Dumpster Diving - No firewall helps

[InfoSec News <isn () C4I ORG>]

Forwarded By: mea culpa <jericho () dimensional com>

Friday, 7 July 2000
Dumpster Diving - No firewall helps

FORGET THE FIREWALL; GUARD YOUR GARBAGE AGAINST 'DUMPSTER DIVING' HACKERS

AFTER YEARS OF information system security analysis, we have come to
realize that the most damaging data is rarely trumpeted from the front
page of the newspaper. True enough, The Wall Street Journal of June 16
ran only a small headline on the front page linked to an article on
page A3 describing an attempt by shady individuals to purchase garbage
from the Washington offices of a company associated with Microsoft.

That's right: garbage.  It's been a number of years since the hacking
underground brought the term Dumpster diving into vogue, but it's
apparently enjoying a renaissance of sorts.  Dumpster diving is an
apt, if a bit fanciful, description of the process of sifting through
the garbage of large companies searching for information on how to
access corporate networks or fodder for social engineering attacks,
which are the online equivalent of a con man running a scam.  The Wall
Street Journal story instructs about the potential harm to a company
and its network and of the ease with which such attacks can be carried
out.

The details of the case, according to the Journal, are fascinating for
a number of reasons.  Between June 1 and 6, a woman calling herself
Blanca Lopez twice approached night cleaning staff at a building
housing offices of the Association for Competitive Technology (ACT), a
pro-Microsoft trade group.  On the first attempt to buy the garbage,
Lopez offered between $50 and $60 apiece to the two workers handling
the trash. She spoke in the native language of the two staffers,
apparently in an attempt to appear unthreatening and trustworthy.
The second time Lopez showed up, one day before U.S.  District Judge
Thomas Penfield Jackson ordered the breakup of Microsoft, the offer
was $500 each for the two cleaners and $200 for their supervisor.

To their enormous credit, the night cleaning staff turned down the
$1,200, according to the Journal.  Days later, a break-in occurred at
Microsoft offices in the area in what may have been an unrelated
event.  Or it could have been someone making good on the failed
attempt to gather the same data through the garbage.

A follow-up article made page A48 of the Journal on June 19, but
details are still hazy.  What is known is that Lopez asked the workers
to bring the trash to the offices of Upstream Technologies (UT),
located in the same building as ACT.  UT appears to be a shell company
operated by Investigative Group International (IGI), a high-profile
detective agency run by Terry Lezner that is rumored to have dug up
dirt on nemeses of President Clinton at the behest of his lawyers.
Lezner has publicly admired the technique of leasing office space in
the same building as investigative targets in order to avoid
trespassing charges.

Leaving aside our personal instinct that someone should be rummaging
through Attorney General Janet Reno's and Chief Microsoft Prosecutor
Joel Klein's garbage to figure out what really happened, here's the
fact most relevant to readers: In the aftermath, the cleaning company
threw a pizza party to celebrate the upstanding citizenship of their
employees and lavished them with rewards of far less than $500 each.
Anyone who thinks they can defend against this type of attack is
ignorant of economics.

'Biggest' hack in history The suspicion of a major industrialized
nation's government sponsoring such acts is terrifying enough, but of
course, plain old malicious hackers still rely on the field of
"garbology" pretty heavily as well.  In a front-page article in the
Journal in late 1999, a cracker ring, dubbed the Phonemasters, was
alleged to have penetrated systems at AT&T, MCI WorldCom, Sprint,
Equifax, TRW, and the databases of Lexis-Nexis and Dun & Bradstreet
using mostly Dumpster diving and social engineering techniques.
Online coverage of the Phonemasters (see
http://netsecurity.miningco.com/compute/netsecurity ) labeled it the
"biggest bust of a cracker ring in the history of network computing."
The sheer extent of the penetration of public network infrastructures
achieved by the Phonemasters supports this claim quite strongly.

What, if anything, can companies do to protect themselves?  We draw a
few lessons from the above tales; one man's garbage is another's gold,
as the saying goes.  Install centralized, tamper-resistant receptacles
for disposing of sensitive documents.  Feed the contents of the
container through a shredder on a regular basis or contract with one
of the many secure document destruction companies now dotting the
landscape.  Also consider separate receptacles for media such as
floppies and CDs and install magnets in the bins to wipe the floppies
as they get discarded. Educate management and staff on the dangers of
untracked trash and audit everyone's compliance periodically by hiring
someone such as IGI to see what they dig up.  (Make sure you retain
all copies of the report, though.)

Have you lost any sleep lately worrying about your garbage?  Send your
own stories or thoughts (no trash-talking, please) to
security_watch () infoworld com.

Stuart McClure is president and CTO and Joel Scambray is managing
principal at security consultant Foundstone ( www.foundstone.com ).
Their best-selling book, Hacking Exposed, has sold more than 100,000
copies in six months.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".