CERN: Computing updates https://home.cern/ en ExaHealth 2021 https://home.cern/news/announcement/computing/exahealth-2021 <span>ExaHealth 2021</span> <div class="field field--name-field-p-news-display-byline field--type-entity-reference field--label-hidden field--items"> <div class="field--item">Andrew Purcell</div> <div class="field--item">James Beacham</div> </div> <span><span lang="" about="/user/34041" typeof="schema:Person" property="schema:name" datatype="">ccoman</span></span> <span>Thu, 10/07/2021 - 09:44</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>On Monday, 18 October, CERN openlab and Chelonia Applied Science will host a first-of-its-kind workshop called ExaHealth 2021. The half-day virtual event will begin at 1.00 p.m. CEST and will examine the potential for exascale computing and machine learning to support efforts to improve public health. The workshop is free and open to all.</p> <p>With recent advancements in high-performance computing (HPC) towards exascale (the capability to perform a billion billion (10<sup>18</sup>), or a quintillion, computing operations per second) and the continued development and proliferation of both machine- and deep-learning techniques in all sectors, it is imperative that we ensure these resources are capitalised upon fully in a realm that affects us all: public health.</p> <p>Projects supported by the European Union (such as Exscalate4COV and LIGATE, with the participation of dozens of institutions, including Chelonia Applied Science, hosted at the Innovation Office of the University of Basel) demonstrate the potential that exascale HPC and machine learning offer for the health sciences. This is also seen through initiatives pioneered by CERN openlab, such as the CERN Science 4 Open Data project. But what are we missing? 
How can we ensure that we will respond quickly and efficiently to future health situations, including (but not limited to) pandemics?</p> <p>Join us at ExaHealth 2021 to explore how exascale computing and machine learning are used in the health and life sciences and to begin charting a course for the future.</p> <p><em>Full information – including a list of speakers – is available on the event page: </em><a href="https://indico.cern.ch/e/ExaHealth_2021"><em>https://indico.cern.ch/e/ExaHealth_2021</em></a><em>. Register by Friday, 15 October.</em></p> </div> Thu, 07 Oct 2021 07:44:47 +0000 ccoman 158086 at https://home.cern Computer Security: The risk of losing it all… https://home.cern/news/news/computing/computer-security-risk-losing-it-all <span>Computer Security: The risk of losing it all…</span> <div class="field field--name-field-p-news-display-byline field--type-entity-reference field--label-hidden field--items"> <div class="field--item">Computer Security team</div> </div> <span><span lang="" about="/user/21331" typeof="schema:Person" property="schema:name" datatype="">thortala</span></span> <span>Mon, 10/11/2021 - 14:47</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>Ransomware and its nasty companion “extortion” attacks <a href="https://home.cern/news/news/computing/computer-security-blackmailing-enterprises-you-are-patient-zero">are still on the rise</a>. Criminals try to <a href="https://home.cern/news/news/computing/computer-security-what-do-accelerators-and-pipelines-have-common">break into companies</a>, <a href="https://edition.cnn.com/2021/09/07/politics/howard-university-ransomware-attack/index.html">universities</a> and <a href="https://www.bbc.com/news/world-europe-58413448">government bodies</a> in order to demand money from the victims. Attackers have started going big nowadays. 
On the decline are the attacks à la “<a href="http://home.cern/cern-people/updates/2017/05/comp-security-wannacry-importance-being-patched">WannaCry</a>” against single home user PCs; welcome instead large-scale attacks against the victim’s entire IT infrastructure! Active Directory, file stores, databases – everything.  And regardless of <a href="https://home.cern/news/news/computing/computer-security-reflections-paying-ransom">whether or not the victim pays</a>, with ransomware comes the risk of losing it all…</p> <p>Ransomware is not that new. It started with malware infecting individual user PCs, encrypting all local documents, photos and files, and then asking for a little payment – the ransom – of maybe 300 dollars to get the decryption key. Recently, however, attackers “upgraded” to the aforementioned “extortion” attacks, where data was not only encrypted but also shipped offshore, with the attacker threatening to publish all the data, private photos, personal documents and confidential files if no money was paid to them. But the revenue was not that large and, with their expertise and skills improving, criminals turned their attention to the big fish: companies and their IT infrastructure, with ransom demands in the millions of dollars. Their attacks, however, start slowly. Infiltrating a company takes time, and doing it clandestinely is of the utmost importance in order to avoid getting caught. Reconnaissance, identification of juicy assets and primary targets, deployment of malware – the process can take months.</p> <p>There is also a market for the sale of corporate credentials and access to company networks. Often, ransomware gangs don’t bother with the initial commitment involved in getting a foothold inside the company; they just buy that from other crimeware gangs. 
Once their nefarious work is in place and they have exfiltrated all the sensitive data, they pull the trigger and data gets encrypted in a coordinated manner on all corporate assets in parallel. The trigger is often at the worst possible time (during a public holiday, on a Friday evening, etc.). They operate slowly, beneath the radar, but are determined and thorough. Once everything is accomplished, it’s show time for the criminals and the company faces the risk of losing it all.</p> <p>The three mantras of handling a ransomware attack are (1) don’t get it, (2) don’t pay, and (3) have disaster-recovery means in place. While (1) is particularly difficult (but still mandatory and essential) given the heterogeneous infrastructure of large companies, and (2) is debatable, particularly in view of <a href="https://home.cern/news/news/computing/computer-security-reflections-paying-ransom">what’s at stake</a>, (3) is the ultimate silver bullet and the last resort, in particular once the attack has already hit hard: have a proper disaster-recovery plan in place and be ready to reinstantiate your infrastructure from scratch – whether or not you pay the ransom. The million-dollar questions for you as a CERN service manager, data taker, control system expert, trigger master, software custodian or document librarian are: Do you have the appropriate back-up means in place? Do you have proper back-ups of your crown jewels? Are those back-ups unaltered by and safe from attack?</p> <p>Of course, it is essential, firstly, to have a back-up at all. And to have tested whether the back-up is integral and complete and can be played back. Back-up frequency might matter, depending on how much loss you can tolerate in the event that you need to reinstantiate your service from scratch from the last valid back-up. The higher the frequency, the smaller the loss. 
Usually, however, this frequency and the number of back-ups kept in the pipeline strongly depend on how much back-up space you have available. Storage is not infinite. A high back-up frequency with a limited pipeline depth might also be problematic because of the risk that encrypted files pollute the back-up (playback and testing might detect this).</p> <p>Hence, secondly, can you be sure that your back-up has not been tampered with? Given that the attackers work clandestinely over months, encrypted files – in particular if they are rarely accessed, like contracts, personal files, transaction logs and measurements – might creep into <em>all</em> copies of your back-up. Ideally, back-ups should be offline (using external USB disks for individual users or tapes for big bulk back-up). Instead of full back-ups, incremental back-ups triggered only when a file changes can counter this particular attack vector (at least until the attackers encrypt a file multiple times). On the other hand, the malicious encryption of data files that change frequently and are regularly read back (like configuration and calibration parameters, templates, documents being worked on) should be easily spotted as accesses fail to work and functionality becomes void. Propagation to the back-up of such encrypted files is unlikely, as the back-up period is much longer than the time before incident detection.</p> <p>In the end, there are three kinds of people: (1) those who don't back up (and regret it later), (2) those who back up but don't check their back-ups (and definitely regret it later), and (3) those who back up and <a href="https://devrant.com/rants/688433/there-are-two-types-of-people-1-people-who-do-backup-2-people-who-will-start-doi">check their back-ups</a>. So, the time to check has come. For individuals, <a href="https://cernbox.cern.ch/">CERNBox</a> is the best choice. 
And as a CERN service manager, data taker, control system expert, trigger master, software custodian or document librarian, check your crown jewels! Protect your configuration, data records, calibration parameters, software libraries, documents and data! Actually, protect CERN’s data and documents! Talk to your IT service providers. Figure it out. And make disaster recovery a priority. Otherwise, you risk losing it all… And you might not be in a position to assume that risk for all of CERN.</p> <p>Do you want to learn more about computer security incidents and issues at CERN? Follow <a class="bulletin" href="https://cern.ch/security/reports/en/monthly_reports.shtml">our Monthly Report</a>. For further information, questions or help, check <a class="bulletin" href="https://cern.ch/Computer.Security">our website</a> or contact us at <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a>.</p> </div> Mon, 11 Oct 2021 12:47:59 +0000 thortala 158104 at https://home.cern Computer security: Privacy vs security – a double dilemma https://home.cern/news/news/computing/computer-security-privacy-vs-security-double-dilemma <span>Computer security: Privacy vs security – a double dilemma</span> <div class="field field--name-field-p-news-display-byline field--type-entity-reference field--label-hidden field--items"> <div class="field--item">Computer Security team</div> </div> <span><span lang="" about="/user/21331" typeof="schema:Person" property="schema:name" datatype="">thortala</span></span> <span>Mon, 09/13/2021 - 11:10</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>In this increasingly digitalised world, privacy was initially neglected for some time, but is now gathering speed. The internet was the no-privacy Wild West, with big social media outlets, advertising companies and government agencies trying to gather whatever was legally (and sometimes even illegally) possible. 
People, however, are becoming more and more aware of the privacy implications of using the internet and, fortunately, tools do exist to improve the privacy of online browsing. With such tools in place, however, it also becomes more and more difficult to protect an organisation like CERN against remote attacks and user blunder.</p> <p>Privacy <em>is</em> important. The amount of data that online giants have collected about us is staggering. Standard web browsing is, by design, leaving traces (you can check these traces on sites like <a href="https://clickclickclick.click/">https://clickclickclick.click/</a> – best with sound on). Embedded “like” buttons and similar third party content make it possible to gather even more information. And even if you have enabled browser privacy add-ons like “Ghostery”, “Privacy Badger”, “uBlock”, “DuckDuckGo Privacy Essentials”, etc., certain of your computer’s parameters and features (operating system, time zone, local language, screen size and color depth, fonts, browser plugins, touch support) still provide sufficient entropy to identify your device among millions of others (<a href="https://coveryourtracks.eff.org">check out yours</a>). In a particularly frightening example, an activist group was able to <a href="https://www.madetomeasure.online/en/experience">reconstruct the life of a volunteer</a> based only on her Google-stored search history and metadata.</p> <p>In order to protect your privacy, the use of so-called “secured” protocols like HTTPS, SSH and VPN helps in shielding all your communication from eavesdropping by third parties. In addition, Mozilla, Apple and others have proposed and implemented new and more sophisticated (but also intrusive) measures to stop people spying on your network traffic:</p> <ul><li>Mozilla, in collaboration with Cloudflare, provides a browser option to funnel all your DNS requests, i.e. 
the task of resolving an IP address to a domain name and vice versa, via HTTPS to their DNS servers (“DNS-over-HTTPS” or, for short, “DoH”) instead of using local ones. Google offers the same through their 8.8.8.8 DNS resolver. This prevents third parties (other than Cloudflare or Google, of course) collecting the domain names your device wanted to access.</li> <li>Some other companies have started to <a href="https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/">randomise so-called MAC addresses</a>, i.e. the normally unique IDs of every device. These “Private Wi-Fi addresses” (term used by Apple) hinder Wi-Fi infrastructure providers’ efforts to trace a device, as the unique identifier is now randomised and varies often.</li> <li>Just recently, Apple introduced “<a href="https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/">iCloud Private Relay</a>”, which spawns a Virtual Private Network (VPN) to Apple’s servers in order to hide local IP addresses and stop any traffic being exposed to third parties.</li> </ul><p><strong>Dilemma 1.</strong> You face a dilemma, however, as DoH, VPN, and “iCloud Private Relay” might not work when connecting to CERN-internal services, as those measures tunnel to outside CERN. The same applies to “Private Wi-Fi addresses”: because they change quickly, they prevent your device from connecting to CERN’s Wi-Fi network. The CERN Wi-Fi network requires a permanent, fixed MAC address (hence, please disable this feature in the Wi-Fi settings for the CERN network (“CERN SSID”)).</p> <p><strong>Dilemma 2.</strong> The CERN Computer Security team faces a dilemma, too. While we value your privacy, all of these privacy measures hinder our efforts to do our job, namely to protect the Organization and to protect your devices against any kind of cyberattack. 
With secured channels – HTTPS, VPN, DoH – we are less able to detect whether your device is connecting to some malicious domains, being redirected to spooky websites or downloading data with dangerous contents. And being blind conflicts directly with our objective to keep your device, and the Organization, secure.</p> <p>Hence, while we continue to encourage you to use HTTPS, SSH and VPN (as a client at CERN; see also our Bulletin articles on VPN tunnels, “<a href="https://home.cern/news/news/computing/computer-security-tunnel-madness">Tunnel Madness</a>”), please refrain from using DoH and Apple’s “iCloud Private Relay” while on the CERN network for the sake of the general protection of the network and its attached devices. If this does not work, we will have to consider blocking these features (but would first need to better understand the collateral damage), and we prefer not to.</p> <p>Do you want to learn more about computer security incidents and issues at CERN? Follow our <a href="https://cern.ch/security/reports/en/monthly_reports.shtml">Monthly Report</a>. 
For further information, questions or help, check our <a href="https://cern.ch/Computer.Security">website</a> or contact us at <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a>.</p> </div> Mon, 13 Sep 2021 09:10:36 +0000 thortala 157945 at https://home.cern Online “lightning talks” from the 2021 CERN openlab summer students https://home.cern/news/announcement/computing/online-lightning-talks-2021-cern-openlab-summer-students <span>Online “lightning talks” from the 2021 CERN openlab summer students</span> <div class="field field--name-field-p-news-display-byline field--type-entity-reference field--label-hidden field--items"> <div class="field--item">CERN openlab</div> </div> <span><span lang="" about="/user/151" typeof="schema:Person" property="schema:name" datatype="">anschaef</span></span> <span>Thu, 08/26/2021 - 11:02</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>On Monday, 6 and Tuesday, 7 September, the 2021 CERN openlab summer students will present their work at dedicated public “lightning talk” sessions (<a class="bulletin" href="https://indico.cern.ch/event/1054527/">session 1</a>, <a class="bulletin" href="https://indico.cern.ch/event/1054531/">session 2</a>).</p> <p>In five-minute presentations, each student will introduce the audience to their project, explain the technical challenges they have faced and describe the results of their investigations. It will be a great opportunity for the students to showcase the progress they have made so far and for members of the audience to be informed about these cutting-edge IT projects, the solutions that the students have come up with, and the potential future challenges they have identified.</p> <p>Due to the pandemic, this year’s CERN openlab Summer Student programme is taking place online, with the selected students participating remotely from their homes across the globe. 
Over nine weeks (June–August 2021), the CERN openlab summer students have been working – via remote connection – with some of the latest hardware and software technologies, as well as learning about how advanced IT solutions are used in high-energy physics. This year, 28 students from 16 different countries were selected for the programme. They have also participated in a series of lectures given by IT experts on advanced CERN-related topics.</p> <p>Join us on 6 and 7 September to discover the exciting work the students have carried out, bringing innovative ideas and fresh perspectives to the IT challenges faced at CERN. The presentations are free and open to all. On both days, the sessions will begin at 4.00 p.m. CEST and will last under two hours. Follow the live webcasts via the links below:</p> <ul><li><a class="bulletin" href="https://indico.cern.ch/event/1054527/">Session 1</a></li> <li><a class="bulletin" href="https://indico.cern.ch/event/1054531/">Session 2</a></li> </ul></div> Thu, 26 Aug 2021 09:02:49 +0000 anschaef 157830 at https://home.cern Computer Security: “Check me” comes before “Scan me” https://home.cern/news/news/computing/computer-security-check-me-comes-scan-me <span>Computer Security: “Check me” comes before “Scan me”</span> <div class="field field--name-field-p-news-display-byline field--type-entity-reference field--label-hidden field--items"> <div class="field--item">Computer Security team</div> </div> <span><span lang="" about="/user/151" typeof="schema:Person" property="schema:name" datatype="">anschaef</span></span> <span>Fri, 08/27/2021 - 11:15</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>Remember our article on “<a href="http://home.cern/news/news/computing/computer-security-truth-lies-url">The truth lies in the URL</a>” about our latest phishing campaign and the risk to your device, your account and your digital life when clicking on the wrong – malicious – 
URL, the wrong “link”? Unfortunately, in this “Covidised” world, URLs now come more and more frequently in another form – as QR codes (see images below).</p> <p>QR codes are used to access a dedicated webpage, e.g. to make a restaurant reservation or to provide personal details for COVID-19 tracking. Taking a photo of a QR code with your smartphone opens the intended webpage in your browser. Easy as pie.</p> <figure class="cds-image" id="CERN-HOMEWEB-PHO-2021-140-1"><a href="//cds.cern.ch/images/CERN-HOMEWEB-PHO-2021-140-1" title="View on CDS"><img alt="home.cern,Computers and Control Rooms" src="//cds.cern.ch/images/CERN-HOMEWEB-PHO-2021-140-1/file?size=large" /></a> <figcaption>Colours are arbitrary and used here just to distinguish the good from the evil.</figcaption></figure><p>But wait! While it’s easy for your smartphone to tell what those patterns ought to be, our human eye is innocent and fails. Is this a good QR code? Is this a malicious one? Like with “standard” URLs embedded in emails, attachments, WhatsApp or Facebook messages or even text messages, you have to make the final call. You have to (try to) judge whether the URL embedded in the QR code is reasonable, expected and non-malicious. Like when you hover your mouse over a “standard” URL when using a laptop/PC, your smartphone should display at least the beginning of the URL (for the examples above, “cern.ch” and “cern.cg”). Check this URL and continue only if it looks right to you. Admittedly, it’s often hard to tell, but it’s still better to be safe than sorry. Otherwise, like with any other malicious URL, letting one malicious QR code through can put your smartphone and, hence, your account and subsequently your digital life at risk. So, please, watch out, be vigilant and STOP – THINK – DON’T CLICK!</p> <p>For those who want to create their own QR code, e.g. 
to direct people to a website or as a link to a conference paper or other supporting material, make sure that the embedded QR is “pure” and only contains the URL you intended to provide. Some online QR generators embed additional information in the URL such as webpage redirection or id tokens that are used for tracking purposes. Please refrain from doing so*. Thanks!</p> <p><em>* <a href="https://zxing.appspot.com/generator">https://zxing.appspot.com/generator</a>, for example, generates pure QR codes.</em></p> <p>______</p> <p><em>Do you want to learn more about computer security incidents and issues at CERN? Follow <a href="https://cern.ch/security/reports/en/monthly_reports.shtml">our Monthly Report</a>. For further information, questions or help, check <a href="https://cern.ch/Computer.Security">our website</a> or contact us at Computer.Security@cern.ch.</em></p> </div> Fri, 27 Aug 2021 09:15:42 +0000 anschaef 157836 at https://home.cern Changes in the Swisscom mobile coverage on the CERN Meyrin site https://home.cern/news/announcement/computing/changes-swisscom-mobile-coverage-cern-meyrin-site <span>Changes in the Swisscom mobile coverage on the CERN Meyrin site</span> <span><span lang="" about="/user/21331" typeof="schema:Person" property="schema:name" datatype="">thortala</span></span> <span>Wed, 08/11/2021 - 11:27</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>Following the re-allocation of mobile telephony frequencies in France, the Swisscom site providing 3G coverage for the western part of the CERN Meyrin site (from the water tower to Gate E) will be switched off permanently by the telecommunications operator on 21 August 2021. 
A replacement Swisscom 4G service will be made available by the telecommunications operator as soon as possible.<br /><br /><strong>Consequences (until the new Swisscom 4G service is established): </strong></p> <ul><li>Only Orange (French) mobile telephony coverage will be available in this area as of 21 August 2021.</li> <li>People with restricted CERN mobile phone subscriptions cannot connect to Orange for data services and will hence not be able to use mobile data services in this area as of 21 August.</li> </ul><p><strong>Important:</strong></p> <p>Please note that 3G networks are being gradually phased out by telecommunications operators and 3G services will be entirely discontinued in the medium term. Consequently, 3G-only mobile phones can no longer ensure good connectivity. The mobile phones available in the CERN store are all 4G-capable.</p> <p><em>For regular updates on your computing environment, please check the </em><a href="https://computing-blog.web.cern.ch/"><em>CERN computing blog</em></a><em> (sign-in to access). 
To receive automatic monthly updates, </em><a href="https://e-groups.cern.ch/e-groups/EgroupsSubscription.do?egroupName=computing-blog-update"><em>subscribe to the computing-blog-update e-group</em></a>.</p> </div> Wed, 11 Aug 2021 09:27:25 +0000 thortala 157759 at https://home.cern Computer Security: AndroCovid https://home.cern/news/news/computing/computer-security-androcovid <span>Computer Security: AndroCovid</span> <div class="field field--name-field-p-news-display-byline field--type-entity-reference field--label-hidden field--items"> <div class="field--item">Computer Security team</div> </div> <span><span lang="" about="/user/151" typeof="schema:Person" property="schema:name" datatype="">anschaef</span></span> <span>Mon, 08/09/2021 - 22:03</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>While we humans are still struggling with our own 21st century pandemic, Android devices have apparently had their own strain of flu in recent weeks: “FluBot” (aka “FakeChat”, aka “Cabassous”). This new Android malware started to spread in Europe. Once installed, it tries to steal login information like passwords, but also personal details and banking information. As a banking Trojan, it is ultimately trying to break into your bank accounts to steal your money. In parallel, it tries to spread to other victims via SMS sent from infected devices.</p> <p>What’s interesting about FluBot is that just two clicks are enough to get your device infected. The first click opens a malicious web link, a bad email, a fake text message or a nasty WhatsApp notification pretending to come from a Telecom provider (with which you have no subscription), a package delivery service (when you’re not expecting a parcel), the local tax authorities, etc. 
And the second, disguised as a notification that you need to install an essential app (“Delivery manager”, “Your Telco invoices”, “Tax submission portal”) linked to that message, compromises your device. As with our famous clicking campaign (see our <em>Bulletin</em> article “<a href="http://home.cern/news/news/computing/computer-security-truth-lies-url">The truth lies in the URL</a>”), two clicks are enough to compromise your device, lose your personal data and, if the worst comes to the worst, have your banking details and money stolen!!!</p> <p>Contrary to iOS devices, the underlying problem with Android devices is that AndroidOS allows you to install apps from any source, not only the central Google Play Store. Apple tightly restricts, controls and dictates which apps are permitted to propagate to iOS end-devices, whereas Google does not. Its policy is much more liberal, which leads to the problem of (malicious) app installation from (malicious) third parties. While there might be many other pros and cons, curation and centralisation come with security benefits…</p> <p>So, once more, in order to protect yourself, your assets, your private and, consequently, also your professional life: STOP – THINK – DON’T CLICK! Be vigilant and suspicious. Watch out for dubious messages. Did you expect that message? Is it reasonable? Check the URL behind a link-to-be-clicked. Does it look fine, with a domain name (“cern.ch”, for example) related to the message? If in any doubt, just hold on. Either ignore or delete that message, or check with us at Computer.Security@cern.ch.</p> <p>Of course, although Android devices are the focus here, “STOP – THINK – DON’T CLICK!” should be your general mantra when dealing with unexpected messages and weblinks. Protect your Windows, Linux and Apple devices! Protect your digital assets! 
Protect your digital life (“<a href="https://home.cern/news/news/computing/computer-security-what-do-apartments-and-computers-have-common">What do apartments and computers have in common</a>”)!!!</p> <p>______</p> <p><em>Do you want to learn more about computer security incidents and issues at CERN? Follow <a href="https://cern.ch/security/reports/en/monthly_reports.shtml">our Monthly Report</a>. For further information, questions or help, check <a href="https://cern.ch/Computer.Security">our website</a> or contact us at Computer.Security@cern.ch.</em></p> </div> Mon, 09 Aug 2021 20:03:11 +0000 anschaef 157749 at https://home.cern Computer Security: Reflections on paying ransom https://home.cern/news/news/computing/computer-security-reflections-paying-ransom <span>Computer Security: Reflections on paying ransom</span> <div class="field field--name-field-p-news-display-byline field--type-entity-reference field--label-hidden field--items"> <div class="field--item">Computer Security team</div> </div> <span><span lang="" about="/user/151" typeof="schema:Person" property="schema:name" datatype="">anschaef</span></span> <span>Tue, 07/20/2021 - 14:35</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>Previous <em>Bulletin</em> articles have discussed the risk of an organisation, university, institute, company or enterprise falling victim to a so-called <a href="https://home.cern/news/news/computing/blackmailing-enterprises-you-are-patient-zero">ransomware attack</a>, whereby the successful attackers infiltrate (many) computers, laptops and computing services and encrypt valuable files, documents and data. That data is only released after a certain amount of money (the ransom) has been paid to the attackers. 
The central question is, however, whether a compromised entity should or should not pay.</p> <p>Of course, paying is the easiest way to eventually recover the data and re-establish compromised computing services – in particular if the damage done vastly exceeds the ransom demand. But hold on, there could be collateral costs, so let’s think about what other risks an entity might consider:</p> <ul><li><strong>Attackers’ ethics</strong>: Are the attackers serious, reasonable and trustworthy? Will they not be tempted to ask for even more money? Will they really hand out decryption keys? Will and can they ensure that all malicious activity is stopped and that any stolen data is purged and not further distributed?</li> <li><strong>General ethics</strong>: Ransom payments usually support and subsidise criminal activities and provide funding for more/other criminal activities. Hence, paying the attackers encourages them to either ask for more money and/or continue such a "lucrative" business against the same or another entity.</li> <li><strong>Legal risks</strong>: Is paying a ransom <a href="https://www.ncsc.admin.ch/ncsc/en/home/aktuell/news/news-archiv/sicherheitsrisiko-durch-ransomware.html">illegal</a> in <a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-001.pdf">the country</a> where the entity under attack is based? And what about the <a href="https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf">liabilities for damages</a> a bank suffers as a result of unknowingly carrying out a ransom payment instruction (e.g. if it causes them to breach – US – sanctions regulations)?</li> <li><strong>Insurance coverage</strong>: Is there a cyberinsurance policy in place that might cover ransom expenses? What are the conditions and are there any exclusion clauses that might invalidate coverage? 
Fun fact: attackers have already compromised some such insurance companies and, subsequently, attacked their clients, reasoning that “<a href="https://grahamcluley.com/ransomware-gang-says-it-targets-firms-with-cyber-insurance/">They’re covered by insurance, so they’re more likely to pay</a>”.</li> <li><strong>Reputational risks</strong>: The media will cover the fact that an entity has paid a ransom. How might this be perceived by the general public? By similar entities? By its peers and the wider community? Could there be negative consequences that would be detrimental or destructive to the entity?</li> <li><strong>Risk of "replay" attacks</strong>: Given that the attack (and a possible payment!) will become public, other attackers might see this as an incentive to also have a go, launch <a href="https://www.zdnet.com/article/ransomware-this-is-the-first-thing-you-should-think-about-if-you-fall-victim-to-an-attack/">a similar attack</a> and try to press for their money: “They paid once, why wouldn’t they pay twice?”</li> </ul><p>It’s not an easy call to make. While some entities paid, <a href="https://home.cern/news/news/computing/computer-security-blackmailing-academia-back-pen-and-paper">others did not</a>. In the end, it largely depends on what incident recovery and business continuity capabilities are in place. Recovery is incredibly complex, time-consuming and expensive, regardless of whether or not the ransom is paid. Do unaltered / untampered back-ups exist? Is all the information (documentation, configuration files, procedures, including all dependencies) available to rebuild systems and services from scratch? Has this restore and rebuild been regularly and successfully exercised? In case you manage or administer a computing service or control system, have you ever tried? 
If your palms are getting sweaty now, it’s time to talk: Computer.Security@cern.ch.</p> </div> Tue, 20 Jul 2021 12:35:19 +0000 anschaef 157654 at https://home.cern Computer Security: Dear summer students, welcome! https://home.cern/news/news/computing/computer-security-dear-summer-students-welcome <span>Computer Security: Dear summer students, welcome!</span> <div class="field field--name-field-p-news-display-byline field--type-entity-reference field--label-hidden field--items"> <div class="field--item">Computer Security team</div> </div> <span><span lang="" about="/user/151" typeof="schema:Person" property="schema:name" datatype="">anschaef</span></span> <span>Fri, 07/02/2021 - 11:55</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>A warm welcome to the summer-student class of 2021! We’re glad that you made it in these troubled times! We offer a packed agenda for the next two months: challenging lectures; interesting projects to tackle with your team; and lots of time to take a great big gulp of CERN’s academic freedom, spirit and creativity! In order to make your digital life as comfortable as possible, however, there are a few things you need to know.</p> <p>When you join CERN, you’re given a CERN computing account. 
Take care of <a href="https://home.cern/news/news/computing/computer-security-easy-way-lose-passwords">your account password</a> as any evil-doer might misuse it to spam the world on your behalf, abuse CERN’s computing clusters in your name, download journals in bulk from CERN’s digital library, or simply compromise your CERN PC and extract your photos, documents or personal data, or spy on you using your computer’s microphone or webcam. Worst-case scenario, <a href="https://home.cern/news/news/computing/blackmailing-enterprises-you-are-patient-zero">the whole Organization is at risk</a>! Similarly, take good care of your CERN and personal computers, tablets and smartphones. Give them some freedom to update themselves so you benefit from <a href="https://home.cern/news/news/computing/computer-security-what-do-apartments-and-computers-have-common">the latest protective measures</a>. “Auto-update” is a good friend, just make sure that it’s enabled – as it should be by default.</p> <p>A particularly nasty way to lose your password, at CERN or at home, is to reply to so-called “phishing emails”, i.e. emails asking for your password. No serious person – the CERN Computer Security team, the CERN Service Desk or your CERN supervisor – would send such an email, only dishonest people or fraudsters would. So stay on the lookout and don’t enter your password in weird webpages. Don’t click on links in emails <a href="http://home.cern/news/news/computing/computer-security-truth-lies-url">obviously not intended for you</a>, for example, emails not addressed to you, <a href="https://home.cern/news/news/computing/computer-security-when-cernch-not-cern">not coming from the real CERN</a>, not written in one of your native languages, or of no relevance to you. Ask us at Computer.Security@cern.ch if you have any doubts. Similarly, don’t randomly click on web links, but stop and think first. 
Otherwise, <a href="https://home.cern/cern-people/updates/2018/03/computer-security-malware-ransomware-doxware-and">you might infect your computer</a> in no time – and the sole remedy will be a full reinstallation of your device (easier if you have backups!).</p> <p>CERN has awesome network connectivity to the world. But it’s for professional purposes. While private usage is tolerated, please do not abuse this. Keep your bandwidth low. In particular, refrain from bulk downloading movies or software. Remember “copyright”? It also applies at CERN. <a href="http://home.cern/cern-people/updates/2017/03/computer-security-music-videos-and-risk-cern">Any violation of copyright</a> reported to CERN will be followed up and any infringement costs will be passed on to the perpetrator. The same holds true for pirated software. If you have stored pirated licence keys on your device, it’s time to delete them. Companies are monitoring for abuse of their software and infringement costs <a href="https://home.cern/news/news/computing/computer-security-when-free-not-free">can quickly reach five to six figures</a>. This one is of particular importance: if you need particular software, have a look at <a href="https://information-technology.web.cern.ch/services">CERN’s central software repositories</a>.</p> <p>While you’re at CERN, you might be working on a project requiring digital resources – setting up a webpage, writing some code, developing hardware. Please don’t reinvent the wheel if you need a database. Or a webserver. Or some software. The CERN IT department can provide a wide variety of <a href="https://home.cern/news/news/computing/computer-security-go-clever-go-central">centrally managed and secure services</a> for your digital convenience. Just put yourself on their shoulders and build on top. Free up your time and brain for creativity and let CERN IT provide the tools. 
Moreover, make sure that all your development work, software, design drawings, documentation and so on are made available to your supervisor when you leave. This will ensure your legacy lives on at CERN. If you keep them to yourself, they’ll get purged and deleted, and your time at CERN will be forgotten.</p> <p>Finally, like anywhere else, there are some rules to respect. Use of CERN’s computing facilities is governed by the <a href="https://cern.ch/computingrules">CERN Computing Rules</a>. Basically, be reasonable. Don’t do anything that could be considered immoral, illegal or abusive. Similarly, personal use of CERN’s computing facilities is tolerated, but within the aforementioned limits. For example, browsing pornography is forbidden unless you have a good professional reason to do so (and it might be awkward receiving a corresponding cease-and-desist email from us). In another example, <a href="https://home.cern/cern-people/updates/2018/01/computer-security-computing-power-professionals-only">crypto-mining on CERN’s computing clusters</a> is definitely a no-no. Just don’t.</p> <p>So, make sure that you respect these few ground rules – keep your system up to date – protect your password – STOP-THINK-DON’T CLICK – respect copyright – preserve your work – follow the CERN Computing Rules. We wish you a great and exciting stay at CERN. Have fun and enjoy!</p> 
</div> Fri, 02 Jul 2021 09:55:50 +0000 anschaef 157533 at https://home.cern Computer Security: The truth lies in the URL https://home.cern/news/news/computing/computer-security-truth-lies-url <span>Computer Security: The truth lies in the URL</span> <div class="field field--name-field-p-news-display-byline field--type-entity-reference field--label-hidden field--items"> <div class="field--item">Computer Security team</div> </div> <span><span lang="" about="/user/151" typeof="schema:Person" property="schema:name" datatype="">anschaef</span></span> <span>Wed, 06/23/2021 - 11:05</span> <div class="field field--name-field-p-news-display-body field--type-text-long field--label-hidden field--item"><p>Failed. We all failed spectacularly! We’re talking about the latest annual phishing campaign conducted by the CERN Computer Security team. Like last year, every CERN staff member and user received a fake message posing as a malicious attempt to convince them to click on the embedded link. Already clicking – and about 22% of recipients clicked! – put the corresponding device (and CERN) at risk, and the subsequently displayed fake login pages would have done the rest – more than 7% of recipients tried to provide their password (fortunately that fake login page didn’t accept passwords for privacy reasons). 
If it had been for real: device gone, password gone, CERN gone – see our <em>Bulletin</em> articles on “Ransomware” and the risks for CERN: “<a href="https://home.cern/news/news/computing/computer-security-what-do-accelerators-and-pipelines-have-common">What do accelerators and pipelines have in common?</a>”, “<a href="https://home.cern/news/news/computing/computer-security-blackmailing-academia-back-pen-and-paper">Blackmailing Academia: Back to pen and paper(?)</a>” and “<a href="https://home.cern/news/news/computing/blackmailing-enterprises-you-are-patient-zero">Blackmailing Enterprises: You are Patient Zero</a>”.</p> <p>On the plus side, hundreds of colleagues spotted the trap and reported their fake phishing email to the Computer Security team. Many more simply ignored the email, as the contents (“Contract amendment”, “COVID-19 internal report”, “Fund balance – confidential”, “X has shared a file with you”, “Teleworking Reminder”, “Updated vaccine schedule”, or “Your travel arrangements”) did not concern them. Some people cross-checked the sender names in the CERN Phonebook where, indeed, Sean Luggers, Sebastien Lodevinski, Luigi Valnese, Ramon Warze, Anne Longshire, Nikolae Fridilidis, Adriana Do Montes and Danielle Pecheur do not appear and, hence, do not seem to work for CERN (some of their namesakes, however, work for the Computer Security team). Others wondered about the embedded link that, while being labelled with “documentstore.cern.ch”, “hr.cern.ch”, “pf.cern.ch” or “covid-cern.ch”, actually pointed to either the domain cern.CG of the Republic of the Congo, or to the IP address 192.91.245.24. And there we go. The truth lies in the URL!</p> <p>While judging the relevance of the email itself based on typos or any other anomaly, or checking for names in the address book, is good practice (see <a class="bulletin" href="https://security.web.cern.ch/recommendations/en/malicious_email.shtml">our recommendations</a>), these methods aren’t foolproof. 
Attackers are trying their very best to perfect the spoofing of their malicious emails. Given that lots of information about CERN, CERN projects and current news is public, it’s easy to come up with increasingly targeted and sophisticated email messages – messages that anyone who isn’t vigilant would fall for*. And given that many of our names are published on one webpage or another, sending malicious emails using real CERN names would not have been a problem for attackers. The email protocol allows that – just as you can write any sender name on the paper envelope of your letter, <a href="http://cds.cern.ch/journal/CERNBulletin/2016/38/News%20Articles/2215901?ln=en">you can fake any email sender address you wish</a>. Easy-peasy.</p> <p>So, the best way to spot malicious emails is to check the web address that a link would lead you to. The truth lies in the URL, the uniform resource locator, <a href="https://home.cern/news/news/computing/computer-security-when-cernch-not-cern">pointing to the real internet contents</a>. The displayed text is all hollow words. “documentstore.cern.ch”, “hr.cern.ch”, “pf.cern.ch” or “covid-cern.ch” are just inventions. The truth lies beneath. In the URL. STOP—THINK—DON'T CLICK!!! Hover your mouse pointer over those hollow words, those duplicitous links, and the pop-up tooltip will reveal their truth, reveal the true destination.</p> <figure class="cds-image" id="CERN-HOMEWEB-PHO-2021-100-1"><a href="//cds.cern.ch/images/CERN-HOMEWEB-PHO-2021-100-1" title="View on CDS"><img alt="home.cern,Computers and Control Rooms" src="//cds.cern.ch/images/CERN-HOMEWEB-PHO-2021-100-1/file?size=large" /></a> <figcaption><span></span></figcaption></figure><p>The same holds true for any embedded link in WhatsApp messages, tweets, Facebook posts and Instagram threads. STOP—THINK—DON'T CLICK!!! It’s hard, but it’s still better than getting your device infected and compromised. Only if it’s cern.CH (for Switzerland) or home.CERN, is it us. 
If the pop-up looks dodgy, weird or unexpected or has contents differing from the displayed text, hold fire. Be vigilant, be sceptical. Better check with us first at Computer.Security@cern.ch. For the sake of your device’s security, and for the security of the Organization!</p> <p>Finally, and in particular, check the CERN login page before typing your password. The two valid Single Sign-On (SSO) pages for CERN are “login.cern.ch” for the old and “auth.cern.ch” for <a href="https://home.cern/news/news/computing/computer-security-new-single-sign">the new SSO webpage</a>. Every other URL is fake, bad, malicious and should be reported!!! Alternatively, use a password manager. It will prompt you to fill in your password ONLY on the CERN domain, so if the password manager suddenly refuses to enter your password, something may be majorly off...<br />  </p> <p><em>*Even we could have done better with our campaign. But it’s a slippery slope, as some companies discovered with their tests (see <a class="bulletin" href="https://www.theguardian.com/uk-news/2021/may/10/train-firms-worker-bonus-email-is-actually-cyber-security-test">here</a> and <a class="bulletin" href="https://www.cbsnews.com/news/tribune-bonus-email-hoax-cybersecurity-test/">here</a>).</em></p> </div> Wed, 23 Jun 2021 09:05:07 +0000 anschaef 157450 at https://home.cern