In my previous post, I described a data center failure that I discovered as the newly hired security manager of a prominent company.
In this post, I describe my next adventure.
NOTE: Some of the details below were changed a bit to protect the guilty. I tweaked their noses enough. :)
As I mentioned previously, this company’s data center had an outer “secured” area and an inner “secured” area (the data center proper).
The outer data center area was behind a locked door (and several smaller, unlocked doors). It was an area where the big printers resided, including the check printer.
All of the data center staff’s cubes were in this area: server admins, network jocks, a firewall guy, and all their managers.
The data center manager was not happy that I entered the outer area through the mainframe report doors. No one had ever done that before, he said.
He also said there was little risk in anyone entering via that method, as no one would be able to enter the data center proper.
Being the feisty guy I am, I took that as a challenge, but I kept it to myself.
Some time later, I still had not be granted any data center access, and the company had not fixed the little mainframe report doors. So I used them again to enter the outer area. Soon, I was standing outside the inner data center door.
It was lunchtime, and no one was around.
The data center door was locked, and the hinges were not mounted so that the pins were accessible (one company I worked for actually had a data center like that, seriously).
I looked at the ceiling. Like most office buildings I’ve worked in, the ceiling consisted of drop panels. So I dropped a couple of panels next to the inner data center’s walls (a ladder was conveniently leaning against a wall in the back, where some light bulbs had been changed recently).
Climbing the ladder, I noticed the walls only went so high, and the ladder easily allowed me to climb over the walls into the actual data center. So I decided to drop in.
Fortunately, no one was inside the inner area either. I was alone. In the data center. Proper.
The first thing I noticed was that a couple of Windows servers were logged in, ready to go.
And the tape system was also online and ready for action (this was not single server tape backup device, but a large, automated tape library system that had a robot arm to locate and load tapes). No login had ever been configured for it.
I looked at my watch. It was time to introduce some insecurity.
So I left a little note on the whiteboard inside the data center, and included the date and the time. The note said:
Mack was here!
Continued in Data Center Failure: Conclusion