Dumpster diving is the colloquial name for going through somebody's garbage -- which, for large organizations, will usually be in dumpsters. This is a powerful tactic because it is protected by social taboos. Trash is bad, and once something goes into the trash, it is best forgotten. The reality is that most company trash is fairly clean, and provides a gold mine of information.
The best thing about this is that it is LEGAL! It should be the first step in any serious intrusion. The hacker can map out the target, understand the interpersonal relationships that can be subverted, and most important, can glean technical details, often passwords and account names.
When dumpster diving, hackers look for:
Organizational changes, such as mergers, acquisitions, and "re-orgs" leave the company in disarray that can be exploited by hackers (in much the same way that hackers look upon January 1, 2000 as a prime hacking day).
- Phone lists
- Helps map out the power structure of the company, and gives possible account names, and is essential in appearing as a member of the organization.
- Reveal activities inside the target organization.
- Policy manuals
- Today's employee manuals give instructions on how not to be victimized by hackers, and likewise help the hacker know which attacks to avoid, or at least try in a different manner than specified in the policy manual.
- Calendars of events
- Tells the hackers when everyone will be elsewhere and not logged into the system. Best time to break in.
- System manuals, packing crates
- Tells the hackers about new systems that they can break into.
- Printouts
- Source code is frequently found in dumpsters, along with e-mails (revealing account names), and Post-it™ notes containing written passwords.
- Disks, tapes, CD-ROMs
- People forget to erase storage media, leaving sensitive data exposed. These days, dumpsters may contain a larger number of "broken" CD-Rs. The CD-ROM "burning" process is sensitive, and can lead to failures, which are simply thrown away. However, some drives can still read these disks, allowing the hacker to read a half-way completed backup or other sensitive piece of information.
- Old hard drives
- Like CD-ROMs, information from broken drives can usually be recovered. It depends only upon the hacker's determination.
In order to prevent this attack from being successful against yourself, you should do the reverse. Shred as much as you can; you can buy bulk shredders fairly cheaply. Simply institute a policy that all paper should be shredded and recycled. Note that strip shredders often result in documents that can be reconstructed, because the strips are usually in close physical proximity in the trash. Use cross-cut shredders whenever possible.
Erase all media. Simple erasure is sometimes not sufficient; most crypto programs come with a "wipe" feature that will overwrite 8 or more times. CD-Rs cannot be erased. The best solution for them is to put them in a microwave for 15 seconds (though disposal should still be careful, because even then a dedicated hacker might still be able to glean some information).
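
The "wipe" step described above, sketched as an added example (not code from the original entry or from any particular crypto program). The function names `overwrite_file` and `wipe_file` are hypothetical; the default of 8 passes comes from the text. It assumes the filesystem rewrites the same blocks in place, which does not hold on SSDs with wear levelling, copy-on-write filesystems, or volumes with snapshots.

```python
import os
import secrets

CHUNK = 64 * 1024  # write in 64 KiB pieces so large files are not held in memory


def overwrite_file(path, passes=8):
    """Overwrite a file's contents in place; the final pass writes zeros.

    Returns the number of bytes overwritten in each pass.
    Assumption: the filesystem rewrites the same blocks (not true for
    SSD wear levelling, copy-on-write filesystems, or snapshots).
    """
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            final = n == passes - 1
            f.seek(0)
            remaining = size
            while remaining:
                step = min(CHUNK, remaining)
                # Random data on every pass except the last, which is zeros.
                f.write(bytes(step) if final else secrets.token_bytes(step))
                remaining -= step
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next
        # Read the final pass back so a silently failed write is noticed.
        f.seek(0)
        while block := f.read(CHUNK):
            if block.count(0) != len(block):
                raise IOError("verification failed: non-zero data remains")
    return size


def wipe_file(path, passes=8):
    """Overwrite, rename to a random name, then delete the file."""
    size = overwrite_file(path, passes)
    # Best effort: rename first so the deleted directory entry does not
    # carry the original file name.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.remove(anon)
    return size
```

For whole disks and tapes, overwrite the device itself rather than individual files, since copies of the data may sit in blocks no current file points to.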