NVIDIA Breached

jones_supa writes: Another day, another corporate network intrusion. NVIDIA has reportedly been breached in the first week of December, with the attack compromising personal information of the employees. There is no indication that other data has been compromised. This is according to an email sent out by the company's privacy office and Nvidia's SVP and CIO Bob Worwall on December 17th. It took NVIDIA a couple of weeks to pick up all the pieces and assess the incident. It appears that the issue was pinned down by an employee or several employees getting their personal data compromised outside of the company network. After that, the information was used to gain unauthorized access to the internal corporate network. NVIDIA's IT team has taken extensive measures since then to enhance the security of the network against similar attacks in the future.

  • by mlts ( 1038732 ) on Tuesday December 30, 2014 @02:23PM (#48698237)

    I wonder what that means, exactly.

    My hopes are that it means ensuring anyone on the outside is coming in via 2FA, internal and DMZ networks have a proper IDS/IPS in place that is tailored to the division in question (i.e. a bunch of point of sale terminals would sound an alarm if one of them decides to start making random connections to a site in Elbonia), there is an internal detection process so someone trying to brute force an account will make an audit trail and get a curious admin looking at why the events are happening.

    My hopes also include isolation of DMZ boxes so that unless they are intended to communicate with each other, they can't. Isolation between departments would be nice as well.

    Finally, my hopes include having remote access being more of using Citrix or RDP and having the remote machine be more of a dumb terminal, as opposed to an active VPN, making the remote machine a part of the corporate network.

    Of course, my fear is that "extensive measures" will be a domain admin logging on, popping up a command shell, typing in:

    dsquery user | dsmod user -mustchpwd yes

    and calling it a wrap.

    I'm hoping nVidia does more of the "hopes" portion.

    • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday December 30, 2014 @02:40PM (#48698389) Journal
      Given that I have no particular personal stake in Nvidia's problems, I would hope, in the spirit of general benevolence, that they take actually effective action; but I would much, much, much more strongly hope, in my own interests and those of computer users generally, that they've taken effective measures surrounding control of their signing keys.

      Aside from a few *nixes that are actively hostile to proprietary drivers or simply don't do any integration work for Nvidia's, Nvidia is one of the hardware companies whose signature is pretty much universally trusted, without much question or notification, on a driver. If their signing infrastructure were to have been compromised, some very, very interesting 'GPU drivers' might make it out into the wild and raise some hell.

      Unfortunately, this is true of other hardware outfits as well. I don't much care how they run things, though friendly advice would be to pay attention to the security geeks; but anyone who has a signing key that will get a driver right into the kernel of any Windows system without comment (extra credit for getting it on Windows Update) is an active menace if they lose control of that.
      • by mlts ( 1038732 )

        The best thing they can do with signing keys is use HSMs.

        This limits the intruder to only being able to access and use the key if the HSM's users and roles are AD linked. With proper logging, it can be told what packages were signed, and when, and if the key or package IDs need to be actively revoked.

        This happened to a Linux distro vendor, and they managed to do an effective job at limiting the damage.

        If nVidia isn't using HSMs for the key signing, they better start, as virtually every blackhat knows that

        • There is also the much trickier, but potentially really unpleasant, matter of firmware. GPU cards have at least some flash onboard, not certain exactly how much, probably varies by model; and they are a peripheral in a position of a great deal of power (big fat kernel driver, all the DMA they can eat, enough onboard RAM and computational capacity to really do interesting things with that). Certainly wouldn't want any bugged firmware sneaking around.
    • My hopes also include isolation of DMZ boxes so that unless they are intended to communicate with each other, they can't. Isolation between departments would be nice as well.

      The problem with isolation is that some twit of an employee decides it's inconvenient, sneaks in a couple wifi routers, and sets up an authorized bridge.

      Proper security relies not just on IT locking everything down. IT has to be willing to go the extra mile to do so in a way which minimally hampers other employees from doing their

      • by lgw ( 121541 )

        Well said. Security is not about being a control freak, because the more you tighten your grasp, the more systems will slip through your fingers (doubly so if you imagine you can police kernel devs). Instead, security is measured as follows:

        [Difficulty of unauthorized access] / [Difficulty of authorized access]

        Making authorized access harder reduces security because people. People will always make it easier for themselves. In the world of physical security, the lesson is: "any door along the quickest path

        • by khasim ( 1285 )

          [Difficulty of unauthorized access] / [Difficulty of authorized access]

          I would change that second part to

          "necessary access"

          . I'll explain in a moment.

          Making authorized access harder reduces security because people. People will always make it easier for themselves.

          In my experience, the first problem is EGO. There is always some executive who bases his/her EGO on what exemptions he/she can get.

          I'm too important NOT to have access to X.
          From anywhere.
          Along with all my people.

          And then other executives have

          • by tlhIngan ( 30335 )

            In my experience, the first problem is EGO. There is always some executive who bases his/her EGO on what exemptions he/she can get.

            I'm too important NOT to have access to X.
            From anywhere.
            Along with all my people.

            And then other executives have to have the same access because, otherwise, they are not as important. And IT can handle it, right?

            So you end up with too many people with too much access. And admin/root access to their machines. That they also use for non-work related activities because why shouldn't

          • by lgw ( 121541 )

            No, "necessary" entirely misses the point. You're control-freaking. Users will find a way to do what they desire to do, and they'll find a way to make it easy to do so. That's humans for you - we're adaptive animals. Don't fight human nature.

            Instead, make it easier to hit Facebook without hurting corporate security than to do something "clever" to hit Facebook. Make it easy to IM securely, to trade work-related files securely, and so on. Get out in front of what users want to do and make the easiest w

            • by khasim ( 1285 )

              No, "necessary" entirely misses the point.

              No. That is the point.

              Users will find a way to do what they desire to do, and they'll find a way to make it easy to do so.

              Now think about a bank. Physical access to the money is controlled and verified and audited.

              Employees at a bank are NOT allowed to do whatever is easier for them. They do NOT prop open the secure doors.

              If they do so, they are fired.

              So why would Facebook be any different? Because people can SEE when the doors to the money are propped open. But the

              • by lgw ( 121541 )

                If you can't make it easy for employees to do what they desire, you're just not very good at your job since that is the job of IT. Keep trying to change human nature and you'll simply fail at security and be seen as an asshole control freak by the people who do the useful and productive work at the company. Especially if those people are driver devs and kernel hackers, who might make a sport of subverting controls.

                It's just a nasty combination of hubris and laziness that leads IT to try to change the user

      • by mlts ( 1038732 )

        Proper security requires a lot of factors, and as you said, this is no walk in the park. You are right that IT can't do everything. However, technical solutions are 90%-99% of what can be done and done right with minimal user inconvenience.

        However, from how the successful hacks were described, there are four things that would have slowed, if not stopped almost all of them:

        1: IDS/IPS. This shouldn't be something that a user should know/care about, unless they decide to run nmap from their PC and wonder w

    • by RingDev ( 879105 )

      "Finally, my hopes include having remote access being more of using Citrix or RDP and having the remote machine be more of a dumb terminal, as opposed to an active VPN, making the remote machine a part of the corporate network."

      Either way there are concerns. With Citrix (assuming Citrix Web, since you specifically call out no VPN), you wind up with the exact same issue as what happened here. As soon as someone's username/password is compromised, the would-be hacker has full access to whatever is publicly e

    • My hopes are that it means ensuring anyone on the outside is coming in via 2FA

      What difference does it make where you are coming from? The majority of costly threats are inside jobs and/or enabled by inside human error... All it takes is one marketing goon to get owned and the castle wall is breached.

      The very concept of network security is the most disastrous and perilous idea the security world has ever fabricated. If you want network security, make IPSec mandatory across the enterprise; everything short of this is worthless masturbation.

      and DMZ networks have a proper IDS/IPS in place that is tailored to the division in question

      IDS/IPS systems are nothing more than bureaucratic

  • by slashmydots ( 2189826 ) on Tuesday December 30, 2014 @02:23PM (#48698241)
    And yet at my company I can't get the GM and president to let me implement a basic computer and security competency test for all new hires that use computers. I'm CIO by the way.
    • I'm CIO by the way.

      Yeah, right. First of all, a real spy wouldn't tell everyone they were a spy, and secondly, you spelt it wrong!

      Whadya take me for, some kinda maroon?

    • I agree with your GM and President. Not all positions require computer competency, and computer competency should have nothing to do with your security measures.

      • We had a new salesman take a fake FedEx CryptoWall e-mail and forward it to the entire company. Explain that then.
    • Not speaking to your suggested control in particular, I do think that in general the non-technical/MBA world, especially the older ones, simply do not take network security seriously enough to properly evaluate the tradeoff in risks to dollar figures. They see it as a cost center (which it is), but do not properly appreciate just how bad things can get. It's our job as network security professionals to make the case for this, but it's not easy when a lot of them still seem to have a view of the computer as
    • We have yearly mandatory security training and testing for all employees. They like to recap recent incidents that hit the news and point out how following proper security policies could prevent a similar incident.

    • Why would you implement a test? We have mandatory basic security training and awareness, breaches of security policy range from being forced to attend the training again right up to being sacked, testing just shows what everyone already knows, i.e. that most people are unaware of security.

  • by MagickalMyst ( 1003128 ) on Tuesday December 30, 2014 @02:23PM (#48698245)
    Perhaps there will be some 'unexpected improvements' in open-source drivers for nVidia chipsets in the near future...
  • by slashmydots ( 2189826 ) on Tuesday December 30, 2014 @02:40PM (#48698397)
    The #1 question on everyone's mind is, does the data leaked indicate that management at Nvidia also admits that the Shield is a pointless, overpriced device with no market? I'm reeeeally dying to know. They're like a tablet mixed with a PSP mixed with a Steam box but worse than all 3. I can't imagine anyone there is too happy with it.
  • by wonkey_monkey ( 2592601 ) on Tuesday December 30, 2014 @03:00PM (#48698591) Homepage

    NVIDIA has reportedly been breached in the first week of December

    Bit of a mixed up tense there. Makes it sound like time travellers did (are doing) it.

  • Are these hacks happening more often or is it a mixture of actually catching the breaches now and more reporting on the breaches?
  • by Anonymous Coward

    with things like this is that one finds out that enterprise IT admins frequently store passwords in plaintext... it's the only way they can tell that your new password is "not sufficiently different" from the previous one... e.g. at a previous employer that starts with A, I had a password like "App7!S@uCE". Admittedly I was being lazy, but being told that "App7!S@uC3" was too similar (change last char from 'E' to '3', in this example) would only be possible if they were storing the plaintext rather than a
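The "not sufficiently different" check the post describes can be implemented for the immediately previous password without a stored plaintext, because at change time the user hands over both the old and the new password in the clear: the edit distance is computed then, and only a salted PBKDF2 hash is ever written to the database. The following is an added example, not code from the post or from the employer it mentions; the minimum distance of 3 and the PBKDF2 parameters are choices made for this illustration, and the two passwords are the ones quoted in the post.

```python
import hashlib
import hmac
import os

MIN_EDIT_DISTANCE = 3   # policy threshold, assumed for this example
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor chosen for this example


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def hash_password(password, salt=None):
    """Return (salt, digest); this pair is all that gets stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def change_password(stored, old, new):
    """Password-change handler.

    `stored` is the (salt, digest) record on file. Both `old` and `new` arrive in
    the clear from the user, so the similarity check runs here, against the old
    password only, and nothing but the new record's salt and digest is retained.
    Returns (ok, reason, record_to_store).
    """
    salt, digest = stored
    if not verify_password(old, salt, digest):
        return False, "old password incorrect", stored
    if edit_distance(old, new) < MIN_EDIT_DISTANCE:
        return False, "too similar to previous password", stored
    return True, "changed", hash_password(new)


if __name__ == "__main__":
    record = hash_password("App7!S@uCE")
    print(change_password(record, "App7!S@uCE", "App7!S@uC3")[:2])   # rejected: distance 1
    print(change_password(record, "App7!S@uCE", "Gr33n-Tortoise-Ladder")[:2])   # accepted
```

The limitation is the one the post hints at: this covers only the previous password, since that is the only earlier value available in the clear at change time. Comparing against a deeper history by similarity, rather than by exact hash match, does need more than a hash on file, which is the trade-off a policy like that forces.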

  • Hrm..., by Charliemopps ( 1157495 ) on Tuesday December 30, 2014 @03:38PM (#48698985)

    Does anyone else find it ironic that every time one of these breaches happens... all the employee and customer data walks right out the door. But their source code? Proprietary corporate secrets? Oh, those are locked up tighter than a drum.

    It's not hard to prevent these "hacks" or "leaks"; they just only chose to actually spend money to protect what's valuable to them. After their employees' or customers' personal info is out there, they throw some money at a credit monitoring service and pretend like that means anything at all? What did it cost them? $1 a user? LOL

    We need federal liability laws. The feds do not need to dictate what they need to do to secure data like they've requested. They know, and we know, that's a joke. The law will be out of date before it even takes effect. Simply make them liable for $100k per person's personal data they leak. They will quickly just flat out stop storing the data in the first place and we'll all be better off.

    • In the Libertarian paradise they have eliminated all external costs, so you don't need to distinguish between a free market and an unregulated market. Therefore we can cut laws and regulations completely out of the problem!

  • With all these issues, I am wondering whether beyond the firewall to the external network, internal portions of a corporate network should be firewalled too. For example HR related data should be on a sub-section of the network protected by its own firewall. I would imagine the chances of breaching multiple firewalls being low, unless the penetration into the network is either done by an insider or someone who has been able to lay low on the network for a while?

    This may already be the case in many organisat

    • by ledow ( 319597 )

      That's covered by basic permissioning, surely?

      If the user you got access to has access to HR data, they have access to HR data. Anything else in the way is merely a hindrance (to you, and an intruder).

      But if you compromised a server and used it to get administrator access on the storage arrays, pretty much it doesn't matter what you've got in-between.

      The real solution, I think, would be proper encryption. But even there, you have the problem of key management that doesn't just hand out keys to the serve

  • It looks like they forgot to turn the Windows Firewall to "on" and set the Internet Security Zone to "High". That should prevent all hacks, right? /me ducks

  • When you read that Stuxnet was an NSA/Israel creation and every month you get drip fed news about NSA's true illegal/terrorist side (like finding ways to hack popular email servers or backend links of cloud storage) and just now, cracking VPN services [slashdot.org], you have to ask yourself this: "Who has opened Pandora's box? Who deserves to suffer from it [first]?"
