
Security incident


devil
10-11-2014, 17:39
Quote Originally Posted by LawsHosting
Never received an email.... oh, tell a lie, I did..... but not about this incident, it was your "Service Renew Reminder"!

Or do we expect it tomorrow?
Ha ha. As they say. We are getting what we paid for.

macole111
24-07-2013, 12:29
Quote Originally Posted by Andy
I saw that, it was on the top stories at one point. Lots of hacking attacks these days.

-macole111

Andy
24-07-2013, 12:20
It's been mentioned on El Reg too http://www.theregister.co.uk/2013/07...acking_attack/

rickyday
24-07-2013, 11:59
Quote Originally Posted by Myatu
That's just taking a piss, of course. It's not that OVH has a link on their home page in big, bold red letters: "DOWNLOAD OUR CUSTOMER DATA"?!

OVH has taken reasonable precautions to ensure that this would not happen, more so than other companies I know of. But thanks to a weak spot -- in other words, a human being using a weak password -- their security measures were circumvented.

Regarding legal responsibility, of course it is theirs. But you will have to be able to prove in court that this incident was *directly* responsible for any damages caused *and* that OVH was negligent, which would obviously be the opposite of the reasonable precautions they've taken. And since there's no legal definition of 'reasonable', this is solely down to the judge.

Don't go all gung-ho about your name and postal address becoming "known", as with a little effort, it can be found by other means. Had it been actual credit card details or a clear-text password, then yeah...
Well said as always Myatu

incipient
24-07-2013, 11:56
Quote Originally Posted by Neil
OVH Manager, Administration, My Settings and Password, then tick expert mode for SOAP settings.
But it requires a current SOAP password, which I do not have.

rickyday
24-07-2013, 11:54
A security breach is concerning, but OVH have been completely transparent with regards to this and have explained what happened and what extra security measures they are implementing and how this will hopefully prevent any further security breaches.

A security breach like this can actually be a good thing, can give companies a kick up the pants with regards to the security policies and procedures!

Neil
24-07-2013, 10:17
Quote Originally Posted by incipient
How do you change the SOAP password? The current password isn't the same as my master pass.
OVH Manager, Administration, My Settings and Password, then tick expert mode for SOAP settings.

incipient
23-07-2013, 23:49
Quote Originally Posted by K.Kode
Just a note, when changing your manager password make sure you click expert mode and change your SOAP password too otherwise a leaked password will allow access via all the remote software (MoM, Android etc)
How do you change the SOAP password? The current password isn't the same as my master pass.

K.Kode
23-07-2013, 22:38
Just a note, when changing your manager password make sure you click expert mode and change your SOAP password too otherwise a leaked password will allow access via all the remote software (MoM, Android etc)

JakeMS
23-07-2013, 22:30
Quote Originally Posted by DigitalDaz
So what would you have done if you'd known a few days ago? Changed your name, moved house?
Yup, That's exactly what I will be doing tomorrow

But in all seriousness, there's no such thing as a "100% secure" network. From the sounds of things OVH did what they could to secure the network but someone got in through an employee not having a decent password (Quite common actually)

Granted OVH did not notify us the same day, but the delay most likely was due to OVH having to firstly detect the intrusion, find its point of origin, verify it's not a false alarm, assess the damage, and verify the attacker is no longer in the system, and finally ensure that it does not happen again.

If OVH had posted up a message saying "Hey, we've been hacked, we don't know how, why when or what has been done, but we thought we'd let you know" most likely would have just sparked millions of "Did you lose any data" and "Do you even know what you're doing" messages and potentially alerted the attacker he's been detected so he could clean up what was left (If he hadn't already).

Personally, I think OVH did okay on timing. At least they admitted it happened, some don't even do that.

The delay on emails could just be due to the sheer number of emails needing to be sent out, could be being sent in batches.

DigitalDaz
23-07-2013, 22:03
Quote Originally Posted by incipient
" few days ago, we discovered that the security of our internal network"

This is ridiculous. Our personal information has been leaked days ago, and I only find out now? This is awful, you cannot wait days before informing your customers their data is possibly leaked!

So the hacker has our name, address, private phone numbers and server info. That's just brilliant.
Then you pass password compromised. Is this the server password, the ovh manager password? what?

I'm regretting using OVH more and more with how I've been treated recently. Especially after the P19 incident.
So what would you have done if you'd known a few days ago? Changed your name, moved house?

incipient
23-07-2013, 21:01
" few days ago, we discovered that the security of our internal network"

This is ridiculous. Our personal information has been leaked days ago, and I only find out now? This is awful, you cannot wait days before informing your customers their data is possibly leaked!

So the hacker has our name, address, private phone numbers and server info. That's just brilliant.
Then you pass password compromised. Is this the server password, the ovh manager password? what?

I'm regretting using OVH more and more with how I've been treated recently. Especially after the P19 incident.

LawsHosting
23-07-2013, 17:59
Quote Originally Posted by Myatu
Don't go all gung-ho about your name and postal address becoming "known", as with a little effort, it can be found by other means
.....like in torrents.....

Even so, it's a bit daunting to know your details are out there by a "hack".

Myatu
23-07-2013, 17:35
Quote Originally Posted by alex
legally the OVH should take blame for loss of personal data.

in my opinion if can't run business properly simply don't run it otherwise it's mess.
That's just taking a piss, of course. It's not that OVH has a link on their home page in big, bold red letters: "DOWNLOAD OUR CUSTOMER DATA"?!

OVH has taken reasonable precautions to ensure that this would not happen, more so than other companies I know of. But thanks to a weak spot -- in other words, a human being using a weak password -- their security measures were circumvented.

Regarding legal responsibility, of course it is theirs. But you will have to be able to prove in court that this incident was *directly* responsible for any damages caused *and* that OVH was negligent, which would obviously be the opposite of the reasonable precautions they've taken. And since there's no legal definition of 'reasonable', this is solely down to the judge.

Don't go all gung-ho about your name and postal address becoming "known", as with a little effort, it can be found by other means. Had it been actual credit card details or a clear-text password, then yeah...

macole111
23-07-2013, 15:57
Quote Originally Posted by RikT
Well no, because you have been informed and you should be changing passwords for things, that is of course if you are silly enough to use the same password for everything
I think he is talking about the Passport and bank statement scans you have to send in for VOIP and a few others things, I would also be interested in this info.

-macole111

RikT
23-07-2013, 15:46
Quote Originally Posted by alex
How exactly they are doing? If I get fraud using my ID, I can send the bill/issue to OVH or what?
Well no, because you have been informed and you should be changing passwords for things, that is of course if you are silly enough to use the same password for everything

alex
23-07-2013, 15:39
Quote Originally Posted by Mark1978
They should and they are doing? However it's easy to point the finger, some very big names have been affected in this way.
How exactly they are doing? If I get fraud using my ID, I can send the bill/issue to OVH or what?

alex
23-07-2013, 15:37
Forgot to check, what about our scanned ID, did the hackers manage to copy this information?

cartwright118
23-07-2013, 15:26
Quote Originally Posted by Mark1978
They should and they are doing? However it's easy to point the finger, some very big names have been affected in this way.
+1

Mark1978
23-07-2013, 15:25
Quote Originally Posted by alex
legally the OVH should take blame for loss of personal data.

in my opinion if can't run business properly simply don't run it otherwise it's mess.
They should and they are doing? However it's easy to point the finger, some very big names have been affected in this way.

alex
23-07-2013, 15:16
legally the OVH should take blame for loss of personal data.

in my opinion if can't run business properly simply don't run it otherwise it's mess.

cartwright118
23-07-2013, 14:40
I've had two...I guess it was a mistake. Did you have more than two?

LawsHosting
23-07-2013, 14:34
This is off-topic, but can you let us configure how many "Reminder" emails we receive, just had another within a 24hr period..... It's a joke...

cartwright118
23-07-2013, 14:18
I received the email...

Hello,

Recently, we have discovered a security incident on our internal network at OVH's headquarters.
We have immediately secured the infrastructure and started an investigation.
We discovered that the database holding European customers' data could have been illegally copied.
This database includes the following information:
first and last name, NIC, address, city, country, telephone and fax number, and the encrypted password.
Credit card information is not stored by OVH and has not been accessed.

Even if your password encryption is very strong, we encourage you to change it as soon as possible.

To learn more on the security incident:

http://status.ovh.net/?do=details&id=5070

Regards,

Yours faithfully,

OVH LTD
3 Southwark street
London
SE1 1RQ
Tel: 020 7357 6616
Fax: 020 7378 7703
Registered company 5519821
E-mail: customersupport@ovh.co.uk

OVH - Customer support
Mon-Fri from 9am to 6pm

Join the OVH Community at forum.ovh.co.uk

Check our services status at http://status.ovh.co.uk/

alex
23-07-2013, 11:36
how difficult to encrypt the whole database, as I almost completed one of the project where every part of customer data is encrypted and impossible to decrypt without key and decrypt script.

Example of database data how it should be stored in database:
Company Name: kQcvJh9juuPPbkhslfMDprnAehhfq7E3CdvIrjL70+k=

jonlewi5
23-07-2013, 11:23
Quote Originally Posted by LawsHosting
That's the least of our worries

Is more important... ID fraud sticks out..... and if Joe Bloggs calls up, gives the nic, etc, who's to say another Apple-like incident won't happen - they have all our details, easy to get by security.

Only good thing, he didn't mention email addresses - an oversight?
personally I'd assume email addresses was taken as well, judging by the amount of data taken/accessed.

macole111
23-07-2013, 11:09
No email here...

-macole111

LawsHosting
23-07-2013, 10:32
Quote Originally Posted by Chris4
I have a question - was the forum database compromised too?
That's the least of our worries
The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
Is more important... ID fraud sticks out..... and if Joe Bloggs calls up, gives the nic, etc, who's to say another Apple-like incident won't happen - they have all our details, easy to get by security.

Only good thing, he didn't mention email addresses - an oversight?

LawsHosting
23-07-2013, 10:20
Quote Originally Posted by Chris4
I received the email at around 2am, as I presume everyone else did now.
Maybe mine is still in the queue!

Chris4
23-07-2013, 10:08
I received the email at around 2am, as I presume everyone else did now.

I have a question - was the forum database compromised too?

alex
22-07-2013, 22:51
Quote Originally Posted by LawsHosting
Never received an email.... oh, tell a lie, I did..... but not about this incident, it was your "Service Renew Reminder"!
the same

LawsHosting
22-07-2013, 19:52
Never received an email.... oh, tell a lie, I did..... but not about this incident, it was your "Service Renew Reminder"!

Or do we expect it tomorrow?

Kacotet
22-07-2013, 17:29
Apple, Ubuntu forums & OVH!

cartwright118
22-07-2013, 15:28
Deleted Google Translation

oles@ovh.net
22-07-2013, 15:22
http://status.ovh.net/?do=details&id=5070
Hello,

A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they were able to gain access to the internal VPN of another employee. Then with this VPN access, they were able to compromise the access of one of the system administrators who handles the internal backoffice.

Until then, internal security was based on 2 levels of verification:
- Geographical: required to be in the office or to use the VPN, i.e.: the IP source
- Personal: password

Measures taken following this incident
---------------------------------------

Immediately following this hack, we changed the internal security rules:
- Passwords of all employees were regenerated for all types of access.
- We set up a new VPN in a secure PCI-DSS room with highly restricted access
- Consulting internal emails is now only possible from the office / VPN
- All those who have critical access now have 3 verification levels:
  - IP source
  - Password
  - Staff's USB security token (YubiKey)


Findings
-------

After our internal investigation, we assume that the hacker exploited the access to achieve two objectives:
- Recover the database of our customers in Europe
- Gain access to the installation server system in Canada

The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The encryption password is "Salted" and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to find the word password clearly. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining these security measures and inviting them to change their password.
No credit card information is stored at OVH. Credit card information was not viewed or copied.

As for the server delivery system in Canada, the risk we have identified is that if the client had not withdrawn our SSH key from the server, the hacker could connect from your system and retrieve the password stored in the .p file. The SSH key is not usable from another server, only from our backoffice in Canada. Therefore, where the client has not removed our SSH key and has not changed their root password, we immediately changed the password of the servers in the BHS DC to eliminate any risk there. An email will be sent today with the new password. The SSH key will be systematically deleted at the end of the server delivery process in both Canada and Europe. If the client needs OVH for support, a new SSH key will need to be reinstalled.

Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases. In short, we were not paranoid enough so now we're switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH.

We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions.

Please accept our sincere apologies for this incident. Thank you for your understanding.

Regards,

Octave
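
The announcement above says a provider SSH key left on a delivered server stayed usable from the provider's backoffice. As an added example (not part of the original post and not OVH tooling), this Python sketch audits `authorized_keys` content for entries the server owner does not recognise, including ones limited by a `from=` option. The sample file, the key blobs, the comments and the address 192.0.2.10 are constructed placeholders.

```python
import base64, hashlib, re

# [options] keytype base64-blob [comment]; options may hold quoted strings
ENTRY = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+)?'
    r'(?P<type>(?:sk-)?(?:ssh|ecdsa)-[\w@.-]+)\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$')

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse(text):
    """Yield one dict per key entry, skipping blank lines and comments."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        try:
            fp = fingerprint(m["blob"])
        except (TypeError, ValueError):  # no match, or invalid base64
            yield {"line": n, "error": "unparseable"}
            continue
        src = re.search(r'from="([^"]*)"', m["opts"] or "")
        yield {"line": n, "type": m["type"], "fp": fp,
               "from": src.group(1) if src else None,
               "comment": m["comment"] or ""}

def unexpected(text, allowed_fps):
    """Entries the owner did not list; unparseable lines are reported too.
    A from= restriction does not clear an entry: it only names the host
    whose compromise would make the key usable."""
    return [e for e in parse(text) if e.get("fp") not in allowed_fps]

def placeholder_blob(seed):  # constructed bytes, not a real public key
    return base64.b64encode(hashlib.sha512(seed).digest()).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    "# keys for root",
    f"ssh-ed25519 {placeholder_blob(b'owner')} admin@laptop",
    f'from="192.0.2.10",no-pty ssh-rsa {placeholder_blob(b"installer")} '
    "installer@provider.example",
])
OWNER_FP = fingerprint(placeholder_blob(b"owner"))

if __name__ == "__main__":
    for entry in unexpected(SAMPLE, {OWNER_FP}):
        print(entry)
```

On a real host, pass the contents of `/root/.ssh/authorized_keys` and the fingerprints of your own keys as shown by `ssh-keygen -lf`.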