Chloe Payne / en Â鶹ĘÓƵ staff (ethically) hack CERN, world’s largest particle physics lab /news/u-t-staff-ethically-hack-cern-world-s-largest-particle-physics-lab <span class="field field--name-title field--type-string field--label-hidden">Â鶹ĘÓƵ staff (ethically) hack CERN, world’s largest particle physics lab</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=xdpDJkvs 370w, /sites/default/files/styles/news_banner_740/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=TB-ogLde 740w, /sites/default/files/styles/news_banner_1110/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=N53Ai2Jc 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=xdpDJkvs" alt="Photo of inside CERN"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>noreen.rasbach</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2018-04-04T12:27:39-04:00" title="Wednesday, April 4, 2018 - 12:27" class="datetime">Wed, 04/04/2018 - 12:27</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">CERN, the international lab near Geneva, is home to the Large Hadron Collider, the world’s largest particle accelerator (photo by Claudia Marcelloni/CERN)</div> </div> <div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/chloe-payne" hreflang="en">Chloe Payne</a></div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/global-lens" hreflang="en">Global Lens</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/global" hreflang="en">Global</a></div> <div class="field__item"><a href="/news/tags/information-technology" hreflang="en">Information Technology</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>It takes 22 member states, more than 10,000 scientists and state-of-the-art technology for CERN&nbsp;to investigate the mysteries of the universe. But no matter how cutting-edge a system is, it can have vulnerabilities&nbsp;– and last year University of Toronto employees helped CERN find theirs.</p> <p>CERN, the European Organization for Nuclear Research,&nbsp;asked for help to hack its digital infrastructure last year, organizing&nbsp;<a href="https://security.web.cern.ch/security/services/en/whitehats.shtml">the White Hat Challenge</a>.<strong>&nbsp;Allan Stojanovic</strong> and <strong>David Auclair</strong> from Â鶹ĘÓƵ’s ITS Information Security Enterprise and Architecture department, along with a group of security professionals, were more than willing to answer the call.</p> <p>Passionate advocates for information security, Stojanovic and Auclair say&nbsp;regular testing is essential for any organization.</p> <p>“Vulnerabilities are not created, they are discovered,” says Stojanovic. “Just because something has been working, doesn’t mean there wasn’t a flaw in it all along.”</p> <p>Their director, <strong>Mike Wiseman</strong>, supported their participation in the challenge. “This competition was an opportunity to bring experts together to exercise their skill as well as give CERN a&nbsp;valuable&nbsp;test of their infrastructure.”</p> <p>Stojanovic first heard about the challenge during a presentation at a Black Hat digital security conference. He&nbsp;jumped at the opportunity,&nbsp; immediately approaching the presenter, Stefan LĂĽders, CERN’s security manager.</p> <p>Stojanovic put together a group of eight industry professionals (pen testers, consultants, Computer Information Systems&nbsp;administrators&nbsp;and programmers), set goals for the test and created a ten-day timeline.&nbsp;</p> <p>Any penetration test involves three main stages: scoping, reconnaissance and scanning. Before the scanning stage begins, testers are not allowed to interact with the system directly, but&nbsp;try to learn everything they can about it.</p> <p>During the “scoping” stage, testers define what is “in scope” and specify what IP spaces and domains they can and cannot probe during the testing. The “recon” stage is exactly what it sounds like: reconnaissance. The testers try to find out everything they can about the domains that are in scope, helping guide them towards potential weaknesses.</p> <p>With scoping and recon complete, the team was able to officially begin the scanning stage. Scanning is like a huge treasure hunt, beginning with a broad search and gradually narrowing it down,&nbsp; burrowing deeper and deeper into the most interesting areas and letting go of the others.</p> <p>This went on for nine days. It was a gruelling process – the team&nbsp;would find a tiny foothold, investigate it, but nothing significant would emerge. This happened again and again.</p> <h3><a href="/news/geneva-where-u-t-scientists-are-frontier-physics-world-s-largest-particle-accelerator">Read&nbsp;about Â鶹ĘÓƵ scientists at CERN</a></h3> <p>Finally, Stojanovic was woken up one day by a short message, “I got it!” One of his team members,<strong> Jamie Baxter</strong>, had solved the puzzle – a breakthrough generated by multiple late nights of patient analysis.</p> <p>Details of the breakthrough are kept secret due to a confidentiality agreement with CERN. But after more than&nbsp;two weeks of work, <a href="https://security.web.cern.ch/security/home/en/kudos.shtml">the team revealed&nbsp;weaknesses in CERN’s security infrastructure </a>and provided important recommendations on how to improve it.</p> <p>CERN's security group was then able to roll out fixes and address the identified vulnerabilities before Â鶹ĘÓƵ's formal report even hit their desks.</p> <p>Stojanovic hopes that his team’s success will encourage educators to use penetration testing as a pedagogical tool.</p> <p>“It’s a lot of really fantastic experience,” he says, adding that these are the hands-on skills that new security professionals are going to need in the fast-growing information security industry.</p> <p>Stojanovic also hopes that other institutions, including Â鶹ĘÓƵ, will follow CERN’s lead in opening themselves up to testing of this nature.</p> <p>And this won’t be the last CERN will see of Â鶹ĘÓƵ&nbsp;– LĂĽders has already asked for round two.</p> <p>&nbsp;</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Wed, 04 Apr 2018 16:27:39 +0000 noreen.rasbach 132766 at