Feeds

Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker

Natter-board tells middle-class Britain to purée its passwords

Build a business case: developing custom apps

Twee UK parenting website Mumsnet is the second high-profile organisation to claim it has fallen victim to the infamous Heartbleed OpenSSL vulnerability.

Hackers boasted they accessed Mumsnet users’ data via the password-leaking bug – which is present in HTTPS servers and other services and software running a OpenSSL 1.0.1 to 1.0.1f. We only have really have the word of what looks like mischief-making attackers for this.

The website's founder Justine Roberts told the BBC that she only realised a breach had taken place on Friday after her own username and password were used to post an online message.

Mumsnet has admitted it suffered a breach but said it had no way of knowing if it was down to Heartbleed or some other unrelated vulnerability.

The outcome is, in any case the same: 1.5 million Mumsnet user passwords are being reset. "Following the recent security breach related to Heartbleed we are reseting the passwords of all users," site administrators said in an official notice.

The security flap follows hot on the heels of news that Canada's tax agency had also been hacked, resulting in the spillage of 900 social security numbers. Heartbleed is a serious flaw in the OpenSSL cryptographic library that trivially exposes blocks of memory in at-risk servers, computers, phones, tablets and more. That memory can include passwords, session cookies and private crypto-keys.

Fred Kost, VP of security solutions at security tools firm Ixia, commented: "Since the initial news of Heartbleed last week, the big question that remained was around the ease of exploiting this vulnerability. With the latest news, the Heartbleed vulnerability went from being theoretical to very real, as attackers have been able to extract a private key from memory, further putting 1.5 million users at risk.

"As many have speculated, this is a very dangerous vulnerability in a widely deployed SSL implementation and when a hacker steals the organisation’s private key, this type of infiltration is not easily detected."

"In order to protect themselves from becoming the next victim, enterprises should first deploy the patch and then begin changing their private key to help protect against man-in-the middle attacks that might use the stolen private key. Although this can be a complex process and will take organisations a while to complete, not as simple as just applying the patch, organisations can move in the right direction by taking action now," he added. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?