NVIDIA Breached

← Back to Stories (view on slashdot.org)

Posted by Soulskill on Tuesday December 30, 2014 @07:02AM from the caught-in-the-crossfire dept.

jones_supa writes: Another day, another corporate network intrusion. NVIDIA has reportedly been breached in the first week of December, with the attack compromising personal information of the employees. There is no indication that other data has been compromised. This is according to an email sent out by the company's privacy office and Nvidia's SVP and CIO Bob Worwall on December 17th. It took NVIDIA a couple of weeks to pick up all the pieces and assess the incident. It appears that the issue was pinned down by an employee or several employees getting their personal data compromised outside of the company network. After that, the information was used to gain unauthorized access to the internal corporate network. NVIDIA's IT team has taken extensive measures since then to enhance the security of the network against similar attacks in the future.

4 of 59 comments (clear)

Min score:

Reason:

Sort:

"extensive measures" taken... by mlts · 2014-12-30 07:23 · Score: 3, Informative

I wonder what that means, exactly.
My hopes are that it means ensuring anyone on the outside is coming in via 2FA, internal and DMZ networks have a proper IDS/IPS in place that is tailored to the division in question (i.e. a bunch of point of sale terminals would sound an alarm if one of them decides to start making random connections to a site in Elbonia), there is an internal detection process so someone trying to brute force an account will make an audit trail and get a curious admin looking at why the events are happening.
My hopes also include isolation of DMZ boxes so that unless they are intended to communicate with each other, they can't. Isolation between departments would be nice as well.
Finally, my hopes include having remote access being more of using Citrix or RDP and having the remote machine be more of a dumb terminal, as opposed to an active VPN, making the remote machine a part of the corporate network.
Of course, my fear is that "extensive measures" will be a domain admin logging on, popping up a command shell, typing in:
dsquery user | dsmod user -mustchpwd yes
and calling it a wrap.
I'm hoping nVidia does more of the "hopes" portion.
1. Re:"extensive measures" taken... by fuzzyfuzzyfungus · 2014-12-30 07:40 · Score: 3, Interesting
  
  Given that I have no particular personal stake in Nvidia's problems, I would hope, in the spirit of general benevolence, that they take actually effective action; but I would much, much, much more strongly hope, in my own interests and those of computer users generally, that they've taken effective measures surrounding control of their signing keys.
  
  Aside from a few *nixes that are actively hostile to proprietary drivers or simply don't do any integration work for Nvidia's, Nvidia is one of the hardware companies whose signature is pretty much universally trusted, without much question or notification, on a driver. If their signing infrastructure were to have been compromised, some very, very, interesting 'GPU drivers' might make it out into the wild and raise some hell.
  
  Unfortunately, this is true of other hardware outfits as well. I don't much care how they run things, though friendly advice would be to pay attention to the security geeks; but anyone who has a signing key that will get a driver right into the kernel of any windows system without comment(extra credit for getting it on Windows Update) is an active menace if they lose control of that.
On a positive note... by MagickalMyst · 2014-12-30 07:23 · Score: 5, Funny

Perhaps there will be some 'unexpected improvements' in open-source drivers for nVidia chipsets in the near future...

--
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Hrm... by Charliemopps · 2014-12-30 08:38 · Score: 4, Interesting

Does anyone else find it ironic that every time one of these breaches happens... all the employee and costumer data walks right out the door. But their source code? Propitiatory corporate secrets? Oh, those are locked up tighter than a drum.
It's not hard to prevent these "hacks" or "Leaks" they just only chose to actually spend money to protect what's valuable to them. After their employees or Customers personal info is out there, they throw some money at a Credit monitoring service and pretend like that means anything at all? What did it cost them? $1 a user? LOL
We need federal liability laws. The feds do not need to dictate what they need to do to secure data like they've requested. They know, and we know that's a joke. The law will be out of date before it even takes effect. Simply make them liable for $100k per persons personal data they leak. They will quickly just flat out stop storing the data in the first place and we'll all be better off.