Feeds

Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker

Natter-board tells middle-class Britain to purée its passwords

Protecting against web application threats using SSL

Twee UK parenting website Mumsnet is the second high-profile organisation to claim it has fallen victim to the infamous Heartbleed OpenSSL vulnerability.

Hackers boasted they accessed Mumsnet users’ data via the password-leaking bug – which is present in HTTPS servers and other services and software running a OpenSSL 1.0.1 to 1.0.1f. We only have really have the word of what looks like mischief-making attackers for this.

The website's founder Justine Roberts told the BBC that she only realised a breach had taken place on Friday after her own username and password were used to post an online message.

Mumsnet has admitted it suffered a breach but said it had no way of knowing if it was down to Heartbleed or some other unrelated vulnerability.

The outcome is, in any case the same: 1.5 million Mumsnet user passwords are being reset. "Following the recent security breach related to Heartbleed we are reseting the passwords of all users," site administrators said in an official notice.

The security flap follows hot on the heels of news that Canada's tax agency had also been hacked, resulting in the spillage of 900 social security numbers. Heartbleed is a serious flaw in the OpenSSL cryptographic library that trivially exposes blocks of memory in at-risk servers, computers, phones, tablets and more. That memory can include passwords, session cookies and private crypto-keys.

Fred Kost, VP of security solutions at security tools firm Ixia, commented: "Since the initial news of Heartbleed last week, the big question that remained was around the ease of exploiting this vulnerability. With the latest news, the Heartbleed vulnerability went from being theoretical to very real, as attackers have been able to extract a private key from memory, further putting 1.5 million users at risk.

"As many have speculated, this is a very dangerous vulnerability in a widely deployed SSL implementation and when a hacker steals the organisation’s private key, this type of infiltration is not easily detected."

"In order to protect themselves from becoming the next victim, enterprises should first deploy the patch and then begin changing their private key to help protect against man-in-the middle attacks that might use the stolen private key. Although this can be a complex process and will take organisations a while to complete, not as simple as just applying the patch, organisations can move in the right direction by taking action now," he added. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.