Farewell Adam!

NCSA's Director of Cybersecurity and Networking, Adam Slagell, has accepted a position at ESNet as their Chief Security Officer.

Adam joined NCSA in 2003 as a security engineer. Over the 15 years he's worked for NCSA he was promoted to numerous positions, including CISO in 2012, and Director of the Cybersecurity Division in 2015 (which later merged with the Networking Division). In his time at NCSA he served as PI and Co-PI for numerous grants, co-managed the Bro Project in collaboration with the International Computer Science Institute (ICSI) at UC Berkeley, was security operations co-lead for the XSEDE federation, and led the team that created the first HIPAA enclave on the UIUC campus. Adam's contributions to NCSA and the UIUC campus have been numerous. We will miss his friendly face in the hallways, the coffee walks, and most of all his leadership. We wish him the best of luck in his new position!

Adam Slagell

Adam Slagell and Amy Schuele

NCSA staff saying farewell

NCSA Security Team wins the 2017 SANS Holiday Hack Challenge!

The NCSA Security Operations Team has won the Grand Prize for the 2017 SANS Holiday Hack Challenge! This follows their win for Best Technical Answer in the 2016 SANS Holiday Hack Challenge.

To listen to the recording of the SANS Webinar covering answers and winners follow this link.

NCSA Cybersecurity staff will be presenting at the 2018 EDUCAUSE Security Professionals Conference in April. Warren Raquel (NCSA) will co-present training sessions on Incident Response and Security Log Analysis with Mark Krenz (IU) on April 10. Jim Basney (NCSA) will co-present a breakout session on Cybersecurity for Research on Campus: Not Just HIPAA & FISMA with Anurag Shankar (IU) and Von Welch (IU) on April 11. These activities are part of our work with the Center for Trustworthy Scientific Cyberinfrastructure. Registration for the conference is now open!

NCSA Supports Sirtfi

NCSA's InCommon identity provider (IdP) now officially supports the Security Incident Response Trust Framework for Federated Identity (Sirtfi). InCommon has tagged the NCSA IdP as Sirtfi-compliant in federation metadata. This enables cybersecurity researchers at NCSA and other researchers with NCSA identities to access federated services at CERN and around the world where Sirtfi compliance is required. For more information about InCommon's Sirtfi program, see the InCommon Sirtfi FAQ. The eduGAIN Entities Database contains a growing number of identity providers, service providers, and attribute authorities around the world that assert compliance with Sirtfi.

Securing IoT Devices

Part of our mission here at the CyberSecurity & Networking Division is advancing applied cybersecurity and networking research and anticipating future security trends and threats.  Working towards that end is the Science DMZ Actionable Intelligence Appliance (SDAIA) project—currently in development—which collects data from allocated but unused networking space.  The data is analyzed for potential threats and shared with participating partners.


Large amounts of data have been collected from many thousands of unused IPs and we noticed several trends.  All of the data collected so far have been SSH brute-force attacks, where automated attackers attempt to guess user and password combinations, giving them access to devices listening with an SSH service.  We have noticed that a lot of the user/password combinations indicate an attacker preference for connected, embedded or “smart” devices—often referred to as the Internet of Things, or IoT.  For example, within the 20 most common hits we found:


Combination    Device type
ubntubnt       wireless networking equipment
openelec       Linux based media center
dreambox       Linux based set-top box receiver
raspberrypi    single board computer, typically running Linux
000000         imaging, webcam
raspberry      single board computer, typically running Linux
xmhdipc        imaging, webcam
anko           imaging, webcam
welc0me        Linux based NAS device
rpitc          raspberrypi thin client
uClinux        linux on embedded microcontrollers
nosoup4u       Linux based NAS device
alpine         smart phone
rootubnt       wireless networking equipment


These attacks point to the pervasiveness of these devices, which are projected to number over 7 billion by the end of this year.  As these scans indicate, there has been little attempt to secure these devices, let alone change the default password—despite a large number of high profile denial of service attacks and worrying security vulnerabilities. As has been pointed out by many experts, changing the default password on these devices can often prevent them from being infected by malicious software.

How can you ensure that you can quickly identify these devices on your networks? There are two possibilities. A passive solution relies on constant examination of traffic in and out of your networks using software such as the Bro IDS. The downside to this technique is that Bro will only detect insecure devices once they have been compromised. An active solution relies on scanning all parts of your network and testing whether the devices are actually vulnerable. SSH-auditor is an example of software that can do this efficiently and can be found at NCSA's GitHub repository collection. Seeding this software with the most common user/password combinations and scheduling frequent scans of your network can very quickly identify vulnerable devices.
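The ranking step described above can be sketched as follows. This is an added example, not SDAIA or SSH-auditor code: it counts user/password combinations seen by a sensor on unused address space and tags those that match the list in this post. The log format, sample lines, addresses and function names are constructed for illustration, and treating a listed token as either the password or the user and password joined is an assumption about how to read the list.

```python
import re
from collections import Counter, defaultdict

# Tokens and device classes copied from the list above. Assumption: a token
# matches an attempt when it equals the password or user+password joined.
IOT_TOKENS = {tok: dev for dev, toks in {
    "wireless networking equipment": ["ubntubnt", "rootubnt"],
    "Linux based media center": ["openelec"],
    "Linux based set-top box receiver": ["dreambox"],
    "single board computer, typically running Linux": ["raspberrypi", "raspberry"],
    "imaging, webcam": ["000000", "xmhdipc", "anko"],
    "Linux based NAS device": ["welc0me", "nosoup4u"],
    "raspberrypi thin client": ["rpitc"],
    "linux on embedded microcontrollers": ["uClinux"],
    "smart phone": ["alpine"],
}.items() for tok in toks}

# Hypothetical sensor log format: "<timestamp> src=<ip> user=<u> password=<p>"
LINE_RE = re.compile(r"^\S+ src=(\S+) user=(\S*) password=(.*)$")

# Constructed sample data (documentation address ranges only).
SAMPLE_LOG = """\
2017-11-02T10:15:01Z src=198.51.100.7 user=ubnt password=ubnt
2017-11-02T10:15:03Z src=198.51.100.7 user=root password=xmhdipc
2017-11-02T10:16:40Z src=203.0.113.20 user=ubnt password=ubnt
2017-11-02T10:16:41Z src=203.0.113.20 user=root password=ubnt
2017-11-02T10:17:12Z src=203.0.113.99 user=admin password=admin
2017-11-02T10:17:30Z src=198.51.100.7 user=ubnt password=ubnt
2017-11-02T10:18:02Z src=203.0.113.99 user=pi password=raspberry
sensor restarted, no fields on this line
2017-11-02T10:19:44Z src=203.0.113.99 user=admin password=admin
"""

def parse_attempts(text):
    """Yield (src, user, password) per well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def device_class(user, password):
    """Device class from the list above, or None if the combination is not listed."""
    return IOT_TOKENS.get(password) or IOT_TOKENS.get(user + password)

def rank_combinations(text, top_n=20):
    """Most common combinations with attempt count and number of distinct sources."""
    counts, sources = Counter(), defaultdict(set)
    for src, user, password in parse_attempts(text):
        counts[(user, password)] += 1
        sources[(user, password)].add(src)
    return [{"user": u, "password": p, "attempts": n,
             "sources": len(sources[(u, p)]), "device": device_class(u, p)}
            for (u, p), n in counts.most_common(top_n)]

def audit_seed(text, top_n=20):
    """Combinations tied to embedded-device defaults, to check on your own devices."""
    return [(r["user"], r["password"])
            for r in rank_combinations(text, top_n) if r["device"]]
```

The output of `audit_seed` is the kind of list the paragraph above suggests feeding to an auditing tool that scans your own network.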

The following announcement is an NCSA press release; the original may be found here.

The Global Environment for Network Innovations (GENI), funded by the National Science Foundation, is now benefitting from identity management capabilities provided by NCSA. Specifically, GENI is using NCSA's federated identity provider to enable access for researchers whose home organization does not operate its own federated identity provider.

GENI provides a virtual laboratory for networking and distributed systems research and education. GENI provides a unique, free-to-use combination of computing and network resources, including the ability to program the network. Experimenters log in to the GENI Portal to gain access to the testbed and manage projects, access tools, and reserve resources. GENI requires authentication for testbed access to ensure that experimenters do not disrupt each other's work and to allocate testbed resources efficiently across multiple experiments.

GENI uses federated authentication so that experimenters can access GENI using their home organization identities, without needing to create a separate GENI password. Using organizational identities also makes it easier for experimenters to invite each other into project groups. The InCommon federation connects GENI to over 450 identity providers in the United States.

NCSA added its identity provider to the InCommon federation in July. NCSA's identity provider is relatively unique in that it offers accounts not just to NCSA members but also to the wider scientific research community, as part of NCSA's mission to provide cyberinfrastructure to support the work of scientists, engineers, and scholars at the University of Illinois and across the country. When first visiting the GENI portal, if the experimenter finds that their home organization does not offer a federated identity provider, they can easily request an NCSA account if they don't have one already and then log in to the GENI portal using their NCSA account. InCommon's "Identity Provider of Last Resort" working group documented the need for identity providers like NCSA's that provide accounts to individuals who are not served by existing organizational identity providers.

Jim Basney and Tom Mitchell led the effort to connect the GENI Portal to NCSA's identity provider. Jim is a senior research scientist in NCSA's Cybersecurity division and a former member of the InCommon Technical Advisory Committee. Tom is a senior software engineer for the GENI Project Office at Raytheon BBN Technologies and a current member of the InCommon Technical Advisory Committee.

Jim explained, "NCSA has a 30 year history of providing accounts to a national community of computational scientists. We recently updated NCSA's account management system to support a wider range of scientific cyberinfrastructure, beyond traditional supercomputing accounts. That update made it possible for NCSA to register an 'identity provider of last resort' with InCommon for use by GENI and other science projects."

"Experimenters access GENI using more than 200 federated identity providers, but 30% of GENI experimenters need an 'identity provider of last resort.' Leveraging the NCSA identity provider should make it easier for those unaffiliated users to access GENI and other NSF-funded cyber infrastructure," said Tom. "NCSA's identity provider is a shared resource for NSF projects like GENI, so each project does not need to duplicate the effort of operating its own identity provider in the InCommon federation, and researchers can use a single account across multiple science projects."

NCSA's CyberSecurity Division is hiring research programmers and security engineers! Join our team to work on cutting edge software and projects that help secure cyberinfrastructure for national and international science and engineering research communities. Please view the position postings (65782 and 70543) to apply.

In mid-August, the NCSA Cybersecurity Division participated in the 2016 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure in Arlington, VA. The theme this year was strengthening trustworthy science. As members of CTSC, the NCSA CSD team presented two of the all day training sessions and participated in a panel discussion. 

James Basney and Spherical Cow Group's Scott Koranda presented the training "Federated Identity Management for Research Organizations." The goal of the training was to provide an overview of the challenges research organizations, especially virtual organizations, face when utilizing identity management tools and services to manage access to their resources. Click here to view the slide presentation.

Warren Raquel, Vlad Grigorescu, Adam Slagell, and Jeannette Dopheide presented the training "Security Log Analysis with CTSC and Bro." The goal of the training was to provide a detailed walkthrough of the log analysis life cycle with interactive demonstrations using the Bro network analysis software. Click here to view the slide presentation.

Adam Slagell was a member of the panel talk "FBI Case 216," a cyber attack that Slagell and other members of NCSA helped investigate. While the attack occurred over 13 years ago, its impact on cybersecurity, and the lessons learned, are still relevant today.

A full agenda and more slide presentations are available on the summit's event page.

As members of the Center for Trustworthy Scientific Cyberinfrastructure (CTSC), the NCSA Cybersecurity Division participated in the launch of a new webinar series. The purpose of the series is to provide readily available cybersecurity services tailored to the NSF science community. 

The series began in May and includes such topics as how to perform a risk self-evaluation, the XSEDE security team's process of information sharing, and the benefits of building a ScienceDMZ. Presenters include members of CTSC and its community.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

NCSA's CyberSecurity Division is hiring research programmers! Join our team to work on cutting edge software and projects that help secure cyberinfrastructure for national and international science and engineering research communities. Please view the position posting to apply.

Interviews and offers may be made before the closing date, so don't wait to apply.

Initial job duties will include:

1) Nagios. We have a fairly extensive system, but we'd like to start generating the config programmatically instead of by hand and start fine-tuning our checks, alerts, etc.
2) Automating system provisioning and updates using Katello.
3) Vetting. Important systems undergo a security vetting process before they go in production. We're working on refining this and automating it.
4) CentOS 7 upgrade. We're upgrading our systems from CentOS 6 to 7.
5) Some VMware care and feeding.

CILogon 2.0 Project Begins

The CILogon 2.0 project officially launched this month. The project integrates and expands on the existing open source CILogon and COmanage software to provide an integrated identity and access management (IAM) platform for cyberinfrastructure. The platform combines the federated identity management capabilities of CILogon with the collaborative organization management capabilities of COmanage, with an emphasis on supporting international research collaborations via eduGAIN. The 3 year project, funded by NSF award number 1547268, is a collaboration between NCSA and Spherical Cow Group. Visit CILogon News for more details.

We're pleased to announce that CTSC has been funded for the next three years as the NSF Cybersecurity Center of Excellence. CTSC is a collaboration between Indiana University, NCSA, the Pittsburgh Supercomputing Center and the University of Wisconsin-Madison to address cybersecurity challenges of NSF science. Visit the CTSC blog for more details.

NCSA CyberSecurity wins an NSF CICI award with PSC

Butler, Slagell and Withers of NCSA win an NSF award for $499,206 along with co-PIs Ravi Iyer of UIUC and Jim Marsteller at PSC. This work will bring a new security appliance and tools for sharing and using intelligence to the many Science DMZ communities supported by NSF.


This research is expected to significantly enhance the security of campus and research networks. It addresses the emerging security challenge of open, unrestricted access to campus research networks, but beyond that it lays the foundation for an evolvable intelligence sharing network with the very real potential for national scale analysis of that intelligence. Further it will supply cyber security researchers with a rich real-world intelligence source upon which to test their theories, tools, and techniques. The research will produce a new kind of virtual security appliance that will significantly enhance the security posture of open science networks so that advanced high-performance network-based research can be carried out free of performance lags induced by more traditional security controls.

This research will integrate prior research results, expertise and security products from both the National Science Foundation and the Department of Energy to advance the security infrastructure available for open science networks, aka Science DMZs. Further, the effort will actively promote sharing of intelligence among Science DMZ participants as well as with national academic computational resources and organizations that wish to participate. Beyond meeting the security needs of campus-based DMZs, the effort will lay the foundation for an intelligence sharing infrastructure that will provide a significant benefit to the cybersecurity research community, making possible the collection, annotation, and open distribution of national scale security intelligence to help test and validate on-going security research.

Alex Withers Wins an NSF SI2-SEE Award

One of CyberSecurity's newest leaders, Alex Withers, wins a $499,136 award from the National Science Foundation to bring research from Professor Ravi Iyer's DEPEND group to production use.


The cyberinfrastructure that supports science research (such as the cyberinfrastructure that provides access to unique scientific instrumentation such as a telescope, or an array of highly distributed sensors placed in the field, or a computational supercomputing center) faces the daunting challenge of defending against cyber attacks. Modest to medium research project teams have little cyber security expertise to defend against the increasingly diverse, advanced and constantly evolving attacks. Even larger facilities that have security expertise are often overwhelmed with the amount of security log data they need to analyze in order to identify attackers and attacks, which is the first step to defending against them. The challenges of the traditional approach of identifying an attacker are amplified by the lack of tools and time to detect attacks skillfully hidden in the noise of ongoing network traffic. The challenge is not necessarily in deploying additional monitoring but in identifying this malicious traffic by utilizing all available information found in the plethora of security, network, and system logs that are already being actively collected. This project proposes to build and deploy an advanced log analysis tool needed in research environments, named AttackTagger, that can scale to address the dramatic increase in security log data and detect emerging threat patterns in today's constantly evolving security landscape. AttackTagger will make science research in support of national priorities more secure.

AttackTagger will be a sophisticated log analysis tool designed to find potentially malicious activity, such as credential theft, by building factor graph models for advanced pattern matching. AttackTagger will integrate with existing security software so as to be easily deployable within existing security ecosystems and to offload processing and computational work onto better suited components. It can consume a wide variety of system and network security logs. AttackTagger accomplishes advanced pattern matching by utilizing a Factor Graph model, which is a type of probabilistic graphical model that can describe complex dependencies among random variables using an undirected graph representation, specifically a bipartite graph. The bipartite graph representation consists of variable nodes representing random variables, factor nodes representing local functions (or factor functions), and edges connecting the two types of nodes. Variable dependencies in a factor graph are expressed using a global function, which is factored into a product of local functions. In security practice, factor graphs are more flexible for defining relations among the events and the user state than Bayesian Network and Markov Random Field approaches. Specifically, using factor graphs allows capturing sequential relations among events and enables integration of external knowledge, e.g., expert knowledge or a user profile.
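A toy factor graph in the sense described above, as an added example that is not AttackTagger code: one hidden user state per observed event, an event factor, a sequential factor between consecutive states, and a user-profile factor standing in for external knowledge. The event names, every weight and both profiles are constructed for illustration.

```python
from itertools import product

STATES = ("benign", "suspicious", "malicious")

# Every weight below is constructed for illustration; none comes from AttackTagger.
EVENT_FACTOR = {  # local function f_e(event, state)
    "login_unusual_host": {"benign": 0.40, "suspicious": 0.45, "malicious": 0.15},
    "fetch_remote_file":  {"benign": 0.50, "suspicious": 0.30, "malicious": 0.20},
    "history_cleared":    {"benign": 0.05, "suspicious": 0.35, "malicious": 0.60},
}
SEQ_FACTOR = {  # local function f_s(previous state, current state)
    "benign":     {"benign": 0.80, "suspicious": 0.15, "malicious": 0.05},
    "suspicious": {"benign": 0.20, "suspicious": 0.50, "malicious": 0.30},
    "malicious":  {"benign": 0.02, "suspicious": 0.08, "malicious": 0.90},
}
# External knowledge as a factor on the first state: a user profile.
DEFAULT_PROFILE = {"benign": 0.90, "suspicious": 0.08, "malicious": 0.02}
FLAGGED_PROFILE = {"benign": 0.50, "suspicious": 0.30, "malicious": 0.20}

def global_function(states, events, profile):
    """Global function: the product of all local factors for one assignment."""
    g = profile[states[0]]
    for t, (event, state) in enumerate(zip(events, states)):
        g *= EVENT_FACTOR[event][state]
        if t > 0:
            g *= SEQ_FACTOR[states[t - 1]][state]
    return g

def most_likely_states(events, profile=DEFAULT_PROFILE):
    """Score every state sequence and return the best one with its probability.

    Brute force is exponential in the number of events; it is used here only
    to keep the factorization visible. Message passing scales to real logs.
    """
    scored = {s: global_function(s, events, profile)
              for s in product(STATES, repeat=len(events))}
    best = max(scored, key=scored.get)
    return best, scored[best] / sum(scored.values())

EVENTS = ["login_unusual_host", "fetch_remote_file", "history_cleared"]
```

With the same three events, the default profile yields benign, benign, suspicious, while the flagged profile yields suspicious, malicious, malicious, which shows how the profile factor changes the inferred user state.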