Dumpster Diving – CompTIA Security+ SY0-401: 3.3

| September 9, 2014 | 0 Comments


One man’s trash is another man’s security exploit. In this video, you’ll learn about the dangers involved when disposing of your organization’s rubbish.

<< Previous Video: Shoulder SurfingNext: Tailgating >>


This can be a very, very messy social engineering exercise, but it’s what the bad guys are doing to get information about what’s happening inside of your organization. The term dumpster diving came from this brand name of Dumpster here in the United States. This Dempsey Dumpster. It is, as I’m told, very similar to a rubbish skip in the UK and elsewhere in the world.

It’s a garbage bin and it’s somewhere where people are throwing their trash out. And it’s placed– usually it’s a mobile device in a larger organization. These are around the back of the building. And every week or so a truck shows up, takes away the old and leaves an empty garbage bin in its place. And in the meantime, this becomes a place where people are putting a lot of interesting information.

They’re throwing away things they should absolutely not be throwing away. Internal company documents, information about names and email addresses inside of the organization, or really, really important data that might be private. People, unfortunately, are not following the right procedures and throwing out information they absolutely shouldn’t be.

Sometimes even make it so easy for me. They’ll put it in a bag. They’ll put it in the garbage.

All you have to do is show up with a truck, pull out your truck, throw the bag in the back of the truck, and you’re off. And you can take those bags somewhere else and open them up later and see what’s inside of those. You can get a lot of interesting details here. So it could be phone numbers that you could then use as social engineering to call somebody directly.

Hi, Mary. It’s Bill in technical support. And you already know Mary’s name. You already know Mary’s number. You’re just a little bit farther along.

Even better, you can call someone else and say that you’re somebody internal in the organization because you have names, email addresses, and phone numbers. The timing is very important for dumpster diving. Usually, it’s once a week or once a month. You can also get very interesting information, depending on what time of the month it might be.

You may be finding that you’re at the end of a month or end of a quarter where a lot of information is thrown out right after that. They’re purging their archives and freeing up room. They may be throwing out some very, very valuable information. So you may want to find out when their schedule is corporately and find out when they are due to have their garbage picked up every week.

Because of these security concerns, it’s very, very common these days for people to lock up their garbage. Something they didn’t even think about previously. But obviously, when you’re throwing data out and that data can be used by someone else, you want to make it so it’s very, very hard for them to get their hands on that.

There will be a fence. There will be barbed wire. There will be a lock. It will be very, very difficult to gain access to that one would hope.

You also want to consider shredding your documents. This is, of course, only going to go so far. It is not uncommon for somebody who is very, very dedicated and wants to be sure they’re seeing information to take the shredded documents and unshred them. It’s a big jigsaw puzzle. They’ll put back together all of the documents.

A number of our more modern shredders pulverize this into tiny little pieces of dust. So you may want to think about making sure that if your data is being shredded that it’s being shredded as finely as possible so that someone can’t reconstruct it. The US government certainly realizes this so they’ll burn it.

They just have burn bags. They throw their very, very important thing in the bags and the bags go out and they get incinerated so that nobody could ever possibly rebuild and reconstruct what was thrown out with the garbage. So you may want to go look at your trash. What’s inside of your garbage in your organization?

Go down there and poke around. Grab some garbage yourself. Open up a bag. Is there something inside of there that could hurt your organization or that somebody else could use to gain access to people or resources inside of your organization? Dumpster diving is a very, very easy way to do that.

Tags: , , , , ,

Category: CompTIA Security+ SY0-401

X