NVIDIA Breached 59
jones_supa writes: Another day, another corporate network intrusion. NVIDIA has reportedly been breached in the first week of December, with the attack compromising personal information of the employees. There is no indication that other data has been compromised. This is according to an email sent out by the company's privacy office and Nvidia's SVP and CIO Bob Worwall on December 17th. It took NVIDIA a couple of weeks to pick up all the pieces and assess the incident. It appears that the issue was pinned down by an employee or several employees getting their personal data compromised outside of the company network. After that, the information was used to gain unauthorized access to the internal corporate network. NVIDIA's IT team has taken extensive measures since then to enhance the security of the network against similar attacks in the future.
Re: (Score:1)
Two California-based corporations suffer a big breach within a month of one another? Pelosi and Feinstein must be getting as wet as their old crotchety selves possibly can
*vomits*
Re: (Score:2)
Damn you Kim Jong, when will your terrorist activities be stopped. I beseech the military industrial complex and congress to provide whatever resources NSA needs to do whatever they want to do... for the children
Re: And here we go. (Score:1)
Troll
"extensive measures" taken... (Score:4, Informative)
I wonder what that means, exactly.
My hopes are that it means ensuring anyone on the outside is coming in via 2FA, internal and DMZ networks have a proper IDS/IPS in place that is tailored to the division in question (i.e. a bunch of point of sale terminals would sound an alarm if one of them decides to start making random connections to a site in Elbonia), there is an internal detection process so someone trying to brute force an account will make an audit trail and get a curious admin looking at why the events are happening.
My hopes also include isolation of DMZ boxes so that unless they are intended to communicate with each other, they can't. Isolation between departments would be nice as well.
Finally, my hopes include having remote access being more of using Citrix or RDP and having the remote machine be more of a dumb terminal, as opposed to an active VPN, making the remote machine a part of the corporate network.
Of course, my fear is that "extensive measures" will be a domain admin logging on, popping up a command shell, typing in:
dsquery user | dsmod user -mustchpwd yes
and calling it a wrap.
I'm hoping nVidia does more of the "hopes" portion.
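The "internal detection process" hoped for above, as an added example that is not part of the original comment or of anything NVIDIA runs: a small detector that reads constructed syslog-style authentication lines and flags an account/source pair that crosses a failure threshold inside a sliding window, plus the more telling case of a success that immediately follows such a burst. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit trail (syslog-like); not from NVIDIA or any real system.
SAMPLE_LOG = """\
2014-12-03T02:14:01Z auth FAILED user=jsmith src=198.51.100.7
2014-12-03T02:14:03Z auth FAILED user=jsmith src=198.51.100.7
2014-12-03T02:14:05Z auth FAILED user=jsmith src=198.51.100.7
2014-12-03T02:14:06Z auth FAILED user=jsmith src=198.51.100.7
2014-12-03T02:14:08Z auth FAILED user=jsmith src=198.51.100.7
2014-12-03T02:14:09Z auth OK     user=jsmith src=198.51.100.7
2014-12-03T02:20:00Z auth FAILED user=alee   src=203.0.113.9
2014-12-03T02:45:00Z auth FAILED user=alee   src=203.0.113.9
"""

# Assumed line layout: "<ISO timestamp> auth <FAILED|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, src) pairs with >= threshold failures inside a sliding window.
    A success right after such a burst is reported separately: that is the shape
    of a guessed password, not of a forgetful user, and deserves a human look."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                # ignore lines in other formats
        ts, result, user, src = rec
        q = failures[(user, src)]
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that fell out of the window
        if result == "FAILED":
            q.append(ts)
            if len(q) == threshold: # fire once, when the threshold is first crossed
                alerts.append(("bruteforce", user, src, len(q)))
        elif len(q) >= threshold:
            alerts.append(("success_after_bruteforce", user, src, len(q)))
            q.clear()
    return alerts
```

In the constructed sample, jsmith's five failures then a success produce both alert kinds, while alee's two failures 25 minutes apart produce none.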
Re:"extensive measures" taken... (Score:4, Interesting)
Aside from a few *nixes that are actively hostile to proprietary drivers or simply don't do any integration work for Nvidia's, Nvidia is one of the hardware companies whose signature is pretty much universally trusted, without much question or notification, on a driver. If their signing infrastructure were to have been compromised, some very, very, interesting 'GPU drivers' might make it out into the wild and raise some hell.
Unfortunately, this is true of other hardware outfits as well. I don't much care how they run things, though friendly advice would be to pay attention to the security geeks; but anyone who has a signing key that will get a driver right into the kernel of any windows system without comment(extra credit for getting it on Windows Update) is an active menace if they lose control of that.
Re: (Score:3)
The best thing they can do with signing keys is use HSMs.
This limits the intruder to only being able to access and use the key if the HSM's users and roles are AD linked. With proper logging, it can be told what packages were signed, and when, and if the key or package IDs needs to be actively revoked.
This happened to a Linux distro vendor, and they managed to do an effective job at limiting the damage.
If nVidia isn't using HSMs for the key signing, they better start, as virtually every blackhat knows that
Re: "extensive measures" taken... (Score:2)
Re: (Score:3)
The problem with isolation is that some twit of an employee decides it's inconvenient, sneaks in a couple wifi routers, and sets up an authorized bridge.
Proper security relies not just on IT locking everything down. IT has to be willing to go the extra mile to do so in a way which minimally hampers other employees from doing their
Re: (Score:2)
Well said. Security is not about being a control freak, because the more you tighten your grasp, the more systems will slip through your fingers (doubly so if you imagine you can police kernel devs). Instead, security is measured as follows:
[Difficulty of unauthorized access] / [Difficulty of authorized access]
Making authorized access harder reduces security because people. People will always make it easier for themselves. In the world of physical security, the lesson is: "any door along the quickest path
Re: (Score:2)
I would change that second part to
. I'll explain in a moment.
In my experience, the first problem is EGO. There is always some executive who bases his/her EGO on what exemptions he/she can get.
I'm too important NOT to have access to X.
From anywhere.
Along with all my people.
And then other executives have
Re: (Score:2)
Re: (Score:2)
No, "necessary" entirely misses the point. You're control-freaking. Users will find a way to do what they desire to do, and they'll find a way to make it easy to do so. That's humans for you - we're adaptive animals. Don't fight human nature.
Instead, make it easier to hit Facebook without hurting corporate security than to do something "clever" to hit Facebook. Make it easy to IM securely, to trade work-related files securely, and so on. Get out in front of what users want to do and make the easiest w
Re: (Score:2)
No. That is the point.
Now think about a bank. Physical access to the money is controlled and verified and audited.
Employees at a bank are NOT allowed to do whatever is easier for them. They do NOT prop open the secure doors.
If they do so, they are fired.
So why would Facebook be any different? Because people can SEE when the doors to the money are propped open. But the
Re: (Score:2)
If you can't make it easy for employees to do what they desire, you're just not very good at your job since that is the job of IT. Keep trying to change human nature and you'll simply fail at security and be seen as an asshole control freak by the people who do the useful and productive work at the company. Especially if those people are driver devs and kernel hackers, who might make a sport of subverting controls.
It's just a nasty combination of hubris and laziness that leads IT to try to change the user
Re: (Score:3)
Proper security requires a lot of factors, and as you said, this is no walk in the park. You are right that IT can't do everything. However, technical solutions are 90%-99% of what can be done and done right with minimal user inconvenience.
However, from how the successful hacks were described, there are four things that would have slowed, if not stopped almost all of them:
1: IDS/IPS. This shouldn't be something that a user should know/care about, unless they decide to run nmap from their PC and wonder w
Re: (Score:2)
"Finally, my hopes include having remote access being more of using Citrix or RDP and having the remote machine be more of a dumb terminal, as opposed to an active VPN, making the remote machine a part of the corporate network."
Either way there are concerns. With Citrix (assuming Citrix Web, since you specifically call out no VPN), you wind up with the exact same issue as what happened here. As soon as someone's username/password is compromised, the would-be hacker has full access to whatever is publicly e
Re: (Score:2)
My hopes are that it means ensuring anyone on the outside is coming in via 2FA
What difference does it make where you are coming from? Majority of costly threats are inside jobs and or enabled by inside human error... All it takes is one marketing goon to get owned and the castle wall is breached.
The very concept of network security is the most disastrous and perilous idea the security world has ever fabricated. If you want network security make IPSec mandatory across the enterprise everything short of this is worthless masturbation.
and DMZ networks have a proper IDS/IPS in place that is tailored to the division in question
IDS/IPS systems are nothing more than bureaucratic
and yet... (Score:3)
Re: (Score:1)
I'm CIO by the way.
Yeah, right. First of all, a real spy wouldn't tell everyone they were a spy, and secondly, you spelt it wrong!
Whadya take me for, some kinda maroon?
Re: (Score:2)
I agree with your GM and President. Not all positions require computer competency, and computer competency should have nothing to do with your security measures.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
We have yearly mandatory security training and testing for all employees. They like to recap recent incidents that hit the news and point out how following proper security policies could prevent a similar incident.
Re: (Score:3)
Why would you implement a test? We have mandatory basic security training and awareness, breaches of security policy range from being forced to attend the training again right up to being sacked, testing just shows what everyone already knows, i.e. that most people are unaware of security.
On a positive note... (Score:5, Funny)
Re: (Score:1)
The employee information was likely targeted in order to gain account information to access to critical systems with sensitive or confidential data.
Re: (Score:2, Funny)
"Open source the driver or we... we'll make this public information PUBLIC"
Re: (Score:2)
I can't see how employees' SSNs will improve the open source codebase.
Why are SSNs permanent life-long secret codes only the people who represent them should know?
I think in aggregate if everyone's SSN were made public it would prevent a vast sea of morons from relying on them for purposes for which they were neither intended or suitable and everyone would be better for it.
Re: (Score:2)
Where I live, everyone's national ID number is a matter of public record.
the real question (Score:3)
Was it time travellers? (Score:3)
NVIDIA has reportedly been breached in the first week of December
Bit of a mixed up tense there. Makes it sound like time travellers did (are doing) it.
Awareness (Score:1)
my problem (Score:1)
with things like this is that one finds out that enterprise IT admins frequently store passwords in plaintext... it's the only way they can tell that your new password is "not sufficiently different" from the previous one... e.g. at a previous employer that starts with A, I had a password like "App7!S@uCE". Admittedly I was being lazy, but being told that "App7!S@uC3" was too similar (change last char from 'E' to '3', in this example) would only be possible if they were storing the plaintext rather than a
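A "not sufficiently different" check does not actually require storing plaintext: the user has to present the current password to authorize the change, so the two plaintexts can be compared in memory at that moment and only salted hashes are ever written. This is an added example, not the original poster's employer's system; the PBKDF2 parameters, the edit-distance threshold and the record layout are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; an assumption for this example

def hash_password(password, salt=None):
    """Return (salt, digest); only these two values reach the credential store."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def edit_distance(a, b):
    """Levenshtein distance; the yardstick for 'sufficiently different'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def change_password(record, old_password, new_password, min_distance=3):
    """record = {"salt": bytes, "digest": bytes, "history": [(salt, digest), ...]}.
    Returns (ok, reason). The current password exists in plaintext only here,
    in memory, because the user just typed it to authorize the change."""
    if not verify_password(old_password, record["salt"], record["digest"]):
        return False, "old password incorrect"
    # Similarity is judged between the two plaintexts the user just supplied.
    if edit_distance(old_password.lower(), new_password.lower()) < min_distance:
        return False, "too similar to current password"
    # Reuse of older passwords is caught by verifying against their stored hashes.
    for salt, digest in record["history"]:
        if verify_password(new_password, salt, digest):
            return False, "password was used before"
    record["history"].append((record["salt"], record["digest"]))
    record["salt"], record["digest"] = hash_password(new_password)
    return True, "changed"
```

The one thing this cannot do is a similarity check against passwords older than the current one, since only their hashes survive; exact reuse of those is still caught.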
Hrm... (Score:5, Interesting)
Does anyone else find it ironic that every time one of these breaches happens... all the employee and customer data walks right out the door. But their source code? Proprietary corporate secrets? Oh, those are locked up tighter than a drum.
It's not hard to prevent these "hacks" or "Leaks" they just only chose to actually spend money to protect what's valuable to them. After their employees or Customers personal info is out there, they throw some money at a Credit monitoring service and pretend like that means anything at all? What did it cost them? $1 a user? LOL
We need federal liability laws. The feds do not need to dictate what they need to do to secure data like they've requested. They know, and we know that's a joke. The law will be out of date before it even takes effect. Simply make them liable for $100k per person's personal data they leak. They will quickly just flat out stop storing the data in the first place and we'll all be better off.
Re: (Score:2)
In the Libertarian paradise they have eliminated all external costs so you don't need to distinguish between a free market and an unregulated market. Therefore we can cut laws and regulations completely out of the problem!
Security rings? (Score:2)
With all these issues, I am wondering whether beyond the firewall to the external network, internal portions of a corporate network should be firewalled too. For example HR related data should be on a sub-section of the network protected by its own firewall. I would imagine the chances of breaching multiple firewalls being low, unless the penetration into the network is either done by an insider or someone who has been able to lay low on the network for a while?
This may already be the case in many organisat
Re: (Score:3)
That's covered by basic permissioning, surely?
If the user you got access to has access to HR data, they have access to HR data. Anything else in the way is merely a hindrance (to you, and an intruder).
But if you compromised a server and used them to get administrator access on the storage arrays, pretty much it doesn't matter what you've got in-between.
The real solution, I think, would be proper encryption. But even there, you have the problem of key management that doesn't just hand out keys to the serve
Re: (Score:2)
I guess they missed the most important thing (Score:2)
It looks like they forgot to turn the Windows Firewall to "on" and set the Internet Security Zone to "High". That should prevent all hacks, right? /me ducks
Once it's out in the wild, it's game over! (Score:2)