Tuesday, November 22, 2016

Burn Bags, Trash, And Shredding: OPSEC

What can you reveal with your trash?
I have a friend who is a retired police detective from a large metropolitan city. He told me that he can tell a lot about someone from their trash. If he had someone under surveillance he would often go through their trash. You can tell where a person eats out, what stores they frequent, insurance and work information, even if they have a dog. Return address and logos from the companies you do business with can be just as dangerous as the bills themselves. All this from one bag of trash.

Is there really a way to securely dispose of sensitive documents?

Today we’ll be looking at some of the most common forms of disposal for sensitive documents and offering some suggestions that either may have not occurred to you, or will hopefully be a refresher on how to properly dispose of these documents.

Before we address the most common methods of disposing of sensitive documents, let’s first define what sensitive documents are and why we should be concerned with properly disposing of them.

Most people would define their sensitive documents as anything containing account numbers, social security numbers, private correspondence, bank statements, bills, medical info, legal info, passwords, etc. We’d like you to think further and consider including anything with your signature, pre-approved credit card offers and even the envelopes that come with all these documents mentioned.
Why do you need to securely dispose of sensitive documents at all? The answer is two words, identity theft. Those responsible for inflicting such damage to hard working individuals like yourselves, can obtain your information through a number of sources, but today we’ll be helping you take away one of their biggest assets. Your trash.

Believe it or not, dumpster diving isn’t a crime if the trash is in a public place. This includes curbs, apartment dumpsters and anywhere it’s in public view. Where it becomes a crime is when your trash is concealed, like on the side of your house in your trash cans.

One last thing to mention is boxes and packaging from expensive items. Don’t invite trouble into your home by leaving these casually on your curb. At the very least break these down to make them indistinguishable to would-be thieves driving by. Why publish what you bought last weekend by leaving the boxes out on the curb? Want everyone to know you just bought a gun or gun related gear? What about those old ammo company flyers or catalogs? They all scream information. This is something you should pay particular attention to around Christmas particularly.

Putting it into simple terms, you only have one way in which your non-digital sensitive documents reach you and leave you. The mailbox and the trash can.

As we’ve already addressed the trash, let’s look at your incoming sensitive mail really quick. While stealing mail is a federal crime, identity theft is too. Unfortunately just the simple notion of it being a felony isn’t enough to deter a thief to begin with. One of the best purchases you can make to protect yourself from this kind of theft is a locking mailbox insert.

Identity theft is a huge topic, but suffice to say that if you can eliminate the variable of protecting your incoming and outgoing sensitive documents you’ll be leaps ahead of most of the many people that are victimized every day.

By far the most common method of disposing of your sensitive documents is shredding. There are many different kinds of shredders available on the market. Since we’re mostly addressing home shredding, we’ll be discussing the most common commercially available shredders and what their capabilities are.

There are security levels for shredding:

Security Level 1 (for shredding general internal documents): Strip-Cut – 3/8” or Cross-Cut – between 3/8” x 1-1/2” and 3/8” x 3-1/8”
Security Level 2 (for shredding sensitive internal documents): Strip-Cut – 1/8” or 1/4″
Security Level 3 (for shredding confidential documents): Strip-Cut – 1/16″ or Cross-Cut – 1/4” x 1/8”
Security Level 4 (for shredding secret documents): Cross-Cut – 1/16 x 5/8″
Security Level 5 (for shredding of top secret documents – DOD approved): Cross-Cut – 1/32” x 1/2”
Security Level 6 (for shredding of top secret documents – NSA/CSS approved): Cross-Cut 1mm x 5mm (approx. 1/26″ x 1/5″)

Most office supply stores don’t list shredders by their respective security levels, but most list the dimensions of the cut in the product details. It’s suffice to say that Strip-Cut is definitely not the way to go, and can lead to your sensitive documents being reconstructed.

Typically there are three classification levels for shredders that you’ll see commercially available, Strip-Cut, Cross-Cut and Micro-Cut. Strip-Cut and Cross-Cut are fairly on the money in terms of the security levels above, and Micro-Cut is around a level 3-4. Just note the cut size of any shredder you’re buying and compare it to the above security levels for what is best for you. We’d recommend nothing less than Security Level 4 (with the capability of shredding CDs) to ensure that would-be identity thieves are going to have a difficult time reconstructing your documents.

Some government shredders in the Security Level 5-6 range are called disintegrators, which is a term used to describe very large machines capable of generating a top secret level particulate from just about anything. This includes hard drives, cell phones, microfilm etc.

The reconstruction of sensitive documentation has been around as long as shredders have. According to NY Times article: reconstruction was first brought to light during the 1979 US Embassy takeover in Tehran. The Iranians elicited the help of local carpet weavers to reconstruct sensitive documents, which were sold on the streets of Tehran as a testament to US imperialism.

Just know that with some time and even the help of computer programs like Unshredder, there isn’t much reassurance that your documents will stay shredded.

While shredding can be an effective way to deconstruct your sensitive documents, even that must be put on the curb for anyone to pick up. To totally and securely dispose of these documents you’ll need a Burn Bag. The Government uses Burn Bags for the collection of classified materials that are to be destroyed.

A Burn Bag isn’t some magical bag that bursts into flames on command to erase your documents, it’s simply a bag which is easily identifiable that you can continually deposit your to-be-destroyed information into throughout the day. Then once the day, or however long you’re waiting, the bag gets incinerated. If you’re waiting multiple days in between incinerating Burn Bags, you’ll need to consider where you’re going to store it.

One of the best ways we’ve found to incinerate Burn Bags is to get one of those outdoor fire pits with the screened lids. It will keep your ashes from flying around everywhere while you’re cooking your documents. Of course when you’re done you’ll need to properly scatter the ashes. We use a burn barrel since we are in the country.

Burn Bags can even be used in conjunction with a shredder, as many documents stacked in a pile will not fully burn. The absence of oxygen on the interior pages of a book or large stack of documents acts as insulation and will not allow a complete burn. You’ll wind up with plenty of unburned material and have to repeat the process all over again.

The Burn Bags that the Government uses feature red and white diagonal stripes that makes them easily identifiable and harder to confuse with other trash.

You may have remembered seeing Burn Bags in the movie “Spy Game”, which is the first movie we’ve seen to actually use a Burn Bag. In the movie, Robert Redford’s character uses the bag to store sensitive documents, not for burning, but to deceive fellow CIA personnel by hiding them in plain sight.

What if you need a document disposed of, but don’t have a shredder? Do your best to rip up the papers, put them in a plastic bag and fill it with just a little bit of water. Slosh, roll, squeeze and or crumble the paper into a big, sloppy mess. When you're finished, you should be left with a waterlogged ball of incomprehensible pulp!
It's probably not the best solution if it's something you need to do every day, but for the odd item that needs to be securely destroyed, it's a pretty clever alternative.

Keeping your information safe is an ongoing battle. Make sure you win this battle by being vigilant and smart.

Semper Paratus
Check 6