It is bad enough that a thousand hijacked computers can attack a network and take a business offline, but a security professional proved a single person can do the job.
That’s the message that a dozen security professionals learnt as they gathered in a dim, cloistered room above the bustle of the AusCert 2010 vendor floor to pick locks under the guidance of Deviant Ollum, a man whose name fits his profession.
Ollum is a security penetration tester for the CORE Group who plies the trade of break and entry, and lock-picking, yet stays on the right side of the law.
Amid the muted rapping as lock pins resisted, and failed, Ollum recounted how he had found himself in front of the power source for a business’s data centre.
“I could have cut power and taken the place offline. Now there’s a (Denial of Service) attack,” Ollum said.
Facing a lobby filled with security guards, the mild-mannered Ollum took his picks to the carpark and trounced the lock within the lift, which enabled the service elevator functions — and gave him clandestine access past the guards to the power room.
Ollum typically uses social engineering, rather than picks, to bypass complex front-door locks. A little schmoozing or a confident manner is enough to get you through the door, he said.
Sometimes gaining entry is even easier. Ollum retold how he strolled out of a hospital after doing a job with a backpack full of morphine, obtained from medical cabinets guarded only by rudimentary wafer locks. He admits, though, to being edgy and overly suspicious that at least someone must have seen him.
The former computer penetration tester then recounted breaking into an office after-hours and picking drawer locks to retrieve hand-written usernames and passwords, which he then used to access data on the corporate network.
“I tell IT folk, if you get [computer security] right, it can be undermined by someone physically breaking in,” Ollum said.
“You should have at least one person at your facility who understands this concept — you have someone who runs scans against servers, and tests Web apps for code injections, but if no one is testing the doors, then something is lacking in your security posture.”
Like IT penetration testers, Ollum and his counterparts have busted countless locks, and the hearts of vendors. Throughout his two-hour, closed-door workshop, he clicks through slides of dozens of seemingly brilliant locks, and how they were routed, often by a lone locksmith and a 20g steel pick.
In one instance, described as “a security fable”, he shows how the American 700 padlock was circumvented with a single tool that bypassed the complex core to pick the control cylinder, and open the lock.
The company “amazingly” released a “patch” in the form of a thin metal wafer that prevented access to the cylinder. Soon after, the same locksmith used a “brute force attack” in the form of a sharp stick that punched a hole in the metal to regain access to the cylinder.
“Are these companies bad or are they just responding to the marketplace? The marketplace is always driven in the direction of weakness, because the people who need to know don’t learn enough,” Ollum said.
“Unless consumers know [about the vulnerabilities of locks] how will they? How often do we talk about this?”
Price is a general guide to the quality of locks, Ollum said, but consumers often assume that all locks are secure.
“The $150 lock always sits and gathers dust,” he said.