
Mohd khairul amin bin Mohd Zaki (106709) CST233 Dumpster Diving

Abstract

Dumpster diving represents a key attack method that preys upon a significant failure in computer security: the very information that people covet, protect and dutifully secure can be obtained by almost anyone willing to sift through garbage. This low-tech attack has many implications, most of which are discussed in this paper.

Introduction

Dumpster diving involves searching through waste for confidential information that has been discarded. The term refers to any general, useful information that is found and taken from the areas in which it is discarded.[1] These areas include dumpsters, trash cans, curbside containers and the like, from which information can be obtained at no cost. Malicious and/or curious attackers may find manuals, password files, diskettes, sensitive documents, credit card numbers, receipts, or reports that have been thrown away. Simply put, the examination of waste products may be helpful to another party, and there is ample information to support this concept.[8] Such useful information was discarded with no thought of whose hands it might end up in. This data can be used to carry out attacks on others' computer systems, or the objects found can precipitate other types of attacks, such as those based on social engineering.[2]

There are many kinds of things that can be found through dumpster diving or shoulder surfing. Dumpster divers can seek a number of different items in order to potentially gain access to a computer system. For example, phone lists and organizational charts map out the structure of the company, provide names (and possibly usernames) and may help with impersonation and other forms of social engineering. Second, memos, faxes, email printouts or notes may reveal internal operations, personal details, passwords, contacts, certain useful instructions or other material. Third, old hard drives, as part of a discarded computer, can usually be recovered as well, most likely with highly sensitive information on them.[3]

Attack Capabilities

Regarding its attack capabilities, dumpster diving may not look like a method for attacking a system, but it is a serious attack that is becoming more common. Many times, dumpster diving is used for identity theft (which is the second largest white collar crime in the world), as people unknowingly discard credit card receipts, bank statements and other identifiable information into the trash. Any trash item bearing a name, telephone number, address or social security number is potentially valuable.[5] This proves to be a gold mine for anyone with malicious intent to use this data for personal gain. Identity thieves are aware of the ease of obtaining and using stolen information.[5] There have been instances where information gleaned from dumpster diving has led to serious cases of identity theft; in one, a criminal accumulated $100,000 worth of credit card bills, obtained a home loan, and bought motorcycles and guns in the victim's name. The criminal filed for bankruptcy, leaving the victim to spend years and thousands of dollars to restore his credit.[6]

Identity theft isn't the only problem, especially when corporate trade secrets, espionage and fraud are involved. Corporations were quick to adopt technology to stay ahead in a competitive market, but the resource on which they thrive is hurting them as well. Among the attack methods used against a corporation, dumpster diving sits alongside social engineering, malicious hacking and others. Corporate trash is considered 'fair game', as it is usually kept in an alleyway or side street until it is picked up.[7] Any of the items mentioned previously can be found in corporate trash and exploited as potential security leaks. Since corporations thrive on the marketing and selling of new products and services, what they throw away could be used against them by a competitor.

Examples of Real Cases

Below are examples of real cases that have happened around the world:

This case happened in the U.S. in 1991. Spies posed as garbage collectors outside a U.S. defense contractor executive's home and dug through trash cans looking for information. One of the collectors was actually France's consul general, who claimed he was collecting fill for a hole in his yard.[15] Upon investigation, the FBI determined that this operation was part of a French secret-searching mission aimed at finding U.S. military or scientific information.

This case happened in 1999: Two key members of a group called the "Phonemasters" were convicted of theft and possession of unauthorized access devices and unauthorized access to a federal interest computer. This international group of cyber criminals had allegedly penetrated the computer systems of MCI, Sprint, AT&T, Equifax and the National Crime Information Center.[14] The Phonemasters' skills had enabled them to download hundreds of calling card numbers and distribute them to organized crime groups around the world. Part of their method included dumpster diving and collecting old phone books and system manuals. These tools, combined with social engineering, led to the attacks on the systems mentioned.[14]

This case happened in 2000: In a widely publicized case, the CEO of Oracle, Larry Ellison, hired private investigators to dig through corporate dumpsters at Microsoft. This was an effort aimed at finding information about Microsoft's possible development of grassroots organizations to support its side in an anti-trust lawsuit.[10] One of the investigators unsuccessfully tried to pay off a member of the janitorial service in exchange for the garbage of one of these organizations. Ellison held that his actions were a 'civic duty' to uncover Microsoft's secret funding of such groups, but his opponents asserted that the incident was distasteful and scandalous.[10]

This case happened in 2001: Industrial espionage came to light concerning the shampoo market between fierce competitors Procter & Gamble and Unilever. Private investigators hired by Procter & Gamble sifted through garbage bins outside the Unilever corporation, succeeding in gathering viable information about market analysis, predictions and future products.[16] Upon legal action by Unilever, the two corporations settled out of court, because these actions broke Procter & Gamble's internal policy on information gathering.

The survey, which interviewed local councils in the UK, revealed a significant number of incidents involving the practice, which specifically targets individuals at home, where the use of paper shredders, for example, is still relatively uncommon and where awareness of the associated risk is similarly low. The survey also identified many cases of information that could be used to instigate identity theft, such as utility bills, bank statements and blank cheques, together with household documentation that included samples of individuals' signatures.

Security measures

There are many ways to prevent dumpster diving from succeeding. For instance, shred all sensitive documents containing any personal information, including credit card receipts, bank statements, medical documents, paycheck stubs, utility bills, old tax returns and anything with your social security number. Don't forget those pre-approved credit card offers, as they often carry a lot of personal information. Contact your accountant, doctor, bank and utility company to enquire how they destroy sensitive information. Make sure you are satisfied with their response and that they dispose of records containing your information correctly. Ask whether these companies will provide you with documentation stating how they will dispose of your personal information. Never give out personal information over the phone, the internet or through the mail unless you initiated the contact. Don't carry your Social Security card with you, and keep the ID cards in your wallet or purse to a minimum.

Conclusion

Strict procedures usually govern the disposal of classified information, but for data that is considered unclassified, disposal methods are at the discretion of the corporation or government office. Cross-cut shredders, or bins that magnetically wipe hard drives and floppy disks, are recommended. Staff education is also important for protecting against dumpster diving: adopt trash audit trails and hire outside investigators to see what they can dig up. When it comes to dumpster diving, the old adage rings true: "One man's trash is another man's treasure."

References

1. http://www.controlcreditcarddebt.com/stolen-identity.html
2. http://www.controlcreditcarddebt.com/dumpster-diving.html
3. http://all.net/CID/Attack/papers/DumpsterDiving2.html
4. http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Wet Ware/Dumpster_Diving/default.htm
5. http://www.zdnet.com.au/companies-throw-security-out-with-the-garbage120272912.htm
6. Identity Theft: Managing the Risk, by Siemens Enterprise
