NEWS
Intel’s acquisition of McAfee – did the chip giant pay too much?
SEPTEMBER/OCTOBER 2010
Since it was announced, the IT security world has been buzzing about
Intel’s plan to acquire veteran IT security vendor McAfee in a $7.68bn
deal.
As reported by Infosecurity, under the terms of the deal, Intel will
pay $48 per share in cash for McAfee, almost 60% higher than its
closing price the day the deal was made public.
The two companies say they have been working together
for 18 months on the deal and, if it passes regulatory and
shareholder approval, the first new products could be revealed
early next year.
Analysis of the acquisition has been widespread and mixed, with
IT security vendors keen to make their own voice heard.
Perhaps the most telling analysis came from 30-year veteran IT
writer Robin Harris of ZDNet, who observed that Intel has never been
satisfied with being the ‘King of Pop Processors’, even though the
firm has built an enormous and lucrative business.
“12 years ago, Intel went on another buying spree. The target was
the communications market”, he said, adding that everyone knew that
communications and computers were converging. What could go wrong?
“Oh, it is a different business that Intel didn’t understand? Who
could have guessed?”
“After writing off those investments, Intel got out of the business in
2006”, he noted.
The only good thing about the acquisition, says Harris, is that Intel
gets a $2 billion company with 80% gross margins – not as good as
Microsoft – but better than Intel’s.
Philippe Courtot, chairman and CEO of Qualys, meanwhile, took
a different view, noting that the deal is another example of the rapid
consolidation taking place in the enterprise software industry.
It comes, he says, as traditional high-tech vendors have an
increasingly hard time competing against SaaS and cloud
computing offerings and can only find growth by embarking
on aggressive pricing against their competitors to steal market
share.
“This is precisely what McAfee did against Symantec. Intel certainly
gains security expertise with this acquisition, though it is unclear at this
stage how they will leverage McAfee’s products”, he said.
Over at Imperva, the firm’s director of security strategy Rob
Rachwald said that the acquisition means one thing, and that is
security cannot be separated from the business.
“In the past, the objective of security was all about keeping the
bad guys out while letting the good guys in. However, with the advent
of insiders and as external hacking’s focus shifted to data theft, the
objective of security professionals changed dramatically”, he said.
“Data and the transactions that moved data have meant
security teams had to deploy security as a part of supply chains,
online transactions and for online collaboration among customers,
employees, partners and social networks”, he added.
He explained that the way security teams view and approach their
roles has changed dramatically.
“In the past, CISOs distributed anti-virus and set up firewalls.
Today, they must know where data resides, where it moves and how
to protect it, which requires a serious, comprehensive data security
practice”, he said.
“This means security teams need to become business process
experts to keep the bad guys disarmed while keeping the good guys
productive. With this in mind, Intel’s purchase makes a lot of
sense”, he added.
‘Oracle padding’ crypto attack affects millions of ASP.NET apps
Two security researchers have implemented an attack vector that
exploits the way that ASP.NET web applications handle encrypted
session cookies – a weakness that could enable an attacker to hijack
users’ online banking sessions and cause other severe problems in
vulnerable applications.
Reporting on the revelations, Dennis Fisher, a security researcher
and writer with Kaspersky Lab, said that full details of the vulnerability
were to be revealed during the Ekoparty security conference in
Argentina during September. The issue – which he claims could
affect millions of web applications – stems from the way
ASP.NET, Microsoft’s web framework, implements the AES
encryption algorithm to protect the integrity of the cookies these
applications generate to store information during user sessions.
A common mistake, says Fisher, is to assume that encryption
protects the cookies from tampering so that if any data in the
cookie is modified, the cookie will not decrypt correctly. “However,
there are a lot of ways to make mistakes in crypto implementations,
and when crypto breaks, it usually breaks badly”, he said in his
Threatpost security blog.
Fisher quotes Thai Duong, one of the researchers who
discovered the flaw, as saying that he and fellow researcher Juliano
Rizzo knew that ASP.NET was vulnerable several months ago, but
didn’t realise how serious the situation was until a couple of weeks
ago.
The Kaspersky Lab writer goes on to say that the two
researchers “have developed a tool specifically for use in this
attack, called the Padding Oracle Exploit Tool. Their attack is
an application of a technique that’s been known since at least
2002, when Serge Vaudenay presented a paper on the topic at
Eurocrypt”, he explained.
The attack vector seems to allow remote users to decrypt
cookies lifted from an ongoing IP session. These cookies, says
Fisher, “could contain valuable data such as bank balances, social
security numbers or crypto keys.”
“The attacker may also be able to create authentication
tickets for a vulnerable web app and abuse other processes that
use the application’s crypto application programming interface”,
he added.
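The "common mistake" Fisher describes, as an added example that is not part of the original article or of ASP.NET: a cookie protected by encryption alone still decrypts after it has been modified, while the same cookie with a MAC checked before decryption is rejected. It is written in Node.js for illustration and assumes AES-128-CBC with a random IV; the cookie contents, keys and function names are constructed.

```javascript
// Added example, not from the article: cookie, keys and helper names are constructed.
const { createCipheriv, createDecipheriv, createHmac, randomBytes, timingSafeEqual } =
  require('node:crypto');

const ENC_KEY = randomBytes(16); // AES-128 key (constructed)
const MAC_KEY = randomBytes(32); // separate HMAC-SHA256 key (constructed)
const COOKIE = 'role=user;uid=1001;exp=1285000000'; // constructed session cookie

// Weak form: encryption only. Returns iv || ciphertext.
function sealCbcOnly(plaintext) {
  const iv = randomBytes(16);
  const c = createCipheriv('aes-128-cbc', ENC_KEY, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
}
function openCbcOnly(cookie) {
  const d = createDecipheriv('aes-128-cbc', ENC_KEY, cookie.subarray(0, 16));
  return Buffer.concat([d.update(cookie.subarray(16)), d.final()]).toString('utf8');
}

// Hardened form: encrypt-then-MAC. Returns iv || ciphertext || tag.
function sealAuthenticated(plaintext) {
  const body = sealCbcOnly(plaintext);
  const tag = createHmac('sha256', MAC_KEY).update(body).digest();
  return Buffer.concat([body, tag]);
}
// Checks the tag in constant time before any decryption; null on any failure.
function openAuthenticated(cookie) {
  if (cookie.length < 16 + 16 + 32) return null;
  const body = cookie.subarray(0, cookie.length - 32);
  const tag = cookie.subarray(cookie.length - 32);
  const expected = createHmac('sha256', MAC_KEY).update(body).digest();
  if (!timingSafeEqual(tag, expected)) return null;
  return openCbcOnly(body);
}

// Returns a copy of buf with one bit changed, standing in for in-transit tampering.
function flipBit(buf, index) {
  const copy = Buffer.from(buf);
  copy[index] ^= 0x01;
  return copy;
}

// weak: decrypts without error to altered text; strong: rejected outright.
function demo() {
  return { weak: openCbcOnly(flipBit(sealCbcOnly(COOKIE), 0)),
           strong: openAuthenticated(flipBit(sealAuthenticated(COOKIE), 0)) };
}
console.log(demo());
```

Because `openAuthenticated` returns the same `null` for every invalid cookie and never decrypts unauthenticated data, the application also gives no separate signal about whether the padding was valid.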