HALON 2024: another success with 72 vulnerabilities found

On 6 November, 19 teams gathered for the third edition of HALON, Hack Al Het Onderwijs Nederland. During this ethical hacking event, hackers go to work detecting vulnerabilities in the IT infrastructure of educational institutions in the Netherlands. This year, that led to the discovery of as many as 72 vulnerabilities at 10 educational institutions.

Targets and participants share their motivation for participating in HALON

After the introduction, the teams enthusiastically set to work searching the digital networks of ten institutions: Leiden University, Amsterdam UMC, Vrije Universiteit (VU), Utrecht University, Naturalis Biodiversity Center, Utrecht University of Applied Sciences, Radboud UMC, University of Amsterdam/Hogeschool van Amsterdam (UvA/HvA), Windesheim and NHL Stenden.

Roeland Reijers, chief information security officer (CISO) and also host of this edition, points out some of the reasons why the UvA/HvA has participated for three years in a row: "It is important to work well together at sectoral level, which is why I am also in the organisation this year. It is also important to have your IT infrastructure continuously tested. This is why we do not participate once, but for several years in a row. Having your infrastructure tested doesn't stop either."

Naturalis Biodiversity Center is participating for the first time this year. Joep Vermaat, lead developer at Naturalis, explains why: "Our first reaction was: 'there's no way we're taking part, we'll get hacked'. Yet we wanted to experience it once, bare our bottoms, so to speak, in the hope that we could learn new information about our infrastructure. Outsiders often see more. Besides, we do have experience with responsible disclosure, but in this organised way we see more clearly how our infrastructure is doing. And even though we started more cautiously, we have already gained more knowledge about the systems we have. Next year, we might even want to participate bigger."

Improving IT skills in a playful way

The hacking event offers students and industry employees the chance to improve their IT skills. HALON makes learning digital security playful and interactive, while participants simultaneously contribute to a safer learning and working environment.

Not only do institutions like Naturalis learn a lot from a HALON, students also find it educational to participate. Jonathan, a student at Leiden University, adds: "It is fun to participate because I push myself to spend a few hours doing hacking. It's also educational and feels good to give something back to the university. Normally I am a bit scared to hack anything, but here there are scopes on which I get to try things. This makes it a kind of playing field, which makes me dare to do a bit more things, because I know it's meant to be and I don't really break anything. At home I would never do this and that's why I would like to gain some experience here."

So what do the institutions think about this? Roeland agrees: "This way, we provide a platform for students to learn and experience this profession. It is brave that students participate and are trained in this way. In addition, it is incredibly important to create a culture where you report these kinds of vulnerabilities. Responsible disclosure is just incredibly important."

HALON strengthens digital resilience in education and research

The aim of HALON is to strengthen digital resilience within the Dutch education and research sector. As participating institutions open up part of their infrastructure, an important step is taken towards increased awareness and prevention of cyber threats. Although the primary focus is on the participants themselves, ultimately all education and research institutions benefit from the results HALON generates.

With this successful edition, HALON has once again proved how important ethical hacking is for the security of digital infrastructure in education.

A day at HALON: live report

As soon as the starting signal went off, it remained quiet for 15 minutes in terms of reported vulnerabilities. An hour and a half later, the counter stands at twenty reported vulnerabilities. After two hours, 14 verified vulnerabilities have been found, at seven different institutions. Before lunch, the state of play is: seventeen verified vulnerabilities found, but still three unhacked institutions.

With two hours of hacking left, the counter stands at 32 verified vulnerabilities at eight institutions. As the final hour begins, 40 verified vulnerabilities have been found at eight targets. Still one target that seems inviolable! The final results come in at 18:00. A total of 113 vulnerabilities have been reported, of which 72 have been verified, at all participating institutions.

Winners in different categories

In total, there were prizes to be won in three categories: 'the most creative verified vulnerability', 'the most advanced verified vulnerability' and 'found the most vulnerabilities across the most participating targets'.

The winners at a glance:

  1. Most creative verified vulnerability was won by the following two teams: 'Twente' and 'Garbage Selection'.
  2. Most advanced verified vulnerability was won by the following three teams: 'Reloading', 'ROC MN', and 'We actually do not have any interest to compete in halon and we are just here for the looting as is UvA tradition also radboud rules!!!!!!'.
  3. Found the most vulnerabilities across the most participating targets was won by the following team: 'Reloading'.

Also check out the HALON Hall of Fame.
