nVidia Forums Hacked

Started by Melbosa, August 09, 2012, 10:57:06 AM


Melbosa

Quote
Posted July 24, 2012

We are continuing to complete work on strengthening security for the NVIDIA Forums.

We expect to bring this site back online soon.

Thanks for your patience.


Posted July 12, 2012

NVIDIA suspended operations of the NVIDIA Forums (forums.nvidia.com) last week.

We did this in response to suspicious activity and immediately began an investigation. We apologize that our continuing investigation is taking this long. Know that we are working around the clock to ensure that secure operations can be restored.

Our investigation has identified that unauthorized third parties gained access to some user information, including:

username
email address
hashed passwords with random salt value
public-facing "About Me" profile information
NVIDIA did not store any passwords in clear text. "About Me" optional profiles could include a user's title, age, birthdate, gender, location, interests, email and website URL - all of which was already publicly accessible.

NVIDIA is continuing to investigate this matter and is working to restore the Forums as soon as possible. We are employing additional security measures to minimize the impact of future attacks.

All user passwords for our Forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to the user's registered email address.

As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.

NVIDIA does not request sensitive information by email. Do not provide personal, financial or sensitive information (including new passwords) in response to any email purporting to be sent by an NVIDIA employee or representative.

We will post updates about this matter here. For any questions, email us at forumsupdate@nvidia.com.

For technical support, go to www.nvidia.com/support.

http://www.nvidia.com/content/forums/index.html

Found this trying to fix an issue with nVidia and Modern Warfare 2 at Frag today.
Sometimes I Think Before I Type... Sometimes!

Mr. Analog

Dammit, I'll have to go reset my account I think.
By Grabthar's Hammer

Lazybones

Quote from: Mr. Analog on August 09, 2012, 04:08:29 PM
Dammit, I'll have to go reset my account I think.

Well, they will be forcing a reset; however, "hashed passwords with random salt value", so the risk should be greatly minimized.

Thorin

Yeah, the randomized salts on hashed passwords are nice to see. Good on them for saying it, too, as opposed to some other security leaks we've seen recently where they talk about which users have "weak" passwords (implying that they can read them at will).
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

Quote from: Thorin on August 09, 2012, 04:58:26 PM
where they talk about which users have "weak" passwords (implying that they can read them at will).
Yeah, it makes it seem that they stored them as freetext. But reality is they likely hashed them without salt, and some folks used too simple a password and thus might be crackable via Brute Force or else Rainbow Table lookups or whatever.

Funny thing is, even with computing power like it is, there is still no reason for the Average Joe to worry about his hashed password being figured out, if he just makes sure to include a couple of symbols in there -- since that increased computing power has just reduced the time it takes for either Brute Force or Rainbow Table lookups to run, neither of which would ever find your password of "John...." within a reasonable time.

It doesn't take a LOT of LENGTH, mainly just complexity via 2+ chars outside the AlphaNum range. As proven by Gibson Research <-- thread from a few weeks ago.

And yet so many IT departments force over-worked (and possibly under-intelligenced) staff to change their password every 60 or 30 days, make it at least 8 characters, and have "at least 1 Uppercase and 1 lowercase and 1 number and 1 symbol". Well, not everybody will REMEMBER that, and therefore inevitably writes it down or similar -- unless they know of the "trick" to replace letters with #'s or symbols. It's still amazing, based on that web tool linked above, that the incredibly short "G0@t!!" or similar, which is just 6 characters ("23.62 years" vs. "Gtaozx"=7.69 months ; "$a1234"=3.48 years vs. "$a12345"=240 years!), covers pretty much every requirement other than length but is virtually unbreakable via automation.

But sadly the easiest way for hackers to get into systems will remain the SOCIAL engineering (i.e. spam that looks like The Real Deal, or else physically looking around the workstation for sticky notes) because of passwords that must also be a certain length and not just use more than AlphaNum.
_____________________

Strive for progress. Not perfection.
_____________________
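The post above compares search-space sizes for short passwords drawn from different character classes. The following is an added example, not part of the thread or of Gibson Research's tool, that makes the underlying calculation explicit: it works out which character classes a password uses, the alphabet size an exhaustive search must assume, the cumulative number of candidates up to that length, and the worst-case time at an assumed guess rate. The 33-symbol class, the guess rate and the sample passwords are assumptions made here, so the resulting figures will not match the tool's exact numbers.

```python
import string

# Assumed character-class sizes: the 33 "symbols" are printable ASCII
# punctuation plus the space character.
SYMBOLS = string.punctuation + " "
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}


def classes_used(password: str) -> set:
    """Return the names of the character classes that appear in the password."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        elif ch in SYMBOLS:
            used.add("symbol")
        else:
            raise ValueError(f"character {ch!r} is outside the modelled alphabet")
    return used


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must assume once it knows
    which character classes are present."""
    return sum(CLASS_SIZES[c] for c in classes_used(password))


def search_space(password: str) -> int:
    """Number of candidates covered by trying every string over the same
    alphabet at every length up to and including this password's length."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole search space at the given guess rate."""
    seconds = search_space(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed guess rate (100 billion/s) standing in for a fast offline
    # attack against an unsalted, fast hash; real rates depend on the hash.
    RATE = 1e11
    for pw in ["Gtaozx", "$a1234", "$a12345", "G0@t!!", "longerpassphrasehere"]:
        print(f"{pw!r:24} alphabet={alphabet_size(pw):3} "
              f"space={search_space(pw):.3e} years={years_to_exhaust(pw, RATE):.3g}")
```

Note that adding one character multiplies the space by roughly the alphabet size, which is why the seven-character "$a12345" comes out so far above the six-character "$a1234" in the thread's figures.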

Lazybones

That isn't really true since some rainbow tables and brute force attacks are optimized for common character substitutions, thus narrowing down the attack. End users predictably use common special characters more often as well.

Thorin

Quote from: Darren Dirt on August 10, 2012, 07:37:46 AM
It doesn't take a LOT of LENGTH, mainly just complexity via 2+ chars outside the AlphaNum range. As proven by Gibson Research <-- thread from a few weeks ago.

Here you're saying that complexity matters more than length.  Your linked previous post says the opposite, that length matters more than complexity.  So...

Rainbow tables can be made surprisingly large these days, but a random 16 character salt added to any password before hashing will still render those rainbow tables basically useless.  Unless of course the salt is known (it's usually stored in the same table as the salted+hashed passwords), although if it's random salts then you still need an entire rainbow table for just one password.  That still slows 'em down quite a bit.

And thus the social engineering and phishing attacks will remain prevalent.

Speaking of which, people keep calling my mom telling her there's a problem with her computer (THERE DEFINITELY IS NOT).  Clearly they've figured out she's an older lady and are preying on her now.
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful
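The point made above, that a per-account random salt forces a precomputed table to be rebuilt for every single password, is easy to see in code. The following is an added example and not code from the thread or from NVIDIA: it builds a toy hash-to-password lookup table over a constructed list of weak passwords, shows that it matches an unsalted SHA-256 store, and then shows that salting with 16 random bytes and a deliberately slow KDF (PBKDF2-HMAC-SHA256, via Python's standard library) gives two accounts with the same password completely different stored values. The password list and iteration count are assumptions made here.

```python
import hashlib
import hmac
import os

# Constructed list of weak passwords that a precomputed table might cover.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "nvidia"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Equal passwords give equal hashes, so
    one precomputed table covers every account in the whole database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """hash -> password map; a toy stand-in for a precomputed/rainbow table."""
    return {unsalted_hash(w): w for w in words}


def table_hit(stored_unsalted_hash: str, table: dict):
    """Look a stored unsalted hash up in the precomputed table (None if absent)."""
    return table.get(stored_unsalted_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-account random salt plus a slow KDF. The salt makes any table built
    in advance useless, and the iteration count raises the cost of each guess
    even for an attacker who has the salt from the same database row."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """What a server keeps for one account: a fresh 16-byte salt and the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def same_password_same_hash(password: str) -> bool:
    """True if two accounts sharing a password end up with identical stored
    hashes; with random salts this should be False."""
    a, b = store_password(password), store_password(password)
    return a["hash"] == b["hash"]


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted lookup:", table_hit(unsalted_hash("letmein"), table))
    print("salted stores collide:", same_password_same_hash("letmein"))
    rec = store_password("letmein")
    print("verify correct:", verify_password("letmein", rec))
    print("verify wrong:", verify_password("letmeIn", rec))
```

The salt is stored next to the hash, exactly as the post says; its job is not secrecy but uniqueness, so that work done against one account does not carry over to any other.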

Lazybones

Quote from: Thorin on August 10, 2012, 10:36:30 AM
Speaking of which, people keep calling my mom telling her there's a problem with her computer (THERE DEFINITELY IS NOT).  Clearly they've figured out she's an older lady and are preying on her now.

Well, my dad called me the other night telling me that the computer prompted him that it had found a virus and he had two options: 1) call a friend or 2) have the program fix the problem. He picked 2 and now his computer is borked... Obviously got hit with one of those fake AV Trojans.

Thorin

The phone calls to my mom are ones where they're trying to convince her to install a program from the web and "they can even walk her through it".  Basically it's a fake AV trojan being installed by gullible people following directions from someone that called them.

Sucks that your dad picked #2, though.

I keep telling my kids, "If you don't know what it is, don't click it".  Kinda hard with the six year old who doesn't listen, but at least he's only on places like Club Penguin.
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Tom

Quote from: Thorin on August 10, 2012, 12:48:43 PM
The phone calls to my mom are ones where they're trying to convince her to install a program from the web and "they can even walk her through it".  Basically it's a fake AV trojan being installed by gullible people following directions from someone that called them.
Yeah, I've heard of that. The thing you install is really a vnc/rdp client that they use to break your system if you don't pay them. Then they call back later, or you call them back to pay them to fix it...
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

Quote from: Tom on August 10, 2012, 01:48:46 PM
Quote from: Thorin on August 10, 2012, 12:48:43 PM
The phone calls to my mom are ones where they're trying to convince her to install a program from the web and "they can even walk her through it".  Basically it's a fake AV trojan being installed by gullible people following directions from someone that called them.
Yeah, I've heard of that. The thing you install is really a vnc/rdp client that they use to break your system if you don't pay them. Then they call back later, or you call them back to pay them to fix it...

The funny thing, according to some things I read, is that because it is an RDP/VNC connection you can actually see them disabling services and breaking files.... Well, if you are technical and know what you are seeing happen.

Darren Dirt

Quote from: Lazybones on August 10, 2012, 08:25:26 AM
That isn't really true since some rainbow tables and brute force attacks are optimized for common character substitutions, thus narrowing down the attack. End users predictably use common special characters more often as well.

Very true -- but adding multiple symbols at the end is still un-rainbowtable-able.

I was very sleep deprived when typing above, I'm surprised that's the only thing that was inaccurate or just plain wrong  :o

Edit: Thorin ftw -- never disappoints ;)
_____________________

Strive for progress. Not perfection.
_____________________

Mr. Analog

You can have rainbow attacks with symbols, even unicode pages.

It's slower, but it still works.
By Grabthar's Hammer

Thorin

Interesting Rainbow Table post from 2007: http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html.  The salient point from this post was that desktop computers were getting so powerful that very large rainbow tables could be loaded.

Interesting Rainbow Table Is Dead post from 2011: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html.  The salient point is that GPUs are getting so damn fast now that brute forcing passwords is even quicker than using rainbow tables.  And hey, Tom had even talked recently about getting a couple of GPUs going to do BitCoin mining, or something.

sigh

Security is hard.

Also remember the 10 Immutable Laws of Security: http://technet.microsoft.com/library/cc722487.aspx
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Lazybones

Forget GPU; if there is money to be made, you can get access to huge amounts of cloud-powered parallel CPU for relatively cheap.