| About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store |
 |
||||
|
||||
 |
||||
 |
|
|||
 |
||||
|
|
|
||
|
|||||||||||||||||||||||||||||||||||||||||
 COLUMN
Forget the firewall; guard your garbage against 'Dumpster diving' hackers AFTER YEARS OF information system security analysis, we have come to realize that the most damaging data is rarely trumpeted from the front page of the newspaper. True enough, The Wall Street Journal of June 16 ran only a small headline on the front page linked to an article on page A3 describing an attempt by shady individuals to purchase garbage from the Washington offices of a company associated with Microsoft.
The details of the case, according to the Journal, are fascinating for a number of reasons. Between June 1 and 6, a woman calling herself Blanca Lopez twice approached night cleaning staff at a building housing offices of the Association for Competitive Technology (ACT), a pro-Microsoft trade group. On the first attempt to buy the garbage, Lopez offered between $50 and $60 apiece to the two workers handling the trash. She spoke in the native language of the two staffers, apparently in an attempt to appear unthreatening and trustworthy. The second time Lopez showed up, one day before U.S. District Judge Thomas Penfield Jackson ordered the breakup of Microsoft, the offer was $500 each for the two cleaners and $200 for their supervisor. To their enormous credit, the night cleaning staff turned down the $1,200, according to the Journal. Days later, a break-in occurred at Microsoft offices in the area in what may have been an unrelated event. Or it could have been someone making good on the failed attempt to gather the same data through the garbage. A follow-up article made page A48 of the Journal on June 19, but details are still hazy. What is known is that Lopez asked the workers to bring the trash to the offices of Upstream Technologies (UT), located in the same building as ACT. UT appears to be a shell company operated by Investigative Group International (IGI), a high-profile detective agency run by Terry Lezner that is rumored to have dug up dirt on nemeses of President Clinton at the behest of his lawyers. Lezner has publicly admired the technique of leasing office space in the same building as investigative targets in order to avoid trespassing charges. Leaving aside our personal instinct that someone should be rummaging through Attorney General Janet Reno's and Chief Microsoft Prosecutor Joel Klein's garbage to figure out what really happened, here's the fact most relevant to readers: In the aftermath, the cleaning company threw a pizza party to celebrate the upstanding citizenship of their employees and lavished them with rewards of far less than $500 each. Anyone who thinks they can defend against this type of attack is ignorant of economics. 'Biggest' hack in history The suspicion of a major industrialized nation's government sponsoring such acts is terrifying enough, but of course, plain old malicious hackers still rely on the field of "garbology" pretty heavily as well. In a front-page article in the Journal in late 1999, a cracker ring, dubbed the Phonemasters, was alleged to have penetrated systems at AT&T, MCI WorldCom, Sprint, Equifax, TRW, and the databases of Lexis-Nexis and Dun & Bradstreet using mostly Dumpster diving and social engineering techniques. Online coverage of the Phonemasters (see netsecurity.miningco.com/compute/netsecurity) labeled it the "biggest bust of a cracker ring in the history of network computing." The sheer extent of the penetration of public network infrastructures achieved by the Phonemasters supports this claim quite strongly. What, if anything, can companies do to protect themselves? We draw a few lessons from the above tales; one man's garbage is another's gold, as the saying goes. Install centralized, tamper-resistant receptacles for disposing of sensitive documents. Feed the contents of the container through a shredder on a regular basis or contract with one of the many secure document destruction companies now dotting the landscape. Also consider separate receptacles for media such as floppies and CDs and install magnets in the bins to wipe the floppies as they get discarded. Educate management and staff on the dangers of untracked trash and audit everyone's compliance periodically by hiring someone such as IGI to see what they dig up. (Make sure you retain all copies of the report, though.) Have you lost any sleep lately worrying about your garbage? Send your own stories or thoughts (no trash-talking, please) to security_watch@infoworld.com. Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone ( www.foundstone.com ). Their best-selling book, Hacking Exposed, has sold more than 100,000 copies in six months.  RELATED SUBJECTS  SecurityMORE > SPONSORED WHITE PAPERS 
SPONSORED LINKS
|
|||||||||||||||||||||||||||||||||||||||||
|
||||||||||
|
||||||||||
