A lot can be learned about people just by observing them, but you can learn more than you ever wanted to know by going through their trash.
On September 15th 1993, the FBI, gathering evidence to indict suspected double agent Aldrich Ames, found a note in his trash discussing an imminent meeting with the KGB. You would think that a 31-year veteran of the CIA would have practiced better tradecraft, but that is exactly what makes the case illustrative: if someone whose stock in trade is secrets and lies could make a rookie mistake like this, how can the rest of the world be expected to fare any better?
Dumpster diving, or trashing, is simply going through the target's garbage looking for information, documents and electronic media that would be helpful to an attacker. Accessing a facility at night and obtaining confidential information from the trash will sometimes comprise the entirety of the test. However, the exercise is far more useful when combined with a complete physical test, so that the usability of the acquired information can be assessed.
Obviously, some kinds of information are more useful than others, so what are testers looking for? If you are implementing security, what kind of information should you be sure doesn’t reach your dumpsters?
• Employee info: Any information that allows an attacker to masquerade as an insider is useful. Employee information is particularly useful in social engineering attacks as it gives the impression of inside knowledge. Even apparently innocuous data such as name, department, and employee number are sufficient to create a plausible pretexting attack, which is discussed in Chapter 4.
• Emails: Printed emails allow attackers to determine how email addresses are structured, although this can usually be worked out from other sources as well. It can be interesting to see who emails whom, and the emails themselves may contain pertinent information. For example, an email from systems notifying the company of imminent network downtime provides the name and email address of the systems administrator. Similarly, an email informing the company of a new hire has obvious value. Employees discuss all manner of things via email, and the sorts of emails that get printed tend to be those that have reference value.
DUMPSTER DIVING 91
• Network Maps: Information about the structure of the internal network, and particularly network maps and diagrams, is invaluable to the penetration tester. Attackers can halve the amount of work they have to do inside a company facility if they already know the structure of the network. Information such as IP addresses and ranges, server names, operating system distribution and vendor names is particularly useful. This is information that should never be thrown in the trash.
• Headed Paper: Company headed paper, regardless of its contents, is extremely useful. It allows an attacker to make realistic forgeries of company communications, either to its employees or to third parties. It's also useful to a penetration testing team as it allows them to do exactly the same thing. Creating well-forged letters is an essential aspect of social engineering.
• Billing documents/invoices: Such information reveals who the target does business with, which is useful to know. An attacker may be able to masquerade as a business partner or a client later in the exercise. If the target outsources IT (or other services), then knowing who they use is useful for the same reason.
• Signatures: A signed document, like headed paper, is valuable in and of itself. Once you know what a signature looks like it is easy to copy. Mass-mailed letters often carry a photocopied signature, which makes it easier still. The signatures that are particularly useful are those of CEOs, department heads, accountants, office managers, and anyone responsible for invoicing or billing.
• Usernames/Passwords: Finding usernames is useful because it reveals how such usernames are created. Usually the scheme is quite simple, e.g. John Smith becomes jsmith or john.smith. However, this is not always the case; on some internal and perhaps more classified systems there may be no way to guess them. Therefore any document that references usernames is a great find. Even better is finding passwords. That's really hitting pay dirt. Yes, people write them down all the time, usually on little yellow Post-it notes they stick to their monitor. Ironically, this is often a reaction to the administrator's attempts to enforce difficult-to-guess passwords; difficult to guess translates as difficult to remember.
• Company Handbooks and Operating Procedures: All the company's rules, regulations and day-to-day operating procedures are usually handed to new hires during the induction process in the form of a company handbook. As these things are often updated faster than they can be read, they find their way into the trash with unsurprising regularity. This is pay dirt to the social engineer.
92 INFORMATION GATHERING
• Shredded Paper: Yes, you read that right. Although a lot of documents do get shredded, your average office shredder is pretty useless at keeping them that way. Paper that's been shredded into strips can be easily reassembled, often without any high-tech assistance. When the paper is fed into the shredder and the shreds are not mixed, the strips from one page stay in proximity to one another. In addition, if the documents are fed into the shredder with the lines of text parallel, rather than perpendicular, to the shredder blades, then long legible stripes of the document remain. Conversely, large amounts of paper strips from multiple documents are more difficult to piece together (unless you have vast amounts of time on your hands, and if you're reading this, you probably don't). Enter document reconstruction software. The FBI, forensic accountants and other investigators regularly need to recover shredded data. The way they go about this in the age of Enron is to scan all the little pieces and use software that automatically reconstructs the documents. There is a commercial solution: The Unshredder is a commercial document reconstruction tool, and it's a lot of fun. If you find yourself playing with shredded paper on a regular basis, you should check it out.
• Electronic Media: Floppy disks, CD-ROMs, DVDs, old hard drives, USB sticks. It's amazing what people throw away. I've seen old hard disks come out of the trash packed with employee information, prescription data from a pharmacy (names, addresses, medical conditions) and all kinds of miscellaneous documents, spreadsheets and databases.
Electronic media is our number one target. Virtually nobody securely wipes drives or shreds CD-ROMs before this stuff finds its way into the trash. Recovering data from electronic media deserves a section of its own, and we look at it in detail later in this chapter.
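The username point above is worth making concrete. The following is an added example, not code from the book: it takes a list of employee names harvested from the trash plus one real username seen on a discarded document, works out which naming convention produces that username, and then applies the same convention to everyone else on the list. The names, the leaked username, the domain and the table of conventions are all constructed for illustration.

```python
"""
Inferring a target's username convention from one leaked username.

Added example, not from the book. The employee names, the leaked username,
the example.com domain and the CONVENTIONS table below are constructed for
illustration; extend the table with whatever scheme a real target turns
out to use.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Common corporate conventions, keyed by a short label.
# Each entry maps (first, last) -> username.
CONVENTIONS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def normalise(full_name: str) -> Tuple[str, str]:
    """Reduce 'John Q. Smith-Jones' to ('john', 'smithjones').

    Lower-case, strip anything that is not a letter, drop middle names and
    treat the final token as the surname. Assumes Western name order and a
    single surname; targets with family-name-first or double surnames
    (e.g. Spanish naming) need a different split.
    """
    tokens = [re.sub(r"[^a-z]", "", t.lower()) for t in full_name.split()]
    tokens = [t for t in tokens if t]
    if len(tokens) < 2:
        raise ValueError(f"need a first and last name: {full_name!r}")
    return tokens[0], tokens[-1]


def candidates(full_name: str) -> Dict[str, str]:
    """Every candidate username for one person, keyed by convention label."""
    first, last = normalise(full_name)
    return {label: build(first, last) for label, build in CONVENTIONS.items()}


def infer_conventions(full_name: str, leaked_username: str) -> List[str]:
    """Return the convention labels under which full_name yields leaked_username.

    Accepts a bare username or an email address (only the local part is
    compared). More than one label can match, e.g. 'firstlast' and 'flast'
    collide for a one-letter first name, so callers should check the length.
    """
    local = leaked_username.split("@", 1)[0].strip().lower()
    return [label for label, user in candidates(full_name).items() if user == local]


def apply_convention(names: Iterable[str], label: str, domain: str = "") -> Dict[str, str]:
    """Build usernames (or email addresses, if domain is given) for a whole
    list of harvested names under one convention."""
    build = CONVENTIONS[label]
    out: Dict[str, str] = {}
    for name in names:
        first, last = normalise(name)
        user = build(first, last)
        out[name] = f"{user}@{domain}" if domain else user
    return out


if __name__ == "__main__":
    # Constructed sample: names lifted from a discarded phone list, plus one
    # username that appeared on a printed helpdesk ticket.
    harvested = ["John Smith", "Mary-Ann O'Brien", "Luis Garcia Ramos"]
    leaked = "jsmith"
    labels = infer_conventions("John Smith", leaked)
    print("matching conventions:", labels)
    if len(labels) == 1:
        for name, user in apply_convention(harvested, labels[0], "example.com").items():
            print(f"{name:20s} -> {user}")
```

A single leaked username only pins the scheme down if exactly one convention reproduces it; when several match, keep all of them as candidates until a second username (or an email address from a printed message) disambiguates. The generated list is for the later social-engineering and password-guessing phases of the assignment, not something to spray at a login portal during the trash run.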
Diving in
When your trash hits the street it enters the public domain: anyone can go through it without having to worry about breaking the law. This is the case in most jurisdictions, and certainly in the UK and US, although in some places there are specific bylaws to prevent it. However, most dumpsters containing corporate trash are on site, on private land. Be assured, though, that they won't be under 24-hour armed guard with cameras and dogs. In fact they will most likely not even be locked, and if they are locked, it won't be anything serious. If you are running a test, remember that the dumpsters will be on private property, so treat the dumpster diving exercise with the same seriousness as you would any other part of an assignment. Plan ahead and make it your goal to be in and out as quickly as possible.
Don’t be tempted to start sorting through the stuff in situ, grab what you can carry – bring a couple of large canvas bags with you – and do the analysis off site.