Security of Shredding Services

When I started dealing with serious information security we created a lot of paper. This wasn’t regular information printed on paper but very sensitive information that could be very damaging if it ever found its way out of the building. If this paper was ever deemed to be trash, it wasn’t thrown into a trash can, rather it was put into a burn bag. Once full, or after a specific period of time, this bag would be secured at the top, serialized, recorded, and then shredded and burned on site. It is highly unlikely that any information would be easily recoverable with that method of destruction (and even keeping the ash!).

Having learned this way of handling my trash, imagine my surprise that at my next job people were supposed to put their sensitive papers in a box which would be opened by a civilian contractor who would come around every so often with a big trash can and then wheel it out to his big truck where, supposedly, the papers were shredded on-site. There were, and are, so many problems with this plan I actually complained to the security officer at the command. He didn’t seem concerned. We weren’t handling top secret (or even secret) information, who would want anything we had, it was good enough, blah blah blah. Of course he did take notice a few weeks later when I gave him a call to let him know that the locked containers were so full that I could actually reach in and pull papers out and people were just stacking papers, that were otherwise too sensitive to be thrown in the trash, in big piles on top of the containers. It didn’t change the culture nor the practice of handling this information but at least some additional training was had in the following days. (Needless to say, I was not impressed.)

So all of this happened many, many years ago; why talk about it now? Each of us generates, receives, and sends information everyday that we end up just throwing away. Maybe we think that no one will see it once it hits the round receptacle. Those that do have a security mindset will realize that once their trash leaves their house they are no longer in control of it and that perhaps destroying it would be better.

Some cities and counties have started providing "shred trucks" as part of a service to their community to help them get rid of sensitive documents on a regular basis. This might be better than just throwing it away, but is it a Trojan horse?

Shred it?

First, lets discuss shredding. Paper shredders used to be all the rage a couple of decades ago. They were advertised on TV and were front and center in stores as a quick impulse buy item. But are they any good? The National Security Agency (NSA) has a list (as of 2015-05-18) of "High Security Crosscut Paper Shredders" that will no doubt educate you as to the options available as well as asking how you might afford such a device. Of course shredding is time consuming (unless you have a really big shredder and can just dump things into them).

Shredding may also not be very secure. The use of computers has made it almost trivial to put shredded documents back together. In 2011, DARPA hosted a challenge whereby teams were given five hand-written documents that were shredded into more than 10,000 pieces with a goal of extracting useful information from the pieces before an end date. Several teams completed the challenge.

What about that shred truck?

(I can’t find this now but it’s buried in a book somewhere around here.) There was an attack where a paper shredder in an office was modified so that when a paper was put in to be shredded, a picture was made of the document just before it was cut up. That was decades ago, fast forward to today and you have a large, opaque truck sitting outside making lots of noise and everyone just assumes there’s a big shredder inside whirring away making dust out of all your bank statements, personal files, and letters. Why do you trust that? What’s inside that thing? Basically you are going to hand over what you’ve already identified as important information to a stranger with a big truck with hopes that they are trustworthy. Heck, you’re doing all the work for them, sorting out all the garbage, and handing over all the good stuff! I’m sure they appreciate it.

So what should you do?

What you should do depends a lot on what kind of information you are trying to dispose of. Long, single cut shredders aren’t good enough. Some crosscut shredders aren’t either. Educate yourself and determine what it’s worth to you to have the information end up in the wrong hands.

You can also burn paper, just make sure it actually gets burned to ash. This may not be feasible for everyone.

Another thing is to stop producing the paper in the first place. If there isn’t a good reason to put unencrypted, sensitive information on paper then just don’t do it. (I’ll say the same thing about other modes of conveying information. If you aren’t going to encrypt it before it leaves your hands (or your computer) then just don’t do it. Hard drives, email, data in databases…​ you just don’t know when those types of things are going to get leaked.)

Reducing the amount of paper you need to get rid of will always lessen the problem of destruction. Just remember that trusting others to do what you should have done in the first place is never good security.