OVH database compromised.
#1

Ok... before it was Ubuntu Forums... now it's OVH... ok, great.
I wasn't registered on Ubuntu Forums, but OVH... I am a client there... like a few of you are.
This is getting worse... now we just need to wait to see the ****** database get compromised...

Anyways, information:
Code:
Hello,

A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they were able to gain access to the internal VPN of another employee. Then with this VPN access, they were able to compromise the access of one of the system administrators who handles the internal backoffice.

Until then, internal security was based on 2 levels of verification:
- Geographical: required to be in the office or to use the VPN, i.e.: the IP source
- Personal: password

Measures taken following this incident
---------------------------------------

Immediately following this hack, we changed the internal security rules:
- Passwords of all employees were regenerated for all types of access.
- We set up a new VPN in a secure PCI-DSS room with highly restricted access
- Consulting internal emails is now only possible from the office / VPN
- All those who have critical access now have 3 verification levels:
  - IP source
  - Password
  - Staff's USB security token (YubiKey)


Findings
-------

After our internal investigation, we assume that the hacker exploited the access to achieve two objectives:
- Recover the database of our customers in Europe
- Gain access to the installation server system in Canada

The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The encrypted password is salted and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to recover the password in clear. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining these security measures and inviting them to change their password.
No credit card information is stored at OVH. Credit card information was not viewed or copied.

As for the server delivery system in Canada, the risk we have identified is that if the client had not withdrawn our SSH key from the server, the hacker could connect from your system and retrieve the password stored in the .p file. The SSH key is not usable from another server, only from our backoffice in Canada. Therefore, where the client has not removed our SSH key and has not changed their root password, we immediately changed the password of the servers in the BHS DC to eliminate any risk there. An email will be sent today with the new password. The SSH key will be systematically deleted at the end of the server delivery process in both Canada and Europe. If the client needs OVH for support, a new SSH key will need to be reinstalled.

Overall, in the coming months the back office will be under PCI-DSS, which will allow us to ensure that an incident related to a specific hack on specific individuals will have no impact on our databases. In short, we were not paranoid enough, so now we're switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH.

We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions.

Please accept our sincere apologies for this incident. Thank you for your understanding.

Regards,

Octave
Source: OVH Portugal status website. *

*Content in English.
#2

Just fucking great. I don't have any more OVH servers due to their crap support, but I would assume they still have my details...
#3

Yeah, likewise. (luckily not mine but from a close friend I work with).

Let's see when it shows up on pastebin.
#4

Quote:

The encrypted password is salted and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to recover the password in clear.

Gotta love it. Would take anyone with a decent GPU quite a small amount of time to go through the hashes. I wouldn't be surprised if the hacker had already cracked half of the DB with a GPU cluster.

One thing we always have to remember is that anything can be hacked.
#5

What is OVH lol?

And WTF, THE ONLY COMPANY I TRUST IS ******
#6

Quote:
Originally Posted by [HiC]TheKiller
Gotta love it. Would take anyone with a decent GPU quite a small amount of time to go through the hashes. I wouldn't be surprised if the hacker had already cracked half of the DB with a GPU cluster.
How high are you right now?
#7

Quote:
Originally Posted by DiDok
How high are you right now?
You do know that a GPU can crack at a rate of a few billion guesses per second. We don't know how they salted it, maybe a central salt (which would significantly speed up the process). If they have individual salts but in the same database, that would also make it easy: if they have the DB dump, they can easily create a program that combines the password with the salts.

Obviously it also depends on how often they hashed the password. Now GPU cracking is faster, but it doesn't give too much of a boost with SHA512 due to how it's made (but a few thousand per second is certainly achievable). It's still significantly fast; he can easily have cracked a few dozen passwords already.
#8

Quote:
Originally Posted by playbox12
Obviously it also depends on how often they hashed the password. Now GPU cracking is faster, but it doesn't give too much of a boost with SHA512 due to how it's made (but a few thousand per second is certainly achievable). It's still significantly fast; he can easily have cracked a few dozen passwords already.
Regardless of how a hash is designed, GPU cracking is going to be far faster. Even with CPU cracking, you're looking at figures in the millions of SHA512 hashes/sec. With a really good GPU, you're looking at figures in the 100 millions; it's really not as secure as it sounds.
#9

Quote:
Originally Posted by [HiC]TheKiller
Gotta love it. Would take anyone with a decent GPU quite a small amount of time to go through the hashes. I wouldn't be surprised if the hacker had already cracked half of the DB with a GPU cluster.

One thing we always have to remember is that anything can be hacked.
How the hell can you brute-force 1,000,000 salted hashes? How many GPUs will you need... I don't think you're exactly right.

Ok, I just looked up computer cluster... jeez, that's a lot of computers.
#10

Quote:
Originally Posted by [HiC]TheKiller
Regardless of how a hash is designed, GPU cracking is going to be far faster. Even with CPU cracking, you're looking at figures in the millions of SHA512 hashes/sec. With a really good GPU, you're looking at figures in the 100 millions; it's really not as secure as it sounds.
You do know that at a rate of 650 million hashes per second it would take a year minimum, even with a monster GPU cluster using 8x7990 (in other words 16x7970, and yes, it's possible by watercooling those eight cards and putting a single-slot IO bracket on them). It's NOT at all easy to crack salted SHA512 passwords, and if you include all chars (when I say all chars I mean numbers, lowercase, capitals and punctuation) with a max length for passwords of 16 characters, it would take some years.

And yeah, SHA512 is one of the most difficult... for example, a single 7970 can make 76 million hashes per second, while cracking MD5 it can make over 5400 million hashes...
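Posts #7 and #10 argue about how the salting scheme, the iteration count and the hash rate change the work an attacker faces. As an added illustration (this is not OVH's code, and the notice does not say which scheme they actually use), the following Python models a stored password table with either one central salt or per-user salts plus an adjustable iteration count, counts how many hash computations one candidate password costs against the whole table, and plugs post #10's charset, length and hash-rate figures into an exhaustive-search estimate. The sample accounts are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real OVH data): username -> password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated SHA-512 via PBKDF2 (assumed scheme for illustration)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)


def build_store(users: dict, per_user_salt: bool, iterations: int = 1) -> dict:
    """Return {user: (salt, digest)}. One shared salt models the 'central salt'
    case from post #7; per_user_salt=True gives every record its own salt."""
    shared = os.urandom(16)
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16) if per_user_salt else shared
        store[user] = (salt, hash_password(pw, salt, iterations))
    return store


def verify(store: dict, user: str, password: str, iterations: int = 1) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    salt, digest = store[user]
    return hmac.compare_digest(digest, hash_password(password, salt, iterations))


def work_to_test_one_guess(store: dict, guess: str, iterations: int = 1):
    """How many hash computations one candidate costs against every record.
    With a shared salt the digest is computed once and compared to all rows;
    with per-user salts it must be recomputed per row. Returns (ops, matches)."""
    cache, ops, matches = {}, 0, []
    for user, (salt, digest) in store.items():
        if salt not in cache:
            cache[salt] = hash_password(guess, salt, iterations)
            ops += 1
        if hmac.compare_digest(cache[salt], digest):
            matches.append(user)
    return ops, sorted(matches)


def brute_force_years(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Years to exhaust a full keyspace at a given rate (post #10's figures)."""
    return charset_size ** length / hashes_per_second / (365 * 24 * 3600)
```

Raising `iterations` multiplies every number returned by `work_to_test_one_guess` by the same factor for the attacker while costing the site one extra computation per login.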