Feeds

Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker

Natter-board tells middle-class Britain to purée its passwords

The Essential Guide to IT Transformation

Twee UK parenting website Mumsnet is the second high-profile organisation to claim it has fallen victim to the infamous Heartbleed OpenSSL vulnerability.

Hackers boasted they accessed Mumsnet users’ data via the password-leaking bug – which is present in HTTPS servers and other services and software running a OpenSSL 1.0.1 to 1.0.1f. We only have really have the word of what looks like mischief-making attackers for this.

The website's founder Justine Roberts told the BBC that she only realised a breach had taken place on Friday after her own username and password were used to post an online message.

Mumsnet has admitted it suffered a breach but said it had no way of knowing if it was down to Heartbleed or some other unrelated vulnerability.

The outcome is, in any case the same: 1.5 million Mumsnet user passwords are being reset. "Following the recent security breach related to Heartbleed we are reseting the passwords of all users," site administrators said in an official notice.

The security flap follows hot on the heels of news that Canada's tax agency had also been hacked, resulting in the spillage of 900 social security numbers. Heartbleed is a serious flaw in the OpenSSL cryptographic library that trivially exposes blocks of memory in at-risk servers, computers, phones, tablets and more. That memory can include passwords, session cookies and private crypto-keys.

Fred Kost, VP of security solutions at security tools firm Ixia, commented: "Since the initial news of Heartbleed last week, the big question that remained was around the ease of exploiting this vulnerability. With the latest news, the Heartbleed vulnerability went from being theoretical to very real, as attackers have been able to extract a private key from memory, further putting 1.5 million users at risk.

"As many have speculated, this is a very dangerous vulnerability in a widely deployed SSL implementation and when a hacker steals the organisation’s private key, this type of infiltration is not easily detected."

"In order to protect themselves from becoming the next victim, enterprises should first deploy the patch and then begin changing their private key to help protect against man-in-the middle attacks that might use the stolen private key. Although this can be a complex process and will take organisations a while to complete, not as simple as just applying the patch, organisations can move in the right direction by taking action now," he added. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.