News for admins

Tech News

Article from ADMIN 31/2016
By
News for system administrators around the world.

Critical Linux Kernel Bug Discovered

Security researchers at Perception Point Software have identified a zero-day privilege escalation vulnerability in the Linux kernel. According to the report, the problem has existed since 2012. The report states that the vulnerability "could affect tens of millions of Linux PCs and servers and 66 percent of all Android devices."

The problem, numbered CVE-2016-0728, is related to the keyring facility in the Linux kernel, which is "… a primary way for drivers to cache security data, authentication keys, encryption keys, and other data in the kernel." All Linux users are urged to install the necessary patches as they become available. Refer to the security bulletin for your Linux distro. For more information, see the full report at the Perception Point website [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/].

One Third of All IT Infrastructure Expenditure is Going to the Cloud

According to a report from IDC, one third of all IT infrastructure money is now spent on the cloud. The Worldwide Quarterly Cloud IT Infrastructure Tracker says a total of $7.6 billion was spent in the third quarter of 2015. The total cloud expenditure was up 23  percent since this time a year ago. The report does not track direct cloud space allocations but measures server, disk storage, and Ethernet switch spending for cloud environments. In other words, the study shows how much companies are investing in building data centers to support public and private cloud operations.

Dell sold the most cloud infrastructure, with a little over 15  percent share of the total vendor revenue, followed by Dell, Cisco, EMC, and NetApp. Unlike in some areas of high tech, the big players didn't own the whole market. Original Design Manufactures (ODMs) had 29.4 percent of the market share, and 17.5 percent went to smaller vendors grouped together in the "Other" category.

New Attack Sucks Information from HTTPS

Security expert Guido Vranken has published a paper on an attack that can successfully extract meaningful information from a captured TLS traffic session. Although the so-called HTTPS Bicycle attack does not provide direct access to encrypted data, it can determine the length of parts of the data, such as the cookie header or the payload of an HTTP POST request. An attacker can even employ this technique to determine the length of a password used to access an online account. Knowing the length of the password can greatly simplify a dictionary attack.

The attack has no known antidote; however, a high-quality password, some form of two-factor authentication, or both will make it more difficult for the attacker to succeed. See Guido Vranken's blog [https://guidovranken.wordpress.com/2015/12/30/https-bicycle-attack/] for a summary of the attack technique.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • A New Backdoor Found in Microsoft SQL Server
  • Hybrid public/private cloud
    Extending your data center temporarily into the cloud during a customer rush might not be easy, but it can be done, thanks to Ansible's Playbooks and some AWS scripts.
  • News for Admins
    In the news: Code execution flaws in PHP; ESET finds malware that targets political activists; bluetooth vulnerability makes spying easy; and open source webmin had backdoor for more than a year;
  • News for Admins
    AlmaLinux 8.5 Now Available For PowerPC Hardware
  • Cross-Vendor IPsec

    Any implementation of the standards-based IPsec is supposed to work with any other implementation – but sometimes you need a little extra effort. This article tests some IPsec implementations to see how well they fit.

comments powered by Disqus