January 4, 2016: Point of least resistance

In IT there is a lot of talk about having the latest and greatest gizmo on the market to protect your stuff. As an administrator who's seen his fair share of "features" and appliances that are suppose to be bullet proof, I've decided to share a memory I have which demonstrates even the most elaborate systems can be broken if they aren't implemented correctly.

In a former life before all the IT stuff I built some experience in what is known today as physical pentesting (locks, doors, etc). One day a friend contacted me about a safe he had found hidden in a false air vent at his house. Apparently it had been left behind by the previous owner and nobody knew the combination, so he wanted me to break inside it. Having never cracked a safe before, I did what the "pros" do on the movies: turn the dial slowly and listen for a magic click. In reality, that's a bunch of crap...at least for me. When I got some time I ended up doing some real research on the safe. Turns out it was designed to be a floor safe sunk into the foundation of a house and was really only strong at the top where the door and dial were located. So the rest of the safe was about 1/2 inch steel all the way around...nothing a decent powerdrill couldn't punch through.

Drilling was fine with me, as it wouldn't generate a lot of heat in case something inside desided to burn/blowup, so I started drilling holes in the back plate in a pattern big enough to fit my hand through. Afer several hours and a couple of drill bits, I was able to punch out the rough circle with a sledgehammer, all without damaging the contents inside. Now all I needed to do was make a gap through the contents, unscrew the protective plate covering the locking machanism, then roll the gates into place so the door could be opened. Easy. I turned over the contents to my friend so they could be returned to the rightful owner.

I've carried that experience through to much of my work in IT. Remember that even the hardest systems have weaknesses, especially when they are poorly configured to begin with. Also, never underestimate the power of a bruteforce attack. Drills and hammers are no respector of complexity or expense, neither are the folks breaking into your network.