***** NATS Issue - What we know about it *****

  • milan
    Confirmed User
    • May 2005
    • 800

    #1

    ***** NATS Issue - What we know about it *****

    After many MANY emails and VM's I will post what OC3 Networks discovered back in October after a routine audit of 2 of our clients' security.

    We have known this issue exists since mid Aug 2007, secured our customers and blocked the intruder IP's from any access to our network.

    We posted the thread http://www.gfy.com/showthread.php?t=779742 and got some lawsuit threat to sue us that we could have cared less about, BUT when our customers that we tracked the breach on their servers got threats as well and requested us to NOT come out public with it, we honored their request.

    Just as a side info, I think NATS is a great product and it's a shame that after the months they had to fix or come clean with their clients it never happened...


    Credit for the info below should go to our SUPER SYSADMIN/Security fanatic Dale, who has never posted on this board, so I'm doing this for him. He wanted to come out with this long ago!
    =====
    The issue with this "intruder" does not seem to be an exploit of the NATS software itself. *Someone* has access to TMM's clients database with your admin logins and passwords. That's what the issue is. I'm not posting this to bash TMM. I'm posting this because they have had months to fix this issue and have apparently failed. They didn't even let (some of?) their customers know they implemented this "Admin activity log" and installed it behind their backs.

    I've been involved with a high number of NATS clients and have found the following to be true:
    *) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
    *) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
    *) Intruder is using an automation script that dumps the NATS members list. In some cases he is doing this every hour on the hour.
    *) If you have web logs, look for hits against "admin_reports.php?report=surfer_stats&member=#### ##". You will see a number of those hits in sequential order.
    *) NATS was vulnerable to SQL injection attacks. I haven't investigated whether it still is.

    I have some suggestions for people using NATS:
    *) Change all your admin level passwords.
    *) Do not give TMM an admin account they can use anytime they want. Change the pass when they are done.
    *) Restrict access to the admin*.php files by IP. This is inconvenient, but if you can do this it will circumvent any future intrusion. There may be other files you want to do this with. You can do this with apache easily (syntax depends on your version. this is for 2.0):
    # Apache 2.0/2.2 access-control syntax: deny everyone, then allow only the listed admin IP
    <Files "admin*">
    Order deny,allow
    Deny from all
    Allow from your.ip.addr.here
    </Files>
    *) Keep an eye on the ssh user you have given TMM to fix/maintain your NATS install. Change their password every time they need access and as soon as they are done. I have experience with TMM ssh-ing in and making changes to NATS software without permission.
    *) Be thankful of many things I'll not get into.


    P.S. I'm hearing that there is a backdoor that TMM can use to get into your NATS, but I haven't investigated so it's speculation. The only reason I even mention this is because NATS is encrypted and you don't know. I'm not interested in decrypting NATS just to find out. There are other ways. I hope this isn't true.
    QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
    24/7 "REALLY ON-SITE" Support - Completely Premium Network
    Public & Private Network, Remote Reboot, Private VLANs
    99.99% Guaranteed Network Uptime / BGP4 Multihomed
    24/7 LIVE CHAT, Phone and Ticket Support
    1-888-5-QUADRA
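    A defender-side check for the web-log pattern Dale describes (sequential hits on admin_reports.php?report=surfer_stats&member=N from one client, repeated every hour on the hour). This is an added example, not code from the original post or from NATS; the log format, sample lines and IP addresses are constructed for the demonstration.

```python
"""Flag NATS member-list dumping in Apache access logs.

Heuristic from the thread: one client IP requesting
admin_reports.php?report=surfer_stats&member=<id> for consecutive member ids,
often one full sweep every hour.  Log format and sample data are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Common/combined access-log prefix (constructed; adjust to your LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, timestamp, path, query dict, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return m.group("ip"), ts, parts.path, query, int(m.group("status"))


def surfer_stats_hits(lines):
    """Group successful surfer_stats member-report hits by client IP, sorted by time."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, query, status = rec
        if (path.endswith("/admin_reports.php")
                and query.get("report") == "surfer_stats"
                and query.get("member", "").isdigit()
                and status == 200):
            hits[ip].append((ts, int(query["member"])))
    for ip in hits:
        hits[ip].sort()
    return hits


def sequential_runs(hits, min_run=5, max_gap=timedelta(minutes=5)):
    """Find runs of consecutive member ids (id, id+1, ...) with each hit within
    max_gap of the previous one; a human looks at one member, a script walks them."""
    runs, start = [], 0
    for i in range(1, len(hits) + 1):
        prev_ts, prev_id = hits[i - 1]
        contiguous = (i < len(hits)
                      and hits[i][1] == prev_id + 1
                      and hits[i][0] - prev_ts <= max_gap)
        if not contiguous:
            if i - start >= min_run:
                runs.append({"first_id": hits[start][1], "last_id": prev_id,
                             "count": i - start, "started": hits[start][0]})
            start = i
    return runs


def hourly_cadence(runs, tolerance=timedelta(minutes=2)):
    """True when successive sweeps start about one hour apart (the hourly dump)."""
    if len(runs) < 2:
        return False
    gaps = [b["started"] - a["started"] for a, b in zip(runs, runs[1:])]
    return all(abs(g - timedelta(hours=1)) <= tolerance for g in gaps)


def analyse(lines, min_run=5):
    """Return {ip: {"runs": [...], "hourly": bool, "members_seen": n}} for suspect IPs."""
    findings = {}
    for ip, hits in surfer_stats_hits(lines).items():
        runs = sequential_runs(hits, min_run)
        if runs:
            findings[ip] = {"runs": runs, "hourly": hourly_cadence(runs),
                            "members_seen": len({m for _, m in hits})}
    return findings


def _line(ip, when, target):
    return f'{ip} - - [{when} -0800] "GET {target} HTTP/1.1" 200 5123'


# Constructed sample: 203.0.113.7 sweeps members 1001..1006 at 03:00 and again at 04:00;
# 198.51.100.5 is an admin viewing a single member report.
SAMPLE_LOG = [
    _line("203.0.113.7", f"21/Dec/2007:{h:02d}:00:{i:02d}",
          f"/admin_reports.php?report=surfer_stats&member={1000 + i}")
    for h in (3, 4) for i in range(1, 7)
] + [
    _line("198.51.100.5", "21/Dec/2007:09:15:30",
          "/admin_reports.php?report=surfer_stats&member=42"),
    _line("198.51.100.5", "21/Dec/2007:09:16:02", "/admin.php"),
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

    Feed it the relevant lines from your access log (for example those containing admin_reports.php) and compare the flagged IPs against your known admin addresses before blocking.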
  • Dirty F
    Too lazy to set a custom title
    • Jul 2001
    • 59204

    #2
    Amazing this has been happening SO fucking long and nobody knew about it because of Nats crying about lawsuits all over the place.

    Comment

    • Dirty F
      Too lazy to set a custom title
      • Jul 2001
      • 59204

      #3
      Originally posted by milan
      We have known this issue exists since mid Aug 2007, secured our customers and blocked the intruder IP's from any access to our network.

      We posted the thread http://www.gfy.com/showthread.php?t=779742 and got some lawsuit threat to sue us that we could have cared less about, BUT when our customers that we tracked the breach on their servers got threats as well and requested us to NOT come out public with it, we honored their request.
      This is just nuts.

      Reminds me very much of GTS and Mark and how they operate. Say anything bad about them and he will "destroy your business". Point out they are working with scammers and you'll get "banned" etc.

      Comment

      • Snake Doctor
        I'm Lenny2 Bitch
        • Mar 2001
        • 13449

        #4
        Wowsers, nice work OC3
        sig too big

        Comment

        • baddog
          So Fucking Banned
          • Apr 2001
          • 107089

          #5
          kudos to Dale

          Comment

          • SmokeyTheBear
            ►SouthOfHeaven
            • Jun 2004
            • 28609

            #6
            p.s.

            ip's of interest


            Comment

            • 3xTom
              Confirmed User
              • Dec 2002
              • 1610

              #7
              That guy needs a raise

              Comment

              • HS-Trixxxia
                Confirmed User
                • Mar 2002
                • 2946

                #8
                milan & OC3 - Thanks for that vital information.

                OH how can I not mention DALE Thank you for keeping a vigilant eye!
                Last edited by HS-Trixxxia; 12-22-2007, 09:01 AM.

                ~~~~~~~~~~~~~~~~~~
                Patrizia
                COO - MassiveDollars
                Email: patrizia at MassiveDollars dot com
                ICQ: 465.826.441 Yahoo: trixxxia_me MSN: trixxxia at hotmail dot com

                Comment

                • JOKER
                  Facit Omnia Voluntas
                  • Apr 2003
                  • 2105

                  #9
                  Thanx a LOT Milan and Dale for getting to the bottom of this AND sharing it with GFY

                  From your point of view - has the affiliates' info been extracted / compromised as well, or is this unlikely?

                  Again, thanx a LOT for going public with this.

                  Steve
                  Facilitation - BizDev - Traffic - Consulting - Marketing
                  Skype: jokerempire | Silent Circle: joker

                  Comment

                  • milan
                    Confirmed User
                    • May 2005
                    • 800

                    #10
                    Originally posted by JOKER | JOKEREMPIRE Inc.
                    Thanx a LOT Milan and Dale for getting to the bottom of this AND sharing it with GFY

                    From your point of view - has the affiliates' info been extracted / compromised as well, or is this unlikely?

                    Again, thanx a LOT for going public with this.

                    Steve
                    The bot has FULL ADMIN access to what you have so YES this is very likely.

                    BTW we have null routed those 5-6 IP's from any access to our network long ago, other ISP's should follow.

                    Comment

                    • Sebastian Sands
                      Confirmed User
                      • Mar 2005
                      • 5223

                      #11
                      you guys go above and beyond, I am happy I have some of my stuff hosted with you guys. I know it's in good hands.

                      Comment

                      • Headless
                        Registered User
                        • Jan 2001
                        • 26727

                        #12
                        holy shit this isnt good...

                        Comment

                        • Dirty F
                          Too lazy to set a custom title
                          • Jul 2001
                          • 59204

                          #13
                          Isn't anybody amazed this has been going on since August? How come a hosting company knows about this and the owners of the software didn't? For 4 months already?

                          Comment

                          • milan
                            Confirmed User
                            • May 2005
                            • 800

                            #14
                            Originally posted by Dirty F
                            Isnt anybody amazed this has been going on since august? How come a hosting company knows about this and the owners of the software didnt? For 4 months already?
                            Well they DID know... at least from October when we told them (seems like they knew already) if you read the post above. I still have respect for the idea that security issues should be secret until they're fixed. Even though TMM hasn't fixed their issue.

                            Comment

                            • Dirty F
                              Too lazy to set a custom title
                              • Jul 2001
                              • 59204

                              #15
                              Originally posted by milan
                              Well they DID know... at least from October when we told them (seems like they knew already) if you read the post above. I still have respect for the idea that security issues should be secret until they're fixed. Even though TMM hasn't fixed their issue.
                              Ok let me put it this way: Isn't anybody surprised they knew about this and didn't fix it?? I just can't think of one reason for that.

                              Comment

                              • JOKER
                                Facit Omnia Voluntas
                                • Apr 2003
                                • 2105

                                #16
                                Originally posted by milan
                                The bot has FULL ADMIN access to what you have so YES this is very likely.

                                BTW we have null routed those 5-6 IP's from any access to our network long ago, other ISP's should follow.
                                That's what I suspected as well.

                                Not good, at all.

                                Will I see eMails / Newsletters of the programs that I'm signed up with that my info has been compromised and my Identity / Banking Info / ePass info has been stolen?

                                Well, let's just say I doubt it, but I still HOPE that they will be honest about it.

                                I've already started to ask some of the program owners that I'm signed up with if they had that issue - but to be honest, it shouldn't be MY job to ask them if my info is / was secure, but theirs to inform me that I've got a serious problem now and need to change all this data / info.

                                Just my

                                Comment

                                • milan
                                  Confirmed User
                                  • May 2005
                                  • 800

                                  #17
                                  Originally posted by Dirty F
                                  Ok let me put it this way: Isn't anybody surprised they knew about this and didn't fix it?? I just can't think of one reason for that.
                                  I believe they tried/are trying to fix the security breach in house and hoped to do that BEFORE this exploded. Bad judgment in my opinion.

                                  Easier to notify customers of the issue.

                                  Comment

                                  • TheDoc
                                    Too lazy to set a custom title
                                    • Jul 2001
                                    • 13827

                                    #18
                                    Need to add:

                                    1) Using the ADMIN_IPS security settings within the NATS Config Admin stops unauthorized IP's from entering, viewing, or getting any Admin related documents or data.

                                    IP LOCK YOUR ADMIN AREA - It's a built in feature within NATS.

                                    2) NATS IP is: 67.84.12.95

                                    3) When NATS is done updating they tell you to change passwords. This is a great time to change the NATS PW and set the account status to normal. You should already be changing your FTP/SSH pw each time, which NATS tells you to do.
                                    ~TheDoc - ICQ7765825
                                    It's all disambiguation

                                    Comment

                                    • BOSS1
                                      Confirmed User
                                      • Sep 2005
                                      • 4331

                                      #19
                                      bookmarked

                                      NEW SITE: Stockings Kingdom
                                      Lesbians in Latex, Lesbians in Stockings, Granny Sex, BDSM Porn, Latex and Sex, Custom Foot Fetish, Femdom Movies and Kinky Porn Pass.
                                      300+ hosted flvs, 500+ hosted galleries, Page Peel ADs.. NATS export and payouts twice a month

                                      Comment

                                      • CurrentlySober
                                        Too lazy to wipe my ass
                                        • Aug 2002
                                        • 38945

                                        #20
                                        i like elephants


                                        👁️ 👍️ 💩

                                        Comment

                                        • DWB
                                          Registered User
                                          • Jul 2003
                                          • 31779

                                          #21

                                          Comment

                                          • D
                                            Confirmed User
                                            • Jan 2006
                                            • 7412

                                            #22
                                            Good info.
                                            -D.
                                            ICQ: 202-96-31

                                            Comment

                                            • raymor
                                              Confirmed User
                                              • Oct 2002
                                              • 3745

                                              #23
                                              Thanks for handling this responsibly, contacting NATS first and then going to full disclosure mode only when it became necessary. As a security professional who works with a lot of NATS sites, and someone who has previously raised questions about the security implications of having that kind of data on the web server at all as well as specific concerns about NATS, this is of great interest to me and leaves me with a question.

                                              Most of the "symptoms" you describe could be explained by a simpler problem than that "*Someone* has access to TMM's clients database with your admin logins and passwords." There are numerous other ways for a cracker to get the admin user name and password. Most webmasters choose poor passwords, with "admin:admin" being common, as are certain variations on that. You don't have to crack TMM's database to get in when the password is that obvious. Most webmasters use passwords based on English words, so a dictionary attack is simple enough. More likely, any PHP script anywhere on the server might be exploited and used to read the password from the database. Based on what you've posted, the only evidence that the bad guy(s) have access to the TMM database is:

                                              *) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
                                              *) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
                                              Is that a solid pattern that you saw repeatedly, or is it a case where it happened one time that the cracker definitely was gone and then came back shortly after TMM was given admin access?


                                              Just as a side info, I think NATS is a great product and
                                              ...
                                              I'm not posting this to bash TMM.

                                              Agreed - they have an impressive product and the current crop of people there seem to be good people. Some on this board know we once had some intellectual property concerns regarding the actions of someone who no longer works there, but that's been properly taken care of by TMM. My interest is in helping webmasters who use NATS and TMM to take care of any problems so that everyone can get back to the business of getting the porn to the people.
                                              For historical display only. This information is not current:
                                              support@bettercgi.com ICQ 7208627
                                              Strongbox - The next generation in site security
                                              Throttlebox - The next generation in bandwidth control
                                              Clonebox - Backup and disaster recovery on steroids

                                              Comment

                                              • minusonebit
                                                So Fucking Banned
                                                • Feb 2006
                                                • 7391

                                                #24
                                                Ah, now ain't that nice? Does that mean all of the affiliates' information is compromised as well? God, this entire industry sucks with regard to security and privacy practices. People need to get their heads out of their asses. Add this to the list of reasons why I am glad I use a taxpayer ID for program signups.

                                                Now, the question that remains in my mind is two fold:

                                                1. Why is TMM sitting on their goddamned asses with regard to this?
                                                2. Milan, why did you give them as long as you did to fix this before letting it out?

                                                This is a serious issue and you giving them three fucking months to address it before going public with it is way too damn long. They should have had 48 hours - maximum - to address it. You're right, they should have notified the customers. Their failure to do that is another nail in their coffin. And right after they bought SegPay? Hah, now there is one billing company I'll never do business with.

                                                Fuck TMM's reputation and the damage that releasing this after 48 hours would have caused, let me be the first to say that I don't give a good goddamn about that at all. When privacy and security and people having access to private data is concerned, the reputation of the companies involved does not matter, the security of the data in a timely manner trumps all ego concerns.

                                                This industry worries way too fucking much about the reputation of other companies when it comes to shit like this. When something stinks, the dirty laundry needs to be aired now, not after three months of back room pleasantries and friendly chats.
                                                Last edited by minusonebit; 12-22-2007, 12:18 PM.

                                                Comment

                                                • Dirty F
                                                  Too lazy to set a custom title
                                                  • Jul 2001
                                                  • 59204

                                                  #25
                                                  Originally posted by minusonebit
                                                  Ah, now ain't that nice? Does that mean all of the affiliates' information is compromised as well? God, this entire industry sucks with regard to security and privacy practices. People need to get their heads out of their asses.

                                                  Ommmmggg the irony

                                                  Holy shit! I'm sure now, you're fucked in your head.

                                                  Comment

                                                  • minusonebit
                                                    So Fucking Banned
                                                    • Feb 2006
                                                    • 7391

                                                    #26
                                                    Originally posted by Dirty F
                                                    Ommmmggg the irony

                                                    Holy shit! I'm sure now, you're fucked in your head.
                                                    Shut the fuck up you piece of rotting rat shit. I am tired of listening to you yammer on about the password non-issue. You are using it for sig views and it's getting old. Why don't you go back to fucking Juicy's dog and get off my nuts you stupid, two bit, good for nothing, ain't worth a shit pile of rat droppings?

                                                    Comment

                                                    • Dirty F
                                                      Too lazy to set a custom title
                                                      • Jul 2001
                                                      • 59204

                                                      #27
                                                      Originally posted by minusonebit
                                                      Shut the fuck up you piece of rotting rat shit. I am tired of listening to you yammer on about the password non-issue. You are using it for sig views and it's getting old. Why don't you go back to fucking Juicy's dog and get off my nuts you stupid, two bit, good for nothing, ain't worth a shit pile of rat droppings?
                                                      Non issue? Oh yeah I forgot what you said for a minute:
                                                      Posting 300 passwords, usernames, full names, telephone numbers, addresses didn't do any harm.

                                                      Silly me, how could I forget that

                                                      Comment

                                                      • AlienQ - BANNED FOR LIFE
                                                        best designer on GFY
                                                        • Mar 2003
                                                        • 30307

                                                        #28
                                                        Originally posted by AlienQ
                                                        Legal action?

                                                        Bring it LOL! I beg for it. What I am saying is not false. It's all 100% true and there is not shit you can say or do otherwise that proves what I am saying is false.

                                                        I am looking here on how it went down on GFY regarding the porngraph heist. Hell I was active when that scam went down.

                                                        Next you are trying to tell me NATS never had core access to its clients?

                                                        HAha! OMG
                                                        ALIEN
                                                        http://www.gofuckyourself.com/showth...ight=Porngraph
                                                        Posted 01-16-2006, 12:53 PM

                                                        Comment

                                                        • minusonebit
                                                          So Fucking Banned
                                                          • Feb 2006
                                                          • 7391

                                                          #29
                                                          Originally posted by Dirty F
                                                          Non issue? Oh yeah I forgot what you said for a minute:
                                                          Posting 300 passwords, usernames, full names, telephone numbers, addresses didn't do any harm.

                                                          Silly me, how could I forget that
                                                          You know Franck, I'm not gonna let you trick me into hi-jacking this thread over this petty bullshit you and I have between us. You talk more shit than a fucking sewer. You are too much of a pussy to back up all your shit talking in person - you had your chance and you got real quiet like a scared little bitch - so just fucking shut up already. Or if you really want to keep going, then start a new thread and let's have at it. Got it?

                                                          Comment

                                                          • papill0n
                                                            Unregistered Abuser
                                                            • Oct 2007
                                                            • 15547

                                                            #30
                                                            yeah sounds like a real non issue to me



                                                            Nice work Milan, you guys run an excellent operation!!

                                                            Comment

                                                            • Dirty F
                                                              Too lazy to set a custom title
                                                              • Jul 2001
                                                              • 59204

                                                              #31
                                                              Originally posted by minusonebit
                                                              You know Franck, I'm not gonna let you trick me into hi-jacking this thread over this petty bullshit you and I have between us. You talk more shit than a fucking sewer. You are too much of a pussy to back up all your shit talking in person - you had your chance and you got real quiet like a scared little bitch - so just fucking shut up already. Or if you really want to keep going, then start a new thread and let's have at it. Got it?
                                                              Wtf? You're so fucking fucked in your head, you should seek help you fucking imbecile. I had my chance but got quiet? Had what chance you retard boy? Oh yeah now I remember, you said I stopped posting on gfy for 3 weeks after you said you would beat me up.
                                                              Man, if you read all this shit back about yourself don't you just want to shoot yourself?
                                                              Please explain to me how exactly I got quiet and scared? Fucking delusional piece of password sharing shit!

                                                              Comment

                                                              • u-Bob
                                                                there's no $$$ in porn
                                                                • Jul 2005
                                                                • 33063

                                                                #32
                                                                hmmkay, this would explain all the spam to UNIQUE-ADDRESS-USED-ONLY-TOSIGNUP-TO...fmydomains.com and UNIQUE-ADDRESS-USED-ONLY-TOSIGNUP-TO...fmydomains.com and UNIQUE-ADDRESS-USED-ONLY-TOSIGNUP-TO...fmydomains.com
                                                                and...


                                                                • minusonebit
                                                                  So Fucking Banned
                                                                  • Feb 2006
                                                                  • 7391

                                                                  #33
I wonder if this is where Kandah gets his/her/its lists. Anyone have that little fucker's IP addresses? Could match them against the list of intruders... we all know the lists that nic is peddling are stolen, stolen, stolen... would make sense...


                                                                  • Doctor Dre
                                                                    Too lazy to set a custom title
                                                                    • Jan 2001
                                                                    • 51692

                                                                    #34
                                                                    Ok Frank just totally owned & destroyed Minusonebit, now move on to the real topic and stop fighting.
                                                                    Originally posted by rayadp05
                                                                    I rebooted, deleted temp files, history, cookies and everything...still cannot view the news clip. All I see is that fucking gay ass music video from "Rick Roll". Anyone else have a different link to the news clip?


                                                                    • HunkyLuke
                                                                      Virgin by request ;)
                                                                      • Feb 2002
                                                                      • 1924

                                                                      #35
                                                                      QUESTION: what is the correct way to specify an IP range plus 1 other IP when setting up the ADMIN_IPS in a NATS configuration?

                                                                      would it be 1.2.3.*,5.6.7.8
                                                                      or 1.2.3.1-255,5.6.7.8
                                                                      or something else?


                                                                      • ronaldo
                                                                        Confirmed User
                                                                        • Jan 2002
                                                                        • 5475

                                                                        #36
                                                                        If I understand correctly from the other thread, OC3Networks is working with, or assisting MojoHost and quite possibly others as well.

If that's true, I have to give props to a company (that I don't host with btw) for working DIRECTLY WITH their competition to help solve an issue that affects our entire industry instead of capitalizing on it for their own gains.

                                                                        That deserves the utmost respect.


                                                                        • Gordon G
                                                                          So Fucking Banned
                                                                          • May 2006
                                                                          • 646

                                                                          #37
                                                                          Originally posted by Dirty F
                                                                          Ommmmggg the irony

Holy shit! I'm sure now, you're fucked in your head.


                                                                          • quantum-x
                                                                            Confirmed User
                                                                            • Feb 2002
                                                                            • 6863

                                                                            #38
                                                                            I'd just like to say great work on this, and as I'd mentioned in other threads [and was told I was an idiot for it] - NATS was vulnerable to SQL injections. I'm not sure if it still is now, but it certainly was.
                                                                            PrettyInCash.com - BoozedGFs.com - TeenGFs.com - JizzGFs.com- MilfUploads.com -
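What the class of bug quantum-x names looks like in code, next to its fixed form, as an added example that is not NATS's code and not from anyone in this thread. The admin table, the credentials and the input strings are constructed for the illustration; sqlite3 stands in for whatever database the real application uses.

```python
import sqlite3


def make_db():
    """Constructed in-memory admin table; the schema and credentials are made
    up for this example and are not NATS's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so user-controlled text
    becomes SQL syntax. This is the defect class, kept here for contrast only."""
    sql = ("SELECT COUNT(*) FROM admins WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised statement: the driver passes the values separately from
    the SQL text, so quotes in the input stay data and never become syntax."""
    sql = "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Return (vulnerable_result, safe_result) for one credential pair,
    so the two query styles can be checked side by side."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_safe(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    print("real password:", compare("admin", "correct horse battery"))
    print("wrong password:", compare("admin", "guess"))
    # Input containing a quote: only the string-built query is fooled by it.
    print("malformed input:", compare("admin", "' OR '1'='1"))
```

The point of the comparison is that the hardened version needs no input filtering at all: binding parameters removes the confusion between data and SQL, which is the root cause, whereas blacklisting quote characters only chases symptoms. Storing the password hashed rather than in clear text is the separate fix for what a successful injection would have exposed.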


                                                                            • Sebastian Sands
                                                                              Confirmed User
                                                                              • Mar 2005
                                                                              • 5223

                                                                              #39
                                                                              Are the processors concerned at all?


                                                                              • milan
                                                                                Confirmed User
                                                                                • May 2005
                                                                                • 800

                                                                                #40
                                                                                Originally posted by ronaldo
                                                                                If I understand correctly from the other thread, OC3Networks is working with, or assisting MojoHost and quite possibly others as well.

                                                                                If that's true, I have to give props to a company (that I don't host with btw) for working DIRECTLY WITH their competition to help solve an issue that effects our entire industry instead of capitalizing on it for their own gains.

                                                                                That deserves the utmost respect.


Thank you, but I really don't see any of the other hosts as competition; I see them as peers. There is SO much business for everyone and I think any industry should stick together.

MojoHost, Webair, Splitinfinity and Natnet are all great operations and should share security matters. (hope I didn't forget or offend anyone)
                                                                                QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
                                                                                24/7 "REALLY ON-SITE" Support - Completely Premium Network
                                                                                Public & Private Network, Remote Reboot, Private VLANs
                                                                                99.99% Guaranteed Network Uptime / BGP4 Multihomed
                                                                                24/7 LIVE CHAT, Phone and Ticket Support
                                                                                1-888-5-QUADRA


                                                                                • milan
                                                                                  Confirmed User
                                                                                  • May 2005
                                                                                  • 800

                                                                                  #41
                                                                                  Originally posted by minusonebit
                                                                                  Ah, now ain't that nice? Does that mean all of the affiliates' information is compromised as well? God, this entire industry sucks with regard to security and privacy practices. People need to get their heads out of their asses. Add this to the list of reasons why I am glad I use a taxpayer ID for program signups.

                                                                                  Now, the question that remains in my mind is two fold:

                                                                                  1. Why is TMM sitting on their goddamned asses with regard to this?
                                                                                  2. Milan, why did you give them as long as you did to fix this before letting it out?

This is a serious issue and you giving them three fucking months to address it before going public with it is way too damn long. They should have had 48 hours - maximum - to address it. You're right, they should have notified the customers. Their failure to do that is another nail in their coffin. And right after they bought SegPay? Hah, now there is one billing company I'll never do business with.

                                                                                  Fuck TMM's reputation and the damage that releasing this after 48 hours would have caused, let me be the first to say that I don't give a good goddamn about that at all. When privacy and security and people having access to private data is concerned, the reputation of the companies involved does not matter, the security of the data in a timely manner trumps all ego concerns.

                                                                                  This industry worries way too fucking much about the reputation of other companies when it comes to shit like this. When something stinks, the dirty laundry needs to be aired now, not after three months of back room pleasantries and friendly chats.
I can't answer #1 as I knew they were trying to resolve this; they did not sit on their ass... (I still think letting the customers know would be first priority)

As for #2, I will repeat that we still have respect for the idea that security issues should be secret until they're fixed, and we were urged by our clients on whose servers we located the issue NOT to go public or something bad would happen to them. Who knows what "bad" is, but a lawsuit and revocation of license is what I heard... can't confirm the second one.
                                                                                  QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
                                                                                  24/7 "REALLY ON-SITE" Support - Completely Premium Network
                                                                                  Public & Private Network, Remote Reboot, Private VLANs
                                                                                  99.99% Guaranteed Network Uptime / BGP4 Multihomed
                                                                                  24/7 LIVE CHAT, Phone and Ticket Support
                                                                                  1-888-5-QUADRA


                                                                                  • milan
                                                                                    Confirmed User
                                                                                    • May 2005
                                                                                    • 800

                                                                                    #42
                                                                                    Originally posted by raymor
Thanks for handling this responsibly, contacting NATS first and then going to
full disclosure mode only when it became necessary. As a security professional
who works with a lot of NATS sites, and someone who has previously
raised questions about the security implications of having that kind of data
on the web server at all as well as specific concerns about NATS, this is
of great interest to me and leaves me with a question.

Most of the "symptoms" you describe could be explained by a simpler problem
than that "*Someone* has access to TMM's clients database with your admin
logins and passwords.". There are numerous other ways for a cracker to get
the admin user name and password. Most webmasters choose poor passwords,
with "admin:admin" being common, as are certain variations on that.
You don't have to crack TMM's database to get in when the password is
that obvious. Most webmasters use passwords based on English words,
so a dictionary attack is simple enough. More likely, any PHP script
anywhere on the server might be exploited and used to read the password
from the database. Based on what you've posted, the only evidence that
the bad guy(s) have access to the TMM database is:



                                                                                    Is that a solid pattern that you saw repeatedly, or is it a case where it
                                                                                    happened one time that the cracker definitely was gone and then came back
                                                                                    shortly after TMM was given admin access?





Agreed - they have an impressive product and the current crop of people there
seem to be good people. Some on this board know we once had some
intellectual property concerns regarding the actions of someone who no
longer works there, but that's been properly taken care of by TMM. My interest
is in helping webmasters who use NATS and TMM to take care of any problems
so that everyone can get back to the business of getting the porn to the people.
YES, solid as can be; we will keep all logs and evidence... As soon as they (TMM) got the "new" admin password, within hours we saw the attacks come back. More than that, after we blocked the 2-3 IPs on the core network they came from, a few weeks later the "hacker" changed IPs while attacking our customers, so another protection went into place.
                                                                                    QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
                                                                                    24/7 "REALLY ON-SITE" Support - Completely Premium Network
                                                                                    Public & Private Network, Remote Reboot, Private VLANs
                                                                                    99.99% Guaranteed Network Uptime / BGP4 Multihomed
                                                                                    24/7 LIVE CHAT, Phone and Ticket Support
                                                                                    1-888-5-QUADRA
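Two things in this thread lend themselves to a worked example: the question in #35 about how an admin-IP allowlist such as `1.2.3.*,5.6.7.8` or `1.2.3.1-255,5.6.7.8` gets interpreted, and the pattern milan describes in #42 (access returning within hours, from a few IPs that later changed). The block below is an added example written for this thread; it is not NATS's code, and the allowlist spellings it accepts are a constructed illustration, not a statement of NATS's real ADMIN_IPS syntax. The admin-activity log lines are made up and use documentation address ranges. It matches each logged source IP against the allowlist and then looks for an account exporting the member list on a near-constant interval, which is what a scripted dump looks like in a log.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime


def parse_allowlist(spec):
    """Parse a comma-separated admin-IP allowlist into matchers.

    Accepted spellings (a constructed illustration, NOT NATS's own syntax):
      1.2.3.*        trailing-octet wildcard(s)
      1.2.3.1-255    inclusive range on the last octet
      10.0.0.0/24    CIDR block
      5.6.7.8        single address
    """
    matchers = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            matchers.append(("net", ipaddress.ip_network(item, strict=False)))
        elif "*" in item:
            # Wildcards are assumed to be trailing, e.g. 1.2.3.* or 10.*.*.*
            fixed = [p for p in item.split(".") if p != "*"]
            net = ".".join(fixed + ["0"] * (4 - len(fixed)))
            matchers.append(("net", ipaddress.ip_network(f"{net}/{8 * len(fixed)}")))
        elif "-" in item.rsplit(".", 1)[-1]:
            base, last = item.rsplit(".", 1)
            lo, hi = (int(x) for x in last.split("-"))
            matchers.append(("range", (ipaddress.ip_address(f"{base}.{lo}"),
                                       ipaddress.ip_address(f"{base}.{hi}"))))
        else:
            matchers.append(("net", ipaddress.ip_network(f"{item}/32")))
    return matchers


def ip_allowed(ip, matchers):
    """True if ip falls inside any allowlist entry."""
    addr = ipaddress.ip_address(ip)
    for kind, m in matchers:
        if kind == "net" and addr in m:
            return True
        if kind == "range" and m[0] <= addr <= m[1]:
            return True
    return False


# Constructed admin-activity log: "date time source_ip user action".
# Addresses are from documentation ranges; every line is made up for this example.
SAMPLE_LOG = """\
2007-10-12 01:00:03 203.0.113.7 admin members_export
2007-10-12 01:12:44 192.0.2.10 admin login
2007-10-12 02:00:01 203.0.113.7 admin members_export
2007-10-12 03:00:05 203.0.113.7 admin members_export
2007-10-12 03:30:00 192.0.2.10 admin edit_program
2007-10-12 04:00:02 203.0.113.7 admin members_export
2007-10-12 09:15:00 192.0.2.44 admin members_export
""".splitlines()

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def parse_log(lines):
    """Turn log lines into (timestamp, ip, user, action) tuples."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_suspicious(events, matchers, action="members_export",
                    min_repeats=3, tolerance_s=120):
    """Report (a) admin actions from IPs outside the allowlist and
    (b) IPs repeating `action` on a near-constant interval (scripted dumps)."""
    outside = sorted({ip for _, ip, _, _ in events if not ip_allowed(ip, matchers)})
    per_ip = defaultdict(list)
    for ts, ip, _, act in events:
        if act == action:
            per_ip[ip].append(ts)
    periodic = []
    for ip, stamps in sorted(per_ip.items()):
        stamps.sort()
        if len(stamps) < min_repeats:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            periodic.append((ip, round(sum(gaps) / len(gaps))))
    return outside, periodic


def analyze_sample(allowlist="192.0.2.*,198.51.100.8"):
    """Run both checks over the constructed log with a constructed allowlist."""
    return find_suspicious(parse_log(SAMPLE_LOG), parse_allowlist(allowlist))


if __name__ == "__main__":
    outside, periodic = analyze_sample()
    print("admin actions from non-allowlisted IPs:", outside)
    print("periodic exports (ip, mean seconds between):", periodic)
```

The IP allowlist is the control that holds regardless of how the password leaked, which is why it is worth the effort of getting the syntax right for the product you actually run; the periodicity check is a cheap log review that does not depend on knowing the attacker's address in advance, so it keeps working when the source IPs change.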


                                                                                    • milan
                                                                                      Confirmed User
                                                                                      • May 2005
                                                                                      • 800

                                                                                      #43
                                                                                      Originally posted by Sebastian Sands
                                                                                      Are the processors concerned at all?
Yes they are; some have been responsible and contacted me to get more info on what we have, and I did. It doesn't look like they got any of the CC info tho;
they were more interested in the email list.
                                                                                      QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
                                                                                      24/7 "REALLY ON-SITE" Support - Completely Premium Network
                                                                                      Public & Private Network, Remote Reboot, Private VLANs
                                                                                      99.99% Guaranteed Network Uptime / BGP4 Multihomed
                                                                                      24/7 LIVE CHAT, Phone and Ticket Support
                                                                                      1-888-5-QUADRA


                                                                                      • TMM_John
                                                                                        Confirmed User
                                                                                        • May 2004
                                                                                        • 6664

                                                                                        #44
                                                                                        Milan and Caz, I want to apologize to both of you.

                                                                                        I realize now that you guys were only trying to help in this situation. I had received comments from a few people indicating to me that wasn't the case and I took them to be true without speaking with you guys myself. I always try to form my own opinions on things and in this case I'm sorry for not getting my own opinion of what you were doing about the situation.

                                                                                        I would also like to tell you that there is no backdoor we have put in NATS for us to access. I understand this is a common rumor but that is all that it is.

                                                                                        I realize now you guys are only here trying to help and I appreciate it. Thank you. I hope you can accept my apology.


                                                                                        Too Much Media - Makers of the Industry's Leading Payite Management Platform, NATS!


                                                                                        • milan
                                                                                          Confirmed User
                                                                                          • May 2005
                                                                                          • 800

                                                                                          #45
                                                                                          Originally posted by PBucksJohn
                                                                                          Milan and Caz, I want to apologize to both of you.

                                                                                          I realize now that you guys were only trying to help in this situation. I had received comments from a few people indicating to me that wasn't the case and I took them to be true without speaking with you guys myself. I always try to form my own opinions on things and in this case I'm sorry for not getting my own opinion of what you were doing about the situation.

                                                                                          I would also like to tell you that there is no backdoor we have put in NATS for us to access. I understand this is a common rumor but that is all that it is.

                                                                                          I realize now you guys are only here trying to help and I appreciate it. Thank you. I hope you can accept my apology.
                                                                                          John,

People that know me are aware how easy going I am.

                                                                                          We respected the major dilemma you were facing and really tried to help you, TMM and the industry securing the data nothing more.
                                                                                          Your product is great and we are working on a daily basis with your install and support team, what a great bunch of guys they are.

I, and I can speak in the name of Caz here, without question accept the apology with no hard feelings. I really think in the future anyone should really talk face to face (or by phone...) without prejudice and try to understand the problem.

                                                                                          We are here 24/7 to help you if needed to solve the security breach, since at the end this is ALL it is.

                                                                                          I truly hope you can enjoy this holiday even if you are probably occupied with this issue.

                                                                                          Respectfully,
                                                                                          QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
                                                                                          24/7 "REALLY ON-SITE" Support - Completely Premium Network
                                                                                          Public & Private Network, Remote Reboot, Private VLANs
                                                                                          99.99% Guaranteed Network Uptime / BGP4 Multihomed
                                                                                          24/7 LIVE CHAT, Phone and Ticket Support
                                                                                          1-888-5-QUADRA


                                                                                          • TMM_John
                                                                                            Confirmed User
                                                                                            • May 2004
                                                                                            • 6664

                                                                                            #46
                                                                                            Originally posted by milan
                                                                                            John,

People that know me are aware how easy going I am.

                                                                                            We respected the major dilemma you were facing and really tried to help you, TMM and the industry securing the data nothing more.
                                                                                            Your product is great and we are working on a daily basis with your install and support team, what a great bunch of guys they are.

I, and I can speak in the name of Caz here, without question accept the apology with no hard feelings. I really think in the future anyone should really talk face to face (or by phone...) without prejudice and try to understand the problem.

                                                                                            We are here 24/7 to help you if needed to solve the security breach, since at the end this is ALL it is.

                                                                                            I truly hope you can enjoy this holiday even if you are probably occupied with this issue.

                                                                                            Respectfully,
                                                                                            Thank you. We have really gotten off on the wrong foot here, which is my fault. I hope we can sit down in Vegas and get to know each other, as well as with Caz. I sent you an ICQ also but did not receive a reply, not sure if it made it through to you. My ICQ is 5596373.


                                                                                            Too Much Media - Makers of the Industry's Leading Payite Management Platform, NATS!


                                                                                            • seeric
                                                                                              ..........
                                                                                              • Aug 2004
                                                                                              • 41917

                                                                                              #47
                                                                                              just a little PSA here.

                                                                                              if you dont have this product, get it.

                                                                                              www.lifelock.com

                                                                                              change all your passwords to places that you use the same pass as your nats account.

                                                                                              problem solved, or at least your level of protection is intensely elevated.

I've been using this for a while and you wouldn't believe the activity a normal person's credit data sees. I get calls about once a month for someone or another trying to access my credit info for this or that.

                                                                                              its worth it.


• milan
  Confirmed User
  • May 2005
  • 800

  #48
  Originally posted by PBucksJohn
  Thank you. We have really gotten off on the wrong foot here, which is my fault. I hope we can sit down in Vegas and get to know each other, as well as with Caz. I sent you an ICQ also but did not receive a reply, not sure if it made it through to you. My ICQ is 5596373.

  Didn't get it, as I'm not at my computer but on my wife's notebook... will see it soon... thx for that.

  Absolutely on the sit down, would be great to meet you. Heard lots of good things about you from a mutual friend (NJ guy that lives out here in Cali now).
  QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
  24/7 "REALLY ON-SITE" Support - Completely Premium Network
  Public & Private Network, Remote Reboot, Private VLANs
  99.99% Guaranteed Network Uptime / BGP4 Multihomed
  24/7 LIVE CHAT, Phone and Ticket Support
  1-888-5-QUADRA

• munki
  Do Fun Shit.
  • Dec 2004
  • 13393

  #49
  <---- not fucking happy at this point...

  “I have the simplest tastes. I am always satisfied with the best.” -Oscar Wilde

• BoyAlley
  So Fucking Gay
  • Nov 2004
  • 19714

  #50
  You know what, maybe OC3 should have fucking come out about this issue MONTHS ago instead of rolling over because their clients, whoever they are, were fucking scared of the wrath of TMM John of all god forsaken people.

  Instead who knows how many people have been fucked up their ass worse than me without lube in the 4 months since.

  Now TMM's John is coming forward with some pathetic little "Oopsie daisy my fault I'm so sorry have cybersex with me on ICQ now", and OC3 is immediately all like "so what are you wearing".

  Fucking retarded.
  Last edited by BoyAlley; 12-22-2007, 05:28 PM.
