Are You Being Vigilant Against a Dumpster Diving Attack?

Published March 12, 2018; updated August 23rd, 2025

When one thinks of Open Source Intelligence (OSINT), things like Facebook, court records, and Google-fu typically come to mind. However, a skilled reconnaissance operator will also go through your trash when looking for information. Fraudsters can use what they find in a dumpster to recover vendor lists, quotes, customer information, and other proprietary secrets of a business. If they are searching the trash from your house, they may find banking information, insurance policies, and other Personally Identifiable Information (PII) on you and your family. Whether it's business or personal, the recovered information can be used to mount a vishing or phishing attack against you, to steal your identity, or for corporate espionage to gain a competitive advantage.


Legalities of dumpster diving

Different cities and states have varying laws on whether anyone may rummage through garbage; however, it is generally not considered a crime in most places. In California v. Greenwood (1988), the U.S. Supreme Court held that garbage left at the curb for collection carries no reasonable expectation of privacy, so it is effectively "abandoned" and may be searched by the public and by police without a warrant. That ruling covers curbside trash; it does not override local ordinances or trespass law, so a dumpster behind a locked gate or on private property is a different matter from a bin at the curb.

Protecting your corporate secrets

It's important to protect your proprietary secrets and customer PII from exposure to a third party. A corporation's security policy should include terms for the proper disposal of sensitive information and media. Cross-cut shredders should always be used, and it may be helpful to have several throughout the facility for easy access. If this isn't possible, there are companies that will come to your office and shred the documents for a fee. If this is the route chosen, make sure employees have secure, locked bins in which to dispose of materials in the interim, and ask the vendor for a certificate of destruction so the disposal is documented. For media such as CDs, hard drives, and thumb drives, employees should turn these in to the I.T. department for physical destruction of the media; deleting files or formatting a drive does not remove the data. Regular checks should be done to ensure employees are disposing of things properly. Sadly, it is all too common for corporations to be found dumping whole records, such as medical files, nuclear secrets, and payroll information, in their dumpsters. These kinds of exposures can lead to fines, lawsuits, and violations of laws and standards such as HIPAA and PCI DSS.

Protecting yourself at home

At home, you should shred all bills, credit card offers, insurance information, and anything containing sensitive data or PII. (Don't forget the shipping labels from delivered packages.) Invest in a good cross-cut shredder; you can get one for about $30 on Amazon that will shred credit cards too. Many of the newer credit cards are made of metal, and a standard home shredder won't be tough enough to destroy them. While you can use the pre-paid envelope to return these for destruction by the issuer, it can be a risky move: if that mail gets lost or stolen, a criminal can use the card details to vish as you and gain access to your current account. The safer option is to use a torch or place the card in a fire to melt off any of the PII on it, then dispose of it once it has cooled down.

Stay safe if you’re doing the diving

If you're doing a security assessment or penetration test, make sure to check out the rubbish that employees are throwing out, and make sure the rules of engagement explicitly authorize it, since a dumpster on the client's private property is not the same as a bin at the curb. Always wear sturdy leather boots, jeans, long-sleeve shirts, and heavy leather gloves. This will help you avoid being injured by anything sharp or dangerous that may be lurking among the other treasures. Happy hunting!

Sources:
https://www.amazon.com/AmazonBasics-6-Sheet-Cross-Cut-Credit-Shredder/dp/B00HFJWKWK/
https://en.wikipedia.org/wiki/California_v._Greenwood
https://www.publicintegrity.org/2016/02/03/19243/workers-threw-out-us-nuclear-secrets-common-rubbish-20-years
https://www.kitv.com/story/36705195/medical-records-found-in-trash-bins-in-palolo
https://www.findlaw.com/injury/torts-and-personal-injuries/dumpster-diving.html
