funsec mailing list archives
Re: [privacy] AOL's Big Privacy Blunder
From: "Randy Abrams" <abrams () eset com>
Date: Tue, 8 Aug 2006 13:53:59 -0700
I particularly like the ones where they have gone to a bunch of sites and then look for things like the term "adware" :) Gee, I wonder what happened.

Cheers,
Randy

-----Original Message-----
From: Dr. Neal Krawetz [mailto:hf () hackerfactor com]
Sent: Tuesday, August 08, 2006 12:56 PM
To: Richard M. Smith
Cc: privacy () whitestar linuxbox org
Subject: Re: [privacy] AOL's Big Privacy Blunder

On Mon Aug 7 08:23:35 2006, Richard M. Smith wrote:
> http://english.ohmynews.com/articleview/article_view.asp?article_class=4&no=309830&rel_no=1
>
> In an inexplicably foolish and potentially devastating move, America Online (AOL) released massive amounts of private data to the whole world. Sometime
> ...
> The private data contains searches from these 650,000 AOL users over the course of three months (March through May) in 2006. It also includes indications of whether or not a user actually clicked on a search result, what the result was, and what rank the result held on the search results page.
Hi RMS,

(I'm BCC'ing a couple of other people.)

The AOL logs contain more than that! I'm looking at a mirror of the logs...

There are over a hundred social security numbers -- many including full names, addresses, DoB, etc. (One poor bastard was looking for his Experian report -- probably due to prior credit fraud.)

There are also credit card numbers. At least 58 cards contain valid BINs (bank identification numbers -- the account number may still be invalid, but the BIN looks real). Another hundred may be valid and not in my list of valid BINs. Some of the queries include card numbers as well as other personal information.

And don't get me started on passwords -- lots of passwords. (Here's a hint: don't type into the search engine "how do I change my password from WORD to WORD".)

Then there are other items, like UPS and Fedex tracking codes. Fortunately, this data is too old to intercept packages. Unfortunately, it may be used to associate an AOL ID with a real person's name and address. (How long do UPS and Fedex hold package information online?)

(People will type the darnedest things into search engines.)

There are even people doing investigative searches -- things that appear to be searches for criminals or suspects. (One person looks like they are looking for gang members.)

And all of this is before we start using profiling techniques (like I presented at Blackhat) where we can determine physical aspects such as left/right handed based on their search terms. (Not every term is good for the profile system, but some are -- lots of keyboard banging.)

I wonder if AOL will send out a credit fraud alert.

-Neal

--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
http://www.charlesriver.com/Books/BookDetail.aspx?productID=126130

_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy
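The kind of pre-release scrub check Neal's findings call for, as an added example that is not code from this thread: it parses a query log in the tab-separated layout the thread describes (anonymous ID, query, time, clicked rank, clicked URL; the exact column layout is an assumption) and flags SSN-shaped values, Luhn-valid card-shaped numbers and "password from X to Y" queries. The Luhn checksum stands in for Neal's BIN list and is a different, weaker test; every sample value below is constructed.

```python
import re

# Constructed sample log; column layout and all values are assumptions.
SAMPLE_LOG = """\
AnonID\tQuery\tQueryTime\tItemRank\tClickURL
1001\tbest pizza near me\t2006-03-01 10:00:00\t1\thttp://example.com/pizza
1002\t078-05-1120 credit report\t2006-03-02 11:00:00\t\t
1003\tchange my password from hunter2 to hunter3\t2006-03-03 12:00:00\t\t
1004\t4111 1111 1111 1111 balance\t2006-03-04 13:00:00\t2\thttp://example.com/bank
1005\t1234567890123456 tracking\t2006-03-05 14:00:00\t\t
"""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")       # 13-16 digits, spaces/dashes allowed
PASSWORD_RE = re.compile(r"\bpassword\b.*\bfrom\b\s+\S+\s+\bto\b\s+\S+", re.I)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (stand-in for a BIN list)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(query):
    """Return the sensitive-data labels found in one search query."""
    labels = []
    if SSN_RE.search(query):
        labels.append("ssn")
    for m in CARD_RE.finditer(query):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.append("card")   # digit runs failing Luhn are left unflagged
            break
    if PASSWORD_RE.search(query):
        labels.append("password")
    return labels


def scan_log(text):
    """Parse the TSV log and map each AnonID to the labels its queries hit."""
    findings = {}
    for line in text.splitlines()[1:]:   # skip the header row
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        for label in classify(fields[1]):
            findings.setdefault(fields[0], set()).add(label)
    return findings
```

Run against a full dump, the per-ID map is the list of records to withhold or redact before anything is published.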