GoFuckYourself.com - Adult Webmaster Forum

Paycom or NATS spamming our members? (https://gfy.com/showthread.php?t=793881)

borked 12-21-2007 04:45 PM

Quote:

Originally Posted by PBucksJohn (Post 13547959)
Exactly. Discussing the details of a security issue and the actions taken on it in a public forum, especially one with the member base we have here, is absurd.

How is making people aware of an exploit that's been going on for some time a security issue? Nobody has posted how the exploit is achieved - just forewarning others that the issue is a real issue, which has made you sit up and take action. Isn't that a Good Thing??

TMM_John 12-21-2007 04:49 PM

Quote:

Originally Posted by borked (Post 13548549)
How is making people aware of an exploit that's been going on for some time a security issue? Nobody has posted how the exploit is achieved - just forewarning others that the issue is a real issue, which has made you sit up and take action. Isn't that a Good Thing??

I did not say pointing it out is a bad thing. I said discussing the details of it, what is being done, and what is being done to combat it isn't the smartest.

datatank 12-21-2007 04:51 PM

Quote:

Originally Posted by kristin (Post 13548367)
What about our templates, webmaster info, sales stats?

My NATS is VERY customized and I've spent too much time and money to have someone able to just gank or even delete my templates.


It takes all of 1 min to back up your nats templates. I would suggest you do that now

kristin 12-21-2007 04:57 PM

Quote:

Originally Posted by datatank (Post 13548565)
It takes all of 1 min to back up your nats templates. I would suggest you do that now

They all are, not the point.

borked 12-21-2007 05:02 PM

Quote:

Originally Posted by PBucksJohn (Post 13548558)
I did not say pointing it out is a bad thing. I said discussing the details of it, what is being done, and what is being done to combat it isn't the smartest.

I'm not quite sure what you mean by discussing the details of it. All that has been posted are a set of IPs from a scammer, so that others can check their logs. Like you said:

Quote:

Originally Posted by PBucksJohn (Post 13548497)
I do not believe it is as far widespread as some people here seem to enjoy making it out to be.

Through this very thread, started by someone wanting to know what was happening, other people have stepped forward with information that has helped others realise what has gone on. Followed on by your email, now all NATS clients realise there is a problem. Nothing untoward or compromising to others has been discussed.

borked 12-21-2007 05:03 PM

Quote:

Originally Posted by datatank (Post 13548565)
It takes all of 1 min to back up your nats templates. I would suggest you do that now

for those that aren't sure - just a mysql dump/backup, which you are all doing regularly anyway right :winkwink: takes care of all that

TMM_John 12-21-2007 05:06 PM

Quote:

Originally Posted by borked (Post 13548607)
I'm not quite sure what you mean by discussing the details of it. All that has been posted are a set of IPs from a scammer, so that others can check their logs. Like you said:



Through this very thread, started by someone wanting to know what was happening, other people have stepped forward with information that has helped others realise what has gone on. Followed on by your email, now all NATS clients realise there is a problem. Nothing untoward or compromising to others has been discussed.

You're right, the end result has been a good thing. It has also resulted in us making a policy change. Although I don't think it is the root of the issue it is better to be safe than sorry.

I am not saying things people have said are horrendous. People have asked me to go into details about what we know and what we have done in the past here. I'm simply saying I think this is not the place for that.

tdfcash3 12-21-2007 05:06 PM

I'm still in a state of utter disbelief that they knew for so long and didn't think to tell us.

Nysus 12-21-2007 05:06 PM

Quote:

Originally Posted by PBucksJohn (Post 13548534)
Those who we had an indication had a problem were notified. And we changed all passwords.
...

Not to bust balls, but hasn't the only indication so far been members who have signed up and cared enough to sign up with a unique email address to then determine they were receiving spam? That's a pretty rare thing to happen..

I'm wondering if you have or are going to contact the authorities?

TMM_John 12-21-2007 05:15 PM

Quote:

Originally Posted by tdfcash3 (Post 13548627)
I'm still in a state of utter disbelief that they knew for so long and didn't think to tell us.

We were not under the impression it was a widespread problem or we would have made an announcement as we have in the past.

I still do not believe it is a completely widespread issue but we are taking strong action anyway.

TMM_John 12-21-2007 05:16 PM

Quote:

Originally Posted by Nysus (Post 13548628)
Not to bust balls, but hasn't the only indication so far been members who have signed up and cared enough to sign up with a unique email address to then determine they were receiving spam? That's a pretty rare thing to happen..

I'm wondering if you have or are going to contact the authorities?

After we collect all of the info we can we will see what we can do with it. However, I'm sure they will wish to speak with those who are having their systems accessed. We can not act on your behalf in that regard.

tdfcash3 12-21-2007 05:21 PM

Strong action doesn't mean shit now it's happened, you have totally lost my confidence in your software, there has been a lot of talk everywhere about what's best NATS or CCbill, I think this turn of events has just answered that common thread topic!

TMM_John 12-21-2007 05:23 PM

Quote:

Originally Posted by tdfcash3 (Post 13548679)
Strong action doesn't mean shit now it's happened, you have totally lost my confidence in your software, there has been a lot of talk everywhere about what's best NATS or CCbill, I think this turn of events has just answered that common thread topic!

I'm sorry to hear that.

borked 12-21-2007 05:24 PM

Quote:

Originally Posted by Nysus (Post 13548628)
Not to bust balls, but hasn't the only indication so far been members who have signed up and cared enough to sign up with a unique email address to then determine they were receiving spam? That's a pretty rare thing to happen..

I'm wondering if you have or are going to contact the authorities?

tdfcash3 raised this point and a very valid one. European law for example is extremely strict and clear on this matter, and all programme owners anyway, but especially Europe need to take data security very VERY seriously. The end user of any software that implements personal data storage is ultimately responsible for the security of that data. Not TMM. Most all business software is closed source, so everyone in this industry needs to not be complacent that because XYZ is their software that it's secure.

It looks like NATS has a security hole which is/is being/has been closed, I dunno. But you all need to be taking your customer's data security seriously and checking login logs periodically. You, the user are ultimately responsible for that.

We are proactive on these matters, which is why we've been breach-free for some time now

TMM_John 12-21-2007 05:24 PM

I am out of town and getting on a plane shortly. This will be my last post in this thread for at least hours. Please submit tickets if you have any further questions.

tdfcash3 12-21-2007 05:29 PM

It seems clear to me until TMM sorts its issues out sponsors can either wait and see or move now, there's plenty of options that John seriously needs to address namely MPA3 and Epoch are looking like a better option right now.

DVTimes 12-21-2007 05:32 PM

Quote:

Originally Posted by borked (Post 13548692)
tdfcash3 raised this point and a very valid one. European law for example is extremely strict and clear on this matter, and all programme owners anyway, but especially Europe need to take data security very VERY seriously. The end user of any software that implements personal data storage is ultimately responsible for the security of that data. Not TMM. Most all business software is closed source, so everyone in this industry needs to not be complacent that because XYZ is their software that it's secure.

It looks like NATS has a security hole which is/is being/has been closed, I dunno. But you all need to be taking your customer's data security seriously and checking login logs periodically. You, the user are ultimately responsible for that.

We are proactive on these matters, which is why we've been breach-free for some time now

That's a good point.

I know firms in the UK facing BIG fines. I presume that websites based in the UK could also be subject to BIG fines.

Dirty D 12-21-2007 05:33 PM

Looks pretty widespread to me...

ShotGun 12-21-2007 05:34 PM

The scary thing is how easy MPA and Nats are to hack. The even scarier thing is both of those companies think their program can not be hacked. If they'd get off their high horse for a second they'd realize how many exploits each of them has, and they may be able to actually secure their script. Instead they are too busy getting drunk on their own kool aid.

Anybody thinking of buying Nats should read John's posts in this thread. Is that the type of guy you want to do business with?

ladida 12-21-2007 05:39 PM

Quote:

Originally Posted by tdfcash3 (Post 13548722)
It seems clear to me until TMM sorts its issues out sponsors can either wait and see or move now, there's plenty of options that John seriously needs to address namely MPA3 and Epoch are looking like a better option right now.

You think MPA doesn't have issues like this? Or any other software paysites use for that matter like the various number of CMS's? Ask around...

People in this thread are funny. No one cares about their security until it's either
a) posted on a public board
b) starts receiving complaints from members

tdfcash3 12-21-2007 05:42 PM

Quote:

Originally Posted by ladida (Post 13548758)
You think MPA doesn't have issues like this? Or any other software paysites use for that matter like the various number of CMS's? Ask around...

People in this thread are funny. No one cares about their security until it's either
a) posted on a public board
b) starts receiving complaints from members

so what options are left?

borked 12-21-2007 05:43 PM

Quote:

Originally Posted by ladida (Post 13548758)
People in this thread are funny. No one cares about their security until it's either
a) posted on a public board
b) starts receiving complaints from members

ehm, *cough* *cough* *cough*

damn, I'm getting a bad throat *cough*

AmeliaG 12-21-2007 05:46 PM

Quote:

Originally Posted by Why (Post 13546199)
NATS uses smarty and there are known exploits to smarty.

does your members area use any open source software? or on any of your servers whose IP is allowed into the nats database have any?

here is a scenario.... Open source forum/ticket/gallery software in members area(or on any other server) with a known exploit. maybe this exploit allows a hacker to upload code to your server, that code could allow a hacker to read every file on your system(along with anything else they might want to do), thus allowing them to find your DB settings. with those he can write his own script to read your entire database and print it out, email it, or otherwise return it to him. said hacker then uses said database info to make money spamming your members.

so next time you think it's NOT a hack job you might want to think again. until you understand how hackers work and how they get in, move around, get what they want and get out, you can't rule them out. doing so is just frankly silly. don't be so secure in your superiority.

How would someone go about finding where there was an exploit and getting rid of it?

DVTimes 12-21-2007 05:47 PM

Quote:

Originally Posted by borked (Post 13548770)
ehm, *cough* *cough* *cough*

damn, I'm getting a bad throat *cough*

sounds bad

have a drink of water.

ladida 12-21-2007 05:47 PM

Quote:

Originally Posted by tdfcash3 (Post 13548763)
so what options are left?

Care about your own security, or hire someone if you want to be secure. No other way. And even then, you are NOT going to be unhackable, you'll just patch things faster, close holes faster, and minimise the damage. Live with it, internet is like that.

Quote:

Originally Posted by borked
ehm, *cough* *cough* *cough*
damn, I'm getting a bad throat *cough*

You should get that cough looked at, especially if you meant to imply they weren't hacked...

ladida 12-21-2007 05:49 PM

Quote:

Originally Posted by AmeliaG (Post 13548781)
How would someone go about finding where there was an exploit and getting rid of it?

By hiring someone that's worth a lot more than what people in the industry think they are. Other than that, living in ignorance is possibly the best bet. What you don't know doesn't hurt you.

milan 12-21-2007 05:56 PM

Please see thread

http://www.gfy.com/showthread.php?t=779742

issue was known to them LONG ago but rather than notifying customers they preferred the scare tactics... called Caz and threatened to sue.

great way to conduct business. :2 cents:

RazorSharpe 12-21-2007 05:56 PM

Quote:

Originally Posted by ladida (Post 13548758)
You think MPA doesn't have issues like this? Or any other software paysites use for that matter like the various number of CMS's? Ask around...

People in this thread are funny. No one cares about their security until it's either
a) posted on a public board
b) starts receiving complaints from members

Your post is ignorance at its very finest. Most people here are not infuriated that the NATS script is hackable, they are infuriated, and rightly so, that the exploit may have been known to the developers for quite some time and nothing was done about it.

John's many posts have me feeling like a mug especially considering that he feels the problem was not widespread and he only informed certain clients who he thought it might have affected. Why not email all clients and request that they submit a ticket for an upgrade and have the TMM techs check it across the board? This could have been prevented if they had informed all clients from the get go.

Your mightier than thou attitude about how little and how much people know or don't know is what is funny about this thread.

...

SiMpLe 12-21-2007 06:05 PM

Quote:

Originally Posted by milan (Post 13548808)
Please see thread

http://www.gfy.com/showthread.php?t=779742

issue was known to them LONG ago but rather than notifying customers they preferred the scare tactics... called Caz and threatened to sue.

great way to conduct business. :2 cents:

Called Caz and threatened to sue for what - Letting people know about a serious exploit?? wtf

As the day goes on and more people keep coming to me saying "Thank You" it just keeps getting better and better. I'm at a loss for words right now. :disgust

borked 12-21-2007 06:08 PM

Quote:

Originally Posted by AmeliaG (Post 13548781)
How would someone go about finding where there was an exploit and getting rid of it?

http://corecoder.com/gfy/validate_access.jpg

Have your system admin monitor all admin accounts. By doing that you will have no more problems from this.

ladida 12-21-2007 06:08 PM

Quote:

Originally Posted by RazorSharpe (Post 13548812)
Your mightier than thou attitude about how little and how much people know or don't know is what is funny about this thread.

Seeing as you have no idea what I do, you're not only funny, but ignorant to that.

Fact 1. Several webmasters in this very thread knew about these issues. They ignored them knowingly (not the nats issue, the issues that their data is leaking)
Fact 2. Several webmasters in this thread have been notified of harvesting emails from their databases in the past and have chosen to ignore it (unrelated to the problem in the thread, but they have the holier than thou attitude)
Fact 3. There's a lot more webmasters on this board that know their databases are compromised and still choose to ignore it.

Now crawl back to where you came from since you have no idea what I'm talking about. Nats was once a good product while Nathan was around. I don't like John from TMM, nor do I like Garry from MPA, nor do I like any other software producer more than the other. I'm just stating facts. Facts you have no idea about.

Dirty D 12-21-2007 06:11 PM

Thank you for this thread.

A real eye opener... and answers a few questions about security that have recently come up!

spacedog 12-21-2007 06:15 PM

Hmm??

Here's something about your Fred Schank.

Scroll down to the 3rd post under service providers
http://www.getafreelancer.com/projec...rogrammer.html

"I am the lead programmer for a software company based in NJ. We design backend software for webmasters. I have done the majority of the programming on a CMS geared towards the adult industry. I am interested in finding a few projects to work on, during my free time"

spacedog 12-21-2007 06:21 PM

Can't post other forums, so here's screen cap.
http://i15.tinypic.com/6l171gx.jpg

TheSenator 12-21-2007 06:26 PM

Quote:

Originally Posted by spacedog (Post 13548859)
Hmm??

Here's something about your Fred Schank.

Scroll down to the 3rd post under service providers
http://www.getafreelancer.com/projec...rogrammer.html

"I am the lead programmer for a software company based in NJ. We design backend software for webmasters. I have done the majority of the programming on a CMS geared towards the adult industry. I am interested in finding a few projects to work on, during my free time"


let's see how far this rabbit hole goes...

RazorSharpe 12-21-2007 06:26 PM

Quote:

Originally Posted by ladida (Post 13548840)
Seeing as you have no idea what I do, you're not only funny, but ignorant to that.

Fact 1. Several webmasters in this very thread knew about these issues. They ignored them knowingly (not the nats issue, the issues that their data is leaking)
Fact 2. Several webmasters in this thread have been notified of harvesting emails from their databases in the past and have chosen to ignore it (unrelated to the problem in the thread, but they have the holier than thou attitude)
Fact 3. There's a lot more webmasters on this board that know their databases are compromised and still choose to ignore it.

Now crawl back to where you came from since you have no idea what I'm talking about. Nats was once a good product while Nathan was around. I don't like John from TMM, nor do I like Garry from MPA, nor do I like any other software producer more than the other. I'm just stating facts. Facts you have no idea about.

I didn't think I had to know you to be qualified to answer a post in which you blatantly state that all webmasters in this thread don't care about their security. You don't know me or what I do to be qualified enough to make an assertion like that. Why is it so many people, yourself included, seem to think that we should know them and if we don't know them or what they do we should "crawl back into our holes"? What is that all about? Did you develop some miracle drug? Stop apartheid? Maybe brought peace to the world? No? Then I don't give two fucks who you are to be honest .... Jesus, some of you twats have an awfully high estimation of yourselves.

...

DVTimes 12-21-2007 06:31 PM

This is going to be a loooooooooooooooong thread.

best get your sig spots in and pretend you have something important to say on the subject.

Looks like Xmas will suck this year for Nats.

borked 12-21-2007 06:31 PM

Quote:

Originally Posted by ladida (Post 13548840)
Seeing as you have no idea what I do, you're not only funny, but ignorant to that.

Fact 1. Several webmasters in this very thread knew about these issues. They ignored them knowingly (not the nats issue, the issues that their data is leaking)
Fact 2. Several webmasters in this thread have been notified of harvesting emails from their databases in the past and have chosen to ignore it (unrelated to the problem in the thread, but they have the holier than thou attitude)

OK, "agentGFY", stop the rumour-mongering right there and stop trying to be the big guy. Point me to a single post in this thread that shows a webmaster has known about this issue and ignored it? Or where one has been notified of harvesting emails and ignored it? Your "facts" are without substance.

There are A LOT of responsible programme owners in this industry, some are more conscious and aware about certain matters than others, and nobody has ignored anything.

garry 12-21-2007 06:36 PM

We did not plan to post in this thread since it had nothing to do with us. But ShotGun and ladida changed that and their posts need a reply from us.

Now I don't want to go into a discussion about whether this was a hack or an inside job. But ShotGun and ladida are correct when they say that any program is hackable. However, they are not correct when they say that we think that our program cannot be hacked. We are very aware of this, and have taken all available precautions possible and we continue to strive to keep up to date on what possible hackers try to achieve. We even hired two known hackers to try to hack in to our program, and on top of that when a prominent program moved over to MPA3 we had to have a 3rd party audit company go over the whole source code.

All of this and still I am not saying we are totally un-touchable. No one is. However, the last two years we have not had one report about any hacks, we have gotten plenty of hack attempts reported, but no actual breach. But maybe the most important thing is that when and if we do get any breach we stop everything else we are doing to fix and update all programs.

I can also guarantee you all that we do not have any one password working as master access to all MPA3 installs.

RP Fade 12-21-2007 06:36 PM

Quote:

Originally Posted by dustman (Post 13548850)
Thank you for this thread.

A real eye opener... and answers a few questions about security that have recently come up!

yeah seems it's overdue imo..

Ross 12-21-2007 06:44 PM

We were affected by this as well.... thanks to Razorsharpe for calling me today to bring this to my attention. We'll be talking to the NATS guys tomorrow and hoping to have this resolved. Nats isn't exactly cheap, I really shouldn't have to deal with problems like this.

SiMpLe 12-21-2007 06:50 PM

Quote:

Originally Posted by Ross (Post 13548948)
We were affected by this as well.... thanks to Razorsharpe for calling me today to bring this to my attention. We'll be talking to the NATS guys tomorrow and hoping to have this resolved. Nats isn't exactly cheap, I really shouldn't have to deal with problems like this.

And the list grows - "But its not widespread" pffff

Have a good Holiday people - It's family time :thumbsup

Trixxxia 12-21-2007 06:51 PM

I sure hope all the techs at NATS got their Xmas shopping done early - doesn't look like they'll have time this weekend.

I truly hope that Swiftwill being diligent with security, covered our ass with this.

ladida 12-21-2007 06:53 PM

Quote:

Originally Posted by RazorSharpe (Post 13548902)
Why is it so many people, yourself included, seem to think that we should know them and if we don't know them or what they do we should "crawl back into our holes"?

You sure yap'd a lot of nonsense in that post of yours, however, I don't think anything, unlike you. I know, since I have been shown emails where program owners have been notified, or I have notified them myself, and they ignored problem, until it is brought up in a thread like this for example (I didn't say ALL, nor did I mean you since I don't even know you). So again, think before you speak, or don't speak at all, at least don't attack the person you know nothing about.

Quote:

Originally Posted by borked
Point me to a single post in this thread that shows a webmaster has known about this issue and ignored it? Or where one has been notified of harvesting emails and ignored it? Your "facts" are without substance.

I don't have to point you anywhere since I don't owe you anything. I trade info, and you are not on my list of clients. Those that I speak of know it's them and they won't dispute my post. If they do, it'll get even funnier. I just stated how things are, whether you choose to believe it or not, it's your business, but I'm not gonna stand by when clueless people attack me for what I know.

Furthermore, there's a lot of backstabbing in this thread from people that supposedly "want to help". So nats got hacked. WOOO HOOO... What do you (or others in the thread) know exactly of the time that Mansion got hacked? Strongbox? Sitedepth? AdultWebware? Or any other shit that people use?
So some are furious that they have not been notified? LOL. Get a grip. Of course John is not gonna make a public statement their server is compromised (if it is), or that they have a problem in the code. It'd be a suicide. Same as when any other porn company gets hacked, you don't see a public apology here that people's emails/personal info got harvested do you? No, they fix the shit and move on (or don't even fix it and blame someone else). Or when software companies fix faults in their software on your server without you even knowing that it was a live exploit through which your server got hacked?

spacedog 12-21-2007 06:54 PM

Quote:

Originally Posted by Trixxxia (Post 13548968)
I sure hope all the techs at NATS got their Xmas shopping done early - doesn't look like they'll have time this weekend.

I truly hope that Swiftwill being diligent with security, covered our ass with this.

You don't really need a Nats tech to resolve this.

Re-read through the thread, as some users posted instructions on how to deny Fred from gaining access to the admin

pocketkangaroo 12-21-2007 06:55 PM

I would hope all of you who have been affected will contact the authorities about this. Whoever did this has to be somewhat knowledgeable with the industry. A run-of-the-mill hacker would have harvested the CC data as well as the e-mail data. The hacker knew what they could and couldn't get away with.

I'd suggest looking at the spam e-mails you received following the member signups. See if there is a common sponsor or theme to those spams. See if you can get the affiliate data from that particular sponsor. It shouldn't be too difficult to see who profited off this data.

Sebastian Sands 12-21-2007 06:58 PM

ccbill is coming out with their new cascading system right on time..

pocketkangaroo 12-21-2007 06:59 PM

Question for NATS sponsors. Would this have given them access to affiliate data? We promote a lot of NATS sponsors and store not only our business information but bank information and our password. I just want to know if they can see that and if so, we will change the payment method until the issue is resolved.

SubAms 12-21-2007 07:07 PM

Quote:

Originally Posted by spacedog (Post 13548880)
Can't post other forums, so here's screen cap.
http://i15.tinypic.com/6l171gx.jpg

So he works for TMM?

SubAms 12-21-2007 07:08 PM

Glad I don't use Nats


All times are GMT -7.