Schneier on Security
A blog covering security and security technology.
December 28, 2007
Security of Adult Websites Compromised
This article claims that the software running the back end of either 35% or 80%-95% of adult websites (depending on which part of the article you read) has been compromised, and that the adult industry is hushing this up. Like many of these sorts of stories, there's no evidence that the bad guys actually have the personal-information database; the vulnerability only means that they could have it.
Does anyone know about this?
Posted on December 28, 2007 at 7:54 AM
Man, I sure hope they fix this soon! 'Cause when I send my credit card number to a porn pay site, I want to know it's being used to compel young, abused, drug addicted women to prostitute themselves on camera, and not going to some criminal enterprise somewhere...
I just read through this (highly not-safe-for-work :-) ) forum. It seems that it's not about a security problem inside the software (NATS) but rather a leak somewhere in the company (TMM) that makes it.
There seems to be evidence that the problem appears as soon as adult webmasters make admin accounts available to the vendor for maintenance. Shortly after that, seemingly automated scripts start accessing admin pages. Disabling accounts and/or changing passwords deters these scripts.
Furthermore, I got the impression that most of these adult sites are administered in a rather amateurish way and these people don't really know how to evaluate security in their web-based applications. Just read the threads about limiting access by IP address; more elaborate means are not even discussed...
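The pattern the commenter describes (a vendor maintenance account is created, and shortly afterwards scripted requests start walking the admin pages) is something a site operator can look for in ordinary web-server access logs. The following is an added example, not code from the original post, from NATS or from TMM: it scans "combined"-format access-log lines, reports admin-page requests from addresses outside an IP allowlist, and flags addresses that hit admin pages in a burst too fast for a human. The log lines, the `/admin/` path prefix, the allowlisted address and the burst thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the common "combined" access-log format. These lines are
# made up for this example; they are not log data from the incident in the post.
SAMPLE_LOG = """\
10.0.0.5 - admin [27/Dec/2007:03:12:01 +0000] "GET /admin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - admin [27/Dec/2007:03:12:44 +0000] "GET /admin/members.php HTTP/1.1" 200 8710 "-" "Mozilla/5.0"
192.0.2.77 - - [27/Dec/2007:03:14:10 +0000] "GET /members/index.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
203.0.113.9 - vendor [27/Dec/2007:03:15:00 +0000] "GET /admin/members.php?page=1 HTTP/1.1" 200 8710 "-" "Python-urllib/2.5"
203.0.113.9 - vendor [27/Dec/2007:03:15:01 +0000] "GET /admin/members.php?page=2 HTTP/1.1" 200 8702 "-" "Python-urllib/2.5"
203.0.113.9 - vendor [27/Dec/2007:03:15:02 +0000] "GET /admin/members.php?page=3 HTTP/1.1" 200 8698 "-" "Python-urllib/2.5"
203.0.113.9 - vendor [27/Dec/2007:03:15:03 +0000] "GET /admin/members.php?page=4 HTTP/1.1" 200 8711 "-" "Python-urllib/2.5"
203.0.113.9 - vendor [27/Dec/2007:03:15:04 +0000] "GET /admin/members.php?page=5 HTTP/1.1" 200 8690 "-" "Python-urllib/2.5"
203.0.113.9 - vendor [27/Dec/2007:03:15:05 +0000] "GET /admin/export.php?format=csv HTTP/1.1" 200 913344 "-" "Python-urllib/2.5"
198.51.100.20 - - [27/Dec/2007:04:02:19 +0000] "GET /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed layout: the admin interface lives under /admin/, and only the site's own
# office address (10.0.0.5, made up) is expected to use it.
ADMIN_PREFIX = "/admin/"
ADMIN_ALLOWLIST = {"10.0.0.5"}
BURST_WINDOW_SECONDS = 10   # N admin requests within this window ...
BURST_THRESHOLD = 5         # ... from one address looks scripted, not human

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def admin_records(log_text):
    """All parsable requests whose path is under the admin prefix."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["path"].startswith(ADMIN_PREFIX)]


def unallowlisted_admin_hits(log_text, allowlist=ADMIN_ALLOWLIST):
    """(ip, path) for every admin request from an address not on the allowlist.
    This is the check the forum threads about IP-based restriction amount to."""
    return [(r["ip"], r["path"]) for r in admin_records(log_text)
            if r["ip"] not in allowlist]


def admin_bursts(log_text, window=BURST_WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Addresses that made `threshold` or more admin requests inside any
    `window`-second sliding window: the signature of an automated crawl."""
    by_ip = defaultdict(list)
    for r in admin_records(log_text):
        by_ip[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:]
                            if (t - start).total_seconds() <= window)
            if in_window >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    for ip, path in unallowlisted_admin_hits(SAMPLE_LOG):
        print("admin request from non-allowlisted address", ip, path)
    for ip in sorted(admin_bursts(SAMPLE_LOG)):
        print("scripted admin access suspected from", ip)
```

On the constructed sample the vendor's address 203.0.113.9 trips both checks (six admin requests in six seconds, ending with a bulk export), while the single stray hit from 198.51.100.20 only appears in the allowlist report. Either finding is the cue to do what the commenter says worked: disable the shared maintenance account and change its password, then restrict the admin path to known addresses at the web server rather than relying on the application alone.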
From my understanding, when the leak was discovered, the company not only failed to disclose the breach, they threatened to sue anyone who talked about it.
One reason that these sites don't get much respect is because of an insidious meme in so-called "western civilization":
respectability is inversely proportional to sexuality
And, yeah, when Mahatma Gandhi was asked what he thought about western civilization, he answered "I think it would be a good idea".
Why would we not care, any more or less than any other company that had a stupid data loss and then covered it up?
I suspect I'm not alone in my disdain for such sites, and my lack of respect for those who establish them.
That said, we shouldn't confuse dislike for these sites with the rights of those who do things we disagree with, and as such we can't turn a blind eye. Otherwise, who is to say that we won't fall victim if people have disdain for something we engage in?
Fact is, they have just as much of a right to know if their sensitive information has been disclosed as a user of amazon.com does.
Happy New Year
Exposed data? Compromised back ends? The jokes practically write themselves.
Seriously, this sounds like the start of practically every other massive personal info loss story this year, except that in this case, the company can count on the potential identity theft victims to be too embarrassed to consider suing.
This demonstrates how far the current state is from achieving herd immunity.
And let's face it, the "adult entertainment" hook is a very potent one for cyber attacks. It's a bully platform from which to compromise the services/sectors that provide services to this industry.
Reminds me of a story a while back in which an adult site (I believe in Australia) was deliberately overcharging credit cards. When requested, they would issue a refund, as a check (or is it a cheque in Australia?), not as a credit on the card. The cheque would be made out from the company's 'full name' which was something like 'The Kinky Perverted Sex Company'. Most people declined to cash the cheque.
The fact that victims generally don't want the fact that they've been using such sites disclosed is an advantage to the attacker.
@Rich:[The cheque would be made out from the company's 'full name' which was something like 'The Kinky Perverted Sex Company'. Most people declined to cash the cheque.]
I wouldn't cash it either. I'd frame it.
Why is it difficult to accept that there could be people who will knowingly accept being a sex worker without any need of abuse/drug usage/etc?
Or that industries based around this don't _need_ to be shady? Maybe most of this is shady because of that stupid attitude of refusing any link with them. In my country Visa won't accept a porn site as a merchant; why not?
I'd say selling porn is much less indecent than selling products at 500% their price just because they are shown in half-hour-long advertisements on tv.
And John, I'd frame the cheque too :)
You might want to know what you're talking about before you post. There are days when I get better news coverage, especially international news, from the Naked News than I do from CNN. And the women there aren't abused or drug addicted.
Going off topic on that Gandhi quote about Western Civilisation [spelling in deference to British influence in India]--
Does anybody anywhere have a source for it? It seemed to pop out of nowhere, to the best of my recollection, in the early 1970s, after which it caught on quickly. It was a good 60s sort of meme. But I've got 50 bucks for the first one to come up with an authentic, verifiable source that dates before 1968. That's sixty-eight with a six, not a four. Double for one that's even close to Gandhi's lifetime.
Good quip, though.
"the software that runs the back end"...hmmm....
For every Jessica Steinhauser* (a woman who seemed to handle her time as a sex worker well) there is a Shannon Wilsey*, or a Colleen Applegate*. And in between is a spectrum of experience. But that spectrum exists in an environment of organized crime and lawlessness, which lends itself to abuse. Sending your credit card number to a porn paysite is to trust organized crime not to steal your information. Is that smart? And you're helping convince 18 year old women to engage in risky sex on camera for about $500 a trick. Is that what you'd want YOUR daughter doing?
Many women pass through the sex-work system without dramatically and obviously bad outcomes. But many are damaged before entering (by rape and incest) and others are damaged in the system in ways which they may not recognize for years, if ever.
Do you really think that the sex industry promotes the mental and emotional health of the people that are in it?
*If you don't know who these people are, you may want to know more about what you're discussing before you post.
@jack c lipton
"respectability is inversely proportional to sexuality"
I don't know about all sexuality being that way - but I do believe in the statement, "Men have a brain and a dingus, and only enough blood to run one at a time." ;-)
"I wouldn't cash it either. I'd frame it."
Since when did this become a place to debate the morals of porn or sexuality in general? This is about the security breach.
My $0.02? I wonder how much blackmail money a cracker could rake in, if they could link a politician (or other famous person who relies on a clean image) with a particularly deviant site?
They could make a gold mine - and depending on what country they're in, the various national authorities/Interpol/whatever would be helpless to do anything...
I was initially aiming to make a comment about the stupidity of sending your credit card number to organized crime websites and then worrying about its security. Somehow the topic got derailed a bit, sorry.
The majority of porn sites are legit. They check the age of the girls etc etc. They are legal in every sense of the word. They pay their taxes and run a business properly. They are not organized crime groups. Otherwise they wouldn't have almost direct merchant affiliation (it's common to use a 3rd-party pay system for all smaller web sites).
Furthermore, since I once worked at an ISP I can tell you that the vast majority of men use these porn sites regularly to some degree. The most common phone call for the help desk was how to delete the browser history!
I would say that some of the people above who are acting as if porn==Evil are in fact looking at it online. The pot is calling the kettle black.
Tincho said: **"Why is that difficult to accept that there could be people that will knowingly accept being a sex worker without any need of abuse/drug usage/etc?
Or that industries based around this doesn't _need_ to be shady?"**
There are at least two that I could name you which aren't shady. (One site's name rhymes with "tabby splinters" and the other's with "dutiful flagon B."). The models, and the situations they were depicted in, were all the epitome of "vanilla"; healthy, regular people, hired just for a shoot or two, not drugged-up, abused or absurdly-attired sex workers. And as far as I can tell, they were never coerced into being on-camera (ever hear of "exhibitionists?"). At the time, the company was totally above-board in its billing practices, I never had an issue with them. They appear to have been sold, so I can't say anything else about their current billing practices. It's probably best to use a gift card to buy a fixed (non-ongoing) unit of time with porn sites rather than using one's credit card. It probably gives a margin of safety.
The blackmail potential for those "outed" as users of net porn probably varies according to their situations and to what they were paying to see (someone using a "vanilla" web site might be in less jeopardy than someone who frequented one which offered more unorthodox or sordid fare). Mr. Lipton is right - without the prevailing ideology that respectability is inversely proportional to sexuality, sexual blackmail would be pointless.
But porn sites are the tip of the iceberg. Suppose that common business sites like Itunes, Amazon.com or Buy.com got hacked, and their owners hushed it up. Wouldn't that make life interesting for thousands of people?
Whenever I purchase anything on-line, if it's possible to do so, I delete my credit card info from the seller site's database as soon as I've completed my purchase and payment, in case they do get hacked.
I was the guy who wrote the story mentioned here. We later corrected the top of the story. We also posted a small retraction at the bottom. NATS has 35% to 40% market share. TMM representatives yelled on an adult industry forum about our mis-statement that they had 90% of the market, but failed to address any other issues in any detail, like what they plan to do to correct the issue. ICWT and I personally regret the error in which TMM was credited with being more successful than it really is.