The best cybersecurity system in the world isn’t worth a floppy disk if it can be defeated by a child’s birthday balloon.
And it probably can, according to Deviant Ollam, who’s plied his hacking skills for everyone from the FBI to the NSA. Ollam made a guest appearance for a roomful of University of Montana students in Sherri Davidoff’s Introduction to Cyber Security class on Thursday.
“Every building’s physical access is a data access,” said Ollam, who makes his living breaking into companies’ computers and the facilities that house them. “It’s fun to play an MP3 of the CEO talking to his wife or somebody and they say, ‘How’d you get through the PBX (phone security)? How’d you get into our network?’ I didn’t. I got through the door. One bad decision at Home Depot throws all that other stuff out the window.”
In rapid succession, Ollam demonstrated how to pick the key and combination locks found on most American doors and containers, using tools available commercially for a few dollars. To pop the lock most high school students have on their lockers, he fashioned a shim from a piece of an aluminum beer can in about 30 seconds.
Such tools are also legal in almost every state in the country. Most, including Montana, require suspicion of criminal activity before mere possession of a lock pick can become a chargeable crime.
That said, Ollam pointed out that UM has student policies forbidding stealing and unauthorized access to others’ belongings: “Bottom line, if you’re not supposed to be in there, you probably shouldn’t be picking your way in,” he warned.
And that was Ollam’s overriding point – not to encourage criminality, but to think differently about where the weak points of security exist. For example, thieves in Holland often ignore the heavy-duty U-locks securing people’s bikes to a signpost because they’ve already detached the screws holding the post to the ground. They simply remove the post, take the bike, and work on the lock at leisure while waiting for another victim to lock another bike there.
“The pin-tumbler design on most door locks hasn’t changed for over a century,” Ollam said. “The idea that you can game a lock with a piece of beer can – that’s not how people’s brains work. We love shattering that illusion.”
More complicated door systems often have embarrassing weaknesses. For instance, electronic key-card systems fall to a simple hook-and-pole device if the door is locked from the outside but openable from the inside. Motion-sensor locks can be defeated by a balloon slipped under the doorjamb and inflated with helium – disposable gas tanks are available at party stores for children’s birthday parties.
“This is the first time we’ve ever run this class,” Davidoff said. “The university has been great. They set up a cyber range — an isolated sandbox where the students can practice and learn about cybersecurity.”
After his prepared remarks, Ollam dumped piles of locks and picks on a table at the front of the class and invited students to give it their best shots. Quite a few popped the easy locks in seconds and moved on to tougher challenges.
“The hardest lock I ever picked was my bike lock, and I had to use a shim,” senior computer science student Alex Dunn said as he worked on a pin-and-tumbler key lock. “I’m interested in all forms of security.”