When considering the security threats your organisation will encounter you would be forgiven if the humble bin slipped your mind. Every instance of this invisible cyber, hacking, scare story we receive on the media these days is referring to ‘complex and sustained attacks’. The innocent rubbish receptacles definitely don’t seem complex… But there is a wealth of knowledge hidden amongst the used tea bags and half-eaten sandwiches. I always try to access bins prior and during an onsite social engineering assessment.
Allow me to throw away five minutes of your time and explain about this favourite attack task of mine.
Most organised places of work these days are going to be shredding documents as standard. This is a great step towards keeping your secrets secret but there have been recent technological advances in this field and you should be aware. Like the developments of encryption the complex task of sorting used coffee cups from sensitive documents is constantly evolving – no longer is SSL V2 valid and safe and no longer is cross-cut shredding.
When shredders were invented the simple strips of paper were painstakingly re-assembled by hand by forensics officers and alike. Later came software that could reassemble these strips automatically – using a scanner and some clever software. Crosscut shredders were supposed to end this, but again even more complex re-assembly software has been created. Have a further read of the paper here.
Crosscut shredders are still perfectly valid and so are the blue shredded waste bins but I recommend a new addition, a single top secret shredded bin/tray. This bin should be under lock and key somewhere and the contents of the bin should be already shredded. This shouldn’t be used as a hopper for un-shredded documents and the contents of the bin should be disposed of securely preferably by incineration.
If you ever had the thought that social engineering is a glamorous task, pillaging corporate head quarters like bond with Q on call – you were wrong.
Dissecting the mess
Any colleague that has witnessed me skip merrily from behind a company with 2 sacks of rubbish will testify the level of impish glee I have at the sight of good quality rubbish is worrying.
Quickly off site the rubbish is laid out on a plastic sheet, in a hotel room, in a carpark – I’m not picky.
If this was evidence from a crime scene the conditions would be surgically clean, even the smallest pieces of lint would be noted but we can safely zoom out a little bit through this faux forensic investigation. and start to concentrate on the physical items. Imaginations have to run wild and you have to go with instinct.
1 Coffee cup makes me question what the nearest stores are. 2 Coffee cups make me think how old each cup is… could this be 2 colleagues one day with a single coffee each or the one staff member with the same coffee over 2 days… Is this ‘his’ coffee store… are there 5 cups in there? Do they have a kettle? Is there a kitchen in the office? Is his name on the cup? All these questions arise from a fictions coffee cup. Can you imagine what its like with 200 items in the waste? Shredded material that you have to judge it’s value based on the type of rubbish accompanying it.
It quickly falls into place. You’ll always get the person who rips stuff in half and puts it in the waste. Clues of staff names, deliveries, bank details and even amazon accounts and the odd free half working pen. It’s a goldmine.
Getting in, armed with rubbish
With only a few items analysed from the waste, you can see quickly how the information gained from this messy task is shaped into an attack. Let’s say we found 2 coffee cups in the bin, I’m going to grab one of them to blend in. An Amazon invoice revealed a staff members name and address, a little recon and a few phishing emails later you have access to her mailbox. With this new access, I might try to book a visitors pass with a receptionist using a friendly email. I might get onto the office floor with an amazon shirt explaining the recent purchase is unsafe and needs to be returned. I might be an investigator and ask the staff member for a short discussion. The number of possible pretexts spins off with the more information analysed from the waste. Entry is a lot easier when you have a half working company pen sticking out your blazer and the knowledge of the previous evening googling the most obscure things about this persons life and company. By the time you meet a mark you have an amazing insight into their life. You could hazard a guess about their character, how they will respond in situations, where they shop, their whole life is detailed for you be able to address this person in the best way possible for success.
So next time you throw away that perfectly good piece of fruit, think of what that says about your lifestyle. Next time you chuck away that receipt from coffee, have a look to see if your card issuer is on there. When you shred that top secret document think could I re-assemble it if I got paid 5,000 for the task?
Principal consultant Richard De Vere has an extensive background in penetration testing and social engineering, including ‘red team’ exercises and information gathering assessments. Qualifications include CISMP and CompTIA Security+.
Our team includes other experienced social engineers as well as individuals with specific technical strengths where broader penetration testing services are required. For training projects, we work in partnership with social engineering specialist Jenny Radcliffe Training.