Computer Security: Join the CERN WhiteHat Challenge!
Over the past couple of months, several CERN users have reported vulnerabilities they have found in computing services and servers running at CERN. All were relevant, many were interesting and a few even surprising. Spotting weaknesses and areas for improvement before malicious people can exploit them is paramount. It helps protect the operation of our accelerators and experiments as well as the reputation of the Organization. Therefore, we would like to express our gratitude to those people for having reported these weaknesses! Great job and well done!
Seizing the opportunity, we would like to reopen the hunt for bugs, vulnerabilities and insecure configurations of CERN applications, websites and devices. You might recall we ran a similar initiative (“Hide & Seek”) in 2012 where we asked you to sift through CERN’s webpages and send us those that hold sensitive and confidential information. Quite a number of juicy documents were found and subsequently removed. However, if we probe deep, we have to apply due care. Not all our applications are robust and resilient enough to withstand vulnerability scanning and penetration testing. It is of the uttermost importance that random testing of CERN applications, websites or devices does not stop them from working, delete their contents or render them broken. Therefore, a bit of training and coordination is needed.
Enlist with us and join the CERN WhiteHat Challenge! In order to prepare you, we are planning to hold a half-day work-shop on vulnerability scanning, penetration testing and proper ethics early in the Autumn this year. The only prerequisites are programming skills and/or knowledge of system/service administration. Once you have followed and completed the workshop, you will be eligible to conduct penetration tests on CERN applications, websites and devices of your choice. All you will need to do is suggest your favourite area that you would like to test... We will coordinate with the corresponding service manager in order to get a suitable time window or test instance. Once ready, you are “go” to try your vulnerability assessment and penetration testing skills on real applications and live devices. This setup will make your challenge a win-win for everyone: your engagement as a security tester, and the security and robustness of the area you’ve tested! If you are interested in becoming an official CERN WhiteHat, sign up by sending an email to Computer.Security@cern.ch with subject “Make me a CERN WhiteHat”.
However, please note: the academic curiosity and the perseverance of a nerd shall be your only motivation for this challenge. As compensation, we offer full kudos, a good book on security matters, a letter of appreciation to be sent to your supervisor, and a mention of your findings in our Monthly Report. Of course, such an activity also looks good in your CV. However, we do not and will not provide financial compensation (and have even turned down such requests in the past). If you want to make some money, it is better to look for bugs and weaknesses in Google (earn $100 to $20,000), Facebook ($500 flat), Microsoft (rewards up to $100,000), or elsewhere. But note that such an activity against third parties is your personal business and must NOT be conducted from the CERN network (as it violates the CERN Computing Rules).
Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.
If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.
Access the entire collection of Computer Security articles here.