> Sometimes it's very interesting to note that an address
> given only to A turns up in B's hands...or B's,
> C's, D's, E's, etc. hands in some instances.
> ...
> For instance, United Airlines has been observed leaking
> addresses to Brazilian spammers.

HP is notoriously bad about selling and sharing. Proof by example: call support, and verify the email you supply will *only* be used for support reasons (the call center folks will state it without asking). Then wait about two weeks.

Question: since I called and authorized one business unit (support), and support stated the data was not authorized for use in other departments, does that mean an internal breach occurred because a second business unit (marketing) obtained and abused the data?

On Sun, Jun 27, 2010 at 2:28 PM, Rich Kulawiec <[email protected]> wrote:
> On Sun, Jun 13, 2010 at 11:19:16AM +1200, Nick FitzGerald wrote:
>> Most security professionals I've either asked directly about this or
>> with whom it's come up some way or other in conversation (admittedly
>> not a large proportion of all such folk I know), _do_ exactly that.
>> And at least some "more normal" folk I know (i.e. not security
>> professionals) do this too. There are a number of reasons, but
>> commonly having a single "well protected" (by the privacy policies of
>> those companies they trust to share the address with) address is the
>> reason (the other one is tracking who sell, etc addresses and these
>> folk use a separate address for each company/entity that they share
>> contact details with).
>
> I've done this for a very long time. Sometimes the individually-supplied
> addresses are rather obviously mine; sometimes they're not. And I keep
> very careful records of which addresses were given to whom. I've also
> trained some other people to do the same. Sometimes it's very interesting
> to note that an address given only to A turns up in B's hands...or B's,
> C's, D's, E's, etc. hands in some instances. There have been any number
> of fascinating little case studies demonstrating that data is either
> being sold or stolen or otherwise leaked from numerous operations (some
> of which predictably claim that this is impossible and that those reporting
> same must be mistaken, incompetent, senile or lying). For instance,
> United Airlines has been observed leaking addresses to Brazilian spammers.
>
> ---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
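
The record-keeping described in the thread (one address per entity, plus a ledger of which address was given to whom) can be automated. The following is an added example, not code from any poster in the thread; the key, the domain `example.org`, the entity names and the sample messages are all constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: private key known only to you
MAIL_DOMAIN = "example.org"       # assumption: a domain whose mail you receive

def alias_for(entity):
    """Derive a stable, non-guessable address for a single entity."""
    tag = hmac.new(SECRET, entity.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"c{tag}@{MAIL_DOMAIN}"

class Ledger:
    """Record of which address was given to whom."""
    def __init__(self):
        self.issued = {}  # alias -> (entity, domains expected to send to it)

    def issue(self, entity, sender_domains):
        alias = alias_for(entity)
        self.issued[alias] = (entity, {d.lower() for d in sender_domains})
        return alias

    def classify(self, rcpt, sender):
        """Return (verdict, entity the alias was given to)."""
        entry = self.issued.get(rcpt.lower())
        if entry is None:
            return ("unissued", None)  # never handed out to anyone
        entity, allowed = entry
        dom = sender.rsplit("@", 1)[-1].lower()
        # Accept the entity's own domains and their subdomains (mail.a.example).
        if any(dom == d or dom.endswith("." + d) for d in allowed):
            return ("expected", entity)
        return ("leaked", entity)  # given only to `entity`, used by someone else

def audit(ledger, messages):
    """Map each entity to the foreign sender domains seen on its alias."""
    findings = {}
    for rcpt, sender in messages:
        verdict, entity = ledger.classify(rcpt, sender)
        if verdict == "leaked":
            findings.setdefault(entity, set()).add(sender.rsplit("@", 1)[-1].lower())
    return findings

# Constructed sample: (envelope recipient, envelope sender) pairs.
LEDGER = Ledger()
A = LEDGER.issue("entity-a", ["a.example"])
B = LEDGER.issue("entity-b", ["b.example"])
SAMPLE = [(A, "news@mail.a.example"), (A, "promo@b.example"),
          (A, "x@bulk.invalid"), (B, "support@b.example")]
```

A "leaked" verdict is a lead to investigate rather than proof, since sender addresses can be forged and entities often send through third-party mailers; list those mailers in `sender_domains` when issuing the alias.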
