funsec mailing list archives

Re: [privacy] AOL's Big Privacy Blunder


From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Tue, 8 Aug 2006 13:55:59 -0600 (MDT)

On Mon Aug  7 08:23:35 2006, Richard M. Smith wrote:

http://english.ohmynews.com/articleview/article_view.asp?article_class=4&no=309830&rel_no=1
 
In an inexplicably foolish and potentially devastating move, America Online
(AOL) released massive amounts of private data to the whole world. Sometime
...
The private data contains searches from these 650,000 AOL users over the
course of three months (March through May) in 2006. It also includes
indications of whether or not a user actually clicked on a search result,
what the result was, and what rank the result held on the search results
page.

Hi RMS,

(I'm BCC'ing a couple of other people.)
The AOL logs contain more than that!
I'm looking at a mirror of the logs...

There are over a hundred social security numbers -- many including full
names, addresses, DoB, etc.  (One poor bastard was looking for his Experian
report -- probably due to prior credit fraud.)

There are also credit card numbers.  At least 58 cards contain valid BINs
(bank identification numbers -- the account number may still be invalid,
but the BIN looks real).
Another hundred may be valid and not in my list of valid BINs.  Some of
the queries include card numbers as well as other personal information.
And don't get me started on passwords -- lots of passwords.  (Here's a
hint: don't type into the search engine "how do I change my password from
WORD to WORD".)

Then there are other items, like UPS and Fedex tracking codes.
Fortunately, this data is too old to intercept packages.  Unfortunately, it
may be used to associate an AOL ID with a real person's name and address.
(How long do UPS and Fedex hold package information online?)

(People will type the darnedest things into search engines.) There are even
people doing investigative searches -- things that appear to be searches
for criminals or suspects.  (One person looks like they are looking for
gang members.)

And all of this is before we start using profiling techniques (like I
presented at Blackhat) where we can determine physical aspects such as
left/right handed based on their search terms.  (Not every term is good for
the profile system, but some are -- lots of keyboard banging.)

I wonder if AOL will send out a credit fraud alert.

                                        -Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
http://www.charlesriver.com/Books/BookDetail.aspx?productID=126130

_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy
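The kind of triage the message above describes (pulling SSNs, card numbers with a plausible BIN, tracking codes and "change my password from X to Y" queries out of a released search log) can be reproduced with a small scanner. The block below is an added example, not code from the message, the list, or AOL. It assumes the log is tab-separated with the columns AnonID, Query, QueryTime, ItemRank, ClickURL (an assumption, not something the message states); the sample lines, the tiny issuer-prefix table `KNOWN_BINS`, and the helper names are constructed for illustration. The SSN and card numbers in the sample are well-known test values, not real identifiers.

```python
"""Scan a search-query log for the personal data categories the message
describes.  Added example; assumes a tab-separated AnonID/Query/QueryTime/
ItemRank/ClickURL layout.  SAMPLE_LOG and KNOWN_BINS are constructed."""
import re
from collections import Counter

# Constructed sample log (assumed column layout).  078-05-1120 and the 4111...
# card numbers are classic test values, not real identifiers.
SAMPLE_LOG = """AnonID\tQuery\tQueryTime\tItemRank\tClickURL
1001\texperian credit report 078-05-1120 john doe\t2006-03-01 08:12:33\t\t
1002\tcheap flights to denver\t2006-03-01 09:01:10\t1\thttp://example.com/
1003\t4111 1111 1111 1111 exp 05/08 cvv 123\t2006-04-11 22:45:01\t\t
1004\thow do i change my password from hunter2 to letmein\t2006-04-12 01:03:59\t\t
1005\tups tracking 1Z999AA10123456784\t2006-05-02 14:20:00\t2\thttp://example.com/track
1006\tis 4111111111111112 my card number\t2006-05-03 10:00:00\t\t
"""

# Hypothetical, deliberately incomplete issuer-prefix table: prefix -> label.
# A real BIN list is far larger; this only shows where the lookup plugs in.
KNOWN_BINS = {"4": "visa-like", "51": "mc-like", "52": "mc-like", "53": "mc-like",
              "54": "mc-like", "55": "mc-like", "34": "amex-like", "37": "amex-like"}

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, optional separators
UPS_RE = re.compile(r"\b1Z[0-9A-Z]{16}\b")             # UPS: "1Z" + 16 alphanumerics
PASSWORD_RE = re.compile(r"change my password from (\S+) to (\S+)", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates plausible account numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def bin_label(digits: str):
    """Return the issuer label for the longest matching prefix, or None."""
    for n in (2, 1):
        if digits[:n] in KNOWN_BINS:
            return KNOWN_BINS[digits[:n]]
    return None


def scan_query(query: str) -> list[dict]:
    """Return one finding per sensitive item found in a single query string."""
    found = []
    for m in SSN_RE.finditer(query):
        found.append({"kind": "ssn", "value": m.group(0)})
    for m in CARD_RE.finditer(query):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Record BIN and Luhn separately: a real-looking BIN with a failing
        # Luhn is still worth a look, as the message points out.
        found.append({"kind": "card", "value": digits,
                      "bin": bin_label(digits), "luhn": luhn_ok(digits)})
    for m in UPS_RE.finditer(query):
        found.append({"kind": "ups_tracking", "value": m.group(0)})
    for m in PASSWORD_RE.finditer(query):
        found.append({"kind": "password", "old": m.group(1), "new": m.group(2)})
    return found


def scan_log(text: str) -> list[dict]:
    """Walk the tab-separated log and attach the AnonID to every finding,
    which is exactly the linkage that makes the release dangerous."""
    findings = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 2 or cols[0] == "AnonID":   # skip blank lines and header
            continue
        for f in scan_query(cols[1]):
            findings.append({"anon_id": cols[0], **f})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Counts per kind, plus how many cards pass both the BIN and Luhn checks."""
    counts = Counter(f["kind"] for f in findings)
    counts["card_bin_and_luhn"] = sum(
        1 for f in findings if f["kind"] == "card" and f["bin"] and f["luhn"])
    return dict(counts)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run on the constructed sample it reports one SSN, two card-shaped numbers (one passing both the prefix lookup and Luhn, one failing Luhn), one UPS code and one password pair, each tied back to an AnonID. The patterns are deliberately loose; on a real log the false positives (phone numbers, dates, order numbers) are what you spend your time on, and the Luhn and prefix checks are there to rank, not to decide.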
