NATS insecure according to OC3 Networks


gonzo
12-22-2007, 02:49 PM
After many MANY emails and VMs I will post what OC3 Networks discovered back in October after a routine audit of 2 of our clients' security.

We have known about this issue since mid Aug 2007; we secured our customers and blocked the intruder IPs from any access to our network.

We posted the thread http://www.gfy.com/showthread.php?t=779742 and got some lawsuit threat to sue us that we could have cared less about... BUT when our customers on whose servers we tracked the breach got threats as well and requested us to NOT come out public with it, we honored their request.

Just as a side info, I think NATS is a great product and it's a shame that after the months they had to fix or come clean with their clients it never happened...


Credit for the info below should go to our SUPER SYSADMIN/Security fanatic Dale, who has never posted on this board, so I'm doing this for him. He wanted to come out with this long ago!
=====
The issue with this "intruder" does not seem to be an exploit of the NATS software itself. *Someone* has access to TMM's clients database with your admin logins and passwords. That's what the issue is. I'm not posting this to bash TMM. I'm posting this because they have had months to fix this issue and have apparently failed. They didn't even let (some of?) their customers know they implemented this "Admin activity log" and installed it behind their backs.

I've been involved with a high number of NATS clients and have found the following to be true:
*) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
*) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
*) Intruder is using an automation script that dumps the NATS members list. In some cases he is doing this every hour on the hour.
*) If you have web logs, look for hits against "admin_reports.php?report=surfer_stats&member=######". You will see a number of those hits in sequential order.
*) NATS was vulnerable to SQL injection attacks. I haven't investigated whether it still is.

I have some suggestions for people using NATS:
*) Change all your admin level passwords.
*) Do not give TMM an admin account they can use anytime they want. Change the pass when they are done.
*) Restrict access to the admin*.php files by IP. This is inconvenient, but if you can do this it will circumvent any future intrusion. There may be other files you want to do this with. You can do this with apache easily (syntax depends on your version. this is for 2.0):
# Apache 2.0 syntax: deny everyone, then allow only the listed address(es)
<Files "admin*">
Order deny,allow
Deny from all
# repeat "Allow from" for each office/static IP that needs admin access
Allow from your.ip.addr.here
</Files>
*) Keep an eye on the ssh user you have given TMM to fix/maintain your NATS install. Change their password every time they need access and as soon as they are done. I have experience with TMM ssh-ing in and making changes to NATS software without permission.
*) Be thankful of many things I'll not get into.


P.S. I'm hearing that there is a backdoor that TMM can use to get into your NATS, but I haven't investigated, so it's speculation. The only reason I even mention this is because NATS is encrypted and you don't know. I'm not interested in decrypting NATS just to find out. There are other ways. I hope this isn't true.

http://www.gfy.com/showthread.php?t=794159
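As an added example (not from the thread, and not NATS or TMM code), a small Python check for the log pattern Dale describes above: runs of admin_reports.php surfer_stats hits that walk member ids in sequential order from one client IP. The log lines are constructed samples in Apache combined-log format; the /nats/ install path is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (not from the thread). IPs are from
# documentation ranges and member ids are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2007:02:00:01 -0500] "GET /nats/admin_reports.php?report=surfer_stats&member=1001 HTTP/1.0" 200 5120 "-" "curl/7.16.4"
203.0.113.7 - - [22/Dec/2007:02:00:02 -0500] "GET /nats/admin_reports.php?report=surfer_stats&member=1002 HTTP/1.0" 200 5133 "-" "curl/7.16.4"
203.0.113.7 - - [22/Dec/2007:02:00:03 -0500] "GET /nats/admin_reports.php?report=surfer_stats&member=1003 HTTP/1.0" 200 5098 "-" "curl/7.16.4"
203.0.113.7 - - [22/Dec/2007:02:00:04 -0500] "GET /nats/admin_reports.php?report=surfer_stats&member=1004 HTTP/1.0" 200 5110 "-" "curl/7.16.4"
198.51.100.9 - - [22/Dec/2007:09:14:33 -0500] "GET /nats/admin_reports.php?report=surfer_stats&member=1503 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [22/Dec/2007:09:15:10 -0500] "GET /nats/admin.php HTTP/1.0" 200 8120 "-" "Mozilla/4.0"
"""

# Apache combined log: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def surfer_stats_hits(lines):
    """Yield (ip, timestamp, member_id) for each admin_reports.php surfer_stats request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m['path'])
        q = parse_qs(url.query)
        if (url.path.endswith('/admin_reports.php')
                and q.get('report') == ['surfer_stats']
                and q.get('member', [''])[0].isdigit()):
            yield m['ip'], m['ts'], int(q['member'][0])


def find_sequential_dumps(lines, min_run=3):
    """Map ip -> list of (first, last) runs of >= min_run consecutive member ids.

    A scripted dump walks ids in order; a human looking at one member does not."""
    by_ip = defaultdict(list)
    for ip, _ts, member in surfer_stats_hits(lines):
        by_ip[ip].append(member)
    runs = {}
    for ip, ids in by_ip.items():
        found, start = [], ids[0]
        for prev, cur in zip(ids, ids[1:] + [None]):
            if cur is not None and cur == prev + 1:  # still walking ids in order
                continue
            if prev - start + 1 >= min_run:
                found.append((start, prev))
            start = cur
        if found:
            runs[ip] = found
    return runs
```

Feed it the real access log with `find_sequential_dumps(open(path))`; any IP it reports is a candidate for the "Deny from all" rule above and for a password change on every admin-level account.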

Toby
12-22-2007, 03:31 PM
Some pretty serious shit.

I'm glad that I'm not a program owner using NATS right now.

I'm NOT at all pleased that my affiliate account info with NATS programs may have been compromised and I wasn't informed.

Looks like it's time to get out the little black book and update some logins. :mad:

RawAlex
12-22-2007, 04:21 PM
My fear at this point isn't that an admin password might have been compromised, as much as what hidden damage could be done with such access. This could be anything from putting in a back door to allow for future access to modifying the NATS codebase to allow all sorts of potential issues.

I know John will freak at the suggestion, but with this level of access, a smart hacker would do something to make money with their access, such as substituting affiliate codes or otherwise trying to obtain income from the sites in question. With 400 installs, a good hacker would only need to get 1 signup per day per site (at, say $20) to clear almost 3 million a year through purloined signups.

While I am not suggesting that this is the case, I think that NATS people need to consider the larger implications beyond a spam scam. One of the IP addresses tossed into the ring traces back to a well known group in Russia. This may be significantly larger than anyone would like.

gonzo
12-23-2007, 01:49 AM
John Albright responds...

This issue has been a real eye opener for me.

First, I would like to address the issue. It appears at this point that a number of the non-unique admin usernames & passwords we maintain for support were compromised. All passwords we had were changed to a random string and we have destroyed our list and our mechanism of keeping it, which resided on a local server in the office. We are still investigating whether or not someone accessed them from there and if so, how someone may have accessed that server. We have implemented a policy change in that we will no longer maintain any NATS admin accounts. We had made this change a while ago regarding SSH information. We are now doing this with all passwords. You will need to grant us access for any level of support. We have also contacted all clients to inform them of the security features in NATS they can utilize to better prevent any security situation from arising in the future.

Whether you are a NATS client or not you are more than welcome to contact us with any questions about these issues.

Second, I would like to talk about our previous handling of the issue. Our security and the security of our clients is of extreme importance to us. We had become aware over the past few months that a few clients were being accessed wrongly using the account we maintain. We believed we had a way of knowing which clients were affected and we contacted them immediately. Apparently we were wrong. I apologize for this. As perfect as I wish we could be, we are going to make mistakes from time to time. If we had known that the issue was more widespread we would have without question contacted everyone. We did not believe at the time it was a widespread issue. Again, this was a mistake on our part and I apologize to everyone for it. I was not trying to put blame on our clients for this and I'm sorry if I was taken that way. I was simply trying to point out the various possibilities as to what may have been going on while we were investigating it. This is not our clients' fault in any way.

Many people here have brought forth a lot of information and helped greatly with this issue. I am very grateful for that. However, I am sad to see so many people enjoying the problems we and our clients are having because they have some personal agenda. We never have a problem with anyone stating issues we may have. I appreciate those who brought the issue up and contributed to what we hope is the resolution of it. However, there have been numerous misstatements and false accusations flying around. I assure you there is no backdoor in NATS which we use to access your system and I assure you Fred is not stealing your emails and spamming your members. These are just two of the many untrue things that we have been accused of over the past 72 hours. Due to all of this I will not be continuing a discussion of the issue here. I feel I have addressed what the issue is and I apologize again for our being wrong about it originally. I wish we hadn't been, both for our sake and yours.

Again, anyone is free to contact me to discuss this directly.

TheEnforcer
12-23-2007, 10:21 AM
Hopefully they have the matter under control.

Toby
12-23-2007, 10:47 AM
The fact that TMM's internal database of admin passes was even web accessible is shocking. Major fuck-up, on several levels. :thumbdown

Jace
12-23-2007, 05:40 PM
I seem to recall an issue back about a year ago when Bank of America got hacked and approx 40mil users' data was passed around the net.

Didn't hear too much about that in the news though.

Shit happens, deal with it and move on... NOTHING, and let me repeat, NOTHING is hacker/cracker proof.

gonzo
12-23-2007, 06:32 PM
If I was a sponsor running NATS I would certainly disable that admin account if I wasn't doing so every month after they did the "our accounting department can't post that you've paid for your license" fix.

I'm not worried about my personal information. I don't use a SS#... I've long since incorporated and have a FIN to take care of this issue.

As an affiliate you might want to change your passwords, but if they wanted that information it has long since been scammed.

Personally I am disgusted how a couple of OC3 Network sigwhores have handled this and I'm disappointed in the lack of information to clients from John Albright and TMM.

Greg B
12-23-2007, 06:54 PM
Thanks Gonzo. My sentiments exactly. I asked John earlier today what was what as you know. I didn't panic but do see the magnitude of potential harm. The way things got handled isn't cool but it's up to John to spell it all out now and show what's what. What happens next will define the whole incident.

On another note, thanks to Gonzo here and his data, he didn't panic or get hyper critical, but provided data we could analyze and process. This shows that the industry has professionals who can analyze a situation no matter how bad it is and offer solutions instead of board attacks and such. It's how you respond to adversity that defines who and what you are.

Like Gonzo I went straight to the source and asked the horse, John gave me an answer quick and friendly. Other industries might have fallen apart but we need to just listen to the experts and follow through and show the public that they're safe to a better degree than mainstream. Yes, Bank of America got big time hacked. It happens.

gonzo
12-25-2007, 10:02 PM
The gays are now saying this is MinusOneBit's problem.

http://www.gaymainstreet.com/TheStreets/showthread.php?threadid=8165

Greg B
12-26-2007, 09:00 AM
Thanks Gonzo...It's all starting to fall into place now.

Hangin' around Gonzo is like hangin' around Sam Spade.

gonzo
12-26-2007, 09:03 AM
Thanks Gonzo...It's all starting to fall into place now.

Hangin' around Gonzo is like hangin' around Sam Spade.

You should see what happens when you hang around the AVN award winning Mike South....

http://www.oprano.com/msgboard/forumdisplay.php?f=50

RawAlex
12-26-2007, 02:21 PM
The last thing the porn industry needs is a major security breach that makes the public feel insecure visiting our sites.

The second to last thing the porn industry needs is a loser like minusonebit spewing to the media about it. If this guy is promoting your program, I would HIGHLY recommend cutting him off. This is the type of action detrimental to all of the adult industry. Worse, this is a guy that isn't even doing beer money in porn.

Hell Puppy
12-26-2007, 09:15 PM
I seem to recall an issue back about a year ago when Bank of America got hacked and approx 40mil users' data was passed around the net.

Didn't hear too much about that in the news though.

Shit happens, deal with it and move on... NOTHING, and let me repeat, NOTHING is hacker/cracker proof.

True.

Just as no business is immune to outages, no matter how good you think your redundant systems and disaster recovery are.

The real measure is how a business reacts to it when it does happen to them.

RawAlex
12-28-2007, 06:59 PM
If nothing else, this whole scenario is proof that larger companies should be investing in PR / public relations people to handle their stuff, and they should not get involved in trying to defend themselves on chatboards.

IMHO, John / TMM have posted some stuff on GFY that has pretty much put themselves in an ugly position.

Greg B
12-28-2007, 11:46 PM
If nothing else, this whole scenario is proof that larger companies should be investing in PR / public relations people to handle their stuff, and they should not get involved in trying to defend themselves on chatboards.

IMHO, John / TMM have posted some stuff on GFY that has pretty much put themselves in an ugly position.


So true! I do PR for several companies. They love me! I get 'em out of jams like no tomorrow. One company I'm hoping for a big payday from soon and I can retire for the third and final time.

I'm glad I got a brief chance to chat with John and kept a cool head. I knew I was right to do so after then chatting with Gonzo and seeing this thread and Gonzo's responses on other boards.

This was a dangerous scenario but I see the industry responding to and handling a potentially major fuck up in a pro level way.

gonzo
12-28-2007, 11:47 PM
Albright has his own stalker now.
Maybe it's Confucy's brother?

RawAlex
12-28-2007, 11:52 PM
The first step to resolving a problem is admitting you have one. John took it solidly on the chin by doing that old "iceberg? What iceberg" routine for a while. He picked it up a little after that, but it is still a fairly shaky situation.

To this point, I have had about a dozen companies using NATS contact me as an affiliate to let me know where they are at with it. None of them has included an official statement, comment, or anything from NATS themselves.

Smooth PR and clear communications would go a long way to resolving this issue.

Gonzo, it really looks like a confucy junior on the game there, someone with a significantly interesting past and an issue with, I gather, not taking his meds all the time. While it would be amusing at any other time, it is really a major sore spot right now. Combined with (what I see as) a failure by TMM / NATS to communicate their situation effectively, and you are looking at all the ingredients for an ugly deal with no winners, just bigger and smaller losers.