Burn Bins: Yet Another Treasure Chest for Attackers
Physical security is often overshadowed by its digital counterpart. As organizations pump resources into safeguarding digital assets, there is a looming threat on their own premises that often gets less attention: the insecure handling and storage of physical documents and keys.
This blog post dives into the realm of physical document security, particularly focusing on "burn bins", and provides guidance for physical penetration testers on potential weak points to assess.
The Burn Bin
A burn bin, as the name suggests, is a specialized container used for collecting sensitive and confidential documents awaiting destruction, typically through incineration. The primary purpose of a burn bin is to provide an interim, secure location for these documents before they are permanently destroyed, ensuring they don't fall into unauthorized hands.
The documents inside burn bins are those the organization has deemed too important or sensitive to simply throw away, so they must be destroyed either by shredder or by actual fire. That concentration of sensitive material is exactly what makes these bins an excellent location for document theft by attackers.
In many organizations, especially those dealing with sensitive information like financial institutions, healthcare entities, or government bodies, burn bins play a critical role in the document disposal process. They help ensure that personal, confidential, or proprietary data is not exposed or misused, upholding both regulatory requirements and maintaining trust.
However, while the concept of a burn bin is simple, its security implications are profound. Proper usage, placement, and timely destruction of contents are essential to prevent potential data breaches and maintain the integrity of an organization's information management protocols.
Burn bins are very often green or white trash cans on wheels that are around 1.2 meters tall (see above image). They will often have a small hole or slit cut into the top for documents to be dropped into and a padlock to keep it shut.
In large organizations that have multiple floors, you may find a burn bin on every floor, which allows an attacker two things:
If you know what kind of work a specific floor does, you know what is likely inside those bins
Multiple bins to attack. If one bin isn't accessible because people are watching or the lock is difficult, you have many others to choose from when deciding which is easiest to get into.
Why Physical Document Security is Essential
Identity Theft: Papers often hold personal details like social security numbers or bank account information. Falling into wrong hands, these can lead to significant personal and financial harm.
Corporate Espionage: Business strategies, trade secrets, and client lists on paper can be a goldmine for competitors or malicious actors.
Regulatory Compliance: Many sectors, especially finance and health, are bound by regulations necessitating the secure destruction of certain data. Non-compliance can result in legal consequences and hefty fines.
The Burn Bin Vulnerability
Burn bins are a prime example of the paradox of security. The bins are used to secure sensitive items, but they also tell attackers exactly where sensitive items are located.
Common Oversights:
Location: Positioned in easily accessible areas, they are often exposed to unauthorized individuals. They can also be located in printer rooms or similar unoccupied locations that allow attackers unobserved access.
Locking Mechanisms: Many bins are either left unlocked or possess weak locks, making them easy targets.
Destruction Delays: Waiting for bins to be filled entirely increases risks as documents accumulate.
Employee Habits: Without proper training, employees might mishandle sensitive papers, leaving them in inappropriate places.
Employee Indifference: If bins are left open or unlocked, VERY RARELY will an employee actually notice, let alone care enough to alert someone or resolve the issue themselves.
The Overlooked Open Burn Bin: Employee Indifference and Its Consequences
Burn bins, specifically designed to house sensitive documents prior to their destruction, inadvertently become a weak point in many organizations, not due to their design, but rather because of human oversight and indifference. One might assume that the security of such a crucial container would be paramount, but in practice, it's an entirely different story.
Employees often become complacent about the bins, especially during the routine of emptying them. An open, unlocked burn bin becomes an innocuous sight in many workplaces, leading to a normalization of this security lapse. When employees empty these containers, they frequently leave them unlocked, thinking that an empty bin poses no risk.
Furthermore, the day-to-day hustle and bustle of a busy office environment can foster an attitude of nonchalance among staff. Many employees operate under the belief that "it's not my job" or assume that someone else will lock it up, leading to collective negligence.
This casual approach to burn bin security is concerning. Even if the bin is momentarily empty, leaving it unsecured can set a precedent for lax security practices, making it easier for potential breaches to occur when the bin is full. For organizations to truly safeguard their sensitive information, it's essential that every link in the chain, including employee attentiveness to seemingly mundane tasks like locking a burn bin, remains strong and unbroken.
Employee Indifference and Its Consequences … Quick Story
This exact burn bin was located inside an organization, and you will notice from the image that it is currently open and clearly unlocked. Due to the cheap lock used to secure it, I was able to open the lock quickly with employees working around me, took confidential documents and left the container open while I moved around the office floor for around 30 minutes before returning and locking it again. At no point did a single employee notice me unlocking the container, taking documents, or even that it was left open.
I personally witnessed one employee even drop new documents inside the bin while it was open and walk away.
Employee indifference is real, and it has real consequences.
Other Vulnerable Points for Physical Penetration Testers
Safes: While they are designed to protect, safes can also be a vulnerability if not correctly used or if they are outdated. A physical pen-tester should look for:
Outdated Models: Older safes might be susceptible to specific breaking techniques.
Location: Safes placed in isolated areas can give thieves ample time to work undisturbed.
Key/Combination Storage: If the keys or combinations are stored nearby or with weak protection, they become an obvious target.
Mechanical Backups: Very often small electronic office safes that may cost hundreds of dollars will have a very cheap mechanical lock for emergencies, which can be opened in seconds by a skilled picker.
Key Boxes: These are common in larger establishments to manage a multitude of keys.
Visibility: Key boxes placed in visible areas might attract attention.
Access Control: Lack of electronic monitoring or logging can be an issue. Physical pen-testers should check if every key access is logged or if there's an easy override mechanism.
Cheap Quality: Often the keys to vital things like servers, document storage, etc., will be protected by a $15 Amazon key box.
Desks and Drawers: Employees often leave sensitive documents in their desks or drawers, thinking they are secure. Physical pen-testers should check:
Lock Quality: Cheap or old locks can be easily picked.
Habits: Documents left atop desks after working hours, even if not sensitive, can indicate lax security habits.
Strengthening Physical Security
Awareness and Training: Employees should be regularly trained on the significance of document security.
Frequent Document Destruction: Instead of waiting for burn bins to fill up, schedule regular destruction intervals.
Audit and Surveillance: Employ cameras and regular checks to ensure security protocols are followed.
Upgrade Equipment: Regularly assess and upgrade safes, locks, and bins to ensure they meet current security standards.
Access Control: Introduce electronic access controls and logging mechanisms, especially for key boxes and high-security areas.
In conclusion, as digital security continues to dominate organizational agendas, it's crucial not to forget the tangible vulnerabilities that lie within physical documents and keys. Physical penetration testers play a vital role in identifying these vulnerabilities, ensuring that organizations can take holistic security measures.
Training Resources:
For individuals looking for hands-on training that covers all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypass techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.