Monday, December 9, 2019

Trusted CI Incident Response Report 2019-10-02_01

As I discussed during my presentation at the NSF Cybersecurity Summit in October, Trusted CI inadvertently exposed an embargoed engagee report earlier this year. Our first time doing incident response as a project also revealed some weaknesses in our response planning that could have been problematic for a more serious incident.

With the approval of the impacted engagee, we are now making our internal report on the incident and our plans to improve public. Please find the URL to the report at the bottom of this blog post.

The community’s trust in us is paramount and we hope this transparency helps you maintain that trust in us. We welcome questions and suggestions.

Von Welch, Trusted CI Director


Trusted CI Incident Response Report 2019-10-02_01
Available at http://hdl.handle.net/2022/24845

Report Summary
A Trusted CI engagement report with the Singularity team at Sylabs was inadvertently published prematurely due to miscommunication within the Trusted CI team. A secondary leak was discovered in the resume of a Trusted CI team member and weaknesses were discovered in the incident response process of Trusted CI. This report describes these events and the steps Trusted CI took in responding. An analysis of those events follows along with a set of planned remediations by Trusted CI to avoid a future incident and strengthen Trusted CI’s incident response processes.

Monday, November 25, 2019

Trusted CI Webinar December 9th at 11am ET: DDIDD: Project Overview and Early Results

USC's John Heidemann is presenting the talk, "DDoS Defense in Depth for DNS (DDIDD): Project Overview and Early Results" on December 9th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The DDIDD Project (DDoS Defense in Depth for DNS) is applying existing defenses, and developing new ones, against Distributed Denial-of-Service attacks on operational DNS infrastructure. We are building a defense-in-depth approach to mitigate Distributed Denial-of-Service attacks against DNS servers, with approaches to filter spoofed traffic, identify known-good traffic when possible, and employ cloud-based scaling to handle the largest attacks. We are working with USC's B-Root team to test our approaches as a case study, and are making approaches open source as they become available. This talk will summarize the project and our overall approach, provide details about some of our early filters and filter selection, and describe where we plan to go in the remaining year.
John Heidemann is a principal scientist at the University of Southern California/Information Sciences Institute (USC/ISI) and a research professor at USC in Computer Science. At ISI he leads the ANT (Analysis of Network Traffic) Lab, studying how to observe and analyze Internet topology and traffic to improve network reliability, security, protocols, and critical services. He is a senior member of ACM and fellow of IEEE.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, November 22, 2019

Apply by January 17th, 2020 for the Trusted CI 2020 Fellows Program!

Trusted CI’s inaugural 2019 cohort of Fellows was an amazing success with six Fellows from research technologies, astrophysics, criminal justice, network and combinatorial optimization, and computer engineering. We are now pleased to announce the call for applications for our 2020 Trusted CI Fellows. Another cohort of six fellows will receive training from and work closely with Trusted CI to expand their own understanding of trustworthy science and further empower the NSF community to secure its own research.

The deadline for applications is January 17th, 2020. We’ll be hosting a special Trusted CI webinar on the Fellow application process on December 17th at 10am Eastern time. For more information and to apply, please visit https://trustedci.org/fellows/apply

Register for the webinar here: https://iu.zoom.us/webinar/register/WN_nEfmD78RR1ScWDIrpoCaTg

Monday, November 18, 2019

New at the NSF Cybersecurity Summit this year: Jupyter Security Training

[Photo: Matthias Bussonnier teaching about Jupyter security. Photo by Emily Sterneman]

This year at the NSF Cybersecurity Summit, Trusted CI expanded upon its training session offerings with a Jupyter security training/workshop on the first day (afternoon session). This training was led by Matthias Bussonnier (Jupyter Developer Team, UC Merced), Rick Wagner (Globus), Mark Krenz (Trusted CI), and Ishan Abhinit (Trusted CI). Twenty-one people attended the workshop, making it one of the more popular training sessions at the summit this year.

The session started with an around-the-room introduction of attendees and their experiences using Jupyter, including what they knew about Jupyter security and what they were hoping to get out of the workshop. Most attendees had little-to-no experience with Jupyter and were curious to learn more about deploying and securing it. This was especially valuable information for Matthias, helping the development team better understand the different scientific communities using Jupyter. The room seemed to be balanced between attendees from Information Technology and Research, which is a sign that Jupyter is increasingly used and deployed at scale in various institutions.

The next 30 minutes were devoted to helping the audience understand Jupyter and its software landscape: notebooks, notebook server, IPython, JupyterHub, etc. This included an overview of the Jupyter architecture and nomenclature, where the components run and how they communicate, the threat model, examples of attacks, and how to secure an installation.

This was followed by a hands-on exercise where Rick demonstrated how to access a remote Notebook Server and set up a JupyterHub instance using a default configuration. Then attendees learned to observe and secure components and their interactions one by one. Rick and Matthias ended the session by answering the questions attendees had asked at the beginning, defining Jupyter security best practices, and giving an overview of what can be done to improve security in the Jupyter Community. The slides from the workshop are available here. The group will be looking for ways to provide this training at future events.

According to Matthias, this was the first ever security-focused training workshop on Jupyter, and the feedback from the first group of attendees will inform the shape this training takes in future iterations.

Friday, November 15, 2019

Trusted CI activities at SC19

Members of Trusted CI will be attending SC19 (November 17-22) in Denver. SC is the International Conference for High Performance Computing, Networking, Storage, and Analysis. The conference includes a technical program of talks, tutorials, exhibitions, posters, birds of a feather, awards, etc. Below is a list of Trusted CI member activities, booth assignments of Trusted CI organizations, and activities of our partner projects. Stop by and see us!

Trusted CI Member Activities:
  • Barton Miller & Elisa Heymann are presenting a training, "Secure coding practices and automated assessment tools" (description) (preview)
  • Barton Miller is also presenting a paper, "Diogenes: Looking for an Honest CPU/GPU Performance Measurement Tool"
  • Von Welch is presenting at the IU booth 643 Tuesday at 11am
  • Trusted CI Advisory Committee meeting Tuesday
  • Jim Basney at the NCSA booth 714 Wednesday at 10am
  • Dana Brunson is participating in a panel and a BOF, both on research computing
  • Florence Hudson is participating in a panel on computation and health, and in a BOF on HPC education, outreach, and training
Trusted CI Organization Booths at SC19:
SC Activities of our partner projects that may interest you:

Monday, November 11, 2019

Student Program at the 2019 NSF Cybersecurity Summit

In October we hosted our annual NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure in San Diego, CA. The Summit included training workshops, plenary talks, and networking opportunities for members of NSF Large Facilities and the CI community.

As Summit attendance and funding have grown, so has our ability to provide learning opportunities for new members of the community. Two years ago we launched a student scholarship program to follow through on our goals of outreach and broadening impact. Students apply to the program by writing a brief essay sharing their security interests and what they hope to gain from attending the Summit.

This year we were able to fund the attendance of ten students at the Summit. Their names and the schools they attend are listed below (see photo, left to right):
  • Emma He - MS Computer Science - University of Wisconsin-Madison
  • Shuvra Chakraborty - PhD Computer Science - University of Texas San Antonio
  • Merlin Cherian - BS/MS Computer Science - Drexel University
  • Cameron Ogle - Bachelor Computer Science - Clemson University
  • Minh Nguyen - PhD Student Computer Science - CUNY
  • Alexis Reyes - MS Software in Software Engineering - University of Texas at El Paso
  • Desiree Lester - Bachelor Information Assurance - Norfolk State University
  • Tre' Jeter - Bachelor Computer Science, Bachelor Computer Engineering - Claflin University
  • Roncs Etame-Ese - BS Information Technology - Marymount University
  • Luis Gonzalez - BS Information Technology - Florida International University
We also paired the students with volunteer mentors (two students per mentor). We thank them for helping make the students feel welcome at the Summit. Their names and organizations are listed below:
  • Florence Hudson; Trusted CI
  • Steve Barnet; Wisconsin IceCube Particle Astrophysics Center
  • Susan Ramsey; Amazon
  • Celeste Matarazzo; Lawrence Livermore National Laboratory
  • David Halstead; National Radio Astronomy Observatory (NRAO)
We asked the students to share some insights into their Summit experience. We list a selection of their statements below.

Shuvra Chakraborty
As a doctoral student, my research work focuses on the investigation of novel access control methodologies: development and deployment. I have attended a couple of conferences before; this Summit was a bit different for me. Apart from the usual knowledge hunting, I got great networking opportunities here. I would specifically mention my colleagues in the student program and the mentors. My mentor was superb: I felt really inspired after meeting her. I liked the training program most: the hands-on training was useful and informative.
Cameron Ogle
By far my favorite thing from the Summit was the chance to interact with others who share the same passion for technology and learning. I gained some of the most valuable information from speaking with the attending industry experts. I especially appreciated the advice the mentors offered on finding a career and what lessons they had to share. The other students were a blast to explore San Diego with, and I can’t wait until we have the chance to lead the cybersecurity field.
Desiree Lester
The student program was very informative. It exposed all the students to industry work, lab, and research projects. It showed me that the industry is not all about coding, but about fixing a bigger problem. It was about networking with people from all over the world and learning from their experiences. After hearing stories, I have considered applying to a fellowship program. I just would like to thank Trusted CI for this amazing opportunity and hope to network in the future.
Tre' Jeter
For me, I learned so much! I got actual experience with security tools in a real world setting in the Web Security Automated Assessment Tools session. I enjoyed speaking further with Dr. Miller about graduate school and I actually scheduled a visit to the University of Wisconsin-Madison. Furthermore, I appreciated being treated like a professional in the field although I am still a student. Being asked the difficult questions and being forced to put things into the perspective of a real world event on the spot was intriguing, challenging, and inspiring. It also showed me that I have much to learn in every aspect of this field! I am much more confident in my degree choices now because I attended this summit and got real feedback and honesty when it came to me asking the right questions, giving the right answers, and even thinking in the correct way in order to be successful in this field. Everything I wanted to get out of this summit was achieved!
Roncs Etame-Ese
This year’s conference was a memorable experience for me as it was my first time out on the West Coast. Prior to arriving at the conference, the thing I was looking forward to the most was meeting other students. The new friendships I made and the bond we all established in that week are memories that I can never forget. They were all incredibly smart and I was pretty impressed by their academic, professional, and extracurricular achievements. I’m looking forward to all of us succeeding in our endeavors and being the next generation of cybersecurity professionals.
Luis Gonzalez
Being able to attend this summit was a wonderful experience and I would recommend any student interested in Cyber Security to attend. The staff at IU and Trusted CI were very welcoming and gracious. Along with being wonderful to me, they were extremely organized and punctual throughout the summit. You will be able to network with many research individuals in the cybersecurity field. The training sessions were only 3.5 hours long each, but the presenters did a great job of overloading us with great information and allowing us to do many hands-on exercises in the process. If you have the opportunity to attend this event, I greatly encourage it.

We were more than impressed with the Student Program this year. Their participation and enthusiasm were a rewarding affirmation of our commitment to community building. We look forward to seeing where their careers take them and to sponsoring more students in the future.

[Photo: The students and mentors]
Tuesday, November 5, 2019

Remembering Steve Tuecke’s contributions to cybersecurity

I am deeply saddened to learn of the passing of Steve Tuecke last weekend. Steve was a passionate leader in the application of technology to advance science as well as being a great mentor to me during the three years I worked as part of the Globus project and since. While Steve’s contributions to scientific computing and data management are wide-ranging, I worked most closely with him on the topics of cybersecurity and identity management. This post is to remember and reflect on his work in those areas that was foundational to much of cybersecurity in scientific computing today.

When I first met Steve in the late 1990s, he was a driving force behind establishing a flexible security architecture to support distributed science. His ability to grasp the needs for delegating authority and secure communications amongst researchers and infrastructure (fairly novel concepts in those days where the world wide web was just getting started) and his acumen in systems design and software engineering immediately attracted me to him as someone from whom I was eager to learn.

The first project Steve drew me into was solving the challenge of how a researcher delegated credentials to web servers, an unknown concept in the simple client-server model of the web at that time. This original work became MyProxy, a workhorse for credential management in scientific computing to this day, and which led to the important CILogon infrastructure.

I joined the Globus project shortly after and under Steve’s mentorship started working on standardizing Proxy Certificates and developing their implementation in the very nascent Grid Security Infrastructure (GSI). During this period, Steve taught me much about software development and architecture (I will always associate the term “idempotent” with Steve), the role of standards, building communities, and leadership.

Since my days with Globus, I continued to admire Steve’s leadership in developing Globus Auth, allowing researchers to manage their multiple identities at different sites and services. I enjoyed numerous conversations with Steve on that identity work as well as other topics such as software sustainability. He was a great mentor and friend and will be missed.

Von Welch, Trusted CI Director