Computer Security: Bingo walk-through

Once more, bravo to all those who participated in the Bull**** Bingo in the last but one Bulletin issue and sent us their solution. The Hawaiian pizza was quickly gone. But some people were wondering why their responses were not correct… Good point, so let’s walk through that Bingo:

  • 1A “There is no malware for Apple devices” ─ was a slogan of the past, as the big market share was with Microsoft Windows. But that has changed. And owners of a MacBook are perceived as being richer, so the spoils are larger...;
  • 1B “Software from the Google Play Store is harmless” ─ actually, anyone can push any application to the Google Play Store. It is not curated or validated so it has become a dump for malware, too. The Apple store is better in that respect, as Apple keeps it tightly controlled (to make money) and only admits applications that follow their policies (which doesn’t mean that there are no problems either);
  • 1C “Security is everyone’s responsibility” ─ indeed! Given the academic environment at CERN, its openness and the freedom you have to benefit from any (legal) computing resource, it is impossible for the Computer Security team to shoulder the responsibility for your digital assets. We have to count on you to keep those secure, and we are happy to help you do so;
  • 1D “SSH on port 2222/tcp is more secure” ─ nope. This is called security-through-obscurity as SSH normally runs on port 22/tcp. Changing that might only deter the lightweight attackers and, thus, keep the noise level down. The experts run reconnaissance tools like “nmap”, which find SSH regardless of which port you use;
  • 1E “Spam and malware filtering is 100% effective” ─ we wish! But in CERN’s environment, with the openness to use the CERN email address for personal matters, with the multitude of languages spoken and written at CERN, and with the large academic community sending emails back and forth, for many emails it is hard to tell whether they are spam or not. We try our best, but, admittedly, there is room for improvement;
  • 2A “2FA is a big step forward for account protection” ─ it is! With two-factor authentication it is no longer enough to remotely steal your password (e.g. via a so-called phishing attack). The attacker would also need to have physical access to your smartphone or hardware token, and most attackers are not close by. In addition, you would quickly notice the theft of your smartphone or keys, no?
  • 2B “Emails from “@cern.ch” are legitimate” ─ emails can be easily spoofed. That means that an email is not necessarily sent from a “cern.ch” mail service but from another one (e.g. gmail.com). This is called “spoofing” and is the reason why so many emails are currently quarantined in our mail appliances, because the sender is consciously or accidentally spoofing email addresses;
  • 2C “I'm personally not a target as I'm not interesting to attackers” ─ don’t be so humble. You are interesting (!) even if you might not be the one working on that very confidential, top-secret or highly visible stuff. You might just be the entry point. The personal assistant used to attack the boss. The colleague to trick your peers. The patient zero to infect and compromise others…
  • 2D “Back-ups cannot be altered” ─ as long as they remain connected and remotely reachable and are not immutable, most back-ups can be altered. CERN takes special care to ensure that back-ups are secure, but if you leave your external hard-disk connected to your laptop, it is for some malware only another folder to subject to ransomware encryption;
  • 2E “I have nothing to hide” ─ don’t you? Can I get your credit card PIN? Install a camera in your place? Access the “deleted photos” folder on your smartphone?
  • 3A “I would never fall for phishing” ─ said many other people before. We usually catch out 10% of CERN accountholders with our annual phishing campaigns;
  • 3B “Only the link behind a text/QR code reveals its truth” ─ yessss! What is displayed can be anything (for readability or for obfuscation). Only once you hover your mouse over the link or check the text displayed right before taking the QR photo, is the real destination revealed;
  • 3C “CERN’s technical network is secure” ─ it is secured. But given its complexity, its automatic interaction with CERN’s Data Centres and the need for experts and operators to remotely connect to the technical network, it is far from being perfectly secure. There is still some margin for improvement!
  • 3D “A password written on a post-it is a good idea” ─ if you want to give the cleaning personnel or visitors access to your computer. And you shouldn’t!
  • 3E “QR codes always link to legit sites” ─ nope. There is no guarantee of that (see 3B above);
  • 4A “A (free) VPN service protects me” ─ but remember, if you're not paying for the product, there's a very high chance that you are the product. There is no guarantee regarding anonymity or privacy with a free VPN, and the provider is free to share your data with third parties as they see fit or to (ab)use your network bandwidth for other purposes. This is why, for example, “Hola! VPN” is forbidden at CERN. Paid VPNs are better, but still protect only your communication; they do not protect against the content you access. In the end, it is a question of whom you trust more, your ISP (and thus indirectly the country/jurisdiction under which that ISP operates) or your VPN provider (and the country where they/their servers are located);
  • 4B “Password protection on my laptop protects its data” ─ actually, that password protects interactive access to your laptop. But if you don’t take extra precautions to encrypt your hard disk with BitLocker (Windows) or FileVault (macOS), your laptop is for an attacker just another unprotected storage system, like a USB stick;
  • 4C “My browser’s password manager is secure” ─ that depends very much on the kind and on which version you run. In the past, passwords were even stored in plain text in some browsers. Hence, if you can’t remember your passwords, a stand-alone password manager might be the better choice;
  • 4D “CERN is not interesting to attackers” ─ was never a true statement. The Chaos Computer Club infiltrated CERN in 1986; at the beginning of the millennium we fought “Phalanx”, “Windigo” and “ebury” in our data centres and on the WLCG; and today CERN is targeted by ransomware attacks like anyone else;
  • 4E “CERN’s anti-malware software is free for you to download” ─ yes, it is! For the protection of your devices at CERN and at home, and for the wider protection of CERN;
  • 5A “Using “https” means the website is secure” ─ the “s” in “https” indicates that the communication is protected by encryption and, hence, from eavesdropping. But this says nothing about the trustworthiness of the website behind it;
  • 5B “CERN’s outer perimeter firewall keeps all threats away” ─ if that were true, we wouldn’t have this article here. While that firewall blocks a large fraction of malicious and unwanted traffic, it is not watertight and requires other “defence-in-depth” layers to catch all threats;
  • 5C “Cloud services cannot be hacked” ─ actually, cloud service providers are in the same boat as everyone else and, in addition, are big targets with lots of revenue to be made. Indeed, there have been reports in the past of a multitude of successful attacks on large cloud service providers like Okta, Microsoft, LastPass, etc.;
  • 5D “Encryption is easy; key management is complicated” ─ true! There are a multitude of good encryption mechanisms on the market. It gets tricky, however, to ensure that the decryption keys are properly and securely stored. If they get lost, so is your encrypted data. And it gets even more tricky if several people, each with their own decryption key, need to access the data;
  • 5E “WiFi is always secure” ─ WiFi is just a communication method, here via the air. It does not say anything about access protection or encrypted communication. If you want a secure WiFi, ensure that the communication is subject to “WPA3” and, even better, always use encrypted protocols: SSH or HTTPS (see 5A above).
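The spoofing point in 2B is easy to demonstrate on the receiving side. The Python below is an added example, not code from the CERN Computer Security team: it reads the Authentication-Results header that a receiving mail gateway adds (the SPF, DKIM and DMARC verdicts) and flags messages that claim an @cern.ch sender but did not pass those checks. The three sample messages and the gateway name mx.example.org are constructed for the example, and the rule that a DMARC pass, or SPF and DKIM both passing, counts as authenticated is a simplifying assumption for illustration.

```python
"""Flag messages whose From: claims a trusted domain but which failed sender authentication."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "cern.ch"  # assumption for the example: the domain whose spoofing we care about


def parse_auth_results(header_value):
    """Turn 'mx.example.org; spf=pass ...; dkim=fail ...' into {'spf': 'pass', 'dkim': 'fail'}.

    The first ';'-separated field is the authserv-id of the gateway and is skipped.
    """
    results = {}
    for part in header_value.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part)
        if m:
            results[m.group(1)] = m.group(2).lower()
    return results


def from_domain(msg):
    """Domain of the address in the From: header (the one the user sees), lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def assess(raw_message):
    """Return 'external', 'authenticated' or 'suspected-spoof' for one RFC 822 message."""
    msg = message_from_string(raw_message)
    if from_domain(msg) != TRUSTED_DOMAIN:
        return "external"
    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        auth.update(parse_auth_results(header))
    # Assumption: DMARC pass, or SPF and DKIM both passing, is good enough; anything else is not.
    if auth.get("dmarc") == "pass" or (auth.get("spf") == "pass" and auth.get("dkim") == "pass"):
        return "authenticated"
    return "suspected-spoof"


# Constructed sample messages; the gateway mx.example.org and all addresses are invented.
SPOOFED = """\
From: "IT Service Desk" <service-desk@cern.ch>
To: someone@cern.ch
Subject: Your mailbox is full
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=cern.ch; dkim=none; dmarc=fail header.from=cern.ch

Please confirm your password to keep your mailbox.
"""

LEGITIMATE = """\
From: "Computer Security" <Computer.Security@cern.ch>
To: someone@cern.ch
Subject: Monthly Report
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=cern.ch; dkim=pass header.d=cern.ch; dmarc=pass header.from=cern.ch

The monthly report is online.
"""

EXTERNAL = """\
From: friend@gmail.com
To: someone@cern.ch
Subject: Pizza?
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass

Hawaiian again?
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE), ("external", EXTERNAL)):
        print(f"{name:10} -> {assess(raw)}")
```

A message with a cern.ch From: and no Authentication-Results header at all is also reported as a suspected spoof, which is the safe default: the absence of a verdict is not a pass.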
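Point 3B, the displayed text versus the real destination, can also be checked mechanically. The Python below is an added example and not the team's own code: it parses the anchors in an HTML message body and flags links whose visible text looks like a URL or hostname but whose href goes to a different registrable domain. The sample body and the cern-ch.login-portal.example host are constructed for the example; treating the last two labels of a hostname as the registrable domain is a simplification (a real check would use the public suffix list).

```python
"""Flag HTML links whose visible text names one site while the href points to another."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a URL or a hostname, with or without a scheme.
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (simplification; real code would use the public suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return (visible text, real href) for links whose text names a different site than the href."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not URLISH.match(text):
            continue  # "Click here" style text cannot be compared; only hovering reveals the target
        shown_host = urlparse(text if "://" in text else "https://" + text).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and registrable_domain(shown_host) != registrable_domain(real_host):
            flagged.append((text, href))
    return flagged


# Constructed sample body for the example; the look-alike hostname is invented.
SAMPLE_HTML = """
<p>Your password expires today. Log in at
<a href="https://cern-ch.login-portal.example/reset">https://login.cern.ch/</a> now.</p>
<p>Security tips: <a href="https://security.web.cern.ch/">security.web.cern.ch</a></p>
<p><a href="https://example.net/survey">Click here</a> for the survey.</p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"shown: {text!r:40} real: {href}")
```

Only the first link is reported: its text names login.cern.ch while the href leads elsewhere. The second link is consistent, and the third cannot be judged from its text at all, which is exactly why the article tells you to hover over the link before clicking.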

Complicated? Maybe. But that’s why we keep you regularly updated in our Bulletin articles. So, once again, CONGRATULATIONS to those who got five right answers. And THANK YOU to you all for helping to keep CERN secure!

_______

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.