When one thinks of Open Source Intelligence (OSINT) things like Facebook, court records, and Google-fu typically come to mind. However, a skilled reconnoiter will also utilize the contents of your trash when looking for information. Fraudsters can use information found in a dumpster to find vendor lists, quotes, customer information, and other proprietary secrets of a business. If they are searching the trash from your house, they may be able to find out banking information, insurance policies, and other Personally Identifiable Information (PII) on you and your family. Whether it’s business or personal, information found can be used to mount a vishing or phishing attack against you, used to steal your identity, or as corporate espionage to gain a competitive advantage.
Legalities of dumpster diving
Different cities and states have varying laws on anyone being able to peruse through garbage; however, it’s generally not considered a crime in most places. Currently, the U.S. Supreme Court has deemed that things thrown in a curbside receptacle are considered “abandoned” and are up for grabs by the public and police without a warrant.
Protecting your corporate secrets
It’s important to protect your proprietary secrets and customer PII from exposure to a third party. A corporation’s security policy should include terms for dealing with the proper disposal of sensitive information and media. Cross-cut shredders should always be used, and it may be helpful to have several throughout the facility for easy access. If this isn’t possible, there are companies that will come to your office and shred the documents for a fee. If this is the route chosen, make sure employees have secure/locked bins in which to dispose of materials in the interim. For media such as CDs, hard drives, and thumb drives, employees should turn these in to the I.T. department for physical destruction of the media. Regular checks should be done to ensure employees are disposing of things properly. Sadly, it is all too common that corporations are found dumping whole records like medical files, nuclear secrets, and payroll information in their dumpsters. These kinds of exposures can lead to fines, lawsuits, and violations of requirements such as HIPAA and PCI compliance.
Protecting yourself at home
At home you should shred all bills, credit card offers, insurance information, and anything containing sensitive data/PII. (Don’t forget the shipping labels from delivered packages.) Make sure to invest in a good cross-cut shredder; you can even get one for $30 on Amazon that will shred credit cards too. Many of the newer credit cards are made of metal, and your standard home shredder won’t be tough enough to destroy them. While you can use the pre-paid envelope to return these for destruction by the issuer, it can be a risky move. If that mail gets lost or stolen, a criminal can easily use the information to vish as you and gain access to your current account. The best way is to use a torch or place the card in a fire to melt off any of the PII on it, then dispose of it once it has cooled down.
Stay safe if you’re doing the diving
If you’re in a situation where you are doing a security assessment or penetration test, make sure to check out the available rubbish that employees are throwing out. Always wear sturdy leather boots, jeans, and long-sleeve shirts, and use heavy leather gloves. This will help you avoid being injured by anything sharp and dangerous that may be lurking among the other treasures. Happy hunting!
*** This is a Security Bloggers Network syndicated blog from Social-Engineer.Com – Professional Social Engineering Training and Services authored by Social-Engineer. Read the original post at: https://www.social-engineer.com/vigilant-dumpster-diving-attack/