This is not some cute little composite story I’m making up to illustrate a patronizing point about cybersecurity. THIS HAPPENED ABOUT AN HOUR AGO: I went to check my mail at my PO box after a long day at work, right? My receptacle was bone dry. But, for those people that still get credit card offers, hardware store clearance flyers, and political action committee solicitations that somehow still look like real letters with cool stickers inside, there’s this really convenient trashcan outside the exit of the building on a public sidewalk. Sometimes I’ll stick my hand and head in to see if there’s anything juicy... just like I did tonight. My hand went in, and out came:
- A ‘zine-style alumni newsletter from a private college
- A solicitation from a non-profit organization with the return address “President Donald J. Trump”
- A first-class letter (i.e. non-junk mail) from Medica Insurance Company
All addressed to the same poor fool who didn’t think twice about throwing his mail away in a public area. Just like countless others do every day.
Good thing I don’t have a personal vendetta against the guy.
Good thing I don’t need an HD TV from Amazon. Good thing I stay legal. If any of those factors were different, this guy would be so screwed. I mean, I could really mess with the guy! Call him up, pretend to be his insurance provider, could you please re-confirm your Social Security number so we can keep our records current? Or: Hello, this is Ashley from Pepperdine University, would you be interested in donating to our new foundation started for Pepperdine Alumni who are military veterans? It’s a great cause, could we just get some quick information? Or: Hey there John, it’s Cindy from the Trump Foundation; can we put you down for a $10 donation to ensure the President can get reelected in 2020; I just need some basic information. Heck, somebody with an entrepreneurial social engineering spirit could give a shot at all three of those scenarios!
Social engineering has become about 75% of an average hacker’s toolkit, and for the most successful hackers, it reaches 90% or more. -John McAfee
Notice, I didn’t even start on the possibilities of getting one of my guy friends to pose as this person, perhaps calling up Medica to get some *really* juicy medical info and other personal stuff and work from there. The possibilities are positively titillating!
Oh snap. I think I just saw the manuscript for a lost Game of Thrones episode along with OJ’s glove.
I know, I know. “Wow, that’s so wrong, RealToughCandy. You’re a pervert.” Oh, I absolutely agree. I snag this stuff for thrills, see. It’s also great material to write about, since it helps illustrate the critical point of staying vigilant with your identity in the physical world.
Nice story and all, but what’s the point of it on this tech-oriented site?
Great question. If you’re an aspiring white-hat hacker (i.e. somebody who gets paid by a legitimate entity to legally penetration-test things), dumpster diving and trash picking can be an excellent source of material during your reconnaissance phase (Phase 1). Here are some tips to get you started:
• There is no reasonable expectation of privacy once something is in the garbage, said the United States Supreme Court in 1988’s California vs. Greenwood ruling. You may be a snoop, but you’re a legal snoop in the eyes of the federal government. (What the neighbors think of you when they see your pale plumber’s crack exposed while trying to fish out a sweet-looking document or motherboard, however, is a different story.)
• You came. You dove. You hit exploitation gold. Just because the dumpster diving part was legal, doesn’t mean the next parts are. If you use that information to, say, buy an HD TV from Amazon using somebody else’s credit card info from documents you dumpster’ed, you’re breaking a metric crap-ton of laws. So, like, don’t.
• Stay legal. While trash is largely considered abandoned property (and thus free for the legal taking) according to rulings like Long v. Dilling Mechanical Contractors, Inc., you’ll still be trespassing if you’re on private property that isn’t yours. Keep your exploits limited to public property! And if you’re doing this on a paid engagement, make sure the rules of engagement explicitly cover physical reconnaissance like this before you go fishing.
Again, dumpster diving and trash picking are a truly wonderful source for gathering information about a target during Phase 1 of your hack. It is also an equally wonderful playground for social engineering schemes.
Stay legal and have fun.