The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick

into tiny pieces, all conveniently thrown out in a single five-gallon trash bag. We took the bag to a local donut shop, dumped the pieces out on a table, and started assembling them one by one.

We were all puzzle-doers, so this offered the stimulating challenge of a giant jigsaw puzzle ... but turned out to have more than a childish reward. When done, we had pieced together the entire account name and password list for one of the company’s critical computer systems.

Were our Dumpster-diving exploits worth the risk and the effort? You bet they were. Even more than you would think, because the risk is zero. It was true then and still true today: As long as you’re not trespassing, poring through someone else’s trash is 100 percent legal.

Of course, phone phreaks and hackers aren’t the only ones with their heads in trash cans. Police departments around the country paw through trash regularly, and a parade of people from Mafia dons to petty embezzlers have been convicted based in part on evidence gathered from their rubbish. Intelligence agencies, including our own, have resorted to this method for years.

It may be a tactic too low down for James Bond—movie-goers would much rather watch him outfoxing the villain and bedding a beauty than standing up to his knees in garbage. Real-life spies are less squeamish when something of value may be bagged among the banana peels and coffee grounds, the newspapers and grocery lists. Especially if gathering the information doesn’t put them in harm’s way.

Cash for Trash

Corporations play the Dumpster-diving game, too. Newspapers had a field day in June 2000, reporting that Oracle Corporation (whose CEO, Larry Ellison, is probably the nation’s most outspoken foe of Microsoft) had hired an investigative firm that had been caught with their hands in the cookie jar. It seems the investigators wanted trash from a Microsoft-supported lobbying outfit, ACT, but they didn’t want to risk getting caught. According to press reports, the investigative firm sent in a woman who offered the janitors $60 to let her have the ACT trash. They turned her down. She was back the next night, upping the offer to $500 for the cleaners and $200 for the supervisor.

The janitors turned her down and then turned her in.

Leading on-line journalist Declan McCullagh, taking a leaf from literature, titled his Wired News story on the episode, “‘Twas Oracle That Spied on MS.” Time magazine, nailing Oracle’s Ellison, titled their article simply “Peeping Larry.”

Analyzing the Con

Based on my own experience and the experience of Oracle, you might wonder why anybody would bother taking the risk of stealing someone’s trash.

The answer, I think, is that the risk is nil and the benefits can be substantial. Okay, maybe trying to bribe the janitors increases the chance of consequences, but for anyone who’s willing to get a little dirty, bribes aren’t necessary.

For a social engineer, Dumpster diving has its benefits. He can get enough information to guide his assault against the target company, including memos, meeting agendas, letters and the like that reveal names, departments, titles, phone numbers, and project assignments. Trash can yield company organizational charts, information about corporate structure, travel schedules, and so on. All those details might seem trivial to insiders, yet they may be highly valuable information to an attacker.

Mark Joseph Edwards, in his book Internet Security with Windows NT, talks about “entire reports discarded because of typos, passwords written on scraps of paper, ‘While you were out’ messages with phone numbers, whole file folders with documents still in them, diskettes and tapes that weren’t erased or destroyed—all of which could help a would-be intruder.”

The writer goes on to ask, “And who are those people on your cleaning crew? You’ve decided that the cleaning crew won’t [be permitted to] enter the computer room but don’t forget the other trash cans. If federal agencies deem it necessary to do background checks on people who have access to their wastebaskets and
