Penetration Testing: Pen - Test technique: Shred diving

From: Mike Shaw <mshaw_at_wwisp.com>
Date: Thu, 03 Jan 2002 14:00:25 -0600

Don't know if this will pass list muster, but I just had a great time in a
client company's shredder bin.

This was a very inadequate shredder, very wide 'noodles' and no
cross-shredding. I've always disregarded the shredder bin because I
thought it'd be too much trouble, but this is definitely not the case.

I was able to reconstruct a page of text in about 20 minutes. This
particular page was not very useful, but it proved the point.

The big bananas were a list of routers, IPs, and circuit IDs, and (drum
roll...) a complete company employee roster including salaries (including
CIO!). These were printed landscape, and because there was no
cross-shredding, the records were in very convenient strips, like they came
from a fortune cookie. One handful and 15 minutes of sorting made a very
attractive list. I don't know if anyone has coined a term for this yet,
but I dubbed it "the fortune cookie effect".

<technical muse>
I'm toying with the idea of a "shred-cracker". Basically you would scan
the strips in, then the program would reconstruct them in every possibility
and pass it through an OCR library. When the OCR started hitting
recognizable words, it would 'lock' those strips in place.

Sadly, my coding skills aren't really up to this project and even if they
were I don't have that time.
</technical muse>

Anyway, if anyone is doing a pen-test that involves physical security,
don't overlook the shred bin!

-Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Jan 03 2002
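
An added illustration of the "fortune cookie effect" described in the message above, written for this page and not part of the original post or any existing tool: it models a printed page as a character grid and reports how many whole records and salary fields stay readable on a single piece under strip-cut and cross-cut shredding. The roster, the cell-based strip sizes and the function names are assumptions made for the example.

```python
# Added illustration (not from the original post): model a printed page as a
# character grid and measure what stays readable on one shredded piece.
# The roster below is constructed sample data.
STAFF = [("Avery Quinn", "CIO", "$185,000"), ("Blake Ortiz", "Net Admin", "$72,500"),
         ("Casey Lindqvist", "Helpdesk", "$41,250"), ("Devon Marsh", "Controller", "$96,400")]
PAGE = [f"{name:<16}{title:<11}{pay:>9}" for name, title, pay in STAFF]
SALARIES = [pay for _, _, pay in STAFF]


def shred(page, strip, along_lines, cross=None):
    """Cut a page (list of equal-length strings) into pieces.

    strip: strip width in cells (rows if the cut runs along the text lines,
           columns if it runs across them).
    cross: cross-cut length in cells along the strip; None means strip-cut only.
    Returns a list of pieces, each a list of row fragments.
    """
    rows, cols = len(page), len(page[0])
    if along_lines:
        row_step, col_step = strip, cross or cols
    else:
        row_step, col_step = cross or rows, strip
    return [[line[c:c + col_step] for line in page[r:r + row_step]]
            for r in range(0, rows, row_step)
            for c in range(0, cols, col_step)]


def surviving(values, pieces):
    """Fraction of values readable in full on at least one single piece."""
    hits = sum(any(v in frag for piece in pieces for frag in piece) for v in values)
    return hits / len(values)


def report():
    """Exposure of whole records and of salary fields for four shredder setups."""
    setups = {
        "strip-cut, cuts along text lines": shred(PAGE, 1, True),
        "strip-cut, cuts across text lines": shred(PAGE, 3, False),
        "cross-cut, 12-cell particles": shred(PAGE, 1, True, cross=12),
        "cross-cut, 4-cell particles": shred(PAGE, 1, True, cross=4),
    }
    return {name: (surviving(PAGE, p), surviving(SALARIES, p)) for name, p in setups.items()}


if __name__ == "__main__":
    for name, (records, fields) in report().items():
        print(f"{name:<36} whole records {records:.0%}  salary fields {fields:.0%}")
```

Substituting a real report layout for `PAGE` shows whether a given particle length still leaves short fields such as salaries intact on one piece.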
