Security of Adult Websites Compromised

This article claims that the software running the back end of either 35% or 80%-95% of adult websites (depending on which part of the article you read) has been compromised, and that the adult industry is hushing it up. Like many of these sorts of stories, there's no evidence that the bad guys have the personal information database. The vulnerability only means that they could have it.

Does anyone know about this?

Slashdot thread.

Posted on December 28, 2007 at 7:54 AM • 21 Comments

Comments

SMAWG • December 28, 2007 9:30 AM

Man, I sure hope they fix this soon! 'Cause when I send my credit card number to a porn pay site, I want to know it's being used to compel young, abused, drug addicted women to prostitute themselves on camera, and not going to some criminal enterprise somewhere...

Christian Vogel • December 28, 2007 9:44 AM

I just read through this (highly not-safe-for-work :-) ) forum. It seems that it's not about a security problem inside the software (NATS) but rather a leak somewhere in the company (TMM) that makes it.

There seems to be evidence that the problem appears as soon as adult webmasters make admin accounts available to the vendor for maintenance. Shortly after that, seemingly automated scripts start accessing admin pages. Disabling accounts and/or changing passwords deters these scripts.

Furthermore, I got the impression that most of these adult sites are administered in a rather amateurish way and these people don't really know how to evaluate security in their web-based applications. Just read the threads about limiting access by IP address; more elaborate means are not even discussed...

John Ridley • December 28, 2007 10:23 AM

From my understanding, when the leak was discovered, the company not only failed to disclose the breach, they threatened to sue anyone who talked about it.

jack c lipton • December 28, 2007 10:32 AM

One reason that these sites don't get much respect is because of an insidious meme in so-called "western civilization":

respectability is inversely proportional to sexuality

And, yeah, when Mahatma Gandhi was asked what he thought about western civilization, he answered "I think it would be a good idea".

John Ridley • December 28, 2007 10:52 AM

@Niyaz
Why would we not care, any more or less than any other company that had a stupid data loss and then covered it up?

John W • December 28, 2007 11:06 AM

I suspect I'm not alone in my disdain for such sites, and my lack of respect for those who establish them.

That said, we shouldn't confuse dislike for these sites with the rights of those who do things we disagree with, and as such we can't turn a blind eye. Otherwise, who is to say that we won't fall victim if people have disdain for something we engage in.

Fact is, they have just as much of a right to know if their sensitive information has been disclosed as a user of amazon.com does.

2 cents

Happy New Year

Petréa Mitchell • December 28, 2007 11:48 AM

Exposed data? Compromised back ends? The jokes practically write themselves.

Seriously, this sounds like the start of practically every other massive personal info loss story this year, except that in this case, the company can count on the potential identity theft victims to be too embarrassed to consider suing.

-ac- • December 28, 2007 12:46 PM

This demonstrates how far the current state is from achieving herd immunity.

And let's face it, the "adult entertainment" hook is a very potent one for cyber attacks. It's a bully platform from which to compromise the services/sectors that provide services to this industry.

Rich Wilson • December 28, 2007 12:54 PM

Reminds me of a story a while back in which an adult site (I believe in Australia) was deliberately overcharging credit cards. When requested, they would issue a refund, as a check (or is it a cheque in Australia?), not as a credit on the card. The cheque would be made out from the company's 'full name' which was something like 'The Kinky Perverted Sex Company'. Most people declined to cash the cheque.

The fact that victims generally don't want the fact that they've been using such sites disclosed is an advantage to the attacker.

John Ridley • December 28, 2007 1:30 PM

@Rich: [The cheque would be made out from the company's 'full name' which was something like 'The Kinky Perverted Sex Company'. Most people declined to cash the cheque.]

I wouldn't cash it either. I'd frame it.

Tincho • December 28, 2007 3:14 PM

Why is it that difficult to accept that there could be people who will knowingly accept being a sex worker without any need of abuse/drug usage/etc?

Or that industries based around this don't _need_ to be shady? Maybe most of this is shady because of that stupid attitude of refusing any link with them. In my country Visa won't accept a porn site as a merchant; why not?

I'd say selling porn is much less indecent than selling products at 500% their price just because they are shown in half-hour-long advertisements on TV.

And John, I'd frame the cheque too :)

Leo • December 28, 2007 6:28 PM

@SMAWG

You might want to know what you're talking about before you post. There are days when I get better news coverage, especially international news, from the Naked News than I do from CNN. And the women there aren't abused or drug addicted.

Porlock Junior • December 29, 2007 1:46 AM

Going off topic on that Gandhi quote about Western Civilisation [spelling in deference to British influence in India]--

Does anybody anywhere have a source for it? It seemed to pop out of nowhere, to the best of my recollection, in the early 1970s, after which it caught on quickly. It was a good 60s sort of meme. But I've got 50 bucks for the first one to come up with an authentic, verifiable source that dates before 1968. That's sixty-eight with a six, not a four. Double for one that's even close to Gandhi's lifetime.

Good quip, though.

SMAWG • December 29, 2007 10:29 AM

For every Jessica Steinhauser* (a woman who seemed to handle her time as a sex worker well) there is a Shannon Wilsey*, or a Colleen Applegate*. And in between is a spectrum of experience. But that spectrum exists in an environment of organized crime and lawlessness, which lends itself to abuse. Sending your credit card number to a porn paysite is to trust organized crime not to steal your information. Is that smart? And you're helping convince 18 year old women to engage in risky sex on camera for about $500 a trick. Is that what you'd want YOUR daughter doing?

Many women pass through the sex-work system without dramatically and obviously bad outcomes. But many are damaged before entering (by rape and incest) and others are damaged in the system in ways which they may not recognize for years, if ever.

Do you really think that the sex industry promotes the mental and emotional health of the people that are in it?

*If you don't know who these people are, you may want to know more about what you're discussing before you post.

CipherChaos • December 29, 2007 1:51 PM

@jack c lipton

"respectability is inversely proportional to sexuality"

I don't know about all sexuality being that way - but I do believe in the statement, "Men have a brain and a dingus, and only enough blood to run one at a time." ;-)

@John Ridley

"I wouldn't cash it either. I'd frame it."

LOL!

@SMAWG

Since when did this become a place to debate the morals of porn or sexuality in general? This is about the security breach.

****

My $0.02? I wonder how much blackmail money a cracker could rake in, if they could link a politician (or other famous person who relies on a clean image) with a particularly deviant site?

They could make a gold mine - and depending on what country they're in, the various national authorities/Interpol/whatever would be helpless to do anything...

SMAWG • December 29, 2007 3:08 PM

I was initially aiming to make a comment about the stupidity of sending your credit card number to organized crime websites and then worrying about its security. Somehow the topic got derailed a bit, sorry.

greg • December 30, 2007 8:02 AM

@SMAWG

The majority of porn sites are legit. They check the age of the girls etc etc. They are legal in every sense of the word. They pay their taxes and run a business properly. They are not organized crime groups. Otherwise they wouldn't have almost direct merchant affiliation (It's common to use a 3rd party pay system for all smaller web sites.)

Furthermore, since I once worked at an ISP, I can tell you that the vast majority of men use these porn sites regularly to some degree. The most common phone call for the help desk was how to delete the browser history!

I would say that some of the people above who are acting as if porn==Evil are in fact looking at it online. The pot is calling the kettle black.

Peter Lewis • December 30, 2007 1:39 PM

Tincho said: **"Why is it that difficult to accept that there could be people who will knowingly accept being a sex worker without any need of abuse/drug usage/etc?

Or that industries based around this don't _need_ to be shady?"**

There are at least two that I could name you which aren't shady. (One site's name rhymes with "tabby splinters" and the other's with "dutiful flagon B."). The models, and the situations they were depicted in, were all the epitome of "vanilla"; healthy, regular people, hired just for a shoot or two, not drugged-up, abused or absurdly-attired sex workers. And as far as I can tell, they were never coerced into being on-camera (ever hear of "exhibitionists?"). At the time, the company was totally above-board in its billing practices, I never had an issue with them. They appear to have been sold, so I can't say anything else about their current billing practices. It's probably best to use a gift card to buy a fixed (non-ongoing) unit of time with porn sites rather than using one's credit card. It probably gives a margin of safety.

The blackmail potential for those "outed" as users of net porn probably varies according to their situations and to what they were paying to see (someone using a "vanilla" web site might be in less jeopardy than someone who frequented one which offered more unorthodox or sordid fare). Mr. Lipton is right - without the prevailing ideology that respectability is inversely proportional to sexuality, sexual blackmail would be pointless.

But porn sites are the tip of the iceberg. Suppose that common business sites like iTunes, Amazon.com or Buy.com got hacked, and their owners hushed it up. Wouldn't that make life interesting for thousands of people?

Whenever I purchase anything on-line, if it's possible to do so, I delete my credit card info from the seller site's database as soon as I've completed my purchase and payment, in case they do get hacked.

Keith • December 31, 2007 2:06 AM

I was the guy who wrote the story mentioned here. We later corrected the top of the story. We also posted a small retraction at the bottom. NATS has 35% to 40% market share. TMM representatives yelled on an adult industry forum about our mis-statement that they had 90% of the market, but failed to address any other issues in any detail, like what they plan to do to correct the issue. ICWT and I personally regret the error in which TMM was credited with being more successful than it really is.
