Illinois graduate student Shreya Udhani has recently authored a paper with College of Engineering’s Masooda Bashir and NCSA’s Alexander  Withers. The paper, "Human vs Bots: Detecting Human Attacks in a Honeypot Environment,” has been accepted at the 7th International Symposium on Digital Forensic and Security (ISDFS). Shreya is a student research programmer with NCSA’s Cybersecurity and Networking Division. The paper analyzes an SSH-based Honeypot deployed over a period of 423 days to identify human behavior traits which can essentially distinguish an automated attacker and a human attacker. The honeypot used in the experiment is part of the Science DMZ Actionable Intelligence Appliance (SDAIA), created here at NCSA.

Congrats to NCSA's Matias Carrasco Kind on being selected as one of six Trusted CI Open Science Cybersecurity Fellows for 2019!

NCSA's Justin Azoff and Alex Withers are co-authors with Illinois graduate student Phuong M. Cao and other Illinois researchers on a paper presented at this year's USENIX Symposium on Networked Systems Design and Implementation (NSDI). The paper describes CAUDIT, an operational system deployed at NCSA that enables the identification and exclusion of hosts that are vulnerable to SSH brute-force attacks. For more information, see the slides and full paper, the NCSA news item, and the GitHub sources.

Last Thursday Leandro Avila-Diaz gave a talk to NCSA staff about applying practical cybersecurity strategies to protect NCSA's (and the individual's) private data and resources. This talk was the initial launch of a quarterly series focusing on security for a variety of users and experience levels. Slides to the presentation are available on PDF.

To learn more about security at NCSA, see our website. To learn more about software development at NCSA, see our Github. Follow us on Twitter at @NCSASecurity.

NCSA's relationship with the Bro Project goes back to its earliest days of development, but the first NSF grant was awarded in 2010. The grant helped establish a stable development cycle as well as providing funds for workshops and conferences. NCSA hosted the first Bro Workshop in 2011 and went on to coordinate and host many more events for the project, at NCSA and other venues. Earlier this year we handed off the role of coordinating Bro events, which has given us the opportunity to reflect on lessons learned from hosting numerous open source software conferences. 

We have assembled a fairly comprehensive list of tasks and insights into hosting an event. The full list can be found here, but highlights include tips for building the event page, a sample sponsorship prospectus, and what requirements should be considered when picking an event venue.

Today NCSA's Justin Azoff gave a talk demonstrating a few tools written and used by the Cybersecurity and Networking Team. The talk was well attended by members of NCSA, Campus Security, Engineering IT, ESNet, and the Consortium of Academic and Research Libraries (CARLI). The focus of the talk was on Bro, of which Justin is a member of the development team; and other tools developed in-house: Dumbno, SSH-Auditor, and Blackhole Router Site. To learn more about software development at NCSA, see our Github. Follow us on Twitter at @NCSASecurity.

Justin's work has been funded in part by NSF Award Number 1547249.

Farewell Adam!

NCSA's Director of Cybersecurity and Networking, Adam Slagell, has accepted a position at ESNet as their Chief Security Officer.

Adam joined NCSA in 2003 as a security engineer. Over the 15 years he's worked for NCSA he was promoted to numerous positions, including CISO in 2012, and Director of the Cybersecurity Division in 2015 (which later merged with the Networking Division). In his time at NCSA he served as PI and Co-PI for numerous grants, co-managed the Bro Project in collaboration with the International Computer Science Institute (ICSI) at UC Berkeley, was security operations co-lead for the XSEDE federation, and led the team that created the first HIPAA enclave on the UIUC campus. Adam's contributions to NCSA and the UIUC campus have been numerous. We will miss his friendly face in the hallways, the coffee walks, and most of all his leadership. We wish him the best of luck in his new position!

Adam SlagellAdam Slagell and Amy Schuele

NCSA staff saying farewell

NCSA Security Team wins the 2017 SANS Holiday Hack Challenge!

The NCSA Security Operations Team has won the Grand Prize for the 2017 SANS Holiday Hack Challenge! This is following up their win for Best Technical Answer for the 2016 SANS Holiday Hack Challenge.

To listen to the recording of the SANS Webinar covering answers and winners follow this link.

NCSA Cybersecurity staff will be presenting at the 2018 EDUCAUSE Security Professionals Conference in April. Warren Raquel (NCSA) will co-present training sessions on Incident Response and Security Log Analysis with Mark Krenz (IU) on April 10. Jim Basney (NCSA) will co-present a breakout session on Cybersecurity for Research on Campus: Not Just HIPAA & FISMA with Anurag Shankar (IU) and Von Welch (IU) on April 11. These activities are part of our work with the Center for Trustworthy Scientific Cyberinfrastructure. Registration for the conference is now open!

NCSA Supports Sirtfi

NCSA's InCommon identity provider (IdP) now officially supports the Security Incident Response Trust Framework for Federated Identity (Sirtfi). InCommon has tagged the NCSA IdP as Sirtfi-compliant in federation metadata. This enables cybersecurity researchers at NCSA and other researchers with NCSA identities to access federated services at CERN and around the world where Sirtfi compliance is required. For more information about InCommon's Sirtfi program, see the InCommon Sirtfi FAQ. The eduGAIN Entities Database contains a growing number of identity providers, service providers, and attribute authorities around the world that assert compliance with Sirtfi.

Securing IoT Devices

Part of our mission here at the CyberSecurity & Networking Division is advancing applied cybersecurity and networking research and anticipating future security trends and threats.  Working towards that end is the Science DMZ Actionable Intelligence Appliance (SDAIA) project—currently in development—which collects data from allocated but unused networking space.  The data is analyzed for potential threats and shared with participating partners.


Large amounts of data have been collected from many thousands of unused IPs and we noticed several trends.  All of the data collected so far have been SSH brute-force attacks, where automated attackers attempt to guess user and password combinations, giving them access to devices listening with an SSH service.  We have noticed that a lot of the user/password combinations indicate an attacker preference for connected, embedded or “smart” devices—often referred to as the Internet of Things, or IoT.  For example, within the 20 most common hits we found:


ubntubnt"wireless networking equipment"
openelec"Linux based media center"
dreambox“Linux based set-top box receiver"
raspberrypi"single board computer, typically running Linux"
000000"imaging, webcam"
raspberry"single board computer, typically running Linux"
xmhdipc"imaging, webcam"
anko"imaging, webcam"
welc0me“Linux based NAS device"
rpitc"raspberrypi thin client"
uClinux"linux on embedded microcontrollers"
nosoup4u”Linux based NAS device"
alpine“smart phone"
rootubnt"wireless networking equipment"


These attacks point to the pervasiveness of these devices, which are projected to be over 7 billion by the end of this year.  As these scans indicate, there has been little attempt to secure these devices, let alone change the default password—despite a large number of high profile denial of service attacks and worryingsecurity vulnerabilities. As has been pointed out by many experts, changing the default password on these devices can often prevent them from being infected by malicious software.
How can you ensure that you can quickly identify these devices on your networks?   There are two possibilities. A passive solution relies on constant examination of traffic in and out of your networks using software such as the Bro IDS.  The downside to this technique is that Bro will only detect insecure devices once they have been compromised.  An active solution relies on scanning all parts of your network and testing whether the devices are actually vulnerable. SSH-auditor is an example of software that can do this efficiently and can be found at NCSA’s github repository collection.  Seeding this software with the most common user/password combinations and scheduling frequent scans of your network can very quickly identify vulnerable devices.

The following announcement is an NCSA press release, the original may be found here.

The Global Environment for Network Innovations (GENI), funded by the National Science Foundation, is now benefitting from identity management capabilities provided by NCSA. Specifically, GENI is using NCSA's federated identity provider to enable access for researchers whose home organization does not operate its own federated identity provider.

GENI provides a virtual laboratory for networking and distributed systems research and education. GENI provides a unique, free-to-use combination of computing and network resources, including the ability to program the network. Experimenters log in to the GENI Portal to gain access to the testbed and manage projects, access tools, and reserve resources. GENI requires authentication for testbed access to ensure that experimenters do not disrupt each other's work and to allocate testbed resources efficiently across multiple experiments.

GENI uses federated authentication so that experimenters can access GENI using their home organization identities, without needing to create a separate GENI password. Using organizational identities also makes it easier for experimenters to invite each other into project groups. The InCommon federation connects GENI to over 450 identity providers in the United States.

NCSA added its identity provider to the InCommon federation in July. NCSA's identity provider is relatively unique in that it offers accounts not just to NCSA members but also to the wider scientific research community, as part of NCSA's mission to provide cyberinfrastructure to support the work of scientists, engineers, and scholars at the University of Illinois and across the country. When first visiting the GENI portal, if the experimenter finds that their home organization does not offer a federated identity provider, they can easily request an NCSA account if they don't have one already and then log in to the GENI portal using their NCSA account. InCommon's "Identity Provider of Last Resort" working group documented the need for identity providers like NCSA's that provide accounts to individuals who are not served by existing organizational identity providers.

Jim Basney and Tom Mitchell led the effort to connect the GENI Portal to NCSA's identity provider. Jim is a senior research scientist in NCSA's Cybersecurity division and a former member of the InCommon Technical Advisory Committee. Tom is a senior software engineer for the GENI Project Office at Raytheon BBN Technologies and a current member of the InCommon Technical Advisory Committee.

Jim explained, "NCSA has a 30 year history of providing accounts to a national community of computational scientists. We recently updated NCSA's account management system to support a wider range of scientific cyberinfrastructure, beyond traditional supercomputing accounts. That update made it possible for NCSA to register an 'identity provider of last resort' with InCommon for use by GENI and other science projects."

"Experimenters access GENI using more than 200 federated identity providers, but 30% of GENI experimenters need an 'identity provider of last resort.' Leveraging the NCSA identity provider should make it easier for those unaffiliated users to access GENI and other NSF-funded cyber infrastructure," said Tom. "NCSA's identity provider is a shared resource for NSF projects like GENI, so each project does not need to duplicate the effort of operating its own identity provider in the InCommon federation, and researchers can use a single account across multiple science projects."

NCSA's CyberSecurity Division is hiring research programmers and security engineers! Join our team to work on cutting edge software and projects that help secure cyberinfrastructure for national and international science and engineering research communities. Please view the position postings (65782 and 70543) to apply.

In mid-August, the NCSA Cybersecurity Division participated in the 2016 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure in Arlington, VA. The theme this year was strengthening trustworthy science. As members of CTSC, the NCSA CSD team presented two of the all day training sessions and participated in a panel discussion. 

James Basney and Spherical Cow Group's Scott Koranda presented the training "Federated Identity Management for Research Organizations." The goal of the training was the provide an overview of the challenges research organizations, especially virtual organizations, face when utilizing identity management tools and services to manage access to their resources. Click here to view the slide presentation. 

Warren Raquel, Vlad Grigoresqu, Adam Slagell, and Jeannette Dopheide presented the training "Security Log Analysis with CTSC and Bro." The goal of the training was to provide a detailed walkthrough of the log analysis life cycle with interactive demonstrations using the Bro network analysis softwareClick here to view the slide presentation.

Adam Slagell was a member of the panel talk "FBI Case 216," a cyber attack that Slagell and other members of NCSA helped investigate. While the attack occurred over 13 years ago, its impact on cybersecurity, and the lessons learned, are still relevant today.

A full agenda and more slide presentations are available on the summit's event page.

As members of the Center for Trustworthy Scientific Cyberinfrastructure (CTSC), the NCSA Cybersecurity Division participated in the launch of a new webinar series. The purpose of the series is to provide readily available cybersecurity services tailored to the NSF science community. 

The series began in May and includes such topics as how to perform a risk self-evaluation, the XSEDE security team's process of information sharing, and the benefits of building a ScienceDMZ. Presenters include members of CTSC and its community.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."