
Dumpster Diving Attack

Last updated on April 18, 2022

Dumpster diving – it’s not hard to guess what it is. It involves going through the trash of a business or individual with the aim of discovering any kind of valuable information or discarded data that can be used against them.

Human weakness is at the root of dumpster diving: an inability to secure one’s property. A dumpster dive can yield many valuable items, including hard drives, diskettes, business directories, and so forth.

People have their own ways of explaining this term, with some saying that it refers to uncovering treasure hidden among others’ trash.

What is dumpster diving in social engineering?

Within the realm of information technology, dumpster diving is one of many social engineering attacks. It refers to retrieving information from discarded items in order to perpetrate a cyber-attack by gaining control of the computer network.

You may wonder how something like this is possible or what to do with the discarded items. Don’t worry – we are here to help you out with that.

Below you will find some dumpster diving examples as well as a few techniques to prevent dumpster diving attacks.

Dumpster diving goes beyond finding treasures in the trash, such as sticky notes with access codes and passwords written on them, plus other paper documents.

An attacker using these techniques can also make use of seemingly harmless data. For instance, a list of phone numbers, bank statements, a calendar, or an easily understood organizational chart could assist an attacker attempting to hack the system.

Dumpster diving attack examples

It is impossible to talk about dumpster diving without mentioning Jerry Schneider. In 1968, while still in high school, Jerry was the one behind a wholesale telephone equipment company. The idea came from a dumpster, in particular Pacific Telephone’s trash, which included documents, manuals, and invoices related to the ordering and delivery systems.

Larry Ellison’s most notable case came in 2000, when he hired private investigators to search through the Microsoft dumpsters for any useful information. The attempt was made to get a better understanding of future developments in order to sustain its claims.

How to prevent dumpster diving attacks?

Despite the hassle of properly disposing of trash, firms can implement measures to help prevent dumpster diving incidents. Employees should be informed of these measures and they should be documented.

  1. Employee education is crucial – explain proper disposal procedures as well as common social engineering techniques. Printouts must not be taken home by employees, nor should old computers be given to them.
  2. Before selling or disposing of any equipment belonging to your company, make sure all identifiable information is removed.
  3. Ensure that the trash is securely disposed of. Put trash and recycling bins in locked containers, and secure the refuse until the day of pickup.
  4. Cross-cut shredders should be placed near recycling bins, or there should be secure shred containers by the trash bin. You can also provide home shredders to staff members who work remotely.
  5. Data retention policies must be in place, and sensitive data should be destroyed with certificates of destruction.

Dumpster Diving: Experts’ Advice

As a precaution against dumpster divers finding valuables among the trash, experts suggest that businesses set up a disposal policy that ensures paper waste, such as printed materials, is properly shredded prior to disposal and all storage devices are wiped.

It is vital for all employees of an organization to have a minimum level of security knowledge, including the fact that untracked trash is hazardous.

Think Twice Prior To Disposing Items

Attackers can profit handsomely from discarded computer hardware. It is possible to recover data from storage devices after they have been improperly formatted or wiped.

If you are wondering what else can be recovered, you should know that passwords and certificates can also be retrieved.

On the other hand, improper disposal of medical records or personnel information can result in legal liabilities.

It is imperative to destroy all files containing personal or sensitive information; otherwise, businesses may face breaches and fines.
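The recovery risk described in this section, as an added example that is not part of the original article: a constructed disk image is quick-formatted and then fully overwritten, and a block scan shows what each step leaves behind. The image layout, file name and sample secret are constructed for illustration.

```python
import os
import tempfile

BLOCK = 4096  # bytes per block in the constructed image

def build_image(path, blocks=64):
    """Create a constructed 'disk': block 0 is a fake file table, block 8 holds a secret."""
    with open(path, "wb") as f:
        f.write(b"FILETABLE:notes.txt@8".ljust(BLOCK, b"\0"))
        for i in range(1, blocks):
            payload = b"vpn-password=CONSTRUCTED-EXAMPLE" if i == 8 else b""
            f.write(payload.ljust(BLOCK, b"\0"))

def quick_format(path):
    """Simulate a quick format: only the metadata block is reset, data blocks stay."""
    with open(path, "r+b") as f:
        f.write(b"\0" * BLOCK)

def full_overwrite(path):
    """Overwrite every block with zeros and force the write to the medium."""
    blocks = os.path.getsize(path) // BLOCK
    with open(path, "r+b") as f:
        f.write(b"\0" * BLOCK * blocks)
        f.flush()
        os.fsync(f.fileno())

def residual_blocks(path):
    """Return indexes of blocks that still contain any non-zero byte."""
    with open(path, "rb") as f:
        chunks = iter(lambda: f.read(BLOCK), b"")
        return [i for i, chunk in enumerate(chunks) if chunk.strip(b"\0")]

def demo():
    """Run both disposal paths on a constructed image and report leftover blocks."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "disk.img")
        build_image(img)
        quick_format(img)
        after_format = residual_blocks(img)  # the secret's block is still readable
        full_overwrite(img)
        after_wipe = residual_blocks(img)    # nothing left to recover
    return after_format, after_wipe

if __name__ == "__main__":
    print("dirty blocks after quick format, after overwrite:", demo())
```

On flash media, wear leveling can keep copies outside the addressable blocks, so a clean scan there is necessary but not sufficient; use the drive's built-in sanitize function or physical destruction.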

One Comment

  1. Derek Hobbs, January 23, 2023

    Just wondering if this is still relevant today with companies moving to secure paper shredding services and electronic equipment disposal programs. Is this still an ongoing issue heading into 2023?
