Penetration Testing mailing list archives

Re: Pen - Test technique: Shred diving


From: "Rainer Duffner" <rainer () ultra-secure de>
Date: Fri, 04 Jan 2002 13:07:39 GMT

Mike Shaw writes:

Don't know if this will pass list muster, but I just had a great time in a client company's shredder bin.

Cool ;-)
[snip]
<technical muse>
I'm toying with the idea of a "shred-cracker". Basically you would scan the strips in, then the program would reconstruct them in every possibility and pass it through an OCR library. When the OCR started hitting recognizable words, it would 'lock' those strips in place.

Well, I had thought of the idea to scan the things in as they are fed
into the shredder.
You'd have to tamper with the shredder, but nevertheless...
Sadly, my coding skills aren't really up to this project and even if they were I don't have that time.
</technical muse>


IIRC, software for that exists already. At least, software that turns scans
of torn paper into clean copies (by matching "pieces").
The East-German secret service (MfS, aka "Stasi", try http://www.bstu.de/home.htm ) left over 15000 sacks of torn paper, before it was shut down after the German re-unification. The paper was torn because the shredders were broken (too much paper in too short a time).
Anyway, if anyone is doing a pen-test that involves physical security, don't overlook the shred bin!

"Only the paranoid survive"


cheers,
Rainer
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rainer Duffner                   Munich
rainer () ultra-secure de          Germany
http://www.i-duffner.de        Freising
========================================
   When shall we three meet again
 In thunder, lightning, or in rain?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~