NEWS
Dangerous New Attack Could Compromise One Third of All HTTPS Servers
A team of security researchers has uncovered a high-severity new attack that could expose up to one third of all HTTPS servers to compromise. The so-called DROWN attack (CVE-2016-0800) is a cross-protocol attack that exploits flaws in the obsolete SSLv2 protocol: an attacker who can reach any SSLv2 server holding a given RSA private key can use that server as a decryption oracle against TLS sessions negotiated with the same key using RSA key exchange, even when the TLS server itself never offers SSLv2.
The attacker must passively observe around 1,000 TLS handshakes that use RSA key exchange, initiate roughly 40,000 SSLv2 probe connections to the vulnerable server, and perform about 2^50 offline computations to recover one of the observed session keys. Running the computations on Amazon EC2 costs around $440.
The report indicates that 25% of the top one million domains, and 33% of all HTTPS sites, are vulnerable to the DROWN attack. The attack targets servers, where the HTTPS configuration lives; a vulnerable server exposes every client that connects to it, whatever browser it runs. The researchers add, "There is nothing practical that browsers or end-users can do on their own to protect against this attack."
The team that discovered DROWN has gone to considerable trouble to make information available to users. A website that went live at the moment of public disclosure includes a testing tool to check whether your systems are vulnerable.
Users are encouraged to disable SSLv2 "… in all SSL/TLS servers if you haven't done so already." Disabling the SSLv2 cipher suites without disabling the protocol itself is not sufficient unless your systems carry the patch for an earlier OpenSSL bug (CVE-2015-3197), which let a malicious client negotiate SSLv2 cipher suites the server had disabled; with that bug present, an attacker can still complete an SSLv2 handshake as long as the protocol has not also been switched off.
The team also cautions against sharing private keys among servers. According to the DROWN website, "Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server."
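As an added example (not code from the Linux Magazine article or from the DROWN team's testing tool), the following Python script builds a raw SSLv2 CLIENT-HELLO and classifies the server's reply. This is the check to run against every host and port that shares a certificate and key with your web server, mail servers included, because a modern OpenSSL build no longer speaks SSLv2 and `openssl s_client` cannot send the probe for you. The message layouts follow the SSLv2 specification; the SERVER-HELLO and TLS alert at the bottom are constructed for offline use, and `probe()` performs the live check against a host and port you supply.

```python
"""Hand-built SSLv2 CLIENT-HELLO probe for DROWN exposure.

Added example, not from the article or the DROWN team's tooling. Message
layouts follow the SSLv2 specification; the sample replies at the bottom
are constructed for offline testing.
"""
import os
import socket
import struct
from typing import Optional

# SSLv2 CIPHER-KIND values (3 bytes each) from the SSLv2 specification.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_ERROR, MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0x00, 0x01, 0x04
TLS_ALERT = 0x15  # first byte of a TLS alert record


def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """Return one SSLv2 record carrying a CLIENT-HELLO that offers every cipher kind."""
    challenge = challenge if challenge is not None else os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHER_KINDS)  # export-grade kinds included on purpose
    body = (
        bytes([MSG_CLIENT_HELLO])
        + b"\x00\x02"                        # CLIENT-VERSION: SSL 2.0
        + struct.pack(">H", len(ciphers))    # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)               # SESSION-ID-LENGTH: none
        + struct.pack(">H", len(challenge))  # CHALLENGE-LENGTH
        + ciphers
        + challenge
    )
    # Two-byte record header: bit 7 set means "no padding", low 15 bits are the length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_reply(reply: bytes) -> dict:
    """Decide from the first reply bytes whether the peer spoke SSLv2 back to us."""
    if not reply:
        return {"sslv2": False, "reason": "connection closed without a reply"}
    if reply[0] == TLS_ALERT:
        return {"sslv2": False, "reason": "TLS alert record; SSLv2 not spoken"}
    if len(reply) < 3 or (reply[0] & 0x80) == 0:
        return {"sslv2": False, "reason": "not a two-byte SSLv2 record header"}
    rec_len = struct.unpack(">H", reply[:2])[0] & 0x7FFF
    body = reply[2:2 + rec_len]
    if not body:
        return {"sslv2": False, "reason": "empty SSLv2 record"}
    if body[0] == MSG_ERROR:
        code = struct.unpack(">H", body[1:3])[0] if len(body) >= 3 else None
        # The server rejected us, but it answered in SSLv2 framing: protocol is present.
        return {"sslv2": True, "reason": f"SSLv2 ERROR (code {code})",
                "ciphers": [], "export": False}
    if body[0] != MSG_SERVER_HELLO or len(body) < 11:
        return {"sslv2": False, "reason": "unrecognised reply"}
    version = struct.unpack(">H", body[3:5])[0]                     # SERVER-VERSION
    cert_len, spec_len, conn_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len: 11 + cert_len + spec_len]           # CIPHER-SPECS follow the cert
    names = [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return {"sslv2": True, "reason": "SSLv2 SERVER-HELLO", "version": version,
            "cert_len": cert_len, "ciphers": names,
            "export": any("EXPORT" in n for n in names)}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: send the CLIENT-HELLO to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    result = classify_reply(reply)
    result["target"] = f"{host}:{port}"
    return result


def constructed_server_hello() -> bytes:
    """SERVER-HELLO built for offline testing: fake 4-byte 'certificate', two cipher kinds."""
    cert = b"\x30\x82\x00\x00"                  # placeholder bytes, not a real certificate
    specs = b"\x01\x00\x80" + b"\x02\x00\x80"   # RC4-128 plus an export-grade kind
    conn_id = bytes(range(16))                  # CONNECTION-ID
    body = (bytes([MSG_SERVER_HELLO, 0x00, 0x01])  # type, SESSION-ID-HIT=0, CERT-TYPE=X.509
            + b"\x00\x02"                          # SERVER-VERSION: SSL 2.0
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


SAMPLE_SERVER_HELLO = constructed_server_hello()
# Constructed reply from a TLS-only server: alert record, fatal (2), protocol_version (70).
SAMPLE_TLS_ALERT = bytes.fromhex("150301000202" + "46")

if __name__ == "__main__":
    print(classify_reply(SAMPLE_SERVER_HELLO))
    print(classify_reply(SAMPLE_TLS_ALERT))
```

A reply that decodes as an SSLv2 SERVER-HELLO means the host speaks SSLv2 and must be fixed; an `export` flag of true is worse still, because export-grade cipher kinds are what make the cheapest form of the attack practical. Run `probe()` against 443 and against every mail or other port that uses the same key, since a single SSLv2-capable listener anywhere undermines the key on all of them.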
See the technical paper for additional information on the DROWN attack.
Linux Magazine