Have you ever had your purse or wallet stolen? Or your laptop? Your smartphone? Did someone break into your apartment or house and leave it in a mess? Or smash a window of your car and remove your valuables? Or did your bike just disappear? Have your credit cards ever been abused? Maybe you just don’t know yet – so wouldn’t you be interested to find out?
The same applies in the digital world. Passwords are getting phished or stolen from unprotected storage and regularly exposed (“The easy way to lose passwords”). Credit card numbers, expiry dates and CVVs (the three-digit security code on the back) are getting stolen. Computers are getting compromised and all their local data lost (“Malware, ransomware, doxware and the like”). Wouldn’t you be interested to learn if your passwords for CERN or any other external web service have been stolen and exposed by thieves? Wouldn’t you be keen to know whether details of your credit card have been secretly shared among fraudsters? Wouldn’t you like to find out whether your computer has ever been compromised and whether your personal data has been sold among criminals? And wouldn’t you love to acquire information as to whether you or your family have ever been, are or will be the target of cyber-criminals? While, of course, this is your private business*, it is best practice – in industry and as part of CERN’s due diligence responsibilities – to figure out what information the evil-doers have already gathered about the Organization, its operations, its staff and its users.
So, just as many other organisations and companies do for themselves, the Computer Security team has contracted an external company specialising in intelligence about the underground markets for stolen digital goods (sometimes labelled as the underground economy or the so-called “Deep & Dark Web” (DDW)). This company, like many of its competitors, has expert staff who have gained access to the hidden forums and vetted circles used by cyber-criminals to share, discuss and execute attack vectors and plans, and to sell or buy stolen digital goods, or even vulnerabilities and weaknesses. Consequently, this company collects any interesting data about many different stakeholders, similar to the way that the Google or Shodan search engines index and cache “normal” visible webpages. Our subscription with this external company permits us to query their vulnerability, password and attack vector database using a maximum of 500 keywords related to CERN, e.g. “cern.ch”, “INDICO”, “Large Hadron Collider”, “Medipix”, “Geant4”, “openlab”, “PasseportBigBang”. Based on our past experience, past incidents, past reports from our peers in the security community and past password dumps, such queries are intended to give more insight about the vulnerabilities and weaknesses that evil-doers have already gathered regarding CERN, its computing services and webpages; to discover any weak or disclosed CERN passwords or credit card information; and to find out the aims attackers have when targeting CERN, and which attack vector they plan to use (or, if already too late, have chosen in the past).
After one month of continuous queries, the company came back to us. Fortunately, their report has not revealed any critical or direct threats to the Organization, but provided only a series of minor findings which have been acted upon by the CERN Computer Security Team following its standard procedures and practices. A big thank you to those who swiftly repaired the affected computing resources and services! You can find some details in our Monthly Report once those issues have been fixed.
*If you want to figure out whether one of your passwords has been exposed, we suggest this fine and trustworthy site here: https://haveibeenpwned.com/.
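The site linked above checks a password against its breach corpus without ever receiving the password itself: the client hashes the password with SHA-1 and sends only the first five hex characters of the digest to the Pwned Passwords "range" endpoint, which answers with every known hash suffix sharing that prefix and a breach count for each, so the match is made locally. The following script is an added example (not part of the CERN article, and not Have I Been Pwned's own code) that implements that client-side matching logic; the endpoint shape and the SUFFIX:COUNT response format are the documented Pwned Passwords API, while the sample response body and its counts are constructed so the example runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Pwned Passwords k-anonymity lookup: only the first 5 hex characters of the
# SHA-1 digest ever leave the machine; the rest of the digest is compared
# locally against the suffixes the service returns for that prefix.
PREFIX_LEN = 5


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char
    prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the endpoint's 'SUFFIX:COUNT' lines into a suffix -> count map.
    Padded responses may include entries with count 0; they parse fine."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus
    (0 if the suffix is absent from the returned range)."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_lookup(prefix)
    return parse_range_response(body).get(suffix, 0)


# --- Constructed offline stand-in for the service ---------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, a well-known
# value. The filler lines and the breach count below are invented; a real
# response for this prefix contains hundreds of lines.
_KNOWN_PREFIX, _KNOWN_SUFFIX = sha1_prefix_suffix("password")
CONSTRUCTED_RANGE: Dict[str, str] = {
    _KNOWN_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # constructed filler
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",  # constructed filler
        f"{_KNOWN_SUFFIX}:3861493",               # constructed count
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",  # constructed filler
    ])
}


def offline_lookup(prefix: str) -> str:
    """Range lookup against the constructed sample above (no network)."""
    return CONSTRUCTED_RANGE.get(prefix, "")


def live_lookup(prefix: str) -> str:
    """Range lookup against the real endpoint. Not called by default; the
    Add-Padding header asks the service to pad the response so its size does
    not hint at how many suffixes share the prefix."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-checker"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = exposure_count(candidate, offline_lookup)
        prefix, _ = sha1_prefix_suffix(candidate)
        print(f"sent prefix {prefix}: seen {n} times (offline sample)")
```

Swapping `offline_lookup` for `live_lookup` in the `__main__` block turns this into a real check; the property worth noticing is that `exposure_count` never passes the password or its full hash to the lookup function, which is exactly what makes the service safe to use with a password you still rely on.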
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.