Many offices have shred bins. Those garbage bin looking things with a locking lid and a slit cut on top for sliding in “raw” paper. They are low tech, usually secured with some “beefy” looking lock, with two roller wheels and not much else to them.

While out and about thinking over a project I went for a walk as I often do when I am trying to get my creativity flowing. I eventually found myself remembering how years ago a friend and I “dumpster” dived our high school’s trash bin and uncovered handwritten sticky notes with passwords on them. 

It was about this time I rounded a hallway and came face to face with one of these bins. Now mind you, this was not in a “public” area per se, but it was not in an area I would call physically secure. Only one badge swipe stood between outside and this bin.

Then it occurred to me. I have no idea who places these bins there. If I saw someone in a reasonably plausible uniform rolling one of these in or out I wouldn’t even think about it; proof of which is that I am sure I have seen it happen, but the event was so plain I can remember no instance.

I imagined an attacker who did a bit of recon, found the company that supplies these bins, then walked into the lobby in their uniform. A half-wit at social engineering probably could get past reception and get buzzed in. If that failed, all they’d have to do is go to one of the employee entrances and shadow someone.

The loot would be like a super dumpster dive. Instead of a lot of garbage with little payoff, you’d get a windfall with only a little garbage.

Then I took it one step further. Nobody knows who drops these off and picks them up. What if an attacker created their own bin? If timed right, there is a chance nobody would notice anything missing and your success in getting past the front door goes up probably by 100%. Who doesn’t want to help out and hold a door for some hard-working fellow with their hands full?

Anyhow, I hope this gives you something to think about. We are looking at better locking these things down. However, it’s a low tech attack which could prove to be quite costly. My desire is to bring more attention to this because, trust me, if I, of all people, have thought about this, surely attackers have as well.