Channel: linuxadmin: Expanding Linux SysAdmin knowledge

Questionable Physical Access at the Datacenter


An organisation I work for had an Internet outage on Wednesday. I ended up at the datacentre last night looking for clues and trying to fix things. It's a shared datacentre with many other organisations having gear there in cages and sealed racks. A big name in my city and country, they have many datacentres around. We have a cage there and a rack. While troubleshooting, I travelled between both locations and at one stage, I accidentally walked up to the wrong rack - there are many rows of them, all identical looking, so it was a simple mistake; also, they are not marked clearly and it was late etc. I put in the key and opened it and saw immediately that the gear there was clearly not ours. I did not touch anything, but made a note that we had hardware that was clearly not accounted for. I looked around and immediately realised that it was the wrong rack.

My security key opened another client's rack.

I have physical access to another enterprise's physical hardware!

I sent an email to the account manager of the datacentre to inform him. No response. Their technician arrived later today to help me troubleshoot and I showed him first hand that the key I have opens another rack. He seemed amazed, made a comment that it was concerning, but seemed unconcerned. I rang the account manager later to follow up the email and tell him there was a major question around physical security and initially I was concerned another person's key might allow them into our physical gear. He seemed pretty unfazed and informed me that it was not something he dealt with and he'd look into it in the morning.

Tonight, it only dawned on me that there is out there a sysadmin that is unaware that a stranger has access to their physical gear; a couple of blade servers, a few disk shelves and a pair of Sophos firewalls.

It seems possible that if their firewalls are there, then I likely have access to their local network, too...?

What to do? Am I overreacting by insisting somebody call me before 9am to explain? Should I inform that third party?

submitted by /u/Orlright
