SmokeyTheBear

are there any nats sponsors who havent been compromised ?

seems like every sponsor who has commented has been compromised, just curious as to if anyone who runs nats that didn't get compromised by a nats employee's user/pass

__________________
hatisblack at yahoo.com

sicone

I find it odd that NATs insists on having admin access...


Doesn't NATs also own a pay site program (Teen Dolls)? Would seem to me that having a free list of verified emails of people who are willing to pull out their CC to join a site would be of great value to them.

Not accusing them of anything, just some food for thought

__________________

teksonline

hrmph, im hungry

iMind

threats of lawsuit in 10, 9 , 8 , 7 ...

SmokeyTheBear

i find it odd they would allow an employee one user/pass to get into every nats sponsor.

i find it doubly odd that nobody from nats noticed this account had been compromised before it was posted on gfy.

I find it even more strange that there are not any security measures in place that would have spotted this ( i.e. hourly logins from the same employee on almost every nats sponsor so far ) in laymans terms how an employye could log into several nats sponsors at the same time using the same account.

shouldn't any of these things raised more than 1 red flag ?

as far as affiliates are concerned , should we be worried we will now become targets of identity theft ? what plans does nats have on informing affiliates who's information might have been disclosed.

what information can any sponsors provide that might shed some light on what information is available to the nats employee's account that was used to login ? ( i.e. ss#'s ? passwords ? )

__________________
hatisblack at yahoo.com

sicone

sue for what.. pointing out the obvious conflicts of interest.

hope you didnt pay much for your law degree

__________________

OzMan

shit waddeye miss? ... time to search

dropped9

SmokeyTheBear

a nats employee's username was used to login and most likely steal information from quite a few nats sponsors. infact theres only one sponsor i have heard of using nats that hasn't been compromised , and only because they manually disabled nats employees from logging onto their server

__________________
hatisblack at yahoo.com

Gordon G

My god you are such a fucking idiot.

spacedog

A nats employee who last posted on the Nats board in August but then started posting elsewhere looking for freelance jobs in September?????

Gordon G

why anyone uses nats is beyond me

SmokeyTheBear

i wonder how many affiliates who used nats sponsors had their epassporte accounts stolen thru info obtained from this compromise ? it would explain the rash of epassporte thefts.

__________________
hatisblack at yahoo.com

spacedog

Not likely. Programs don't ask for your epass password.

Gotta be a real fucking idiot to be using same password everywhere in first place.

wtfent

Why the hell would they do that? So they can make a quick $10,000 and loose out on the millions they will make in the future with nats? I buy trials every now and then and if i saw them spamming me with their sites I think it would make for pretty huge drama that would spread within a week max. The Nats guys are all stand up guys.

__________________
ThisWillShockYou.com DVD Store - TWSY UNCENSORED
ICQ# 194020367 E-mail: shockingbucks(AT)gmail.com
Promote something different!! Shocking Bucks

SmokeyTheBear

do you think it would be easier to hack an epassporte account knowing all their personal information ?

also take into account that many sponsors created the epassporte accounts for their affiliates ( perhaps with the affiliates current password )

now obviously using shared passwords is a big no-no but thats beside the point. ideally everyone should have a deadbolt on their door , but i would think if your locksmith's key was used to get in you first look at the locksmith

__________________
hatisblack at yahoo.com

AlienQ - BANNED FOR LIFE

Stats and client information are the most coveted of things a program owner can have. Why people that use NATS chose NATS is pure stupidity.

I said it 3 years ago and I am still saying it.
People called me an idiot then, and will probably call me an idiot now for saying so...

And to this day I still say I told ya so.
No sympathy from me.

Dumb is dumb.

__________________

iMind

I was referring to John from nats, How he starts threatening lawsuits and using legal jargon to try and shut people up.

Gordon G

John and lawsuits have a ring to it lol

SmokeyTheBear

yer freakin nostradamus

i think many sponsors use nats because

A) its pretty easy
B) alot of other sponsors use it so for affiliates its easy to navigate.

those arent of course very good reasons , but understandable anyways.

having a standard sponsor software will always lead to troubles when you have a compromise like this .

__________________
hatisblack at yahoo.com

iMind

Alienq invented hacking nats

JOKER

Right on the fucking money.

Remember the TrafficHangar incident and how many have been affected?

Didnt see this thread at first, sorry...

Posted something similiar here as well:

http://www.gofuckyourself.com/showpo...&postcount=184

__________________
Facilitation - BizDev - Traffic - Consulting - Marketing
Skype: jokerempire | Silent Circle: joker

SmokeyTheBear

seems like a few sponsors would be glad to pipe in that their nats wasnt hacked unless everyone was hacked except those that banned nats employees access.

__________________
hatisblack at yahoo.com

V_RocKs

Epassporte hacks are usually someone using their Epassporte account password as their affiliate account password. The affiliate Db gets hacked and the hacker just has to trial and error his way through the DB...

Instant cash.

Then see where you bank if you are one of the wires types and use your password there too. Again.. easy money. Especially if the hacker can gain access to an account as the same bank... Transfer all your money with a few clicks...

Of course, every time this happens the guy who got fucked in the ass says he didn't use the same password. Yeah... Way to save face pall.. We all know you did. No use lying about it!

Brad Mitchell

oh jesus christ does NATS really store the affiliate passwords in plain text for an admin access user to view? Tell me that's not true. Please, really. Can anyone confirm?

Brad

__________________
President at MojoHost | brad at mojohost dot com | Skype MojoHostBrad
71 industry awards for hosting and professional excellence since 1999

SmokeyTheBear

i dont know about usally but i'm sure it happens this way quite often , but prob just as often it is other things further down the line , like once they know your epass account name = (affilid+sponsorname) + users real email they have ALOT more to go on even if the passwords are different ( besides having all your personal info needed to steal your identity )

gotta wonder how the "head programmer" of nats lost his password

you would think that would be a pretty important password to lose when it means you can backdoor every nats sponsor and walk away with a kings ransom in data.

you would also think it would be a pretty hard thing to miss for so long , the head programmers master backdoor is compromised and nobody notices a thing .

__________________
hatisblack at yahoo.com

rowan

Even if it's not plain text, it wouldn't take too long to brute force crack some common passwords such as 'coffee' or '12345'. As a bonus, they're probably the most likely people to use the same pass everywhere.

D

So, what I'm hearing is anyone using NATS who didn't disable TMM's access to their servers has the personal information of their entire user-base and affiliate-base compromised?

__________________
-D.
ICQ: 202-96-31

milan

Exactly!

__________________
QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
24/7 "REALLY ON-SITE" Support - Completely Premium Network
Public & Private Network, Remote Reboot, Private VLANs
99.99% Guaranteed Network Uptime / BGP4 Multihomed
24/7 LIVE CHAT, Phone and Ticket Support
1-888-5-QUADRA

Nails

Sounds like someone should be sueing Nats right about now.

D

Sorry I missed this before my first post in this thread... was kinda dumb-founded at the fact that I blew that thread off this morning as "another drama thread."

As of the last time we used NATS (a year ago), and as I can recall, all affiliate and user passwords, usernames, addresses, epass account names, etc. were stored in plain text.



Someone please correct me if that's not the status quo.

__________________
-D.
ICQ: 202-96-31

pocketkangaroo

Would this include banks and account numbers for wires/ACH? I'm just a tad worried that my company's banking information is sitting in the hands of a hacker right now. I'm hoping it's somehow protected though.

Also, what about stuff like SSN? My company uses a FEIN but I'm guessing some still use their SSN.

Doctor Dre

I'm in NO WAY saying Nat's are the one emailing the members... not at all. I think (to myself) with the answers we've seen here, it's pretty clear that John might be arrogant, but I doubt he's guilty of this one.

But having access to emailing 50 % + of the surfers paying for porn will bring a lot more money then $10 000. It's totally targetted surfers, the perfect list.

I'm sure lots of people could be willing to spend a tons of cash developping a technology to hack into that kind of data.

The webmaster epass stolen could also be explained.

__________________

SmokeyTheBear

my guess would be yes, if the account passwords were not encrypted then i dont know why they would encrypt the banking info.

besides if the password is there the hacker can just login with your account and see the banking info if its available in your settings.

__________________
hatisblack at yahoo.com

kmanrox

doh!!!!!!!

__________________
Crypto HODLr
Crypto mining
Angel investor

hateman

NATS is fucked

it has so many flaws

why sponsors use it is beyond me.

borked

No, members passes are cleartext by default. Affiliate passwords are two-way encrypted. What I don't understand is why the need for two-way encryption? To reset an affiliates pass if they forgot it in the backend is nothing, so 1-way encryption would have been far better. John posted in another thread that this is to be included in NATS4. Shame it wasn't sooner IMPO.

__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)

c0py-BANNED FOR LIFE

All I can say is SQL Injection.

quantum-x

Bang on the money.

quantum-x

They already have pending law suits.

k0nr4d

I've seen code by the tmm guys, i seriously doubt there are any sql injection issues in nats...

__________________
Mechanical Bunny Media
Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

uno

Panchodog has had the admin locked down via specific full IPs for a very long time now.

__________________
-uno
icq: 111-914
CrazyBabe.com - porn art
MojoHost - For all your hosting needs, present and future. Tell them I sent ya!

quantum-x

Then you're a bad coder.
It's just that simple.

jscott

Any input from NATS on this matter? I find this very disturbing, need a little reassurance please John

k0nr4d

preventing sql injection is not rocket science, buddy.

__________________
Mechanical Bunny Media
Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

quantum-x

Please don't patronize me. I've worked very closely w/ NATS and CARMA since they were in beta.
I have personally tested and proved SQL injections against NATS and CARMA [and dutifully reported them]. I have looked at the source of both, and literally just took a scroll through it again. There are exploitable areas. I haven't seen a mysql_real_escape_string anywhere in the code I saw, and 6 months ago, there were definite issues. HTML_special_chars / [and god forbid] addslashes and the ilk are not sql protection.

Check out - http://www.gofuckyourself.com/showpo...&postcount=218

I know programmers love to piss on each other, but the fact of the matter is that basically ANY script online is susceptible to attack, whether it be by the script itself, or the frameworks that support it.

borked

John said in this thread that he's emailing all NATS customers. You haven't received that email by now?

__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)

borked

Interesting...
How many people have access to the open source of NATS? Surely the only way to know where these exploits are, if what you say is correct, is to have access to the source.

How come you have access to the source?

__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)

k0nr4d

You may be right, or they may be doing their escaping in the nats_db_query function or relying on magic_quotes_gpc. I don't have access to the nats source, but I'm working on a project with TMM and from the cleanliness of their code, I doubt they would make some noobish mistakes like not sanitizing user input.

__________________
Mechanical Bunny Media
Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

quantum-x

A lot of exploits are found by brute forcing. Even public live distros like Backtrack have huge DBs of exploits you can just run over a site / server looking for penetration points.

I don't have the full source, I just have it for a few key files that were left on my server after a tech did an upgrade. TMM knows I have seen them, and I promised them to pass on any info I saw in there that might cause problems, and I have