RazorSharpe

it is totally possible to take the concept of security way too far and thus make normal workings of any software totally unusable. Where do you stop? I'm sure you've patched plenty of apache or mysql installs after hearing of vulnerabilities via security newsgroups or mailinglists or are you the type that finds all of them on your own? Don't treat your mind to illusions of its own grandeur ladida, it is making you seem rather foolish.

__________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

RP Fade

I think quite a few are saying 'what holiday' right about now

__________________
HomemadeCash.com - Homemade & GF sites powered by NScash.com
HomemadeVideoPass.com - The only all homemade mega site
OurHomemadePorno.com - Real couples fucking on camera
Contact ICQ: 400-786-531 Email: fade AT nscash.com

RazorSharpe

what holiday?

__________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

jcsike

of course there is a backdoor with nats. how else do they know what their customers plan levels are to bill them? the question is what other information gets passed

__________________

RazorSharpe

maybe i shouldn't drink and post ... corrections to my post follow:

I have no false impressions about software but I do expect that when I pay for a software such as NATS and the developers of the software are aware of an issue that they will make it a priority to investigate the issue and make their clients aware of it and what they intend to do about it. I'm sure you can understand how i don't feel like this is too much to ask for.

This vulnerability specifically targetted the NATS staff admin account and no others, as far as i can tell, which leads me to assume that it wasn't a brute force attack and if it were it was done because the nats staff account used the same username across multiple nats installations which is a total no-no in security 101 in and of itself.

__________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

Dirty D

People, keep in mind that the only admin account that has been compromised is the TMM admin account. For god's sake, delete this account immediately.

This breach would also explain the multiple waves of compromised user passwords that we have seen. User passwords are easy to see in NATS, affiliate passwords are not.

My members area security software has reported dozens of compromised passwords logging in within less than 5 minutes. This only happens when there is a compiled list of valid passwords, not from passwords obtained by brute force.

After over 20 hours, I finally got a response to my trouble ticket:

TMM ‎(3:55 PM):
I'm sorry and it look like I have to get you an full upgrade to have this new feature
TMM ‎(3:56 PM):
and we are currently develope on better security system on NATS and there will be release on Monday hopfully
TMM ‎(3:58 PM):
can we do the update on Monday instead?

Dirty D ‎(3:59 PM):
Keep in mind we are one of the MANY programs that the TMM admin login was compromised. Before I get pissed off, let me get this straight and make sure I understand.

#1. The IP Log feature won't work until the next release comes out... maybe monday

#2. NATS will not log the admin login info to a log file and the ONLY way to get admin login information is for me to WRITE A SCRIPT to accept a POST with info from NATS using these undocumented variables xxxxxx , xxxxxxx, xxxxxxxx, xxxxxxxx, xxxxxxx

#3. Nothing has been accomplished to resolve this Trouble Ticket

TMM ‎(4:05 PM):
#1 yes, we are currently develope on the security script on will try to get relase as soon as possble.
#2 Currently no, but I will add this to the feature request.
#3 I'm sorry about this, we are wokring on the relase, and will let you know as soon as it is ready.
TMM ‎(4:11 PM):
I'm sorry for any inconvenience that cause on this issue, please change the ssh password and disable the nats admin login, one of us will contact you as soon as the new release is ready.

__________________

Dirty D - ICQ #1326843 - $1 Million Dollars of Bonus Money - 8,000+ FHG!
Glory Hole Girlz - Crack Whore Confessions - Tampa Bukkake - Slut Wife Training - Fuck a Fan
Electricity Play - Porn Video Drive - Theater Sluts - Skunk Riley - Ukraine Amateurs - Strapon Sessions

AlienQ - BANNED FOR LIFE

WTF? They outsourcing to Russian programmers or something?
Thats some serious broken english.

And certainly not the brightest of decisions.

__________________

hateman

Holy shit, this is huge

Imagine how much data was stolen through this NATS fuck up

hateman

This is crazy!

baddog

Are you kidding me? You invented broken English.

crockett

Every webmaster on this board whom has signed up as an affiliate of a NATS program, has a very good chance that their personal info has been compromised. You have done nothing but blame everyone else in this thread trying to make it seem like it's everyone else's bad security. Yet the finger keeps pointing back at one central point.

Real good choice you are taking there, ignoring not only the companies whom use your product, but also the affiliates whom promote those companies.

So first we had pornograph fiasco and now this.. What was that old saying? Fool me once shame on me... Fool me twice???

RazorSharpe

Actually the first time I have laughed at anything you've said.

__________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

Gordon G

he wont do jack shit about it. John thinks he is better than everyone else.

Gordon G

this thread should be a sticky.

TMM_John

__________________

Skype: JohnA1078
Too Much Media - Makers of the Industry's Leading Payite Management Platform, NATS!

hateman

Gordon G

Oh wow, you have typed a bullshit statement, sorry yes you have done something about it.

Gordon G

tom3k

heres a band aid solution for those who have dynamic ips and absolutely cant 'lock down' their admins to a specific ip... at least until the problem is resolved fully.

have your coder code up a small script:

w w w . d o m a i n . c o m /somesecretfile.php?key=somesecretkey

if the key is correct have it make the changes to allow the ip accessing the script to log into admin.

should take him about 15 minutes to code.

and security wise, even if someone found this file AND your key it wouldn't be a major compromise... all it would do is allow his ip to enter admin, nothing more... they would still need the password of course.

ciao.

Rui

So, can you please clue us in regarding what seems to be your real agenda regarding this?

baddog

My agenda?

DamageX

Wow, took this guy a full seven pages to make an appearance...

__________________

quantum-x

Here's the important question. Literally hundreds of people have evidence that they have had data stolen electronically.

When are the authorities contacted? When does the cyber crime unit step into this? If this is as big as it seems, action needs to be taken. There's no shortage of cash or backing to get this solved.

AlienQ - BANNED FOR LIFE

Nothing will be done.
The Bro squad is on the way to spin it, and this chapter will be swept under the carpet just like all the other dirty secrets in online adult.

Merry Xmas Chumps you all got robbed.

__________________

Axeman

This was definitely a breach on the NATS side as far as I can tell. All the programs I have talked to have had Fred's usernames be completely different from one another. This leads me to believe they kept a log/record of all user/passes on their side of things that got hacked/exploited/leaked/shared you take your pick of what happened.

If everyone getting exploited was being used by the same user/pass of an admin that would be one thing, but having them be so random and different from program to program shows quite clearly where the first issue started.

We are lucky we host at swiftwill and have ip protection in place. Though Fred was able to login, we show zero evidence he was able to log into the actual admin since he was not allowed via ip protection. The only parts he was able to access was like an affiliate could, the ad tools and link codes. So for hosts like Swiftwill and others like it that demand IP protection on Nats, that is a positive. For others that don't require it, this is a major issue of all the data that could have been collected over the min 6 months this has been an issue based on the various evidence in this thread.

__________________
XXXRewards - Karups - Boyfun - Jawked. Paying on time since 1997. Contact me at brent [at] xxxrewards.com

V_RocKs

The only similarity here is that they both use hacker speak...

Move along novice.

V_RocKs

IP RESTRICTION...

But my IP address changes....

Bullshit. You make enough money to call your provider and request a PERMANENT one. But they don't provide one. What the fuck? Are you on Dialup because most Cable, DSL, Broadband providers WILL give you a permanent IP if you pay monthly for leasing. Usually $20. Consider it a cost of doing business and a tax write off.

OK... But I AM ON DIALUP! So pay an admin here to setup a proxy on a dedicated server with a NON-ADULT hosting company picked at random. Have that proxy password protected.

Case closed...

The fact that a village idiot can get into this industry if he has $100,000 in inheritance money frightens me. It frightens me because when it comes to security you are all village idiots! Every last one of you!

90% of you have hackers on your boxes because they hacked your forum, your support system, your webcam software or by some other means. You don't know because all the hacker wants is your password DB and not the Emails.

They trade those DB's like Pokemon cards. They give 1 account away to each person who asks for them on newsgroups and IRC channels. It NEVER trips your strongbox, pennywize, proxy pass, etc, because they give each requester a different account. So even if the real user and the fake one use it at the same time they fall with in the AOL threshold (5 IP's in 15 minutes).

You all think.. Impossible because those previously mentioned programs shut this kinda shit down! No... They don't... Because each request gets a different account. This isn't password boards where 15,000 people get the same account. This is the designer version where everyone gets their own unique, free account.

But bandwidth is so cheap I don't give a fuck!... I know.. But in one channel on the IRC alone you will have up to 1000 people receive a password in a day. You are pissing away $35,000 a day! Smaller programs a few thousand...

Industry wide? About $800,000,000 a year is just pissed away...

OK.. Back to your original programming where you just bury your heads in the sand.

the indigo

No needs for all that crap... you can easily edit that IP (in case it changes every few days) via SSH/FTP. The problem is that NATS only notified the change via the admin area, which make things worse.

Oh, and yes... you are the king. Whatever. I clicked your sig.

__________________
"There he goes. One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die." -Hunter S. Thompson

Tempest

The usual... meds (i.e. viagra)... and porn sites..

Paul Markham

Excuse me for not understanding this, can you explain what it means. Please.

http://www.alexa.com/data/details/tr...3y&size=Medium

Saw it posted on another board.

__________________



Blowout deal. 880 videos, 2,400 image sets, plus many RAW videos. $500.
PM me for a deal. Skype Paulmarkham70

Paul Markham

This was sent to me last night and I was asked to post it without naming the source. I have no time to investigate it as I'm off out after checking the site.

Please draw your own conclusions from it.

Seems to me that changed a policy they never had.

__________________



Blowout deal. 880 videos, 2,400 image sets, plus many RAW videos. $500.
PM me for a deal. Skype Paulmarkham70

TMM_John

The original post was in reference to SSH passwords. I should have been more clear and it may be more clear in context rather than quoted as you did.

You're on my do not argue list and I'm heading to sleep anyway. Think as you wish, you always do.

__________________

Skype: JohnA1078
Too Much Media - Makers of the Industry's Leading Payite Management Platform, NATS!

ladida

Prepare to be called an idiot by people living in bubbles in 3-2-1...


Guess some people do realise how it is, but those are the same people that have either worked in security, or have had their boxes used as toys by hackers and have been awaken by the sad truth that their box is banned by google, listed on every blacklist known to man for spamming, their members sending 100 complaints, their databases beeing erased and indexes overwritten by kids etc etc. Then they realise that if it's at the point that your database is erased, the person that erased is not the hacker, hacker got in a long time ago. It's now to the point that he sold the access to turkish or who knows wannabes.

Still long till time comes when people here take security seriously since so few understand it.

__________________
agentGFY *at* gmail.com

justsexxx

Just curious. Did you have the SAME user/pass for EVERY program?

I mean, that would be REALLY bad.....

Also, if the 'hacker' had/had full admin access. He might have created a 2nd user with access to the affiliate info...Better check out ALL users with more access than a normal affiliate

__________________
Questions?

ICQ: 125184542

chupacabra

you know, reading what you typed above really struck a nerve w/ me... i don't even use NATS for my small sites, but i do use SegPay as a processor. a few months back i started seeing the exact same you describe above. waves of locked/banned user accounts one after another, like 50 in a row all caught by PWSentry due to multiple logins from too many geo locales... this would be all at once, and then stop once all the compromised accounts got caught. a week or two later, boom, same thing. lots of wasted time for me changing passwords for everyone and pissed off/canceling customers, and as you said, obviously not brute-force here...

i'm going to go dig back and see when this trend started, but i cant help but wonder if this is tied to when NATS and Segpay started their incestuous relationship, as i had never seen this kind if account compromising over the past 8 years, not so many simultaneously and then suddenly stoppping in a single wave.

sounds way too close to what you describe above, *way* too close to me..

__________________
...promise her a defamation, tell her where the rain will fall..

TeenCat

it is not only nats there are public dumps of generated passwords from other programs and systems also, adult security experts are step behind hackers

__________________

chri$tian

WOW this post got BIG fast.. Left it on Saturday on the first page, just read the rest now..

__________________
http://www.3dsex.com

RomaCash

popular topic, what you want.

we want to switch, so now we this twicely.

__________________
PORNUPLOAD.COM Free Traffic &
Easy $$$money$$$ making service!