Information diving

Last updated

Information diving is the practice of recovering technical data, sometimes confidential or secret, from discarded material. In recent times, this has chiefly been from data storage elements in discarded computers, most notably recoverable data remaining on hard drives. Those in charge of discarding computers usually neglect to erase the hard drive. It is often in such circumstances for an information diver to copy installed software (e.g., word processors, operating systems, computer games, etc.). Other data may also be available, such as credit card information that was stored on the machine. Companies claim to be especially careful with customer data, but the number of data breaches by any type of entity (e.g., education, health care, insurance, government, ...) suggest otherwise. In the UK, information diving has been referred to as "binology". [1] [2] [3]

Contents

Today, files, letters, memos, photographs, IDs, passwords, credit cards, and more can be found in dumpsters. Many people do not consider that sensitive information on items they discarded may be recovered. Such information, when recovered, is sometimes usable for fraudulent purposes (see also "identity theft" and physical information security). This method of dumpster diving is also sometimes used by attorneys or their agents when seeking to enforce court-ordered money judgments: the judgment debtor's trash may contain information about assets that can then be more-readily located for levying. [4]

Supposedly, information diving was more common in the 1980s due to lax security; when businesses became aware of the need for increased security in the early 1990s, sensitive documents were shredded before being placed in dumpsters. There is still considerable Internet activity on the subject of dumpster diving, so it is unlikely to have stopped with the widespread introduction of document shredding. Security mythology has it that curious hackers or malicious crackers commonly use this technique.

Cases

Printed manuals

In earlier times, the available discarded data included printed manuals and design records. In a famous case, a student, Jerry Schneider, discovered some discarded manuals for a telephone system ordering/shipping system and was able to build a business selling 'surplus' gear ordered from the telephone company as though it was for an internal company department.

Discarded computers

Two MIT students purchased a large number of obsolete computers at yard sales, and they were able to obtain information such as credit card information and tax return data. They published a paper, Remembrance of Things Past, documenting their discoveries. [5]

Dumpster diving

Dumpster diving is commonly practiced by "watchdog" organizations seeking information on groups they are investigating. The Trinity Foundation successfully used this technique to report on the activities of televangelist Robert Tilton and was also able to obtain information on Benny Hinn. [6]

See also

Related Research Articles

<span class="mw-page-title-main">Dumpster diving</span> Taking items from piles of waste for personal use

Dumpster diving is salvaging from large commercial, residential, industrial and construction containers for unused items discarded by their owners but deemed useful to the picker. It is not confined to dumpsters and skips specifically and may cover standard household waste containers, curb sides, landfills or small dumps.

<span class="mw-page-title-main">Paper shredder</span> Device used to cut paper into pieces

A paper shredder is a mechanical device used to cut sheets of paper into either strips or fine particles. Government organizations, businesses, and private individuals use shredders to destroy private, confidential, or otherwise sensitive documents.

<span class="mw-page-title-main">End user</span> Regular user of a product

In product development, an end user is a person who ultimately uses or is intended to ultimately use a product. The end user stands in contrast to users who support or maintain the product, such as sysops, system administrators, database administrators, information technology (IT) experts, software professionals, and computer technicians. End users typically do not possess the technical understanding or skill of the product designers, a fact easily overlooked and forgotten by designers: leading to features creating low customer satisfaction. In information technology, end users are not customers in the usual sense—they are typically employees of the customer. For example, if a large retail corporation buys a software package for its employees to use, even though the large retail corporation was the customer that purchased the software, the end users are the employees of the company, who will use the software at work.

In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted.

<span class="mw-page-title-main">Identity theft</span> Deliberate use of someone elses identity, usually as a method to gain a financial advantage

Identity theft, identity piracy or identity infringement occurs when someone uses another's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Since that time, the definition of identity theft has been legally defined throughout both the U.K. and the U.S. as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.

Robert Tilton is an American televangelist and the former pastor of the Word of Faith Family Church in Farmers Branch, Texas, a suburb of Dallas. At his ministry's peak in 1991, Tilton's infomercial-style program, Success-N-Life, aired in all 235 American television markets and brought in nearly $80 million per year; it was described as "the fastest growing television ministry in America."

Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.

Data remanence is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting of storage media that does not remove data previously written to the media, or through physical properties of the storage media that allow previously written data to be recovered. Data remanence may make inadvertent disclosure of sensitive information possible should the storage media be released into an uncontrolled environment.

File deletion is the removal of a file from a computer's file system.

Redaction or sanitization is the process of removing sensitive information from a document so that it may be distributed to a broader audience. It is intended to allow the selective disclosure of information. Typically, the result is a document that is suitable for publication or for dissemination to others rather than the intended audience of the original document.

A spoofed URL involves one website masquerading as another, often leveraging vulnerabilities in web browser technology to facilitate a malicious computer attack. These attacks are particularly effective against computers that lack up-to- security patches. Alternatively, some spoofed URLs are crafted for satirical purposes.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

Physical information security is the intersection, the common ground between physical security and information security. It primarily concerns the protection of tangible information-related assets such as computer systems and storage media against physical, real-world threats such as unauthorized physical access, theft, fire and flood. It typically involves physical controls such as protective barriers and locks, uninterruptible power supplies, and shredders. Information security controls in the physical domain complement those in the logical domain, and procedural or administrative controls.

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

Data erasure is a software-based method of data sanitization that aims to completely destroy all electronic data residing on a hard disk drive or other digital media by overwriting data onto all sectors of the device in an irreversible process. By overwriting the data on the storage device, the data is rendered irrecoverable.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

Social hacking describes the act of attempting to manipulate outcomes of social behaviour through orchestrated actions. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. Most often, social hacking attacks are achieved by impersonating an individual or group who is directly or indirectly known to the victims or by representing an individual or group in a position of authority. This is done through pre-meditated research and planning to gain victims’ confidence. Social hackers take great measures to present overtones of familiarity and trustworthiness to elicit confidential or personal information. Social hacking is most commonly associated as a component of “social engineering”.

Data sanitization involves the secure and permanent erasure of sensitive data from datasets and media to guarantee that no residual data can be recovered even through extensive forensic analysis. Data sanitization has a wide range of applications but is mainly used for clearing out end-of-life electronic devices or for the sharing and use of large datasets that contain sensitive information. The main strategies for erasing personal data from devices are physical destruction, cryptographic erasure, and data erasure. While the term data sanitization may lead some to believe that it only includes data on electronic media, the term also broadly covers physical media, such as paper copies. These data types are termed soft for electronic files and hard for physical media paper copies. Data sanitization methods are also applied for the cleaning of sensitive data, such as through heuristic-based methods, machine-learning based methods, and k-source anonymity.

References

  1. binology - Oxford Reference
  2. Leveson inquiry: Nick Davies, Paul McMullan and Richard Peppiatt appear - theguardian.com - 29 November 2011
  3. Leveson inquiry: Piers Morgan gives evidence - theguardian.com - 20 December 2011
  4. "How To Dumpster Dive" . Retrieved 16 August 2015.
  5. Garfinkel, Simson (1 April 2001). "Remembrance of Things Past" . Retrieved 16 August 2015.
  6. "Robert Tilton the greedy televangelist This MAn Rips Off Millions From Gullible Followers: The Desperate, Lonely, Forgotten, Afraid, Elderly, Religious and Others Fort Lauderdale Florida". 3 October 2006. Retrieved 16 August 2015.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.