
Fortunately passwords appear to have been strongly hashed

NVIDIA Corp. (NVDA) had some bad news to announce late yesterday. The company posted the following statement on its forums page:

NVIDIA suspended operations of the NVIDIA Forums (forums.nvidia.com) last week.

We did this in response to suspicious activity and immediately began an investigation. We apologize that our continuing investigation is taking this long. Know that we are working around the clock to ensure that secure operations can be restored.

Our investigation has identified that unauthorized third parties gained access to some user information, including:

  • username
  • email address
  • hashed passwords with random salt value
  • public-facing "About Me" profile information
NVIDIA did not store any passwords in clear text. "About Me" optional profiles could include a user’s title, age, birthdate, gender, location, interests, email and website URL – all of which was already publicly accessible.

NVIDIA is continuing to investigate this matter and is working to restore the Forums as soon as possible. We are employing additional security measures to minimize the impact of future attacks.

All user passwords for our Forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to the user’s registered email address.

As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.

NVIDIA does not request sensitive information by email. Do not provide personal, financial or sensitive information (including new passwords) in response to any email purporting to be sent by an NVIDIA employee or representative.

NVIDIA, like Sony Corp. (TYO:6758), Nokia Oyj. (HEX:NOK1V), and others, likely fell victim to a SQL injection attack. SQL injection attacks exploit the fact that internet-facing applications pass user input to their databases: attackers send malformed request strings that the application pastes into a query, so the database executes them as commands that were never intended to be allowed. They can be defeated by careful programming, but implementing protections is a time-intensive and expensive process, hence many companies have vulnerable databases.

[Image: NVIDIA logo. Image Source: NVIDIA Wallpapers]

NVIDIA Forums is a popular stomping ground both for gaming enthusiasts and for programmers developing GPU applications using NVIDIA's proprietary CUDA API.

The first of two major concerns arising from the NVIDIA attack is the possibility of phishing. Now that an unknown party has users' email addresses, it could send them messages (as the NVIDIA post alludes to) trying to trick them into providing their password in plaintext or other personal details.

The second danger is the possibility that the hashed passwords could be cracked.  NVIDIA did not reveal what hashing algorithm it used, but the fact that it used a random salt value indicates that its passwords were likely relatively strongly hashed.

The announcement was actually the second major announcement of a SQL injection breach on Thursday. Earlier, Yahoo! Inc. (YHOO) announced that hackers had found 453,000 of its user passwords. Yahoo! was less fortunate than NVIDIA -- bafflingly, it decided to store its user passwords in plaintext, greatly increasing the potential damage to its users.

Source: NVIDIA Forums

Comments

Eventually
By TSS on 7/13/2012 6:22:32 PM , Rating: 2
All this hacking is going to shut down the internet as we know it, probably turning it into an entity managed by some nation's government with strict controls on everything. Including, most likely, information.

It worries me greatly, especially since it's been increasing as of late with more and more high profile targets being hit. Kick the leg of enough big corporations and they will want to do something about it.

I'm just wondering what can be done about this. This has long since gone past white hat hacking and civil protests. How can we stop this, without impacting the free information flow the internet is known for? And more importantly, what should we give up for more safety? (for the record, i'm fine with losing the ability to hack in "civil protest". Wanna protest, occupy a building and refuse to leave. That's a protest. More effective, too).




RE: Eventually
By Trisped on 7/13/2012 6:36:02 PM , Rating: 3
Hacking will not shut down the internet.

The quickest, cheapest, easiest way to prevent SQL injection is to use an existing SQL interface which parameterizes your variables for you. For example, LINQ to SQL. There are many other options, just make sure it is a well supported system, so people can not exploit bugs in it.


RE: Eventually
By Ammohunt on 7/13/2012 8:09:26 PM , Rating: 2
Exactly, lazy developers and lazy systems guys leave stuff like this for the hackers to graze upon.


RE: Eventually
By Samus on 7/13/2012 11:38:33 PM , Rating: 3
It's long been my experience that 9/10 database developers know quite little about SQL, so I'd assume those hosting the databases know even less.

It really isn't that complicated. I took a SQL 2005 (v5.5) class at a community college nearly a decade ago and can still securely deploy and upgrade older databases to SQL 2008. Not much has changed, in fact, they've actually tightened it down since its introduction in Windows NT, forcing you to perform a secure deployment (unless you stick with legacy compatibility)

But as OP said, it isn't completely a SQL problem, it's the link (or LINQ) from another program that leaves the holes.


RE: Eventually
By NellyFromMA on 7/16/2012 10:22:22 AM , Rating: 2
It's more like more often than not companies would rather not revamp existing systems that sometimes are older than 10 years. Hindsight is 20/20, but getting approval to correct a security loophole you weren't privy to as a community at the time, or that wasn't as much of an issue back then, is not the easiest thing.

Esp if you have to get approval from shareholders at any given moment.

Don't get me wrong, fixing this stuff is essential... there's just reasons why it persists to this day and will for a few years more.


RE: Eventually
By Flunk on 7/14/2012 8:13:10 AM , Rating: 2
Watch out there, LINQ to SQL is actually not immune to SQL injection because it works by string translation. You need to use LINQ to Entity Framework for injection protection.

There are a lot of developers out there who don't stay up on current technology and a lot of systems that were designed many many years ago that are considered "good enough". Until companies take IT security seriously this is going to keep happening.




RE: Eventually
By formulav8 on 7/14/2012 12:17:59 PM , Rating: 4
OK, we completely understand now :)


RE: Eventually
By 440sixpack on 7/14/2012 1:20:05 PM , Rating: 2
Well at least it's an appropriate username, "Flunk" multi-posting fail. :-)


RE: Eventually
By geddarkstorm on 7/13/2012 9:39:11 PM , Rating: 2
Setting up a SQL system that is so insecure as to be vulnerable to this elementary hack is akin to having sex without a condom. Will all humans stop having sex because a few foolishly pal around and unsafely spread sexually transmitted diseases?


RE: Eventually
By dark matter on 7/14/2012 5:03:56 PM , Rating: 3
The OP is right. This isn't about what method the hackers used, or what DB system is the best. It's about politics. And laws, and there will be a time when we are all tracked.

(not so far off for us in the UK, by the way)


Interesting...
By NicodemusMM on 7/13/2012 7:26:27 PM , Rating: 5
I don't want to jump to conclusions, but it's odd that this happened and I received three Viagra spams today. These are the first spam I've received on this account since its creation.

I guess these Viagra spammers are hard at work. They've penetrated nVidia's security. My most secure inbox is now getting reamed. Many other users are going to get screwed as well. Hopefully someone nails these guys.

End Of Line




RE: Interesting...
By EricMartello on 7/13/2012 8:40:42 PM , Rating: 2
Maybe they started using viagra to help with the penetration of security. As long as it doesn't take them more than 4 hours.


RE: Interesting...
By 440sixpack on 7/14/2012 1:21:19 PM , Rating: 2
6


RE: Interesting...
By inperfectdarkness on 7/16/2012 4:53:37 AM , Rating: 2
Spam-Filter? I'm afraid I can't let you do that, Dave.


Thanks NVIDIA
By Mitch101 on 7/13/2012 7:17:27 PM , Rating: 3
I'm happy to see NVIDIA man up on it. I'm a bit confused what hackers would be after on NVIDIA, and it sounds like NVIDIA was doing the right thing by encrypting.

As a general practice users shouldn't use the same login/password across sites.

I'd even recommend purchasing your own domain and using a catch-all email account and having different e-mail addresses. It also tells you which sites sell your info as spam.

I haven't purchased an NVIDIA product in a while and I'll say this won't affect me in any negative way from purchasing from them in the future if I choose to.




RE: Thanks NVIDIA
By andrewaggb on 7/14/2012 10:21:08 AM , Rating: 2
I think the article is a bit unfair to compare this to yahoo's. It does mention the passwords were hashed with random salts, but in my opinion the yahoo system had no place being used on the internet period. It's totally irresponsible.
Nvidia used hashed passwords and a random salt, which is about the best you can do right now. Quite a difference.

SQL injection is preventable as others have pointed out, so it's still bad, but it's a lot easier to be unaware you have a SQL injection vulnerability than to be unaware you have plain text passwords.

Anyways, I got an email from nvidia yesterday...


RE: Thanks NVIDIA
By Etsp on 7/14/2012 3:38:04 PM , Rating: 2
At this point, it really depends on the hash used. All a salt does is prevent the use of rainbow tables.

If it was MD5, these passwords have been decrypted, salt or no salt.

If it was a single pass of SHA512, then, maybe some of them can be decrypted in the coming months.

If it was .1 seconds worth of computation time on an average CPU (1000+ passes of SHA512 hashing), the passwords are likely safe for a few years.


RE: Thanks NVIDIA
By erple2 on 7/15/2012 12:21:56 PM , Rating: 2
I used to think that. But then I read up something Jeff Atwood posted... http://www.codinghorror.com/blog/2012/04/speed-has...

Ultimately it depends on how the nvidia forums hashed their password. SHA512 isn't really safe, and neither is salting. If hackers gained the password db, it's a good bet they might also have gained the salt values, which makes salting worthless. Given the speed at which modern (and ironically, NVidia) GPUs can process most hashing algorithms, it's only a matter of less time than you think of hacking. The only security you have, then, is making a gigantically long password.
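The hashing cost argument in Etsp's and erple2's comments above, as an added example that is not from the article or any commenter: a salted, iterated password hash (PBKDF2-HMAC-SHA512), a constant-time verifier, and a calibration routine that picks an iteration count for a target time per check. NVIDIA's actual scheme is not known; every name and parameter here is an assumption.

```python
import hashlib
import hmac
import os
import time


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA512: the hash is iterated, so every guess costs an
    # attacker `iterations` SHA-512 computations instead of one.
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 100_000) -> dict:
    # A fresh random salt per user: precomputed (rainbow) tables become useless
    # and two users with the same password get different digests. The salt is
    # stored beside the digest; its job is not secrecy but uniqueness.
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "digest": hash_password(password, salt, iterations),
    }


def verify(record: dict, candidate: str) -> bool:
    # Recompute with the stored salt and iteration count; compare in constant
    # time so the comparison itself leaks nothing about the stored digest.
    digest = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def calibrate_iterations(target_seconds: float = 0.1, sample: int = 10_000) -> int:
    # Time a sample run on this machine and scale the count so that one
    # verification takes roughly `target_seconds` (the "0.1 seconds of CPU"
    # budget from the comment above). Never returns fewer than `sample`.
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"calibration", b"constructed-salt", sample)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(sample, int(sample * target_seconds / elapsed))


if __name__ == "__main__":
    rec = make_record("correct horse battery staple", calibrate_iterations())
    print("iterations:", rec["iterations"])
    print("correct password verifies:", verify(rec, "correct horse battery staple"))
    print("wrong password verifies:", verify(rec, "wrong horse"))
```

Setting `iterations` to 1 reproduces the single-pass salted hash the comments warn about; the salt still blocks rainbow tables, but each guess then costs the attacker only one SHA-512.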


I'm cursed - this is the sixth time in a year!
By BZDTemp on 7/13/2012 8:31:42 PM , Rating: 2
It is like where ever I've registered it is hacked and I'm always on the victim list. Luckily I haven't been using duplicate passwords and the mail address used is one for non-essential stuff but still this is getting old.

It is a scandal that companies have not yet gotten their security fixed - it's not like the guys at say Nvidia can claim they haven't heard of something like this happening.




By StevoLincolnite on 7/13/2012 9:40:17 PM , Rating: 3
quote:
It is a scandal that companies have not yet gotten their security fixed


The problem though is that regardless of what security measures are in place, it can always be broken or by-passed.

Case in point, you put iron bars on the windows of your home to stop intruders, just smash through the walls instead if it ain't brick.

It's an endless cycle of improving security as hackers get smarter.


By 440sixpack on 7/14/2012 1:24:42 PM , Rating: 2
Exactly, and it's allocation of resources too. Would you rather Nvidia were spending its time and money always working on their security, or making better video chips? They just have to decide where in the risk/reward area those activities fall.


By ArizonaSteve on 7/14/2012 2:47:46 PM , Rating: 2
...in their SQL should be immediately fired. There is absolutely no excuse for this, none at all.

Concatenating user-entered data into a SQL statement is a recipe for this sort of security breach.




By japlha on 7/16/2012 10:43:14 AM , Rating: 2
Exactly. I work with Oracle. I see programmers concatenating strings from user input to create SQL statements that are passed to the database.

Also, their code fails when a user enters a single quote. Then they waste more time writing elaborate parsers.

Just use bind variables and call stored procedures.
SQL injection attacks will go away because there is no SQL to inject!
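The concatenation problem the article and the two comments above describe, as an added example that is not from the article or any commenter: a username lookup built by string concatenation beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table (the table, its rows and the function names are assumptions).

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a forum's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("bob", "bob@example.invalid"),
         ("O'Brien", "obrien@example.invalid")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: the input becomes part of the SQL text, so a quote
    # in the input changes the structure of the statement itself.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: the driver sends the value separately from the SQL
    # text (a bind variable), so it can only ever be compared as a string.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    conn = build_db()
    results = {}
    # A legitimate name with an apostrophe: the concatenated query is malformed
    # (the "fails when a user enters a single quote" case from the comment).
    try:
        lookup_concatenated(conn, "O'Brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    results["param_apostrophe"] = len(lookup_parameterized(conn, "O'Brien"))
    # The textbook tautology: concatenation turns the WHERE clause into
    # "always true" and returns every row; the bound parameter is treated as
    # a literal username and matches nothing.
    payload = "x' OR '1'='1"
    results["concat_tautology"] = len(lookup_concatenated(conn, payload))
    results["param_tautology"] = len(lookup_parameterized(conn, payload))
    return results


if __name__ == "__main__":
    print(demo())
```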


By Acacetus on 7/13/2012 6:40:08 PM , Rating: 3
This problem is all a result of holes in code. Being a programmer I understand very keenly how much being caught with your pants down can hurt.

The only way for this problem to be remedied in any reasonable sense is by developers of web facing tools being more mindful of the basic security holes that are out there.

Hacking in the grand scheme is never completely going to be eradicated. Databases aren't going away on the web. We developers need to redouble our efforts to ensure our inputs are properly cleaned to prevent these types of breaches.




pffff
By Nosebleeder on 7/14/2012 11:42:25 AM , Rating: 2
As if this is even remotely surprising... plenty more to expect in the future




Lies and misinformation.
By Visual on 7/16/2012 5:45:10 AM , Rating: 2
quote:
SQL injection attacks exploit the fact that internet user databases are publicly hosted...

Publicly hosted? That has nothing to do with anything.

quote:
They can be defeated by careful programming, but implementing protections is a time intensive and expensive process, hence many companies have vulnerable databases.

No. It is not expensive nor time consuming, it is usually handled easily by the framework or database API, but even if not, it is trivial to do manually and should have been done the first time around. And since when is "careful" a synonym of "not completely brain-dead"?

Little Bobby Tables strikes again!




Nvidia shuts down their store
By JimKiler on 7/16/2012 2:22:44 PM , Rating: 2
At least Nvidia is proactive and turning off their web store as a precaution to prevent fraud.








Copyright 2014 DailyTech LLC.