Vulnerabilities and weaknesses lurk all over the digital place: unprotected file uploads, generous SQL queries, unfiltered input fields, disclosed passwords… They are the entry point for cross-site scripting, remote code execution or root privilege escalation, and the first step towards fostering the patient-zero-like compromise of a server, a service or the whole of CERN; the first step towards losing protected, restricted or confidential information; the first step that can result in mild to serious reputational damage for the Lab.

A plethora of means exists to protect against that. On the one hand, the Computer Security team is scanning for vulnerabilities and weaknesses in the hope of detecting them early and mitigating them fast. On the other, hand-in-hand with the Computer Security team, you, as an excellent software developer and experienced programmer, have followed the right courses to put in place a secure software programming and code development life-cycle, including sound system architecture and choice of components, apply best practices for managing and building your software in a secure fashion, and are aware of (and can avoid!) potential supply chain traps.

The CERN WhiteHat Challenge
While external students continue hacking into CERN and finding “juicy” stuff, we are glad to announce that the WhiteHatChallenge is back at CERN after a two-year hiatus. Designed as two half-days of training on ethics and integrity, focusing on penetration testing and vulnerability scanning, it should bring you up to speed on detecting suboptimal configurations and weaknesses in your web services and websites. While penetration testing is a marathon that requires lots of training and practice, this WhiteHat training should at least get you up and walking. It will cover the concepts for breaking into and abusing web applications, the use of the appropriate tools, and a Capture the Flag (CTF) tournament as a homework exercise to sharpen your skills. Hopefully it will give you a taste for becoming ─ after lots more fun training ─ an experienced penetration tester, hacker and participant in worldwide CTF tournaments! So, join us! All details for afternoon 1 and afternoon 2 can be found on Indico ─ no registration necessary.

Zebra Alliance Incident Response Exercise
And if you want to experience the pressure when the going really gets tough, see how incident response is conducted in reality. The Zebra Alliance has been hacked yet again (after previous attacks in 2022 and 2023)! And once again, it’s up to you and your peers in the room to figure out what happened. How did the attacker get in? What was their technique and intrusion vector? What’s their name (so the police can apprehend them)? No prior knowledge of security, incident response or even IT is needed. All you need is a laptop, the curiosity to dig and the eagerness to learn and tackle the challenge. As seats are limited, however, we kindly request that you register on Indico.

Have fun at both of these events! We hope to see you soon!

______

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.