Quote
Posted July 24, 2012
We are continuing to complete work on strengthening security for the NVIDIA Forums.
We expect to bring this site back online soon.
Thanks for your patience.
Posted July 12, 2012
NVIDIA suspended operations of the NVIDIA Forums (forums.nvidia.com) last week.
We did this in response to suspicious activity and immediately began an investigation. We apologize that our continuing investigation is taking this long. Know that we are working around the clock to ensure that secure operations can be restored.
Our investigation has identified that unauthorized third parties gained access to some user information, including:
username
email address
hashed passwords with random salt value
public-facing "About Me" profile information
NVIDIA did not store any passwords in clear text. "About Me" optional profiles could include a user's title, age, birthdate, gender, location, interests, email and website URL - all of which was already publicly accessible.
NVIDIA is continuing to investigate this matter and is working to restore the Forums as soon as possible. We are employing additional security measures to minimize the impact of future attacks.
All user passwords for our Forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to the user's registered email address.
As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.
NVIDIA does not request sensitive information by email. Do not provide personal, financial or sensitive information (including new passwords) in response to any email purporting to be sent by an NVIDIA employee or representative.
We will post updates about this matter here. For any questions, email us at forumsupdate@nvidia.com.
For technical support, go to www.nvidia.com/support.
http://www.nvidia.com/content/forums/index.html
Found this trying to fix an issue with nVidia and Modern Warfare 2 at Frag today.
Dammit, I'll have to go reset my account I think.
Quote from: Mr. Analog on August 09, 2012, 04:08:29 PM
Dammit, I'll have to go reset my account I think.
Well they will be forcing a reset however "hashed passwords with random salt value" so the risk should be greatly minimized.
Yeah, the randomized salts on hashed passwords is nice to see. Good on them for saying it, too, as opposed to some other security leaks we've seen recently where they talk about which users have "weak" passwords (implying that they can read them at will).
Quote from: Thorin on August 09, 2012, 04:58:26 PM
where they talk about which users have "weak" passwords (implying that they can read them at will).
Yeah, it makes it seem that they stored them as freetext. But reality is they likely hashed them without salt, and some folks used too simple a password and thus might be crackable via Brute Force or else Rainbow Table lookups or whatever.
Funny thing is, even with computing power like it is there is still no reason for the Average Joe to worry about his hashed password being figured out, if they just make sure to include a couple of symbols in there -- since that increased computing power has just reduced the time it takes for either Brute Force or Rainbow Table lookups to run, and neither would ever find your password of "John...." within a reasonable time.
It doesn't take a LOT of LENGTH, mainly just complexity via 2+ chars outside the AlphaNum range. As proven by Gibson Research (http://forums.righteouswrath.com/index.php/topic,8826.msg62407.html#msg62407) <-- thread from a few weeks ago.
And yet so many IT departments force over-worked (and possibly under-intelligenced) staff to change their password every 60 or 30 days and be at least 8 characters and have "at least 1 Uppercase and 1 lowercase and 1 number and 1 symbol". Well, not everybody will REMEMBER that and therefore inevitably writes it down or similar -- unless they know of the "trick" to replace letters with #'s or symbols. It's still amazing, based on that web tool linked above, that the incredibly short "G0@t!!" or similar, which is just 6 characters ("23.62 years" vs. "Gtaozx"=7.69 months ; "$a1234"=3.48 years vs. "$a12345"=240 years!), covers pretty much every requirement other than length but is virtually unbreakable via automation.
But sadly the easiest way for hackers to get into systems will remain the SOCIAL engineering (i.e. spam that looks like The Real Deal, or else physically looking around the workstation for sticky notes) because of passwords that must also be a certain length and not just use more than AlphaNum.
That isn't really true since some rainbow tables and brute force attacks are optimized for common character substitutions, thus narrowing down the attack. End users predictably use common special characters more often as well.
Quote from: Darren Dirt on August 10, 2012, 07:37:46 AM
It doesn't take a LOT of LENGTH, mainly just complexity via 2+ chars outside the AlphaNum range. As proven by Gibson Research (http://forums.righteouswrath.com/index.php/topic,8826.msg62407.html#msg62407) <-- thread from a few weeks ago.
Here you're saying that complexity matters more than length. Your linked previous post says the opposite, that length matters more than complexity. So...
Rainbow tables can be made surprisingly large these days, but a random 16 character salt added to any password before hashing will still render those rainbow tables basically useless. Unless of course the salt is known (it's usually stored in the same table as the salted+hashed passwords), although if it's random salts then you still need an entire rainbow table for just one password. That still slows 'em down quite a bit.
And thus the social engineering and phishing attacks will remain prevalent.
Speaking of which, people keep calling my mom telling her there's a problem with her computer (THERE DEFINITELY IS NOT). Clearly they've figured out she's an older lady and are preying on her now.
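An added example to illustrate the salt point above; this is not code from anyone in this thread or from NVIDIA. It uses plain SHA-256 only as a stand-in fast hash (the thread's own later advice is bcrypt/PBKDF2 for real password storage), a constructed five-entry "precomputed table" in place of a real rainbow table, and 16 random bytes of salt as described in the post. The function names are my own.

```python
import hashlib
import os

# Constructed stand-in for a precomputed (rainbow) table: a few common
# passwords whose unsalted digests an attacker computes once and reuses.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "John...."]


def unsalted_hash(password: str) -> str:
    """Fast hash, no salt: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Same hash, but a per-password random salt is mixed in first."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def new_salt(nbytes: int = 16) -> bytes:
    """16 random bytes (128 bits) from the OS CSPRNG, one per stored password."""
    return os.urandom(nbytes)


def build_table(salt: bytes = b"") -> dict:
    """Precompute digest -> password for the common list.

    With salt=b"" this is the attacker's reusable unsalted table; with a
    specific salt it is a table that only works for that one salt value."""
    return {salted_hash(p, salt): p for p in COMMON_PASSWORDS}


UNSALTED_TABLE = build_table()


def lookup(digest: str, table: dict = UNSALTED_TABLE):
    """Reverse a digest via a table; None means the table did not help."""
    return table.get(digest)


def demo() -> dict:
    """Two users choose the same weak password; compare what a table recovers."""
    salt_a, salt_b = new_salt(), new_salt()
    h_a = salted_hash("password", salt_a)
    h_b = salted_hash("password", salt_b)
    return {
        # Unsalted: one precomputed lookup recovers the password.
        "unsalted_reversed": lookup(unsalted_hash("password")),    # 'password'
        # Salted: the reusable table finds nothing.
        "salted_reversed": lookup(h_a),                             # None
        # Per-user salts also hide that both users share a password.
        "same_password_same_digest": h_a == h_b,                    # False
        # Even knowing salt_a (it sits beside the hash), the table must be
        # rebuilt for that single salt, and that rebuilt table is useless
        # against user b.
        "rebuilt_for_a": lookup(h_a, build_table(salt_a)),          # 'password'
        "rebuilt_for_a_on_b": lookup(h_b, build_table(salt_a)),     # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the output makes is the one in the post: a leaked salt does not give the attacker back a reusable table, it only lets them build a fresh table that is good for exactly one stored password.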
Quote from: Thorin on August 10, 2012, 10:36:30 AM
Speaking of which, people keep calling my mom telling her there's a problem with her computer (THERE DEFINITELY IS NOT). Clearly they've figured out she's an older lady and are preying on her now.
Well my dad called me the other night telling me that the computer prompted him that it had found a virus and he had two options 1) call a friend or 2) have the program fix the problem.. He picked 2 and now his computer is borked... Obviously got hit with one of those fake AV Trojans.
The phone calls to my mom are ones where they're trying to convince her to install a program from the web and "they can even walk her through it". Basically it's a fake AV trojan being installed by gullible people following directions from someone that called them.
Sucks that your dad picked #2, though.
I keep telling my kids, "If you don't know what it is, don't click it". Kinda hard with the six year old who doesn't listen, but at least he's only on places like Club Penguin.
Quote from: Thorin on August 10, 2012, 12:48:43 PM
The phone calls to my mom are ones where they're trying to convince her to install a program from the web and "they can even walk her through it". Basically it's a fake AV trojan being installed by gullible people following directions from someone that called them.
Yeah, I've heard of that. The thing you install is really a vnc/rdp client that they use to break your system if you don't pay them. Then they call back later, or you call them back to pay them to fix it...
Quote from: Tom on August 10, 2012, 01:48:46 PM
Quote from: Thorin on August 10, 2012, 12:48:43 PM
The phone calls to my mom are ones where they're trying to convince her to install a program from the web and "they can even walk her through it". Basically it's a fake AV trojan being installed by gullible people following directions from someone that called them.
Yeah, I've heard of that. The thing you install is really a vnc/rdp client that they use to break your system if you don't pay them. Then they call back later, or you call them back to pay them to fix it...
The funny thing according to some things I read is that because it is an RDP/VNC connection you can actually see them disabling services and breaking files.... Well if you are technical and know what you are seeing happen.
Quote from: Lazybones on August 10, 2012, 08:25:26 AM
That isn't really true since some rainbow tables and brute force attacks are optimized for common character substitutions, thus narrowing down the attack. End users predictably use common special characters more often as well.
Very true -- but adding multiple symbols at the end is still un-rainbowtable-able.
I was very sleep deprived when typing above, I'm surprised that's the only thing that was inaccurate or just plain wrong :o
Edit: Thorin ftw -- never disappoints ;)
You can have rainbow attacks with symbols, even unicode pages.
It's slower, but it still works.
Interesting Rainbow Table post from 2007: http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html. The salient point from this post was that desktop computers were getting so powerful that very large rainbow tables could be loaded.
Interesting Rainbow Table Is Dead post from 2011: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html. The salient point is that GPUs are getting so damn fast now that brute forcing passwords is even quicker than using rainbow tables. And hey, Tom had even talked recently about getting a couple of GPUs going to do BitCoin mining, or something.
sigh
Security is hard.
Also remember the 10 Immutable Laws of Security: http://technet.microsoft.com/library/cc722487.aspx
Forget GPU if there is money to be made you can get access to huge amounts of cloud powered parallel CPU for relatively cheap.
Well if you're cracking passwords you might not want to use cloud computing as you might be paranoid about who could be recording what you're doing :P Also, the time required to crack the password(s) might exponentially increase due to network speed becoming the bottleneck...
Quote from: Thorin on August 12, 2012, 01:00:00 AM
Well if you're cracking passwords you might not want to use cloud computing as you might be paranoid about who could be recording what you're doing :P Also, the time required to crack the password(s) might exponentially increase due to network speed becoming the bottleneck...
You give the job to many different servers and assign each a different start / search space... When they find the answer the winner reports back to you..
You are correct that using public clouds would increase the risk of getting found.
Quote from: Thorin on August 11, 2012, 03:58:04 PM
Interesting Rainbow Table post from 2007: http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html. The salient point from this post was that desktop computers were getting so powerful that very large rainbow tables could be loaded.
Interesting Rainbow Table Is Dead post from 2011: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html. The salient point is that GPUs are getting so damn fast now that brute forcing passwords is even quicker than using rainbow tables. And hey, Tom had even talked recently about getting a couple of GPUs going to do BitCoin mining, or something.
I love how attention-grabbing some of the titles of the links at the bottom are...
http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
http://www.codinghorror.com/blog/2009/05/i-just-logged-in-as-you-how-it-happened.html
Quote from: Thorin on August 11, 2012, 03:58:04 PM
Security is hard.
Also remember the 10 Immutable Laws of Security: http://technet.microsoft.com/library/cc722487.aspx
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea
well here's a gem -- as a developer especially
http://www.codinghorror.com/blog/2012/04/speed-hashing.html
Quote
Secure hashes are designed to be tamper-proof
A properly designed secure hash function changes its output radically with tiny single bit changes to the input data, even if those changes are malicious and intended to cheat the hash. Unfortunately, not all hashes were designed properly, and some, like MD5, are outright broken and should probably be reverted to checksums.
...
I'm too busy to read all this.
If you are a user:
Make sure all your passwords are 12 characters or more, ideally a lot more. I recommend adopting pass phrases ( http://www.codinghorror.com/blog/2005/07/passwords-vs-pass-phrases.html ) , which are not only a lot easier to remember than passwords (if not type) but also ridiculously secure against brute forcing purely due to their length.
If you are a developer:
Use bcrypt or PBKDF2 exclusively to hash anything you need to be secure. These new hashes were specifically designed to be difficult to implement on GPUs. Do not use any other form of hash. Almost every other popular hashing scheme is vulnerable to brute forcing by arrays of commodity GPUs, which only get faster and more parallel and easier to program for every year.
http://en.wikipedia.org/wiki/Bcrypt
http://en.wikipedia.org/wiki/Pbkdf2
so I guess laziness (i.e. using MD5 with a "random" salt) should no longer be a default ... damn you increasing clock speeds and whatnot!
Yep, it's essentially a processing race, lengthening and increasing password complexity only buys time.
So gotta start getting better at locking down passwords in the first place, amirite?
I dunno, I like the newest tack security professionals are taking - make the hashing algorithm slow instead of fast so that it takes way longer to generate all the hashes for either brute forcing or rainbow tabling. And adding a long salt that is different for every password will certainly significantly increase the time it takes.
Still, "Hello, this is George from IT. We're having a problem on the mail server with a large attachment sent to you. Can I have your password to try and fix that, please?"...
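An added example for the two developer-side points above (the quoted "use bcrypt or PBKDF2" advice and the post about deliberately slow hashing with a long per-password salt). This is not code from anyone in this thread; it uses PBKDF2-HMAC-SHA256 from Python's standard library `hashlib` (bcrypt would need a third-party package), a 16-byte random salt per password, and a self-describing record format of my own choosing so the work factor can be raised later without breaking existing logins. Record layout, function names and the 200,000 iteration default are assumptions, not anyone's published policy.

```python
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16               # 128-bit random salt, unique per stored password


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a record 'algorithm$iterations$salt_hex$digest_hex'.

    Storing the iteration count with the hash lets a later, stronger policy
    coexist with older records until they are rehashed on next login."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record's work factor is below the current policy."""
    return int(record.split("$")[1]) < iterations


def seconds_per_hash(iterations: int, password: str = "correct horse battery staple") -> float:
    """Wall-clock cost of one hash at a given work factor (machine dependent).

    The defender pays this once per login; an attacker pays it once per guess."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("G0@t!!")
    print("stored:", record)
    print("correct password verifies:", verify_password("G0@t!!", record))
    print("wrong password verifies:", verify_password("G0@t!", record))

    legacy = hash_password("G0@t!!", iterations=1_000)
    print("legacy record needs rehash:", needs_rehash(legacy))

    slow = seconds_per_hash(DEFAULT_ITERATIONS)
    fast = seconds_per_hash(1_000)
    print(f"one guess at 1,000 iterations: {fast * 1e3:.2f} ms; "
          f"at {DEFAULT_ITERATIONS:,}: {slow * 1e3:.2f} ms")
```

Raising the iteration count is the "make the hash slow" knob: a login that costs a tenth of a second is invisible to a user but multiplies the attacker's cost per guess by the same factor, across every GPU or rented core they throw at it. The per-record salt is what keeps that work from being shared between two users who picked the same password.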
Exactly, humans will always be the weakest link when it comes to security.
Speaking of security... What about those nice security questions places like to ask for? This guy (https://www.schneier.com/blog/archives/2010/04/fun_with_secret.html) has figured out how to have some fun with them.
Quote from: Tom on August 13, 2012, 09:53:20 PM
Speaking of security... What about those nice security questions places like to ask for? This guy (https://www.schneier.com/blog/archives/2010/04/fun_with_secret.html) has figured out how to have some fun with them.
article = 8/10
most of the suggestions in the COMMENTS = (http://25.media.tumblr.com/tumblr_luctq4v8DK1qdkv8qo1_500.jpg) !
and similar to "fun with secret questions and answers", check this prankster out...
http://www.fourhourworkweek.com/blog/2010/05/01/credit-card-concierge/