TGQR 2010Q4 Report.pdf - Teragridforum.org
8.8.4 PSC

During October, the PSC security team spent a significant amount of time responding to serious
Linux vulnerabilities that had been announced. These announcements were occurring about once
per week, and at the time of each announcement no vendor patches were available. This created an
awkward situation where we had to find ways to protect against these threats until patches were
made available. For each of these vulnerabilities, PSC’s Jim Marsteller created a wiki page so the
status of all production systems could be tracked. This included identifying which of the production
systems were at risk and what controls could be applied to mitigate the risks until an official
patch was released. This same process was duplicated for TeraGrid in order to coordinate
responses from all resource providers. To date there have been no security incidents at PSC
related to these vulnerabilities.

PSC had no other security incidents during the quarter.

After conducting an audit for accounts that have not seen any activity in the past six months, PSC
disabled a number of inactive user accounts. We now have 1,200 fewer idle accounts for hackers
to target. There has only been one call from a user whose account was incorrectly disabled
(the account was only used to access a wiki maintained by PSC). We have modified our procedures
so that access to a wiki will be considered as active use of an account.
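
As an added illustration of the audit described above (not PSC's tooling; the account names, the activity source names and the 183-day approximation of six months are constructed assumptions), the following shows how the set of activity sources that count as "use" changes which accounts are flagged as idle:

```python
from datetime import date, timedelta

# Constructed sample data (not PSC's): one record per (user, source, last seen).
AS_OF = date(2010, 12, 31)
ACCOUNTS = ["alice", "bob", "carol", "dave"]
EVENTS = [
    ("alice", "ssh",     date(2010, 12, 1)),
    ("alice", "wiki",    date(2010, 3, 2)),
    ("bob",   "ssh",     date(2010, 2, 14)),
    ("bob",   "wiki",    date(2010, 11, 20)),  # only recent activity is wiki access
    ("carol", "gridftp", date(2010, 5, 30)),
    # dave has no recorded activity at all
]

WINDOW = timedelta(days=183)  # assumption: "six months" approximated as 183 days


def last_activity(events, counted_sources):
    """Most recent event per user, considering only the counted sources."""
    latest = {}
    for user, source, when in events:
        if source in counted_sources and when > latest.get(user, date.min):
            latest[user] = when
    return latest


def inactive_accounts(accounts, events, counted_sources, as_of=AS_OF, window=WINDOW):
    """Accounts with no counted activity inside the window, oldest first.

    Accounts with no events at all are reported with last-seen None so that
    never-used accounts are reviewed rather than silently skipped.
    """
    latest = last_activity(events, counted_sources)
    cutoff = as_of - window
    stale = [(u, latest.get(u)) for u in accounts
             if latest.get(u) is None or latest[u] < cutoff]
    return sorted(stale, key=lambda item: item[1] or date.min)


if __name__ == "__main__":
    # Counting login-type sources only flags bob, whose only recent use is the wiki.
    before = inactive_accounts(ACCOUNTS, EVENTS, {"ssh", "gridftp"})
    # Counting wiki access as activity removes that false positive.
    after = inactive_accounts(ACCOUNTS, EVENTS, {"ssh", "gridftp", "wiki"})
    print("login sources only:", before)
    print("wiki counted too:  ", after)
```
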

Jim Marsteller held the annual “Security 4 Lunch” on 08-Nov-2010 for all PSC staff and students.
The one-hour presentation covered general information on security best practices, including
material for PSC staff traveling to SC10. This year the staff was very interactive, asking a number
of security-related questions. In fact, the VPN demo ran over the allotted one hour.

8.8.5 Purdue

Purdue disabled 11 TG accounts due to compromises reported at other RP sites. Purdue also
deleted SSH keys for one account due to compromise at another RP site. Purdue patched several
Linux kernel and libc 0-day vulnerabilities.

8.8.6 SDSC

SDSC had five minor incidents this quarter. These incidents resulted in the compromise of
multiple user accounts elsewhere. Six user accounts were proactively suspended at SDSC as a
result. No evidence of abuse of these accounts was found prior to their deactivation.

SDSC performed and completed a security audit of Trestles. Minor changes were made to the
system configuration to enhance its security posture and improve the quality of
information available for incident detection and response.

8.8.7 TACC

A security compromise on the previous Lonestar system occurred on the two login nodes on
October 27, 2010. A then-recent Linux kernel vulnerability was used by an intruder to gain root
privileges and replace ssh to collect user passwords. This tripped automatic change-detection
scripts on Lonestar, which notified admins of the compromise. TACC admins immediately cut off
access to Lonestar, notified the TG security working group of the compromised user account, and
began forensic analysis of the compromise. During the investigation, the file used by the intruder
to start collecting passwords was found and had three user accounts in it; however, the intruder
may not have had time to retrieve those passwords once remote access was disabled. Those users
were immediately notified to change their passwords in case they had been collected. A patch
was applied to the Lonestar kernel to remove the vulnerability.

In addition, three user accounts with compromises at other locations had their accounts disabled
on TACC systems.