Wednesday, January 9, 2008

phy sec... or not...

while on a job where i was shadowing a soon to be ex-employee for this client, i had the chance to visit a local ISP CoLo facility... this is not a mom n pop ISP... it is a brand name you would recognize...

this experience has reminded me of the importance of visiting any co location / remote data-center type place that i might be responsible for...

background: this is a new CoLo for the company i'm working for. we haven't got our access badges yet, and as of yet we have no equipment in the facility.

so we roll up there and ring the bell outside the facility. a guy comes on the com, and we're like:

"hey, we need access to the data center, but we don't have our keys yet. we're supposed to talk to alice or bob about that" (not real names; also not people we've ever met).

"umm, yea, hold on a sec, i'll see if i can find someone to let you in"

(waiting)
(cold outside and more waiting)

"hey, are we gonna have to wait outside much longer? it's kinda freezing"

"umm, i can't find alice or bob. can you come down to the other entrance? we'll have someone let you in"

so we proceed down to the other entrance, and an older engineer (assumption) w/ a pot belly and a wicked gray ponytail is outside waiting for us. he says:

"you guys need access to the data center?"

"yep"

"you guys supposed to be in there?"

"yep"

"alright, follow me"

"you can trust us," i add

so we get walked into the building. we end up wandering around (unattended) a cubicle farm looking for the person we're supposed to be talking to. well, bob isn't around, so we stop by and talk to charlie. he is the head of infosec for this company. he is quite helpful, and goes to bob's office and starts digging around for keys we can use.

oh yea, here is the whiteboard outside of charlie's office:
since he can't find any, he just lets us into the dc, where we proceed to load up network gear and servers.

so, we get all of our stuff hooked up, and they eventually find bob, who comes and gives us our keys.

they didn't ask our names. they didn't check our ids. they didn't make any phone calls. and they gave us access to their client (unescorted for over an hour) and private (escorted) data centers. anyway, it was kinda fun, considering that was completely not the job i was there to do. but now i know, if i've got to do a physical pen for this ISP, all i need is the name of a client and to know the name of someone who works there...

here's some pics... not too great, my camera phone kinda sucks...
...
(snip)after thinking about this bit a tad more, i've decided to pull it(/snip)
...
and one last note on this big sec pic post... this pic is craptastic, but it is a sec camera... i talked to the contractor who put it up... the little black bit in the center is the camera, and all that white stuff around the outside are infrared LEDs. the device is approx 6-8 inches in diameter... anyway, i was asking the tech how much light that thing threw, since most of the ones i encounter have like 8 or 12 lights... he points down the alley and across the street and says:

"you see that van?" (over 100 yards away)

"yea..."

"well at night you could read the writing on the side of it"

wowza...

2 comments:

Jens "jdm" Meyer said...

So... if you went up to this ISP with a client's name and knew the names of some internal people, you could get in. They'd have a pretty good vid of you though.

Physical security is always something to consider. I'm a little surprised they didn't make you leave your phone outside the data center. Should've stolen that fiber, haha. Good story. "You can trust us." lol.

rwnin said...

actually, that camera was at a client site, not the data center. there were a few old old old cameras at the DC, but they didn't even look hooked up, and the ones i saw were in the cubicle areas. i didn't see any in the DC itself.