back to article Pentester says he broke into datacenter via hidden route running behind toilets

Many security breaches involve leaks, but not perhaps in the same way as one revealed by noted security consultant Andrew Tierney, who managed to gain unauthorized access to a datacenter via what he delightfully terms the "piss corridor." Tierney, who works as a consultant for security services outfit Pen Test Partners, …

  1. alain williams Silver badge

    Crappy security

    at this data center.

    1. Loyal Commenter Silver badge

      Re: Crappy security

      I'll bet they had a problem with leaks.

  2. Wellyboot Silver badge
    Coat

    Caught with their trousers down!

    I'm going..

    1. Doctor Syntax Silver badge

      Re: Caught with their trousers down!

      So did he.

      1. This post has been deleted by its author

  3. My-Handle

    This is just taking the piss.

    I'm expecting a long list of toilet based jokes to follow. Don't disappoint :)

    1. msknight

      Re: This is just taking the piss.

      The pen tester was flush with success after throwing this one in the bowl. Security really got the toilet brush-off and had to disinfect the situation once they had recovered from turning yellow with rage at the leak that had occurred.

    2. JamesTGrant Bronze badge
      Coat

      Re: This is just taking the piss.

      The police investigating say they’ve nothing to go on…

  4. Warm Braw

    Visible for all to see on public planning documents

    Did the penny drop when they saw the paper trail?

  5. Neil Barnes Silver badge
    Holmes

    Built a studio complex in the UN building

    And discovered we shared a wall with a bank.

    Well, we shared the first eight feet of the wall; right up to the false ceiling tiles. Above that was three feet of fresh air... they were a bit concerned when I pointed it out to them.

  6. Zebo-the-Fat

    Urine trouble now!

    1. Flywheel
      Thumb Up

      Comment of the day! W00t!

    2. Anonymous Coward
      Anonymous Coward

      That's just taking the piss!

      1. Scott 26
        Coat

        "IP Security"... yeah, I bet you do, mate.

  7. katrinab Silver badge
    Coat

    Hello, this is the Lock-Picking Lawyer

    and today I am going to break out of this piss corridor using a folded-up bit of toilet paper ...

  8. Richard Jones 1
    FAIL

    The Security Was Possibly Via a Screwdriver

    Often, those panels are only held by screws, though, in this case possibly nothing so secure, as he had bidirectional access. Possibly, only spring clips were used to ensure easy access in the event of an urgent service problem.

    1. TRT

      Re: The Security Was Possibly Via a Screwdriver

      One of those square section keys I expect. Not exactly secure!

      1. cybergibbons

        Re: The Security Was Possibly Via a Screwdriver

        Yep - it was just a square key! Very easy.

        1. The Oncoming Scorn Silver badge
          Coat

          Re: The Security Was Possibly Via a Screwdriver

          Robertson screw or should that be Roberturds screw.

          1. Martin-73 Silver badge

            Re: The Security Was Possibly Via a Screwdriver

            spoken like a true non canadian, when you have the correct driver, they\re beautiful. when you don't, they're EVIL.... but no i suspect the square drive Cybergibbons speaks of is more of the 1/4 inch variety

            1. Michael Wojcik Silver badge

              Re: The Security Was Possibly Via a Screwdriver

              Yeah, I'll take a Robertson or Torx any day over Phillips. And slot-head screws should only be used for decorative purposes. Years ago I had to assemble an outdoor shelter using slotted screws, and the number that were ruined by the driver camming out... ugh, it doesn't bear remembering.

              1. Martin-73 Silver badge

                Re: The Security Was Possibly Via a Screwdriver

                Yes, slotted screws are pretty much only for retro good looks, or electrical accessory plates (where i feel the combi head looks 'cheap').

        2. Martin-73 Silver badge

          Re: The Security Was Possibly Via a Screwdriver

          Ah, similar to the venerable BR key, still used to disassemble locomotives, and access all manner of interesting things on railtrack premises.

          Do NOT get caught by BTP with one, or they'll ask pointy questions. (sparky, i have one because the square section fits loft hatches and door locks where someone's removed the handle, it's on my set of fire brigade keys, not my everyday carry)

          1. technos

            Re: The Security Was Possibly Via a Screwdriver

            >Do NOT get caught by BTP with one, or they'll ask pointy questions

            When I was a consultant I kept a kit in my car for all those times the failing equipment was behind a locked door and no one on site could produce a key. Lock picks, security bits, various 'universal' keys, tools for disassembling security hinges, etc.

            Aaand then I got pulled over for speeding and the cop saw the bright orange Pelican with a tongue-in-cheek 'Burglary Tools' stenciled on it in my back seat.

            Whew, boy. Five minutes of explaining, twenty minutes of sitting while he made sure I had absolutely no warrants, another five minutes of re-explaining, and then he wanted me to run him through what I had in there because he was interested.

            Got out of the speeding ticket at least, but I painted over the stencil and renamed it the 'Lock-out Kit'.

            1. HashimFromSheffield

              Re: The Security Was Possibly Via a Screwdriver

              I'm curious - what kind of consultant? And would you recommend it as a career?

          2. Rob Daglish

            Re: The Security Was Possibly Via a Screwdriver

            Not sure why railway types get so shirty about people having these T keys, pretty much every coach driver I've ever met has at least one because they're used to lock all kinds of panels and lockers shut on coaches and buses... I think they sometimes forget it's a common solution to a common problem!

            1. Martin-73 Silver badge

              Re: The Security Was Possibly Via a Screwdriver

              It's more a case of 'they'd simply rather you didn't'... as with everything police related, it's what the cop feels like, how well he or she slept, and how shifty you look.

  9. ChrisC Silver badge

    "remember it is always about more than just IP access"

    IP or "I pee", sounds the same to me...

  10. Sgt_Oddball
    Coffee/keyboard

    Brown trouser moment...

    I can only imagine the strained look on the faces of the security team when this was explained to them.

    I will admit though that I've heard of security going down the crapper but never past the crapper and out the otherside..

  11. Flat Phillip
    Thumb Up

    I appreciated it at least

    "more than just IP access"

    Nice, reminds me of those fake names like I.P. Freely.

    1. FBee

      Also "Yellow River"

      by I. P. Daly

    2. TRT

      Re: I appreciated it at least

      The swan's escaped. From the castle.

      And who might you be?

      Mr Staker. Mr Peter Ian Staker. Yes. PI Staker.

      1. Anonymous Coward
        Anonymous Coward

        Re: I appreciated it at least

        I stumbled across an Alan Terego in an online thread the other day.

        Alan, aka 'Al'...

        Al Terego...

        A/C.

    3. Roger Greenwood

      Re: I appreciated it at least

      A friend in our village has the car registration P15 OYL

      Don't know how that got past the licence plate checkers, perhaps they don't know any Yorkshire slang....

  12. Mike 137 Silver badge

    False floors too

    I once worked in a 'secure' research centre where the actual work was done behind a key coded door. However, during maintenance we found out that the void beneath the false floors outside and inside was continuous and the space was about 60 cm high, the tiles could be lifted from above with a small lever (e.g. a screwdriver) and from below just by lifting them, so you could in principle crawl past the locked door from outside.

    1. My-Handle

      Re: False floors too

      I admit, I've never had to do work in an environment with false floors, but 60cm seems like a hell of a large space to me!

      I dread to think how many bodies you were hiding down there.

      1. Doctor Syntax Silver badge

        Re: False floors too

        "I dread to think how many bodies you were hiding down there."

        No room for them - too many cables. That's why the BOFH favours carpet, quicklime and a shallow grave in dense woodland.

        1. Anonymous Coward
          Anonymous Coward

          Re: False floors too

          and the smell would be hard to hide

        2. Anonymous Coward
          Anonymous Coward

          Re: False floors too

          We used to keep cases of wine and champagne in ours, kept them nicely cooled.

      2. Jellied Eel Silver badge

        Re: False floors too

        ...but 60cm seems like a hell of a large space to me!

        Only 60cm? I've worked in a few DCs with deeper floor voids, so easily deep enough to crawl through comfortably. The first was for a large mainframe site, and asked the facility manager why. Answer was because it used forced air underfloor cooling*. And being a big IBM (ok, Amdahl 5990-1400E) shop, the floor void needed enough space to accomodate massive channel cables that were probably 3cm in diameter, with brick-sized connectors, plus all the thick serial cables going to channel controllers, FEPs etc.

        So it allowed decent cable routing & management, without restricting airflow too much. Plus it made it easier for us to do the human ferret thing and crawl under the floor dragging cables. And despite being a secure DC with an even more secure room inside it, we could crawl into that room because the drywall only went as far as the floor tiles. That got fixed by adding sheetrock under the tiles.. Which we then improvised some cable routes with a couple of large screwdrivers. High security doors and mantrap entrances may impress manglement and clients, but won't defeat a determined attacker who can make their own entrance using a skillsaw or a large hammer.

        That was a fun introduction to big IT and DC design. I also learned that a lot of DCs since shared the same problem. Plus other incipient risks, like using non-plenum rated cables between fire zones, and the challenges of creating fire stops that could be easily managed if new cables needed to be run.

        *Naturally we abused the underfloor cooling and used it to keep a couple of slabs of beer cool under the floor of our comms room inside the DC.

        1. Anonymous Coward
          Anonymous Coward

          Re: False floors too

          a favored site from yesteryear had 24" raised floors with forced air... I miss the holy tile that I moved under my chair

          1. Ken Moorhouse Silver badge

            Re: 24" raised floors with forced air

            Hopefully the toilets are not upstream from the air source.

            ===

            I used to work at a place where the inflow fans were located behind our premises: in Drummond Street*, NW1. You could usually tell when the curry houses were getting ready to open.

            *Street name mentioned as the area is well-respected by curry lovers.

          2. A.P. Veening Silver badge

            Re: False floors too

            a favored site from yesteryear had 24" raised floors with forced air

            That is about 60 cm.

            1. JamesTGrant Bronze badge

              Re: False floors too

              About 2ft

              1. A.P. Veening Silver badge

                Re: False floors too

                About Exactly 2ft

                FTFY, 24" is 2' is 60.96 cm.

        2. Martin-73 Silver badge

          Re: False floors too

          Ah of course, for forced air cooling that makes sense, use the void as a supply plenum

        3. Pangasinan Philippines

          Re: False floors Ouch!

          "human ferret thing and crawl under the floor dragging cables"

          But watch out for plastic cable ties - especially the ones that are trim cut, but not quite flush.

      3. Anonymous Coward
        Anonymous Coward

        Re: False floors too

        Current working location, very large, very old building. Was on the 'third' floor with an FM team to work out where we could possibly run some cables (assuming the 'aboves' would even let us once they saw the plan; they didn't). The FM guy, popped up the floorboards in the corridor and I was expecting maybe a one- or two-foot drop to the ceiling of the floor below, and maybe some rafters and old conduit running around. Nope, it was about eight feet straight down to a solid concrete (?) layer you could walk around on. You could have lived down (up?) there.

        A/C b/c location.

        1. H in The Hague

          Re: False floors too

          "Current working location, very large, very old building."

          With a view of the Thames, by chance?

          1. Anonymous Coward
            Anonymous Coward

            Re: False floors too

            Quite possibly. Maybe. Couldn't say. What river?

      4. Martin-73 Silver badge

        Re: False floors too

        yeah, uni data centre... sorry. 'data processing unit''s false floor was 8" gap max, getting multiple 4 core 95mm2 armoured cables thru there was fun (apparently 80's heavy iron needed lots of power)

        1. Robert Carnegie Silver badge

          Re: False floors too

          And to break in you'd need the trained mongoose from that Sherlock Holmes story, I suppose. :-) (I'm slightly cheating there.)

          That's if you did mean 8 inches, and not, as someone else had as their under floor space, 8 feet.

      5. eionmac

        Re: False floors too

        My mum's house and all houses in that street were on wooden suspended floors with a 2 ft 6 inch (say 75cm) 'crawl space' below the floors, in which the ancient lead water pipes were run from street water cock to under sink and water store (large diameter day tank holding at least two day's supply in case of water problems) built in mid 1850s.

        Absolutely no problem in running modern electrics from room to room.

    2. Anonymous Coward
      Anonymous Coward

      Re: False floors too

      There was a Telco *unmanned* Data Centre which I had to visit often where the outer wall of the building was literally next to a public pavement (within 50cm or so) and the card-activated door opened outwards.

      On multiple occasions as I was about to use my access card I noticed that the door was already sitting about 2-3cm ajar. It seems that sometimes when the door closed (via typical "auto close" mechanism) sometimes it "bounced" and never actually closed. So the open door would be in full view of anyone walking (in one direction) along the pavement.

      There were allegedly sensors in place that should have detected any such "door open" events and triggered alarms at the off-site security monitoring station but either that was not the case or else security routinely ignored them.

      1. ITMA Silver badge

        Re: False floors too

        I have that in the flats where I live.

        The delay between the holding magnets de-energising (fail safe rather than fail secure) when the door release is pressed and the magnets re-energising can be a little too long at times.

        Result - the door can "bounce" off the door jam and the closer then doesn't close it back to within "grab" range of the magnets when they re-energise. Thus the door remains "unlocked".

      2. Anonymous Coward
        Anonymous Coward

        Re: False floors too

        I used to work for an access control company. Was at one site where they wanted the door ajar alarm set, which I did.

        Turns out that they had a painter working the same day and so kept leaving doors open.

        Was asked to turn alarm off, no idea if it was ever enabled again....

    3. Anonymous Coward
      Anonymous Coward

      Re: False floors too

      Server room in an ancient building had an unlocked (unlockable?) door which opened onto a vertical shaft with a rails-and-rungs metal ladder "fire escape" bolted to the brickwork.

      I discovered this shaft from opening a door in a disused storage room on 7th floor, went down the ladder (I'm a bit of compulsive explorer) as far as it went: a second-floor balcony, from which you'd have to jump to the ground in case of fire. Climbed back up to the 7th floor. Oops, that door autolocked. Down to 6th floor, tried the door, which also was locked. Down to the 5th floor, tried the door, and, bingo, hey, here's a server room!

      I slipped an anonymous, typed note into security's in-box, but never dared risk my job to return to see what they'd done about it.

  13. TRT

    I've heard of a including a backdoor for system access...

    But a back passage for cistern access???

    1. ITMA Silver badge

      Re: I've heard of a including a backdoor for system access...

      Quite common in installations with BTW (back to wall) toilets and the (concealed) cistern hidden behind the rear wall of the cubicle.

      You either need to have "maintenance" hatches in every cubicle, which can potentially be opened by unauthorised people to give access to nice hideaways for illicit materia/itemsl, bombs etc.

      Or you have a maintenance "gang way" running behind all of the cubicles giving access to all the otherwise inaccessible cisterns, water and sewage services. And electrical control gear for those "no contact" proximity flush things.

      The problem here seems to be that someone forgot about the security of the maintenance areas.

      1. J. Cook Silver badge
        Pint

        Re: I've heard of a including a backdoor for system access...

        It's not called a 'wet wall' for nothing... :D

        1. ITMA Silver badge
          Pint

          Re: I've heard of a including a backdoor for system access...

          Or you've had too much falling down water and your aim is severly impaired LOL.

          Then it is a wet wall, wet floor, wet shoes and.... Well, start with the excuse that the "splashback" from the basins was horrendous.

  14. tiggity Silver badge

    yellow team?

    As pen testers like their team colours

    1. TRT

      Re: yellow team?

      Blue-loo team.

    2. Mark 85

      Re: yellow team?

      Not to forget the brown team.

  15. Doctor Syntax Silver badge

    Simple

    A piece of piss really.

  16. Mugs

    In the 90s I did some work in Moscow in the Central Telegraph building. I was on the civilian side, the other side was restricted military. The toilets were common to both but there was little danger of anyone crossing due to the stench which was only alleviated by the cigarette smoke

  17. TRT

    You could always smuggle a USB stick out...

    by attaching it to a piece of string, dropping it in the bog and intercepting it further down the sewerage system using a bit of bent wire and pulling it back up the pipework.

    But that would be a flash in the pan.

    1. ITMA Silver badge

      Re: You could always smuggle a USB stick out...

      That would make your flash memory a "jobby stick".

    2. Anonymous Coward
      Anonymous Coward

      Re: You could always smuggle a USB stick out...

      Sure you could smuggle it out that way but would you really want it back?

    3. arachnoid2

      Re: You could always smuggle a USB stick out...

      A condom and the use of the rear passage would be so much easier

  18. Anonymous Coward
    Anonymous Coward

    I remember many, many moons ago whilst working for a company that liked to keep a tight control on 'expensive' office supplies (think boxes of floppy disks), they decided to lock everything up in a small room - with an 8 foot wall which could easily be climbed over due to someone deciding it would be also be a good idea to put filing cabinets up against said wall. Both sides.

    1. ITMA Silver badge

      There was some gold rush era hotel in the US which boasted of it's massive walk in vault with a huge steel vault door.

      Only problem - the floor of the walk in vault was very, very thin and laid over bare earth. In a town full of miners.

      Go figure....

  19. Scott Broukell
    Coat

    Maybe some engineers requested they build it that way, you know, just for the sake of convenience.

    Alternatively, it may perfectly demonstrate the way in which bean-couters consider proper security as a drain on finances.

  20. steelpillow Silver badge
    Happy

    A new euphemism

    "Excuse me. Just going to pen-test the neighbours, I won't be long".

  21. Surrey Veteran

    If I was due to do some pen testing I would head to the stationary cupboard and not the data centre.

    1. TRT

      The pen tester is mightier than the sword tester.

      1. the Jim bloke

        “The pen is mightier than the sword if the sword is very short, and the pen is very sharp.”

        .. Sir Pterry.

        1. TRT

          The penis; meatier than the sword.

  22. Ken Moorhouse Silver badge

    I thought that pentesters spent their days...

    ...trawling through logs.

    1. Ken Shabby
      Childcatcher

      Re: I thought that pentesters spent their days...

      Cross Shite Scripting

  23. DS999 Silver badge

    All because they wanted to save a little money

    By building one larger restroom and splitting it to serve both sides.

    If you want to build something secure, start your plan with a reinforced concrete box with concrete floor and ceiling, then justify and fully secure every opening in that box.

    1. Terry 6 Silver badge

      Re: All because they wanted to save a little money

      It has to be that, doesn't it. The clever security experts doing the planning probably thought they were above thinking about toilets and the bean counters controlling the overall build wouldn't want to spend the money on two separate sets of toilets unless the security experts specifically demanded it, is my guess.

    2. M.V. Lipvig Silver badge

      Re: All because they wanted to save a little money

      True security requires a Faraday cage integrated into the walls. Worked in a few, so secure they even had power filters designed to prevent the electrical wiring from being used as an antenna, with regular testing to make sure nothing electrical inside could be detected outside.

      1. DS999 Silver badge

        Re: All because they wanted to save a little money

        That's for building a SCIF, which is a whole different level of security than your typical datacenter.

      2. Joe Loughry

        Re: All because they wanted to save a little money

        How about fire sprinkler pipes?

        "Don't Look Up: Ubiquitous Data Exfiltration Pathways in Commercial Spaces" by Anku Adhikari, Samuel Guo, Paris Smaragdis, Marianne Winslett (arXiv, 2022).

        Abstract: We show that as a side effect of building code requirements, almost all commercial buildings today are vulnerable to a novel data exfiltration attack, even if they are air-gapped and secured against traditional attacks. The new attack uses vibrations from an inconspicuous transmitter to send data across the building's physical infrastructure to a receiver. Our analysis and experiments with several large real-world buildings show a single-frequency bit rate of 300Kbps, which is sufficient to transmit ordinary files, real-time MP3-quality audio, or periodic high-quality still photos. The attacker can use multiple channels to transmit, for example, real-time MP4-quality video. We discuss the difficulty of detecting the attack and the viability of various potential countermeasures.

        https://arxiv.org/abs/2206.12944

        1. DS999 Silver badge

          Re: All because they wanted to save a little money

          In a SCIF you probably don't have sprinklers - thus no pipes. Since the local fire department wouldn't be permitted entry they'll never know :)

    3. Anonymous Coward
      Anonymous Coward

      Re: All because they wanted to save a little money

      Quite possibly it was originally drawn up with a partition wall in that access corridor but after security had signed it off, the builders realised some building regulation required that a soil pipe can't go through a different property or inaccessible area and as they didn't know why a wall had been specified anyway they didn't build it.

  24. Hazmoid

    simple fix is to split the piss corridor with a wall.

    Of course in this case it was a case of "out of sight, out of mind"

  25. Soruk

    Security defeated by a wee bit of lateral thinking/crawling.

  26. D-tech

    False floors

    Data centre with classified and low security areas. With elevated false floors, and one big open space below.

  27. arachnoid2
    FAIL

    They probably fixed it by inaslling a "Master" branded padlock........ btw many tenament or semis loft spaces that have shared roof spaces usually have easy access to neibouring properties

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like