One Man's Trash is Another Man's Treasure
Read this article, which gives another perspective on improperly disposed-of items and why they are valuable to dumpster-diving attackers.
An old bit of wisdom says "One man's trash is another man's treasure". While this also holds in its original, general sense (old items can still be of use to somebody), it has a special meaning in data security.
Sometimes, important material ends up in the trash accidentally. More often, however, it is thrown out by people who do not realise its value. Whatever the reason, dumpsters can contain rather interesting material (and, as the photos in Johnny Long's book show, sometimes no diving is even needed).
Probably anyone would understand the security risk if a discarded document, picked up by a stranger, contains someone's password. Seemingly less obvious cases can, however, be just as dangerous. For example, a job-seeker's form partially filled in by a system administrator of a major defense contractor might be of interest to an agent of a hostile foreign power (disgruntled employees are easier to bribe). Payment invoices can point to shady transactions. Even a department staff list with room and internal telephone numbers can be a good starting point for a social engineering scheme ("Hi, this is James from accounting, room 116. My boss, Mrs Peabody, asked me about <something of interest>, could you help me with that?").
A special case worth mentioning is the "yellow sticky note" (aka Post-It and other fancy names). They are often used to write down important bits of information and are stuck in some easily visible place. On the one hand, they often contain information that should NOT be that visible. On the other hand, the glue holding them in place tends to wear off after a while, the note slides down and often ends up somewhere out of sight (e.g. between a table leg and a wall). Depending on the janitor, the next step may be one of the following:
- the note is returned to the table for the owner to find
- the note will remain where it is
- the note ends up in the dumpster (for someone else to find)
- the janitor has some interesting ideas about what to do with the found information
The last two options can spell a lot of trouble.
As with other similar activities, countering dumpster diving starts with raising awareness. People should know what kind of information is sensitive and what the consequences of a leak may be.
Second comes protocol: clear rules must exist for handling at least the kinds of trash that may contain data.
Physical protection - mostly locks, on rooms, trash depots or even individual cans - helps too. In some places it also helps with another problem: obnoxious neighbours 'optimizing their costs' by dropping their trash into others' cans.
Physically destroying sensitive documents is increasingly a must. Paper shredders are available at a range of prices; care must be taken to get one with a high enough shredding density, as some cheaper models produce strips of paper with legible text.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.