Slashdot Mirror


NVIDIA Breached

jones_supa writes: Another day, another corporate network intrusion. NVIDIA has reportedly been breached in the first week of December, with the attack compromising personal information of the employees. There is no indication that other data has been compromised. This is according to an email sent out by the company's privacy office and Nvidia's SVP and CIO Bob Worrall on December 17th. It took NVIDIA a couple of weeks to pick up all the pieces and assess the incident. It appears that the issue was pinned down by an employee or several employees getting their personal data compromised outside of the company network. After that, the information was used to gain unauthorized access to the internal corporate network. NVIDIA's IT team has taken extensive measures since then to enhance the security of the network against similar attacks in the future.


  1. "extensive measures" taken... by mlts · · Score: 3, Informative

    I wonder what that means, exactly.

    My hopes are that it means ensuring anyone on the outside is coming in via 2FA, internal and DMZ networks have a proper IDS/IPS in place that is tailored to the division in question (i.e. a bunch of point of sale terminals would sound an alarm if one of them decides to start making random connections to a site in Elbonia), there is an internal detection process so someone trying to brute force an account will make an audit trail and get a curious admin looking at why the events are happening.

    My hopes also include isolation of DMZ boxes so that unless they are intended to communicate with each other, they can't. Isolation between departments would be nice as well.

    Finally, my hopes include having remote access be more a matter of using Citrix or RDP, with the remote machine acting as a dumb terminal, as opposed to an active VPN that makes the remote machine a part of the corporate network.

    Of course, my fear is that "extensive measures" will be a domain admin logging on, popping up a command shell, typing in:

    dsquery user | dsmod user -mustchpwd yes

    and calling it a wrap.

    I'm hoping nVidia does more of the "hopes" portion.

    1. Re:"extensive measures" taken... by fuzzyfuzzyfungus · · Score: 3, Interesting

      Given that I have no particular personal stake in Nvidia's problems, I would hope, in the spirit of general benevolence, that they take actually effective action; but I would much, much, much more strongly hope, in my own interests and those of computer users generally, that they've taken effective measures surrounding control of their signing keys.

      Aside from a few *nixes that are actively hostile to proprietary drivers or simply don't do any integration work for Nvidia's, Nvidia is one of the hardware companies whose signature is pretty much universally trusted, without much question or notification, on a driver. If their signing infrastructure were to have been compromised, some very, very, interesting 'GPU drivers' might make it out into the wild and raise some hell.

      Unfortunately, this is true of other hardware outfits as well. I don't much care how they run things, though friendly advice would be to pay attention to the security geeks; but anyone who has a signing key that will get a driver right into the kernel of any Windows system without comment (extra credit for getting it on Windows Update) is an active menace if they lose control of that.

    2. Re:"extensive measures" taken... by Solandri · · Score: 2

      My hopes also include isolation of DMZ boxes so that unless they are intended to communicate with each other, they can't. Isolation between departments would be nice as well.

      The problem with isolation is that some twit of an employee decides it's inconvenient, sneaks in a couple wifi routers, and sets up an authorized bridge.

      Proper security relies not just on IT locking everything down. IT has to be willing to go the extra mile to do so in a way which minimally hampers other employees from doing their jobs. Fail at that and you get employees setting up rogue bridges and networks. Unfortunately, some IT people I've encountered act like they're on a power trip and control "their" network with an iron fist. One place I visited wouldn't even let you plug in flash drives to transfer data (we tried to get authorization and were told it was never allowed). So that data ended up being sent as an oh-so-secure email attachment. Unencrypted since the system interpreted an encrypted zip file as malware and auto-deleted it.

      Putting a super-secure lock on a door is pointless if it makes getting around the workplace so difficult that everyone just uses a trash can to hold the door open all the time. IT needs to make things secure while minimally impeding other employees from doing their jobs. No, that's not easy. If it were easy, it wouldn't be a high-paying job.

    3. Re:"extensive measures" taken... by mlts · · Score: 2

      The best thing they can do with signing keys is use HSMs.

      This limits the intruder to only being able to access and use the key if the HSM's users and roles are AD linked. With proper logging, it can be told what packages were signed, and when, and whether the key or package IDs need to be actively revoked.

      This happened to a Linux distro vendor, and they managed to do an effective job at limiting the damage.

      If nVidia isn't using HSMs for the key signing, they had better start, as virtually every blackhat knows that getting their code to run under the signed nVidia flag is obtaining the key to the city, virtually everywhere.

    4. Re:"extensive measures" taken... by mlts · · Score: 2

      Proper security requires a lot of factors, and as you said, this is no walk in the park. You are right that IT can't do everything. However, technical solutions are 90%-99% of what can be done and done right with minimal user inconvenience.

      However, from how the successful hacks were described, there are four things that would have slowed, if not stopped almost all of them:

      1: IDS/IPS. This shouldn't be something that a user should know/care about, unless they decide to run nmap from their PC and wonder why their box's port got dropped from the internal network. However, an IDS is like the ZoneAlarm of yore. Unless one knows what to set to alert on the spot, and what to stuff a ball-gag in, it will be quite yappy. But there are plenty of books on this subject as well as Internet-based documentation.

      2: Logging and responding to logs. For example, the Sony hack would have been mitigated by a tool like SolarWinds, SCOM, or Splunk that was configured to have thresholds, and if too many bad passwords happen, alert an admin. If AD locked a user out due to too many bad PW guesses, even if the lockout period is 1-5 seconds [1], it should generate an alert.

      3: 2FA. SecurID isn't cheap, but for a large business, it isn't that large an expense. It also provides good management, and is decently flexible. It also works with virtually anything.

      4: Measures to limit malware's influence. I brought up Citrix because a RAT could snap screenshots and capture keystrokes, but through a Citrix session, files would be a lot harder to steal, and if a user was using 2FA, as soon as the user logged out and the session key deactivated, there would be nothing a remote attacker could really do other than hope the user logs in again, get screenshots, or maybe seize active control of the session (which likely will panic the user).

      I have met some people in my field who had the mentality that they were the COs and users were the inmates. However, effective security can come without penalizing users. It just takes some common sense.

      [1]: AD's default is 20 minutes, but I've found reducing it to 3-5 minutes decent enough to not lock legit users out, but only provide an attacker 288 chances every 24 hour period to get into an account, once the lockout activates. With a sane password system (again, the default AD settings come to mind), guessing a PW of a user isn't going to be easy.
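      An added example (not the poster's code, and not anything from Nvidia) of the two things mlts asks for in point 2 and the footnote: a small scanner that raises an alert on every account-lockout event and on a burst of bad passwords for one user, plus the lockout arithmetic behind the "288 chances per 24 hour period" figure. The log lines are constructed; event IDs 4625 (failed logon) and 4740 (account locked out) are real Windows security event IDs, but the one-line `key=value` layout is an assumption for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 4625 = failed logon,
# 4740 = account locked out. Line layout is an assumption for this example.
SAMPLE_LOG = """\
2014-12-03T02:10:01 4625 user=jdoe src=10.0.5.23 status=0xC000006A
2014-12-03T02:10:02 4625 user=jdoe src=10.0.5.23 status=0xC000006A
2014-12-03T02:10:03 4625 user=jdoe src=10.0.5.23 status=0xC000006A
2014-12-03T02:10:04 4625 user=jdoe src=10.0.5.23 status=0xC000006A
2014-12-03T02:10:05 4625 user=jdoe src=10.0.5.23 status=0xC000006A
2014-12-03T02:10:05 4740 user=jdoe src=10.0.5.23
2014-12-03T02:11:30 4625 user=asmith src=10.0.7.9 status=0xC000006A
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) user=(\S+) src=(\S+)")


def guesses_per_day(lockout_minutes, threshold):
    """Upper bound on online guesses per account per 24h once lockout engages.

    Each lockout window lets an attacker burn `threshold` bad guesses before the
    account locks again, so the budget is (windows per day) * threshold.
    Returns (lockout_windows_per_day, max_guesses_per_day)."""
    windows = (24 * 60) // lockout_minutes
    return windows, windows * threshold


def scan(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (kind, user, src) tuples.

    Every 4740 lockout is an alert on its own (as the poster argues, even a
    short lockout should page someone). A 'bad_password_burst' fires once when
    a user reaches `threshold` 4625 events inside a sliding time `window`."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent 4625 events
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event, user, src = m.groups()
        when = datetime.fromisoformat(ts)
        if event == "4740":
            alerts.append(("lockout", user, src))
        elif event == "4625":
            recent = [t for t in failures[user] if when - t <= window]
            recent.append(when)
            failures[user] = recent
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("bad_password_burst", user, src))
    return alerts
```

With a 5-minute lockout and one guess per window this reproduces the footnote's 288 attempts per day; raising the lockout threshold multiplies that budget accordingly, which is why the alert, not the lockout, is the part that matters.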

  2. and yet... by slashmydots · · Score: 2

    And yet at my company I can't get the GM and president to let me implement a basic computer and security competency test for all new hires that use computers. I'm CIO by the way.

    1. Re:and yet... by pr0fessor · · Score: 2

      We have yearly mandatory security training and testing for all employees. They like to recap recent incidents that hit the news and point out how following proper security policies could prevent a similar incident.

    2. Re:and yet... by bloodhawk · · Score: 2

      Why would you implement a test? We have mandatory basic security training and awareness; breaches of security policy range from being forced to attend the training again right up to being sacked. Testing just shows what everyone already knows, i.e. that most people are unaware of security.

  3. On a positive note... by MagickalMyst · · Score: 5, Funny

    Perhaps there will be some 'unexpected improvements' in open-source drivers for nVidia chipsets in the near future...

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.

    1. Re:On a positive note... by Anonymous Coward · · Score: 2, Funny

      "Open source the driver or we... we'll make this public information PUBLIC"

  4. the real question by slashmydots · · Score: 2

    The #1 question on everyone's mind is, does the data leaked indicate that management at Nvidia also admits that the Shield is a pointless, overpriced device with no market? I'm reeeeally dying to know. They're like a tablet mixed with a PSP mixed with a Steambox but worse than all 3. I can't imagine anyone there is too happy with it.

  5. Was it time travellers? by wonkey_monkey · · Score: 2

    NVIDIA has reportedly been breached in the first week of December

    Bit of a mixed up tense there. Makes it sound like time travellers did (are doing) it.

    --
    systemd is Roko's Basilisk.

  6. Hrm... by Charliemopps · · Score: 4, Interesting

    Does anyone else find it ironic that every time one of these breaches happens... all the employee and customer data walks right out the door. But their source code? Proprietary corporate secrets? Oh, those are locked up tighter than a drum.

    It's not hard to prevent these "hacks" or "leaks"; they just only chose to actually spend money to protect what's valuable to them. After their employees' or customers' personal info is out there, they throw some money at a credit monitoring service and pretend like that means anything at all? What did it cost them? $1 a user? LOL

    We need federal liability laws. The feds do not need to dictate what they need to do to secure data like they've requested. They know, and we know, that's a joke. The law will be out of date before it even takes effect. Simply make them liable for $100k per person's personal data they leak. They will quickly just flat out stop storing the data in the first place and we'll all be better off.

  7. Re:Security rings? by ledow · · Score: 2

    That's covered by basic permissioning, surely?

    If the user you got access to has access to HR data, they have access to HR data. Anything else in the way is merely a hindrance (to you, and an intruder).

    But if you compromised a server and used it to get administrator access on the storage arrays, pretty much it doesn't matter what you've got in between.

    The real solution, I think, would be proper encryption. But even there, you have the problem of key management that doesn't just hand out keys to the servers when they request them.

    Fact is, yes, it might be sensible to cordon off a few of these things. You already have to have PCI-DSS stuff on isolated networks (to simplify their requirements), but it doesn't seem to stop this stuff. I know schools that, for years, separated off curriculum and admin (i.e. it was impossible for a child to compromise the deputy head's login in the classroom and use it to get access to personnel data). I still stick to that mentality and move things to be physically apart wherever possible, but nowadays it's considered old hat and all the separation is virtual: VLANs and permissioning on the servers and storage arrays.

    You put barriers in between, but this kind of attack is more akin to the boy with his finger in the dike. Your users (in HR, or Finance, or wherever) need that tiny hole to be open for them, and so piggybacking in on their connection automatically gives you access to this stuff.

    The problem is that intrusion detection / prevention, really, is nothing more than checking EVERY transaction back and forth and that's a huge undertaking, slow, requires lots of equipment, and has to be constantly updated by people as threats appear. It's not an easy problem to solve. Even governments are having slips with their classified data, because even though the networks are supposed to be completely isolated, it only takes one guy (malicious or not) to be compromised for that barrier to have a gaping hole in it for him to do his job through.