OSINT and TRASHINT

advertisement
Open Source Intelligence
(OSINT)
OSINT and TRASHINT
This presentation is the sole property of OSPA. Distribution is limited to OSPA members registered in the
OSPA OPSEC Academy
http://www.opsecacademy.org
TRASHINT: “Trash Intelligence”; Intelligence that is collected from refuse
containers, to include recycling, dumpsters and other refuse bins. Often
referred to as “Dumpster Diving”, but can include any form of refuse
collection.
While local laws may vary, TRASHINT is an easy and often legal way to
obtain critical information about a target, which may include private parties,
businesses, military or government entities. Recycling, in particular, may be
outsourced, even to other countries.
There are multiple opportunities for sensitive information to be intercepted
after being discarded:
In containers
In transit
At destination (trash
dump, recycling
facility)
A specific document or item, in itself, may not be significant, but when joined
with other pieces of information, it could be extremely damaging.
For example, finding a single invoice in the trash wouldn’t necessarily reveal
a complete customer list to a business competitor, but several weeks,
months or years worth may.
Similarly, a single cafeteria inventory may not reveal anything of value, but by
establishing a pattern of lunch orders, an adversary may be able to identify a
major activity by noting a spike in orders.
Risks to private individuals
Potential harm to private individuals includes, but is certainly not limited to:
• Phone bills
• Credit card receipts and other financial records
• Personal correspondence
• Vacation plans (printed receipts, ticket confirmations, etc)
• Family records and other information
• Employment information
• Receipts from recent major purchases
• Digital media (CD’s, etc)
• School records
• Information that could reveal regular schedules, such as church fliers,
sporting event schedules, etc
Risks to businesses
Potential harm to businesses includes, but is certainly not limited to:
• Customer invoices, packing lists and order confirmations allowing a
customer and price list to be determined
• Purchase orders, revealing suppliers and prices paid
• Employee and payroll records, potentially exposing sensitive personal
information
• Memos and printed emails
• Internal employee directories
• Marketing and development plans
• Sales, accounts receivable and accounts payable reports
• Internal white papers and reports
Risks to Military and Government
Potential harm to military and government includes, but is certainly not
limited to:
• Deployment rosters and schedules
• Maintenance records, showing current deficiencies and increased
schedules
• Pre-deployment or exercise deliveries and deliverables
• Unit strength information
• Internal memos and training schedules
• Employee and/or Soldier/Sailor/Airman personal information
• Documents showing intent or capabilities
Countermeasures
• Conduct periodic inspections of outgoing trash and recycle containers
• Provide awareness training for personnel, highlighting the TRASHINT threat
• Provide periodic reminders, including posters, labels, etc
• Provide high-quality shredders that destroy the documents to such a level as
commensurate with the sensitivity of the data.
• If necessary, consider the use of a document destruction service, which often
utilize mobile, high-volume shredders
• Securely store sensitive information pending destruction
Download