<div dir="ltr">Hey Chris,<div><br></div><div>This is something I've done several presentations on (behind closed doors) at a few events in the past. We don't normally talk about it too openly, so as not to give ideas to people. I've even done a couple of pentest/tiger teams on DCs over the years, mostly in Asia, where we've used this technique to achieve an end result.</div><div><br></div><div>But... I don't think we should theorise in an open forum, giving anyone ideas on how you could abuse this situation.</div><div><br></div><div>I'd even scrub the archives of this if possible.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:12.8000001907349px"><div style="font-size:12.8000001907349px"><br>...Skeeve</div><div style="font-size:12.8000001907349px"><br></div><div style="font-size:12.8000001907349px"><div><b style="font-size:13px;font-family:Calibri">Skeeve Stevens - Founder & The Architect</b><span style="font-family:Calibri;font-size:13px"> - eintellego Networks Pty Ltd</span></div><div><span style="font-size:13px;font-family:Calibri">Email: </span><a href="mailto:skeeve@eintellegonetworks.com" style="font-family:Calibri;font-size:13px" target="_blank">skeeve@eintellegonetworks.com</a><span style="font-family:Calibri;font-size:13px"> ; Web: </span><a href="http://eintellegonetworks.com/" style="font-family:Calibri;font-size:13px" target="_blank">eintellegonetworks.com</a></div><div><p style="color:rgb(0,0,0);font-family:Calibri;font-size:13px;margin:0px">Cell +61 (0)414 753 383 ; Skype: skeeve ; LinkedIn: <a href="http://linkedin.com/in/skeeve" target="_blank">/in/skeeve</a> ; Expert360: <a href="https://expert360.com/profile/d54a9" target="_blank">Profile</a> ; Keybase: <a href="https://keybase.io/skeeve" target="_blank">https://keybase.io/skeeve</a></p></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Sun, Sep 25, 2016 at 8:48 PM, chrismacko80 <span dir="ltr"><<a href="mailto:chrismacko80@gmail.com" target="_blank">chrismacko80@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear Industry Colleagues,<br>
<br>
In the last week, in reflection of previous data centre tours I have<br>
undertaken across the country and the risks that face us all within<br>
the IT industry, a concern came to mind in our physical security layer<br>
in relation to data centre facilities. It is my understanding that<br>
currently in Australia (and in other countries, as per discussions<br>
with colleagues), colocated computer equipment provided by customers<br>
is neither inspected nor scanned for any potentially damaging substances<br>
before being installed within data centres by the organisations providing<br>
these services. At times, single servers may be extremely bulky, and<br>
there may also be occasions when customers provide multiple fully<br>
equipped racks that are positioned within the data centre without any<br>
closer inspection apart from basic identification checks, as per my<br>
understanding of information provided by some of our largest data<br>
centres. Considering this, I feel it's a risk that we don't scan<br>
equipment as it is being delivered/installed, similar to airports, in<br>
particular when it has been delivered locally.<br>
<br>
It's my understanding that as an industry we spend billions each year<br>
securing the data security layer within data centres; however, it<br>
appears that even the strictest data centre audits (including those by<br>
government risk assessors) have not scrutinised this risk to any<br>
degree. I'm not aware whether the Attorney General's department or our<br>
federal or state governments perform any such checks when equipment is<br>
being installed into their own data centre facilities. I also don't<br>
believe I have ever seen any such risk considered under any data centre<br>
rating specification. As a point, what good is bullet-proof glass<br>
within the foyer of a data centre and a specific outline of the<br>
construction of a goods lift, when there is a greater threat of<br>
potentially damaging substances being wheeled into a data centre<br>
within equipment without scrutiny?<br>
<br>
I would also ask the question whether our financial market is exposed<br>
in any way to this risk, and whether the Australian Stock Exchange<br>
sufficiently scans computer equipment delivered for installation into<br>
its data centre facilities, in particular by third party customers. I<br>
don't know the answer. I hope they do; if not, the question really<br>
needs to be asked: why not?<br>
<br>
Quoting from the ASX document<br>
(<a href="http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf" rel="noreferrer" target="_blank">http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf</a>),<br>
which is currently available on their website:<br>
<br>
"The Australian Liquidity Centre (ALC) is a state-of-the-art data<br>
centre and financial markets community located just outside Sydney’s<br>
CBD. It enables ASX customers to connect with each other and the<br>
Australian and global financial markets like never before.<br>
<br>
Offering one central location for fast, simple connection to the<br>
financial markets community, the ALC provides low latency connectivity<br>
options to domestic and global liquidity sources, ASX market data and<br>
all ASX markets.<br>
<br>
The ALC is designed to maximise the potential of its community. It<br>
houses all of ASX’s primary trading, clearing and settlement systems<br>
as well as providing hosting facilities for its customers which<br>
include buy and sell-side firms, market infrastructure and liquidity<br>
venues, information and technology vendors, and infrastructure and<br>
network service providers."<br>
<br>
I've reached out to several colleagues within the industry, who also<br>
agree that the lack of scanning for potentially damaging substances is a<br>
serious concern. I'd ask that you consider your thoughts on this risk<br>
with regard to safeguarding our technology and the investments made by all<br>
involved, and what you believe should be done to address this risk<br>
moving forward.<br>
<br>
Kind regards,<br>
<br>
Chris Macko<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div><br></div>