Friday, 29 April 2011

Social Engineering Techniques: Dumpster Diving

Information that companies consider sensitive is thrown out daily in the normal garbage cans. Attackers can successfully retrieve this data by literally climbing into the company dumpsters and pilfering through the garbage. Information such as names, Social Security numbers,
addresses, phone numbers, account numbers, balances, and so forth is thrown out every day somewhere. I personally know a nationally recognized movie rental company that still uses carbon paper in its fax machine. Once the roll is used up they simply throw the entire
roll in the dumpster. The information on that roll is priceless, including names, addresses, account numbers, phone numbers, how much they actually pay for their movies, and so forth.

Another social engineering attack that also proves to be very successful is when an attacker dresses in the uniform of those personnel considered “honest” and “important” or even “expensive.” For example; an attacker purchases/steals the uniform of a carrier, telephone, or gas or electric employee and appears carrying boxes and/or clipboards, pens, tools,
etc. and perhaps even an “official-looking” identification badge or a dolly carrying “equipment.” These attackers generally have unchallenged access throughout the building as employees tend to see “through” these types of people. When is the last time you challenged
one of these personnel to verify their credentials?

This attack is very risky as the attacker can now be personally identified should he or she get caught. Again, this attack is normally very successful so bear this in mind.

No comments:

Post a Comment