What is Dumpster Diving?

In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out a fraudulent activity. Many people throw away sensitive documents containing their personal information without destroying them properly; a fraudster can find these in trash cans and use the information to commit fraud. Dumpster diving is not limited to probing through the trash for obvious resources like identity numbers or passwords written down on paper. Apparently useless information like a phone list, calendar, or organizational chart can be used to obtain valuable information. While you are shopping, someone can easily memorize your details, including name, address and the last three numbers of your credit card, during the short time it takes you to write a check.

Dumpster Diving in Process

There is another type of computer-related “trash” that we might not consider. In the system itself are files that have been deleted but that haven’t actually been erased from the system. Computers and users are used to saving data, not destroying it, and sometimes data is saved that shouldn’t be saved. Electronic trashing is easy because of the way that systems typically delete data. Usually, deleting a file, a disk, or a tape doesn’t actually delete the data but simply rewrites a header record. Under MS-DOS, for example, a file can be deleted via the DEL command; however, someone else can retrieve the contents of the file simply by running UNDELETE. System utilities are available that make it easy to retrieve files that may seem to be completely gone.

Although there are methods for truly erasing files and magnetic media, most users who work on large systems do not take the time to erase disks and tapes when they are finished with them. They may discard old disks and tapes with data still on them. They simply write the new data over the old data already on the tape. Because the new data may not be the same length as the old, there may be sensitive data left for those skilled enough to find it. It is far safer to explicitly write over storage media and memory contents with random data and to degauss magnetic tapes.
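
The two failure modes described above (a delete that only rewrites the header record, and a shorter write that leaves old data behind it) can be seen in a toy model next to the explicit random overwrite that removes the residue. This is an added example, not part of the original article; the ScratchMedium class, its methods and the sample record are constructed for illustration and do not model any real file system or tape format.

```python
import os


class ScratchMedium:
    """Toy disk/scratch tape: one header record plus a raw data area."""

    def __init__(self, size=64):
        self.raw = bytearray(size)   # what is physically on the medium
        self.header = None           # (name, length), or None once "deleted"

    def write(self, name, payload):
        # New data starts at offset 0; bytes past its end are left untouched.
        self.raw[:len(payload)] = payload
        self.header = (name, len(payload))

    def delete(self):
        # Typical delete: only the header record is rewritten.
        self.header = None

    def read(self):
        # What the normal file interface shows the user.
        return b"" if self.header is None else bytes(self.raw[:self.header[1]])

    def sanitize(self):
        # Explicitly overwrite the whole medium with random data.
        self.raw[:] = os.urandom(len(self.raw))
        self.header = None


def residue(medium, secret):
    """Verification step: is the secret still present in the raw contents?"""
    return secret in bytes(medium.raw)


def demo():
    secret = b"ACCT-4417-CONFIDENTIAL"   # constructed sample record
    medium = ScratchMedium()
    medium.write("old.dat", b"header;" + secret)
    results = {}
    medium.delete()
    results["visible_after_delete"] = medium.read()
    results["residue_after_delete"] = residue(medium, secret)
    medium.write("new.dat", b"short")    # next user writes a shorter file
    results["residue_after_short_write"] = residue(medium, secret)
    medium.sanitize()
    results["residue_after_sanitize"] = residue(medium, secret)
    return results


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, value)
```

The residue check is the part worth keeping in a real disposal procedure: confirm that known content can no longer be read back before the medium leaves your control.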

Notable Cases of Dumpster Diving

One computer company in Texas that does business with a number of oil companies noticed that whenever a certain company asked them to mount a temporary storage (scratch) tape on the tape drive, the read-tape light would always come on before the write-tape light. The ingenious oil company was scavenging the tape for information that might have been put on it by competitors that used the tape before them.

Trashing can have deadly consequences. When some old Department of Justice computers were sold off, they had on their disks information on the whereabouts of witnesses in the Federal Witness Protection Program. Although the data had been deleted, it had not been completely erased from the disk. The DOJ was able to get back some of the computers, but not all, and was forced to relocate the compromised families as a result.

In 1991, spies posing as garbage collectors outside a U.S. defense contractor executive’s home dug through trash cans looking for information. One of the collectors was actually France’s consul general and claimed he was collecting fill for a hole in his yard. Upon investigation, the FBI determined that this operation was part of a French secret-searching mission, aimed at finding U.S. military or scientific information.

Then in 1999, two key members of a group called the “Phonemasters” were convicted of theft and possession of unauthorized access devices and unauthorized access to a federal interest computer. This international group of cyber criminals had allegedly penetrated the computer systems of MCI, Sprint, AT&T, Equifax and the National Crime Information Center. The Phonemasters’ skills had enabled them to download hundreds of calling card numbers and distribute them to organized crime groups around the world. Part of their method included dumpster diving and collecting old phone books and system manuals. These tools, combined with social engineering, led to the attacks on the mentioned systems.

In 2000, in a widely publicized case, the CEO of Oracle, Larry Ellison, hired private investigators to dig through corporate dumpsters at Microsoft. This was an effort aimed at finding information about Microsoft’s possible development of grassroots organizations to support its side in an anti-trust lawsuit. One of the investigators unsuccessfully tried to pay off a member of the janitorial service in exchange for the garbage of one of these organizations. Ellison held that his actions were a ‘civic duty’, to uncover Microsoft’s secret funding of such groups, but his opponents assert that the incident was distasteful and scandalous. Microsoft complained that various organizations allied to it have been victimized by industrial espionage agents who attempted to steal documents from trash bins. The organizations include the Association for Competitive Technology in Washington, D.C., the Independent Institute in Oakland, California, and Citizens for a Sound Economy, another Washington, D.C.-based entity. Microsoft said, “We have sort of always known that our competitors have been actively engaged in trying to define us, and sort of attack us. But these revelations are particularly concerning and really show the lengths to which they’re willing to go to attack Microsoft.” Saying he was exercising a “civic duty,” Oracle chairman and founder Larry Ellison defended his company against suggestions that Oracle’s behavior was “Nixonian” when it hired private detectives to scrutinize organizations that supported Microsoft’s side in the antitrust suit brought against it by the government. The investigators went through trash from those organizations in attempts to find information that would show that the organizations were controlled by Microsoft.
Ellison, who, like his nemesis Bill Gates at Microsoft, is a billionaire, said, “All we did was to try to take information that was hidden and bring it into the light,” and added: “We will ship our garbage to Microsoft, and they can go through it. We believe in full disclosure.” “The only thing more disturbing than Oracle’s behavior is their ongoing attempt to justify these actions,” Microsoft said in a statement. “Mr. Ellison now appears to acknowledge that he was personally aware of and personally authorized the broad overall strategy of a covert operation against a variety of trade associations.”

During the year 2001, industrial espionage came to light concerning the shampoo market between fierce competitors Procter & Gamble and Unilever. Private investigators hired by Procter & Gamble sifted through garbage bins outside of the Unilever corporation, succeeding in gathering viable information about market analysis, predictions and future products. Upon legal action by Unilever, the two corporations settled out of court, because these actions broke Procter & Gamble’s internal policy on information gathering.