13 December 2017
September 25: OSG SecTeam sent an announcement regarding Struts 2.5.13 (released Sept 5th), which fixes three security vulnerabilities.
FYI only: the one potentially serious issue affected a REST interface that OSG does not use in a way that would expose it.
The advisory was delayed to confirm that updating would be safe and compatible with all OSG software.
Two Linux kernel vulnerabilities:
Local privilege escalation https://ticket.opensciencegrid.org/35047
Local privilege escalation with potential DoS and remote arbitrary code execution https://ticket.opensciencegrid.org/35240
Vulnerability in DNSMasq reported by Google https://ticket.opensciencegrid.org/35105
SLURM vulnerability also allowing local privilege escalation https://ticket.opensciencegrid.org/35293
Security Team provided a series of VO trainings on certificate request processes in September.
Jeny prepared the training and supporting documentation, and gave the trainings.
This effort was in response to an uptick in certificate requests that violated either OSG policy or that of our upstream CA; handling these was costing OSG a growing amount of effort.
In the three months prior to the training, we had 8 policy violations and 1 malformed certificate request.
In the three months since the training, we have had 0 policy violations and 1 malformed certificate request.
Security Team rebooted our program of exercising OSG security this month, following notices sent to OSG staff in October to give ample lead time.
Our first exercise was a simple phish, sent only to OSG staff.
OSG exceeded expectations for a first phish!
The phish went out to 30 staff members in total.
Only three staff members clicked through the email to view the phishing site at all.
Only one staff member went further and submitted the phishing site's form, without giving valid credentials, to check on what was going on.
Several staff members contacted either user support or security very promptly to report the phish.
Expect quarterly security exercises for now, with a goal of monthly exercises when our team feels that OSG is handling these smoothly enough that a monthly exercise will not be unduly disruptive.
(or just throw rotten tomatoes at me)