OSG AC Report: Security

13 December 2017

Short List:

  • Vulnerabilities since last AC report
  • Results of ad hoc certificate training
  • December security exercise
  • Notes about OSG security coverage over the holidays
  • Follow-up/Questions

Vulns Handled Since 13 Sept:

  • September 25: OSG SecTeam sent an announcement regarding Struts 2.5.13 (released Sept 5th), which fixes three security vulnerabilities.

    • FYI only, as the only potentially serious issue affected a REST interface that OSG does not use in a dangerous way.

    • Delay in advisory was to ensure that updating would be safe/compatible with all OSG software.

  • Two Linux kernel vulnerabilities:

    • Local privilege escalation https://ticket.opensciencegrid.org/35047

    • Local privilege escalation with potential DoS and remote arbitrary code execution https://ticket.opensciencegrid.org/35240

Vulns Handled Since 13 Sept (cont.):

  • Vulnerability in DNSMasq reported by Google https://ticket.opensciencegrid.org/35105

  • SLURM vulnerability also allowing local privilege escalation https://ticket.opensciencegrid.org/35293

Certificate Training:

  • Security Team provided a series of VO trainings on certificate request processes in September.

    • Jeny prepared the training and supporting documentation, and gave the trainings.

    • This effort was in response to an uptick in certificate requests that violated either OSG policy or that of our upstream CA, which were costing a growing amount of effort on OSG's part to handle.

  • In the three months prior to the training, we had 8 policy violations and 1 malformed certificate request.

  • In the three months since the training, we have had 0 policy violations and 1 malformed certificate request.

December Security Exercise:

  • Security Team rebooted our program of exercising OSG security this month, following notices sent to OSG staff in October to give ample lead time.

  • Our first exercise was a simple phish, sent only to OSG staff.

  • OSG exceeded expectations for a first phish!

    • The phish went out to 30 staff members in total.

    • Only one staff member clicked through the phishing site's form, without giving valid credentials, to check on what was going on.

    • Only three staff members clicked through the email to view the phishing site at all.

    • Several staff members contacted either user support or security very promptly to report the phish.

Future Security Exercises:

  • Expect quarterly security exercises for now, with a goal of monthly exercises when our team feels that OSG is handling these smoothly enough that a monthly exercise will not be unduly disruptive.

  • Non-security-team members who would enjoy a turn at playing on the red team (the "attacker" during an exercise) may email Zalak Shah (zsshah@iu.edu) and he'll add you to the list that we pull from for each exercise.

  • We do a postmortem of each exercise on the following Monday's Security Team call (4:30pm Eastern) if anyone would like to join us.

OSG Security Over the Holidays:

  • I will be on holiday from December 22 through January 8.

  • Area Coordinators should all have my mobile number in case of a burning-fire emergency. Please use it only for emergencies.

  • Zalak will not be taking holiday apart from Christmas Day and New Year's Day, so consider him your first point of contact for any security issues during the break.

  • I don't check email while I'm on holiday, and I tend to throw out the backlog. Several of us at CACR have discovered just how much time can be wasted chasing issues that were already resolved in our absence. If you plan to email me something, please do so after 9am on the 8th of January, or I won't see it.

Q & A

(or just throw rotten tomatoes at me)