Open Source Intelligence (OSINT) OSINT and TRASHINT This presentation is the sole property of OSPA. Distribution is limited to OSPA members registered in the OSPA OPSEC Academy http://www.opsecacademy.org TRASHINT: “Trash Intelligence”; Intelligence that is collected from refuse containers, to include recycling, dumpsters and other refuse bins. Often referred to as “Dumpster Diving”, but can include any form of refuse collection. While local laws may vary, TRASHINT is an easy and often legal way to obtain critical information about a target, which may include private parties, businesses, military or government entities. Recycling, in particular, may be outsourced, even to other countries. There are multiple opportunities for sensitive information to be intercepted after being discarded: In containers In transit At destination (trash dump, recycling facility) A specific document or item, in itself, may not be significant, but when joined with other pieces of information, it could be extremely damaging. For example, finding a single invoice in the trash wouldn’t necessarily reveal a complete customer list to a business competitor, but several weeks, months or years worth may. Similarly, a single cafeteria inventory may not reveal anything of value, but by establishing a pattern of lunch orders, an adversary may be able to identify a major activity by noting a spike in orders. Risks to private individuals Potential harm to private individuals includes, but is certainly not limited to: • Phone bills • Credit card receipts and other financial records • Personal correspondence • Vacation plans (printed receipts, ticket confirmations, etc) • Family records and other information • Employment information • Receipts from recent major purchases • Digital media (CD’s, etc) • School records • Information that could reveal regular schedules, such as church fliers, sporting event schedules, etc Risks to businesses Potential harm to businesses includes, but is certainly not limited to: • Customer invoices, packing lists and order confirmations allowing a customer and price list to be determined • Purchase orders, revealing suppliers and prices paid • Employee and payroll records, potentially exposing sensitive personal information • Memos and printed emails • Internal employee directories • Marketing and development plans • Sales, accounts receivable and accounts payable reports • Internal white papers and reports Risks to Military and Government Potential harm to military and government includes, but is certainly not limited to: • Deployment rosters and schedules • Maintenance records, showing current deficiencies and increased schedules • Pre-deployment or exercise deliveries and deliverables • Unit strength information • Internal memos and training schedules • Employee and/or Soldier/Sailor/Airman personal information • Documents showing intent or capabilities Countermeasures • Conduct periodic inspections of outgoing trash and recycle containers • Provide awareness training for personnel, highlighting the TRASHINT threat • Provide periodic reminders, including posters, labels, etc • Provide high-quality shredders that destroy the documents to such a level as commensurate with the sensitivity of the data. • If necessary, consider the use of a document destruction service, which often utilize mobile, high-volume shredders • Securely store sensitive information pending destruction