Data, particularly sensitive data, has become increasingly valuable. As the amount of data being created and stored electronically has increased, so to have nefarious marketplaces where stolen data is exchanged. The dark web and the TOR network allow for near anonymity in brokering the sale of ill obtained credit card numbers, health records, bank account numbers, and social security numbers. In a cyber threat context, personal information about employees working at targeted companies or government agencies has very high value. Both companies and individual people face a real risk of improperly disposed garbage, realized by a social engineer finding data of value in the rubbish. Social engineering is one method by which valuable information may be ill obtained. Specifically, dumpster diving represents one tactic the social engineer may employ. The Larry Ellison case and the Jerry Schneider case represent two examples of exploiting information through dumpster diving.
The Case of Larry Ellison – Dumpster Diving Oracle
The art of dumpster diving involves combing through the trash and recycling bins of an organization or individual for the purpose of identifying and acquiring documents that contain sensitive information. Social engineers use this tactic to help inform their social engineering attacks by identifying targets, obtaining information about organization structures, and adding details to their pretexting attacks. One such example of social engineering through dumpster diving for the purpose of identifying information about organizational structure was perpetrated by Larry Ellison in 2000.
Larry Ellison was then the CEO of Oracle. His company thrived in the server and database infrastructure space. Under Larry’s leadership, his company competed directly against Microsoft and Larry’s personal rival, Bill Gates. In the year 2000, Microsoft was in a legal anti-trust battle and Larry believed this was the time to act. Larry hired private investigators to comb through the garbage of groups defending Microsoft. They ultimately uncovered information that Microsoft was secretly funding front groups in order to manipulate public opinion in their favor. The goal of this social engineering attack was to discredit Microsoft and reinforce the monopoly argument during its legal battle.
The intruder included agents of the private investigation firm Investigative Group International (IGI). This group was admittedly hired by Larry Ellison for the purpose of dumpster diving specific targets with a high likelihood of possessing confidential or sensitive information about Microsoft. Investigative Group International is currently headquartered in Washington, DC and operates internationally. IGI markets itself as a private investigation firm offering the following services, due diligence, internal investigations, litigation support, business and financial investigations, regulatory & competitive intelligence, and a laundry list of other services. In this case, IGI likely classified their dumpster diving operation as a competitive intelligence collection operation.
The victim in this case was not restricted to the ultimate target, Microsoft. Rather the physical victim of the operation included a multitude of third-party companies with an affiliation with Microsoft. These third-party companies’ office dumpsters and recycling bins were compromised by the Investigative Group International on the direct behest of Larry Ellison. One such third party was the Independent Institute. Dumpster diving agents found documentation that linked a $200,000 payment from Microsoft to that organization in exchange for pro-Microsoft ads and spin. One other such group was the Association for Competitive Technology. This dumpster diving attempt was unsuccessful and is discussed below. While Microsoft was the intended target of Larry Ellison’s social engineering attack, the victims of the dumpster diving operation were third party companies. This attack demonstrates a very broad scope of information sought by social engineers through dumpster diving.
During the operation, Larry Ellison’s agents were private investigators with the Investigative Group International firm. These agents employed various processes of intrusion. As discussed above, the third-party company victim of the dumpster diving operation, the Association for Competitive Technology, intrusion resulted in an unsuccessful attempt by Larry Ellison’s agents. During this attempt, IGI agents employed human Intelligence (HUMINT) collection techniques to gain access. This technique included an approach to janitorial staff with an offer to purchase the trash for cash. The agents believed that money would have been a great motivator for turning a spy in this situation, but they were incorrect, and the janitor reported the incident.
More generally, the methods of intrusion include access, identification, exploitation and exfiltration. A social engineer using a dumpster diving tactic could gain access to a target’s trash bin in a variety of ways. The engineer could hop the fence and jump in the dumpster, they could bribe a janitor to put the garbage of high-ranking employees in a separate bag next to the dumpster, or they could employ a variety of HUMINT collection, or social engineering techniques to gain access. Once they have access, it’s a matter of finding the relevant sensitive information, extracting it and then exfiltrating.
The Larry Ellison case study on dumpster diving did have an unexpected impact once brought to light. It appears that the impact intended by the perpetrator was to disrupt Microsoft’s operations, discredit that organization, and open the door for its own financial and business gain from the fall-out of the disclosed sensitive information. While this impact did happen in part, there was an unintended backfiring of public opinion on Oracle and its CEO, Larry Ellison. The public was made aware of Ellison’s mantra on business. That is that not only must his company win, but all others must fail. This type of business mindset coupled with the ethically questionable practice of dumpster diving resulted in a shock to the public’s consciousness. This impact and further consequences, including the bad press for Oracle, and the stepping down of Larry Ellison as CEO articulate the threat and demonstrate the risk companies have, even tangentially related to another party. Some strategies for mitigation the dumpster diving risk were evidently employed by the victims in this case, particularly by the Association for Competitive Technology. A white-shoe global private investigations firm’s expert intelligence collectors were unsuccessful in a HUMINT operation to bribe a low-level employee on the janitorial staff for access to the company’s trash show that the company has created a culture of loyalty and awareness to threats in this form. Fostering a culture of loyalty, as it appears the Association for Competitive Technology did, is one way of combating HUMINT solicitations in exchange for trash. As such, the Larry Ellison case highlights the fact that the intended target is not always the victim.
Jerry Schneider – The Entrepreneurial Dumpster Diver
While cyberwarfare and cyber itself are new and still emerging concepts. Dumpster diving has been a social engineering tactic for a long time and is versatile enough that any person can dumpster dive for the purpose of a competitive edge and personal gain. The Jerry Neil Schneider case is one example of dumpster diving by one person for a commercial advantage and financial gain.
Jerry Schneider owned a company in the telecommunication and consumer electronics space. Over the course of a few years, 1968-1972, Jerry conducted a multitude of dumpster diving operations against various competitors, including utility companies, and upmarket competitors, notably Pacific Telephone and Telegraph. The goals of these operations included, acquiring technical manuals and specifications of various consumer communication products, learn the invoicing process for upmarket competitors and suppliers, and learn the processes and procedures of the upmarket companies and supplier’s employees.
The chief intruder and dumpster diver in this case was Jerry Schneider himself. Jerry, now a notable social engineer and security consultant, was then still in high school when he formed a company called Creative Systems Enterprises. This company’s business was to sell custom electronic communication devices invented and built directly by Jerry. To get a leg up and help with his business, Jerry started dumpster diving on Pacific Telephone and Telegraph’s premises. He found invoices and training manuals along with various processes and procedures information. Jerry used this information to improve his own products. Nefariously, Jerry learned the invoicing process of various suppliers and was able to exploit that process for free equipment. He would then resell the equipment under the label of ‘refurbished’.
The victim in this case included suppliers and competitors. The most significant victim was the Pacific Telephone and Telegraph company. This company was in the business of providing telephone services and equipment in California. Through his invoicing exploitation, learned from sensitive information obtained in the company’s trash, Jerry Schneider was able to steal approximately $900,000 worth of equipment. He then resold the equipment for a profit.
Jerry used a very straightforward process of intrusion into the physical dumpsters of Pacific Telephone and Telegraph Company. Jerry would gain physical access to the premises by simply walking and hoping the occasional fence. He then would physically enter the unguarded and unsecure dumpsters and conduct his search. Once the sensitive information was found, Jerry would simply remove the documents and broken components from the dumpster before exfiltrating the dumpster and premises himself.
For the invoice scam, Jerry would order equipment directly from Pacific Telephone and Telegraph and other similar companies, like Western Electric. The order parts would be delivered to various locations and Jerry would then pick up the parts overnight. Little is known about the logistics of this part of the scam, but Jerry did have a van marked with the Pacific Bell logo which he kept in his mother’s garage. The assumption was that Jerry would pick up the parts using the van to avoid suspicion. Then Jerry likely informed the company that he paid his invoice and did so in a way that was consistent with the company’s policy and procedures, which he learned from dumpster diving.
This case did result in substantial impact to both Jerry and the companies by which he conducted his social engineering tactic of dumpster diving. This scheme was made public by a whistleblower and disgruntled former employee of Jerry Schneider’s company, Creative Systems Enterprises. The former employee was refused a raise from 11.00 dollars per hour to 13 dollars per hour and as such, the former employee tipped off law enforcement. Jerry was arrested in 1972 and his social engineering prowess earned him a spot as one of the most famous computer related crimes in history. Following his arrest and substantial plea bargaining, Jerry Schneider pleaded guilty to one count of grand theft and was sentenced to two months in a minimum-security facility. In reality, Jerry only served forty days in jail and paid a $500 fine. Jerry Schneider was also sued personally by PTT. The final judgment indicated $214,000 in damages were assessed against Jerry Schneider as a result of his scam.
Dumpster diving has posed a real threat to companies, individuals, and even nations. As such, risk mitigation against dumpster divers includes some countermeasures. Had some of the following been in place by the Pacific Telephone and Telegraph company, the exploitation of the company’s invoicing process could have remained sensitive, and Jerry Schneider would likely not have entered his reselling scheme. Some countermeasures include training employees to shred and safeguard sensitive documents and old data. This is a simple yet effective method to mitigate dumpster diving risk.
Another simple counter measure is to secure the dumpsters. This can be done with simple locks and paired with a video surveillance system. As unappealing it seems to monitor dumpsters on video camera, this security procedure can alert the business to attempted social engineering attacks. The video can then assist law enforcement in identifying the perpetrators. Hiring a well reputed disposal vendor is another good countermeasure companies can implement to mitigate the risk of dumpster diving. However, any vendor can be impersonated or turned by a HUMINT collector, so even the countermeasures are not without some risk.
