SAN MATEO (07/03/2000) - After years of information system security analysis, we have come to realize that the most damaging data is rarely trumpeted from the front page of the newspaper. True enough, The Wall Street Journal of June 16 ran only a small headline on the front page linked to an article on page A3 describing an attempt by shady individuals to purchase garbage from the Washington offices of a company associated with Microsoft.
That's right: garbage. It's been a number of years since the hacking underground brought the term Dumpster diving into vogue, but it's apparently enjoying a renaissance of sorts. Dumpster diving is an apt, if a bit fanciful, description of the process of sifting through the garbage of large companies searching for information on how to access corporate networks or fodder for social engineering attacks, which are the online equivalent of a con man running a scam. The Wall Street Journal story instructs about the potential harm to a company and its network and of the ease with which such attacks can be carried out.
The details of the case, according to the Journal, are fascinating for a number of reasons. Between June 1 and 6, a woman calling herself Blanca Lopez twice approached night cleaning staff at a building housing offices of the Association for Competitive Technology (ACT), a pro-Microsoft Corp. trade group. On the first attempt to buy the garbage, Lopez offered between $50 and $60 apiece to the two workers handling the trash. She spoke in the native language of the two staffers, apparently in an attempt to appear unthreatening and trustworthy. The second time Lopez showed up, one day before U.S. District Judge Thomas Penfield Jackson ordered the breakup of Microsoft, the offer was $500 each for the two cleaners and $200 for their supervisor.
To their enormous credit, the night cleaning staff turned down the $1,200, according to the Journal. Days later, a break-in occurred at Microsoft offices in the area in what may have been an unrelated event. Or it could have been someone making good on the failed attempt to gather the same data through the garbage.
A follow-up article made page A48 of the Journal on June 19, but details are still hazy. What is known is that Lopez asked the workers to bring the trash to the offices of Upstream Technologies (UT), located in the same building as ACT.
UT appears to be a shell company operated by Investigative Group International (IGI), a high-profile detective agency run by Terry Lezner that is rumored to have dug up dirt on nemeses of President Clinton at the behest of his lawyers.
Lezner has publicly admired the technique of leasing office space in the same building as investigative targets in order to avoid trespassing charges.
Leaving aside our personal instinct that someone should be rummaging through Attorney General Janet Reno's and Chief Microsoft Prosecutor Joel Klein's garbage to figure out what really happened, here's the fact most relevant to readers: In the aftermath, the cleaning company threw a pizza party to celebrate the upstanding citizenship of their employees and lavished them with rewards of far less than $500 each. Anyone who thinks they can defend against this type of attack is ignorant of economics.
'Biggest' hack in history
The suspicion of a major industrialized nation's government sponsoring such acts is terrifying enough, but of course, plain old malicious hackers still rely on the field of "garbology" pretty heavily as well. In a front-page article in the Journal in late 1999, a cracker ring, dubbed the Phonemasters, was alleged to have penetrated systems at AT&T Corp., MCI WorldCom Inc., Sprint Corp., Equifax, TRW Inc., and the databases of Lexis-Nexis and Dun & Bradstreet using mostly Dumpster diving and social engineering techniques. Online coverage of the Phonemasters (see netsecurity.miningco.com/compute/netsecurity) labeled it the "biggest bust of a cracker ring in the history of network computing."
The sheer extent of the penetration of public network infrastructures achieved by the Phonemasters supports this claim quite strongly.
What, if anything, can companies do to protect themselves? We draw a few lessons from the above tales; one man's garbage is another's gold, as the saying goes. Install centralized, tamper-resistant receptacles for disposing of sensitive documents. Feed the contents of the container through a shredder on a regular basis or contract with one of the many secure document destruction companies now dotting the landscape. Also consider separate receptacles for media such as floppies and CDs and install magnets in the bins to wipe the floppies as they get discarded. Educate management and staff on the dangers of untracked trash and audit everyone's compliance periodically by hiring someone such as IGI to see what they dig up. (Make sure you retain all copies of the report, though.)Have you lost any sleep lately worrying about your garbage? Send your own stories or thoughts (no trash-talking, please) to firstname.lastname@example.org.
Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone (www.foundstone.com). Their best-selling book, Hacking Exposed, has sold more than 100,000 copies in six months.