Members of NCSA's CSND will be attending PEARC19 and presenting four posters during the poster reception. If you are attending PEARC, the session will be held on Tuesday, July 30th from 6:30 - 8:30pm in the Crystal Foyer and Crystal B rooms. Stop by and see what we've been working on.

  • Corey Eichelberger, Approaches to High Resolution Network Telemetry & Analytics with Machine Learning In Support of High Performance Computing

    • This poster describes ongoing efforts at NCSA to gather high resolution (< 10s collection interval) network telemetry data utilizing SNMP and streaming telemetry with machine learning being utilized to analyze and generate alerts on the data being collected.

  • Kapil Agrawal, Automated network provisioning and orchestration for vendor agnostic networks

    • This poster highlights how network engineers can abstract their network infrastructure as a code using a data modeling strategy and use network automation tools to auto provision devices in a vendor agnostic manner.

  • Alex Withers, Jeff Gaynor, Jim Basney and student collaborator You Alex Gao; SciTokens: Demonstrating Capability-Based Access to Remote Scientific Data using HTCondor
    • SciTokens introduces a capabilities-based authorization infrastructure for distributed scientific computing, to help scientists manage their security credentials more reliably and securely. These access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources and public clouds. This poster presents SciTokens project updates since PEARC18.
  • Jim Basney, Trusted CI, the NSF Cybersecurity Center of Excellence
    • Trusted CI's mission is to provide the NSF community a coherent understanding of cybersecurity's role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs. Trusted CI addresses the challenge for meeting the needs of individual cyberinfrastructure projects through deep engagements, training, and dissemination of experiences. NCSA is part of the Trusted CI team. To learn more about Trusted CI's involvement at PEARC, see their blog post.

Update: the talk has bee posted to YouTube. The slides have been archived.

Von Welch will be presenting the talk, "Cybersecurity to Enable Science: Hindsight & Vision from the NSF Cybersecurity Center of Excellence," at the NCSA on Thursday, May 30th at 10am Central at the NCSA Auditorium. Von is the director of Trusted CI, which is a collaborative partnership with Indiana University, NCSA, University of Wisconsin-Madison, Pittsburgh Supercomputing Center, Internet2, and Berkeley Lab. 

Read the full event details here. We are streaming the presentation online if you are not able to attend in person.

Abstract: How can cybersecurity play an enabling role in scientific research? This talk describes the first five years of experience from NSF Cybersecurity Center of Excellence, its vision for the next five, and its take on how cybersecurity supports scientific integrity, reproducibility, and productivity.

Speaker Bio: Von Welch has been enabling scientific research through cybersecurity for over twenty years. He serves as the Director and PI for the NSF Cybersecurity Center of Excellence (Trusted CI) and for the recently announced NSF-funded Research Security Operations Center (ResearchSOC). At Indiana University he is the Director of the Center for Applied Cybersecurity Research (CACR) and an Associate Director for the IU Pervasive Technology Institute.

Join Trusted CI's announcements mailing list for information about upcoming events.

NCSA's CyberSecurity Division is hiring research scientist. Join our team to work on cutting edge software and projects that help secure cyberinfrastructure for national and international science and engineering research communities. For more details, view the full position posting on NCSA's site. To apply, see the University of Illinois jobs page.

Security Operations Manager James Eyrich gave the second of a series of security talks to NCSA staff today. The presentation focused on instructions for setting up NCSA DUO and LastPass accounts. The presentation also included a demonstration from Innovative Technology Services's Tim Dudek on how to reset your NCSA password. Slides, including step-by-step instructions for setting up DUO and LastPass, are available in PDF below.

Setting up NCSA Duo (2019)

Setting up NCSA LastPass (2019)

If you have questions or need assistance setting up these accounts, please contact us at

To learn more about security at NCSA, see our website. To learn more about software development at NCSA, see our Github. And follow us on Twitter at @NCSASecurity.

Illinois graduate student Shreya Udhani has recently authored a paper with College of Engineering’s Masooda Bashir and NCSA’s Alexander  Withers. The paper, "Human vs Bots: Detecting Human Attacks in a Honeypot Environment,” has been accepted at the 7th International Symposium on Digital Forensic and Security (ISDFS). Shreya is a student research programmer with NCSA’s Cybersecurity and Networking Division. The paper analyzes an SSH-based Honeypot deployed over a period of 423 days to identify human behavior traits which can essentially distinguish an automated attacker and a human attacker. The honeypot used in the experiment is part of the Science DMZ Actionable Intelligence Appliance (SDAIA), created here at NCSA.

Congrats to NCSA's Matias Carrasco Kind on being selected as one of six Trusted CI Open Science Cybersecurity Fellows for 2019!

NCSA's Justin Azoff and Alex Withers are co-authors with Illinois graduate student Phuong M. Cao and other Illinois researchers on a paper presented at this year's USENIX Symposium on Networked Systems Design and Implementation (NSDI). The paper describes CAUDIT, an operational system deployed at NCSA that enables the identification and exclusion of hosts that are vulnerable to SSH brute-force attacks. For more information, see the slides and full paper, the NCSA news item, and the GitHub sources.

Last Thursday Leandro Avila-Diaz gave a talk to NCSA staff about applying practical cybersecurity strategies to protect NCSA's (and the individual's) private data and resources. This talk was the initial launch of a quarterly series focusing on security for a variety of users and experience levels. Slides to the presentation are available on PDF.

To learn more about security at NCSA, see our website. To learn more about software development at NCSA, see our Github. Follow us on Twitter at @NCSASecurity.

NCSA's relationship with the Bro Project goes back to its earliest days of development, but the first NSF grant was awarded in 2010. The grant helped establish a stable development cycle as well as providing funds for workshops and conferences. NCSA hosted the first Bro Workshop in 2011 and went on to coordinate and host many more events for the project, at NCSA and other venues. Earlier this year we handed off the role of coordinating Bro events, which has given us the opportunity to reflect on lessons learned from hosting numerous open source software conferences. 

We have assembled a fairly comprehensive list of tasks and insights into hosting an event. The full list can be found here, but highlights include tips for building the event page, a sample sponsorship prospectus, and what requirements should be considered when picking an event venue.

Today NCSA's Justin Azoff gave a talk demonstrating a few tools written and used by the Cybersecurity and Networking Team. The talk was well attended by members of NCSA, Campus Security, Engineering IT, ESNet, and the Consortium of Academic and Research Libraries (CARLI). The focus of the talk was on Bro, of which Justin is a member of the development team; and other tools developed in-house: Dumbno, SSH-Auditor, and Blackhole Router Site. To learn more about software development at NCSA, see our Github. Follow us on Twitter at @NCSASecurity.

Justin's work has been funded in part by NSF Award Number 1547249.

Farewell Adam!

NCSA's Director of Cybersecurity and Networking, Adam Slagell, has accepted a position at ESNet as their Chief Security Officer.

Adam joined NCSA in 2003 as a security engineer. Over the 15 years he's worked for NCSA he was promoted to numerous positions, including CISO in 2012, and Director of the Cybersecurity Division in 2015 (which later merged with the Networking Division). In his time at NCSA he served as PI and Co-PI for numerous grants, co-managed the Bro Project in collaboration with the International Computer Science Institute (ICSI) at UC Berkeley, was security operations co-lead for the XSEDE federation, and led the team that created the first HIPAA enclave on the UIUC campus. Adam's contributions to NCSA and the UIUC campus have been numerous. We will miss his friendly face in the hallways, the coffee walks, and most of all his leadership. We wish him the best of luck in his new position!

Adam SlagellAdam Slagell and Amy Schuele

NCSA staff saying farewell

NCSA Security Team wins the 2017 SANS Holiday Hack Challenge!

The NCSA Security Operations Team has won the Grand Prize for the 2017 SANS Holiday Hack Challenge! This is following up their win for Best Technical Answer for the 2016 SANS Holiday Hack Challenge.

To listen to the recording of the SANS Webinar covering answers and winners follow this link.

NCSA Cybersecurity staff will be presenting at the 2018 EDUCAUSE Security Professionals Conference in April. Warren Raquel (NCSA) will co-present training sessions on Incident Response and Security Log Analysis with Mark Krenz (IU) on April 10. Jim Basney (NCSA) will co-present a breakout session on Cybersecurity for Research on Campus: Not Just HIPAA & FISMA with Anurag Shankar (IU) and Von Welch (IU) on April 11. These activities are part of our work with the Center for Trustworthy Scientific Cyberinfrastructure. Registration for the conference is now open!

NCSA Supports Sirtfi

NCSA's InCommon identity provider (IdP) now officially supports the Security Incident Response Trust Framework for Federated Identity (Sirtfi). InCommon has tagged the NCSA IdP as Sirtfi-compliant in federation metadata. This enables cybersecurity researchers at NCSA and other researchers with NCSA identities to access federated services at CERN and around the world where Sirtfi compliance is required. For more information about InCommon's Sirtfi program, see the InCommon Sirtfi FAQ. The eduGAIN Entities Database contains a growing number of identity providers, service providers, and attribute authorities around the world that assert compliance with Sirtfi.

Securing IoT Devices

Part of our mission here at the CyberSecurity & Networking Division is advancing applied cybersecurity and networking research and anticipating future security trends and threats.  Working towards that end is the Science DMZ Actionable Intelligence Appliance (SDAIA) project—currently in development—which collects data from allocated but unused networking space.  The data is analyzed for potential threats and shared with participating partners.


Large amounts of data have been collected from many thousands of unused IPs and we noticed several trends.  All of the data collected so far have been SSH brute-force attacks, where automated attackers attempt to guess user and password combinations, giving them access to devices listening with an SSH service.  We have noticed that a lot of the user/password combinations indicate an attacker preference for connected, embedded or “smart” devices—often referred to as the Internet of Things, or IoT.  For example, within the 20 most common hits we found:


ubntubnt"wireless networking equipment"
openelec"Linux based media center"
dreambox“Linux based set-top box receiver"
raspberrypi"single board computer, typically running Linux"
000000"imaging, webcam"
raspberry"single board computer, typically running Linux"
xmhdipc"imaging, webcam"
anko"imaging, webcam"
welc0me“Linux based NAS device"
rpitc"raspberrypi thin client"
uClinux"linux on embedded microcontrollers"
nosoup4u”Linux based NAS device"
alpine“smart phone"
rootubnt"wireless networking equipment"


These attacks point to the pervasiveness of these devices, which are projected to be over 7 billion by the end of this year.  As these scans indicate, there has been little attempt to secure these devices, let alone change the default password—despite a large number of high profile denial of service attacks and worryingsecurity vulnerabilities. As has been pointed out by many experts, changing the default password on these devices can often prevent them from being infected by malicious software.
How can you ensure that you can quickly identify these devices on your networks?   There are two possibilities. A passive solution relies on constant examination of traffic in and out of your networks using software such as the Bro IDS.  The downside to this technique is that Bro will only detect insecure devices once they have been compromised.  An active solution relies on scanning all parts of your network and testing whether the devices are actually vulnerable. SSH-auditor is an example of software that can do this efficiently and can be found at NCSA’s github repository collection.  Seeding this software with the most common user/password combinations and scheduling frequent scans of your network can very quickly identify vulnerable devices.