Searching For Trouble With Google
achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999"' and other 'risky data' from careless users, such as QUICKEN files etc."
...it's called natural selection. Survival of the fittest... if people are that dumb to put stuff on the internet, so be it.
FLR
This was on bugtraq a week or two ago:
Check it out and there was a discussion of it a few days later.
Someone actually has a whole forum dedicated to finding things you can do with google here.
Apparently this was even a DEFCON speech subject.
This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.
-- Sorry, I can't think of anything funny to say here.
I feel sorry for 'Haley' and others with their Quicken files being shown to all of /. and presumably friends etc. I wonder what the 'reach' of the slashdot crowd is when it's a "You're not going to believe this!" story...
Simon
Physicists get Hadrons!
Looks more like Google found forums where people were swapping credit card numbers.
Good thing I've got a Mastercard then :)
This is the sig that says NI (again)
is that you can search for ranges of numbers like that in google. That's pretty neat.
I think there was a similar /. article a while back. Do a google search for "googledorks" to find out what additional kinds of data are accessible.
Is Google liable for harvesting and publishing sensitive information? If a neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on a website?
Also, maybe those numbers are traps to catch people? Surely you need those goods to be sent to an address and someone has to eventually pick it up.
Uselessful technology (Air-Charged
There are only 23 matches for that search, most of which are dups!!! This is an artificial problem, which even if it existed, would have been problem of individuals who were retarded enough to post their credit cards in plain text on publicly accessible websites. Oh wait - they serve useful role in life - they serve as an example to others!
Very popular is the search for "Welcome to phpMyAdmin".
This will give you some nice databases to browse through.
How many people dug out their own Visa cards and googled for the number? :-) I managed to stop myself.
All interpreted languages are abstractions over Lisp
Having google blocked (presumably from google's end) from this is just security through obscurity. Well it's not even that really, it means there is (1) stuff available in plain text which is a part of a website's (2) public access AND (3) for one reason or another has searching enabled. The problem is part 1 and/or 2, the symptom is 3. Cure the problem, not the symptom.
Was kinda scary the first time I tried it.
Not getting just credit cards, but other nice little things.. New Order
Just tried google for a SSN search as well. Same thing, you get a list of results within that social security number range, along with names, and addresses.
I just can't figure out why people would be victim to identity theft.
...as a result of blogs. The stuff I've posted in my various blogs would pound me to a paste in any sort of political election.
For now, it'll only be the foolish adult politicians who say things in their blogs that will come back to haunt them in their careers. Combine kids and blogs, and you'll have a public record of your childhood behavior.
Obfuscation may have allowed people to be sloppy with their data exposure until now. But that is no excuse for people being lax with their own data security.
The Internet is built by its users. The responsibility for protecting data lies squarely with the users at the edges.
Just ordered a computer that can actually play Doom 3!
Thanks Slashdot!
Check out the cached version of the third link and look in the text box. Hopefully it's not any of you... google link
I had trouble believing this, so I downloaded one of the .QDF files from the referenced link. I am feeling completely sick. This guy's checking account number, credit card number, and meticulously-maintained transaction history are sitting on my computer.
It's way too late to warn these people about the files. Their current identity is toast. So is their credit for the next seven or so years.
Is there anything we can advise these people to do to minimize the damage at this point?
Hoping to find thousands of results i did this ;)
fifteen jugglers, five believers
Don't publish this on ... hey!
Who needs P2P?
Now I can afford that new notebook after all!
sigaar
I believe it was covered on Slashdot before...
However search Google for cool stuff like:
"Index Of" "My Documents" "Last Modified"
You can see plenty of people's documents, about 1300 or so results.
Linux is less fun:
"Index of" "/etc" "Last Modified"
What can you do with this though?
Get your Unix fortune now!
of the VISA/Google search is that VISA is a sponsored link. Kind of like Microsoft advertising on a website that bashes it for its security holes...wait a minute...
This is EXTREMELY old news, shame on you, timothy for approving this story!
FYI, there has been so much discussion going on about this topic in all sorts of forums that what you are likely to find on Google now using such queries is discussions on this topic rather than actual credit cards numbers or other sensitive info.
A new type of Google alert should be released that will inform about these things, that a new Google exploit is released and you should do something!! Does Google care about these things?
From google's cache:
[cached from saigonchat.org]
Looks like a list of poor bastards who have had their CC info stolen and posted for all to use.
Thanks Slashdot!
convert 29 fahrenheit to celsius
or
pi=
or
define: hubris
google's got neat tricks
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
If you think searching for quicken files is scary, then try Access Databases especially poor fools who have left the fpdb directory open (why put a private database in the websites directory structure anyway).
I sought for my credit card number on Google.. Is Google indexing our search key words?? Doh!! Now everybody can find my creditcard!
From the google search linked, there's a reason that those forums are crawling. Actually, mine is still trying to connect to the server.
/. geeks gotta get their pr0n, after all.
Lot of
Just in case a website decided to take an offending page down, google's cache is there to the rescue.
The sad thing is that now people will be Googling for their credit card numbers to be sure they're 'safe', but doing so means their credit card number will show up in the list of things people are Googling.
"Index of" mp3
gives you access to rather a lot of files. You can also replace mp3 with various other suffixes for added fun.
Don't forget that removing the filetype and including "site:yourdomain.com" will allow you to quickly check if any of your folders are visible to the world that shouldn't be.
Avantslash - View Slashdot cleanly on your mobile phone.
A lot of people can't/won't learn. I cross paths with people who don't want to know a damn thing about computers, they just want to use them.
I think the future model that works is that people will have to get 'experts' to do the tough stuff. Security, performance, reliability, etc. Everything the salesweasel said was automatic.
eric
None of my credit cards numbers begins with '4366'!!! ;-)
Another good one is searching for copyright phrases found on front pages of eBooks such as O'Reilly CD Bookshelves. People seem to put up their eBooks for their own convenience. OTOH publishers seem to be doing a bit of Googling of their own, as they tend to be taken down pretty soon. Nothing that a quick WGET won't handle...
I'm sorry if I haven't offended anyone
Guess what - someone who isn't a /. reader is:
Probably the ones most vulnerable to Google mining (for lack of a better term)
The ones least likely to know what a robots.txt is, what it does, and how to utilize it to prevent stuff like this.
You better watch out, there may be dogs about . .
Norton DumbWall 2004
Featuring:
Order now and get a free drool-bib.
"Proudly Posting Without Reading The Article"
Thats my credit card number!
"index of /admin" site:.gov
Pwned!
http://www.google.ca/search?hl=en&ie=UTF-8&q=Welcome+to+phpmyadmin&spell=1
This could be good in finding websites that illegally publish this content.
With this search in google:
Mastercard 5000000000000000..5999999999999999
I found this russian site that published American credit card information with expiration dates, names and addresses:
http://kupi-cc.0golf.com/halyva.htm
Scary stuff. I would prefer Google to find this information so that I can type in a simple query and see where my information is being wrongly published than not knowing at all.
I'm surprised at how easily you guys assume other net users are simply so dumb? Let's be a bit more humble and take any news/comment with a grain of salt. If you try the search suggested, you'll see some sites were Russian forums exchanging credit card numbers they illegally obtained.
Besides, who would ever take the time to post one's own credit card numbers on the net? It's dumb to assume someone did that by themselves, frankly. I can only imagine someone might have got their card lost and the number got into those illegal forums, or someone put the number in an email to a CS representative and the email got put into a FAQ, or scenarios like that.
On a lark, I've tried searching P2P (in this case, Kazaa), for things that people have inadvertently made available. The things I found were jaw-dropping. Beyond the expected credit card and finance information, I found patent applications, doctoral dissertations, corporate documents, etc.
I'm pretty laissez faire on this one. If you leave your keys in the car and car running, the insurance company won't cover its theft (or at least, so goes the lore). Same principle applies here, I think.
-db
This person uses a lot of (paraphrase) "I haven't seen it myself, but I am sure real numbers are there."
Unless this person can cite a real case then all he did was show us test files (as he claims he has seen)
I mod down so you can mod up. You're welcome.
NOT WORK SAFE!
NOT WORK SAFE!
NOT WORK SAFE!
Gah! And here I thought I wouldn't be so stupid as to not realize what kind of link that would be.
(pounds head on desk repeatedly)
(no one notices since it's part of my job requirement)
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
But if you read everything like you're supposed to when installing something, you won't need to be surprised by it.
This doesn't have to be a bad thing. Imagine the positive applications of this knowledge in the area of web forms. Most membership/shopping cart sites have a link that you can click to retrieve your password in the event that you forget it. Soon, shopping carts will have a link that you can click if you forget your card number and it'll look like this:
Forgot your credit card number? Click Here
At this point if I were someone looking for a free credit card, I'd probably go at least a few down in the results, I'd like to think that the top 20 or so are plants by law enforcement by now...at least I'd hope...
...in bed
This one's nice too. (Need to go beyond the first couple of pages.)
I know a company where they made the home directory web-accessible, and regularly logged into mysql like this.
Mind you, they also sent their servers' root passwords out over email.
Fuckwits.
I hope everyone knows that google (and other spiders) can be blocked rather easily.
See the URL below for a robots.txt tutorial:
http://www.searchengineworld.com/robots/robots_tutorial.htm
It is still possible to share files on a web server without search engine exposure.
Looking for
Welcome to phpMyAdmin x.x.x
MySQL x.x.x-log running on localhost as root@localhost
or parts of it can also be fun.
I'm not sure about legal stuff, but if you were not supposed to have access, there would be a password, I'd think...
Privacy is terrorism.
I have recently found google to be great for finding .torrents
.mp3, .pdf --- just about anything you can think of in fact..
eg
red-hat torrents
or
fonts
other filetypes that work
Electronic Music Made Using Linux http://soundcloud.com/polyp
DoH! didn't think about that ....
ehhehehe
actually, I didn't input the entire number, I omitted the last four.
If you look like your passport photo, you're too ill to travel. - Will Kommen
This one was just crazy!
Beware: In C++, your friends can see your privates!
Any website that accepts credit card payments worth using will require an AVS number and address.
As for coding these numbers on to other cards and using them in bricks and mortar shops, you would hope that the shops check that the embossed number matches. If they have checked all this, under UK law anyway, the CC company is liable.
With chip and pin cards being introduced across Europe CC numbers are becoming more and more useless to criminals now.
----
Hasn't anyone heard of using a robots.txt to block web spiders? If people are stupid enough not to, then their hidden data is just asking to be found by anyone. That's my 2 cents.
Well anyone who runs a server and cares about security should not allow indexing of their directories.
:P
How stupid can you be?
Try this one, for "Visa 4366000000000000..4366999999999999"
What a great idea, now I can read the cached version of the article while the original gets Slashdotted :)
that's pretty funny, i never knew that, thanks ;-)
;-P
i see they got Douglas Adams fans at google!
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Not only blogs. I'm sometimes surprised at what is still available on Usenet archives... I found some posts of mine from back in 1996, by searching with Google on groups.
...into complete financial oblivion, any 2nd or 3rd party who is careless with our sensitive data.
I guess I don't have any mod points...
This has been talked about on blogs, on the Security Focus mailing lists and at several conferences, at length, for months now.
In fact the searches don't really even work anymore because the results all return articles, stories etc. about how easy it is to find this stuff.
The Anti-Blog
This has been fairly known and Johnny had great presentations in the last Blackhat and DefCon that really shook you up if you were not aware of the "Power of G"...
Very cool, a lot of very stupid people (from the phpMyAdmin, to the WebDAV-Frontpage passwords, all the way to nessus and ISS scan results...).
get a free ipod! This really works. (Free gmail invite to the ones using this referal and completing the offer!)
Although there may certainly be some egregious privacy issues found by Google search, he provides little solid evidence.
It seems he was far more concerned with making his 5 cents per word than providing a compelling case.
-- Scientist: You aren't going to leave me here, are you? Boagh! Thump...
Yes and they also mentioned that this wasn't as big a deal as people think.
For one, the valid credit card numbers will rapidly be made useless as 3rd parties use them and they are cancelled. The bottom line is very few customers will be liable for any of these fraudulent transactions.
The majority of the credit card numbers are on semi-underground script kiddy sites, where they are posted to gain cred or access to pr0n. I'd like to bet that most of these are invalid or the product of a credit card number generator.
Lastly this article implies (and a number of posters here) that the credit card numbers found are the result of carelessness by credit card holders on the web and therefore it is their own fault. This is not the case. Google did not expose any mass stupidity by internet users, it simply exposed some of the sites that harvest credit card numbers.
Unfortunately there isn't a good way to search for URL strings like this:
http://gmail.google.com/gmail/a-e00073f786-289e26b40f-c8a84ba388
But once someone figures out a way
... EVERYONE will have Gmail!
--
Until then, five of you can hit me up at kevinomara at gmail.
Yesterday I walked by an ATM machine just seconds after a guy left it - his card was still in the machine and it was at the screen where you can either quit (and get your card back) or carry on another transaction. As I have a guilt complex the state of Utah, I got his card out and chased him down the sidewalk.
point being: debit/credit cards are insecure in the real world, too!
Did anyone else notice the 'Terrorism forum' on the second page of results from Google search link?
What's that all about then? Is it anti, or pro terrorism?
Why not search for "credit card filetype:sql"?
Seems that everything, except the personal information posted by a third party, can be summed up by a simple common acronym: RTFM. Ignorance of the law isn't a defense -- neither should be not reading the manual.
Sometimes I wish computers were less friendly.
It would be nice to think that the smart guys at Visa/MC/Amex/et al have bots crawling search engines for CC numbers and that they immediately cancel any compromised cards.
I happened to run across a guy discussing his career moves and some other somewhat sensitive items. I had put in a couple of company names in Google and up popped his blog.
One should try and be a bit more anonymous or general when blogging.
Another way of searching for trouble with google.
For those who don't read Russian:
The page says that these are just examples of the info they could sell to you; the cards are not "working".
Did youse guys actually *see* what these sites are? When I hit the link, the first five sites were TERRORIST FORUMS.
Now whether these are for real or not, I don't care. That frightened me more than some a**hole 12 year old buying kewl crap on my dime...
"Parent directory". That Google search is the most fun you can have with your clothes on.
There are banks offering special 'web credit card' services. They issue credit card numbers that are valid only for a single transaction. After the transaction has taken place, the number expires. Even if a site would have serious security issues, allowing someone to see all the credit card numbers they ever received from people, these single-transaction numbers would be worthless to anyone finding them. Of course ultimately a website shouldn't ever receive credit card numbers, but instead relay credit card payment to a bank and then communicate with that bank to see if all went well, but that is another issue.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
The problem is also people who share their entire hard drive contents... email inbox files anyone?
When I used to use Kazaa, I deliberately left two text files in my share directory called 'mastercard details.txt' and 'visa card details.txt', with some colourful language contained within (so they weren't zero byte size)... not surprisingly I got quite a few downloads too! plus I got the satisfaction of them reading my little message (maybe I should have given them some goatse ascii art!).
Are you local? There's nothing for you here!
First googleon the link in the article points to a news article on eWeek. The date on the eWeek article? August 30, 2004
Um... news?
http://efil.blogspot.com/
Quite honestly, the first thing I do if I see a girl I'm interested in on a dating site, or if someone from such a place approaches me, is googlestalk the username they use. As "faux pas" as it sounds, most people have a very small or nonexistent internet footprint. It's not like I'm digging through their purse. But it's nice to see if a girl posted on alt.bondage or alt.herpes. If someone is silly enough to leave that kind of info wide open, I think of it as a "primary screening" more than stalking.
Actually, at least here in Canada, the insurance companies have to cover you even if the keys are in the ignition--theft is theft. I know this because my father just went through getting his truck stolen after leaving the keys in the ignition.
:)
The insurance companies will try to bully you into thinking that they don't have to cover you, but they do. However if they can convince you that they don't have to and you just go away then they don't have to pay you. This is the usual course of action.
Luckily my father has a good insurance broker who knows the law and wouldn't let his client be bullied. It's astounding what insurance companies can get away with.
This of course after them pleading poor to the Canadian government only to report record profits a couple of months later. What's $2.6 billion among friends? Now that is in Canadian funds but it still works out to about $100US or so
I'd like to see more of that kind of thing, preferably all of the following as options:
"Good everywhere all the time, with no control at all" just seems like a bad idea. But since banks either shit on the consumer or the merchant when it comes to fraud, they have little incentive to secure the system. When they pass the new bankruptcy bill in congress, even shoddy lending practices will be given a pass as well.
A while ago SOME GUY ON IRC's personal Cabletron switch puked out, so SOME GUY ON IRC needed a new firmware image. Lo and behold, SOME GUY found an account via Google. Some school posted theirs online. (Cabletron makes overpriced gear sold to gov't mainly; you can generally get enterprise-level huge switches on eBay for $5, since it doesn't carry the Cisco name.) Oh, that was a lucky find, since hardly anyone uses Cabletron (now Enterasys) equipment, it is hard to find unlike Cisco CCO accounts.
Google rocks! Don't forget to google for your FLEXLM license files for your Solaris and similar systems, or your crusty Digital licenses for VMS, OSF/1, etc.
Southeastern Virginia REPRESENT!
A security focus article with many other ideas and a complete web site about google hacking. Happy searching :)
Search for "C:\Documents and Settings" on Google's Uncle Sam sub-search, here.
This is sort of like what eBay did through paypal. Well, at least until they _bought_ them. I guess that sort of relationship worked out (other people still use paypal as an external transaction processor).
But whoever steps up to the plate is going to have to offer a more compelling offering than whatever current credit authorization services can provide.
It's got to provide realtime feedback as to account status and such (for the vendor), or something.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
That's amazing! I've got the same combination on my luggage!
Soon enough all valid Visa numbers will be slashdotted by orders at ThinkGeek.
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
"real security and ease of use"? That's a contradiction in terms. Any system that's easy to use is almost certainly easy to crack (hint, the crackers have as easy a time as the user).
I completely disagree. While the implementation of a secure system may be incredibly complex, it does not necessarily follow that the system will be difficult to use.
The secure shell protocol may be complex, and require a good understanding of communications and encryption algorithms to develop, but I have no problem using putty! -- Grouper --
Search for 'french military victories' and click the 'I'm feeling lucky' button and prepare to laugh.
Some people have more time than I do.
If I purchase something over the internet and get taken for a ride, I have to rely on the Banks to resolve the issue. Especially if I decide to try and return the item for whatever reason.
If I purchase something at ABC widgets store, going face to face with him while bringing my cousin Bruno will get results a lot faster. It is also a lot more fun .
I'm always finding files on p2p networks that people either didn't know were available to the public, or had no idea what was in them.
.sql, also simple things like "phone" "password" "address" work too.
Next time you're on a p2p, search for Access files, Excel, QuickBooks,
Same thing really as with google where people had no idea what they were doing, and gave access to sensitive information to the public unknowingly.
TruePunk | Games
Suppose I wanted to check to see if my vital info was released by some careless or malicious person(s). I might consider going to Google and doing a search. BUT, I'd have to use that private data for the search. Once that is done the data has been released, and possibly stored in some in-the-clear query history.
So how might I be proactive and research the issue, without revealing the info?
True friends are hard to come by... I need more money. - Calvin
this was discussed at defcon, was on bugtraq within a day or two of that and now you're calling it news?
...is the price of a cheese pizza and a large soda at Pinnuci's!
Facts do not cease to exist because they are ignored. - Aldous Huxley
(for those of you who don't know, the Razor states "Never attribute to malice that which can adequately be explained by stupidity.")
Facts do not cease to exist because they are ignored. - Aldous Huxley
How can you say if people are dumb enough then they deserve it? What if the person dumb enough to put it on the net or through some sort of open port on their computer connected to the net has you or your family's credit card and/or social security data ready for everyone to take a look at?
I don't think you'd be so quick to shrug it off and sneeze at it.
Well, read the end of my post. I was referring to average or below average computer users, not geeks or the computer literate. Undoubtedly most of the Googlable* private info came from the Joe Public crowd, and these people have a hard time with data security. My disagreement with the grandparent was over the implementation of widespread or universal security (of course I may have misunderstood his point, but mine still stands).
*I have no idea whether "Googlable" is a word, and my spelling is bad enough with normal English, but I think I spelled that right
Erotic is when you use a feather. Exotic is when you use the whole chicken.
surprised the secret service is not knocking on the door of slashdot's parent company about now. This is dumb. Even if there were other people publicizing this originally, etc. etc., still slashdot's editors have willingly made sensitive information public.
What happens if fraudulent use of a credit card is ultimately found to be due to slashdot publication of said cards? It's not like this is news at all, the problem's been around for decades. Just now some dumb kid who wants to be a writer and look cool in front of other geeks has provided tons more reach. Or does slashdot believe only "nice people" access their website. as if.
That you can use perl syntax (ellipses) for a numerical range is interesting but not particularly relevant to anything except self-serving "exposes" like this one. How about some news for a change? You can look at some of the other things people have submitted but not had published after getting caught in your "value" filter. hmph!
I don't read Russian so I don't know what the context is, but the Mazafaka site that comes up in the Google results seems to have info on real people in it. At least I am able to find them through Yahoo people search and get the same addresses. Perhaps the credit card numbers are real as well?
Lasers Controlled Games!
That search yields just 6 hits, one of which is an eWeek article on the same topic - "do a search for #### visa on Google."
Navel-gazing, anyone?
Or maybe it was a slow news day, so they created their own story...
Try doing a search for password type:*.txt. The results are a bit more interesting.
As an artful and resourceful african i just cant wait to explain this new concept to My good friend Mr Omondi.
I just called all the people on one of the lists linked here and either left a msg or explained the situation. Took about 30 minutes. The clearest way I found of convincing them was to tell them how to do the Google search themselves. For most of them, their name in quotes and the word "MasterCard" or whatever brought up 1 page, the page with their info on it. I got many answering machines and disconnected numbers, but a few thanks as well.
Anyone know what that 481 on the signature strip is for?
It actually depends on what the name is on the front of the card. It has different meanings for different names.
Yours would be.... ?
--LordPixie
I once found some very interesting stuff using Google. Basically, it was all to do with the fact that customers of an online service (which my place of work used to use) were trying to use client-side scripting to do something that should have been done by server-side scripting; so their web sites were full of JavaScript (which some people still think is secure). The sites also necessarily linked to the central server, and were giving away information in cleartext that really was not meant for public consumption. Because there were these links to the central server script -- complete with the variable names and values in the query string -- on several pages on the clients' sites, Googlebot found them and indexed them. (THE PROPER WAY would have been to bury the variables which dealt with authentication in a local CGI script, which would then call the central CGI script. Authenticating to the local script is left as an exercise for the reader. At any rate, damage is inherently limited because the attacker does not gain the actual authentication tokens; only the chance to do whatever limited acts the site's programmer has chosen to allow.)
I am not saying any more. My boss told them what they had done, they know who we are and there could be repercussions. But anyway, I'll google for the same information again in a few months' time and see if it's there. If so, I might do a write-up. In my book, if you leave your valuables lying around where you know there are thieves, you deserve to be taught a lesson -- and you should be glad with knowing that your valuables are being taken care of by someone like me, rather than broken by some of the thugs out there.
"outlook.pst" filetype:pst
Discover card has a solution to this problem. Their software sits on your desktop with your credit card information. When you want to pay anything online it creates a one time credit card number which can be used to pay to the merchant. Seems like a good solution. I think everyone should implement a solution like this.. here is the link by the way
https://www.novusnet.com/cardmembersvcs/personalprofile/pp/SafeOnline
When you search Google for your own CC#, you associate it with your IP#, and therefore other traffic, that can be read by sniffers on the Internet. Even if Google didn't have your CC# in their index, you've now advertised enough info for a bad guy to clone your identity and rip you off.
--
make install -not war
I just called all the people on the list linked here and either left a msg or explained the situation. Took about 30 minutes. The clearest way I found of convincing them was to tell them how to do the Google search themselves. For most of them, their name in quotes and the word "MasterCard" or whatever brought up 1 page, the page with their info on it. I got many answering machines and disconnected numbers, but a few thanks as well.
MBNA has ShopSafe
Citibank has Virtual Account Numbers
Discover has Discover Deskshop
even American Express...
This is *nothing* new
I filed a case with the FTC's fraud clearinghouse, filed a complaint with the FBI's fraud group, and called the guy who hosts it. At first he was like "yeah yeah.. send a msg to ...", then I told him there was a case filed with the FBI's consumer fraud group. The page was gone in seconds and is now 404. The page is still in Google's cache, and I've put that search query in my FBI submission. LOL! Interesting morning.
For Visa, I did this one and got 2450 pages of listings of credit card numbers. Doing the same for MasterCard returns only another 481 pages - not just card numbers, but web pages containing numbers - and some are test pages to demonstrate how LUHN codes work, but I don't think they all are. Oh, let's not leave home without American Express, where we can find a whopping 7,780 pages of listings!
I don't think they are all tests. Some include the number, expiration date, plus the name, address and telephone number of some people who apparently placed orders on-line. A great way to commit fraud or implement identity theft, wouldn't you say?
My guess is that if you called some of these people you would find out that yes, that is their credit card number and they had no idea it had been exposed.
Oh, I forgot to troll for Social Security Numbers. Now that returns 7 million pages, most being things like zip codes and such, but it wouldn't be hard to do that by redoing the search on an automated basis by inserting the '-' where appropriate and generating several thousand searches. At random I picked a range and tried all Social Security 301-01 numbers, and got 115 pages. Not only that, but the text ad from Google was for a company that offered on-line searches of social security information! Very helpful too!
Paul Robinson
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
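Added example, not code from any poster in this thread: the post above sorts Google hits into "test pages demonstrating LUHN codes" and real exposures by eye. A web team can do the same check mechanically over its own pages before Googlebot does. This Python scanner normalizes the spaces and dashes people type into card numbers, keeps only digit runs that match a well-known issuer prefix and pass the Luhn mod-10 check, and reports only the last four digits so the scan log does not itself become another exposure. The sample page text, names and offsets are constructed for the example; the card numbers in it are the published issuer test numbers plus the lower bound of the Visa range quoted in the article.

```python
"""Scan page text for exposed payment card numbers (issuer prefix + Luhn)."""
import re

# Public IIN ranges for the issuers the thread discusses (prefix and length).
ISSUERS = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),          # 13 or 16 digits
    ("MasterCard", re.compile(r"^5[1-5]\d{14}$")),         # 16 digits
    ("American Express", re.compile(r"^3[47]\d{13}$")),    # 15 digits
    ("Discover", re.compile(r"^6011\d{12}$")),             # 16 digits
]

# A candidate is 13-19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run (so a 20-digit id is skipped).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string satisfies the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk right to left; double every second digit, starting with the one
    # immediately left of the check digit, and fold two-digit results.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identify_issuer(digits: str):
    """Return the issuer name whose prefix/length pattern matches, else None."""
    for name, pattern in ISSUERS:
        if pattern.match(digits):
            return name
    return None


def mask(digits: str) -> str:
    """Keep only the last four digits, as a PCI-style log line would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str):
    """Return masked hits for every candidate that looks like a real card number."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        issuer = identify_issuer(digits)
        if issuer is None or not luhn_valid(digits):
            continue  # phone numbers, ISBNs, zip codes and Luhn demo pages drop out
        hits.append({"issuer": issuer, "masked": mask(digits), "offset": m.start()})
    return hits


# Constructed sample page: issuer test numbers, one deliberately broken check
# digit, and assorted non-card digit strings that should not be reported.
SAMPLE_PAGE = """\
Order #1029 confirmed for J. Example, card 4111-1111-1111-1111 exp 01/06
Visa range from the article: 4366 0000 0000 0000
Luhn demo page: 4111 1111 1111 1112 is NOT a valid number
Contact: 555-867-5309, zip 85001, ISBN 0-596-00724-4
Amex on file: 378282246310005
"""

if __name__ == "__main__":
    for hit in find_card_numbers(SAMPLE_PAGE):
        print(f"{hit['issuer']:17s} {hit['masked']} at offset {hit['offset']}")
```

Two things the run shows: the phone number, zip code and ISBN never reach the Luhn check because they fail the length and prefix filters, and the broken-check-digit line is dropped even though it looks exactly like a Visa number. The caveat cuts the other way too: the lower bound of the article's Visa range, 4366000000000000, passes Luhn, so a passing check says "plausible", not "real". Treat the output as a list to verify against the order system, not as proof of a live card.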
This appeared on bugtraq, which was ripped from a website article about a presentation given at defcon or blackhat.. Sheesh.
Microsoft aggravates my tourettes syndrome.
Try a google search with the name of any large company followed by the word CONFIDENTIAL. That should make the security departments of some companies lose a little sleep.
http://help.yahoo.com/help/us/ysearch/tips/tips-01.html
* Airport Information
* Airline Registration Information
* Area Codes
* Calculator
* Dictionary Definitions
* Encyclopedia Lookup
* Exchange Rates
* Flight Tracker
* Gas Prices
* Hotel Finder
* ISBN Numbers
* Local Search[new]
* Maps
* Movie Showtimes
* News
* Packages
* Patents
* Sports Scores
* Stock Quotes
* Synonym Finder
* Time Zones
* Traffic
* UPC Codes
* VIN Number
* Weights, Measures and Temperatures
* Weather
* Zip Codes
SIGUSR1
In fact, there wasn't isolation in the original example that inspired Darwin to pen 'The Origin of Species'. All of the finches on the Galapagos were assumed to come from the same original species, possibly as little as a few pair.
Have you been touched by his noodly appendage?
If you find something of yours that shouldn't be online, and you have access to the server, the best thing to do is put up an empty document with the same name.
Contacting google to remove their 'hit' on it could take a while, and remember--there *are* other search engines out there. If the doc just disappears, it'll stay in Google's cache (and who knows who else's) for who knows how long.
However, if a doc with the same name and same location still exists but has little, no, or bogus data, the engines will suck up this new worthless copy the next time they come 'round and the good copy in their cache will be overwritten with the new worthless copy.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
shamelessly ripped from PayPal's website:
What is a Card Verification Number?
The Card Verification Number is a security feature placed on credit cards and debit cards to ensure that the person entering the card number online or over the phone has possession of the card.
Facts do not cease to exist because they are ignored. - Aldous Huxley
"in.mbx" filetype:mbx
"Index of /private"
...
that turns up a few things
i got the same answer here
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
That shows up bad on your credit report.
Hollow words will burn and hollow men will burn.
Some of these may very well be debit cards. So I'm quite sure there are at least a few cardholders at risk here.
If other reasons we do lack, we swear no one will die when we attack
I'm not sure every corner of the net heard that.
See: Check Clearing for the 21st Century Act
Information Week raised some of the issues: Quality vs. Deception in Managing IRDs
I can be found @ 127.0.0.0
I left out that you won't be able to use the original check for proving forgery or alteration, since it may (read: probably will) no longer exist!
I can be found @ 127.0.0.0
NWS! I didn't check the reply first! :(
The merchant takes the risk when someone uses your card. When Joe Sixpack gives his card info out to a phisher, and said phisher orders from a merchant, guess who's left holding the bag? The merchant.
Signed,
An Internet Merchant
Really, I'm not trying to be clever with my signature.
http://seewhatyoushare.com/, as covered on Slashdot before, has a pretty good round up of sensitive and sometimes CLASSIFIED documents found on P2P networks.
Interesting, no?
...unfortunately no one can be told what The Mat^H^H^HGoatse is...they must experience it for themselves...
(This does not apply for cardholder-present transactions, where liability is different.)
After someone dies, their SSN is listed in the SSDI - Social Security Death Index. I googled SSNs, and pretty much all that came up were genealogy entries; relatives enter the SSN just for identification purposes. So that's fine.
Handy to see if your card number is out there, search for a range in which your number is and your last name.
One thing I don't think I've seen mentioned yet, though, is that everyone is assuming that people choose to post the data in question. While this is probably true to a large part, it is by no means always the case. Some of the data may have been stolen due in no part to the victims (hacked website, disgruntled employee at a bank, etc.) and was then posted.
Vote Quimby.
try typing
intitle:index.of mp3 coldplay
things like cv.doc also give really embarrassing results, as 4,770,000 sites still give nice browsable results.....
See http://johnny.ihackstuff.com/ for details
Message from god, Please logoff, rebooting the Universe
...I'll just wait for the astute "summary" from Roland Piquepaille (aka, F-ckyface). What a tool.
'nuff said.
It is a completely voluntary program on the banks part:
The law does not require banks to accept checks in electronic form nor does it require banks to use the new authority granted by the act to create substitute checks.
I may be mistaken, but I could swear that possession of stolen credit card numbers is a crime. I "know" I've seen news stories about ID theft rings getting busted for the _possession_ of stolen credit cards and related info.
Now I do one of these Google searches, go to a page that has these numbers, names, addresses, etc. It's now in my browser cache of my laptop.
Some law enforcement person currently engaged in generating revenue for the city/state pulls me over for doing 45 in a 35 zone. As legally my car can be searched, they find my laptop and make me start it up. This guy decides to see what I've been looking at because of "kiddie porn" and stuff he's seen and he figures a +10 ticket is not enough to justify getting out of his cruiser on a 110 degree day in Arizona.
He discovers in my cache these "Stolen credit cards"
What happens then?
This may be tinfoil hat stuff, but maybe not. Kafka wasn't completely crazy.
What I don't know I just fake...
Considering the examples the writer used, such as Visa numbers and Quicken files, did you notice there were only about 22 results apiece? Now take that number from the total amount of web pages crawled (4,285,199,774), and you'll have a nice percentage that tells you exactly how many people include insecure web page content. ...not many
The point is moot anyway. I did some further digging through the Federal Reserve site and found out (buried in their regulations for implementing the law) that it can't be used with ACH, as it requires an original check to create a substitute one.
The Federal Reserve Board took comments from concerned parties in formulating the regulations (many of which were the same as my concerns about fraud and forgery) and specifically added regulations to address them. I don't know if they covered every possible huckster's scheme, but enough of them to (pardon the mixed metaphor) take enough wind out of my sail to get me off this hobby horse...
If anyone else out there has any curiosity: Check 21 Regulations & Comments as PDF
I can be found @ 127.0.0.0
I worry, now that it's on Slashdot, a certain Visa search will end up on Zeitgeist for sure!
I wish one of them (Google or Yahoo) would allow typing in an IP address and getting the whois results.
Wanted: witty unique signature. Must be willing to relocate.
Sorry, this is completely off-topic, but when I pulled up this story the rotating ad landed on a Microsoft ad - here's a screen shot of what I'm talking about: Microsoft Ad
Is it just me, or does that whole concept seem ludicrous? I suppose it makes logical sense, in a twisted kind of way:
"At Microsoft, our programmers encounter security vulnerabilities each and every working day. Our experience with security is second to none! Not like those silly Linux dweebs who hardly ever see a security vulnerability. Who would you rather go to for security advice - a programmer who has never ever encountered a security hole, or seasoned programmers who run into security holes all day long, every day?"
That tag line should read "Go to microsoft.com today and get a free virus!"
-- *My* journal is more interesting than *yours*...