notice.

The security flap follows hot on the heels of news that Canada's tax agency had also been hacked, resulting in the spillage of 900 social security numbers. Heartbleed is a serious flaw in the OpenSSL cryptographic library that trivially exposes blocks of memory in at-risk servers, computers, phones, tablets and more. That memory can include passwords, session cookies and private crypto-keys.

Fred Kost, VP of security solutions at security tools firm Ixia, commented: "Since the initial news of Heartbleed last week, the big question that remained was around the ease of exploiting this vulnerability. With the latest news, the Heartbleed vulnerability went from being theoretical to very real, as attackers have been able to extract a private key from memory, further putting 1.5 million users at risk.

"As many have speculated, this is a very dangerous vulnerability in a widely deployed SSL implementation and when a hacker steals the organisation’s private key, this type of infiltration is not easily detected."

"In order to protect themselves from becoming the next victim, enterprises should first deploy the patch and then begin changing their private key to help protect against man-in-the middle attacks that might use the stolen private key. Although this can be a complex process and will take organisations a while to complete, not as simple as just applying the patch, organisations can move in the right direction by taking action now," he added. ®

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?