<span class="field field--name-title field--type-string field--label-hidden">U of T staff (ethically) hack CERN, world’s largest particle physics lab</span>
<div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=xdpDJkvs 370w, /sites/default/files/styles/news_banner_740/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=TB-ogLde 740w, /sites/default/files/styles/news_banner_1110/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=N53Ai2Jc 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=xdpDJkvs" alt="Photo of inside CERN"> </div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>noreen.rasbach</span></span>
<span class="field field--name-created field--type-created field--label-hidden"><time datetime="2018-04-04T12:27:39-04:00" title="Wednesday, April 4, 2018 - 12:27" class="datetime">Wed, 04/04/2018 - 12:27</time> </span>
<div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">CERN, the international lab near Geneva, is home to the Large Hadron Collider, the world’s largest particle accelerator (photo by Claudia Marcelloni/CERN)</div> </div>
<div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/chloe-payne" hreflang="en">Chloe Payne</a></div> </div>
<div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/global-lens" hreflang="en">Global Lens</a></div> </div>
<div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/global" hreflang="en">Global</a></div> <div class="field__item"><a href="/news/tags/information-technology" hreflang="en">Information Technology</a></div> </div>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item">
<p>It takes 22 member states, more than 10,000 scientists and state-of-the-art technology for CERN to investigate the mysteries of the universe. But no matter how cutting-edge a system is, it can have vulnerabilities — and last year University of Toronto employees helped CERN find theirs.</p>
<p>CERN, the European Organization for Nuclear Research, asked for help to hack its digital infrastructure last year, organizing <a href="https://security.web.cern.ch/security/services/en/whitehats.shtml">the White Hat Challenge</a>. <strong>Allan Stojanovic</strong> and <strong>David Auclair</strong> from U of T’s ITS Information Security Enterprise and Architecture department, along with a group of security professionals, were more than willing to answer the call.</p>
<p>Passionate advocates for information security, Stojanovic and Auclair say regular testing is essential for any organization.</p>
<p>“Vulnerabilities are not created, they are discovered,” says Stojanovic. “Just because something has been working doesn’t mean there wasn’t a flaw in it all along.”</p>
<p>Their director, <strong>Mike Wiseman</strong>, supported their participation in the challenge. “This competition was an opportunity to bring experts together to exercise their skill as well as give CERN a valuable test of their infrastructure.”</p>
<p>Stojanovic first heard about the challenge during a presentation at a Black Hat digital security conference. He jumped at the opportunity, immediately approaching the presenter, Stefan Lüders, CERN’s security manager.</p>
<p>Stojanovic put together a group of eight industry professionals (pen testers, consultants, Computer Information Systems administrators and programmers), set goals for the test and created a ten-day timeline.</p>
<p>Any penetration test involves three main stages: scoping, reconnaissance and scanning. Before the scanning stage begins, testers are not allowed to interact with the system directly, but they try to learn everything they can about it.</p>
<p>During the “scoping” stage, testers define what is “in scope” and specify which IP spaces and domains they can and cannot probe during the testing. The “recon” stage is exactly what it sounds like: reconnaissance. The testers try to find out everything they can about the domains that are in scope, which helps guide them towards potential weaknesses.</p>
<p>With scoping and recon complete, the team was able to officially begin the scanning stage. Scanning is like a huge treasure hunt: it begins with a broad search and gradually narrows down, burrowing deeper and deeper into the most interesting areas and letting go of the others.</p>
<p>This went on for nine days. It was a gruelling process — the team would find a tiny foothold and investigate it, but nothing significant would emerge. This happened again and again.</p>
<h3><a href="/news/geneva-where-u-t-scientists-are-frontier-physics-world-s-largest-particle-accelerator">Read about U of T scientists at CERN</a></h3>
<p>Finally, Stojanovic was woken up one day by a short message: “I got it!” One of his team members, <strong>Jamie Baxter</strong>, had solved the puzzle — a breakthrough generated by multiple late nights of patient analysis.</p>
<p>Details of the breakthrough are kept secret due to a confidentiality agreement with CERN. But after more than two weeks of work, <a href="https://security.web.cern.ch/security/home/en/kudos.shtml">the team revealed weaknesses in CERN’s security infrastructure</a> and provided important recommendations on how to improve it.</p>
<p>CERN's security group was then able to roll out fixes and address the identified vulnerabilities before U of T's formal report even hit their desks.</p>
<p>Stojanovic hopes that his team’s success will encourage educators to use penetration testing as a pedagogical tool.</p>
<p>“It’s a lot of really fantastic experience,” he says, adding that these are the hands-on skills that new security professionals are going to need in the fast-growing information security industry.</p>
<p>Stojanovic also hopes that other institutions, including U of T, will follow CERN’s lead in opening themselves up to testing of this nature.</p>
<p>And this won’t be the last CERN will see of U of T — Lüders has already asked for round two.</p>
</div>
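The scoping stage described in the article, where the testers and the client agree which IP spaces and domains may and may not be probed, is the rule every later stage has to respect, so it helps to enforce it mechanically rather than by memory. The following is an added example, not code from the article, from U of T ITS or from CERN: a small scope gate in Python that a team could run its candidate target list through before scanning begins. The scope document, its `+`/`-` line format, the function names and every address and domain in it are constructed for illustration (RFC 5737 / RFC 3849 documentation ranges and `example.org`), not CERN's actual scope.

```python
"""Scope gate for an authorised penetration test (added example).

Not code from the article, from U of T ITS or from CERN. The scope document,
its '+'/'-' line format and every address and domain below are constructed
for illustration (RFC 5737 / RFC 3849 documentation ranges and example.org).

Rules: a target is accepted only if it is explicitly included; an explicit
exclusion always beats an inclusion; anything unlisted is rejected.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed scope document, in the shape a team might agree it with the client.
SCOPE_TEXT = """
# '+' lines are in scope, '-' lines are excluded; comments start with '#'
+ 203.0.113.0/24
- 203.0.113.250        # production host the client asked us to leave alone
+ 2001:db8:10::/48
+ example.org          # the domain itself and every subdomain
- hr.example.org       # excluded subtree, even though example.org is in scope
"""


@dataclass
class Scope:
    include_nets: list = field(default_factory=list)
    exclude_nets: list = field(default_factory=list)
    include_domains: list = field(default_factory=list)
    exclude_domains: list = field(default_factory=list)


def parse_scope(text):
    """Parse the '+ entry' / '- entry' scope format into a Scope.

    An entry that ipaddress accepts is stored as a network (a bare address
    becomes a /32 or /128); anything else is treated as a domain suffix.
    Malformed lines raise ValueError rather than being silently skipped.
    """
    scope = Scope()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        sign, _, entry = line.partition(" ")
        entry = entry.strip().lower().rstrip(".")
        if sign not in ("+", "-") or not entry:
            raise ValueError(f"malformed scope line: {raw!r}")
        include = sign == "+"
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            (scope.include_domains if include else scope.exclude_domains).append(entry)
        else:
            (scope.include_nets if include else scope.exclude_nets).append(net)
    return scope


def _under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def in_scope(target, scope):
    """True only for a single IP address or hostname that is covered by an
    inclusion and not by any exclusion. CIDR blocks, wildcards and anything
    else that is not a concrete target are rejected (fail closed)."""
    t = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        addr = None
    if addr is not None:
        # ipaddress returns False for an IPv4 address tested against an IPv6
        # network and vice versa, so mixed-family scopes need no special case.
        if any(addr in net for net in scope.exclude_nets):
            return False
        return any(addr in net for net in scope.include_nets)
    if any(_under_domain(t, d) for d in scope.exclude_domains):
        return False
    return any(_under_domain(t, d) for d in scope.include_domains)


def partition_targets(targets, scope):
    """Split a candidate target list into (allowed, rejected), preserving order."""
    allowed, rejected = [], []
    for t in targets:
        (allowed if in_scope(t, scope) else rejected).append(t)
    return allowed, rejected


if __name__ == "__main__":
    scope = parse_scope(SCOPE_TEXT)
    # Constructed candidate list mixing in-scope hosts, excluded hosts, an
    # unrelated address, a look-alike domain and a non-concrete CIDR entry.
    candidates = ["203.0.113.7", "203.0.113.250", "198.51.100.1",
                  "2001:db8:10::1", "www.example.org", "payroll.hr.example.org",
                  "example.org.evil.test", "203.0.113.0/24"]
    allowed, rejected = partition_targets(candidates, scope)
    print("allowed :", allowed)
    print("rejected:", rejected)
```

Two design choices matter here. Exclusions win over inclusions, so the client's "leave this host alone" line cannot be undone by a broader `+` range above it; and anything not explicitly listed is rejected, so a typo in the candidate list or a look-alike domain such as `example.org.evil.test` fails closed instead of being probed by accident.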