funsec mailing list archives
Re: Apple's worst security breach: 114,000 iPad owners exposed
From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 27 Jun 2010 15:02:14 -0400
Sometimes it's very interesting to note that an address given only to A turns up in B's hands...or B's, C's, D's, E's, etc. hands in some instances. ... For instance, United Airlines has been observed leaking addresses to Brazilian spammers.
HP is notoriously bad about selling and sharing. Proof by example: call support, and verify the email you supply will *only* be used for support reasons (the call center folks will state it without asking). Then wait about two weeks.

Question: since I called and authorized one business unit (support), and support stated the data was not authorized for use in other departments, does that mean an internal breach occurred because a second business unit (marketing) obtained and abused the data?

On Sun, Jun 27, 2010 at 2:28 PM, Rich Kulawiec <rsk () gsp org> wrote:

On Sun, Jun 13, 2010 at 11:19:16AM +1200, Nick FitzGerald wrote:

Most security professionals I've either asked directly about this or with whom it's come up some way or other in conversation (admittedly not a large proportion of all such folk I know), _do_ exactly that. And at least some "more normal" folk I know (i.e. not security professionals) do this too. There are a number of reasons, but commonly having a single "well protected" (by the privacy policies of those companies they trust to share the address with) address is the reason (the other one is tracking who sell, etc addresses and these folk use a separate address for each company/entity that they share contact details with).

I've done this for a very long time. Sometimes the individually-supplied addresses are rather obviously mine; sometimes they're not. And I keep very careful records of which addresses were given to whom. I've also trained some other people to do the same.

Sometimes it's very interesting to note that an address given only to A turns up in B's hands...or B's, C's, D's, E's, etc. hands in some instances. There have been any number of fascinating little case studies demonstrating that data is either being sold or stolen or otherwise leaked from numerous operations (some of which predictably claim that this is impossible and that those reporting same must be mistaken, incompetent, senile or lying).

For instance, United Airlines has been observed leaking addresses to Brazilian spammers.

---Rsk