Medical records, resumes, personal photos, emails, bank statements, account details, information about software, tech support logs, and so much more have all been found while dumpster diving. This article reports on medical records found in a dumpster.
Dumpster divers are a diverse set of people. There are those searching for food or clothing. Others are looking for information to commit identity theft. Security professionals practice dumpster diving as part of their security services. This article we found on about.com regarding identity theft, explains some of the dangers of people sifting through company trash.
One thing to keep in mind, for the USA at least, things that are discarded in the trash are not considered illegal to take. Yet there is a large caveat to this. If a dumpster is on private property and not on the street corner then it may be considered trespassing to go on their property and enter their dumpster. For more information regarding the legality of dumpster diving see this article, California vs Greenwood.
Why Does Dumpster Diving Work?
As with most forms of social engineering, “Working smarter, not harder” is a good slogan. Doing hours of work brute-forcing a password or account number may be unnecessary when you can just obtain the same information from something as simple as a discarded and unshredded post-it note.
The more common form of dumpster diving, as it pertains to hacking and identity thieves is Information Diving. Innocent looking information like a phone list, calendar, or organizational chart can be used by an attacker to gain access to the network. Benjamin Pell is a famous British dumpster diver who has made a living of selling off his “prizes”.
Crime and Clues
Dumpsters: Beware of the Treasures. The website Crime and Clues has a nice article we archived here. This article helps us to see how commonly very valuable information is simply discarded because many people do not think someone would dig through their trash to locate the information.
No Tech Hacking
One of the best resources we could find on dumpster diving for the field of security is Johnny Long’s book “No Tech Hacking”. This books is full of amazing information regarding Social Engineering. Page two starts an Introduction to Dumpster Diving. There are pictures of information that can be obtained from the trash without ever having to even crawl inside a dumpster.
To see how valuable this information is, there was a TV Series called Tiger Team. A team of social engineers in one episode showed how they used a bag of trash to find valuable details about their target. Once they located the name of the tech support team they where able to send in a team member to act as a support employee and was given full access to their servers.
Original source: YouTube.