14 February 2018
Linux kernel vulnerability (Dec 19th, 2017)
A 'use-after-free' flaw was reported in the Linux kernel, within the XFRM framework; it may lead to privilege escalation when user namespaces are enabled. This vulnerability is exploitable on systems that have enabled a non-default EL7 kernel boot option to allow the use of unprivileged user namespaces, i.e. the non-setuid version of Singularity.
Spectre and Meltdown attacks (Jan 4th, 2018)
Two attacks, Meltdown and Spectre, were widely circulated.
These exploit design flaws in the way affected processor designs have implemented speculative execution of instructions. The exploitation could enable access to sensitive data in the memory of any computing device.
Relevant software patches incur a high performance penalty.
Two follow-up messages were sent, on Jan 10th and Jan 22nd.
Our next security exercise will be sometime in March, with a warning email going out a week before.
Non-security-team members who would enjoy a turn at playing on the red team ("attacker" during an exercise) may email Zalak Shah (firstname.lastname@example.org) and he'll add you to the list that we pull from for each exercise.
We do a postmortem of each exercise on the Monday following the exercise during our regular Security Team call (4:30pm Eastern) if anyone would like to join us.
(We're on Zoom; email Zalak for connection details.)
Over the course of this year, Security Team Effort has gone from 1.35 FTE to 0.65 FTE.
SecTeam has cut all of our outside-OSG meetings, and is beginning to cut some internal ones in order to focus more working time on providing security services to OSG.
If you feel something is being overlooked, please drop me an email directly and I'll address it if I can, or at least let you know what effort we do/don't have to put toward a particular issue.
(or just throw snowballs at me)