6.1. Dumpster Diving
A lot can be learned about people by just observing them but you can learn more than you ever wanted to know by going through their trash.
On September 15th 1993 the FBI, gathering evidence to indict suspected double agent Aldrich Ames, found a note in his trash – a note discussing an imminent meeting with the KGB. You would think that a 31 year veteran of the CIA would have practiced better tradecraft. However, this is illustrative. If someone whose stock in trade is secrets and lies would have made a rookie mistake like this, how can the rest of the world be expected to fare any better?
Dumpster diving or trashing is simply going through the target's garbage looking for information, documents and electronic media that would be helpful to an attacker. Accessing a facility at night and obtaining confidential information from the trash will sometimes comprise the entirety of the test. However, the exercise is far more useful when combined with a complete physical test to assess the usability of the acquired information. Obviously, some kinds of information are more useful than others, so what are testers looking for? If you are implementing security, what kind of information should you be sure doesn't reach your dumpsters?
Employee info Any information that allows an attacker to masquerade as an insider is useful. Employee information is particularly useful in social engineering attacks as it gives the impression of inside knowledge. Even apparently innocuous ...
Get Unauthorised Access: Physical Penetration Testing For IT Security Teams now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
