Sunday, July 7, 2019

Cyberinfrastructure Vulnerabilities 2019 Q2 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available to all by subscribing to Trusted CI’s mailing lists (see below).

We monitor a number of sources for software vulnerabilities of interest, then determine which ones are of the most critical interest to the community. While it’s easy to identify issues that have piqued the public news cycle, we strive to alert on issues that affect the CI community in particular. These are identified using the following criteria: the affected technology’s or software’s pervasiveness in the CI community; the technology’s or software’s importance to the CI community; type and severity of potential threat, e.g., remote code execution; the threat’s ability to be remotely triggered; the threat’s ability to affect critical core functions; and if mitigation is available. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE, Open Science Grid (OSG), the NSF supercomputing centers, and the ResearchSOC on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Some of the sources we monitor for possible threats to CI include:


In 2Q2019 the Cyberinfrastructure Vulnerabilities team issued the following 10 vulnerability alerts to 133 subscribers:


If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available at https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Wednesday, July 3, 2019

Trusted CI Completes Engagement with the Polar Geospatial Center

The Polar Geospatial Center (PGC) (NSF 1559691, NSF 1614673, NSF 1810976, NASA NNX16AK90G, and NASA 80NSSC18K1370) at the University of Minnesota provides geospatial support, mapping, and GIS/remote sensing solutions to researchers and logistics groups in the polar science community. The PGC supports U.S. polar scientists to complete their research goals in a safe, timely, and efficient manner by providing a service which most groups do not have the resources or expertise to complete. The mission of the PGC is to introduce new, state-of-the-art techniques from the geospatial field to effectively solve problems in the least mapped places on Earth. Trusted CI's engagement with PGC began in January 2019 and concluded in June 2019.

The primary goals for this engagement were to rapidly mature PGC’s cybersecurity program and develop a roadmap for future cybersecurity efforts at PGC. Trusted CI and PGC conducted a risk assessment of cyberinfrastructure assets and then built on its results to improve PGC’s security program. The Trusted CI Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects and related materials were used to facilitate the effort.

NSF Community Cybersecurity Benchmarking Survey

It's time again for the NSF Community Cybersecurity Benchmarking Survey (“Community Survey”). We’ve appreciated all the great participation in the past, and look forward to seeing your responses again this year. The Community Survey, started in 2016, is a key tool used by Trusted CI to gauge the cybersecurity posture of the NSF science community. The twin goals of the Community Survey are: 1) To collect and aggregate information about the state of cybersecurity for NSF projects and facilities; and 2) To produce a report analyzing the results, which will help the community level-set and provide Trusted CI and other stakeholders a richer understanding of the community’s cybersecurity posture. To ensure the survey report is of maximum utility, we want to encourage a high level of participation, particularly from NSF Large Facilities. Please note that we are aggregating responses and minimizing the amount of project-identifying information we’re collecting, and any data that is released will be anonymized.

https://forms.gle/meVYfsxvbzEEYWAn6

Each NSF project or facility should submit only a single response to this survey. Completing the survey may require input from the PI, the IT manager, and/or the person responsible for cybersecurity (if those separate areas of responsibility exist). While answering specific questions is optional, we strongly encourage you to take the time to respond as completely and accurately as possible. If you prefer not to respond to or are unable to answer a particular question, we ask that you make that explicit (e.g., by using “other:” inputs) and provide your reason.

The response period closes July 31, 2019.

Thursday, June 20, 2019

2019 NSF Cybersecurity Summit Call For Participation - NOW OPEN - Deadline is Monday, August 12th


It is our pleasure to announce and invite you to the 2019 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure.  The event will take place Tuesday, October 15th through Thursday, October 17th, at the Catamaran Hotel in San Diego, CA. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities. Registration and hotel reservations details will be announced in the coming weeks. We are happy to announce the call for participation, community leadership recognition program, and student program are now open and we welcome your proposals.
Call for Participation (CFP)
Program content for the summit is driven by our community. We invite proposals for presentations, breakout and training sessions, as well as nominations for student scholarships. The deadline for CFP submissions is August 12th, 2019. To learn more about the CFP, please visit: https://trustedci.org/cfp2019


Nominations for the Community Leadership Recognition Program
The Summit seeks to recognize outstanding leadership in the cyberinfrastructure and cybersecurity field. These leaders have developed and established the processes and practices for building a trusting, collaborative community, and seriously addressing that community's core cybersecurity challenges in ways that remain relevant as research technologies and infrastructure evolve and change. The deadline for CFP submissions is August 12th, 2019. More information on the program and how to submit a nomination can be found here: http://trustedci.org/leadership2019
Student Program - Accepting Applications
Each year, the summit organizers invite several students to attend the summit. Students who are interested in cybersecurity and new, efficient, effective ways to protect information assets while supporting science will benefit from attending. Undergraduate and graduate students may self-nominate or be nominated by a teacher or mentor. The deadline for applications is August 12th, 2019. To learn more about the Student Program, please visit: https://trustedci.org/summit2019/students
On behalf of the 2019 NSF Cybersecurity Summit organizers and program committee, we welcome your participation and hope to see you in October.


More information can be found at https://trustedci.org/2019-nsf-cybersecurity-summit

Wednesday, June 19, 2019

Welcoming Michael Zentner to Advisory Committee and thank you to Nancy Wilkins-Diehr

With the retirement of Nancy Wilkins-Diehr, we thank her for her years of service on the Trusted CI Advisory Committee. Her guidance and the collaboration with the Science Gateways Community Institute (SGCI) she led have been instrumental to Trusted CI’s success.
Michael Zentner is succeeding Nancy as PI of SGCI, and we’re happy to announce that the collaboration between Trusted CI and SGCI will continue. Michael will be replacing Nancy on Trusted CI’s Advisory Committee and we extend a warm welcome to him. 
About Michael: Michael Zentner is the Director for Sustainable Scientific Software at the San Diego Supercomputer Center (SDSC), the Director of the HUBzero® project, co-PI on the nanoHUB.org project (a science gateway serving over 1.4 million visitors annually), and is transitioning into the Director role of the SGCI. In this combined role, Michael focuses on new innovations in cyberinfrastructure and science gateways, as well as sustainability models for such gateways and other scientific software. Michael’s background consists of 9 years in academic settings advancing data analytics and cyberinfrastructure software, as well as 18 years of entrepreneurial experience in creating sustainable business models for software and applying technology-based software solutions in Fortune 500 companies for supply chain optimization, data analytics, and collaboration. Michael holds a Ph.D. in Chemical Engineering from Purdue University and dual MBAs in International Business from Purdue University’s Krannert School of Management and the TIAS School for Business and Society in Tilburg, Netherlands.

Tuesday, June 18, 2019

Trusted CI at the 2019 annual Great Plains Networks All-Hands Meeting May 21-23

Ishan Abhinit conducting log analysis exercise at GPN AHM 2019
Following on the successful workshops Trusted CI staff provided at the 2017 Great Plains Network All-Hands Meeting, the Trusted CI staff was invited back to the event in 2019 by GPN staff. Five members of the Trusted CI staff presented a series of three workshops from May 21st - 23rd at the 2019 Great Plains Networks All-Hands Meeting. The workshops covered log analysis, risk management for regulated data, and developing information security programs for research projects and facilities.

Building a NIST Risk Management Framework for HIPAA and FISMA Compliance - Wednesday, May 22 (Anurag Shankar & Ryan Kiser)
Anurag Shankar and Ryan Kiser led a workshop to prepare attendees to effectively leverage NIST’s risk management guidelines as a tool to address the increasingly heavy demands of regulated data on research workflows. They provided an overview of the requirements for handling different types of regulated data such as PHI and CUI as well as a unified risk-based methodology for adhering to these requirements.

Security Log Analysis - Wednesday, May 22 (Mark Krenz & Ishan Abhinit)
Mark Krenz and Ishan Abhinit presented a half-day workshop on Security Log Analysis, including a 45-minute exercise developed by fellow Trusted CI colleague Kay Avila. The hands-on exercise involved performing analysis on an Apache web server log file to find attacks at 6 levels of difficulty. The workshop also covered important aspects of collecting, organizing and analyzing log files, and provided specific techniques for finding different types of attacks. Real-time polling was used to help engage with attendees and to gain insight into community practices.


A Practical Cybersecurity Framework for Open Science Projects and Facilities - Thursday, May 23 (Bob Cowles)
Bob conducted a workshop to give attendees a foundation in what it means to have a basic, competent cybersecurity program for open science projects. In addition to lively discussion from the participants, the four pillars of the Trusted CI Framework were presented along with the sixteen “musts” that compose the core framework requirements. Participants were provided with the tools for building a cybersecurity program and encouraged to use a set of rational, evidence-based controls as a component of their program.
Left to right: Bob, Anurag, Ishan, Michael, Mark, Ryan

Attending the conference also allowed Trusted CI staff to meet and provide less formalized cybersecurity discussion and consultation during social events at the conference. While visiting Kansas City, the Trusted CI team also had the opportunity to meet with Michael Grobe, who is a member of the distributed computing community and co-developer of Lynx, one of the first popular web browsers.

The materials presented by Trusted CI at the conference as well as others can be found on the Trusted CI website.

Wednesday, June 12, 2019

Many opportunities to meet with Trusted CI at PEARC19

There are numerous opportunities to interact with members of Trusted CI at PEARC19, July 28th - August 1st, in Chicago. PEARC19 "will explore the current practice and experience in advanced research computing including modeling, simulation, and data-intensive computing."

We will update our PEARC19 page as more scheduling info involving Trusted CI becomes available. The full schedule has been posted on PEARC's site.

7/08 Note: Room assignments have been updated.

Trusted CI Workshop on Trustworthy Scientific Cyberinfrastructure

Tuesday July 30th at 11am - 5pm in the Water Tower room

Our workshop provides an opportunity for sharing experiences, recommendations, and available resources for addressing cybersecurity challenges in research computing. Presentations by Trusted CI staff and community members will cover a broad range of cybersecurity topics, including science gateways, transition to practice, cybersecurity program development, workforce development, and community engagement (e.g., via the Trusted CI Fellows program). Space is still available for lightning talks. Please contact jbasney@illinois.edu if you are interested in presenting at the workshop.

Panel: Community Engagement at Scale: NSF Centers of Expertise panel

Tuesday July 30th at 1:30pm - 3pm in the Atlanta room

This panel brings together the leaders of centers of expertise serving the CI and NSF communities to present what they wish everyone knew about their respective area and to explore the challenges and lessons learned with the cross-cutting topic of community engagement at scale. Panelists include:
  • Ruth Marinshaw — Moderator (Stanford University)
  • Daniel Crawford (MolSSI)
  • Ewa Deelman (CI CoE Pilot)
  • Jennifer Schopf (EPOC)
  • Von Welch (ResearchSOC, Trusted CI)
  • Nancy Wilkins-Diehr (SGCI)
  • Frank Wuerthwein (OSG)

Technical Papers

Our technical paper, “Trusted CI Experiences in Cybersecurity and Service to Open Science,” will be published in the proceedings. To read the pre-print copy, click here.

Trusted CI's paper will be presented on Wednesday July 31st at 11am - 12:30pm in the Wrigley room.

Another paper presentation that may be of interest is “Integrity Protection for Scientific Workflow Data: Motivation and Initial Experiences.” This paper describes the experiences of the Scientific Workflow Integrity Project in protecting data integrity.

SWIP's paper will be presented on Tuesday July 30th at 3:30 - 5pm in the Crystal C room.

AI4GOOD Workshop

Monday July 29th at 8:30am - 5pm in the Horner room

Trusted CI's Florence Hudson will be presenting in the AI4GOOD workshop on a panel about privacy, policies, security, and ethics regarding Artificial Intelligence. This workshop will provide a full day of awareness, advocacy and hands-on training in basic skills needed by those who wish to employ or support artificial intelligence (AI) for accelerated research outcomes in a variety of domains. Biomedical advances, economic empowerment strategies, agricultural innovation and quality of life improvements for citizens in underserved regions will be emphasized.

Poster Reception

Tuesday July 30th at 6:30pm - 8:30pm in the Crystal Foyer and Crystal B rooms

Trusted CI is presenting a poster on our mission, how it can help your project, and the advances it is making in cybersecurity and resources for cybersecurity professionals.

The Exhibitors Hall

Trusted CI is a sponsor of PEARC19, and will have a table at the PEARC19 Exhibitors Hall. Meet members of our team and find out how we can provide cybersecurity support to your NSF project.

SIGHPC Systems Professionals Symposium19 [Added July 6th]

Von Welch will be speaking as part of the panel on HPC Cybersecurity from 10:30-11:30am on Monday at the SIGHPC Systems Professionals Symposium19.