Dumpster diving represents a key attack method that preys upon a significant failure in computer security: the very information that people covet, protect and dutifully secure can be attained by almost anyone willing to sift through garbage. This low-tech attack type has many implications, most of which will be discussed in this paper.
Dumpster diving was actually quite popular in the 1980's, due to less security than there is today. The term refers to any general, useful information that is found and taken from areas in which it is discarded.[1] These areas include dumpsters, trash cans, curbside containers and the like, from which information can be obtained at no cost. Malicious and/or curious attackers may find manuals, password files, diskettes, sensitive documents, credit card numbers, receipts, or reports that have been thrown away. Simply put, the examination of waste products may be helpful to another, and there is ample information to support this concept.[8] Such useful information was discarded with no thought of whose hands it may end up in. This data can be used to carry out attacks on others' computer systems, or the objects found can precipitate other types of attacks, like those based on social engineering.[2]
Dumpster divers can seek a number of different things in order to potentially gain access to a computer system:
Phone lists and organizational charts map out the structure of the company, provide names (and possibly usernames) and may help with impersonations and other forms of social engineering.
Memos, faxes, email printouts or notes may reveal inside operations, personal details, passwords, contacts, certain useful instructions or other material.
Policy manuals - relating to employment, computer use or operations can provide vital information that an attacker could use to precisely circumvent the enforced rules of a company.
Calendars, computer use logs or event notes tell when users are logged into the system, in the office, at meetings, or when the best times to carry out an attack might be.
Broken CD-ROMs or disks, used tapes, and other old media can sometimes be recovered, depending on the condition it's in. Information gained from these sources is usually sensitive and many people forget to completely erase or destroy it.
Old hard drives, as part of a discarded computer can usually be recovered as well, most likely with highly sensitive information.[3]
Although terms like "dumpster diving" and "shoulder surfing" seem more like extreme sports than methods of attacking a computer system, they are both real, serious attack methods that are becoming more common.[9] Many times, dumpster diving is used for identity theft (which is the second largest white collar crime in the world), as people unknowingly discard credit card receipts, bank statements and other identifiable information into the trash. Any trash item bearing a name, telephone number, address, social security number is potentially valuable.[5] This proves to be a gold mine for anyone with malicious intent to use this data for personal gain. Identity thieves are aware of the ease of attaining and using stolen information.[4] Based on the United States Department of Justice's definition of identity theft, it refers to the fraudulent use of another's personal data, usually for economic gain.[5] There have been instances where information gleaned from dumpster diving has led to serious instances of identity theft, mainly, a criminal accumulating $100,000 worth of credit card bills, obtaining a home loan, and bought motorcycles and guns in the victim's name. The criminal filed for bankruptcy, leaving the victim to spend years and thousands of dollars to restore his credit.[6]
Identity theft isn't the only problem, especially when corporate trade secrets, espionage and fraud are involved. Corporations were quick to adopt technology to stay ahead of the competitive market, but the resource on which they thrive is hurting them as well. As part of attack methods on a corporation, dumpster diving is included among social engineering, malicious hacking and others. Corporate trash is considered 'fair game', as it is usually kept in an alleyway or side street until picked up. The courts have held (in cases like California v. Greenwood) that rubbish placed where the public would have access to it is not reasonably expected to be private.[7] Any of the items mentioned previously can be found in corporate trash and used and exploited as potential security leaks. As with corporations, who thrive on the marketing and selling of new products and services, what they throw away could be used against them by another competitor.
Information gathering, or reconnaissance, takes place before an attack, so that the attacker has a base of data about a target. This freely available, public information can come in the form of web surfing, general observations, posing as a customer or dumpster diving.[12] These low-tech reconnaissance methods sometimes reveal the most intimate of details about a target and are highly effective in the planning of an attack. Even expired, old or incorrect information can be useful - it may determine patterns that can be used to predict the current state of a target, especially when combined with other gathered data.[13]
The individuals that dumpster dive could be just about anyone with enough motive to do so: commercial information brokers, international spies and moles, disgruntled employees, malicious hackers, and thieves.
Such an attack method could possibly be a national danger, even back in 1979. The United States embassy in Iran was taken over by a group of Iranian protesters and students, who had seized a large amount of U.S. classified documents and government reports.[11] These documents had been shredded by the staff inside the embassy, but the Iranians painstakingly reassembled some of the documents and proceeded to publish them. The many volumes of the "Documents of the U.S. Espionage Den" contain the original documents, along with Farsi translations, and expose U.S. intelligence operations that were taking place around the region.[10] This incident placed a damper on relations between the U.S. and Iran.
1991: Spies posed as garbage collectors outside of a U.S. defense contractor executive's home, dug through trash cans looking for information. One of the collectors was actually France's consul general and claimed he was collecting fill for a hole in his yard.[15] Upon investigation, the FBI determined that this operation was part of a French secret-searching mission, aimed at finding U.S. military or scientific information.
1999: Two key members of a group called the "Phonemasters" were convicted of theft and possession of unauthorized access devices and unauthorized access to a federal interest computer. This international group of cyber criminals had allegedly penetrated the computer systems of MCI, Sprint, AT&T, Equifax and the National Crime Information Center.[14] The Phonemasters' skills had enabled them to download hundreds of calling card numbers and distribute them to organized crime groups around the world. Part of their method included dumpster diving and collecting old phone books and system manuals. These tools, combined with social engineering, led to the attacks on the mentioned systems.[14]
2000: In a widely publicized case, the CEO of Oracle, Larry Ellison, hired private investigators to dig through corporate dumpsters at Microsoft. This was an effort aimed at finding information about Microsoft's possible development of grassroots organizations to support it's side in an anti-trust lawsuit.[10] One of the investigators unsuccessfully tried to pay off a member of the janitorial service in exchange for the garbage of one of these organizations. Ellison held that his actions were a 'civic duty', to uncover Microsoft's secret funding of such groups, but his opponents assert that the incident was distasteful and scandalous.[10]
2001: Industrial espionage came to light concerning the shampoo market between fierce competitors Proctor & Gamble and Unilever. Private Investigators hired by Proctor & Gamble sifted through garbage bins outside of the Unilever corporation, succeeding in gathering viable information about market analysis, predictions and future products.[16] Upon legal action by Unilever, the two corporations settled out-of-court, because these actions broke Proctor & Gamble's internal policy on information gathering.
Strict procedures usually rule the disposal of classified information, but for the data that is considered unclassified, disposal methods are at the discretion of the corporation or government office. Cross-cut shredders or bins that magnetically wipe hard drives and floppy disks are recommended. Staff education is also important to prevent against dumpster diving: adopt trash audit trails and hire outside investigators to see what they can dig up. When it comes to dumpster diving, the old adage rings true: "One man's trash is another man's treasure."
[1]. Wikipedia's definition of Dumpster Diving.
http://en.wikipedia.org/wiki/Dumpster_diving
[2]. searchSecurity.com's definition of Dumpster Diving.
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci801970,00.html
[3]. Internet Security System's policy and information about Dumpster
Diving.
http://www.iss.net/security_center/advi
ce/Underground/Hacking/Methods/WetWare/Dumpster_Diving/default.htm
[4]. ZDNet News & Technology: "Companies throw security out with the
garbage".
http://www.zdnet.com.au/newstech/enterprise/story/0,2000048640,20272912,00.htm
[5]. United States Department of Justice: Identity Theft and Fraud.
http://www.usdoj.gov/criminal/fraud/idtheft.html
[6]. California State University's Pioneer Newspaper: "Identity theft
increases due to 'dumpster diving'".
http://pioneer.csuhayward.edu/PioneerWeb/PioneerNews6-7-01/*PioneerNews6-7-01-page6.pdf
[7]. Sans.org white paper: Corporate Espionage 101.
http://www.sans.org/rr/papers/51/512.pdf
[8].All.net's definition of Dumpster Diving.
http://www.all.net
[9].Business Journal: "Identity theft used at expense of small businesses".
http://www.businessjournals.com/cgi-bin/artman/exec/view.cgi?archive=8&num=123
[10].Sans.org white paper: Ghosts in the machine.
http://www.sans.org/rr/papers/47/914.pdf
[11].Totse.com: CIA documents seized in Iran continue to be published".
http://www.totse.com/en/politics/central_intelligence_agency/irandocs.html
[12].Counter Hack, by Ed Skoudis. Prentice Hall PTR, 2002.
[13].Netspionage, by William Boni and Dr. Gerald L. Kovacich. Butterworth/Heinemann, 2000
[14].Congressional Statement: Federal Bureau of Investigation. Statement of
Michael A. Vatis, Director of the National Infrastructure Protection Center.
http://www.fbi.gov/congress/congress00/vatis030100.htm
[15].War By Any Other Means: Economic Espionage in America by John J. Fialka. W.W. Norton & Company, 1997.
[16].Cardiff Centre for Law, Ethics and Society.
http://www.ccels.cardiff.ac.uk/pubs/cranepaper.html