Penetration Testing mailing list archives
Re: Pen - Test technique: Shred diving
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 3 Jan 2002 18:38:57 -0500 (EST)
even better, saving lots of time the 'pre-shred' bins, those waste disposal bins where whole sheets are dummped for later shredding, seldom locked, and very exposed, especially at night, when staff is low in count, or noon hours, when the lunch bell chimes and the office clears out. then again almost any cubicle and office wall might well be littered withdocumentation, of course, it all depends upon access to the site, which is often fully available to pen=testers and auditors, let alone visitors, even if they have to be accompanied by an real employee. If someone really wants information, its not all that hard to gleen in paper format... On Thu, 3 Jan 2002, Mike Shaw wrote:
Don't know if this will pass list muster, but I just had a great time in a client company's shredder bin. This was a very inadequate shredder, very wide 'noodles' and no cross-shredding. I've always disregarded the shredder bin because I thought it'd be too much trouble, but this is definitely not the case. I was able to reconstruct a page of text in about 20 minutes. This particular page was not very useful, but it proved the point. The big bananas were a list of routers, IPs, and circuit IDs, and (drum roll...) a complete company employee roster including salaries (including CIO!). These were printed landscape, and because there was no cross-shredding, the records were in very convenient strips, like they came from a fortune cookie. One handful and 15 minutes of sorting made a very attractive list. I don't know if anyone has coined a term for this yet, but I dubbed it "the fortune cookie effect". <technical muse> I'm toying with the idea of a "shred-cracker". Basically you would scan the strips in, then the program would reconstruct them in every possibility and pass it through an OCR library. When the OCR started hitting recognizable words, it would 'lock' those strips in place. Sadly, my coding skills aren't really up to this project and even if they were I don't have that time. </technical muse> Anyway, if anyone is doing a pen-test that involves physical security, don't overlook the shred bin! -Mike ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Pen - Test technique: Shred diving Mike Shaw (Jan 03)
- Re: Pen - Test technique: Shred diving R. DuFresne (Jan 03)
- Re: Pen - Test technique: Shred diving William Knowles (Jan 04)
- Re: Pen - Test technique: Shred diving Rainer Duffner (Jan 04)
- Re: Pen - Test technique: Shred diving R. DuFresne (Jan 03)