NATS Security Problem May Not Be New

FREEHOLD, N.J. - Too Much Media maintains that unauthorized access to clients' installations of its NATS back-end management system only occurred recently and was not widespread, but some affiliate-program owners say the apparent security hole in the software has existed for at least a year.

One program owner who asked not to be identified because he feared retaliation from TMM said he discovered evidence about 18 months ago of possible unauthorized access using an administrative-level password belonging to TMM.

Another said his network of Web servers developed severe performance issues "over a year ago." He said investigation by his hosting company revealed repeated access attempts by someone using a NATS admin-level username and password.

"The servers were going down like 10-15 times a day," he said. "Our hosting company stabilized them and secured them by blocking IP addresses, unnecessary requests, et cetera. They said it had been hacked [by someone] in the main office."

The program owner and representatives from his hosting company reported the issue to TMM during a conference call while they were involved in the problem-resolution process. He said he thought everything was fixed until reports detailing similar issues began surfacing during the final week of December on popular adult-industry forum GFY.

"When everything hit the boards, we went back to check [our server logs] and found the same admin account trying to access our servers every hour," he said Friday. "The IP [address] block was the same one that was blocked over a year ago, so [the person using the account] couldn't get in. It is slowing down the servers a little bit, but they're not actually getting in."

The same can't be said for other NATS clients, however, even those who thought they had eradicated all default settings supplied by the developer.

"We didn't have any [NATS-based] clients who were not affected," MojoHost owner Brad Mitchell told AVN Online, adding that he and his technical-support staff resolved unauthorized-access issues for clients over the weekend before Christmas. Only one MojoHost client had been apprised of the situation before then, and that client fixed the problem without MojoHost's assistance, Mitchell said.

"It didn't take as much time as I anticipated," he added. "In a situation where there's a security flaw, your first priority is to protect yourself and your clients."

Although NATS is said to be a "closed system" from which even administrative-level users cannot access the rest of a server, Mitchell said it's safe to assume all NATS data on systems the assailant accessed has been compromised.

According to NATS clients, that data includes all financial-reporting information and affiliates' and consumers' personal information, excluding credit-card data. According to a prepared statement by TMM partner John Albright, NATS "hands off" consumers to secure financial networks before they enter credit-card information.

On Wednesday, Albright took exception to any implication that Too Much Media sought to hide the problem from its clients or failed to respond quickly and thoroughly.

"First, no one from our organization has ever claimed this to be a new issue," he told AVN Online. "We have said on several occasions that we were aware of a problem a few months ago. At that time, we were confident we had a way to fix the issue and that we could determine those clients that were affected by it. We did what we believed would resolve the problem and notified the clients we knew had been affected.

"There is nothing to indicate this issue goes back as far as 18 months. As with any software program, security is an ongoing battle and there have been issues in the past. I doubt whatever issue [the confidential source] is referring to is related."

Furthermore, Albright noted, "this issue has not caused any performance issues on any clients, and it would certainly not cause servers to go down."

The program owner whose servers crashed a year ago said the IP addresses, username and password employed in the most recent attacks were the same ones his hosting company banned at the time of the initial assault, which he said had an effect similar to a denial-of-service attack. DoS attacks usually are malicious and consume so much of a server's resources that they often make websites unavailable and can disable entire systems or networks.

"Just because there was a DOS attack a year or two ago and we had a hacker last week does not mean they are in any way related," Albright said. "Everything we have seen points to an email-harvesting operation.

"This issue has been far less widespread than many people have indicated. There were security features in place in NATS far prior to this, which, when used by a client, would have prevented [the breach]. Many clients took advantage of these features and thus were not affected by this incident, as well as the fact that many clients disabled the admin account we maintained for support, as it was not required. Regardless, our policy is now that we will no longer be keeping any passwords."

External evidence of NATS data leakage began surfacing about eight months ago, affiliate-program owners said. Suddenly, website members began complaining about receiving unsolicited email the program owners denied sending. By tracking the spam, the program owners discovered that someone had gleaned the information from within their NATS databases.

"We noticed that some of our [in-house] email addresses were getting spammed - 30-plus per day per email account," Atlas Multimedia Director of Operations Christian Amico told AVN Online. "The spams were for other adult sites. We did a bunch of research and found out they were coming from NATS.

"So far, the only data that has been used is the surfer email addresses that are collected in NATS; these addresses were spammed. This can potentially be millions - if not more - of email addresses. Some companies do thousands of sign-ups a day, and there are about 500 NATS installs [according to TMM]."

On the black market, email addresses can be sold for 20 cents to several dollars each. Affiliate-program owners are worried their customers' email addresses have been sold to "professional" spammers who now may be violating U.S. law by sending unsolicited email messages advertising porn.

A program owner who asked not to be identified said he was angered by the discovery that someone was spamming his members.

"I've never in my life sent out an email to members - ever," he said. "We only email our affiliates maybe once a month."

The experience - which he said has cost him time and money - convinced him to abandon NATS for another commercial affiliate-management program.

"I'm thinking [this apparent security breach is] really bad for our industry," he said. "There are some of us that have worked really hard to make this industry a trusted source. It's a real business, like General Motors, and we have employees and families to support.

"The people that decide to stay on [NATS] kind of worry me. How can you trust someone after this?"

Another program owner who wished to remain anonymous said he lost so much faith in NATS and TMM over the customer-spamming behavior adopted by "whoever compromised the system" that he abandoned NATS in favor of the free back-end management software provided by his Internet payment service provider. He expects to have a new proprietary back-end system installed by April 1.

But Amico said his faith in NATS and TMM hasn't been shaken.

"This issue is and could be very serious," he said. "I really don't think NATS had any part of stealing the info, though. Someone probably just figured out how to exploit an area that was not secure enough."

As for his fellow NATS clients, Amico suggested that they change any passwords associated with or stored in their NATS installations and block any IP addresses except their own from logging in at the admin level.

"NATS realizes they made a mistake," he said. "I'm sure the shock factor was very high at the time."

It was, according to Albright, but he said his company reacted promptly and appropriately.

"I have spoken with many of our clients over the past two weeks," he said. "All of them have been very understanding and very supportive. They understand that we were the first victim of this crime when our systems were hacked."

The National Information Infrastructure Protection Act of 1996 made computer hacking a federal crime punishable by 10 years to life in prison, depending on the value of the information taken, the illicit use to which it is put and the commercial value of the data. According to an analysis of the law by the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, "the crime becomes a felony if the offense was committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any [s]tate, or if the value of the information obtained exceeds $5,000."

Albright would not comment on whether his company is working with law enforcement to track and prosecute the person or people responsible for the recent security issue.

"That is all being conducted under the advisement of counsel, and we aren't commenting on it at this point," he said.