Critical Linux Kernel Bug Discovered

Security researchers at Perception Point Software have identified a zero-day privilege escalation vulnerability in the Linux kernel. According to the report, the problem has existed since 2012. The report states that the vulnerability "could affect tens of millions of Linux PCs and servers and 66 percent of all Android devices."

The problem, numbered CVE-2016-0728, is related to the keyring facility in the Linux kernel, which is "… a primary way for drivers to cache security data, authentication keys, encryption keys, and other data in the kernel." All Linux users are urged to install the necessary patches as they become available. Refer to the security bulletin for your Linux distro. For more information, see the full report at the Perception Point website [http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/].

One Third of All IT Infrastructure Expenditure is Going to the Cloud

According to a report from IDC, one third of all IT infrastructure money is now spent on the cloud. The Worldwide Quarterly Cloud IT Infrastructure Tracker says a total of $7.6 billion was spent in the third quarter of 2015. The total cloud expenditure was up 23  percent since this time a year ago. The report does not track direct cloud space allocations but measures server, disk storage, and Ethernet switch spending for cloud environments. In other words, the study shows how much companies are investing in building data centers to support public and private cloud operations.

Dell sold the most cloud infrastructure, with a little over 15  percent share of the total vendor revenue, followed by Dell, Cisco, EMC, and NetApp. Unlike in some areas of high tech, the big players didn't own the whole market. Original Design Manufactures (ODMs) had 29.4 percent of the market share, and 17.5 percent went to smaller vendors grouped together in the "Other" category.

New Attack Sucks Information from HTTPS

Security expert Guido Vranken has published a paper on an attack that can successfully extract meaningful information from a captured TLS traffic session. Although the so-called HTTPS Bicycle attack does not provide direct access to encrypted data, it can determine the length of parts of the data, such as the cookie header or the payload of an HTTP POST request. An attacker can even employ this technique to determine the length of a password used to access an online account. Knowing the length of the password can greatly simplify a dictionary attack.

The attack has no known antidote; however, a high-quality password, some form of two-factor authentication, or both will make it more difficult for the attacker to succeed. See Guido Vranken's blog [https://guidovranken.wordpress.com/2015/12/30/https-bicycle-attack/] for a summary of the attack technique.