Finding The Hidden InfoSec Story


"Rapunzel, Let Down Your Hair" by Anne Anderson. And the witch climbed up...

Social Engineering, biometrics and human error are at the heart of the story of Rapunzel, along with proof that if somebody wants something badly enough they will find a way to get to it, regardless of the measures in place to protect it.

In the story from the brothers Grimm, Rapunzel’s imprisonment in the tower of the Enchantress named Gothel initially occurs because her father is caught in the act of stealing some rapunzel (a type of salad leaf) in order to satisfy the cravings of his (likely pregnant) wife. Catching him in the act, Gothel makes him promise to hand over the as yet unborn child as punishment for the theft.

As the imprisoned Rapunzel grows up, her hair becomes the only access route into and out of the tower, as Gothel makes a fairly decent attempt at protecting her asset, incorporating an early example of biometric security.

Whilst Gothel’s methods and motivations are questionable, and her personality flawed, what she was trying to do was to keep something safe and private. She had considerable resources at her disposal to do this and was not, by all accounts, someone to mess with.

Despite this, in the end it takes very little persuasion for the prince to convince Rapunzel to let down her hair and allow him access to herself and the tower. After some rudimentary surveillance, he mimics Gothel and Rapunzel lets down her hair, swiftly resulting in the prince gaining access to the tower, convincing Rapunzel to marry him, and getting her pregnant almost immediately, the blighter!

Gaining access through familiarity and routine is one of the most frequently used social engineering ploys. No physical security system is safe if those who have access to it can be fooled, persuaded, blackmailed or coerced into opening the doors because someone they trust asks them to do so. In the end, all the biometrics, locks, keys and codes will not protect you if your staff have the ability to choose to let someone in.

When the Enchantress discovers the “breach”, she is so incensed that she chops off Rapunzel’s hair and throws her into the wilderness. She then uses the hair to fool the prince into the tower, where he falls/is pushed back out, blinding him and dooming him to also wander the wilderness, where he is eventually reunited with Rapunzel and their now toddler twins (as if he hadn’t suffered enough!).

The prince is easily fooled because that ponytail gives him a false sense of security. It’s a very good security measure, in this case a biometric measure to boot, and he, like employees in many large organisations, had become accustomed to relying on its protection. Additionally, he is presented with a familiar situation and sees no reason to question it: it must be Rapunzel because only Rapunzel has the key (in this case her hair). The situation had become part of his routine, normalised, and in this lies the vulnerability: his guard was down and he “knew” the security measures had him covered.

Gothel makes the same mistakes, and whilst using her considerable means and intellect to safeguard her asset she forgets to address the human element of the story. She cannot, in the end, prevent Rapunzel from having human desires, fears and emotions, and when opportunity meets circumstance, the measures she has put in place fail, miserably and completely, leaving her with a nice tower and an awesome set of hair extensions, but emphatically NOT in possession of her asset.

Rapunzel is a classic case of human error rendering the tech useless, in the end. The story teaches us that if someone wants something badly enough, they will find a way to get to it. Resources, reputation and risk, three powerful potential deterrents, will not necessarily protect an organisation from a determined attacker, especially one whose motivation is more complex than just financial gain. Rapunzel is an old story, but its message is as true today in our technologically advanced world as it was when a tower was the best security money could buy. If you can’t hack the tech, hack the people: asset compromised, security breached.

Finally, the story of Rapunzel teaches us that a lack of focus on the human element is as dangerous as putting no security measures in place at all, because fooling the right person once is all it takes to instigate the most serious of breaches… and towers will tumble.

Author: Jenny Radcliffe