OVH Customer Database Compromised

DomainBop Member
edited July 2013 in Providers

A few days ago, we discovered that the internal security of our offices in Roubaix had been compromised...

During the internal investigation into the security incident, we have discovered that hackers have probably gained privileged access for two actions:

  • Recover the database of our customers in Europe
  • Gain access to the installation server system in Quebec

The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password....

An email will be sent today to all our customers explaining the security incident and inviting them to change their password. Information on credit cards have not been consulted or copied. Today we do not store this on our infrastructure....

On the Quebec server system installation, the risk we have identified is that if the client had not withdrawn our SSH server key, the hacker could connect from your system and retrieve the password stored in the .p file....

full announcement: http://status.ovh.co.uk/?do=details&id=5070
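
The Quebec risk in the announcement only applies where the provider's installation key is still present in an `authorized_keys` file. The script below is an added example, not from OVH or from this thread, that lists such entries by their key comment. The pattern `provider.example` and all key material are constructed placeholders, since the announcement as quoted gives neither the key's comment nor its fingerprint.

```shell
#!/bin/sh
# Added example: find a provider's leftover install key in authorized_keys.
# The pattern and all key material below are constructed placeholders.

# audit_keys FILE PATTERN
# Prints "lineno<TAB>keytype<TAB>comment" for each key whose comment matches
# PATTERN (case-insensitive regex). Handles an optional leading options field.
audit_keys() {
    awk -v pat="$2" '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        {
            # the key type marks where the key starts; fields before it are options
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) break
            if (i > NF) next                  # no recognisable key on this line
            comment = ""
            for (j = i + 2; j <= NF; j++)
                comment = comment (comment == "" ? "" : " ") $j
            if (tolower(comment) ~ tolower(pat))
                printf "%d\t%s\t%s\n", NR, $i, comment
        }' "$1"
}

# scan_homes PATTERN: run audit_keys over every account's authorized_keys files.
scan_homes() {
    cut -d: -f6 /etc/passwd | sort -u | while read -r home; do
        for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
            if [ -r "$f" ]; then
                out=$(audit_keys "$f" "$1")
                if [ -n "$out" ]; then printf '%s\n%s\n' "$f" "$out"; fi
            fi
        done
    done
}

# Constructed sample file (truncated fake blobs, not real keys).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# root authorized_keys (constructed)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake1 admin@laptop
from="192.0.2.10",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABfake2 installer@provider.example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfake3 backup job key
EOF

audit_keys "$SAMPLE" 'provider.example'
```

On a real host, run `scan_homes` as root with the pattern taken from the provider's own notice. Matching on the comment is only a first pass, because the comment field is free text and can be edited.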

Comments

  • Wonder how long till the first page of LET is all notices about "Hacked", "Compromised", "Breached", "Down"

    Sounds like some good social engineering by the look of it.

  • Rallias Member
    edited July 2013

    "We no paranoid. We more paranoid now."

    How many "plz do the needful" complaints will they get?

  • Spirit Member

    @WebSearchingPro said:
    Wonder how long till the first page of LET is all notices about "Hacked", "Compromised", "Breached", "Down"

    Hey, we even skipped yesterday's "Apple's Developer Portal Hacked" news :)

  • And we also missed this big-time hacking done on the Opera web browser; it happened at the same time as the SolusVM fiasco.

  • I think this calls for a dedicated domain... lowendhacks.com - your discussion group for all the latest hacks and exploits on today's popular providers/companies

  • johnlth93 Member
    edited July 2013

    Yeah more hacks and shit all over the internet world

    Nowhere is safe, not even 127.0.0.1

  • Radi Host Rep, Veteran

    127.0.01 is the safest. Shh.

  • changed passwords for server and panel, did a chkrootkit scan, removed stuff keys,

    any more precautions ?

  • Lee Veteran

    They still have time to limit the damage, the OVH network is so slow they are probably still trying to get the first 500 records downloaded.

    Thanked by 1: mpkossen

  • I wonder if the hacker was able to get at those scanned copies of ids that they require people to send to them.

  • Maounique Host Rep, Veteran

    @thharris said:
    I wonder if the hacker was able to get at those scanned copies of ids that they require people to send to them.

    Boy, am I glad I didn't...

    But, seriously, when will people learn that nothing is bullet-proof ? If a serious hacker is after something, they will manage it sooner or later.

    Latest hack I came across ? SIM-cards: http://www.forbes.com/sites/parmyolson/2013/07/21/sim-cards-have-finally-been-hacked-and-the-flaw-could-affect-millions-of-phones/

  • rm_ IPv6 Advocate, Veteran
    edited July 2013

    But, seriously, when will people learn that nothing is bullet-proof ? If a serious hacker is after something, they will manage it sooner or later.

    That's what some random Joe person watching TV would believe, but surprising to hear this from someone who's supposedly tech-savvy like you. It is very much possible to make a properly designed secure system that will not get penetrated. No need to just roll over and sheepishly accept that if any "serious hacker" comes by, you're automatically done for.

    Thanked by 1: ska

  • skybucks100 Member
    edited July 2013

    @rm_ said:
    That's what some random Joe person watching TV would believe, but surprising to hear this from someone who's supposedly tech-savvy like you. It is very much possible to make a properly designed secure system that will not get penetrated. No need to just roll over and sheepishly accept that if any "serious hacker" comes by, you're automatically done for.

    Hmm, I'm going to have to disagree with you on that. Plenty of companies use 3rd party software, take SolusVM or even WHMCS for example. We can't edit their code, it's up to the 3rd party to make sure there aren't any backdoors in their code. Plus, let's not forget we're human. We do make mistakes, it's what we do. No one is perfect and no one's code is perfect as much as I hate to admit it.

  • rm_ IPv6 Advocate, Veteran
    edited July 2013

    We can't edit their code

    So don't use proprietary software, obvious isn't it? By definition, any software the source of which you can't see and modify, can not be possibly considered for inclusion into a 'properly designed secure system' that I mentioned above.

    Thanked by 2: mpkossen, tux

  • rds100 Member

    You can have 100% secure systems and software but you can never have 100% secure humans. It is almost always possible to bribe / buy someone who has the necessary access to steal the information.

    Thanked by 2: rm_, mpkossen

  • skybucks100 Member
    edited July 2013

    @rm_ said:
    So don't use proprietary software, obvious isn't it? By definition, any software the source of which you can't see and modify, can not be possibly considered for inclusion into a 'properly designed secure system' that I mentioned above.

    Yes, of course you can go build everything yourself! But, not every company has time nor the resources to go and build flawless panels. Look at the FBI even, they've been hacked. Think they use 3rd party software? Nope! They build everything themselves and yet they were hacked. There is no way everything can be perfect, there will always be a back hole you will forget about. No matter how hard you try.

    Plus, let's not forget here. No matter how hard you try on the panel, you are always relying on someone else's software. Whether it be Linux (Ubuntu, CentOS, etc.) or a certain driver. If you're that scared of a hack or someone getting into your server, I hear carrier pigeons are on sale :)

  • Look at the FBI even, they've been hacked. Think they use 3rd party software? Nope! They build everything themselves and yet they were hacked.

    Their website is built entirely with 3rd party software, starting with the Plone CMS they use.

  • FFFlip Member

    @rds100 said:
    You can have 100% secure systems and software but you can never have 100% secure humans. It is almost always possible to bribe / buy someone who has the necessary access to steal the information.

    This. With bells on. Plus a cherry.

  • @DomainBop said:
    Their website is built entirely with 3rd party software, starting with the Plone CMS they use.

    I'm not overly talking about their website here (even though I believe it has been defaced before in the past). I'm talking about the internals of the FBI itself, the panels and servers they use. They've all been compromised and data has been leaked, I'm looking at you Wikileaks.

  • MonsteR Member
    edited July 2013

    Welcome to OVH where they give your info to hackers. But to be honest, with all the money they make from their customers they could/should at least hire a Security Consultant.

  • Tsume Member

    Wikileaks weren't taken from servers, they were physical documents. With that being said, all government entities are built around 3rd party software. They hire the cheapest contractors available(usually). They're not any more special than the average security company, the only difference is the degree of jail time you get for hacking into them.

  • DomainBop Member
    edited July 2013

    all government entities are built around 3rd party software. They hire the cheapest contractors available(usually).

    Bureaucracy also means most government agencies (and Fortune 500 companies as well) are very slow to implement security patches and update their systems. We use a live chat system on some of our sites that shows the OS and browser info of visitors and we have customers from the Justice Department, Homeland Security (as well as defense contractors and major financial institutions) who are still using Windows XP and IE8 (or IE7). If you allow your employees to surf the web with outdated OSes and browsers, you're introducing a potential security problem into your systems.

    Plenty of companies use 3rd party software, take SolusVM or even WHMCS for example. We can't edit their code, it's up to the 3rd party to make sure there aren't any backdoors in their code.

    Using scripts with obfuscated source code is a bad long term plan for 2 reasons: 1) you don't know what's in the code which introduces a security risk into your systems, and 2) if the company stops developing the script or goes out of business you're screwed.

    If you're running a production system it is ultimately up to you not the 3rd party developers to make sure there aren't any backdoors in the software you're using. Avoiding 3rd party software with obfuscated code is one way to do this.

  • luma Member

    It does not matter how secure your system is. If someone wants in, they will get in.

    Social Engineering can be a pain in the neck for even the most security savvy folks.

    Read Kevin Mitnick's autobiography. Great info on how he managed to weasel and social engineer his way into some pretty secure areas.

    @skybucks100 said:
    Hmm, I'm going to have to disagree with you on that. Plenty of companies use 3rd party software, take SolusVM or even WHMCS for example. We can't edit their code, it's up to the 3rd party to make sure there aren't any backdoors in their code. Plus, let's not forget we're human. We do make mistakes, it's what we do. No one is perfect and no one's code is perfect as much as I hate to admit it.

  • Maounique Host Rep, Veteran
    edited July 2013

    @rm_ said:
    So don't use proprietary software, obvious isn't it? By definition, any software the source of which you can't see and modify, can not be possibly considered for inclusion into a 'properly designed secure system' that I mentioned above.

    While I agree with the proprietary software part, the Linux kernel is open source, Apache is open source, nginx or ftp also. They are 3rd party; you can't seriously suggest you are writing your own OS to avoid being hacked and doing a better job than Linus, are you?

    So, yes, you can avoid (at a serious cost and a risk probably bigger since one programmer or a few can make more mistakes than a company, at least in principle) using proprietary software by writing your own code in places, but you cannot avoid using 3rd party software.

    From the kernel itself to xen, kvm, ovz, apache, php, and scripts, all open source, all have or had vulnerabilities.

    The hackers are doing incredibly sophisticated attacks, even if you follow the book on secure code, chances are some combination of factors will allow for some sort of intrusion.

    That being said, of course, nobody should rely entirely on the security of somebody else's code, some basic security can be done even if you are not a coder, but we cannot be all over-the-top security experts, not to mention expert programmers, while even if you are the best combination of the two, you can still make mistakes.

  • VPSSimon Member
    edited July 2013

    We were told, when we clearly approached them to give them details of an employee who was selling certain data:

    "yes, I understand your points. Unfortunately, I won't be able to confirm that this is the case.

    There was no internal employee that leaked that, it was a hack into the email and VPN access of one of our employees.

    And this information has been disclosed by our managing director in an attempt to be transparent about it. We believe it's good practise.

    Kind regards
    Marc
    OVH Customer Support Adviser"

    So it was down to no internal employee, yet an employee's VPN was used?

    Read what you must into this; we simply presented OVH with the information being posted around underground forums and that is the response we got.

    Why do I feel like it's when a house burns down and a fireman says "Nope; nothing happened here, move along"

  • William Member
    edited July 2013

    huh? and your point is?

    The guy that got hacked has not intended that it happens, he was simply exploited as it happens daily everywhere.

  • VPSSimon Member
    edited July 2013

    OVH was breached by using an employee's VPN connection to have access to the local network. The breach was only possible with an authorised IP, hence having to use an employee's VPN.

    We notified them 2 months ago of a few security issues, one of them being staff posting on a forum offering information on the OVH internal network. OVH's response initially sums up to "We don't care". Then with this security breach we updated the ticket with them and asked if it was related, and they refused to comment if it was.
