funsec mailing list archives

Re: [privacy] AOL's Big Privacy Blunder


From: "Randy Abrams" <abrams () eset com>
Date: Tue, 8 Aug 2006 13:53:59 -0700

I particularly like the ones where they have gone to a bunch of sites and
then look for things like the term "adware" :)

Gee, I wonder what happened. 

Cheers,

Randy

-----Original Message-----
From: Dr. Neal Krawetz [mailto:hf () hackerfactor com] 
Sent: Tuesday, August 08, 2006 12:56 PM
To: Richard M. Smith
Cc: privacy () whitestar linuxbox org
Subject: Re: [privacy] AOL's Big Privacy Blunder

On Mon Aug  7 08:23:35 2006, Richard M. Smith wrote:

http://english.ohmynews.com/articleview/article_view.asp?article_class=4&no=309830&rel_no=1
 
In an inexplicably foolish and potentially devastating move, America Online
(AOL) released massive amounts of private data to the whole world. Sometime
...
The private data contains searches from these 650,000 AOL users over 
the course of three months (March through May) in 2006. It also 
includes indications of whether or not a user actually clicked on a 
search result, what the result was, and what rank the result held on 
the search results page.

Hi RMS,

(I'm BCC'ing a couple of other people.)
The AOL logs contain more than that!
I'm looking at a mirror of the logs...

There are over a hundred social security numbers -- many including full
names, addresses, DoB, etc.  (One poor bastard was looking for his Experian
report -- probably due to prior credit fraud.)

There are also credit card numbers.  At least 58 cards contain valid BINs
(bank identification numbers -- the account number may still be invalid, but
the BIN looks real).
Another hundred may be valid and not in my list of valid BINs.  Some of the
queries include card numbers as well as other personal information.
And don't get me started on passwords -- lots of passwords.  (Here's a
hint: don't type into the search engine "how do I change my password from
WORD to WORD".)

Then there are other items, like UPS and Fedex tracking codes.
Fortunately, this data is too old to intercept packages.  Unfortunately, it
may be used to associate an AOL ID with a real person's name and address.
(How long do UPS and Fedex hold package information online?)

(People will type the darnedest things into search engines.) There are even
people doing investigative searches -- things that appear to be searches for
criminals or suspects.  (One person looks like they are looking for gang
members.)

And all of this is before we start using profiling techniques (like I
presented at Blackhat) where we can determine physical aspects such as
left/right handed based on their search terms.  (Not every term is good for
the profile system, but some are -- lots of keyboard banging.)

I wonder if AOL will send out a credit fraud alert.

                                        -Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
http://www.charlesriver.com/Books/BookDetail.aspx?productID=126130

_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy

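The kind of triage Krawetz describes above (pulling card numbers, SSNs and password-change queries out of a search log, and separating "BIN looks real" from "account number also passes the checksum") can be scripted. The following is an added example written for this archive page; it is not code from Krawetz, Abrams or AOL. It assumes the AOL release used tab-separated columns AnonID, Query, QueryTime, ItemRank, ClickURL (an assumption, not stated in the thread), uses a deliberately tiny hypothetical BIN prefix table in place of a real issuer database, and runs over a handful of constructed log lines embedded in the script; the card numbers are standard test values, not real accounts.

```python
import re
from dataclasses import dataclass

# Assumed AOL-style column layout (tab-separated); only the first two are used here.
COLUMNS = ("anon_id", "query", "query_time", "item_rank", "click_url")

# Hypothetical BIN prefix table (prefix -> issuer label).  A real scan would load a
# maintained BIN database; this tiny table only shows the shape of the check.
BIN_PREFIXES = {"4": "visa", "51": "mastercard", "55": "mastercard", "34": "amex", "37": "amex"}

# 13-19 digits with optional single space/dash separators, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
PASSWORD_RE = re.compile(r"change my password from (\S+) to (\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    anon_id: str
    kind: str      # "card", "ssn" or "password"
    detail: str    # card classification, the SSN, or the old/new password pair
    query: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer_for(digits: str):
    """Longest matching prefix in the hypothetical BIN table, or None."""
    matches = [p for p in BIN_PREFIXES if digits.startswith(p)]
    return BIN_PREFIXES[max(matches, key=len)] if matches else None


def classify_card(digits: str) -> str:
    """Krawetz's buckets: BIN known or not, account number checksum-valid or not."""
    issuer = issuer_for(digits)
    luhn = luhn_ok(digits)
    if issuer and luhn:
        return f"known BIN ({issuer}), Luhn ok"
    if issuer:
        return f"known BIN ({issuer}), Luhn FAIL"
    if luhn:
        return "unknown BIN, Luhn ok"
    return "unknown BIN, Luhn FAIL"


def scan_line(line: str) -> list:
    """Return every Finding in one log line (empty list for malformed lines)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 2:
        return []
    anon_id, query = fields[0], fields[1]
    findings = []
    for m in CARD_RE.finditer(query):
        digits = re.sub(r"[ -]", "", m.group())
        findings.append(Finding(anon_id, "card", classify_card(digits), query))
    for m in SSN_RE.finditer(query):
        findings.append(Finding(anon_id, "ssn", m.group(), query))
    m = PASSWORD_RE.search(query)
    if m:
        findings.append(Finding(anon_id, "password", f"old={m.group(1)} new={m.group(2)}", query))
    return findings


def scan_log(text: str) -> list:
    """Scan a whole log, skipping the header line."""
    out = []
    for line in text.splitlines():
        if line.startswith("AnonID\t"):
            continue
        out.extend(scan_line(line))
    return out


# Constructed sample log: test card numbers and a fake SSN, not real data from the release.
SAMPLE_LOG = "\n".join([
    "AnonID\tQuery\tQueryTime\tItemRank\tClickURL",
    "1000001\texperian credit report 123-45-6789\t2006-03-01 10:22:11\t1\thttp://www.experian.com",
    "1000002\tis 4111 1111 1111 1111 my card number\t2006-03-02 08:01:45\t\t",
    "1000002\t5555555555554444 statement\t2006-03-02 08:03:10\t\t",
    "1000003\tcheck 4111111111111112\t2006-04-11 19:45:00\t\t",
    "1000004\tcard 6011111111111117 lost\t2006-04-12 07:12:33\t\t",
    "1000005\thow do I change my password from hunter2 to hunter3\t2006-05-20 22:10:05\t\t",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.anon_id, f.kind, f.detail)
```

The "known BIN, Luhn FAIL" and "unknown BIN, Luhn ok" buckets are the two caveats from the mail: a real-looking issuer prefix does not make the account number valid, and a checksum-valid number with an unlisted prefix may still be a real card your BIN table simply does not know about. Both deserve a human look before anyone sends out fraud alerts.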
