
Security

Please read this page as it has some advice on good security practices when installing software into your home directory on the HPC login node.

You can install and run Python or R code, or download and compile C or any other type of software. That’s a valuable privilege and one that enables you to do your valuable research. However, you do need to be careful in what you download, install and run. It would not be good if your valuable data was encrypted or the HPC was compromised.

The Risk

Recently there has been a large increase in the quantity and sophistication of malicious code being inserted into open source software, particularly into the libraries that a lot of code pulls in when it is compiled or run.

Read the two references at the end of this email for the different ways that you or I might end up running malicious software. They explain how very bright but malicious people might be able to get their code run on our systems.

They can:

  • create forks of legitimate repositories
  • use supply-chain attacks
  • use repo confusion
  • use dependency confusion

It’s not just end users like you or me that need to be careful; developers are getting tricked into incorporating malicious code into their software.

An Example

As an example, let’s consider the Bowtie2 genomics software. Note that I’m just using it as an example; there is no known problem with this software. Bowtie2 is for aligning sequencing reads to reference sequences. It can be installed from Conda, but you can also download the latest versions from the GitHub site here https://github.com/BenLangmead/bowtie2 or the SourceForge site https://bowtie-bio.sourceforge.net/bowtie2.

However, you can also find the following links, and more, if you search for Bowtie2 software on Google.

https://github.com/ddiez/bowtie2
https://github.com/caidenAU/bowtie2
https://github.com/uwb-linux/bowtie2
https://github.com/mathworks/bowtie2

The above are just a few of the 161 forks of the original software. See https://github.com/BenLangmead/bowtie2/forks. So you can see that there are many versions of Bowtie2. Most are identical to the canonical version by Ben Langmead but some will have been modified by others to cater to their specific needs.

What should you do?

You need to be careful that you are installing the correct software.

Carefully double-check the location and the name of the software when you download it.
Record the location you downloaded it from, either by copying and pasting the address from the browser or by recording the command line you used, e.g.

$ wget https://github.com/BenLangmead/bowtie2/releases/download/v2.5.3/bowtie2-2.5.3-linux-x86_64.zip
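One way to put the two pieces of advice above into practice, as an added example that is not from the original page or from the Bowtie2 project: a small POSIX shell helper that refuses to fetch from anything other than the canonical locations named on this page, and records the date, URL and SHA-256 of each download in a log in your home directory. The allow-list contents, the function names and the log path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page. Allow-list of canonical
# download locations, one "project url-prefix" pair per line (assumed here;
# the two Bowtie2 entries are the sites named on the page). The trailing
# slash matters: it stops "BenLangmead/bowtie2-something" from matching.
CANONICAL_SOURCES='
bowtie2 https://github.com/BenLangmead/bowtie2/
bowtie2 https://bowtie-bio.sourceforge.net/bowtie2
'

# canonical_prefixes PROJECT: print the allow-listed URL prefixes for PROJECT.
canonical_prefixes() {
    printf '%s\n' "$CANONICAL_SOURCES" | awk -v p="$1" '$1 == p { print $2 }'
}

# is_canonical PROJECT URL: succeed only if URL starts with one of PROJECT's
# canonical prefixes. A fork such as github.com/ddiez/bowtie2 or a typo in the
# owner name does not match and is refused.
is_canonical() {
    project=$1; url=$2
    for prefix in $(canonical_prefixes "$project"); do
        case "$url" in
            "$prefix"*) return 0 ;;
        esac
    done
    return 1
}

# record_file PROJECT URL FILE [LOG]: check URL, then append one line
# "date url sha256 filename" to LOG (default: $HOME/downloads.log) so you
# have a record of where each file came from and what you actually got.
record_file() {
    project=$1; url=$2; file=$3; log=${4:-$HOME/downloads.log}
    if ! is_canonical "$project" "$url"; then
        echo "refusing $url: not a canonical $project location" >&2
        return 1
    fi
    sum=$(sha256sum "$file" | cut -d' ' -f1)
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$url" "$sum" "$file" >> "$log"
}

# record_download PROJECT URL [LOG]: check URL first, then fetch it with wget
# into the current directory and log it. Nothing is fetched if the check fails.
record_download() {
    project=$1; url=$2; log=${3:-$HOME/downloads.log}
    is_canonical "$project" "$url" || { echo "refusing $url" >&2; return 1; }
    file=${url##*/}
    wget -q -O "$file" "$url" || return 1
    record_file "$project" "$url" "$file" "$log"
}
```

Run it as `record_download bowtie2 https://github.com/BenLangmead/bowtie2/releases/download/v2.5.3/bowtie2-2.5.3-linux-x86_64.zip`; the same command with a fork's URL is refused before anything is downloaded.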

Perhaps occasionally check the developer’s site for any warning they may have posted. That’s probably all we can do; neither you nor I would be able to spot malicious content ourselves.

Just be careful.

References to Read

“PyPI Inundated by Malicious Typosquatting Campaign” https://blog.checkpoint.com/securing-the-cloud/pypi-inundated-by-malicious-typosquatting-campaign/

“GitHub besieged by millions of malicious repositories in ongoing attack” https://arstechnica.com/security/2024/02/github-besieged-by-millions-of-malicious-repositories-in-ongoing-attack/

If there are any questions email eResearch-IT@uts.edu.au