[AusNOG] RISK - IT Industry - Concern Over Equipment Being Installed in Data Centre Facilities - Further Replies

chrismacko80 chrismacko80 at gmail.com
Mon Sep 26 23:33:16 EST 2016


Still seem to be getting some emails being blocked via gmail, so have
initiated a separate thread in reply to all that have been received
to date;

Thomas Jackson - Thanks for your reply. I find it somewhat odd that we
have bulletproof glass considered at the front entry foyer yet no
process for checking for such harmful substances being wheeled in.
Which poses a more significant threat and likelihood - a data centre
isn't somewhere that you hold up as it doesn't contain any cash in
most cases!

Sam Silvester - Really thanking you for your level head over these
concerns. My own concerns were raised over the issue after reading the
recently unsuppressed 28 pages of the 2002 Report of the US
Congressional Joint Inquiry into Intelligence Community Activities
Before and After the Terrorist Attacks of September 11, 2001, a section
of the document which had been suppressed for approximately 15 years,
with ongoing lobbying by US congressmen and public support recently
forcing the government to make this information public.

From the looks of things, our leaders, the UK leaders and the US
leaders may have been misled and in turn may have misled us as
citizens over the reasons why they wanted to go to war in
Iraq/Afghanistan, and if these pages had been released it may have
prevented them from going ahead with certain plans. I certainly understand
some in the UK are now questioning whether their country's
involvement in the gulf war was actually lawful. It'll be interesting
to see what happens there.

It is quite disturbing that our media and government leaders have not
revealed this important information to us; I certainly haven't seen
anything about the recently released 28 pages anywhere in mainstream
media. If you haven't read it for yourself, feel free to contact the
Citizens Electoral Council (http://www.cecaust.com.au), which is an
investigative company based in Melbourne, to obtain a copy (they charge
$10 for the booklet including their research as well as the 28 pages,
which have been partially censored). I found it disturbing just how
much funding was put into the planning and the actions of certain
countries' groups to inflict damage on another. I'm quoting from the
CEC Booklet entitled "To Stop a Near-term Terror Attack, Read the '28
Pages'!";

START QUOTE

The name of Prince Bandar bin Sultan appears repeatedly throughout the
28 pages. A leading Saudi royal, he was the Saudi ambassador to
Washington at the time of 9/11, whose close friendship with President
George W. Bush and his family had earned him the nickname 'Bandar
Bush'. The 28 pages refer repeatedly to Bandar's direct involvement
with funds transfers to U.S.-based Saudi intelligence agents Omar
al-Bayoumi and Osama Bassnan, who were providing direct aid to some of
the future hijackers. Not mentioned in the chapter, however, is that
the UK government oversaw regular payments into the same Washington DC
Riggs Bank account from which Bandar and his wife financed the 9/11
hijackers. This is the deeper scandal of the 28 pages, and the
principal reason for the cover-up. The payments, which were made from
a confidential account at the Bank of England administered by the UK
Ministry of Defence, were corrupt kickbacks to Prince Bandar from the
proceeds of the al-Yamamah oil-for-arms deal, the UK's biggest-ever
arms contract, which Bandar had negotiated with then British Prime
Minister Margaret Thatcher in 1985 (footnote 2). Under the deal,
British Defence contractor BAE Systems supplied fighter jets and
infrastructure to the Saudi Air Force in exchange for 600,000 barrels
of oil per day (one full oil tanker) for every day of the life of the
contract, which as of 2005 had netted BAE Systems £43 billion. (BAE
also has a big presence in Australia's defence industry, especially in
South Australia.) Beyond that declared profit, al-Yamamah generated a
secret US$100 billion-plus off-the-books slush fund, which was used to
finance coups d'etat, assassinations, and terrorism, including the
creation of al-Qaeda in Afghanistan, as Prince Bandar's friend and
biographer William Simpson recorded (Article, p. 19)."

Footnote 2 - David Leigh and Rob Evans, "BAE accused of secretly
paying £1bn to Saudi prince", The Guardian, 7 June 2007, reported:
"According to legal sources familiar with the records, BAE Systems
made cash transfers to Prince Bandar every three months for 10 years
or more. BAE drew the money from a confidential account held at the
Bank of England that had been set up to facilitate the al-Yamamah
deal. ... Both BAE and the government's arms sales department, the
Defence Export Services Organisation (DESO), allegedly had drawing
rights on the funds, which were held in a special Ministry of Defence
account run by the government banker, the paymaster general. Those
close to DESO say regular payments were drawn down by BAE and
despatched to Prince Bandar's account at Riggs Bank in Washington DC."

END QUOTE

This is relevant, and not politically motivated, as the following is
VERY important;

I'd believe the Syrian Electronic Army (hacker group) are very well
equipped and very technologically advanced, from seeing some advanced
technology embedded within Javascript as part of phishing attempts
that were emailed to me in the past. I couldn't figure out how they
managed to encode the data so that it could not be reverse decoded.
Although it was late at night, and I didn't really spend too much time
analyzing it further, it was interesting to say the least. From
Wikipedia; The Syrian Electronic Army (SEA) is a group of computer
hackers which first surfaced online in 2011 to support the government
of Syrian President Bashar al-Assad. Using spamming, website
defacement, malware, phishing, and denial-of-service attacks, it has
targeted political opposition groups, western news organizations,
human rights groups and websites that are seemingly neutral to the
Syrian conflict. It has also hacked government websites in the Middle
East and Europe, as well as US defense contractors. As of 2011 the SEA
has been "the first Arab country to have a public Internet Army hosted
on its national networks to openly launch cyber attacks on its
enemies". https://en.wikipedia.org/wiki/Syrian_Electronic_Army

I'm concerned for our industry as a whole, given that we don't have
sufficient physical security in place from the looks of things, and
given the extent to which other countries want to disrupt our freedoms
and ways of life. Can anyone suggest an appropriate provider that may
be able to offer a cost effective solution for scanning devices as we
take possession of them at the data centre? Are there any data centres
that are actually protected against this risk in Australia?

Karl - thanks for your comments, and support. Is there any government
run initiative that is tasked to assess major risks such as
backdoors/insecure firmwares of severe threat? Does AusCERT do any
scanning of exposed devices - i.e. the recently revealed Fortinet bug
that openly allowed administrative access to Fortinet devices with a
hidden administrative user? See
http://arstechnica.com/security/2016/01/secret-ssh-backdoor-in-fortinet-hardware-found-in-more-products/.
Does CSIRO have any mandate to protect industry from electronic risks by
scanning the used IP space in Australia for severe vulnerabilities? I
understand they say "CSIRO - Using science and research to solve
issues and make a difference to industry, people and the planet." I
don't know; with a statement like that, I think they should be???

Mark Delany - Thanks

McDonald Richards - Thanks

Bob Wooley - Thanks, that's a lot of ones!!!

Jim Woodward - Thanks

Chad - Thanks, however the issue is that once you are a client,
there's no physical check of whether or not your server has potentially
damaging equipment.

Paul Wilkins - Wouldn't rogue asteroids be more likely than a space
station? I hear there's mega-gazillions of asteroids!

Alan Maher - Thanks for the positive feedback. Planes are included in the
TIA-942 specification as well as the Uptime Institute specification;
however, damaging substances are not. I'm not aware of any data centre
that goes to this level of considering and satisfying risk for their
clients. This is a major concern, as clients aren't aware of this
either. Should they be?

Mark Andrew - We're really getting off topic now. Thanks for your reply though.

Mark Newton - Hope you're talking about the offshoot thread and not
the main thread.

Surely there are network admins on this list from the ASX - why has no
one responded on whether or not our financial markets are also exposed?
Strange.

Thanks for all your comments, in particular the private emails that
were sent/received.

Chris.
