Topic: About the recent OVH hack (that affected bitcoin-central, instawallet, slush') (Read 1652 times)

brand new
Activity: 0
Merit: 0
Life's basics became luxuries, more expensive by the year, instead of necessities, right down to the most basic of things human beings live for at all. But that is the exact opposite of what happened elsewhere in the world. Not iPhones and Facebook. But the fundamentals of a decent life. Retirement, healthcare, education, income, savings, safety, stability, marriage, families, trust itself. All these things are simply now unaffordable for the average American. And worse, they are skyrocketing in price every year. 66% of Americans choose between food and healthcare. Do you see what I mean?
brand new
Activity: 0
Merit: 0
Thank you for reading my post. I hope you will get to use this approach for your supervised learning projects. If you are interested, here are links to some of my posts:
Organise your Jupyter Notebook with these tips
Exploratory data analysis guide
Exploratory text analysis in Python
5 tips for pandas users
5 tips for data aggregation in pandas
Writing 5 common SQL queries in pandas
Writing advanced SQL queries in pandas
legendary
Activity: 1176
Merit: 1001
This is the official update from ovh: http://forum.ovh.co.uk/showthread.php?t=6592

Quote
On April 26th, we detected an internal problem with the generation of the 21 characters. 2 out of the 3 random functions that we use in the code were not generating an authentic random sequence. It was possible to request a password change for a customer ID, and then find the "unique" URL emailed to the customer by brute force. The problem was found by an internal developer on April 26th at 11:03:14 and it was fixed at 12:54:13. The cause of the problem was linked to the rand function used in this part of the code. It was not patched to the same extent as the rest of the code at the time of activating the script execution cache. We have replaced the old function of 3 sequences to generate 21 characters with 2 authentic random functions to generate 64 characters.

We then ran searches on our databases to verify whether the loophole had been exploited and if so, when. We tracked the log of password changes for your IDs for the last 3 years. We actually have authorisation from the CNIL (the French data protection authority) to archive and exploit all our back office logs for the last 10 years, precisely for this type of situation.

We detected three password changes carried out by brute force on 3 customer IDs with active services. These 3 cases involved an attack aimed at the "bitcoin" community that uses OVH services. The hacker seems to have found the loophole on April 23rd at 22:00 and ran a significant number of tests to develop their tactics over a period of 1 hour. At 23:00 it had been perfected and the 1st ID was hacked, followed by the other 2 the next day (all from the "bitcoin community"). We have been in contact with these customers but the quality of the exchanges prevented us from obtaining sufficient information to identify this loophole. Thanks to our internal developers, we have fixed the problem in a totally independent manner. Only then did we begin to make the connection between the loophole that we had just fixed and these 3 customers. We have certainly learnt a lesson on how to communicate with clients in this type of situation.

If you still have 7 characters of entropy, that's 60^7 combinations. If the attacker hacked the account in one hour (as they claim), how did the attacker send 777600000 requests per second for one hour without them noticing? One billion requests per second, that's not something you usually handle. Nor would your servers; they would crash at any time.

Something is missing from this story, or I'm blinded and I'm missing something myself.
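To make the numbers in the post above concrete, here is an added worked example (not OVH's code and not part of the original thread). It computes the keyspace and brute-force cost of a reset token when only some of its positions are actually unpredictable, reproducing the poster's 60^7 / one-hour figure, and shows what a reset token generated entirely from a CSPRNG looks like, as OVH's fix (64 characters from authentic random functions) describes. The 60- and 62-symbol alphabets, the per-position model of the weak generator and the guess rates are assumptions for illustration; the page does not specify OVH's alphabet or the exact behaviour of the broken rand calls.

```python
import hashlib
import math
import secrets
import string

# Assumed URL-safe alphabet for generated tokens (62 symbols); the OVH
# statement does not say which alphabet the 21- or 64-character links used.
ALPHABET = string.ascii_letters + string.digits


def keyspace(alphabet_size: int, random_chars: int) -> int:
    """Distinct tokens an attacker must cover when only `random_chars`
    positions are unpredictable (the rest are fixed or derivable)."""
    return alphabet_size ** random_chars


def entropy_bits(alphabet_size: int, random_chars: int) -> float:
    """Bits of entropy contributed by the unpredictable positions."""
    return random_chars * math.log2(alphabet_size)


def guesses_per_second_needed(space: int, seconds: float) -> float:
    """Sustained guess rate required to exhaust `space` within `seconds`.
    This is the calculation behind the poster's 777600000/s figure."""
    return space / seconds


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given rate."""
    return space / guesses_per_second


def generate_reset_token(length: int = 64, alphabet: str = ALPHABET) -> str:
    """Reset token in which every position comes from the OS CSPRNG via
    the `secrets` module, so the effective entropy equals the nominal one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def token_fingerprint(token: str) -> str:
    """What to store server-side instead of the raw token: a SHA-256 digest.
    A leaked table of digests does not yield working reset links."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def verify_token(presented: str, stored_fingerprint: str) -> bool:
    """Constant-time comparison of the presented token's digest against the
    stored digest, so timing does not leak how many bytes matched."""
    return secrets.compare_digest(token_fingerprint(presented), stored_fingerprint)


def weak_vs_fixed_summary() -> dict:
    """Side-by-side figures for the weakened 21-char link (modelled, as the
    poster does, as 7 effectively random positions over 60 symbols) and the
    64-char CSPRNG replacement over the assumed 62-symbol alphabet."""
    weak_space = keyspace(60, 7)
    fixed_space = keyspace(len(ALPHABET), 64)
    return {
        "weak_keyspace": weak_space,
        "weak_bits": round(entropy_bits(60, 7), 1),
        "weak_rate_for_one_hour": guesses_per_second_needed(weak_space, 3600),
        # Even at a modest 1000 guesses/s the weak space falls in ~90 years;
        # at the poster's ~7.8e8/s it falls in one hour.
        "weak_seconds_at_1000_per_s": seconds_to_exhaust(weak_space, 1000),
        "fixed_bits": round(entropy_bits(len(ALPHABET), 64), 1),
        "fixed_seconds_at_1e9_per_s": seconds_to_exhaust(fixed_space, 1e9),
    }


if __name__ == "__main__":
    for k, v in weak_vs_fixed_summary().items():
        print(f"{k}: {v}")
    tok = generate_reset_token()
    fp = token_fingerprint(tok)
    print("sample 64-char token:", tok)
    print("verify:", verify_token(tok, fp))
```

The point the figures make is the one the poster raises: exhausting 60^7 in an hour needs a sustained rate in the hundreds of millions of requests per second, which a target would notice, so either far fewer positions were truly random or the attacker did not need to enumerate the whole space. Storing only a digest and comparing in constant time are standard hardening steps for any reset-link scheme and are independent of token length.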