NEWS

Intel’s acquisition of McAfee – did the chip giant pay too much?

SEPTEMBER/OCTOBER 2010

Since it was announced, the IT security world has been buzzing about Intel’s plan to acquire veteran IT security vendor McAfee in a $7.68bn deal.

As reported by Infosecurity, under the terms of the deal, Intel will pay $48 per share in cash for McAfee, almost 60% higher than its closing price the day the deal was made public.

The two companies say they have been working together for 18 months on the deal and, if it passes regulatory and shareholder approval, the first new products could be revealed early next year.

Analysis of the acquisition has been widespread and mixed, with IT security vendors keen to make their own voice heard.

Perhaps the most telling analysis came from 30-year veteran IT writer Robin Harris of ZDNet, who observed that Intel has never been satisfied with being the ‘King of Pop Processors’, even though the firm has built an enormous and lucrative business.

“12 years ago, Intel went on another buying spree. The target was the communications market”, he said, adding that everyone knew that communications and computers were converging. What could go wrong?

“Oh, it is a different business that Intel didn’t understand? Who could have guessed?”

“After writing off those investments, Intel got out of the business in 2006”, he noted.

The only good thing about the acquisition, says Harris, is that Intel gets a $2 billion company with 80% gross margins – not as good as Microsoft – but better than Intel’s.

Philippe Courtot, chairman and CEO of Qualys, meanwhile, took a different view, noting that the deal is another example of the rapid consolidation taking place in the enterprise software industry.

It comes, he says, as traditional high-tech vendors have an increasingly harder time competing against SaaS and cloud computing offerings and can only find growth by embarking on aggressive pricing against their competitors to steal market share.

“This is precisely what McAfee did against Symantec. Intel certainly gains security expertise with this acquisition, though it is unclear at this stage how they will leverage McAfee’s products”, he said.

Over at Imperva, the firm’s director of security strategy Rob Rachwald said that the acquisition means one thing, and that is security cannot be separated from the business.

“In the past, the objective of security was all about keeping the bad guys out while letting the good guys in. However, with the advent of insiders and as external hacking’s focus shifted to data theft, the objective of security professionals changed dramatically”, he said.

“Data and the transactions that moved data have meant security teams had to deploy security as a part of supply chains, online transactions and for online collaboration among customers, employees, partners and social networks”, he added.

He explained that the way security teams view and approach their roles has changed dramatically.

“In the past, CISOs distributed anti-virus and set up firewalls. Today, they must know where data resides, where it moves and how to protect it, which requires a serious, comprehensive data security practice”, he said.

“This means security teams need to become business process experts to keep the bad guys disarmed while keeping the good guys productive. With this in mind, Intel’s purchase makes a lot of sense”, he added.

‘Oracle padding’ crypto attack affects millions of ASP.NET apps

Two security researchers have implemented an attack vector that exploits the way that ASP.NET web applications handle encrypted session cookies – a weakness that could enable an attacker to hijack users’ online banking sessions and cause other severe problems in vulnerable applications.

Reporting on the revelations, Dennis Fisher, a security researcher and writer with Kaspersky Lab, said that full details of the vulnerability were to be revealed during the Ekoparty security conference in Argentina during September. The issue – which he claims could affect millions of web applications – stems from the way ASP.NET, Microsoft’s web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions.

A common mistake, says Fisher, is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie will not decrypt correctly. “However, there are a lot of ways to make mistakes in crypto implementations, and when crypto breaks, it usually breaks badly”, he said in his Threatpost security blog.

Fisher quotes Thai Duong, one of the researchers who discovered the flaw, as saying that he and fellow researcher Juliano Rizzo knew that ASP.NET was vulnerable several months ago, but didn’t realise how serious the situation was until a couple of weeks ago.

The Kaspersky Lab writer goes on to say that the two researchers “have developed a tool specifically for use in this attack, called the Padding Oracle Exploit Tool. Their attack is an application of a technique that’s been known since at least 2002, when Serge Vaudenay presented a paper on the topic at Eurocrypt”, he explained.

The attack vector seems to allow remote users to decrypt cookies lifted from an ongoing IP session. These cookies, says Fisher, “could contain valuable data such as bank balances, social security numbers or crypto keys.”

“The attacker may also be able to create authentication tickets for a vulnerable web app and abuse other processes that use the application’s crypto application programming interface”, he added.
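The mistake Fisher describes, treating encryption as if it protected a cookie from tampering, shown as an added example (not code from the article, from ASP.NET or from the researchers): an encrypt-only cookie accepts a modified ciphertext, while an encrypt-then-MAC cookie is rejected before decryption with one uniform failure. All function names are hypothetical, and an HMAC-SHA256 counter-mode keystream stands in for AES so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32  # TAG_LEN is the HMAC-SHA256 output size

def _keystream(key, nonce, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, so the example
    # needs only the standard library. A real service would use AES here.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt_only(enc_key, plaintext):
    """The mistaken design: confidentiality only, nothing detects changes."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt_only(enc_key, cookie):
    nonce, body = cookie[:NONCE_LEN], cookie[NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    blob = encrypt_only(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, cookie):
    """Check the tag before any decryption; None for every kind of failure."""
    if len(cookie) < NONCE_LEN + TAG_LEN:
        return None
    blob, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # a modified cookie never reaches the decryption step
    return decrypt_only(enc_key, blob)

def flip_bit(cookie, index):
    """Constructed tampering for the demo: flip one bit of one byte."""
    return cookie[:index] + bytes([cookie[index] ^ 1]) + cookie[index + 1:]

if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)  # separate keys for each job
    session = b"user=alice;balance=100"      # constructed sample cookie value
    print(decrypt_only(ek, flip_bit(encrypt_only(ek, session), 20)))  # altered, no error
    print(open_sealed(ek, mk, flip_bit(seal(ek, mk, session), 20)))   # None
```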
