Thousands of Adult Website Accounts Compromised
Keith writes "Tens of thousands — or maybe more — accounts to adult websites were recently declared compromised and apparently have been that way since some time in October 2007. The break occurred when the NATS software used to track and manage sales and affiliate revenues was accessed by an intruder. The miscreant apparently discovered a list of admin passwords residing on an unsecured office server at Too Much Media, which makes and maintains NATS installations for adult companies. It would appear that Too Much Media knew of the breach back in October, and rather than fixing the issue tried to bury it by threatening to sue anyone in the adult industry who talked about it." The article gives suggestions for anyone who opened an account at any adult website in the last several months.
Well, I guess that explains why it's so quiet around here.
rub this problem out in a hurry.
"Tens of thousands -- or maybe more -- accounts to adult websites were recently declared compromised and apparently have been that way since some time in October 2007."
Quick! Someone see if Taco's on that list.
For everyone who opened up an account on an adult website:
Usenet.
Hopefully I didn't put any [] around my words.
We are, after all, talking about pornography paid for with credit cards. The entity which lost these data is a clearinghouse for porn payments; its customers are the webmasters who run individual adult sites. Webmasters who, of course, have a vested interest in keeping this quiet. The fault was not theirs, per se, but the repercussions if this becomes public knowledge would bear heavily upon them.
In addition, it's porn. Individual end users cannot protest very much without either A: Admitting they pay for porn online or B: being the subject of askance glances and the occasional, "Methinks he doth protest too much." Some folks won't care, but the kind of people who actually have influence in the real world can't afford that kind of tarnish.
So, even if the worst happens and large amounts of private data are in nefarious hands, it'll all get dealt with quietly. The victims will sort it out in private with their banks, the webmasters will never speak of it, and the company itself probably won't feel much of a hit. If they really do have 90% market share, I doubt anyone else in the field is ready to just jump in and take over.
It's me, I'm the guy who hacked the passwords in the OP.
.. Oh boy, that *SUCKS*
To Terminate, or not to Terminate, that's the question - SCSIROB
There was a great disturbance in the geek community.
There are people who actually PAY for pr0n?!?
Contrary to popular belief, we don't all live in our parents' basements. Not all houses have basements. Also, I don't even have 500GB of total hard drive space. Anyway, it is relevant because it happened through the negligence of the person maintaining the originally compromised system. Had the person(s) responsible done their job in keeping the computer secure, the system wouldn't have been compromised. Thus, it serves as warning to all of us, that if we present a sufficient target, we must be proportionally vigilant at protecting the systems under our stewardship.
>so tell me again why this is relevant.
We'll tell you as soon as you tell us what "supposubly" means.
"The article gives suggestions for anyone who opened an account at any adult website in the last several months"
Nice way to create paranoia for those of us who run secure adult websites. Thanks.
"pwned" becomes "pr0ned"?
Operation Guillotine is in effect.
"Or even better find two women, impress them both with your wealth and power at the same time."
The guys who run Piratebay must get laid a lot.
After you buy it, you go to a web site from the card vendor, enter the card number and security code, and then set the user name and billing zip code. Then go wild (well, to the extent that you can go wild with $50...). Here's one such card that is available at a lot of places.
There are also cards that you can refill from your "real" credit card, but then you are easier to trace. Might as well use a non-refillable card, purchased with cash. That way, if "all models 18 or over, proof on file" turns out to not quite be true, no credit card that can be tied to you will be in the site's records. :-)
If that's not a concern, though, and you are just trying to limit exposure of your real credit card, then go ahead with the refillable cards. In fact, there are even some that are purely online. They don't provide a physical card. You just go to their site, sign up with your credit card, and they give you a credit card number to use online, with a limit of whatever you want to transfer from your credit card. Here is one such virtual card.
NOTE: some gift cards cannot be used for porn or gambling, so choose appropriately. And some can be so used, but add a surcharge for porn.
Thank god for BitTorrent. Get all your pr0nz and don't even need a user name. Sometimes being an anonymous coward has its advantages.
Of course, really, unless there is someone with a high-profile in that list accessing some really really naughty stuff, this breach won't affect the average Joe Blow out there.
The game.
... more penetration testing
Well, I see a few Pink Tacos...
Just -1, Troll talking to another.
I work in adult, and have worked with this CMS very closely for the last 2 years.
I'm not on anyone's side, but unfortunately this problem has been surrounded by a lot of misinformation.
It is interesting and rather important to note: The poster of the blog article is an absolute douchebag. I'm not happy with the situation obviously, I had my own system compromised, but this guy is an idiot on a warpath - 95% of what's written on his blog is off in the fairyland.
He fails to mention that he's hated by the industry, mainly for the reason that he posted 300 username / password combinations of webmasters publically, which resulted in a lot of them having money stolen from online accounts, etc.
More intelligent ramblings from this guy: My Guide To Tax Evasion - Why The Unibomber was right
Summary: The breach was real. Scope seems to be limited ONLY to member data. Signed up? Expect some spam. Signed up with a password that you use on all your accounts? check your head, change the passwords.
Read more about our friend "minusonbit" - here - on an industry forum and judge for yourself.
The real kicker is that every one of our customers that use NATS have been complaining that their affiliates (people that send traffic to them) are being spammed on one-time-use addresses they only typed into NATS. TMM told them that it was our systems that had been hacked, even after we submitted detailed information to them.
Our customers are not happy.
Ah, it IS a very merry Christmas after all. Santa brought me some KY Jelly and some Kleenex. Time to reap the rewards of poor security.
I am the guy who wrote the story.
I have already been threatened with a libel lawsuit by a senior executive of Too Much Media for publishing this. I published it anyway. They are still making lawsuit threats http://www.gfy.com/showpost.php?p=13561241&postcount=418. I honestly do not care about their threats, I will continue to give media interviews and I will continue to push this story out there. Because people need to know what the industry does not want to tell you.
Go ahead and do what the other poster recommends. Go to GFY and look up "minusonebit". You'll see that I am not well liked within the industry. It's a good thing I am not in the industry to make friends with people therein. I have a growing following of trolls and bashers who are trying everything to tear me down because I have told it like it is. I went to GFY to grow a venture I started. I have been around there a while and I have seen a lot of BS go down but this takes the cake.
The adult industry would love to sweep this under the rug. They have already directed everyone here to try and do damage control, to vote this down or do whatever they can to keep it from spreading. I don't think that's the way it should be handled so I have spent most of the weekend making sure that this story gets out and people The industry has also been telling me how http://www.gfy.com/showpost.php?p=13561426&postcount=12 this story won't last here because apparently the ownership of Slashdot has an interest in NATS.
Yes folks, people still do buy porn. Not everyone uses the torrents. But this is your credit card information that they couldn't care less about. They tried to cover it up. They are still trying to cover it up! They still have not notified the customers. Please people, flush this toilet. Write to your elected officials and your banks and demand action. This is not the first time that the industry has suffered a breach. But it hasn't been publicized like this one. This is not how all of the adult industry wants to do business. Some people want to bury this as well and have business as usual. But some of us welcome a chance to clean this mess up and restore respect to the profession.
I STAND BEHIND MY REPORT. I CHALLENGE ANYONE TO DISPROVE IT.
Just WOW. Even if this person had a legitimate point about personal data being stolen, his credibility just went down the pan.
:)
I don't live in the USA but I presume Keith Kimmel does. If I did live in the USA I'd be wary about posting this information in public forums. He admits to tax evasion, not just a few undeclared dollars but big-time tax evasion. He admits to supporting terrorism - "It's unfortunate that people had to die so that his message could be heard, but I think in the end it was a worthwhile cost to society."
I hope he looks good in orange
I do not admit to tax evasion. I posted a guide on how people might avoid being coerced into illegal taxes. I don't support terrorism. I support freedom and the end of government control over things they have no business controlling, but THAT is a topic for another day.
As has been clarified on GFY several times, I did NOT post anyone's passwords anywhere. I linked to a Google cache of about 300 of them that was exposed due to another one of this industry's miserable failings in the security area - a poorly designed admin area that did not censor the passwords that got stored in Google. And I covered that on my blog as well. I have never heard the end of that because other people in the industry were upset that another dirty little adult industry secret made it out for everyone to see. You can see what I wrote at the link below - including the link to the now removed Google cache. http://www.icwt.us/index.php/2007/09/30/privacy-of-adult-webmasters-breached-by-google-search-poor-security/ Opinions are like anuses. Everybody has got one. Plenty of people don't like me. Good for them. I honestly could not care less. Yes, I am pretty much universally hated in the adult industry. That's what happens when you poo poo on everyone in a public manner. But as I have said many times before I do not care and after this is over, the industry will be better because of what I have done. No one will ever do something boneheaded like this again because this one is going to cost some people their livelihoods and adult websites are going to suffer a hit in the PR department which sadly is a necessary cost to make sure that this does not happen again.
I've seen estimates that as many as 95% of adult sites use NATS and that is just patently not the case. First of all, only sites which have affiliate programs would have any use for NATS at all. Many site owners who have affiliate programs use one of the half dozen other major affiliate program solutions out there or use a custom software solution.
I can personally vouch for the fact that neither BlueBlood.com nor SpookyCash.com nor any of their subsidiary or partner sites have ever implemented NATS in any way.
If, during the time of the alleged NATS security breach, you bought a membership to an adult site, the odds are that no vital data of yours was harvested. If you happened to buy from a site using NATS and anything was harvested, it was probably only your email address. Which sucks, but does not mean you need to cancel your credit cards and checking account. Some industry insiders allege that NATS knew about the data security breach and ignored it, some say NATS thought they had successfully fixed the problem, and some say there was no technical data leak and NATS people were the ones spamming. The specifics do not matter all that much to me because I don't personally use their software and I'm resigned to being spammed. Your credit card info is probably safer at an adult site than most places on the net because adult industry tends to lead technological advances in media.
I do think it is important for people to understand that a site's members are vital for the site to continue. If you like the kind of content a site is posting, buying a membership is the most effective way to keep that kind of content being produced. It might seem like your few dollars, plus or minus, would not make that big a difference, but it really does. It is basically voting with your wallet for what you want to exist and flourish.
chick-in-charge at Blue Blood
Thats about the sum of it.
The MinusOneBit Guide to Tax Evasion
And the kicker:
If You Cheat on Your Taxes and Get Away With It... Do the Right Thing...
E-mail me at minusonebit@gmail.com and tell me how you did it so I can spread the tip to others.
Well, I'll freely admit that I'm easily amused.
Some banks offer one-time credit card numbers that you can just generate dynamically over the web. Unlike gift cards, they don't cost extra, you don't have to prepay, and you can get them in any amount you need.
I hope this is the beginning of a trend: hack all adult sites and cause them as much trouble as possible. The world doesn't need that filth.
Besides, it would be payback for taking over all of the home computers in their attempt to sell their crap.
Fata viam invenient.
More and more frequently it seems that the first patch to be applied to broken software like this is a legal patch.
me. --a by-product of public education
Now, I've never actually bought porn before, but assuming that porn sites work like every other ecommerce site in existence, the credit card number is most certainly entered into a form that's sent to the web server of the porn site. And if the web site has been compromised by a shell account that has permissions to modify the website software (like, say, it has been), then the credit card numbers of anyone who has signed up since the breach are likely to have been stolen.
Which is exactly what was reported. I'm not happy with the situation obviously, I had my own system compromised, but this guy is an idiot on a warpath - 95% of what's written on his blog is off in the fairyland. You gave a privileged SSH account to a third party, what did you expect?!
Secondly, the blog is titled "In Corruption We Trust" and referred to "the PSA (Police State of America)" - I was already expecting it to be off in la-la land. Scope seems to be limited ONLY to member data. Seems? So even you admit you don't actually know whether credit card numbers were stolen.
I'll bet you some were stolen. Any account opened since the breach or that used a recurring payment scheme should check to make sure their credit card wasn't stolen.
The links in the parent to www.gofuckyourself.com aren't safe to open at work or in front of more conservative family members. Otherwise it is a very informative post.
Thank you.
Heh.
Now, I've never actually bought porn before, but assuming that porn sites work like every other ecommerce site in existence, the credit card number is most certainly entered into a form that's sent to the web server of the porn site. And if the web site has been compromised by a shell account that has permissions to modify the website software (like, say, it has been), then the credit card numbers of anyone who has signed up since the breach are likely to have been stolen. It actually doesn't work like that.
NATS, the software in question here, acts as a gateway to the payment processor. CC information is never entered or passed through NATS.
It's just the same as when you make a purchase on a website through paypal. No CC information is ever given to the site, all they receive is a postback. That's exactly the situation here, CC data is stored on the processing servers, and is completely distinct from this mess.
It was reported that CC data was stolen, or may have been but this is entirely untrue as you can see above. You gave a privileged SSH account to a third party, what did you expect?! No, I didn't. The accounts were NOT ssh accounts, they were logins to Web UI systems. Seems? So even you admit you don't actually know whether credit card numbers were stolen. I do. CC numbers are not stored on this system [I sound like a broken record]. When I say 'seems', I mean that the hacker did not try to take any other information, such as affiliate information, statistics information, or anything else stored in NATS, the software in question. I'll bet you some were stolen. Any account opened since the breach or that used a recurring payment scheme should check to make sure their credit card wasn't stolen. Rubbish. This information is not stored in the software or on any of the servers. You can 'bet' all you want. I'll take you on that wager, because you're posting and not knowing what you're talking about.
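The postback model described in the post above (the site never sees card data, it only receives a notification from the processor) is the reason the "only member data" claim is even arguable. As an added example that is not code from the thread, from NATS or from Too Much Media, here is how a site-side postback receiver should behave in that design: authenticate the message, accept only the fields it expects, and refuse to store anything that looks like a card number even if a misconfigured processor sends one. The wire format (form-encoded body, HMAC-SHA256 over the raw body, the field names and the shared secret) is assumed for illustration; a real processor documents its own.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Shared secret agreed with the processor out of band. Placeholder, not a real value.
SHARED_SECRET = b"replace-with-a-real-shared-secret"

# The only fields the site expects to learn. Card numbers are deliberately not on
# this list: in the design under discussion the processor keeps them, not the site.
ALLOWED_FIELDS = {"txn_id", "status", "amount", "currency", "member_email", "site_id"}


class PostbackError(ValueError):
    """Raised when a postback must be rejected instead of acted on."""


def sign_postback(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the raw body, hex encoded. The processor computes this on
    its side; the site recomputes it to check the message is genuine and unaltered."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def _looks_like_pan(value: str) -> bool:
    """Rough check for a primary account number: 13 to 19 digits once separators go."""
    digits_only = re.sub(r"[ -]", "", value)
    return re.search(r"(?<!\d)\d{13,19}(?!\d)", digits_only) is not None


def handle_postback(body: bytes, signature: str, secret: bytes = SHARED_SECRET) -> dict:
    """Verify and parse one postback; return only what the site is allowed to store."""
    expected = sign_postback(body, secret)
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, signature):
        raise PostbackError("signature mismatch; dropping postback")
    fields = {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}
    unexpected = set(fields) - ALLOWED_FIELDS
    if unexpected:
        raise PostbackError(f"unexpected fields {sorted(unexpected)}; nothing stored")
    for name, value in fields.items():
        if _looks_like_pan(value):
            raise PostbackError(f"field {name!r} looks like a card number; nothing stored")
    for required in ("txn_id", "status"):
        if required not in fields:
            raise PostbackError(f"missing field {required!r}")
    if fields["status"] != "approved":
        return {"txn_id": fields["txn_id"], "activated": False}
    return {"txn_id": fields["txn_id"], "member_email": fields.get("member_email"), "activated": True}


def accept_postback(body: bytes, signature: str, secret: bytes = SHARED_SECRET):
    """Non-raising wrapper: the record to store, or None if the postback was rejected."""
    try:
        return handle_postback(body, signature, secret)
    except PostbackError:
        return None


if __name__ == "__main__":
    # Constructed sample notification, as the processor would send it after a sale.
    body = (b"txn_id=tx_7f3a&status=approved&amount=29.95&currency=USD"
            b"&member_email=member%40example.com&site_id=42")
    print(accept_postback(body, sign_postback(body)))
    print(accept_postback(body, "0" * 64))  # forged signature: None
```

The record returned is all the site keeps: a transaction id, a status and the member's e-mail. That is consistent with the thread's observation that e-mail addresses, not card numbers, are what an intruder with a NATS admin login could harvest.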
... all those ads for "STOLEN PASSWORDS!" were just a hoax.
HAHAHaHHAHAH "Penetration"!! Hehehehehehe omg rotflmao
-- 'The' Lord and Master Bitman On High, Master Of All
I can't help it; business talk gets me excited ;-)
chick-in-charge at Blue Blood
I'm tired of getting jerked around by these folks.
sig has been sent away for a few small repairs...
I have a small Notice of Retraction that I am legally obligated to publish here: Official statement from Keith/ICWT: "Finally, it has been brought to my attention that NATS does not enjoy 80% to 95% market penetration as was originally reported here. Instead, that number is more like 35% to 40% of all porn sites online today, according to an industry source who requested that I not name him. I am very sorry for implying that Too Much Media was more successful than it really is. ICWT and I both regret the error."
Not sure who the biggest douchebag is here, but since you're a top poster, magic eight ball is leaning to you....
Supposubly is the indecisive act of stuffing a suppository, or possibly not. It just depends on the mood. Supposubly.
Thanks Santa!
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
It's a good thing I use virtual credit card numbers for the exact price. For me it's a, "Nothing to see here, move along" Your credit card agency provides virtual credit card numbers? Right? Best thing since sliced bread...
somebody has to support the artists
...with hacked passwords!
Huh?? Unless I'm passing off the user to a third-party page to enter credit card information, what's to stop me from saving the CC info for my own convenience? Lots of companies (majority?) have you enter CC information on their own pages. I would expect a porn web site to be even more careless with such information.
The effing bible? Which translation is THAT? Must be some kind of Hindu text if it includes the teaching of karma.
You would, but you'd be wrong.
In all examples I can think of, and definitely in the question of this software, the CC processing is passed to a processing company.
I can't think of any sites off the top of my head that don't pass the person to the 3rd party page for processing.
... There is a staggering amount of people not using condoms anymore !
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
if you think you may have been affected by this tragedy, I have been chosen by the industry to assist you. Please email me with the site you've subscribed to, your assigned login and pass. I can be reached at internetis4porn@bugmenot.com
I will be happy to help as quickly as possible.
This is posted too late to actually matter (Merry Christmas, everyone!) but the information doesn't have to wind up on the server to be stolen.
All it has to do is go either through the server or on the same network as the server to be compromised.
Now someone might cry "encryption!" but don't forget, if the webserver is compromised, what's to prevent the attacker from gaining access to the billing server?
And just because the information isn't supposed to be stored on the server, doesn't mean that after its been compromised it can't have been altered to store the information.
So unless you've verified that no credit card information is ever stored on the server in any way, you can't say that no credit card numbers have been stolen.
Let's just put it this way. A paranoid anti-government freak on the internet is far more credible than an online pornographer. The adult web industry is responsible for more spyware, more dialers, and more spam than any other industry in the history of the Internet.
I cried real tears when Li Mu Bai died.
Those who watch pr0n should try a safer activity, like getting out of the house once in a while.
It's exactly the same situation here.
This makes me wonder about all those times in South Korea that I paid for a hooker with a credit card. Yes they take Visa in Seoul.. Now I have to worry about all of those adult websites I subscribed to as well in just the past few months? That must be damn near a thousand, and counting. What is this world coming to?
I don't know where you are, so this may not be applicable. I'm in Texas. We have Ace Cash Express stores (check cashing places, mostly) all over the place. You just walk up to the window and ask for a gift card and tell them how much money you want to put on it, up to $250. The cost is $5 over the amount on the card.
Here's a tip: If they start asking you for identity information (name, address, etc.) they've misunderstood your request and are trying to sell you a reloadable credit card. If you want an *untraceable* credit card for online purchases, you want the *gift* card, not the *reloadable* card. At least a third of the time, the clerk misunderstands my request and I have to correct him/her. I get the feeling they sell lots of reloadable cards and not very many gift cards.
Thank you for reminding me why I never respond to ACs. ;)
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Did this tracking software have a leak of information? Yes it did, but it was nothing more than a harvest of emails using a stolen admin password.
The administrators of this tracking software called NATS maintain a password to access the installation of the tracking software to maintain support & upgrades. This password was compromised by methods unknown and was used by spammers.
NO PRIVATE CONSUMER INFO WAS COMPROMISED!
NATS DOES NOT RECORD, NOR STORE CREDIT CARD OR CHECKING INFORMATION!
The only persons whose private info may have been compromised are the webmaster affiliates of programs using NATS as it maintains SSN & sometimes bank wire info, for payments to the affiliate.
Anyone seriously interested in the whole story should look into Keith Kimmel as nothing more than someone fabricating misleading & deceptive information due to his personal vendetta against John Albright & Too Much Media in retaliation for an implied threat of legal action by TMM for LIBEL!
As far as his & other people's claims of so called sweeping this under the rug, that is complete bullshit. We as adult webmasters only wish to make sure that consumers & others have CORRECT & ACCURATE information regarding this as Keith Kimmel's claims are erroneous with intentionally deceptive & misleading information.
Best.
/everyone/ who decries these sites as filth and filth magnets and breeders of perversion should go get a fucking job instead of playing Nanny to those who are obviously intelligent enough to type in a URL or a search term in Google. Such people are obviously intelligent enough to know what it is they're looking for and the nature of the less savoury of search terms. If they or others around them are concerned at what they're looking at (I know of a few people who use third party tools to limit their /own/ searching) then they use something like netdog or netnanny to limit the types of content that makes it to their consoles. We can perform self-censorship. We don't need nannying by our government or by lobby groups, and least of all by the fucking church!
Thread.
Ever.
On topic: Given the nature of adult content sites, particularly subscription sites, do you not think that they would employ not only industry-leading security, they would be at the forefront of making sure that the systems they employ are more secure than NORAD, by virtue of the fact that they presumably also lead the industry in network security research?
Now off topic again; I'm all for adult content sites; it keeps the perverts off the streets and where we know we can keep an eye on 'em (keep the troughs full and the pig'll never lift his head). Everyone, and I mean
Operation Guillotine is in effect.
Wow, amazingly enough, it would appear that the best and brightest do not, in fact, work in porn. Whoever would have thought. I'll say this as simply as possible, but given that it's been said multiple times and you've failed to grasp it I doubt it will matter:
Just because the credit card data "isn't stored" doesn't mean it can't have been captured.
See, just because the credit card information is supposed to be entered on a different site doesn't mean it actually is once the original site has been compromised. Even if it still moves to the other site, there's nothing stopping the original site from using a variety of XSS attacks to gain access to the credit card numbers.
In short, there's no way you can claim that it's "impossible" for the credit card numbers to be accessed. They could be, using a variety of techniques that any competent web developer would know about, although competent web developers presumably get real jobs instead of being stuck working for pornographers.
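Two posts above (the "doesn't have to wind up on the server to be stolen" one and this one) make the same point: a join page that hands the visitor off to a processor is only safe while the page itself is unmodified. The practical answer for a site operator is to check that, and the check is cheap. The following is an added example, not code from the thread, from NATS or from any site named here: it parses a join page, confirms that every form posts to the site itself or to the expected processor host, that every external script comes from an allowed host, that the number of inline script blocks matches the baseline, and that the page's hash matches a known-good copy. The host names and the two sample pages are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageRefs(HTMLParser):
    """Collect form actions, external script sources and inline script blocks."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_srcs = []
        self.inline_scripts = 0
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_inline_script = True

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data; count each block once.
        if self._in_inline_script and data.strip():
            self.inline_scripts += 1
            self._in_inline_script = False

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def page_sha256(html: str) -> str:
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def _host_of(url: str, own_host: str) -> str:
    host = urlparse(url).hostname
    return (host or own_host).lower()  # relative URLs resolve to the site itself


def audit_join_page(html, own_host, allowed_hosts, baseline_sha256=None, expected_inline_scripts=0):
    """Return a list of findings; an empty list means the page matches expectations."""
    findings = []
    if baseline_sha256 is not None and page_sha256(html) != baseline_sha256:
        findings.append("content hash differs from baseline")
    refs = _PageRefs()
    refs.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {own_host.lower()}
    for action in refs.form_actions:
        host = _host_of(action, own_host)
        if host not in allowed:
            findings.append(f"form posts to unexpected host {host}")
    for src in refs.script_srcs:
        host = _host_of(src, own_host)
        if host not in allowed:
            findings.append(f"script loaded from unexpected host {host}")
    if refs.inline_scripts != expected_inline_scripts:
        findings.append(f"{refs.inline_scripts} inline script block(s), expected {expected_inline_scripts}")
    return findings


# Constructed sample: the page as deployed, posting to the processor, no inline script.
CLEAN_PAGE = """<html><body>
<form action="https://pay.processor.example/checkout" method="post">
<input name="site_id" value="42"><input type="submit" value="Join">
</form>
<script src="https://www.site.example/static/join.js"></script>
</body></html>"""

# Constructed sample of what the audit should catch: the form now posts elsewhere
# and an inline script block has appeared. The script body is a placeholder comment.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "https://pay.processor.example/checkout", "https://unexpected.example/collect"
).replace("</body>", "<script>/* placeholder for an injected block */</script></body>")

if __name__ == "__main__":
    baseline = page_sha256(CLEAN_PAGE)
    print(audit_join_page(CLEAN_PAGE, "www.site.example", ["pay.processor.example"], baseline))
    print(audit_join_page(TAMPERED_PAGE, "www.site.example", ["pay.processor.example"], baseline))
```

Run it from a host other than the web server (a compromised server can lie about its own files), fetch the live page over HTTPS, and alert on any non-empty result. The hash check alone catches every change; the host checks tell you whether the change is the kind that matters.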
Buy.com, Amazon.com, Paypal.com, netflix.com, your-favorite-shady-webhost.com, walmart.com...
For one, I'm talking about adult. The scope of the article is in adult, after all.
For two, Paypal is a processor. They retain data, but the sites that use them as a processor DO NOT. Johnny Geocities never gets passed the CC info on who donated to his blog, no matter how insecure his security is.
Exactly like what happened here..
Keith Kimmel, one of three men charged with the theft of more than $200,000 in Ameritech equipment this summer, identifies himself with Martin Luther King Jr. as he fights for consumer rights to low priced telecommunications services and free access to proprietary information about how devices work. Such ideas might be typical of people claiming to be "hackers." But Kimmel's parents suggest his alleged actions may be related to a psychiatric condition. Police arrested Keith Kimmel on July 29, along with two other Mishawaka men. Kimmel, who is president of the South Bend Hackers Club, was charged in July with two Class C felonies in connection with the break-ins.
http://www.newsbits.net/2000/20001102.htm
Why weren't the passwords encrypted? That's an extremely foolish thing to do. They could at least use a 1-way encryption.
Favorite username: admin'--
This is just another sign of how far slashdot has fallen. It used to be that slashdotters had an understanding of how shit worked, and Archon wouldn't need to explain this beyond saying that the billing system was not compromised.
It's not offtopic, dumbass. It's orthogonal.