Hack the server room! No tech required

Secret codes and heavy locks on the server room door are no contest when the contractors simply don't do their job

As we are all painfully aware, IT security comes in many forms, from technical details to physical barriers. But a word of advice: Double-check all your new security measures. Then step back and think through anything that could be related to the changes you put in place. Finally, check to make sure those, too, are secured adequately.

I worked at one company some years ago where I was given an office near a server room. Not long before then, the IT execs had asked for measures to be taken to better secure the servers.

The concern arose because this server stored data for a billion-dollar operation that contained sensitive information we were required to preserve. They wanted to tightly control access to the room.

Security first

The IT execs had filled out a form request with plant services to remove the key lock and install a number-combination lock. Only a select few IT staff would know the combination to open the door.

The plant services department did exactly as told: They pulled out the key-operated lock and installed a new number keypad lock. However, as we soon came to find out, no one looked closely at the finished work.

About six months after the new lock was installed, the A/C failed in the server room. Because my office was close by, I heard the alarm and called my boss to report what was going on. Not long afterward, the services personnel showed up and tried to get into the room, but they had not been given the code or any other way to open the door. I hadn’t, either.

We called my boss and other employees who we knew had the code, but none of them answered their office phones (this was in the days before cellphones were common). The alarms kept clanging and time kept passing, and we had to do something.

Mistakes become opportunities

I looked closely at the door and a few details popped out. They raised red flags about the general security of the room, but gave me ideas on how to take care of the immediate problem.

First, the hinge pins were exposed. One of our options was to drive the hinge pins up and out and remove the door.

Second, and quicker and easier for our purposes, the technicians who installed the lock had done exactly as requested and apparently didn’t think the situation through. They had removed the lock cylinder and installed the keypad, but had not changed out the lock bolt—the keypad was attached to a little lever arm that went down to pull back the original lock bolt. Also, they hadn’t bothered to adequately patch or cover the exposed area left behind: You could still pull back the lock bolt by poking a coat-hanger wire into where the lock cylinder used to be.

The A/C got fixed and I alerted my superiors to what we’d discovered. Needless to say, it didn’t take long for the IT execs to implement further changes to the server room door—under their personal supervision.