
Thread: Rational Explanation Please...

  1. #1
    Words paint the real picture gaystoryman's Avatar
    Join Date
    Apr 2004
    Location
    western canada
    Posts
    2,151

    Rational Explanation Please...

    Let me preface this with a simple disclaimer. I am not a program owner. NATS and the other stuff is all Greek to me. However I am an affiliate of sponsors who do use NATS, among others.

    It also seems that some webmasters are unperturbed by the whole NATS issue, while others are nearing a state of declaring all out war. Name calling, useless threads about who said what, or is doing what simply makes the issue more obscure and confusing, so could someone, without disdain explain a few things to a simple blond old man, like me?

    1. What information has been put at risk? One thread said name, address, and email, but others are claiming far more, such as SSN and perhaps even banking information.

    So to begin with, has there been any reported, verified, incidents of such information being obtained? Is someone getting tons of extra spam, or has their banking information been compromised?

    2. How can I, as an affiliate, determine if my sponsor is indeed using NATS?

    3. Have any actual program owners reported break ins, where information MIGHT have been obtained? I know, that's a tough one, but has any program owner made public a claim that such an action might have happened?

    4. Now I am not asking for evidence to take to court, because by then it would be too late, but is there anything other than a report of 'what might happen' if such and such isn't changed in the admin?

    5. As an affiliate, what steps are there in place by program owners now, to ensure that my information is secure? I read Luke's thread, but am wondering, should I be contacting the program owners, or should they be contacting me?

    6. There is talk about some 'back door' exploit, but how do I know if any other similar programs are subject to this exploit, as is currently happening to NATS?

    I am just the poor schmuck who tries to eke out a living off your product, so I wonder, does it even affect me, or is this just something you get to agonize over, and if not, why isn't there more hard evidence being discussed? Or is it that many sponsors are simply ignoring the issue, or refusing to discuss it for some unknown fear or phobia?

    Now I know, hard evidence is not always easy to get. However, there was fairly clear evidence that the Japanese were going to attack the USA, and no one quite bought into that, until December 7. Kind of too late then, so I am not asking for such proof, but more of why some are so worried, what authentication is there that this 'break down' has created danger? Have sponsors not closed the holes, or does anyone know?

    an interested third party. :morning:
    Webmasters: Add Custom Stories To Your Sites Custom Gay Stories

    My Blogs Gay Talk, Free Gay Fiction, Erotic Fiction Online


  2. #2
    chick with a bass basschick's Avatar
    Join Date
    Nov 2003
    Posts
    7,922
    the criminals who accessed the programs used the NATS admin login. i believe that means that they have access to pretty much everything - affiliate info, member info, everything that is stored in NATS.

    at least a couple webmasters who received complaints from members joined their own sites and did start getting spam.

    all the NATS programs that i am aware of. you click to get your links, and first you are asked to choose your campaign, and if you don't have a campaign, default shows on the dropdown.

    yes, when i checked a couple days ago, several NATS program owners said that they found regular daily logins every few hours from the NATS admin password.

    if certain steps aren't taken by NATS program owners, i believe that the people with the NATS admin login will continue to be able to log in and collect member and affiliate info as well as having access to stats.


  3. #3
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    Here's the story as far as I can tell.

    The security issue was that TooMuchMedia created a NATS admin user account for every NATS install they did and they stored them on a local server - that local server was compromised by someone, possibly by an ex-employee, who took the NATS admin u/p and used them to log in to other programs' NATS admin areas.

    This admin u/p gave the criminals access to all admin information. At this time, it seems all they took was names and emails for highly targeted spamming. However, they did have access to webmaster info like name, address, email, epass ID (no epass password), but NOT webmaster passwords.

    Note: This did not affect all NATS programs, as there are additional security measures that program owners could have used. These measures were considered "optional" but have now been bumped to "critical" to stop unwanted admin logins.

    TMM has now made a change in policy to no longer store admin userids. Now, every time they need to log in to your NATS installation (usually to do software upgrades) they request an admin login and they also tell you to disable that admin account once they are complete. TMM has also created a new admin login logging function, which details exactly what IPs have logged into your NATS installation and where they have logged in.

    So how do you know if your sponsor program has been compromised? That's a tough question - mainly because this issue was first discovered in mid-August (TMM kept secret about it to most of us until last weekend), and most servers only store log files for the last 7 days due to disk space. So although a program owner can scan their current logs, it's near impossible to find out if the criminals logged in back in August.

    What should you do?
    1) Log in to every affiliate program running NATS and verify your details are still correct and then change your password to a unique password.
    2) contact the program owners to ask them if they have strengthened their NATS security and have followed through on all the recommendations. IMHO, program owners should have done this already and contacted all of their affiliates, but I can see from the lack of email notices that most have not.
    3) If they have not already done this, then their system is still at risk and you may want to consider closing your account with them and demanding that your account be deleted from their NATS system (alternatively, change your info to bogus info to protect yourself if you cannot get the program owners to help).

    I hope this helps, please note that this is just my understanding of things and I am not a TMM employee so I probably only know a portion of the real facts.

    cheers,
    Luke


  4. #4
    Words paint the real picture gaystoryman's Avatar
    Join Date
    Apr 2004
    Location
    western canada
    Posts
    2,151
    Thanks Luke.. answered a great deal but did raise a question. This exploit or hack was not actually the NATS program itself, but was to the server where TMM stored login info to installed NATS on sponsor sites?

    Is that right?

    If so, rather explains some things in my old noggin. Again thanks.


  5. #5
    Big Hands/Big Feet=Expensive shoes & gloves!
    Join Date
    Oct 2003
    Posts
    617
    Quote Originally Posted by gaystoryman View Post
    Thanks Luke.. answered a great deal but did raise a question. This exploit or hack was not actually the NATS program itself, but was to the server where TMM stored login info to installed NATS on sponsor sites?

    Is that right?

    If so, rather explains some things in my old noggin. Again thanks.

    It was a server that contained administrators' user IDs & passwords.
    So, no, it was not an exploit or hack of NATS itself.


  6. #6
    On the other hand.... You have different fingers
    Join Date
    Feb 2004
    Location
    San Francisco
    Posts
    3,548
    As far as I have heard and read, there is no known exploit or backdoor into the individual NATS installations each affiliate program has. The hacker simply obtained a list of user/password combinations for each affiliate system and used that to enter each system. So the hacker had access to all the info any administrator/program owner of that NATS system would have access to (in other words, all info affiliates provided to the program when they signed up, and limited info, such as name and address and logins) about members.

    The reason that some have said that info such as SSN or TIN and bank account info may be at risk is because most programs require affiliates to list a TIN or SSN when they sign up so that affiliates can be sent proper 1099 information at the end of each year. So any information entered by an affiliate into a NATS-based affiliate tracking system used by a given sponsor would, potentially, have been available to the hacker.

    I am not sure why people seem to think this information (SSN, etc.) is not at risk; it would seem to me that a hacker logging into a system and grabbing info would grab anything that could potentially be useful, rather than just an email address. An SSN and legal name, address, and banking info (if the affiliate is paid by wire transfer) would certainly be valuable.

    I think the basis for saying no other info was taken is that, so far, no one has any identifiable identity theft cases that appear correlated to NATS... but then again, I doubt anyone has had any time to seek correlations. I suspect this issue will be unfolding for quite a while yet, and so the real answer as to identity theft risk may not yet be known.


  7. #7
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    Quote Originally Posted by Mansized View Post
    It was a server that contained administrators' user IDs & passwords.
    So, no, it was not an exploit or hack of NATS itself.
    that is correct, thank you sir!


  8. #8
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    Quote Originally Posted by gaybucks_chip View Post
    ... I suspect this issue will be unfolding for quite a while yet
    I suspect you are correct, too!


  9. #9
    Hot guys & hard cocks Squirt's Avatar
    Join Date
    Sep 2004
    Location
    USA
    Posts
    5,193
    NATS had this issue pop up on GFY in OCTOBER 2006, not October 2007; not just a few months ago, but over a year and 2 months ago: http://www.gfy.com/showthread.php?t=671565

    Notice the I.P. of the attacker at the time: 65.110.62.120

    It's on the Tampa Bay Sagonet system, the same I.P. ranges as the "new" attacks (i.e. 65.110.53.100).

    It doesn't seem as though anyone else has put the recent incidents, and the ones that occurred over a year ago, together yet, at least on GFY. Certainly nobody has pointed out that the attacks over a year ago are on the same I.P. range on the Sagonet system in Tampa Bay, FL, as the current attacks.

    TMM is claiming they thought this was an isolated incident. It seems an obvious first step when an issue like this pops up would be to log on to all your clients' servers, with the usernames and passwords they used to keep on file, and check for the same issues. They haven't answered as of yet if they did this simple procedure.

    They also refuse to answer publicly if they've notified the FBI yet, instead claiming that due to their counsel "I have also been advised not to discuss it at this point."

    At first the TMM rep stated they had a policy of not keeping user/passes, then he stated as part of a fix for this issue they would no longer retain user/passes.

    It's also tactless the amount of times they mention their "counsel" and warn posters of the assumed possible liability of their comments and claims.

    I personally don't use NATS, and by chance, don't promote any sites that do. I'm extremely happy, and excited, at the thought of signing up for CCBill after their cascading billing system is released :thumbsup:
    Naked Straight Men on Squirtit & StraightBro

    ~ In Production ~

    Blindfoldmen.com
    scifimen.com
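
An added illustration, not part of any post in this thread: the kind of log check posts #3 and #9 describe, flagging admin-area requests that come from the address block containing the two quoted IPs and arrive at regular intervals. Combined Log Format and the `ADMIN_PATH` prefix are assumptions, the computed /20 is only the smallest block covering both quoted addresses (not the hosting provider's actual allocation), and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

REPORTED_IPS = ["65.110.62.120", "65.110.53.100"]  # addresses quoted in the thread
ADMIN_PATH = "/admin/"  # hypothetical admin URL prefix (assumption)
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

def covering_network(ips):
    """Smallest single CIDR block that contains every address in ips."""
    addrs = [ipaddress.ip_address(i) for i in ips]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net

def admin_hits(lines, network):
    """Map source IP -> timestamps of admin-path requests from inside network."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group(3).startswith(ADMIN_PATH):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # first field is a hostname, not an address
            continue
        if ip in network:
            hits[str(ip)].append(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
    return dict(hits)

def looks_scheduled(times, tolerance=timedelta(minutes=10)):
    """True when three or more hits are evenly spaced, as a scripted login would be."""
    if len(times) < 3:
        return False
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    return max(gaps) - min(gaps) <= tolerance

SAMPLE_LOG = [  # constructed lines, not real log data
    '65.110.53.100 - - [20/Dec/2007:02:00:11 -0500] "POST /admin/login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Dec/2007:03:15:40 -0500] "POST /admin/login.php HTTP/1.1" 200 512',
    '65.110.53.100 - - [20/Dec/2007:06:01:02 -0500] "POST /admin/login.php HTTP/1.1" 200 512',
    '65.110.62.120 - - [20/Dec/2007:07:30:00 -0500] "GET /admin/stats.php HTTP/1.1" 200 901',
    '65.110.53.100 - - [20/Dec/2007:10:00:45 -0500] "POST /admin/login.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, times in admin_hits(SAMPLE_LOG, covering_network(REPORTED_IPS)).items():
        print(ip, len(times), "scheduled" if looks_scheduled(times) else "sporadic")
```

With only about 7 days of retained logs, as post #3 notes, a check like this says nothing about earlier months; archiving the admin-login log off the server is what makes a later look-back possible.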


  10. #10
    On the other hand.... You have different fingers
    Join Date
    Feb 2004
    Location
    San Francisco
    Posts
    3,548
    I'm not trying to support TMM here, but I do think one minor clarification is in order: When TMM said they did not keep login/pass info, they were referring to SSH info to login to the program owner's server where NATS is installed. They have always kept the admin login to people's servers.

    However, everything else Squirt has said matches what I've read and heard, though the info about the 2006 intrusion was new info to me.

    I just hope this unfolds without a lot of difficulty for affiliates.


  11. #11
    Big Hands/Big Feet=Expensive shoes & gloves!
    Join Date
    Oct 2003
    Posts
    617
    Quote Originally Posted by Chilihost View Post
    that is correct, thank you sir!

    You're most welcome sweetie!
    So when do I get an invite to come and stay at your guest house?


  12. #12
    Think big. Shoot hard.
    Join Date
    Jul 2007
    Posts
    826


  13. #13
    Hot guys & hard cocks Squirt's Avatar
    Join Date
    Sep 2004
    Location
    USA
    Posts
    5,193
    I liked the story here http://www.icwt.us/index.php/2007/12...s-compromised/

    except for the fact they say October 2007 instead of October 2006 :snake:


  14. #14
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    Quote Originally Posted by Mansized View Post
    You're most welcome sweetie!
    So when do I get an invite to come and stay at your guest house?
    as soon as we are setup in Brazil


  15. #15
    Think big. Shoot hard.
    Join Date
    Jul 2007
    Posts
    826
    Quote Originally Posted by Chilihost View Post
    as soon as we are setup in Brazil
    LOL...

    My employee just came back from Brazil and said he saw a few of the ounique models in the bathhouse. He showed me the one he had sex with. YUMMY!

