On December 12, 2012, Quantopian.com was attacked. Our monitoring software alerted us while the attack was still in progress. We quickly assessed the situation, and just before 10 p.m. EST., took the site offline.
This locked everyone - including the attacker – out of the site. After carefully reviewing the event logs, we know the attacker was able to see certain portions of our file system, which processes were running and other similar information. We also know the attacker did not gain access to our database or any member information. The review also exposed the vector used to access the site (an exploit of I/O functions of the scientific libraries we support). The attacker was exploring those functions and “seeing what he could see” when we shut him down.
Once we were certain of the attack’s extent, we updated our site to share what information we had. We then began addressing the security hole. The Quantopian team has worked together to understand and address the vulnerability, review and improve our security measures and test the changes.
The fix required that we modify how we evaluate algorithms before running them. Part of that evaluation includes a “blacklist.” We now more aggressively reject potentially dangerous code based on a more comprehensive blacklist. The expanded blacklist was only one of our changes.
We improved our intrusion monitoring, increased the sensitivity of our alerting mechanisms and implemented a more secure method of launching new servers. We also changed the account that accesses our codebase, changed the permission levels of the account; pre-emptively rotated the passwords on our databases, services, etc.; and made several adjustments to our code and processes.
This attack also forced a change to the Quantopian API: data.open and data.close have been replaced by data.open_price and data.close_price.
The site was brought back up only when we were fully confident that we could provide a secure experience for our community.
When we launched Quantopian, we knew the site would be a target for hackers. Because Quantopian includes the ability to run visitor-authored Python code, we are a particularly tempting target. From the beginning, we have continuously maintained and regularly upgraded our security measures. We were able to detect and react to this attack as quickly as we did because of the protections already in place. We regularly re-evaluate our security plans and will continue to harden our security measures. With this attack in mind, we have accelerated our plans and will significantly strengthen our security in the coming weeks.
The protection of our members’ intellectual property is one of our core promises and one we take very seriously. We want you, our members, to trust us with your intellectual property. Trust is earned, and it is earned in part by being transparent. We are sharing the information about this attack – and our reaction - to meet our promise of transparency. In the coming days, we also will provide a more detailed postmortem of the event.
We know that members share our concern and commitment to security. If you have any advice, information, questions or criticisms regarding our security measures we welcome them through our forums or via email at firstname.lastname@example.org.
Thank you for your patience, understanding and continued trust. You are always welcome to reach me personally at email@example.com.
CEO and Founder